parent
2550dbda72
commit
2757a4e9d5
@ -0,0 +1,30 @@ |
|||||||
|
{ config, ... }: |
||||||
|
|
||||||
|
{ |
||||||
|
# HACK (doesn't work): solution to failing ACME services due to |
||||||
|
# failing DNS // See: https://github.com/NixOS/nixpkgs/issues/106862 |
||||||
|
systemd.services."acme-fixperms".wants = [ "bind.service" ]; |
||||||
|
systemd.services."acme-fixperms".after = [ "bind.service" ]; |
||||||
|
|
||||||
|
security.acme.acceptTerms = true; |
||||||
|
security.acme.certs."alarei.kookie.space" = { |
||||||
|
email = "letsencrypt@spacekookie.de"; |
||||||
|
webroot = "/var/lib/acme/acme-challenge"; |
||||||
|
extraDomainNames = [ |
||||||
|
"kookiejar.tech" |
||||||
|
"media.kookiejar.tech" |
||||||
|
"media.alarei.kookie.space" |
||||||
|
"sync.kookiejar.tech" |
||||||
|
"sync.alarei.kookie.space" |
||||||
|
"cloud.kookiejar.tech" |
||||||
|
"could.alarei.kookie.space" |
||||||
|
"music.kookiejar.tech" |
||||||
|
"music.alarei.kookie.space" |
||||||
|
]; |
||||||
|
group = "nginx"; |
||||||
|
}; |
||||||
|
|
||||||
|
users.users.nginx.extraGroups = [ "core" ]; |
||||||
|
|
||||||
|
services.nginx.clientMaxBodySize = "2048M"; |
||||||
|
} |
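Review bot: `"could.alarei.kookie.space"` in `extraDomainNames` looks like a typo for `cloud.alarei.kookie.space`, which is the alias the nextcloud vhost in this commit serves under `useACMEHost = "alarei.kookie.space"`; as written the issued certificate will not cover that alias and clients connecting to it will see a TLS name mismatch. Separately, this certificate uses `webroot` mode, but none of the nginx vhosts added in this commit use `enableACME` or otherwise serve `/.well-known/acme-challenge/` from `/var/lib/acme/acme-challenge`, and `alarei.kookie.space` and the two `music.*` names have no vhost here at all — unless those are served elsewhere, HTTP-01 validation for them cannot succeed, which may be the real cause behind the `HACK (doesn't work)` comment rather than DNS. Consider issuing via `services.nginx.virtualHosts."alarei.kookie.space".enableACME = true;` style configuration, or document where the challenge path is served.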
@ -0,0 +1,11 @@ |
|||||||
|
/** A special module to handle the datacore zfs storage |
||||||
|
* |
||||||
|
* Sets up special archive modes for ZFS and tools to manage the |
||||||
|
* encrypted data sets. |
||||||
|
* |
||||||
|
*/ |
||||||
|
{ config, ... }: |
||||||
|
|
||||||
|
{ |
||||||
|
users.groups.core = {}; |
||||||
|
} |
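Review bot: The header comment describes ZFS archive modes and tooling for encrypted datasets, but the module body only declares `users.groups.core = {};`, so the documentation overstates what is configured. That group is the access boundary this commit relies on — it is granted to nginx, jellyfin, nextcloud, the syncthing service user and the interactive users in the other files — so the comment is worth rewriting to say that, e.g. `# Shared group for access to the datacore storage; granted to the storage-facing services and users that need it`. Anything that shares a group with several network-facing services inherits their blast radius, so stating that here helps the next reviewer judge each new `extraGroups = [ "core" ]` line.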
@ -0,0 +1,64 @@ |
|||||||
|
/** Custom ferm2 configuration on gaia |
||||||
|
* |
||||||
|
* This set of configuration options is required to make the wireguard |
||||||
|
* uplink to osmos.pbb.dev work. It does so by tagging all packets |
||||||
|
* coming in over a particular interface (public-ip) with a mark, and |
||||||
|
* then sorts replies to these connections into a special firewall |
||||||
|
* table to send them out over this link again as well. |
||||||
|
* |
||||||
|
* This module assumes that wireguard is enabled and configured |
||||||
|
*/ |
||||||
|
|
||||||
|
{ config, ... }: |
||||||
|
|
||||||
|
{ |
||||||
|
# Main firewall configuration |
||||||
|
services.ferm2 = { |
||||||
|
enable = true; |
||||||
|
extraConfig = '' |
||||||
|
table mangle { |
||||||
|
chain PREROUTING { |
||||||
|
# Mark all connections coming in from public-ip with mark 1312 |
||||||
|
interface public-ip CONNMARK set-mark 1312; |
||||||
|
} |
||||||
|
|
||||||
|
chain OUTPUT { |
||||||
|
# Mark all packets that are responses to incoming public-ip |
||||||
|
# connetions with mark 1312 (we can filter this in the fw later) |
||||||
|
CONNMARK restore-mark; |
||||||
|
} |
||||||
|
} |
||||||
|
''; |
||||||
|
}; |
||||||
|
|
||||||
|
# Additional ip commands to configure the firewall |
||||||
|
# |
||||||
|
# FIXME: create a firewall module that wraps around this |
||||||
|
networking.localCommands = '' |
||||||
|
set -x |
||||||
|
ip -6 rule flush |
||||||
|
ip -4 rule flush |
||||||
|
ip -6 rule add lookup main prio 32000 |
||||||
|
ip -4 rule add lookup main prio 32000 |
||||||
|
|
||||||
|
# Take packets with fwmark and sort it into 1312 table |
||||||
|
ip -6 rule add from all fwmark 1312 lookup 1312 pref 9000 |
||||||
|
ip -4 rule add from all fwmark 1312 lookup 1312 pref 9000 |
||||||
|
''; |
||||||
|
|
||||||
|
networking.wireguard.interfaces."public-ip" = { |
||||||
|
ips = [ "2a0f:4ac0::18" "195.39.247.18" ]; |
||||||
|
privateKeyFile = "/var/lib/wireguard/keys/milan.private"; |
||||||
|
allowedIPsAsRoutes = true; |
||||||
|
table = "1312"; |
||||||
|
postSetup = "ip link set dev public-ip mtu 1500"; |
||||||
|
peers = [ |
||||||
|
{ publicKey = "kih/GnR4Bov/DM/7Rd21wK+PFQRUNH6sywVuNKkUAkk="; |
||||||
|
allowedIPs = [ "0.0.0.0/0" "::/0" ]; |
||||||
|
# TODO: Currently telecom ipv6 handling is broken |
||||||
|
# endpoint = "2a01:581:1:9::1:51820"; |
||||||
|
endpoint = "62.176.250.82:51820"; |
||||||
|
persistentKeepalive = 25; } |
||||||
|
]; |
||||||
|
}; |
||||||
|
} |
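Review bot: `ip -6 rule flush` / `ip -4 rule flush` in `networking.localCommands` removes every policy-routing rule on the host, not only the ones this module installs, and afterwards only the `main` lookup is re-added — the standard `lookup default` rule (priority 32767) is not restored, and any rule another service set up is gone until that service is restarted. A narrower, idempotent form deletes just the module's own rule before re-adding it, `ip -4 rule del fwmark 1312 lookup 1312 2>/dev/null || true` (and the `-6` equivalent), with no global flush. `set -x` on the first line reads as leftover debugging and echoes every command into the journal. The OUTPUT-chain comment has a typo: `connetions` → `connections`.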
@ -0,0 +1,45 @@ |
|||||||
|
{ config, lib, ... }: |
||||||
|
|
||||||
|
{ |
||||||
|
# Default port should be 8096 |
||||||
|
services.jellyfin = { |
||||||
|
enable = true; |
||||||
|
group = "core"; |
||||||
|
}; |
||||||
|
|
||||||
|
# Required for chromecast stuff... |
||||||
|
networking.firewall.allowedTCPPorts = [ 8096 ]; |
||||||
|
|
||||||
|
# Give jellyfin "core" group |
||||||
|
users.users.jellyfin.extraGroups = [ "core" ]; |
||||||
|
|
||||||
|
# Enable nginx if not already |
||||||
|
services.nginx.enable = true; |
||||||
|
services.nginx.virtualHosts."media.kookiejar.tech" = { |
||||||
|
serverAliases = [ "media.alarei.kookie.space" "kookiejar.tech" ]; |
||||||
|
useACMEHost = "alarei.kookie.space"; |
||||||
|
forceSSL = true; |
||||||
|
locations."/" = { |
||||||
|
proxyPass = "http://127.0.0.1:8096"; |
||||||
|
}; |
||||||
|
|
||||||
|
locations."/socket" = { |
||||||
|
proxyPass = "http://127.0.0.1:8096"; |
||||||
|
extraConfig = '' |
||||||
|
# global proxy conf |
||||||
|
proxy_set_header Host $host; |
||||||
|
proxy_set_header X-Real-IP $remote_addr; |
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||||||
|
proxy_set_header X-Forwarded-Proto $scheme; |
||||||
|
proxy_set_header X-Forwarded-Host $host:$server_port; |
||||||
|
proxy_set_header X-Forwarded-Port $server_port; |
||||||
|
|
||||||
|
# websocket support |
||||||
|
proxy_http_version 1.1; |
||||||
|
proxy_set_header Upgrade $http_upgrade; |
||||||
|
proxy_set_header Connection $connection_upgrade; |
||||||
|
''; |
||||||
|
}; |
||||||
|
}; |
||||||
|
|
||||||
|
} |
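Review bot: `networking.firewall.allowedTCPPorts = [ 8096 ];` opens Jellyfin's plaintext HTTP port on every interface — including the `public-ip` and `intranet` WireGuard interfaces added in this commit, since the ferm2 module feeds `fwcfg.allowedTCPPorts` into a global INPUT rule — which bypasses the `forceSSL` nginx vhost placed in front of it. If the port is only needed for Chromecast discovery on the LAN, scope it to that interface, `networking.firewall.interfaces.eno1.allowedTCPPorts = [ 8096 ];`, which the ferm2 module also honours via its `fwcfg.interfaces` mapping. Also `locations."/"` passes none of the `X-Forwarded-*`/`X-Real-IP` headers that `locations."/socket"` sets, so Jellyfin sees every HTTP client as 127.0.0.1 in its logs and for anything keyed on client address; `services.nginx.recommendedProxySettings = true;` applies those headers to all proxied locations.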
@ -0,0 +1,44 @@ |
|||||||
|
{ config, lib, pkgs, ... }: |
||||||
|
|
||||||
|
{ |
||||||
|
services.nginx.enable = true; |
||||||
|
services.nginx.virtualHosts."cloud.kookiejar.tech" = { |
||||||
|
serverAliases = [ "cloud.alarei.kookie.space"]; |
||||||
|
useACMEHost = "alarei.kookie.space"; |
||||||
|
forceSSL = true; |
||||||
|
}; |
||||||
|
|
||||||
|
# Give nextcloud "core" group |
||||||
|
users.users.nextcloud.extraGroups = [ "core" ]; |
||||||
|
|
||||||
|
# Enable nextcloud and php settings |
||||||
|
services.phpfpm.phpPackage = pkgs.php73; |
||||||
|
services.nextcloud = { |
||||||
|
enable = true; |
||||||
|
package = pkgs.nextcloud19; |
||||||
|
hostName = "cloud.kookiejar.tech"; |
||||||
|
https = true; |
||||||
|
autoUpdateApps.enable = true; |
||||||
|
config = { |
||||||
|
dbtype = "pgsql"; |
||||||
|
dbuser = "nextcloud"; |
||||||
|
dbhost = "/run/postgresql"; |
||||||
|
dbname = "nextcloud"; |
||||||
|
adminpassFile = "/var/lib/nextcloud.admin.pw"; |
||||||
|
adminuser = "spacekookie"; |
||||||
|
}; |
||||||
|
home = "/datacore/cloud"; |
||||||
|
}; |
||||||
|
|
||||||
|
# Setup postgres (currently only used by nextcloud) |
||||||
|
services.postgresql = { |
||||||
|
enable = true; |
||||||
|
ensureDatabases = [ "nextcloud" ]; |
||||||
|
ensureUsers = [ |
||||||
|
{ name = "nextcloud"; |
||||||
|
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; |
||||||
|
} |
||||||
|
]; |
||||||
|
}; |
||||||
|
|
||||||
|
} |
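Review bot: `home = "/datacore/cloud"` puts Nextcloud's data directory, including `config/config.php` with the database settings and instance secrets, on the shared datacore volume, while `users.users.nextcloud.extraGroups = [ "core" ]` joins the same group that nginx, jellyfin, syncthing's user and the interactive users hold elsewhere in this commit. Confirm that the module's permissions on that directory stay owner-only for `nextcloud` and are not widened to the `core` group by the parent directory's setup — otherwise a compromise of any other `core` member can read Nextcloud's secrets — and add a comment stating why the group membership is needed. `services.phpfpm.phpPackage = pkgs.php73` applies to every phpfpm pool on the host, not just Nextcloud's, and may not even reach Nextcloud's pool if the module pins its own `services.nextcloud.phpPackage` (present in the 20.09 series this config targets, as far as I recall — confirm); `lib` in the module arguments is also unused.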
@ -0,0 +1,18 @@ |
|||||||
|
{ config, ... }: |
||||||
|
|
||||||
|
{ |
||||||
|
services.openssh = { |
||||||
|
enable = true; |
||||||
|
permitRootLogin = "prohibit-password"; |
||||||
|
passwordAuthentication = false; |
||||||
|
|
||||||
|
# Required for root |
||||||
|
extraConfig = '' |
||||||
|
Match Address 127.0.0.1 |
||||||
|
PermitRootLogin yes |
||||||
|
''; |
||||||
|
}; |
||||||
|
|
||||||
|
# Also enable mosh because /shrug |
||||||
|
programs.mosh.enable = true; |
||||||
|
} |
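Review bot: The `Match Address 127.0.0.1` block raises root to `PermitRootLogin yes` for loopback, but the comment `# Required for root` does not say what needs it; since every service on this host (nginx, jellyfin, nextcloud, syncthing) can reach 127.0.0.1, this widens what a compromised service can attempt against root, and `passwordAuthentication = false` alone may not close it — PAM keyboard-interactive (`services.openssh.challengeResponseAuthentication`) is, as far as I recall, still on by default in NixOS of this era and would accept root's password over loopback if root ever gets one. If the local use case only needs key-based root access, `prohibit-password` already permits that and the Match block can be dropped. Otherwise replace the comment with the concrete consumer, e.g. `# Local root ssh is used by <service/tool placeholder> for <reason placeholder>`, so the exception stays reviewable.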
@ -0,0 +1,21 @@ |
|||||||
|
{ config, lib, ... }: |
||||||
|
|
||||||
|
{ |
||||||
|
services.syncthing = { |
||||||
|
enable = true; |
||||||
|
user = "spacekookie"; |
||||||
|
group = "core"; |
||||||
|
openDefaultPorts = true; |
||||||
|
guiAddress = "0.0.0.0:8384"; |
||||||
|
}; |
||||||
|
|
||||||
|
services.nginx.enable = true; |
||||||
|
services.nginx.virtualHosts."sync.kookiejar.tech" = { |
||||||
|
serverAliases = [ "sync.alarei.kookie.space" ]; |
||||||
|
useACMEHost = "alarei.kookie.space"; |
||||||
|
forceSSL = true; |
||||||
|
locations."/" = { |
||||||
|
proxyPass = "http://127.0.0.1:8384"; |
||||||
|
}; |
||||||
|
}; |
||||||
|
} |
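Review bot: `guiAddress = "0.0.0.0:8384"` binds the Syncthing admin GUI on every interface, while the only intended consumer visible here is the nginx vhost proxying to `http://127.0.0.1:8384`; `guiAddress = "127.0.0.1:8384";` removes direct exposure on `eno1` and the WireGuard interfaces (the ferm2 INPUT policy would drop 8384 today, but loopback-only does not depend on that). The vhost then publishes that GUI at `sync.kookiejar.tech` over TLS with no authentication configured at the proxy, so confirm the GUI user/password is set in Syncthing itself (not visible in this commit) or add `basicAuthFile` on the vhost. Running the service as the interactive user `spacekookie` also means a bug in Syncthing equals compromise of that account's files and keys; a short comment on why a dedicated service user is not used would help.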
@ -0,0 +1,14 @@ |
|||||||
|
{ config, ... }: |
||||||
|
|
||||||
|
{ |
||||||
|
networking.wireguard.interfaces."intranet" = { |
||||||
|
ips = [ "10.13.12.2" ]; |
||||||
|
privateKeyFile = "/var/lib/wireguard/keys/private"; |
||||||
|
peers = [ |
||||||
|
{ publicKey = "ugHG/NOqM/9hde9EmWpu7XsCpjT3WQbjLK99IGHtdjQ="; |
||||||
|
allowedIPs = [ "10.13.12.0/24" "10.172.171.0/24" ]; |
||||||
|
endpoint = "hyperion.kookie.space:51820"; |
||||||
|
persistentKeepalive = 25; } |
||||||
|
]; |
||||||
|
}; |
||||||
|
} |
@ -0,0 +1,7 @@ |
|||||||
|
{ config, ... }: |
||||||
|
|
||||||
|
{ |
||||||
|
imports = [ |
||||||
|
./ferm2 |
||||||
|
]; |
||||||
|
} |
@ -0,0 +1,226 @@ |
|||||||
|
/** Taken from git.petabyte.dev |
||||||
|
* |
||||||
|
* https://git.petabyte.dev/petabyteboy/nixfiles/raw/branch/master/modules/ferm2/default.nix |
||||||
|
* |
||||||
|
* TODO: split the config block into its own file (core.nix) like |
||||||
|
*/ |
||||||
|
{ lib, config, ... }: |
||||||
|
|
||||||
|
let |
||||||
|
fwcfg = config.networking.firewall; |
||||||
|
cfg = config.services.ferm2; |
||||||
|
in { |
||||||
|
options = with lib; { |
||||||
|
services.ferm2 = { |
||||||
|
enable = mkEnableOption "Ferm easy rule making"; |
||||||
|
extraConfig = mkOption { |
||||||
|
type = types.lines; |
||||||
|
default = ""; |
||||||
|
}; |
||||||
|
extraConfig6 = mkOption { |
||||||
|
type = types.lines; |
||||||
|
default = ""; |
||||||
|
}; |
||||||
|
extraConfig4 = mkOption { |
||||||
|
type = types.lines; |
||||||
|
default = ""; |
||||||
|
}; |
||||||
|
extraInput = mkOption { |
||||||
|
type = types.lines; |
||||||
|
default = ""; |
||||||
|
}; |
||||||
|
extraInput6 = mkOption { |
||||||
|
type = types.lines; |
||||||
|
default = ""; |
||||||
|
}; |
||||||
|
extraInput4 = mkOption { |
||||||
|
type = types.lines; |
||||||
|
default = ""; |
||||||
|
}; |
||||||
|
extraOutput = mkOption { |
||||||
|
type = types.lines; |
||||||
|
default = ""; |
||||||
|
}; |
||||||
|
extraOutput6 = mkOption { |
||||||
|
type = types.lines; |
||||||
|
default = ""; |
||||||
|
}; |
||||||
|
extraOutput4 = mkOption { |
||||||
|
type = types.lines; |
||||||
|
default = ""; |
||||||
|
}; |
||||||
|
extraForward = mkOption { |
||||||
|
type = types.lines; |
||||||
|
default = ""; |
||||||
|
}; |
||||||
|
extraForward6 = mkOption { |
||||||
|
type = types.lines; |
||||||
|
default = ""; |
||||||
|
}; |
||||||
|
extraForward4 = mkOption { |
||||||
|
type = types.lines; |
||||||
|
default = ""; |
||||||
|
}; |
||||||
|
inputPolicy = mkOption { |
||||||
|
type = types.str; |
||||||
|
default = "DROP"; |
||||||
|
}; |
||||||
|
outputPolicy = mkOption { |
||||||
|
type = types.str; |
||||||
|
default = "ACCEPT"; |
||||||
|
}; |
||||||
|
forwardPolicy = mkOption { |
||||||
|
type = types.str; |
||||||
|
default = "ACCEPT"; |
||||||
|
}; |
||||||
|
}; |
||||||
|
}; |
||||||
|
|
||||||
|
config = lib.mkIf cfg.enable { |
||||||
|
networking.firewall.enable = false; |
||||||
|
services.ferm.enable = true; |
||||||
|
services.ferm.config = '' |
||||||
|
domain ip6 { |
||||||
|
table filter { |
||||||
|
chain INPUT { |
||||||
|
policy ${cfg.inputPolicy}; |
||||||
|
|
||||||
|
proto ipv6-icmp icmpv6-type redirect DROP; |
||||||
|
proto ipv6-icmp icmpv6-type 139 DROP; |
||||||
|
proto ipv6-icmp ACCEPT; |
||||||
|
|
||||||
|
mod state state INVALID DROP; |
||||||
|
mod state state (ESTABLISHED RELATED) ACCEPT; |
||||||
|
|
||||||
|
interface (lo ${ |
||||||
|
lib.concatStringsSep " " fwcfg.trustedInterfaces |
||||||
|
}) ACCEPT; |
||||||
|
|
||||||
|
proto tcp dport (${ |
||||||
|
lib.concatStringsSep " " (map toString fwcfg.allowedTCPPorts) |
||||||
|
} ${ |
||||||
|
lib.concatStringsSep " " |
||||||
|
(map (range: "${toString range.from}:${toString range.to}") |
||||||
|
fwcfg.allowedTCPPortRanges) |
||||||
|
}) ACCEPT; |
||||||
|
proto udp dport (${ |
||||||
|
lib.concatStringsSep " " (map toString fwcfg.allowedUDPPorts) |
||||||
|
} ${ |
||||||
|
lib.concatStringsSep " " |
||||||
|
(map (range: "${toString range.from}:${toString range.to}") |
||||||
|
fwcfg.allowedUDPPortRanges) |
||||||
|
}) ACCEPT; |
||||||
|
|
||||||
|
${ |
||||||
|
lib.concatStringsSep "\n" (lib.mapAttrsToList (name: config: '' |
||||||
|
interface ${name} proto udp dport (${ |
||||||
|
lib.concatStringsSep " " (map toString config.allowedUDPPorts) |
||||||
|
} ${ |
||||||
|
lib.concatStringsSep " " |
||||||
|
(map (range: "${toString range.from}:${toString range.to}") |
||||||
|
config.allowedUDPPortRanges) |
||||||
|
}) ACCEPT; |
||||||
|
interface ${name} proto tcp dport (${ |
||||||
|
lib.concatStringsSep " " (map toString config.allowedTCPPorts) |
||||||
|
} ${ |
||||||
|
lib.concatStringsSep " " |
||||||
|
(map (range: "${toString range.from}:${toString range.to}") |
||||||
|
config.allowedTCPPortRanges) |
||||||
|
}) ACCEPT; |
||||||
|
'') fwcfg.interfaces) |
||||||
|
} |
||||||
|
|
||||||
|
proto udp dport 546 daddr fe80::/64 ACCEPT; |
||||||
|
|
||||||
|
${cfg.extraInput} |
||||||
|
${cfg.extraInput6} |
||||||
|
} |
||||||
|
chain OUTPUT { |
||||||
|
policy ${cfg.outputPolicy}; |
||||||
|
|
||||||
|
${cfg.extraOutput} |
||||||
|
${cfg.extraOutput6} |
||||||
|
} |
||||||
|
chain FORWARD { |
||||||
|
policy ${cfg.forwardPolicy}; |
||||||
|
|
||||||
|
${cfg.extraForward} |
||||||
|
${cfg.extraForward6} |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
${cfg.extraConfig} |
||||||
|
${cfg.extraConfig6} |
||||||
|
} |
||||||
|
|
||||||
|
domain ip { |
||||||
|
table filter { |
||||||
|
chain INPUT { |
||||||
|
policy ${cfg.inputPolicy}; |
||||||
|
|
||||||
|
proto icmp icmp-type echo-request ACCEPT; |
||||||
|
|
||||||
|
mod state state INVALID DROP; |
||||||
|
mod state state (ESTABLISHED RELATED) ACCEPT; |
||||||
|
|
||||||
|
interface (lo ${ |
||||||
|
lib.concatStringsSep " " fwcfg.trustedInterfaces |
||||||
|
}) ACCEPT; |
||||||
|
|
||||||
|
proto tcp dport (${ |
||||||
|
lib.concatStringsSep " " (map toString fwcfg.allowedTCPPorts) |
||||||
|
} ${ |
||||||
|
lib.concatStringsSep " " |
||||||
|
(map (range: "${toString range.from}:${toString range.to}") |
||||||
|
fwcfg.allowedTCPPortRanges) |
||||||
|
}) ACCEPT; |
||||||
|
proto udp dport (${ |
||||||
|
lib.concatStringsSep " " (map toString fwcfg.allowedUDPPorts) |
||||||
|
} ${ |
||||||
|
lib.concatStringsSep " " |
||||||
|
(map (range: "${toString range.from}:${toString range.to}") |
||||||
|
fwcfg.allowedUDPPortRanges) |
||||||
|
}) ACCEPT; |
||||||
|
|
||||||
|
${ |
||||||
|
lib.concatStringsSep "\n" (lib.mapAttrsToList (name: config: '' |
||||||
|
interface ${name} proto udp dport (${ |
||||||
|
lib.concatStringsSep " " (map toString config.allowedUDPPorts) |
||||||
|
} ${ |
||||||
|
lib.concatStringsSep " " |
||||||
|
(map (range: "${toString range.from}:${toString range.to}") |
||||||
|
config.allowedUDPPortRanges) |
||||||
|
}) ACCEPT; |
||||||
|
interface ${name} proto tcp dport (${ |
||||||
|
lib.concatStringsSep " " (map toString config.allowedTCPPorts) |
||||||
|
} ${ |
||||||
|
lib.concatStringsSep " " |
||||||
|
(map (range: "${toString range.from}:${toString range.to}") |
||||||
|
config.allowedTCPPortRanges) |
||||||
|
}) ACCEPT; |
||||||
|
'') fwcfg.interfaces) |
||||||
|
} |
||||||
|
|
||||||
|
${cfg.extraInput} |
||||||
|
${cfg.extraInput4} |
||||||
|
} |
||||||
|
chain OUTPUT { |
||||||
|
policy ${cfg.outputPolicy}; |
||||||
|
|
||||||
|
${cfg.extraOutput} |
||||||
|
${cfg.extraOutput4} |
||||||
|
} |
||||||
|
chain FORWARD { |
||||||
|
policy ${cfg.forwardPolicy}; |
||||||
|
|
||||||
|
${cfg.extraForward} |
||||||
|
${cfg.extraForward4} |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
${cfg.extraConfig} |
||||||
|
${cfg.extraConfig4} |
||||||
|
} |
||||||
|
''; |
||||||
|
}; |
||||||
|
} |
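Review bot: None of the `services.ferm2.*` options carry a `description`, so `nixos-option` and the generated manual show nothing for them; at minimum the three policy options and the `extra*` family deserve one line each (which chain/domain the text is spliced into, and that `extraInput` is shared by both ip and ip6 while `extraInput4`/`extraInput6` are domain-specific). `inputPolicy`/`outputPolicy`/`forwardPolicy` are `types.str` but are interpolated verbatim into the ferm `policy` statement, which only accepts `ACCEPT` or `DROP`; `type = types.enum [ "ACCEPT" "DROP" ];` turns a typo into an evaluation error instead of a firewall that fails to load at boot. The per-interface lambda `(name: config: ...)` in both `fwcfg.interfaces` mappings shadows the module's `config` argument inside the string — renaming it to `ifcfg` avoids confusion in both copies. Also worth documenting that with `networking.firewall.enable = false` only `allowedTCPPorts`, `allowedUDPPorts`, the `*Ranges`, `trustedInterfaces` and `interfaces.*` are honoured — other `networking.firewall` settings (e.g. `extraCommands`, `allowPing`) are silently ignored by this module.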
@ -0,0 +1,136 @@ |
|||||||
|
/* TOP LEVEL DEVICE CONFIGURATION FOR |
||||||
|
* |
||||||
|
* gaia (data storage node) |
||||||
|
* |
||||||
|
* |
||||||
|
* This file is part of LIBKOOKIE, a collection of nix expressions. |
||||||
|
* LIBKOOKIE is licensed under the GPL-3.0 (or later) -- see LICENSE |
||||||
|
*/ |
||||||
|
|
||||||
|
{ lib, config, pkgs, ... } @ args: |
||||||
|
|
||||||
|
let klib = (import <modules/harness/lib.nix>) args; |
||||||
|
in |
||||||
|
{ |
||||||
|
################################################################### |
||||||
|
# libkookie configuration |
||||||
|
# |
||||||
|
# |
||||||
|
# |
||||||
|
|
||||||
|
|
||||||
|
imports = with klib; [ |
||||||
|
# Load base modules required to bootstrap libkookie |
||||||
|
<home-manager/nixos> <modules> <configuration/nix> |
||||||
|
|
||||||
|
# BUILD A BETTER LOADER GOD DAMN IT |
||||||
|
<configuration/server/acme/gaia.nix> |
||||||
|
<configuration/server/datacore> |
||||||
|
<configuration/server/ferm2/gaia.nix> |
||||||
|
<configuration/server/syncthing> |
||||||
|
<configuration/server/jellyfin> |
||||||
|
<configuration/server/nextcloud> |
||||||
|
<configuration/server/openssh> |
||||||
|
<configuration/server/syncthing> |
||||||
|
<configuration/server/wireguard/gaia.nix> |
||||||
|
]; |
||||||
|
|
||||||
|
# TODO: build a klib function to patch cfg here |
||||||
|
libkookie.activeUsers = with klib; [ |
||||||
|
(patchAttrs(load <configuration/users/spacekookie>) (a: { cfg.extraGroups = a.cfg.extraGroups ++ [ "core" ]; })) |
||||||
|
(patchAttrs(load <configuration/users/qyliss>) ({ ... }: { cfg.extraGroups = [ "core" ]; })) |
||||||
|
]; |
||||||
|
|
||||||
|
# Enable fish shell handling on the system |
||||||
|
libkookie.base.fish.enable = true; |
||||||
|
|
||||||
|
|
||||||
|
# |
||||||
|
# |
||||||
|
# |
||||||
|
# |
||||||
|
################################################################### |
||||||
|
|
||||||
|
################################################################### |
||||||
|
# NixOS base system options |
||||||
|
# |
||||||
|
# |
||||||
|
# |
||||||
|
|
||||||
|
|
||||||
|
boot.cleanTmpDir = true; |
||||||
|
boot.tmpOnTmpfs = true; |
||||||
|
boot.supportedFilesystems = [ "zfs" "exfat" ]; |
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; |
||||||
|
boot.initrd.kernelModules = [ ]; |
||||||
|
boot.kernelModules = [ "kvm-amd" ]; |
||||||
|
boot.extraModulePackages = [ ]; |
||||||
|
boot.loader.grub.device = "/dev/sdg"; |
||||||
|
|
||||||
|
fileSystems."/" = |
||||||
|
{ device = "zroot"; |
||||||
|
fsType = "zfs"; |
||||||
|
}; |
||||||
|
|
||||||
|
fileSystems."/boot" = |
||||||
|
{ device = "/dev/disk/by-uuid/e5b36b2d-bdc7-4963-9a60-c2e1611a9676"; |
||||||
|
fsType = "ext4"; |
||||||
|
}; |
||||||
|
|
||||||
|
swapDevices = [ ]; |
||||||
|
nix.maxJobs = 4; |
||||||
|
|
||||||
|
networking = { |
||||||
|
defaultGateway = "10.7.1.1"; |
||||||
|
nameservers = [ "10.7.1.2" "1.1.1.1" ]; |
||||||
|
interfaces.eno1 = { |
||||||
|
ipv4.addresses = [ { address = "10.7.1.3"; prefixLength = 24; } ]; |
||||||
|
}; |
||||||
|
hostName = "gaia"; |
||||||
|
hostId = "59405489"; |
||||||
|
dhcpcd.enable = false; |
||||||
|
|
||||||
|
firewall.allowedTCPPorts = [ 80 443 ]; |
||||||
|
nat = { |
||||||
|
enable = true; |
||||||
|
internalInterfaces = ["ve-+"]; |
||||||
|
externalInterface = "eno1"; |
||||||
|
}; |
||||||
|
}; |
||||||
|
|
||||||
|
time.timeZone = "Europe/Berlin"; |
||||||
|
programs.mtr.enable = true; |
||||||
|
|
||||||
|
# Torrenting container |
||||||
|
# containers.trnsmssn = |
||||||
|
# { autoStart = true; |
||||||
|
# privateNetwork = true; |
||||||
|
# hostAddress = "10.7.1.3"; |
||||||
|
# localAddress = "10.7.1.13"; |
||||||
|
# config = { config, pkgs, ... }: |
||||||
|
# { services.mullvad.enable = true; |
||||||
|
# services.transmission = { enable = true; }; |
||||||
|
# environment.systemPackages = with pkgs; [ transmission openvpn ]; |
||||||
|
# }; |
||||||
|
# }; |
||||||
|
|
||||||
|
users.users."spacekookie".hashedPassword = "$6$rounds=1000000$Nnlc.bdBdGIVXtL$Ndb0WoOT.xl3eV2ba4jHe0ajbrGfVSf.RoS2hdaU8hvV8.UHBAZbDtLtXLqQ59Q6eUfjui3YIY6XWUGxAZNYF."; |
||||||
|
|
||||||
|
# users.users."spacekookie" = { |
||||||
|
# hashedPassword = |
||||||
|
# openssh.authorizedKeys.keys = [ |
||||||
|
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBALMtai+K3wBvpSf9ntuBH1GNte7quhIA4/ZWKlvF0A" # uwu |
||||||
|
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdIsXiaE3YLuqekTg8Xq65n1GUX5IQc8/FKMrbCsCWY" # tempest |
||||||
|
|
||||||
|
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMN1iwhQinXxg9H+wJn34EawgzdrrdfBzT0N0wy8yz9 spacekookie@alarei" |
||||||
|
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPQ7alBckvMjRL/Tp38dSkZDTR/cLHRcJPwhP5+/fdM" |
||||||
|
# ]; |
||||||
|
# }; |
||||||
|
|
||||||
|
# This is pinned here because nextcloud/postgres is being unstable |
||||||
|
# at version 18. In the future you might wanna look at upgrading |
||||||
|
# again, but for now, just be happily one major version behind! |
||||||
|
system.stateVersion = "20.09"; |
||||||
|
} |
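Review bot: `users.users."spacekookie".hashedPassword = "$6$..."` commits a password hash to the repository and, through the users module, into the world-readable Nix store; anyone with the repo or store contents can run offline guessing against it. `users.users."spacekookie".passwordFile = "/var/lib/<placeholder>/spacekookie.pw";` (a file outside the store, provisioned at deploy time) keeps the hash out of both, which the adjacent commented-out `hashedPassword =` line suggests was the original intent. `<configuration/server/syncthing>` appears twice in `imports`; the module system deduplicates the same path, but one of the two lines should go. `boot.loader.grub.device = "/dev/sdg"` depends on device enumeration order — a `/dev/disk/by-id/<placeholder>` path, as already done for `/boot`, avoids writing the bootloader to the wrong disk after a reshuffle.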
||||||
|
|