summaryrefslogtreecommitdiff
path: root/hosts
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2025-05-14 10:50:27 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2025-05-14 10:50:27 +0200
commit43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c (patch)
treec1cc8a034395c9bb8188651f6835922b38887f32 /hosts
parent03d49aa8ec6f51c8f51bfb628e614ac537cca8e0 (diff)
downloadnixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar
nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar.gz
nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar.bz2
nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar.xz
nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.zip
...
Diffstat (limited to 'hosts')
-rw-r--r--hosts/sif/default.nix34
-rw-r--r--hosts/sif/ruleset.nft8
-rw-r--r--hosts/surtr/email/default.nix14
-rw-r--r--hosts/surtr/vpn/default.nix8
-rw-r--r--hosts/surtr/vpn/geri.pub2
-rw-r--r--hosts/vidhar/network/dhcp/default.nix88
6 files changed, 58 insertions, 96 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 0897e1d8..f4de24e8 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -126,38 +126,8 @@ in {
126 rulesetFile = ./ruleset.nft; 126 rulesetFile = ./ruleset.nft;
127 }; 127 };
128 128
129 # firewall = {
130 # enable = true;
131 # allowedTCPPorts = [ 22 # ssh
132 # 8000 # quickserve
133 # ];
134 # };
135
136 # wlanInterfaces = {
137 # wlan0 = {
138 # device = "wlp82s0";
139 # };
140 # };
141
142 # bonds = {
143 # "lan" = {
144 # interfaces = [ "wlan0" "enp0s31f6" "dock0" ];
145 # driverOptions = {
146 # miimon = "1000";
147 # mode = "active-backup";
148 # primary_reselect = "always";
149 # };
150 # };
151 # };
152
153 useDHCP = false; 129 useDHCP = false;
154 useNetworkd = true; 130 useNetworkd = true;
155
156 # interfaces."tinc.yggdrasil" = {
157 # virtual = true;
158 # virtualType = config.services.tinc.networks.yggdrasil.interfaceType;
159 # macAddress = "5c:93:21:c3:61:39";
160 # };
161 }; 131 };
162 132
163 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = { 133 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
@@ -751,10 +721,6 @@ in {
751 721
752 home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ]; 722 home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ];
753 723
754 environment.pathsToLink = [
755 "share/zsh"
756 ];
757
758 system.stateVersion = "24.11"; 724 system.stateVersion = "24.11";
759 }; 725 };
760} 726}
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index 2af8b2ee..62339f69 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -61,7 +61,7 @@ table inet filter {
61 counter mosh-rx {} 61 counter mosh-rx {}
62 counter wg-rx {} 62 counter wg-rx {}
63 counter yggdrasil-gre-rx {} 63 counter yggdrasil-gre-rx {}
64 counter quickserve-rx {} 64 counter miniserve-rx {}
65 counter ausweisapp2-rx {} 65 counter ausweisapp2-rx {}
66 66
67 counter established-rx {} 67 counter established-rx {}
@@ -81,7 +81,7 @@ table inet filter {
81 counter mosh-tx {} 81 counter mosh-tx {}
82 counter wg-tx {} 82 counter wg-tx {}
83 counter yggdrasil-gre-tx {} 83 counter yggdrasil-gre-tx {}
84 counter quickserve-tx {} 84 counter miniserve-tx {}
85 85
86 counter tx {} 86 counter tx {}
87 87
@@ -134,7 +134,7 @@ table inet filter {
134 tcp dport 22 counter name ssh-rx accept 134 tcp dport 22 counter name ssh-rx accept
135 udp dport 60000-61000 counter name mosh-rx accept 135 udp dport 60000-61000 counter name mosh-rx accept
136 136
137 tcp dport 8000 counter name quickserve-rx accept 137 tcp dport 8080 counter name miniserve-rx accept
138 udp dport 24727 counter name ausweisapp2-rx accept 138 udp dport 24727 counter name ausweisapp2-rx accept
139 139
140 udp dport 51820-51822 counter name wg-rx accept 140 udp dport 51820-51822 counter name wg-rx accept
@@ -173,7 +173,7 @@ table inet filter {
173 udp sport 51820-51822 counter name wg-tx 173 udp sport 51820-51822 counter name wg-tx
174 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx 174 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
175 175
176 tcp sport 8000 counter name quickserve-tx accept 176 tcp sport 8080 counter name miniserve-tx accept
177 177
178 oifname virbr0 udp sport 67 counter name libvirt-dhcp accept 178 oifname virbr0 udp sport 67 counter name libvirt-dhcp accept
179 oifname virbr0 udp sport 547 counter name libvirt-dhcp accept 179 oifname virbr0 udp sport 547 counter name libvirt-dhcp accept
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 13b33c7f..4666d1d6 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -215,7 +215,7 @@ in {
215 smtpd_client_event_limit_exceptions = ""; 215 smtpd_client_event_limit_exceptions = "";
216 216
217 milter_default_action = "accept"; 217 milter_default_action = "accept";
218 smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"]; 218 smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock" "local:/run/postsrsd/postsrsd-milter.sock"];
219 non_smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"]; 219 non_smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"];
220 220
221 alias_maps = ""; 221 alias_maps = "";
@@ -237,11 +237,6 @@ in {
237 ::/0 silent-discard, dsn 237 ::/0 silent-discard, dsn
238 ''}"; 238 ''}";
239 239
240 sender_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.forwardPort}";
241 sender_canonical_classes = "envelope_sender";
242 recipient_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.reversePort}";
243 recipient_canonical_classes = ["envelope_recipient" "header_recipient"];
244
245 virtual_mailbox_domains = ''pgsql:${pkgs.writeText "virtual_mailbox_domains.cf" '' 240 virtual_mailbox_domains = ''pgsql:${pkgs.writeText "virtual_mailbox_domains.cf" ''
246 hosts = postgresql:///email 241 hosts = postgresql:///email
247 dbname = email 242 dbname = email
@@ -366,10 +361,11 @@ in {
366 361
367 services.postsrsd = { 362 services.postsrsd = {
368 enable = true; 363 enable = true;
369 domain = "surtr.yggdrasil.li"; 364 domains = [ "surtr.yggdrasil.li" ] ++ concatMap (domain: [".${domain}" domain]) emailDomains;
370 separator = "+"; 365 separator = "+";
371 excludeDomains = [ "surtr.yggdrasil.li" 366 extraConfig = ''
372 ] ++ concatMap (domain: [".${domain}" domain]) emailDomains; 367 milter = unix:/run/postsrsd/postsrsd-milter.sock
368 '';
373 }; 369 };
374 370
375 services.opendkim = { 371 services.opendkim = {
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 1bdcf74e..92223144 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -1,4 +1,4 @@
1{ pkgs, config, lib, ... }: 1{ flake, pkgs, config, lib, ... }:
2 2
3with lib; 3with lib;
4 4
@@ -22,7 +22,11 @@ in {
22 "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv" 22 "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv"
23 "--network-ipvlan=ens3:upstream" 23 "--network-ipvlan=ens3:upstream"
24 ]; 24 ];
25 config = { 25 config = let hostConfig = config; in { config, pkgs, ... }: {
26 system.stateVersion = lib.mkIf hostConfig.containers."vpn".ephemeral config.system.nixos.release;
27 system.configurationRevision = mkIf (flake ? rev) flake.rev;
28 nixpkgs.pkgs = hostConfig.nixpkgs.pkgs;
29
26 boot.kernel.sysctl = { 30 boot.kernel.sysctl = {
27 "net.core.rmem_max" = 4194304; 31 "net.core.rmem_max" = 4194304;
28 "net.core.wmem_max" = 4194304; 32 "net.core.wmem_max" = 4194304;
diff --git a/hosts/surtr/vpn/geri.pub b/hosts/surtr/vpn/geri.pub
index ed5de2b2..2cd9b24e 100644
--- a/hosts/surtr/vpn/geri.pub
+++ b/hosts/surtr/vpn/geri.pub
@@ -1 +1 @@
sYuQSNZHzfegv8HRz71jnZm2nFLGeRnaGwVonhKUj2k= hhER05bvstOTGfiAG3IJsFkBNWCUZHokBXwaiC5d534=
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index 098d3061..11460393 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -306,32 +306,30 @@ in {
306 pkgs.symlinkJoin { 306 pkgs.symlinkJoin {
307 name = "installer-${system}"; 307 name = "installer-${system}";
308 paths = [ 308 paths = [
309 (let 309 (builtins.addErrorContext "while evaluating installer-${system}-nfsroot" (let
310 installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules { 310 installerBuild' = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
311 modules = [ 311 modules = [
312 ({ ... }: { 312 ({ ... }: {
313 config.nfsroot.storeDevice = "${nfsIp}:nix-store"; 313 config.nfsroot.storeDevice = "${nfsIp}:nix-store";
314 config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/installer-${system}/registration"; 314 config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/installer-${system}/registration";
315 config.system.nixos.label = "installer-${system}";
315 }) 316 })
316 ]; 317 ];
317 }).config.system.build; 318 });
318 in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} '' 319 installerBuild = installerBuild'.config.system.build;
320 in builtins.toPath (pkgs.runCommandLocal "installer-${system}" {} ''
319 mkdir -p $out/installer-${system} 321 mkdir -p $out/installer-${system}
320 install -m 0444 -t $out/installer-${system} \ 322 install -m 0444 -t $out/installer-${system} \
321 ${installerBuild.initialRamdisk}/initrd \ 323 ${installerBuild.initialRamdisk}/initrd \
322 ${installerBuild.kernel}/bzImage \ 324 ${installerBuild.kernel}/bzImage \
323 ${installerBuild.netbootIpxeScript}/netboot.ipxe \ 325 ${installerBuild.netbootIpxeScript}/netboot.ipxe \
324 ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration 326 ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
325 '')) 327 install -m 0444 ${pkgs.writeText "installer-${system}.menu.ipxe" ''
326 (pkgs.writeTextFile {
327 name = "installer-${system}.menu.ipxe";
328 destination = "/installer-${system}.menu.ipxe";
329 text = ''
330 #!ipxe 328 #!ipxe
331 329
332 :start 330 :start
333 menu iPXE boot menu for installer-${system} 331 menu iPXE boot menu for installer-${system}
334 item installer installer-${system} 332 item installer ${with installerBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
335 item memtest memtest86plus 333 item memtest memtest86plus
336 item netboot netboot.xyz 334 item netboot netboot.xyz
337 item shell iPXE shell 335 item shell iPXE shell
@@ -353,8 +351,8 @@ in {
353 :memtest 351 :memtest
354 iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin 352 iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
355 goto start 353 goto start
356 ''; 354 ''} $out/installer-${system}.menu.ipxe
357 }) 355 '')))
358 ]; 356 ];
359 }) ["x86_64-linux"] 357 }) ["x86_64-linux"]
360 ) ++ [ 358 ) ++ [
@@ -366,15 +364,17 @@ in {
366 install -m 0444 ${sources.netbootxyz-efi.src} $out/netboot.xyz.efi 364 install -m 0444 ${sources.netbootxyz-efi.src} $out/netboot.xyz.efi
367 install -m 0444 ${sources.netbootxyz-lkrn.src} $out/netboot.xyz.lkrn 365 install -m 0444 ${sources.netbootxyz-lkrn.src} $out/netboot.xyz.lkrn
368 '') 366 '')
369 (let 367 (builtins.addErrorContext "while evaluating eostre" (let
370 eostreBuild = (flake.nixosConfigurations.eostre.extendModules { 368 eostreBuild' = (flake.nixosConfigurations.eostre.extendModules {
371 modules = [ 369 modules = [
372 ({ ... }: { 370 ({ ... }: {
373 config.nfsroot.storeDevice = "${nfsIp}:nix-store"; 371 config.nfsroot.storeDevice = "${nfsIp}:nix-store";
374 config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/eostre/registration"; 372 config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/eostre/registration";
373 config.system.nixos.label = "eostre";
375 }) 374 })
376 ]; 375 ];
377 }).config.system.build; 376 });
377 eostreBuild = eostreBuild'.config.system.build;
378 in builtins.toPath (pkgs.runCommandLocal "eostre" {} '' 378 in builtins.toPath (pkgs.runCommandLocal "eostre" {} ''
379 mkdir -p $out/eostre 379 mkdir -p $out/eostre
380 install -m 0444 -t $out/eostre \ 380 install -m 0444 -t $out/eostre \
@@ -382,43 +382,39 @@ in {
382 ${eostreBuild.kernel}/bzImage \ 382 ${eostreBuild.kernel}/bzImage \
383 ${eostreBuild.netbootIpxeScript}/netboot.ipxe \ 383 ${eostreBuild.netbootIpxeScript}/netboot.ipxe \
384 ${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration 384 ${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration
385 '')) 385 install -m 0444 ${pkgs.writeText "eostre.menu.ipxe" ''
386 (pkgs.writeTextFile { 386 #!ipxe
387 name = "eostre.menu.ipxe";
388 destination = "/eostre.menu.ipxe";
389 text = ''
390 #!ipxe
391 387
392 set menu-timeout 5000 388 set menu-timeout 5000
393 389
394 :start 390 :start
395 menu iPXE boot menu for eostre 391 menu iPXE boot menu for eostre
396 item eostre eostre 392 item eostre ${with eostreBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
397 item memtest memtest86plus 393 item memtest memtest86plus
398 item netboot netboot.xyz 394 item netboot netboot.xyz
399 item shell iPXE shell 395 item shell iPXE shell
400 choose --timeout ''${menu-timeout} --default eostre selected || goto shell 396 choose --timeout ''${menu-timeout} --default eostre selected || goto shell
401 set menu-timeout 0 397 set menu-timeout 0
402 goto ''${selected} 398 goto ''${selected}
403 399
404 :shell 400 :shell
405 set menu-timeout 0 401 set menu-timeout 0
406 shell 402 shell
407 goto start 403 goto start
408 404
409 :eostre 405 :eostre
410 chain eostre/netboot.ipxe 406 chain eostre/netboot.ipxe
411 goto start 407 goto start
412 408
413 :netboot 409 :netboot
414 iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn 410 iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn
415 goto start 411 goto start
416 412
417 :memtest 413 :memtest
418 iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin 414 iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
419 goto start 415 goto start
420 ''; 416 ''} $out/eostre.menu.ipxe
421 }) 417 '')))
422 ]; 418 ];
423 }; 419 };
424 }; 420 };
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-15 00:31:47 +0000