-rw-r--r--hosts/sif/default.nix17
-rw-r--r--hosts/vidhar/network/default.nix41
-rw-r--r--hosts/vidhar/network/ruleset.nft4
-rw-r--r--installer.nix26
-rw-r--r--installer/default.nix32
-rw-r--r--installer/ruleset.nft98
-rw-r--r--system-profiles/networkmanager.nix26
-rw-r--r--system-profiles/openssh/default.nix50
-rw-r--r--system-profiles/zfs.nix4
9 files changed, 232 insertions, 66 deletions
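--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -14,6 +14,7 @@ in {
 ./hw.nix
 ./mail
 initrd-all-crypto-modules default-locale openssh rebuild-machines
+networkmanager
 ];
 
 config = {
@@ -71,16 +72,6 @@ in {
 ];
 };
 
-networkmanager = {
-enable = true;
-dhcp = "internal";
-dns = lib.mkForce "dnsmasq";
-extraConfig = ''
-[connectivity]
-uri=https://online.yggdrasil.li
-'';
-};
-
 # wlanInterfaces = {
 # wlan0 = {
 # device = "wlp82s0";
@@ -98,7 +89,6 @@ in {
 # };
 # };
 
-dhcpcd.enable = false;
 useDHCP = false;
 useNetworkd = true;
 
@@ -109,9 +99,6 @@ in {
 # };
 };
 
-systemd.services."NetworkManager-wait-online".enable = false;
-systemd.services."systemd-networkd-wait-online".enable = false;
-
 environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = {
 text = ''
 server=/sif.libvirt/192.168.122.1
@@ -205,8 +192,6 @@ in {
 };
 networking.networkmanager.unmanaged = ["wgrz"];
 
-services.resolved.enable = false;
-
 services.openssh.enable = true;
 
 powerManagement = {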
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 2444f537..ab79dd16 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,4 +1,4 @@
1{ config, lib, pkgs, ... }: 1{ flake, config, lib, pkgs, ... }:
2{ 2{
3 imports = [ ./dsl.nix ./bifrost ]; 3 imports = [ ./dsl.nix ./bifrost ];
4 4
@@ -71,6 +71,27 @@
71 type = "memfile"; 71 type = "memfile";
72 }; 72 };
73 73
74 client-classes = [
75 { name = "ipxe";
76 test = "option[77].hex == 'iPXE'";
77 next-server = "10.141.0.1";
78 boot-file-name = "netboot.ipxe";
79 only-if-required = true;
80 }
81 { name = "uefi-64";
82 test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009'";
83 only-if-required = true;
84 tftp-server-name = "10.141.0.1";
85 boot-file-name = "ipxe.efi";
86 }
87 { name = "legacy";
88 test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
89 only-if-required = true;
90 tftp-server-name = "10.141.0.1";
91 boot-file-name = "undionly.kpxe";
92 }
93 ];
94
74 subnet4 = [ 95 subnet4 = [
75 { subnet = "10.141.0.0/24"; 96 { subnet = "10.141.0.0/24";
76 option-data = [ 97 option-data = [
@@ -89,6 +110,7 @@
89 ]; 110 ];
90 pools = [ { pool = "10.141.0.128 - 10.141.0.254"; } ]; 111 pools = [ { pool = "10.141.0.128 - 10.141.0.254"; } ];
91 reservations = []; 112 reservations = [];
113 require-client-classes = ["ipxe" "uefi-64" "legacy"];
92 } 114 }
93 { subnet = "10.141.1.0/24"; 115 { subnet = "10.141.1.0/24";
94 option-data = [ 116 option-data = [
@@ -157,5 +179,22 @@
157 networkConfig.LinkLocalAddressing = "no"; 179 networkConfig.LinkLocalAddressing = "no";
158 }; 180 };
159 }; 181 };
182
183 systemd.services."installer-atftpd" = {
184 description = "TFTP Server for PXE Booting NixOS Installer";
185 after = [ "network.target" ];
186 wantedBy = [ "multi-user.target" ];
187 serviceConfig.ExecStart = let
188 installerBuild = flake.nixosConfigurations.installer-x86_64-linux-netboot.config.system.build;
189 tftpRoot = pkgs.runCommandLocal "installer-netboot" {} ''
190 mkdir -p $out
191 install -m 0444 -t $out \
192 ${installerBuild.netbootRamdisk}/initrd \
193 ${installerBuild.kernel}/bzImage \
194 ${installerBuild.netbootIpxeScript}/netboot.ipxe \
195 ${pkgs.ipxe}/ipxe.efi ${pkgs.ipxe}/undionly.kpxe
196 '';
197 in "${pkgs.atftp} --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
198 };
160 }; 199 };
161} 200}
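Review bot: The netboot chain that `installer-atftpd` serves (ipxe.efi/undionly.kpxe, then netboot.ipxe, kernel and initrd) is delivered over unauthenticated DHCP+TFTP with no integrity check, so any host on the segments that reach 10.141.0.1 and can win the DHCP race or spoof that address can hand a machine being reinstalled an arbitrary kernel and initrd — and the genuine initrd already boots an installer with sshd enabled. If that is an accepted risk for these links, record it on the unit (`# NOTE: PXE chain is unauthenticated; only trust installs started on a quiet network`); otherwise consider `imgtrust`/`imgverify` in netboot.ipxe with a signing key embedded in the iPXE build, or fetching kernel/initrd over HTTPS with a pinned CA. Separately, the unit is ordered only `after = [ "network.target" ]` while `--bind-address=10.141.0.1` needs that address to exist, which networkd does not guarantee at network.target; `after = [ "network-online.target" ]; wants = [ "network-online.target" ];` (or `serviceConfig.Restart = "on-failure"`) closes the start-up race, though the window is presumably short if the address is static.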
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index f2b1eda0..0f591f24 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -183,7 +183,7 @@ table inet filter {
183 183
184 iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept 184 iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept
185 185
186 iifname mgmt udp dport 69 counter name tftp-rx accept 186 iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
187 187
188 ct state {established, related} counter name established-rx accept 188 ct state {established, related} counter name established-rx accept
189 189
@@ -228,7 +228,7 @@ table inet filter {
228 tcp sport 80 counter name http-tx accept 228 tcp sport 80 counter name http-tx accept
229 229
230 udp sport 69 counter name tftp-tx accept 230 udp sport 69 counter name tftp-tx accept
231 iifname mgmt udp dport 69 counter name tftp-tx accept 231 udp dport 69 counter name tftp-tx accept
232 232
233 233
234 counter name tx 234 counter name tx
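Review bot: The second hunk turns the rule into an unqualified `udp dport 69 counter name tftp-tx accept`, which lets vidhar itself initiate TFTP to any destination on any interface; the line it replaces carried `iifname mgmt`, and if this is the output chain (its header is outside the hunk; the `-tx` counter names suggest so) the input interface is not set for locally generated packets, so as far as I can tell the old rule never matched and this is a silent widening rather than a like-for-like edit. If the host only needs to serve TFTP the rule can go — server-side traffic is the `sport 69` rule above plus conntrack — and if an outbound client is really wanted, scope it: `oifname { lan, mgmt } udp dport 69 counter name tftp-tx accept`. On the input side TFTP has no authentication, so opening port 69 to `lan` lets every lan host read the whole atftpd root; that is fine while only the installer images live there, but a comment such as `# unauthenticated: only public netboot artefacts may live under the tftp root` would stop something else landing there later.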
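--- a/installer.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ flake, pkgs, ... }: {
-imports = with flake.nixosModules.systemProfiles; [
-default-locale zfs
-];
-
-config = {
-networking.wireless.enable = false;
-
-networking.firewall = {
-enable = true;
-allowedTCPPorts = [ 22 # ssh
-];
-allowedUDPPortRanges = [
-{ from = 60000; to = 61000; } # mosh
-];
-};
-
-systemd.services."sshd".wantedBy = ["multi-user.target"];
-
-services.qemuGuest.enable = true;
-
-environment.systemPackages = with pkgs; [
-nvme-cli iotop mosh
-];
-};
-}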
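--- /dev/null
+++ b/installer/default.nix
@@ -0,0 +1,32 @@
+{ flake, pkgs, ... }: {
+imports = with flake.nixosModules.systemProfiles; [
+default-locale zfs networkmanager openssh
+];
+
+config = {
+networking = {
+firewall.enable = false;
+nftables = {
+enable = true;
+rulesetFile = ./ruleset.nft;
+};
+};
+
+services.openssh = {
+enable = true;
+staticHostKeys = false;
+};
+
+services.qemuGuest.enable = true;
+
+services.resolved = {
+llmnr = "false";
+};
+
+environment.systemPackages = with pkgs; [
+nvme-cli iotop mosh
+];
+
+zramSwap.enable = true;
+};
+}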
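Review bot: With `staticHostKeys = false` the netbooted installer gets a freshly generated sshd host key on every boot (the initrd is stateless) and, per the openssh profile in this commit, no `HostCertificate`, so whoever connects during a reinstall has nothing to verify the server against and an attacker who can answer on the installer's address gets a clean MITM on the session used to install the system. Consider printing the fingerprint to the console from a oneshot ordered after `sshd` (`ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` to tty1) or injecting a per-boot key through the kernel cmdline/initrd, and record the trade-off next to the option: `# fresh host keys each boot: verify the fingerprint on the console before trusting the session`. Nothing in this file (nor in the visible part of the openssh profile) grants SSH access — no authorizedKeys, no password policy — so confirm where installer logins come from and that password authentication is off, since `ruleset.nft` opens port 22 on every interface. Minor: `services.resolved.llmnr = "false"` is dead here because the `networkmanager` profile sets `services.resolved.enable = false`.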
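--- /dev/null
+++ b/installer/ruleset.nft
@@ -0,0 +1,98 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+limit lim_arp {
+rate over 50 mbytes/second burst 50 mbytes
+}
+
+chain input {
+type filter hook input priority filter
+policy accept
+
+limit name lim_arp counter drop
+
+counter
+}
+
+chain output {
+type filter hook output priority filter
+policy accept
+
+limit name lim_arp counter drop
+
+counter
+}
+}
+
+table inet filter {
+limit lim_reject {
+rate over 1000/second burst 1000 packets
+}
+
+limit lim_icmp {
+rate over 50 mbytes/second burst 50 mbytes
+}
+
+
+chain forward {
+type filter hook forward priority filter
+policy drop
+
+
+ct state invalid log level debug prefix "drop invalid forward: " counter drop
+
+
+iifname lo counter accept
+
+
+limit name lim_reject log level debug prefix "drop forward: " counter drop
+log level debug prefix "reject forward: " counter
+meta l4proto tcp ct state new counter reject with tcp reset
+ct state new counter reject
+
+
+counter
+}
+
+chain input {
+type filter hook input priority filter
+policy drop
+
+
+ct state invalid log level debug prefix "drop invalid input: " counter drop
+
+
+iifname lo counter accept
+iif != lo ip daddr 127.0.0.1/8 counter reject
+iif != lo ip6 daddr ::1/128 counter reject
+
+meta l4proto $icmp_protos limit name lim_icmp counter drop
+meta l4proto $icmp_protos counter accept
+
+tcp dport 22 counter accept
+udp dport 60000-61000 counter accept
+
+
+limit name lim_reject log level debug prefix "drop input: " counter drop
+log level debug prefix "reject input: " counter
+meta l4proto tcp ct state new counter reject with tcp reset
+ct state new counter reject
+
+
+counter
+}
+
+chain output {
+type filter hook output priority filter
+policy accept
+
+
+oifname lo counter accept
+
+meta l4proto $icmp_protos limit name lim_icmp counter drop
+meta l4proto $icmp_protos counter accept
+
+
+counter
+}
+}
\ No newline at end of file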
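Review bot: The `input` chain has `policy drop` but, unlike the vidhar ruleset touched in this same commit, no `ct state { established, related } accept`, so replies to connections the installer itself opens — TCP data from a binary cache during `nixos-install`, and most likely DNS answers — fall through to the reject/drop tail; only ports 22, 60000-61000 and ICMP ever get in. Unless blocking replies is intended (which would leave the box able to serve SSH but unable to fetch anything), add `ct state { established, related } counter accept` right after the loopback rules, before the ICMP limiter. The `iifname lo counter accept` in `forward` can never match since loopback traffic is not forwarded and could be dropped to keep the chain honest; the file also lacks a trailing newline.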
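--- /dev/null
+++ b/system-profiles/networkmanager.nix
@@ -0,0 +1,26 @@
+{ lib, ... }:
+
+with lib;
+
+{
+config = {
+networking = {
+networkmanager = {
+enable = true;
+dhcp = "internal";
+dns = mkForce "dnsmasq";
+extraConfig = ''
+[connectivity]
+uri=https://online.yggdrasil.li
+'';
+};
+
+dhcpcd.enable = false;
+};
+
+systemd.services."NetworkManager-wait-online".enable = false;
+systemd.services."systemd-networkd-wait-online".enable = false;
+
+services.resolved.enable = false;
+};
+}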
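Review bot: Disabling both `NetworkManager-wait-online` and `systemd-networkd-wait-online` makes `network-online.target` reachable with no link up, so any unit on a host importing this profile that orders itself `After=network-online.target` — in particular anything binding a specific address — silently loses the guarantee the target name promises; a comment stating that this is deliberate would help: `# boot must not block on connectivity; units that need an address have to cope with its absence`. Style: a top-level `with lib;` for a single `mkForce` hides where the name comes from; `lib.mkForce` inline, or `let inherit (lib) mkForce; in`, is the form current nixpkgs style prefers. Presumably `dns = mkForce "dnsmasq"` is meant to pair with `services.resolved.enable = false`; one line noting that NM's dnsmasq plugin is the resolver on these hosts would save the next reader the inference.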
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 048a948f..19bc46b7 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -1,22 +1,34 @@
1{ customUtils, lib, config, hostName, pkgs, ... }: 1{ customUtils, lib, config, hostName, pkgs, ... }:
2{ 2
3with lib;
4
5let
6 cfg = config.services.openssh;
7in {
8 options = {
9 services.openssh.staticHostKeys = mkOption {
10 type = types.bool;
11 default = true;
12 };
13 };
14
3 config = { 15 config = {
4 systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager 16 systemd.user.services."ssh-agent".enable = mkForce false; # ssh-agent should be done via home-manager
5 17
6 services.openssh = lib.mkIf config.services.openssh.enable { 18 services.openssh = mkIf cfg.enable {
7 hostKeys = lib.mkForce []; # done manually 19 hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
8 ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ]; 20 ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
9 macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ]; 21 macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];
10 kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; 22 kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
11 moduliFile = config.sops.secrets.ssh_moduli.path; 23 moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path;
12 extraConfig = '' 24 extraConfig = ''
13 HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 25 HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
14 CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 26 CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
15 27
16 HostKey /etc/ssh/ssh_host_ed25519_key 28 ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"}
17 HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub 29 ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"}
18 HostKey /etc/ssh/ssh_host_rsa_key 30 ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"}
19 HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub 31 ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"}
20 RevokedKeys /etc/ssh/krl.bin 32 RevokedKeys /etc/ssh/krl.bin
21 ''; 33 '';
22 logLevel = "VERBOSE"; 34 logLevel = "VERBOSE";
@@ -45,35 +57,35 @@
45 ''; 57 '';
46 }; 58 };
47 59
48 sops.secrets = lib.mkIf config.services.openssh.enable { 60 sops.secrets = mkIf cfg.enable {
49 ssh_host_rsa_key = { 61 ssh_host_rsa_key = mkIf cfg.staticHostKeys {
50 key = "rsa"; 62 key = "rsa";
51 path = "/etc/ssh/ssh_host_rsa_key"; 63 path = "/etc/ssh/ssh_host_rsa_key";
52 sopsFile = ./host-keys + "/${hostName}.yaml"; 64 sopsFile = ./host-keys + "/${hostName}.yaml";
53 }; 65 };
54 ssh_host_ed25519_key = { 66 ssh_host_ed25519_key = mkIf cfg.staticHostKeys {
55 key = "ed25519"; 67 key = "ed25519";
56 path = "/etc/ssh/ssh_host_ed25519_key"; 68 path = "/etc/ssh/ssh_host_ed25519_key";
57 sopsFile = ./host-keys + "/${hostName}.yaml"; 69 sopsFile = ./host-keys + "/${hostName}.yaml";
58 }; 70 };
59 ssh_moduli = { 71 ssh_moduli = mkIf (pathExists (./host-moduli + "/${hostName}")) {
60 format = "binary"; 72 format = "binary";
61 path = "/etc/ssh/moduli"; 73 path = "/etc/ssh/moduli";
62 sopsFile = ./host-moduli + "/${hostName}"; 74 sopsFile = ./host-moduli + "/${hostName}";
63 }; 75 };
64 }; 76 };
65 77
66 environment.etc = lib.mkIf config.services.openssh.enable { 78 environment.etc = mkIf cfg.enable {
67 "ssh/ssh_host_rsa_key.pub".source = ./known-hosts + "/${hostName}/rsa.pub"; 79 "ssh/ssh_host_rsa_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa.pub"; };
68 "ssh/ssh_host_ed25519_key.pub".source = ./known-hosts + "/${hostName}/ed25519.pub"; 80 "ssh/ssh_host_ed25519_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519.pub"; };
69 81
70 "ssh/ssh_host_rsa_key-cert.pub".source = ./known-hosts + "/${hostName}/rsa-cert.pub"; 82 "ssh/ssh_host_rsa_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa-cert.pub"; };
71 "ssh/ssh_host_ed25519_key-cert.pub".source = ./known-hosts + "/${hostName}/ed25519-cert.pub"; 83 "ssh/ssh_host_ed25519_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519-cert.pub"; };
72 84
73 "ssh/krl.bin".source = ./ca/krl.bin; 85 "ssh/krl.bin".source = ./ca/krl.bin;
74 }; 86 };
75 87
76 environment.systemPackages = lib.mkIf config.services.openssh.enable (with pkgs; [ 88 environment.systemPackages = mkIf cfg.enable (with pkgs; [
77 rxvt_unicode.terminfo alacritty.terminfo 89 rxvt_unicode.terminfo alacritty.terminfo
78 ]); 90 ]);
79 }; 91 };
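Review bot: The new `services.openssh.staticHostKeys` option has no `description`, yet it flips a security-relevant behaviour — with `false` the explicit `HostKey` lines and the `HostCertificate` lines vanish and sshd falls back to NixOS-generated, uncertified host keys, so clients lose certificate-based host verification; document that, e.g. `description = "Provision host keys and certificates from sops/known-hosts (true) instead of letting sshd generate fresh, uncertified keys on first boot (false).";`. The moduli plumbing is also indirect: `ssh_moduli` is defined under `mkIf (pathExists …)` and `moduliFile` then re-derives the same fact via `config.sops.secrets ? "ssh_moduli"`; a single `hasModuli = pathExists (./host-moduli + "/${hostName}");` in the `let` used by both would make the dependency explicit instead of routing it through the sops module's handling of absent secrets. Lines 35-56 of the file (the rest of `extraConfig` and the remaining sshd settings) are outside the hunks, so I cannot see whether `PasswordAuthentication`/`PermitRootLogin` are pinned for the non-static case that the installer now uses.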
diff --git a/system-profiles/zfs.nix b/system-profiles/zfs.nix
index 5703f7ed..85e5ad03 100644
--- a/system-profiles/zfs.nix
+++ b/system-profiles/zfs.nix
@@ -1,6 +1,6 @@
1{ pkgs, ... } : { 1{ config, pkgs, ... } : {
2 config.boot = { 2 config.boot = {
3 kernelPackages = pkgs.linuxPackages_5_15; 3 kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
4 supportedFilesystems = [ "zfs" ]; 4 supportedFilesystems = [ "zfs" ];
5 zfs.enableUnstable = true; 5 zfs.enableUnstable = true;
6 }; 6 };
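Review bot: `config.boot.zfs.package.latestCompatibleLinuxPackages` lets the kernel float to whatever the unstable ZFS build (`zfs.enableUnstable = true`) currently supports, so a nixpkgs bump can silently move every host importing this profile to a new major kernel; that is a defensible trade-off for keeping ZFS buildable, but it deserves a comment such as `# kernel follows ZFS-unstable compatibility; expect major-version jumps on nixpkgs updates`. As far as I recall this attribute is deprecated in newer nixpkgs in favour of pinning an explicit `linuxPackages_*`, so it is worth checking the pinned nixpkgs before the profile starts emitting eval warnings or fails to evaluate.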