diff --git a/checks.nix b/checks.nix new file mode 100644 index 0000000..9505c35 --- /dev/null +++ b/checks.nix @@ -0,0 +1,20 @@ +{ + self, + flake-utils, + nixpkgs, + ... +}: +(flake-utils.lib.eachDefaultSystem ( + system: + let + pkgs = nixpkgs.legacyPackages.${system}; + formatter = self.formatter.${system}; + in + { + checks = { + format = pkgs.runCommand "check-format" { + buildInputs = [ formatter ]; + } "${formatter}/bin/nixpkgs-fmt --check ${./.} && touch $out"; + }; + } +)).checks diff --git a/devshell.nix b/devshell.nix index 3931494..1fbad07 100644 --- a/devshell.nix +++ b/devshell.nix @@ -6,6 +6,7 @@ packages = with pkgs; [ agenix + nixpkgs-fmt nixos-rebuild ]; diff --git a/nixos/agares/configuration.nix b/nixos/agares/configuration.nix new file mode 100644 index 0000000..ba00c29 --- /dev/null +++ b/nixos/agares/configuration.nix @@ -0,0 +1,108 @@ +{ + config, + modulesPath, + pkgs, + ... +}: +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ./ddns.nix + ./dns.nix + ./firewall.nix + ../modules/profiles/server.nix + ./network.nix + ./ntp.nix + ./ppp.nix + ]; + + fileSystems."/" = { + device = "/dev/sda1"; + fsType = "btrfs"; + options = [ "subvol=root" ]; + }; + + #fileSystems."/nix/store" = { + # device = "/dev/sda1"; + # fsType = "btrfs"; + # options = [ "subvol=/root/nix" "noatime" ]; + #}; + + fileSystems."/swap" = { + device = "/dev/sda1"; + fsType = "btrfs"; + options = [ + "subvol=/root/swap" + "noatime" + ]; + }; + + #swapDevices = [{ + # device = "/swap/swapfile"; + # size = 32 * 1024; # 32 GByte + #}]; + + hardware.cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware; + + dadada = { + admin.enable = true; + }; + + services.smartd.enable = true; + + networking.hostName = "agares"; + networking.domain = "bs.dadada.li"; + + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "ehci_pci" + "usb_storage" + "sd_mod" + "sdhci_pci" + ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; + boot.loader.grub.extraConfig = " + serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1 + terminal_input serial + terminal_output serial + "; + + boot.kernelParams = [ + "console=ttyS0,115200" + "amd_iommu=on" + "iommu=pt" + ]; + + boot.kernelModules = [ + "kvm-amd" + "vfio" + "vfio_iommu_type1" + "vfio_pci" + "vfio_virqfd" + ]; + + environment.systemPackages = with pkgs; [ + curl + flashrom + dmidecode + tcpdump + ]; + + services.munin-node = { + enable = true; + extraConfig = '' + host_name ${config.networking.hostName} + cidr_allow 10.3.3.3/32 + ''; + }; + + # Running router VM. They have to be restarted in the right order, so network comes up cleanly. Not ideal. + system.autoUpgrade.allowReboot = false; + + system.stateVersion = "23.05"; +} diff --git a/nixos/agares/ddns.nix b/nixos/agares/ddns.nix new file mode 100644 index 0000000..9a5948f --- /dev/null +++ b/nixos/agares/ddns.nix @@ -0,0 +1,13 @@ +{ config, ... }: +{ + dadada.ddns = { + domains = [ "vpn.dadada.li" ]; + credentialsPath = config.age.secrets."ddns-credentials".path; + interface = "ppp0"; + }; + + age.secrets."ddns-credentials" = { + file = "${config.dadada.secrets.path}/ddns-credentials.age"; + mode = "400"; + }; +} diff --git a/nixos/agares/dns.nix b/nixos/agares/dns.nix new file mode 100644 index 0000000..fe2843f --- /dev/null +++ b/nixos/agares/dns.nix @@ -0,0 +1,81 @@ +{ ... }: +{ + services.unbound = { + enable = true; + localControlSocketPath = "/run/unbound/unbound.ctl"; + settings = { + server = { + access-control = [ + "127.0.0.0/8 allow" + "127.0.0.1/32 allow_snoop" + "192.168.96.0/19 allow" + "192.168.1.0/24 allow" + "172.16.128.0/24 allow" + "::1/128 allow_snoop" + "fd42:9c3b:f96d::/48 allow" + ]; + interface = [ + "127.0.0.1" + "192.168.1.1" + "192.168.100.1" + "192.168.101.1" + "192.168.102.1" + "192.168.103.1" + "192.168.120.1" + "::1" + "fd42:9c3b:f96d:100::1" + "fd42:9c3b:f96d:101::1" + "fd42:9c3b:f96d:102::1" + "fd42:9c3b:f96d:103::1" + "fd42:9c3b:f96d:120::1" + ]; + prefer-ip6 = true; + prefetch = true; + prefetch-key = true; + serve-expired = false; + aggressive-nsec = true; + hide-identity = true; + hide-version = true; + use-caps-for-id = true; + val-permissive-mode = true; + local-data = [ + "\"agares.bs.dadada.li. 10800 IN A 192.168.101.1\"" + "\"danjal.bs.dadada.li. 10800 IN A 192.168.100.108\"" + "\"legion.bs.dadada.li. 10800 IN A 192.168.100.107\"" + "\"ninurta.bs.dadada.li. 10800 IN A 192.168.101.184\"" + "\"agares.bs.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101::1\"" + "\"ninurta.bs.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe\"" + "\"backup1.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe\"" + ]; + local-zone = [ + "\"168.192.in-addr.arpa.\" nodefault" + "\"d.f.ip6.arpa.\" nodefault" + ]; + }; + forward-zone = [ + { + name = "."; + forward-tls-upstream = "yes"; + forward-addr = [ + "2620:fe::fe@853#dns.quad9.net" + "2620:fe::9@853#dns.quad9.net" + "9.9.9.9@853#dns.quad9.net" + "149.112.112.112@853#dns.quad9.net" + ]; + } + ]; + stub-zone = + let + stubZone = name: addrs: { + name = "${name}"; + stub-addr = addrs; + }; + in + [ + #(stubZone "li.dadada.bs" ["192.168.128.220" "2a01:4f8:c010:a710::1"]) + #(stubZone "d.6.9.f.b.3.c.9.2.4.d.f.ip6.arpa" ["192.168.101.220" "2a01:4f8:c010:a710::1"]) + #(stubZone "168.192.in-addr.arpa" ["192.168.128.220" "2a01:4f8:c010:a710::1"]) + ]; + }; + }; +} diff --git a/nixos/agares/firewall.nix b/nixos/agares/firewall.nix new file mode 100644 index 0000000..569259f --- /dev/null +++ b/nixos/agares/firewall.nix @@ -0,0 +1,13 @@ +{ ... }: +{ + networking = { + useDHCP = false; + nat.enable = false; + firewall.enable = false; + nftables = { + enable = true; + checkRuleset = true; + ruleset = builtins.readFile ./rules.nft; + }; + }; +} diff --git a/nixos/agares/network.nix b/nixos/agares/network.nix new file mode 100644 index 0000000..6d86d22 --- /dev/null +++ b/nixos/agares/network.nix @@ -0,0 +1,323 @@ +{ config, lib, ... }: +let + ulaPrefix = "fd42:9c3b:f96d"; # fd42:9c3b:f96d::/48 + ipv4Prefix = "192.168"; # 192.168.96.0/19 + domain = "bs.dadada.li"; +in +{ + networking.useDHCP = false; + systemd.network = { + enable = true; + links = { + "10-persistent" = { + matchConfig.OriginalName = [ + "enp1s0" + "enp2s0" + ]; # takes search domains from the [Network] + linkConfig.MACAddressPolicy = "persistent"; + }; + }; + netdevs = { + # QoS concentrator + "ifb4ppp0" = { + netdevConfig = { + Kind = "ifb"; + Name = "ifb4ppp0"; + }; + }; + "20-lan" = { + netdevConfig = { + Kind = "vlan"; + Name = "lan.10"; + }; + vlanConfig = { + Id = 10; + }; + }; + "20-freifunk" = { + netdevConfig = { + Kind = "vlan"; + Name = "ff.11"; + }; + vlanConfig = { + Id = 11; + }; + }; + "20-roadw" = { + netdevConfig = { + Kind = "wireguard"; + Name = "roadw"; + }; + wireguardConfig = { + PrivateKeyFile = config.age.secrets."wg-privkey-vpn-dadada-li".path; + ListenPort = 51234; + }; + wireguardPeers = [ + { + wireguardPeerConfig = + let + peerAddresses = i: [ + "${ipv4Prefix}.120.${i}/32" + "${ulaPrefix}:120::${i}/128" + ]; + in + { + PublicKey = "0eWP1hzkyoXlrjPSOq+6Y1u8tnFH+SejBJs8f8lf+iU="; + AllowedIPs = peerAddresses "3"; + }; + } + ]; + }; + "20-wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg0"; + }; + wireguardConfig = { + PrivateKeyFile = config.age.secrets."wg-privkey-wg0".path; + ListenPort = 51235; + }; + wireguardPeers = lib.singleton { + wireguardPeerConfig = { + PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE="; + AllowedIPs = [ + "10.3.3.3/32" + "fd42:9c3b:f96d:121::3/128" + "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128" + ]; + }; + }; + }; + }; + networks = + let + subnet = name: subnetId: { + matchConfig.Name = name; + addresses = [ + { addressConfig.Address = "${ipv4Prefix}.${subnetId}.1/24"; } + { addressConfig.Address = "${ulaPrefix}:${subnetId}::1/64"; } + ]; + dhcpPrefixDelegationConfig = { + SubnetId = "auto"; + }; + ipv6Prefixes = [ + { + ipv6PrefixConfig.Prefix = "${ulaPrefix}:${subnetId}::/64"; + } + ]; + dhcpServerConfig = { + DNS = "_server_address"; + NTP = "_server_address"; + EmitDNS = true; + EmitNTP = true; + EmitRouter = true; + PoolOffset = 100; + PoolSize = 100; + }; + ipv6SendRAConfig = { + EmitDNS = true; + DNS = "_link_local"; + EmitDomains = true; # takes search domains from the [Network] + }; + linkConfig = { + RequiredForOnline = false; + }; + networkConfig = { + Domains = domain; + EmitLLDP = "yes"; + IPv6SendRA = true; + IPv6AcceptRA = false; + DHCPPrefixDelegation = true; + DHCPServer = true; + }; + extraConfig = '' + [CAKE] + OverheadBytes = 38 + Bandwidth = 1G + RTT = lan + ''; + }; + in + { + "10-mgmt" = lib.mkMerge [ + (subnet "enp1s0" "100") + { + networkConfig.VLAN = [ + "lan.10" + "ff.11" + ]; + dhcpServerStaticLeases = [ + { + # legion + dhcpServerStaticLeaseConfig = { + Address = "192.168.100.107"; + MACAddress = "80:CC:9C:95:4A:60"; + }; + } + { + # danyal + dhcpServerStaticLeaseConfig = { + Address = "192.168.100.108"; + MACAddress = "c8:9e:43:a3:3d:7f"; + }; + } + ]; + } + ]; + "30-wg0" = { + matchConfig.Name = "wg0"; + address = [ + "10.3.3.2/32" + "fd42:9c3b:f96d:121::2/128" + ]; + DHCP = "no"; + networkConfig.IPv6AcceptRA = false; + linkConfig.RequiredForOnline = false; + routes = [ + { + routeConfig = { + Destination = "10.3.3.1/24"; + }; + } + { + routeConfig = { + Destination = "fd42:9c3b:f96d:121::1/64"; + }; + } + ]; + }; + "30-lan" = subnet "lan.10" "101" // { + dhcpServerStaticLeases = [ + { + # ninurta + dhcpServerStaticLeaseConfig = { + Address = "192.168.101.184"; + MACAddress = "48:21:0B:3E:9C:FE"; + }; + } + { + # crocell + dhcpServerStaticLeaseConfig = { + Address = "192.168.101.122"; + MACAddress = "9C:C9:EB:4F:3F:0E"; + }; + } + { + # gorgon + dhcpServerStaticLeaseConfig = { + Address = "192.168.101.205"; + MACAddress = "8C:C6:81:6A:39:2F"; + }; + } + ]; + }; + + "30-ff" = subnet "ff.11" "102"; + + "30-ifb4ppp0" = { + name = "ifb4ppp0"; + extraConfig = '' + [CAKE] + OverheadBytes = 65 + Bandwidth = 100M + FlowIsolationMode = triple + RTT = internet + ''; + linkConfig = { + RequiredForOnline = false; + }; + }; + + "30-ppp0" = { + name = "ppp*"; + linkConfig = { + RequiredForOnline = "routable"; + }; + networkConfig = { + KeepConfiguration = "static"; + DefaultRouteOnDevice = true; + LinkLocalAddressing = "ipv6"; + DHCP = "ipv6"; + }; + extraConfig = '' + [CAKE] + OverheadBytes = 65 + Bandwidth = 40M + FlowIsolationMode = triple + NAT=true + RTT = internet + + [DHCPv6] + PrefixDelegationHint= ::/56 + UseAddress = false + UseDelegatedPrefix = true + WithoutRA = solicit + + [DHCPPrefixDelegation] + UplinkInterface=:self + ''; + ipv6SendRAConfig = { + # Let networkd know that we would very much like to use DHCPv6 + # to obtain the "managed" information. Not sure why they can't + # just take that from the upstream RAs. + Managed = true; + }; + }; + # Talk to modem for management + "enp2s0" = { + name = "enp2s0"; + linkConfig = { + RequiredForOnline = false; + }; + networkConfig = { + Address = "192.168.1.254/24"; + EmitLLDP = "yes"; + }; + }; + "10-roadw" = { + matchConfig.Name = "roadw"; + addresses = [ + { addressConfig.Address = "${ipv4Prefix}.120.1/24"; } + { addressConfig.Address = "${ulaPrefix}:120::1/64"; } + ]; + DHCP = "no"; + networkConfig.IPv6AcceptRA = false; + linkConfig.RequiredForOnline = false; + routes = [ + { + routeConfig = { + Destination = "${ipv4Prefix}.120.1/24"; + }; + } + { + routeConfig = { + Destination = "${ulaPrefix}::120:1/64"; + }; + } + ]; + }; + }; + }; + + age.secrets."wg-privkey-vpn-dadada-li" = { + file = "${config.dadada.secrets.path}/wg-privkey-vpn-dadada-li.age"; + owner = "systemd-network"; + }; + + age.secrets."wg-privkey-wg0" = { + file = "${config.dadada.secrets.path}/agares-wg0-key.age"; + owner = "systemd-network"; + }; + + boot.kernel.sysctl = { + # Enable forwarding for interface + "net.ipv4.conf.all.forwarding" = "1"; + "net.ipv6.conf.all.forwarding" = "1"; + "net.ipv6.conf.all.accept_ra" = "0"; + "net.ipv6.conf.all.autoconf" = "0"; + # Set via systemd-networkd + #"net.ipv6.conf.${intf}.use_tempaddr" = "0"; + }; + + powerManagement.cpuFreqGovernor = lib.mkDefault "schedutil"; +} diff --git a/nixos/agares/ntp.nix b/nixos/agares/ntp.nix new file mode 100644 index 0000000..c3ec49b --- /dev/null +++ b/nixos/agares/ntp.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + services.chrony = { + enable = true; + extraConfig = '' + allow 192.168.1 + allow 192.168.100 + allow 192.168.101 + allow 192.168.102 + ''; + }; +} diff --git a/nixos/agares/ppp.nix b/nixos/agares/ppp.nix new file mode 100644 index 0000000..ffa5bc4 --- /dev/null +++ b/nixos/agares/ppp.nix @@ -0,0 +1,68 @@ +{ + pkgs, + lib, + config, + ... +}: +let + secretsPath = config.dadada.secrets.path; +in +{ + # PPPoE + services.pppd = { + enable = true; + peers = { + telekom = { + enable = true; + autostart = true; + config = '' + debug + + plugin pppoe.so enp2s0 + + noauth + hide-password + call telekom-secret + + linkname ppp0 + + persist + maxfail 0 + holdoff 5 + + noipdefault + defaultroute + + lcp-echo-interval 15 + lcp-echo-failure 3 + ''; + }; + }; + }; + + age.secrets."etc-ppp-telekom-secret" = { + file = "${secretsPath}/etc-ppp-telekom-secret.age"; + owner = "root"; + mode = "700"; + path = "/etc/ppp/peers/telekom-secret"; + }; + + age.secrets."etc-ppp-pap-secrets" = { + # format: client server passphrase + file = "${secretsPath}/etc-ppp-chap-secrets.age"; + owner = "root"; + mode = "700"; + path = "/etc/ppp/pap-secrets"; + }; + + # Hook for QoS via Intermediate Functional Block + environment.etc."ppp/ip-up" = { + mode = "755"; + text = with lib; '' + #!/usr/bin/env sh + ${getBin pkgs.iproute2}/bin/tc qdisc del dev $1 ingress + ${getBin pkgs.iproute2}/bin/tc qdisc add dev $1 handle ffff: ingress + ${getBin pkgs.iproute2}/bin/tc filter add dev $1 parent ffff: matchall action mirred egress redirect dev ifb4ppp0 + ''; + }; +} diff --git a/nixos/agares/rules.nft b/nixos/agares/rules.nft new file mode 100644 index 0000000..4b41bea --- /dev/null +++ b/nixos/agares/rules.nft @@ -0,0 +1,136 @@ +flush ruleset + +define IF_MGMT = "enp1s0" +define IF_FF = "ff.11" +define IF_LAN = "lan.10" +define IF_WAN = "ppp0" + +# Modem uses this for internet uplink via our WAN +define IF_MODEM = "enp2s0" + +define IF_ROADW = "roadw" + +table inet filter { + # Will give "no such file or directory if hardware does not support flow offloading" + # flowtable f { + # hook ingress priority 0; devices = { enp1s0, enp2s0 }; flags offload; + # } + + chain input_local { + ip6 saddr != ::1/128 log prefix "Dropped IPv6 nonlocalhost packet on loopback:" drop + accept comment "Accept traffic to loopback interface" + } + + chain input_icmp_untrusted { + # Allow ICMP echo + ip protocol icmp icmp type { echo-request } limit rate 1000/second burst 5 packets accept comment "Accept echo request" + + # Allow some ICMPv6 + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } limit rate 1000/second burst 5 packets accept comment "Allow some ICMPv6" + } + + chain input_modem { + jump input_icmp_untrusted + } + + chain input_wan { + # DHCPv6 client + meta nfproto ipv6 udp sport 547 accept comment "Allow DHCPv6 client" + + jump input_icmp_untrusted + + udp dport 51234 accept comment "Wireguard roadwarriors" + } + + chain input_lan { + counter accept comment "Accept all traffic from LAN" + } + + chain input_mgmt { + counter accept comment "Accept all traffic from MGMT" + } + + chain input_roadw { + counter accept comment "Accept all traffic from roadwarriors" + } + + chain input_ff { + jump input_icmp_untrusted + + # DHCP + meta nfproto ipv6 udp dport 547 accept comment "Allow DHCPv6 client" + + # Allow DNS and DHCP from Freifunk + udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk" + } + + chain input_wg0 { + tcp dport 4949 accept comment "Munin node" + } + + chain input { + type filter hook input priority filter; policy drop; + + ct state {established, related} counter accept comment "Accept packets from established and related connections" + ct state invalid counter drop comment "Early drop of invalid packets" + + iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt, wg0 : jump input_wg0 } + } + +# Only works if hardware flow offloading is available +# chain offload { +# type filter hook forward priority -100; policy accept; +# ip protocol tcp flow add @f +# counter packets 0 bytes 0 +# } + + chain forward { + type filter hook forward priority filter; policy drop; + + # Accept connections tracked by destination NAT + ct status dnat counter accept comment "Accept connections tracked by DNAT" + + # TCP options + tcp flags syn tcp option maxseg size set rt mtu comment "Remove TCP maximum segment size and set a size based on route information" + + # ICMPv6 + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, parameter-problem } limit rate 5/second counter accept comment "Forward up to five ICMP messages of allowed types per second" + meta l4proto ipv6-icmp accept comment "Forward ICMP in IPv6" + + # mgmt <-> * + iifname { $IF_LAN, $IF_ROADW } oifname $IF_MGMT counter reject comment "Reject traffic from LAN and roadwarrior to MGMT" + iifname $IF_MGMT oifname { $IF_LAN, $IF_ROADW } counter reject comment "Reject traffic from MGMT to LAN and roadwarrior" + # drop (instead of reject) everything else to MGMT + + # LAN, ROADW -> * (except mgmt) + iifname { $IF_LAN, $IF_ROADW } counter accept comment "Allow all traffic forwarding from LAN and roadwarrior to all interfaces, except to mgmt" + + # FF -> WAN + iifname { $IF_FF } oifname $IF_WAN counter accept comment "Allow all traffic forwarding from Freifunk and services to WAN" + + # { WAN } -> { FF, LAN, RW } + iifname { $IF_WAN } oifname { $IF_FF, $IF_LAN, $IF_ROADW } ct state established,related counter accept comment "Allow established back from WAN" + } + + chain output { + type filter hook output priority 100; policy accept; + } +} + +table ip nat { + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + } + + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; + ip saddr { 192.168.96.0/19 } oifname { $IF_WAN } masquerade comment "Masquerade traffic from LANs" + } +} + +table arp filter { + chain input { + type filter hook input priority filter; policy drop; + iifname { $IF_MGMT, $IF_LAN, $IF_FF, $IF_MODEM } limit rate 1/second burst 2 packets accept comment "Limit number of ARP messages from LAN, FF, MGMT, modem" + } +} diff --git a/nixos/configurations.nix b/nixos/configurations.nix index 877c6a9..220e4d0 100644 --- a/nixos/configurations.nix +++ b/nixos/configurations.nix @@ -77,6 +77,14 @@ in ]; }; + agares = nixosSystem { + modules = [ + { nixpkgs.pkgs = nixpkgsx86; } + baseModule + ./agares/configuration.nix + ]; + }; + installer = nixosSystem { modules = [ nixos-generators.nixosModules.install-iso diff --git a/nixos/gorgon/configuration.nix b/nixos/gorgon/configuration.nix index 69e7588..cb99b2a 100644 --- a/nixos/gorgon/configuration.nix +++ b/nixos/gorgon/configuration.nix @@ -261,7 +261,7 @@ in xdg.portal.wlr.enable = false; hardware.bluetooth.enable = true; - hardware.graphics = { + hardware.opengl = { enable = true; extraPackages = with pkgs; [ vaapiVdpau diff --git a/nixos/modules/steam.nix b/nixos/modules/steam.nix index e14add3..b6b0846 100644 --- a/nixos/modules/steam.nix +++ b/nixos/modules/steam.nix @@ -15,8 +15,11 @@ in }; }; config = mkIf cfg.enable { - hardware.graphics = { + nixpkgs.config.allowUnfree = true; + + hardware.opengl = { enable = true; + driSupport32Bit = true; extraPackages32 = with pkgs.pkgsi686Linux; [ libva ]; }; diff --git a/nixos/modules/yubikey.nix b/nixos/modules/yubikey.nix index 47699e1..4be4492 100644 --- a/nixos/modules/yubikey.nix +++ b/nixos/modules/yubikey.nix @@ -34,7 +34,7 @@ in }; u2f = { control = "sufficient"; - settings.cue = true; + cue = true; }; }; diff --git a/nixos/ninurta/configuration.nix b/nixos/ninurta/configuration.nix index d4a7bb9..47c0103 100644 --- a/nixos/ninurta/configuration.nix +++ b/nixos/ninurta/configuration.nix @@ -270,10 +270,14 @@ in linkConfig.RequiredForOnline = false; routes = [ { - Destination = "10.3.3.1/24"; + routeConfig = { + Destination = "10.3.3.1/24"; + }; } { - Destination = "fd42:9c3b:f96d:121::1/64"; + routeConfig = { + Destination = "fd42:9c3b:f96d:121::1/64"; + }; } ]; }; @@ -290,10 +294,14 @@ in linkConfig.RequiredForOnline = false; routes = [ { - Destination = "10.11.0.0/22"; + routeConfig = { + Destination = "10.11.0.0/22"; + }; } { - Destination = "fc00:1337:dead:beef::10.11.0.0/118"; + routeConfig = { + Destination = "fc00:1337:dead:beef::10.11.0.0/118"; + }; } ]; }; @@ -333,21 +341,25 @@ in }; wireguardPeers = [ { - PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY="; - AllowedIPs = [ - "10.3.3.1/32" - "fd42:9c3b:f96d:121::1/128" - ]; - PersistentKeepalive = 25; - Endpoint = "surgat.dadada.li:51235"; + wireguardPeerConfig = { + PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY="; + AllowedIPs = [ + "10.3.3.1/32" + "fd42:9c3b:f96d:121::1/128" + ]; + PersistentKeepalive = 25; + Endpoint = "surgat.dadada.li:51235"; + }; } { - PublicKey = "INfv++4R+Kd2jdh/3CooM70ZeeoN6aeU6mo+T4C8gWU="; - AllowedIPs = [ - "10.3.3.2/32" - "fd42:9c3b:f96d:121::2/128" - ]; - Endpoint = "192.168.101.1:51235"; + wireguardPeerConfig = { + PublicKey = "INfv++4R+Kd2jdh/3CooM70ZeeoN6aeU6mo+T4C8gWU="; + AllowedIPs = [ + "10.3.3.2/32" + "fd42:9c3b:f96d:121::2/128" + ]; + Endpoint = "192.168.101.1:51235"; + }; } ]; }; @@ -361,15 +373,17 @@ in }; wireguardPeers = [ { - PublicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8="; - AllowedIPs = [ - "10.11.0.0/22" - "fc00:1337:dead:beef::10.11.0.0/118" - "192.168.178.0/23" - ]; - PersistentKeepalive = 25; - PresharedKeyFile = config.age.secrets.${uwuPresharedKey}.path; - Endpoint = "53c70r.de:51820"; + wireguardPeerConfig = { + PublicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8="; + AllowedIPs = [ + "10.11.0.0/22" + "fc00:1337:dead:beef::10.11.0.0/118" + "192.168.178.0/23" + ]; + PersistentKeepalive = 25; + PresharedKeyFile = config.age.secrets.${uwuPresharedKey}.path; + Endpoint = "53c70r.de:51820"; + }; } ]; }; @@ -429,7 +443,7 @@ in }) ]; - services.pulseaudio.enable = false; + hardware.pulseaudio.enable = false; environment.systemPackages = with pkgs; [ smartmontools diff --git a/nixos/surgat/configuration.nix b/nixos/surgat/configuration.nix index 5ddef7f..5cd9596 100644 --- a/nixos/surgat/configuration.nix +++ b/nixos/surgat/configuration.nix @@ -74,10 +74,12 @@ in "2a01:4f8:c17:1d70::/64" ]; routes = [ - { Gateway = "fe80::1"; } + { routeConfig.Gateway = "fe80::1"; } { - Gateway = "172.31.1.1"; - GatewayOnLink = true; + routeConfig = { + Gateway = "172.31.1.1"; + GatewayOnLink = true; + }; } ]; linkConfig.RequiredForOnline = "routable"; @@ -93,13 +95,19 @@ in linkConfig.RequiredForOnline = "no"; routes = [ { - Destination = "10.3.3.3/24"; + routeConfig = { + Destination = "10.3.3.3/24"; + }; } { - Destination = "fd42:9c3b:f96d:121::/64"; + routeConfig = { + Destination = "fd42:9c3b:f96d:121::/64"; + }; } { - Destination = "fd42:9c3b:f96d:101::/64"; + routeConfig = { + Destination = "fd42:9c3b:f96d:101::/64"; + }; } ]; }; @@ -116,12 +124,14 @@ in }; wireguardPeers = [ { - PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE="; - AllowedIPs = [ - "10.3.3.3/32" - "fd42:9c3b:f96d:121::3/128" - "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128" - ]; + wireguardPeerConfig = { + PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE="; + AllowedIPs = [ + "10.3.3.3/32" + "fd42:9c3b:f96d:121::3/128" + "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128" + ]; + }; } ]; }; diff --git a/outputs.nix b/outputs.nix index ef7a742..08e8ad0 100644 --- a/outputs.nix +++ b/outputs.nix @@ -27,10 +27,6 @@ in import ./devshell.nix { inherit pkgs extraModules; }; - checks = { - formatting = treefmtEval.config.build.check self; - }; - formatter = treefmtEval.config.build.wrapper; packages = import ./pkgs { inherit pkgs; } // { @@ -39,6 +35,7 @@ } )) // { + checks = import ./checks.nix inputs; hmModules = import ./home/modules.nix { lib = nixpkgs.lib; }; hmConfigurations = { dadada = import ./home; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 50dd263..f449646 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,6 +1,7 @@ let dadada = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+bBJptw2H35vMPV7Mfj9oaepR7cHCQH8ZsvL8qnj+r dadada (nix-config-secrets) "; systems = { + agares = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcbuLtU9/VhFy5VAp/ZI0T+gr7kExG73hmjjvno10gP root@nixos"; gorgon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCcwG8BkqjZJ1bPdFbLYfXeBgaI10+gyVs1r1aNJ49H root@gorgon"; ifrit = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEYO4L5EvKRtVUB6YHtHN7R980fwH9kKVt0V3kj6rORS root@nixos"; ninurta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8TDCzjVVO7A4k6rp+srMj0HHc5gmUOlskTBOvhMkEc root@nixos"; @@ -62,16 +63,24 @@ in dadada ]; "ddns-credentials.age".publicKeys = [ + systems.agares systems.ninurta dadada ]; "etc-ppp-chap-secrets.age".publicKeys = [ + systems.agares dadada ]; "etc-ppp-telekom-secret.age".publicKeys = [ + systems.agares dadada ]; "wg-privkey-vpn-dadada-li.age".publicKeys = [ + systems.agares + dadada + ]; + "agares-wg0-key.age".publicKeys = [ + systems.agares dadada ]; } @@ -80,4 +89,5 @@ in // backupSecrets "ifrit" // backupSecrets "pruflas" // backupSecrets "surgat" +// backupSecrets "agares" // backupSecrets "stolas"