dadada/nix-config
dadada/nix-config
1
0
Fork 0
Code Issues 2 Pull requests 5 Projects Releases Packages Wiki Activity Actions

Compare commits

base: dadada:02bcc3ede9be81405963319b6eb2f134a8235c04
Branches Tags
dadada:main
dadada:dev/stolas
dadada:dependabot/github_actions/DeterminateSystems/update-flake-lock-23
dadada:update_flake_lock_action
dadada:dependabot/github_actions/DeterminateSystems/nix-installer-action-12
dadada:dependabot/github_actions/cachix/cachix-action-15
dadada:dependabot/github_actions/cachix/install-nix-action-27
dadada:v0.1
..
compare: dadada:578d4526e5e7c2221bd544e337fa30b8692e4a79
Branches Tags
dadada:main
dadada:dev/stolas
dadada:dependabot/github_actions/DeterminateSystems/update-flake-lock-23
dadada:update_flake_lock_action
dadada:dependabot/github_actions/DeterminateSystems/nix-installer-action-12
dadada:dependabot/github_actions/cachix/cachix-action-15
dadada:dependabot/github_actions/cachix/install-nix-action-27
dadada:v0.1

No commits in common. "02bcc3ede9be81405963319b6eb2f134a8235c04" and "578d4526e5e7c2221bd544e337fa30b8692e4a79" have entirely different histories.
02bcc3ede9 ... 578d4526e5

18 changed files with 863 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

20
checks.nix Normal file
View file

@ -0,0 +1,20 @@
{
self,
flake-utils,
nixpkgs,
...
}:
(flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = nixpkgs.legacyPackages.${system};
formatter = self.formatter.${system};
in
{
checks = {
format = pkgs.runCommand "check-format" {
buildInputs = [ formatter ];
} "${formatter}/bin/nixpkgs-fmt --check ${./.} && touch $out";
};
}
)).checks

1
devshell.nix
View file

@ -6,6 +6,7 @@
packages = with pkgs; [
agenix
nixpkgs-fmt
nixos-rebuild
];

108
nixos/agares/configuration.nix Normal file
View file

@ -0,0 +1,108 @@
{
config,
modulesPath,
pkgs,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
./ddns.nix
./dns.nix
./firewall.nix
../modules/profiles/server.nix
./network.nix
./ntp.nix
./ppp.nix
];
fileSystems."/" = {
device = "/dev/sda1";
fsType = "btrfs";
options = [ "subvol=root" ];
};
#fileSystems."/nix/store" = {
# device = "/dev/sda1";
# fsType = "btrfs";
# options = [ "subvol=/root/nix" "noatime" ];
#};
fileSystems."/swap" = {
device = "/dev/sda1";
fsType = "btrfs";
options = [
"subvol=/root/swap"
"noatime"
];
};
#swapDevices = [{
# device = "/swap/swapfile";
# size = 32 * 1024; # 32 GByte
#}];
hardware.cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware;
dadada = {
admin.enable = true;
};
services.smartd.enable = true;
networking.hostName = "agares";
networking.domain = "bs.dadada.li";
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"ehci_pci"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
boot.initrd.kernelModules = [ "dm-snapshot" ];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
boot.loader.grub.extraConfig = "
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input serial
terminal_output serial
";
boot.kernelParams = [
"console=ttyS0,115200"
"amd_iommu=on"
"iommu=pt"
];
boot.kernelModules = [
"kvm-amd"
"vfio"
"vfio_iommu_type1"
"vfio_pci"
"vfio_virqfd"
];
environment.systemPackages = with pkgs; [
curl
flashrom
dmidecode
tcpdump
];
services.munin-node = {
enable = true;
extraConfig = ''
host_name ${config.networking.hostName}
cidr_allow 10.3.3.3/32
'';
};
# Running router VM. They have to be restarted in the right order, so network comes up cleanly. Not ideal.
system.autoUpgrade.allowReboot = false;
system.stateVersion = "23.05";
}

13
nixos/agares/ddns.nix Normal file
View file

@ -0,0 +1,13 @@
{ config, ... }:
{
dadada.ddns = {
domains = [ "vpn.dadada.li" ];
credentialsPath = config.age.secrets."ddns-credentials".path;
interface = "ppp0";
};
age.secrets."ddns-credentials" = {
file = "${config.dadada.secrets.path}/ddns-credentials.age";
mode = "400";
};
}

81
nixos/agares/dns.nix Normal file
View file

@ -0,0 +1,81 @@
{ ... }:
{
services.unbound = {
enable = true;
localControlSocketPath = "/run/unbound/unbound.ctl";
settings = {
server = {
access-control = [
"127.0.0.0/8 allow"
"127.0.0.1/32 allow_snoop"
"192.168.96.0/19 allow"
"192.168.1.0/24 allow"
"172.16.128.0/24 allow"
"::1/128 allow_snoop"
"fd42:9c3b:f96d::/48 allow"
];
interface = [
"127.0.0.1"
"192.168.1.1"
"192.168.100.1"
"192.168.101.1"
"192.168.102.1"
"192.168.103.1"
"192.168.120.1"
"::1"
"fd42:9c3b:f96d:100::1"
"fd42:9c3b:f96d:101::1"
"fd42:9c3b:f96d:102::1"
"fd42:9c3b:f96d:103::1"
"fd42:9c3b:f96d:120::1"
];
prefer-ip6 = true;
prefetch = true;
prefetch-key = true;
serve-expired = false;
aggressive-nsec = true;
hide-identity = true;
hide-version = true;
use-caps-for-id = true;
val-permissive-mode = true;
local-data = [
"\"agares.bs.dadada.li. 10800 IN A 192.168.101.1\""
"\"danjal.bs.dadada.li. 10800 IN A 192.168.100.108\""
"\"legion.bs.dadada.li. 10800 IN A 192.168.100.107\""
"\"ninurta.bs.dadada.li. 10800 IN A 192.168.101.184\""
"\"agares.bs.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101::1\""
"\"ninurta.bs.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe\""
"\"backup1.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe\""
];
local-zone = [
"\"168.192.in-addr.arpa.\" nodefault"
"\"d.f.ip6.arpa.\" nodefault"
];
};
forward-zone = [
{
name = ".";
forward-tls-upstream = "yes";
forward-addr = [
"2620:fe::fe@853#dns.quad9.net"
"2620:fe::9@853#dns.quad9.net"
"9.9.9.9@853#dns.quad9.net"
"149.112.112.112@853#dns.quad9.net"
];
}
];
stub-zone =
let
stubZone = name: addrs: {
name = "${name}";
stub-addr = addrs;
};
in
[
#(stubZone "li.dadada.bs" ["192.168.128.220" "2a01:4f8:c010:a710::1"])
#(stubZone "d.6.9.f.b.3.c.9.2.4.d.f.ip6.arpa" ["192.168.101.220" "2a01:4f8:c010:a710::1"])
#(stubZone "168.192.in-addr.arpa" ["192.168.128.220" "2a01:4f8:c010:a710::1"])
];
};
};
}

13
nixos/agares/firewall.nix Normal file
View file

@ -0,0 +1,13 @@
{ ... }:
{
networking = {
useDHCP = false;
nat.enable = false;
firewall.enable = false;
nftables = {
enable = true;
checkRuleset = true;
ruleset = builtins.readFile ./rules.nft;
};
};
}

323
nixos/agares/network.nix Normal file
View file

@ -0,0 +1,323 @@
{ config, lib, ... }:
let
ulaPrefix = "fd42:9c3b:f96d"; # fd42:9c3b:f96d::/48
ipv4Prefix = "192.168"; # 192.168.96.0/19
domain = "bs.dadada.li";
in
{
networking.useDHCP = false;
systemd.network = {
enable = true;
links = {
"10-persistent" = {
matchConfig.OriginalName = [
"enp1s0"
"enp2s0"
]; # takes search domains from the [Network]
linkConfig.MACAddressPolicy = "persistent";
};
};
netdevs = {
# QoS concentrator
"ifb4ppp0" = {
netdevConfig = {
Kind = "ifb";
Name = "ifb4ppp0";
};
};
"20-lan" = {
netdevConfig = {
Kind = "vlan";
Name = "lan.10";
};
vlanConfig = {
Id = 10;
};
};
"20-freifunk" = {
netdevConfig = {
Kind = "vlan";
Name = "ff.11";
};
vlanConfig = {
Id = 11;
};
};
"20-roadw" = {
netdevConfig = {
Kind = "wireguard";
Name = "roadw";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."wg-privkey-vpn-dadada-li".path;
ListenPort = 51234;
};
wireguardPeers = [
{
wireguardPeerConfig =
let
peerAddresses = i: [
"${ipv4Prefix}.120.${i}/32"
"${ulaPrefix}:120::${i}/128"
];
in
{
PublicKey = "0eWP1hzkyoXlrjPSOq+6Y1u8tnFH+SejBJs8f8lf+iU=";
AllowedIPs = peerAddresses "3";
};
}
];
};
"20-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."wg-privkey-wg0".path;
ListenPort = 51235;
};
wireguardPeers = lib.singleton {
wireguardPeerConfig = {
PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE=";
AllowedIPs = [
"10.3.3.3/32"
"fd42:9c3b:f96d:121::3/128"
"fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128"
];
};
};
};
};
networks =
let
subnet = name: subnetId: {
matchConfig.Name = name;
addresses = [
{ addressConfig.Address = "${ipv4Prefix}.${subnetId}.1/24"; }
{ addressConfig.Address = "${ulaPrefix}:${subnetId}::1/64"; }
];
dhcpPrefixDelegationConfig = {
SubnetId = "auto";
};
ipv6Prefixes = [
{
ipv6PrefixConfig.Prefix = "${ulaPrefix}:${subnetId}::/64";
}
];
dhcpServerConfig = {
DNS = "_server_address";
NTP = "_server_address";
EmitDNS = true;
EmitNTP = true;
EmitRouter = true;
PoolOffset = 100;
PoolSize = 100;
};
ipv6SendRAConfig = {
EmitDNS = true;
DNS = "_link_local";
EmitDomains = true; # takes search domains from the [Network]
};
linkConfig = {
RequiredForOnline = false;
};
networkConfig = {
Domains = domain;
EmitLLDP = "yes";
IPv6SendRA = true;
IPv6AcceptRA = false;
DHCPPrefixDelegation = true;
DHCPServer = true;
};
extraConfig = ''
[CAKE]
OverheadBytes = 38
Bandwidth = 1G
RTT = lan
'';
};
in
{
"10-mgmt" = lib.mkMerge [
(subnet "enp1s0" "100")
{
networkConfig.VLAN = [
"lan.10"
"ff.11"
];
dhcpServerStaticLeases = [
{
# legion
dhcpServerStaticLeaseConfig = {
Address = "192.168.100.107";
MACAddress = "80:CC:9C:95:4A:60";
};
}
{
# danyal
dhcpServerStaticLeaseConfig = {
Address = "192.168.100.108";
MACAddress = "c8:9e:43:a3:3d:7f";
};
}
];
}
];
"30-wg0" = {
matchConfig.Name = "wg0";
address = [
"10.3.3.2/32"
"fd42:9c3b:f96d:121::2/128"
];
DHCP = "no";
networkConfig.IPv6AcceptRA = false;
linkConfig.RequiredForOnline = false;
routes = [
{
routeConfig = {
Destination = "10.3.3.1/24";
};
}
{
routeConfig = {
Destination = "fd42:9c3b:f96d:121::1/64";
};
}
];
};
"30-lan" = subnet "lan.10" "101" // {
dhcpServerStaticLeases = [
{
# ninurta
dhcpServerStaticLeaseConfig = {
Address = "192.168.101.184";
MACAddress = "48:21:0B:3E:9C:FE";
};
}
{
# crocell
dhcpServerStaticLeaseConfig = {
Address = "192.168.101.122";
MACAddress = "9C:C9:EB:4F:3F:0E";
};
}
{
# gorgon
dhcpServerStaticLeaseConfig = {
Address = "192.168.101.205";
MACAddress = "8C:C6:81:6A:39:2F";
};
}
];
};
"30-ff" = subnet "ff.11" "102";
"30-ifb4ppp0" = {
name = "ifb4ppp0";
extraConfig = ''
[CAKE]
OverheadBytes = 65
Bandwidth = 100M
FlowIsolationMode = triple
RTT = internet
'';
linkConfig = {
RequiredForOnline = false;
};
};
"30-ppp0" = {
name = "ppp*";
linkConfig = {
RequiredForOnline = "routable";
};
networkConfig = {
KeepConfiguration = "static";
DefaultRouteOnDevice = true;
LinkLocalAddressing = "ipv6";
DHCP = "ipv6";
};
extraConfig = ''
[CAKE]
OverheadBytes = 65
Bandwidth = 40M
FlowIsolationMode = triple
NAT=true
RTT = internet
[DHCPv6]
PrefixDelegationHint= ::/56
UseAddress = false
UseDelegatedPrefix = true
WithoutRA = solicit
[DHCPPrefixDelegation]
UplinkInterface=:self
'';
ipv6SendRAConfig = {
# Let networkd know that we would very much like to use DHCPv6
# to obtain the "managed" information. Not sure why they can't
# just take that from the upstream RAs.
Managed = true;
};
};
# Talk to modem for management
"enp2s0" = {
name = "enp2s0";
linkConfig = {
RequiredForOnline = false;
};
networkConfig = {
Address = "192.168.1.254/24";
EmitLLDP = "yes";
};
};
"10-roadw" = {
matchConfig.Name = "roadw";
addresses = [
{ addressConfig.Address = "${ipv4Prefix}.120.1/24"; }
{ addressConfig.Address = "${ulaPrefix}:120::1/64"; }
];
DHCP = "no";
networkConfig.IPv6AcceptRA = false;
linkConfig.RequiredForOnline = false;
routes = [
{
routeConfig = {
Destination = "${ipv4Prefix}.120.1/24";
};
}
{
routeConfig = {
Destination = "${ulaPrefix}::120:1/64";
};
}
];
};
};
};
age.secrets."wg-privkey-vpn-dadada-li" = {
file = "${config.dadada.secrets.path}/wg-privkey-vpn-dadada-li.age";
owner = "systemd-network";
};
age.secrets."wg-privkey-wg0" = {
file = "${config.dadada.secrets.path}/agares-wg0-key.age";
owner = "systemd-network";
};
boot.kernel.sysctl = {
# Enable forwarding for interface
"net.ipv4.conf.all.forwarding" = "1";
"net.ipv6.conf.all.forwarding" = "1";
"net.ipv6.conf.all.accept_ra" = "0";
"net.ipv6.conf.all.autoconf" = "0";
# Set via systemd-networkd
#"net.ipv6.conf.${intf}.use_tempaddr" = "0";
};
powerManagement.cpuFreqGovernor = lib.mkDefault "schedutil";
}

12
nixos/agares/ntp.nix Normal file
View file

@ -0,0 +1,12 @@
{ ... }:
{
services.chrony = {
enable = true;
extraConfig = ''
allow 192.168.1
allow 192.168.100
allow 192.168.101
allow 192.168.102
'';
};
}

68
nixos/agares/ppp.nix Normal file
View file

@ -0,0 +1,68 @@
{
pkgs,
lib,
config,
...
}:
let
secretsPath = config.dadada.secrets.path;
in
{
# PPPoE
services.pppd = {
enable = true;
peers = {
telekom = {
enable = true;
autostart = true;
config = ''
debug
plugin pppoe.so enp2s0
noauth
hide-password
call telekom-secret
linkname ppp0
persist
maxfail 0
holdoff 5
noipdefault
defaultroute
lcp-echo-interval 15
lcp-echo-failure 3
'';
};
};
};
age.secrets."etc-ppp-telekom-secret" = {
file = "${secretsPath}/etc-ppp-telekom-secret.age";
owner = "root";
mode = "700";
path = "/etc/ppp/peers/telekom-secret";
};
age.secrets."etc-ppp-pap-secrets" = {
# format: client server passphrase
file = "${secretsPath}/etc-ppp-chap-secrets.age";
owner = "root";
mode = "700";
path = "/etc/ppp/pap-secrets";
};
# Hook for QoS via Intermediate Functional Block
environment.etc."ppp/ip-up" = {
mode = "755";
text = with lib; ''
#!/usr/bin/env sh
${getBin pkgs.iproute2}/bin/tc qdisc del dev $1 ingress
${getBin pkgs.iproute2}/bin/tc qdisc add dev $1 handle ffff: ingress
${getBin pkgs.iproute2}/bin/tc filter add dev $1 parent ffff: matchall action mirred egress redirect dev ifb4ppp0
'';
};
}

136
nixos/agares/rules.nft Normal file
View file

@ -0,0 +1,136 @@
flush ruleset
define IF_MGMT = "enp1s0"
define IF_FF = "ff.11"
define IF_LAN = "lan.10"
define IF_WAN = "ppp0"
# Modem uses this for internet uplink via our WAN
define IF_MODEM = "enp2s0"
define IF_ROADW = "roadw"
table inet filter {
# Will give "no such file or directory if hardware does not support flow offloading"
# flowtable f {
# hook ingress priority 0; devices = { enp1s0, enp2s0 }; flags offload;
# }
chain input_local {
ip6 saddr != ::1/128 log prefix "Dropped IPv6 nonlocalhost packet on loopback:" drop
accept comment "Accept traffic to loopback interface"
}
chain input_icmp_untrusted {
# Allow ICMP echo
ip protocol icmp icmp type { echo-request } limit rate 1000/second burst 5 packets accept comment "Accept echo request"
# Allow some ICMPv6
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } limit rate 1000/second burst 5 packets accept comment "Allow some ICMPv6"
}
chain input_modem {
jump input_icmp_untrusted
}
chain input_wan {
# DHCPv6 client
meta nfproto ipv6 udp sport 547 accept comment "Allow DHCPv6 client"
jump input_icmp_untrusted
udp dport 51234 accept comment "Wireguard roadwarriors"
}
chain input_lan {
counter accept comment "Accept all traffic from LAN"
}
chain input_mgmt {
counter accept comment "Accept all traffic from MGMT"
}
chain input_roadw {
counter accept comment "Accept all traffic from roadwarriors"
}
chain input_ff {
jump input_icmp_untrusted
# DHCP
meta nfproto ipv6 udp dport 547 accept comment "Allow DHCPv6 client"
# Allow DNS and DHCP from Freifunk
udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk"
}
chain input_wg0 {
tcp dport 4949 accept comment "Munin node"
}
chain input {
type filter hook input priority filter; policy drop;
ct state {established, related} counter accept comment "Accept packets from established and related connections"
ct state invalid counter drop comment "Early drop of invalid packets"
iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt, wg0 : jump input_wg0 }
}
# Only works if hardware flow offloading is available
# chain offload {
# type filter hook forward priority -100; policy accept;
# ip protocol tcp flow add @f
# counter packets 0 bytes 0
# }
chain forward {
type filter hook forward priority filter; policy drop;
# Accept connections tracked by destination NAT
ct status dnat counter accept comment "Accept connections tracked by DNAT"
# TCP options
tcp flags syn tcp option maxseg size set rt mtu comment "Remove TCP maximum segment size and set a size based on route information"
# ICMPv6
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, parameter-problem } limit rate 5/second counter accept comment "Forward up to five ICMP messages of allowed types per second"
meta l4proto ipv6-icmp accept comment "Forward ICMP in IPv6"
# mgmt <-> *
iifname { $IF_LAN, $IF_ROADW } oifname $IF_MGMT counter reject comment "Reject traffic from LAN and roadwarrior to MGMT"
iifname $IF_MGMT oifname { $IF_LAN, $IF_ROADW } counter reject comment "Reject traffic from MGMT to LAN and roadwarrior"
# drop (instead of reject) everything else to MGMT
# LAN, ROADW -> * (except mgmt)
iifname { $IF_LAN, $IF_ROADW } counter accept comment "Allow all traffic forwarding from LAN and roadwarrior to all interfaces, except to mgmt"
# FF -> WAN
iifname { $IF_FF } oifname $IF_WAN counter accept comment "Allow all traffic forwarding from Freifunk and services to WAN"
# { WAN } -> { FF, LAN, RW }
iifname { $IF_WAN } oifname { $IF_FF, $IF_LAN, $IF_ROADW } ct state established,related counter accept comment "Allow established back from WAN"
}
chain output {
type filter hook output priority 100; policy accept;
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip saddr { 192.168.96.0/19 } oifname { $IF_WAN } masquerade comment "Masquerade traffic from LANs"
}
}
table arp filter {
chain input {
type filter hook input priority filter; policy drop;
iifname { $IF_MGMT, $IF_LAN, $IF_FF, $IF_MODEM } limit rate 1/second burst 2 packets accept comment "Limit number of ARP messages from LAN, FF, MGMT, modem"
}
}

8
nixos/configurations.nix
View file

@ -77,6 +77,14 @@ in
];
};
agares = nixosSystem {
modules = [
{ nixpkgs.pkgs = nixpkgsx86; }
baseModule
./agares/configuration.nix
];
};
installer = nixosSystem {
modules = [
nixos-generators.nixosModules.install-iso

2
nixos/gorgon/configuration.nix
View file

@ -261,7 +261,7 @@ in
xdg.portal.wlr.enable = false;
hardware.bluetooth.enable = true;
hardware.graphics = {
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
vaapiVdpau

5
nixos/modules/steam.nix
View file

@ -15,8 +15,11 @@ in
};
};
config = mkIf cfg.enable {
hardware.graphics = {
nixpkgs.config.allowUnfree = true;
hardware.opengl = {
enable = true;
driSupport32Bit = true;
extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
};

2
nixos/modules/yubikey.nix
View file

@ -34,7 +34,7 @@ in
};
u2f = {
control = "sufficient";
settings.cue = true;
cue = true;
};
};

16
nixos/ninurta/configuration.nix
View file

@ -270,10 +270,14 @@ in
linkConfig.RequiredForOnline = false;
routes = [
{
routeConfig = {
Destination = "10.3.3.1/24";
};
}
{
routeConfig = {
Destination = "fd42:9c3b:f96d:121::1/64";
};
}
];
};
@ -290,10 +294,14 @@ in
linkConfig.RequiredForOnline = false;
routes = [
{
routeConfig = {
Destination = "10.11.0.0/22";
};
}
{
routeConfig = {
Destination = "fc00:1337:dead:beef::10.11.0.0/118";
};
}
];
};
@ -333,6 +341,7 @@ in
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY=";
AllowedIPs = [
"10.3.3.1/32"
@ -340,14 +349,17 @@ in
];
PersistentKeepalive = 25;
Endpoint = "surgat.dadada.li:51235";
};
}
{
wireguardPeerConfig = {
PublicKey = "INfv++4R+Kd2jdh/3CooM70ZeeoN6aeU6mo+T4C8gWU=";
AllowedIPs = [
"10.3.3.2/32"
"fd42:9c3b:f96d:121::2/128"
];
Endpoint = "192.168.101.1:51235";
};
}
];
};
@ -361,6 +373,7 @@ in
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8=";
AllowedIPs = [
"10.11.0.0/22"
@ -370,6 +383,7 @@ in
PersistentKeepalive = 25;
PresharedKeyFile = config.age.secrets.${uwuPresharedKey}.path;
Endpoint = "53c70r.de:51820";
};
}
];
};
@ -429,7 +443,7 @@ in
})
];
services.pulseaudio.enable = false;
hardware.pulseaudio.enable = false;
environment.systemPackages = with pkgs; [
smartmontools

12
nixos/surgat/configuration.nix
View file

@ -74,10 +74,12 @@ in
"2a01:4f8:c17:1d70::/64"
];
routes = [
{ Gateway = "fe80::1"; }
{ routeConfig.Gateway = "fe80::1"; }
{
routeConfig = {
Gateway = "172.31.1.1";
GatewayOnLink = true;
};
}
];
linkConfig.RequiredForOnline = "routable";
@ -93,13 +95,19 @@ in
linkConfig.RequiredForOnline = "no";
routes = [
{
routeConfig = {
Destination = "10.3.3.3/24";
};
}
{
routeConfig = {
Destination = "fd42:9c3b:f96d:121::/64";
};
}
{
routeConfig = {
Destination = "fd42:9c3b:f96d:101::/64";
};
}
];
};
@ -116,12 +124,14 @@ in
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE=";
AllowedIPs = [
"10.3.3.3/32"
"fd42:9c3b:f96d:121::3/128"
"fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128"
];
};
}
];
};

5
outputs.nix
View file

@ -27,10 +27,6 @@
in
import ./devshell.nix { inherit pkgs extraModules; };
checks = {
formatting = treefmtEval.config.build.check self;
};
formatter = treefmtEval.config.build.wrapper;
packages = import ./pkgs { inherit pkgs; } // {
@ -39,6 +35,7 @@
}
))
// {
checks = import ./checks.nix inputs;
hmModules = import ./home/modules.nix { lib = nixpkgs.lib; };
hmConfigurations = {
dadada = import ./home;

10
secrets/secrets.nix
View file

@ -1,6 +1,7 @@
let
dadada = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+bBJptw2H35vMPV7Mfj9oaepR7cHCQH8ZsvL8qnj+r dadada (nix-config-secrets) <dadada@dadada.li>";
systems = {
agares = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcbuLtU9/VhFy5VAp/ZI0T+gr7kExG73hmjjvno10gP root@nixos";
gorgon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCcwG8BkqjZJ1bPdFbLYfXeBgaI10+gyVs1r1aNJ49H root@gorgon";
ifrit = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEYO4L5EvKRtVUB6YHtHN7R980fwH9kKVt0V3kj6rORS root@nixos";
ninurta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8TDCzjVVO7A4k6rp+srMj0HHc5gmUOlskTBOvhMkEc root@nixos";
@ -62,16 +63,24 @@ in
dadada
];
"ddns-credentials.age".publicKeys = [
systems.agares
systems.ninurta
dadada
];
"etc-ppp-chap-secrets.age".publicKeys = [
systems.agares
dadada
];
"etc-ppp-telekom-secret.age".publicKeys = [
systems.agares
dadada
];
"wg-privkey-vpn-dadada-li.age".publicKeys = [
systems.agares
dadada
];
"agares-wg0-key.age".publicKeys = [
systems.agares
dadada
];
}
@ -80,4 +89,5 @@ in
// backupSecrets "ifrit"
// backupSecrets "pruflas"
// backupSecrets "surgat"
// backupSecrets "agares"
// backupSecrets "stolas"