-rw-r--r--hosts/vidhar/default.nix334
-rw-r--r--hosts/vidhar/dns.nix47
-rw-r--r--hosts/vidhar/dsl.nix134
-rw-r--r--hosts/vidhar/network.nix83
-rw-r--r--hosts/vidhar/samba.nix81
5 files changed, 344 insertions, 335 deletions
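--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -1,7 +1,7 @@
 { hostName, flake, config, pkgs, lib, ... }:
 {
 imports = with flake.nixosModules.systemProfiles; [
-./zfs.nix ./dsl.nix
+./zfs.nix ./network.nix ./samba.nix ./dns.nix
 initrd-all-crypto-modules default-locale openssh rebuild-machines
 build-server
 initrd-ssh
@@ -63,218 +63,6 @@
 options = [ "mode=0755" ];
 };
 };
-
-networking = {
-hostName = "vidhar";
-domain = "yggdrasil";
-search = [ "yggdrasil" ];
-
-useDHCP = false;
-useNetworkd = true;
-
-interfaces."lan" = {
-ipv4.addresses = [
-{ address = "10.141.0.1"; prefixLength = 24; }
-];
-};
-interfaces."mgmt" = {
-ipv4.addresses = [
-{ address = "10.141.1.1"; prefixLength = 24; }
-];
-};
-
-vlans = {
-mgmt = {
-id = 2;
-interface = "eno2";
-};
-lan = {
-id = 3;
-interface = "eno2";
-};
-};
-
-firewall.enable = false;
-nftables = {
-enable = true;
-rulesetFile = ./ruleset.nft;
-};
-};
-
-services.resolved = {
-llmnr = "false";
-};
-
-services.dhcpd4 = {
-enable = true;
-interfaces = [ "lan" "mgmt" ];
-extraConfig = ''
-subnet 10.141.0.0 netmask 255.255.255.0 {
-range 10.141.0.128 10.141.0.254;
-option domain-name-servers 10.141.0.1;
-option broadcast-address 10.141.0.255;
-option routers 10.141.0.1;
-option domain-name "yggdrasil";
-}
-
-subnet 10.141.1.0 netmask 255.255.255.0 {
-range 10.141.1.128 10.141.1.254;
-}
-'';
-machines = [
-{
-ethernetAddress = "50:d4:f7:f3:0f:7e";
-hostName = "gauss-ap01";
-ipAddress = "10.141.0.64";
-}
-{
-ethernetAddress = "60:a4:b7:53:94:b5";
-hostName = "switch01";
-ipAddress = "10.141.1.2";
-}
-];
-};
-services.corerad = {
-enable = true;
-settings = {
-interfaces = [
-{ name = config.networking.pppInterface;
-monitor = true;
-verbose = true;
-}
-{ name = "lan";
-advertise = true;
-verbose = true;
-prefix = [{ prefix = "::/64"; }];
-route = [{ prefix = "::/0"; }];
-rdnss = [{ servers = ["::"]; }];
-dnssl = [{ domain_names = ["yggdrasil"]; }];
-}
-];
-};
-};
-services.ndppd = {
-enable = true;
-proxies = {
-${config.networking.pppInterface} = {
-router = true;
-rules.lan = {
-method = "iface";
-interface = "lan";
-network = "::/0";
-};
-};
-};
-};
-boot.kernel.sysctl = {
-"net.ipv6.conf.all.forwarding" = true;
-"net.ipv6.conf.default.forwarding" = true;
-"net.ipv4.conf.all.forwarding" = true;
-"net.ipv4.conf.default.forwarding" = true;
-
-"net.core.rmem_max" = "4194304";
-"net.core.wmem_max" = "4194304";
-};
-systemd.network.networks = {
-"eno2" = {
-matchConfig.Name = "eno2";
-networkConfig.LinkLocalAddressing = "no";
-};
-"telekom" = {
-matchConfig.Name = "telekom";
-networkConfig.LinkLocalAddressing = "no";
-};
-};
-systemd.services."pppd-telekom" = {
-bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];
-after = [ "sys-subsystem-net-devices-telekom.device" ];
-};
-systemd.services."dhcpcd-telekom" = {
-wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ];
-bindsTo = [ "pppd-telekom.service" "sys-subsystem-net-devices-dsl.device" ];
-after = [ "pppd-telekom.service" "sys-subsystem-net-devices-dsl.device" ];
-wants = [ "network.target" ];
-before = [ "network-online.target" ];
-
-path = with pkgs; [ dhcpcd nettools openresolv ];
-unitConfig.ConditionCapability = "CAP_NET_ADMIN";
-
-stopIfChanged = false;
-
-preStart = ''
-i=0
-
-while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${config.networking.pppInterface} scope link)" ]]; do
-${pkgs.coreutils}/bin/sleep 0.1
-i=$((i + 1))
-if [[ "$i" -ge 10 ]]; then
-exit 1
-fi
-done
-'';
-
-serviceConfig = let
-dhcpcdConf = pkgs.writeText "dhcpcd.conf" ''
-duid
-vendorclassid
-ipv6only
-
-nooption domain_name_servers, domain_name, domain_search
-option classless_static_routes
-option interface_mtu
-
-option host_name
-option rapid_commit
-require dhcp_server_identifier
-slaac private
-
-noipv6rs # disable routing solicitation
-nohook resolv.conf
-allowinterfaces dsl
-interface dsl
-ipv6ra_autoconf
-iaid 1195061668
-ipv6rs # enable routing solicitation for WAN adapter
-ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
-
-waitip 6
-'';
-in {
-Type = "forking";
-PIDFile = "/run/dhcpcd/pid";
-RuntimeDirectory = "dhcpcd";
-ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf}";
-ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind";
-Restart = "always";
-RestartSec = "5";
-};
-};
-systemd.services.ndppd = {
-wantedBy = [ "dhcpcd-telekom.service" ];
-bindsTo = [ "dhcpcd-telekom.service" ];
-after = [ "dhcpcd-telekom.service" ];
-
-serviceConfig = {
-Restart = "always";
-RestartSec = "5";
-};
-};
-systemd.services.corerad = {
-wantedBy = [ "dhcpcd-telekom.service" ];
-bindsTo = [ "dhcpcd-telekom.service" ];
-after = [ "dhcpcd-telekom.service" ];
-
-serviceConfig = {
-Restart = lib.mkForce "always";
-RestartSec = "5";
-};
-};
-systemd.services."systemd-networkd".stopIfChanged = false;
-users.users.dhcpcd = {
-isSystemUser = true;
-group = "dhcpcd";
-};
-users.groups.dhcpcd = {};
 
 services.timesyncd.enable = false;
 services.chrony = {
@@ -331,125 +119,5 @@
 
 cpuFreqGovernor = "schedutil";
 };
-
-services.unbound = {
-enable = true;
-resolveLocalQueries = false;
-stateDir = "/var/lib/unbound";
-localControlSocketPath = "/run/unbound/unbound.ctl";
-settings = {
-server = {
-interface = ["127.0.0.1" "10.141.0.1" "::0"];
-access-control = ["0.0.0.0/0 allow" "::/0 allow"];
-root-hints = "${pkgs.dns-root-data}/root.hints";
-
-num-threads = 12;
-so-reuseport = true;
-msg-cache-slabs = 16;
-rrset-cache-slabs = 16;
-infra-cache-slabs = 16;
-key-cache-slabs = 16;
-
-rrset-cache-size = "100m";
-msg-cache-size = "50m";
-outgoing-range = 8192;
-num-queries-per-thread = 4096;
-
-so-rcvbuf = "4m";
-so-sndbuf = "4m";
-
-serve-expired = true;
-serve-expired-ttl = 86400;
-serve-expired-reply-ttl = 0;
-
-prefetch = true;
-prefetch-key = true;
-
-minimal-responses = false;
-
-extended-statistics = true;
-
-rrset-roundrobin = true;
-use-caps-for-id = true;
-};
-};
-};
-
-services.samba = {
-enable = true;
-securityType = "user";
-extraConfig = ''
-domain master = yes
-workgroup = WORKGROUP
-load printers = no
-printing = bsd
-printcap name = /dev/null
-disable spoolss = yes
-guest account = nobody
-bind interfaces only = yes
-interfaces = lo lan
-'';
-shares = {
-homes = {
-comment = "Home Directories";
-path = "/home/%S";
-browseable = "no";
-"valid users" = "%S";
-"read only" = "no";
-"create mask" = "0700";
-"directory mask" = "0700";
-"vfs objects" = "shadow_copy2";
-"shadow:snapdir" = ".zfs/snapshot";
-"shadow:sort" = "desc";
-"shadow:format" = "%Y-%m-%d-%Hh%MU";
-"shadow:snapprefix" = "^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}";
-"shadow:delimiter" = "-";
-};
-eos = {
-comment = "Disk image of eos";
-browseable = true;
-"valid users" = "mherold";
-writeable = "true";
-path = "/srv/eos";
-};
-};
-};
-services.samba-wsdd = {
-enable = true;
-workgroup = "WORKGROUP";
-interface = [ "lo" "lan" ];
-};
-
-fileSystems."/srv/eos.lower" = {
-device = "/dev/zvol/hdd-raid6/safe/home/mherold/eos/base";
-fsType = "ntfs3";
-options = [ "ro" "uid=mherold" "gid=users" "fmask=0177" "dmask=0077" "nofail" "noauto" ];
-};
-
-fileSystems."/srv/eos.upper" = {
-device = "/dev/zvol/hdd-raid6/safe/home/mherold/eos/upper";
-fsType = "ext4";
-options = [ "nofail" "noauto" ];
-};
-
-systemd.mounts = [
-{
-wantedBy = [ "samba-smbd.service" ];
-before = [ "samba-smbd.service" ];
-
-where = "/srv/eos";
-what = "overlay";
-type = "overlay";
-options = lib.concatStringsSep ","
-[ "lowerdir=/srv/eos.lower"
-"upperdir=/srv/eos.upper/upper"
-"workdir=/srv/eos.upper/work"
-];
-
-unitConfig = {
-RequiresMountsFor = [ "/srv/eos.lower" "/srv/eos.upper" ];
-};
-}
-];
 };
 }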
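Review bot: Two settings deleted in the second hunk do not reappear in any of the new files on this page: the `"telekom"` entry of systemd.network.networks (old lines 183-186, `networkConfig.LinkLocalAddressing = "no"`) and `systemd.services."systemd-networkd".stopIfChanged = false;` (old line 272). network.nix carries only the `"eno2"` entry and the visible part of dsl.nix defines neither, so unless they live in the part of dsl.nix outside its hunks, the telekom link regains link-local addressing and networkd goes back to a stop/start cycle on activation instead of a restart, which on this router means the LAN addresses and the PPP session are torn down during every rebuild. If dropping them is intended, say so in the commit message; otherwise re-add both to dsl.nix next to the other networkd settings.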
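--- /dev/null
+++ b/hosts/vidhar/dns.nix
@@ -0,0 +1,47 @@
+{ config, lib, pkgs, ... }:
+{
+config = {
+services.unbound = {
+enable = true;
+resolveLocalQueries = false;
+stateDir = "/var/lib/unbound";
+localControlSocketPath = "/run/unbound/unbound.ctl";
+settings = {
+server = {
+interface = ["127.0.0.1" "10.141.0.1" "::0"];
+access-control = ["0.0.0.0/0 allow" "::/0 allow"];
+root-hints = "${pkgs.dns-root-data}/root.hints";
+
+num-threads = 12;
+so-reuseport = true;
+msg-cache-slabs = 16;
+rrset-cache-slabs = 16;
+infra-cache-slabs = 16;
+key-cache-slabs = 16;
+
+rrset-cache-size = "100m";
+msg-cache-size = "50m";
+outgoing-range = 8192;
+num-queries-per-thread = 4096;
+
+so-rcvbuf = "4m";
+so-sndbuf = "4m";
+
+serve-expired = true;
+serve-expired-ttl = 86400;
+serve-expired-reply-ttl = 0;
+
+prefetch = true;
+prefetch-key = true;
+
+minimal-responses = false;
+
+extended-statistics = true;
+
+rrset-roundrobin = true;
+use-caps-for-id = true;
+};
+};
+};
+};
+}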
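Review bot: The server block binds `"::0"` and grants recursion to `"0.0.0.0/0 allow"` and `"::/0 allow"` (lines 11-12), so unbound also answers on the global address of the WAN-facing PPP interface and nothing in this file limits who may recurse; unless ./ruleset.nft (not on this page) drops port 53 from the WAN side, this host is an open recursive resolver and a DNS-amplification reflector. The configuration itself should carry the restriction rather than relying on the packet filter alone, e.g. `access-control = [ "127.0.0.0/8 allow" "10.141.0.0/24 allow" "10.141.1.0/24 allow" "::1/128 allow" "fe80::/10 allow" ];` with everything else left at unbound's default of refuse; the delegated LAN IPv6 prefix is dynamic, so that part may genuinely have to stay with nftables, and a comment saying so would help the next reader. The values are moved verbatim from default.nix, so this is pre-existing, but the new file is the natural place to fix it.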
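--- a/hosts/vidhar/dsl.nix
+++ b/hosts/vidhar/dsl.nix
@@ -67,9 +67,9 @@ in {
 };
 };
 
-systemd.network.networks."dsl" = {
+systemd.network.networks.${pppInterface} = {
 matchConfig = {
-Name = "dsl";
+Name = pppInterface;
 };
 dns = [ "::1" "127.0.0.1" ];
 domains = [ "~." ];
@@ -78,5 +78,135 @@ in {
 DNSSEC = true;
 };
 };
+
+services.corerad = {
+enable = true;
+settings = {
+interfaces = [
+{ name = pppInterface;
+monitor = true;
+verbose = true;
+}
+{ name = "lan";
+advertise = true;
+verbose = true;
+prefix = [{ prefix = "::/64"; }];
+route = [{ prefix = "::/0"; }];
+rdnss = [{ servers = ["::"]; }];
+dnssl = [{ domain_names = ["yggdrasil"]; }];
+}
+];
+};
+};
+services.ndppd = {
+enable = true;
+proxies = {
+${pppInterface} = {
+router = true;
+rules.lan = {
+method = "iface";
+interface = "lan";
+network = "::/0";
+};
+};
+};
+};
+boot.kernel.sysctl = {
+"net.ipv6.conf.all.forwarding" = true;
+"net.ipv6.conf.default.forwarding" = true;
+"net.ipv4.conf.all.forwarding" = true;
+"net.ipv4.conf.default.forwarding" = true;
+
+"net.core.rmem_max" = "4194304";
+"net.core.wmem_max" = "4194304";
+};
+systemd.services."pppd-telekom" = {
+bindsTo = [ "sys-subsystem-net-devices-${pppInterface}.device" ];
+after = [ "sys-subsystem-net-devices-${pppInterface}.device" ];
+};
+systemd.services."dhcpcd-telekom" = {
+wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ];
+bindsTo = [ "pppd-telekom.service" "sys-subsystem-net-devices-${pppInterface}.device" ];
+after = [ "pppd-telekom.service" "sys-subsystem-net-devices-${pppInterface}.device" ];
+wants = [ "network.target" ];
+before = [ "network-online.target" ];
+
+path = with pkgs; [ dhcpcd nettools openresolv ];
+unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+
+stopIfChanged = false;
+
+preStart = ''
+i=0
+
+while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${pppInterface} scope link)" ]]; do
+${pkgs.coreutils}/bin/sleep 0.1
+i=$((i + 1))
+if [[ "$i" -ge 10 ]]; then
+exit 1
+fi
+done
+'';
+
+serviceConfig = let
+dhcpcdConf = pkgs.writeText "dhcpcd.conf" ''
+duid
+vendorclassid
+ipv6only
+
+nooption domain_name_servers, domain_name, domain_search
+option classless_static_routes
+option interface_mtu
+
+option host_name
+option rapid_commit
+require dhcp_server_identifier
+slaac private
+
+nohook resolv.conf
+ipv6ra_autoconf
+iaid 1195061668
+ipv6rs # enable routing solicitation for WAN adapter
+ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
+
+reboot 0
+
+waitip 6
+'';
+in {
+Type = "forking";
+PIDFile = "/run/dhcpcd/pid";
+RuntimeDirectory = "dhcpcd";
+ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf} ${pppInterface}";
+ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind ${pppInterface}";
+Restart = "always";
+RestartSec = "5";
+};
+};
+systemd.services.ndppd = {
+wantedBy = [ "dhcpcd-telekom.service" ];
+bindsTo = [ "dhcpcd-telekom.service" ];
+after = [ "dhcpcd-telekom.service" ];
+
+serviceConfig = {
+Restart = "always";
+RestartSec = "5";
+};
+};
+systemd.services.corerad = {
+wantedBy = [ "dhcpcd-telekom.service" ];
+bindsTo = [ "dhcpcd-telekom.service" ];
+after = [ "dhcpcd-telekom.service" ];
+
+serviceConfig = {
+Restart = lib.mkForce "always";
+RestartSec = "5";
+};
+};
+users.users.dhcpcd = {
+isSystemUser = true;
+group = "dhcpcd";
+};
+users.groups.dhcpcd = {};
 };
 }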
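Review bot: `reboot 0` on line 172 is the one option in the new dhcpcd.conf that was not carried over from default.nix, and unlike its neighbours (`ipv6rs # enable routing solicitation …`) it says nothing about why; since this commit is otherwise a pure move, a reader will not know the behaviour change is deliberate. Suggest `reboot 0 # skip the reboot phase: never try to confirm an old lease before discover (dhcpcd.conf(5))`. The removed `allowinterfaces dsl` / `interface dsl` lines are covered by passing `${pppInterface}` on the ExecStart/ExecReload lines (180-181), so dropping the global `noipv6rs` is consistent, but the unit names `pppd-telekom`/`dhcpcd-telekom` and the `telekom` literal inside them stay fixed while the interface is now a variable; a one-line comment where pppInterface is bound, which is outside this hunk (the `let` precedes the `in {` in the hunk header), tying it to the pppd unit would keep the two from drifting apart.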
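--- /dev/null
+++ b/hosts/vidhar/network.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+{
+imports = [ ./dsl.nix ];
+
+config = {
+networking = {
+hostName = "vidhar";
+domain = "yggdrasil";
+search = [ "yggdrasil" ];
+
+useDHCP = false;
+useNetworkd = true;
+
+interfaces."lan" = {
+ipv4.addresses = [
+{ address = "10.141.0.1"; prefixLength = 24; }
+];
+};
+interfaces."mgmt" = {
+ipv4.addresses = [
+{ address = "10.141.1.1"; prefixLength = 24; }
+];
+};
+
+vlans = {
+mgmt = {
+id = 2;
+interface = "eno2";
+};
+lan = {
+id = 3;
+interface = "eno2";
+};
+};
+
+firewall.enable = false;
+nftables = {
+enable = true;
+rulesetFile = ./ruleset.nft;
+};
+};
+
+services.resolved = {
+llmnr = "false";
+};
+
+services.dhcpd4 = {
+enable = true;
+interfaces = [ "lan" "mgmt" ];
+extraConfig = ''
+subnet 10.141.0.0 netmask 255.255.255.0 {
+range 10.141.0.128 10.141.0.254;
+option domain-name-servers 10.141.0.1;
+option broadcast-address 10.141.0.255;
+option routers 10.141.0.1;
+option domain-name "yggdrasil";
+}
+
+subnet 10.141.1.0 netmask 255.255.255.0 {
+range 10.141.1.128 10.141.1.254;
+}
+'';
+machines = [
+{
+ethernetAddress = "50:d4:f7:f3:0f:7e";
+hostName = "gauss-ap01";
+ipAddress = "10.141.0.64";
+}
+{
+ethernetAddress = "60:a4:b7:53:94:b5";
+hostName = "switch01";
+ipAddress = "10.141.1.2";
+}
+];
+};
+systemd.network.networks = {
+"eno2" = {
+matchConfig.Name = "eno2";
+networkConfig.LinkLocalAddressing = "no";
+};
+};
+};
+}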
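Review bot: `firewall.enable = false;` on line 36 together with `nftables.rulesetFile = ./ruleset.nft;` makes that one file the entire packet filter for a host that runs a DHCP server on two VLANs, an IPv6 router advertiser and a resolver bound to all addresses, yet the ruleset is not part of this commit and nothing here documents what it must guarantee; a comment above line 36 such as `# firewall is replaced by ./ruleset.nft, which must drop unsolicited WAN traffic to dhcpd/unbound/smbd` would make the dependency explicit. Separately, `services.dhcpd4` (line 47) is ISC DHCP, which reached upstream end-of-life in 2022 and whose NixOS module has been dropped in newer releases in favour of Kea; if this configuration tracks a recent channel, the move is a good moment to note the migration. The second subnet (lines 59-61) hands out leases on mgmt without `option routers` or DNS, which looks intentional for an isolated management VLAN, and a short comment saying so would stop the next reader from "fixing" it.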
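--- /dev/null
+++ b/hosts/vidhar/samba.nix
@@ -0,0 +1,81 @@
+{ config, lib, pkgs, ... }:
+{
+config = {
+services.samba = {
+enable = true;
+securityType = "user";
+extraConfig = ''
+domain master = yes
+workgroup = WORKGROUP
+load printers = no
+printing = bsd
+printcap name = /dev/null
+disable spoolss = yes
+guest account = nobody
+bind interfaces only = yes
+interfaces = lo lan
+'';
+shares = {
+homes = {
+comment = "Home Directories";
+path = "/home/%S";
+browseable = "no";
+"valid users" = "%S";
+"read only" = "no";
+"create mask" = "0700";
+"directory mask" = "0700";
+"vfs objects" = "shadow_copy2";
+"shadow:snapdir" = ".zfs/snapshot";
+"shadow:sort" = "desc";
+"shadow:format" = "%Y-%m-%d-%Hh%MU";
+"shadow:snapprefix" = "^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}";
+"shadow:delimiter" = "-";
+};
+eos = {
+comment = "Disk image of eos";
+browseable = true;
+"valid users" = "mherold";
+writeable = "true";
+path = "/srv/eos";
+};
+};
+};
+services.samba-wsdd = {
+enable = true;
+workgroup = "WORKGROUP";
+interface = [ "lo" "lan" ];
+};
+
+fileSystems."/srv/eos.lower" = {
+device = "/dev/zvol/hdd-raid6/safe/home/mherold/eos/base";
+fsType = "ntfs3";
+options = [ "ro" "uid=mherold" "gid=users" "fmask=0177" "dmask=0077" "nofail" "noauto" ];
+};
+
+fileSystems."/srv/eos.upper" = {
+device = "/dev/zvol/hdd-raid6/safe/home/mherold/eos/upper";
+fsType = "ext4";
+options = [ "nofail" "noauto" ];
+};
+
+systemd.mounts = [
+{
+wantedBy = [ "samba-smbd.service" ];
+before = [ "samba-smbd.service" ];
+
+where = "/srv/eos";
+what = "overlay";
+type = "overlay";
+options = lib.concatStringsSep ","
+[ "lowerdir=/srv/eos.lower"
+"upperdir=/srv/eos.upper/upper"
+"workdir=/srv/eos.upper/work"
+];
+
+unitConfig = {
+RequiresMountsFor = [ "/srv/eos.lower" "/srv/eos.upper" ];
+};
+}
+];
+};
+}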
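Review bot: The `"shadow:snapprefix"` value on line 31 is a Nix double-quoted string, and Nix drops the backslash from escapes it does not recognise, so the text that reaches smb.conf is `^zfs-auto-snap_(frequent){0,1}(hourly){0,1}(daily){0,1}(monthly){0,1}` rather than the `\(`…`\{0,1\}` basic-regex groups the author wrote; if vfs_shadow_copy2 compiles the prefix as a basic regex, parentheses and braces are then literals, no snapshot directory matches, and "previous versions" for the homes share is silently empty. Either double every backslash (`\\(`, `\\)`, `\\{0,1\\}`) or put the value in a `''…''` indented string, where backslashes are not escapes, and add a one-line comment naming which of the two regex dialects the pattern is written for. The share is moved verbatim from default.nix, so this is pre-existing, but the new file is where it should be corrected. As a smaller point, `browseable = true` (line 36) and `writeable = "true"` (line 38) mix a boolean and a string for the same kind of option; both render the same, but one form throughout would read better.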