...

author: Gregor Kleen <gkleen@yggdrasil.li> 2025-05-14 10:50:27 +0200
committer: Gregor Kleen <gkleen@yggdrasil.li> 2025-05-14 10:50:27 +0200
commit: 43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c (patch)
tree: c1cc8a034395c9bb8188651f6835922b38887f32 /hosts
parent: 03d49aa8ec6f51c8f51bfb628e614ac537cca8e0 (diff)
download: nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar
nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar.gz
nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar.bz2
nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar.xz
nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.zip
6 files changed, 58 insertions, 96 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 0897e1d8..f4de24e8 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -126,38 +126,8 @@ in {
        rulesetFile = ./ruleset.nft;
      };
-      # firewall = {
-      #   enable = true;
-      #   allowedTCPPorts = [ 22 # ssh
-      #                       8000 # quickserve
-      #                     ];
-      # };
-      # wlanInterfaces = {
-      #   wlan0 = {
-      #     device = "wlp82s0";
-      #   };
-      # };
-      # bonds = {
-      #   "lan" = {
-      #     interfaces = [ "wlan0" "enp0s31f6" "dock0" ];
-      #     driverOptions = {
-      #       miimon = "1000";
-      #       mode = "active-backup";
-      #       primary_reselect = "always";
-      #     };
-      #   };
-      # };
      useDHCP = false;
      useNetworkd = true;
-      # interfaces."tinc.yggdrasil" = {
-      #   virtual = true;
-      #   virtualType = config.services.tinc.networks.yggdrasil.interfaceType;
-      #   macAddress = "5c:93:21:c3:61:39";
-      # };
    };
    environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
@@ -751,10 +721,6 @@ in {
    home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ];
-    environment.pathsToLink = [
-      "share/zsh"
-    ];
    system.stateVersion = "24.11";
  };
 }
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index 2af8b2ee..62339f69 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -61,7 +61,7 @@ table inet filter {
  counter mosh-rx {}
  counter wg-rx {}
  counter yggdrasil-gre-rx {}
-  counter quickserve-rx {}
+  counter miniserve-rx {}
  counter ausweisapp2-rx {}
  counter established-rx {}
@@ -81,7 +81,7 @@ table inet filter {
  counter mosh-tx {}
  counter wg-tx {}
  counter yggdrasil-gre-tx {}
-  counter quickserve-tx {}
+  counter miniserve-tx {}
  counter tx {}
@@ -134,7 +134,7 @@ table inet filter {
    tcp dport 22 counter name ssh-rx accept
    udp dport 60000-61000 counter name mosh-rx accept
-    tcp dport 8000 counter name quickserve-rx accept
+    tcp dport 8080 counter name miniserve-rx accept
    udp dport 24727 counter name ausweisapp2-rx accept
    udp dport 51820-51822 counter name wg-rx accept
@@ -173,7 +173,7 @@ table inet filter {
    udp sport 51820-51822 counter name wg-tx
    iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
-    tcp sport 8000 counter name quickserve-tx accept
+    tcp sport 8080 counter name miniserve-tx accept
    oifname virbr0 udp sport 67 counter name libvirt-dhcp accept
    oifname virbr0 udp sport 547 counter name libvirt-dhcp accept
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 13b33c7f..4666d1d6 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -215,7 +215,7 @@ in {
        smtpd_client_event_limit_exceptions = "";
        milter_default_action = "accept";
-        smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"];
+        smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock" "local:/run/postsrsd/postsrsd-milter.sock"];
        non_smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"];
        alias_maps = "";
@@ -237,11 +237,6 @@ in {
          ::/0                silent-discard, dsn
        ''}";
-        sender_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.forwardPort}";
-        sender_canonical_classes = "envelope_sender";
-        recipient_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.reversePort}";
-        recipient_canonical_classes = ["envelope_recipient" "header_recipient"];
        virtual_mailbox_domains = ''pgsql:${pkgs.writeText "virtual_mailbox_domains.cf" ''
          hosts = postgresql:///email
          dbname = email
@@ -366,10 +361,11 @@ in {
    services.postsrsd = {
      enable = true;
-      domain = "surtr.yggdrasil.li";
+      domains = [ "surtr.yggdrasil.li" ] ++ concatMap (domain: [".${domain}" domain]) emailDomains;
      separator = "+";
-      excludeDomains = [ "surtr.yggdrasil.li"
+      extraConfig = ''
-                       ] ++ concatMap (domain: [".${domain}" domain]) emailDomains;
+        milter = unix:/run/postsrsd/postsrsd-milter.sock
+      '';
    };
    services.opendkim = {
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 1bdcf74e..92223144 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, lib, ... }:
+{ flake, pkgs, config, lib, ... }:
 with lib;
@@ -22,7 +22,11 @@ in {
        "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv"
        "--network-ipvlan=ens3:upstream"
      ];
-      config = {
+      config = let hostConfig = config; in { config, pkgs, ... }: {
+        system.stateVersion = lib.mkIf hostConfig.containers."vpn".ephemeral config.system.nixos.release;
+        system.configurationRevision = mkIf (flake ? rev) flake.rev;
+        nixpkgs.pkgs = hostConfig.nixpkgs.pkgs;
        boot.kernel.sysctl = {
          "net.core.rmem_max" = 4194304;
          "net.core.wmem_max" = 4194304;
diff --git a/hosts/surtr/vpn/geri.pub b/hosts/surtr/vpn/geri.pub
index ed5de2b2..2cd9b24e 100644
--- a/hosts/surtr/vpn/geri.pub
+++ b/hosts/surtr/vpn/geri.pub
@@ -1 +1 @@
-sYuQSNZHzfegv8HRz71jnZm2nFLGeRnaGwVonhKUj2k=
+hhER05bvstOTGfiAG3IJsFkBNWCUZHokBXwaiC5d534=
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index 098d3061..11460393 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -306,32 +306,30 @@ in {
              pkgs.symlinkJoin {
                name = "installer-${system}";
                paths = [
-                  (let
+                  (builtins.addErrorContext "while evaluating installer-${system}-nfsroot" (let
-                    installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
+                    installerBuild' = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
                      modules = [
                        ({ ... }: {
                          config.nfsroot.storeDevice = "${nfsIp}:nix-store";
                          config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/installer-${system}/registration";
+                          config.system.nixos.label = "installer-${system}";
                        })
                      ];
-                    }).config.system.build;
+                    });
-                  in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} ''
+                    installerBuild = installerBuild'.config.system.build;
+                  in builtins.toPath (pkgs.runCommandLocal "installer-${system}" {} ''
                    mkdir -p $out/installer-${system}
                    install -m 0444 -t $out/installer-${system} \
                      ${installerBuild.initialRamdisk}/initrd \
                      ${installerBuild.kernel}/bzImage \
                      ${installerBuild.netbootIpxeScript}/netboot.ipxe \
                      ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
-                  ''))
+                    install -m 0444 ${pkgs.writeText "installer-${system}.menu.ipxe" ''
-                  (pkgs.writeTextFile {
-                    name = "installer-${system}.menu.ipxe";
-                    destination = "/installer-${system}.menu.ipxe";
-                    text = ''
                      #!ipxe
                      :start
                      menu iPXE boot menu for installer-${system}
-                      item installer installer-${system}
+                      item installer ${with installerBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
                      item memtest memtest86plus
                      item netboot netboot.xyz
                      item shell iPXE shell
@@ -353,8 +351,8 @@ in {
                      :memtest
                      iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
                      goto start
-                    '';
+                    ''} $out/installer-${system}.menu.ipxe
-                  })
+                  '')))
                ];
              }) ["x86_64-linux"]
            ) ++ [
@@ -366,15 +364,17 @@ in {
                install -m 0444 ${sources.netbootxyz-efi.src} $out/netboot.xyz.efi
                install -m 0444 ${sources.netbootxyz-lkrn.src} $out/netboot.xyz.lkrn
              '')
-              (let
+              (builtins.addErrorContext "while evaluating eostre" (let
-                 eostreBuild = (flake.nixosConfigurations.eostre.extendModules {
+                 eostreBuild' = (flake.nixosConfigurations.eostre.extendModules {
                   modules = [
                     ({ ... }: {
                       config.nfsroot.storeDevice = "${nfsIp}:nix-store";
                       config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/eostre/registration";
+                       config.system.nixos.label = "eostre";
                     })
                   ];
-                 }).config.system.build;
+                 });
+                 eostreBuild = eostreBuild'.config.system.build;
               in builtins.toPath (pkgs.runCommandLocal "eostre" {} ''
                    mkdir -p $out/eostre
                    install -m 0444 -t $out/eostre \
@@ -382,43 +382,39 @@ in {
                      ${eostreBuild.kernel}/bzImage \
                      ${eostreBuild.netbootIpxeScript}/netboot.ipxe \
                      ${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration
-                  ''))
+                    install -m 0444 ${pkgs.writeText "eostre.menu.ipxe" ''
-              (pkgs.writeTextFile {
+                      #!ipxe
-                name = "eostre.menu.ipxe";
-                destination = "/eostre.menu.ipxe";
-                text = ''
-                  #!ipxe
-                  set menu-timeout 5000
+                      set menu-timeout 5000
-                  :start
+                      :start
-                  menu iPXE boot menu for eostre
+                      menu iPXE boot menu for eostre
-                  item eostre eostre
+                      item eostre ${with eostreBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
-                  item memtest memtest86plus
+                      item memtest memtest86plus
-                  item netboot netboot.xyz
+                      item netboot netboot.xyz
-                  item shell iPXE shell
+                      item shell iPXE shell
-                  choose --timeout ''${menu-timeout} --default eostre selected || goto shell
+                      choose --timeout ''${menu-timeout} --default eostre selected || goto shell
-                  set menu-timeout 0
+                      set menu-timeout 0
-                  goto ''${selected}
+                      goto ''${selected}
-                  :shell
+                      :shell
-                  set menu-timeout 0
+                      set menu-timeout 0
-                  shell
+                      shell
-                  goto start
+                      goto start
-                  :eostre
+                      :eostre
-                  chain eostre/netboot.ipxe
+                      chain eostre/netboot.ipxe
-                  goto start
+                      goto start
-                  :netboot
+                      :netboot
-                  iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn
+                      iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn
-                  goto start
+                      goto start
-                  :memtest
+                      :memtest
-                  iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
+                      iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
-                  goto start
+                      goto start
-                '';
+                    ''} $out/eostre.menu.ipxe
-              })
+                  '')))
            ];
        };
      };
author	Gregor Kleen <gkleen@yggdrasil.li>	2025-05-14 10:50:27 +0200
committer	Gregor Kleen <gkleen@yggdrasil.li>	2025-05-14 10:50:27 +0200
commit	43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c (patch)
tree	c1cc8a034395c9bb8188651f6835922b38887f32 /hosts
parent	03d49aa8ec6f51c8f51bfb628e614ac537cca8e0 (diff)
download	nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar.gz nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar.bz2 nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar.xz nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.zip