diff options
-rw-r--r-- | hosts/vidhar/default.nix | 334 | ||||
-rw-r--r-- | hosts/vidhar/dns.nix | 47 | ||||
-rw-r--r-- | hosts/vidhar/dsl.nix | 134 | ||||
-rw-r--r-- | hosts/vidhar/network.nix | 83 | ||||
-rw-r--r-- | hosts/vidhar/samba.nix | 81 |
5 files changed, 344 insertions, 335 deletions
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 933f5af9..a2764158 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix | |||
@@ -1,7 +1,7 @@ | |||
1 | { hostName, flake, config, pkgs, lib, ... }: | 1 | { hostName, flake, config, pkgs, lib, ... }: |
2 | { | 2 | { |
3 | imports = with flake.nixosModules.systemProfiles; [ | 3 | imports = with flake.nixosModules.systemProfiles; [ |
4 | ./zfs.nix ./dsl.nix | 4 | ./zfs.nix ./network.nix ./samba.nix ./dns.nix |
5 | initrd-all-crypto-modules default-locale openssh rebuild-machines | 5 | initrd-all-crypto-modules default-locale openssh rebuild-machines |
6 | build-server | 6 | build-server |
7 | initrd-ssh | 7 | initrd-ssh |
@@ -63,218 +63,6 @@ | |||
63 | options = [ "mode=0755" ]; | 63 | options = [ "mode=0755" ]; |
64 | }; | 64 | }; |
65 | }; | 65 | }; |
66 | |||
67 | networking = { | ||
68 | hostName = "vidhar"; | ||
69 | domain = "yggdrasil"; | ||
70 | search = [ "yggdrasil" ]; | ||
71 | |||
72 | useDHCP = false; | ||
73 | useNetworkd = true; | ||
74 | |||
75 | interfaces."lan" = { | ||
76 | ipv4.addresses = [ | ||
77 | { address = "10.141.0.1"; prefixLength = 24; } | ||
78 | ]; | ||
79 | }; | ||
80 | interfaces."mgmt" = { | ||
81 | ipv4.addresses = [ | ||
82 | { address = "10.141.1.1"; prefixLength = 24; } | ||
83 | ]; | ||
84 | }; | ||
85 | |||
86 | vlans = { | ||
87 | mgmt = { | ||
88 | id = 2; | ||
89 | interface = "eno2"; | ||
90 | }; | ||
91 | lan = { | ||
92 | id = 3; | ||
93 | interface = "eno2"; | ||
94 | }; | ||
95 | }; | ||
96 | |||
97 | firewall.enable = false; | ||
98 | nftables = { | ||
99 | enable = true; | ||
100 | rulesetFile = ./ruleset.nft; | ||
101 | }; | ||
102 | }; | ||
103 | |||
104 | services.resolved = { | ||
105 | llmnr = "false"; | ||
106 | }; | ||
107 | |||
108 | services.dhcpd4 = { | ||
109 | enable = true; | ||
110 | interfaces = [ "lan" "mgmt" ]; | ||
111 | extraConfig = '' | ||
112 | subnet 10.141.0.0 netmask 255.255.255.0 { | ||
113 | range 10.141.0.128 10.141.0.254; | ||
114 | option domain-name-servers 10.141.0.1; | ||
115 | option broadcast-address 10.141.0.255; | ||
116 | option routers 10.141.0.1; | ||
117 | option domain-name "yggdrasil"; | ||
118 | } | ||
119 | |||
120 | subnet 10.141.1.0 netmask 255.255.255.0 { | ||
121 | range 10.141.1.128 10.141.1.254; | ||
122 | } | ||
123 | ''; | ||
124 | machines = [ | ||
125 | { | ||
126 | ethernetAddress = "50:d4:f7:f3:0f:7e"; | ||
127 | hostName = "gauss-ap01"; | ||
128 | ipAddress = "10.141.0.64"; | ||
129 | } | ||
130 | { | ||
131 | ethernetAddress = "60:a4:b7:53:94:b5"; | ||
132 | hostName = "switch01"; | ||
133 | ipAddress = "10.141.1.2"; | ||
134 | } | ||
135 | ]; | ||
136 | }; | ||
137 | services.corerad = { | ||
138 | enable = true; | ||
139 | settings = { | ||
140 | interfaces = [ | ||
141 | { name = config.networking.pppInterface; | ||
142 | monitor = true; | ||
143 | verbose = true; | ||
144 | } | ||
145 | { name = "lan"; | ||
146 | advertise = true; | ||
147 | verbose = true; | ||
148 | prefix = [{ prefix = "::/64"; }]; | ||
149 | route = [{ prefix = "::/0"; }]; | ||
150 | rdnss = [{ servers = ["::"]; }]; | ||
151 | dnssl = [{ domain_names = ["yggdrasil"]; }]; | ||
152 | } | ||
153 | ]; | ||
154 | }; | ||
155 | }; | ||
156 | services.ndppd = { | ||
157 | enable = true; | ||
158 | proxies = { | ||
159 | ${config.networking.pppInterface} = { | ||
160 | router = true; | ||
161 | rules.lan = { | ||
162 | method = "iface"; | ||
163 | interface = "lan"; | ||
164 | network = "::/0"; | ||
165 | }; | ||
166 | }; | ||
167 | }; | ||
168 | }; | ||
169 | boot.kernel.sysctl = { | ||
170 | "net.ipv6.conf.all.forwarding" = true; | ||
171 | "net.ipv6.conf.default.forwarding" = true; | ||
172 | "net.ipv4.conf.all.forwarding" = true; | ||
173 | "net.ipv4.conf.default.forwarding" = true; | ||
174 | |||
175 | "net.core.rmem_max" = "4194304"; | ||
176 | "net.core.wmem_max" = "4194304"; | ||
177 | }; | ||
178 | systemd.network.networks = { | ||
179 | "eno2" = { | ||
180 | matchConfig.Name = "eno2"; | ||
181 | networkConfig.LinkLocalAddressing = "no"; | ||
182 | }; | ||
183 | "telekom" = { | ||
184 | matchConfig.Name = "telekom"; | ||
185 | networkConfig.LinkLocalAddressing = "no"; | ||
186 | }; | ||
187 | }; | ||
188 | systemd.services."pppd-telekom" = { | ||
189 | bindsTo = [ "sys-subsystem-net-devices-telekom.device" ]; | ||
190 | after = [ "sys-subsystem-net-devices-telekom.device" ]; | ||
191 | }; | ||
192 | systemd.services."dhcpcd-telekom" = { | ||
193 | wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ]; | ||
194 | bindsTo = [ "pppd-telekom.service" "sys-subsystem-net-devices-dsl.device" ]; | ||
195 | after = [ "pppd-telekom.service" "sys-subsystem-net-devices-dsl.device" ]; | ||
196 | wants = [ "network.target" ]; | ||
197 | before = [ "network-online.target" ]; | ||
198 | |||
199 | path = with pkgs; [ dhcpcd nettools openresolv ]; | ||
200 | unitConfig.ConditionCapability = "CAP_NET_ADMIN"; | ||
201 | |||
202 | stopIfChanged = false; | ||
203 | |||
204 | preStart = '' | ||
205 | i=0 | ||
206 | |||
207 | while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${config.networking.pppInterface} scope link)" ]]; do | ||
208 | ${pkgs.coreutils}/bin/sleep 0.1 | ||
209 | i=$((i + 1)) | ||
210 | if [[ "$i" -ge 10 ]]; then | ||
211 | exit 1 | ||
212 | fi | ||
213 | done | ||
214 | ''; | ||
215 | |||
216 | serviceConfig = let | ||
217 | dhcpcdConf = pkgs.writeText "dhcpcd.conf" '' | ||
218 | duid | ||
219 | vendorclassid | ||
220 | ipv6only | ||
221 | |||
222 | nooption domain_name_servers, domain_name, domain_search | ||
223 | option classless_static_routes | ||
224 | option interface_mtu | ||
225 | |||
226 | option host_name | ||
227 | option rapid_commit | ||
228 | require dhcp_server_identifier | ||
229 | slaac private | ||
230 | |||
231 | noipv6rs # disable routing solicitation | ||
232 | nohook resolv.conf | ||
233 | allowinterfaces dsl | ||
234 | interface dsl | ||
235 | ipv6ra_autoconf | ||
236 | iaid 1195061668 | ||
237 | ipv6rs # enable routing solicitation for WAN adapter | ||
238 | ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN | ||
239 | |||
240 | waitip 6 | ||
241 | ''; | ||
242 | in { | ||
243 | Type = "forking"; | ||
244 | PIDFile = "/run/dhcpcd/pid"; | ||
245 | RuntimeDirectory = "dhcpcd"; | ||
246 | ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf}"; | ||
247 | ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind"; | ||
248 | Restart = "always"; | ||
249 | RestartSec = "5"; | ||
250 | }; | ||
251 | }; | ||
252 | systemd.services.ndppd = { | ||
253 | wantedBy = [ "dhcpcd-telekom.service" ]; | ||
254 | bindsTo = [ "dhcpcd-telekom.service" ]; | ||
255 | after = [ "dhcpcd-telekom.service" ]; | ||
256 | |||
257 | serviceConfig = { | ||
258 | Restart = "always"; | ||
259 | RestartSec = "5"; | ||
260 | }; | ||
261 | }; | ||
262 | systemd.services.corerad = { | ||
263 | wantedBy = [ "dhcpcd-telekom.service" ]; | ||
264 | bindsTo = [ "dhcpcd-telekom.service" ]; | ||
265 | after = [ "dhcpcd-telekom.service" ]; | ||
266 | |||
267 | serviceConfig = { | ||
268 | Restart = lib.mkForce "always"; | ||
269 | RestartSec = "5"; | ||
270 | }; | ||
271 | }; | ||
272 | systemd.services."systemd-networkd".stopIfChanged = false; | ||
273 | users.users.dhcpcd = { | ||
274 | isSystemUser = true; | ||
275 | group = "dhcpcd"; | ||
276 | }; | ||
277 | users.groups.dhcpcd = {}; | ||
278 | 66 | ||
279 | services.timesyncd.enable = false; | 67 | services.timesyncd.enable = false; |
280 | services.chrony = { | 68 | services.chrony = { |
@@ -331,125 +119,5 @@ | |||
331 | 119 | ||
332 | cpuFreqGovernor = "schedutil"; | 120 | cpuFreqGovernor = "schedutil"; |
333 | }; | 121 | }; |
334 | |||
335 | services.unbound = { | ||
336 | enable = true; | ||
337 | resolveLocalQueries = false; | ||
338 | stateDir = "/var/lib/unbound"; | ||
339 | localControlSocketPath = "/run/unbound/unbound.ctl"; | ||
340 | settings = { | ||
341 | server = { | ||
342 | interface = ["127.0.0.1" "10.141.0.1" "::0"]; | ||
343 | access-control = ["0.0.0.0/0 allow" "::/0 allow"]; | ||
344 | root-hints = "${pkgs.dns-root-data}/root.hints"; | ||
345 | |||
346 | num-threads = 12; | ||
347 | so-reuseport = true; | ||
348 | msg-cache-slabs = 16; | ||
349 | rrset-cache-slabs = 16; | ||
350 | infra-cache-slabs = 16; | ||
351 | key-cache-slabs = 16; | ||
352 | |||
353 | rrset-cache-size = "100m"; | ||
354 | msg-cache-size = "50m"; | ||
355 | outgoing-range = 8192; | ||
356 | num-queries-per-thread = 4096; | ||
357 | |||
358 | so-rcvbuf = "4m"; | ||
359 | so-sndbuf = "4m"; | ||
360 | |||
361 | serve-expired = true; | ||
362 | serve-expired-ttl = 86400; | ||
363 | serve-expired-reply-ttl = 0; | ||
364 | |||
365 | prefetch = true; | ||
366 | prefetch-key = true; | ||
367 | |||
368 | minimal-responses = false; | ||
369 | |||
370 | extended-statistics = true; | ||
371 | |||
372 | rrset-roundrobin = true; | ||
373 | use-caps-for-id = true; | ||
374 | }; | ||
375 | }; | ||
376 | }; | ||
377 | |||
378 | services.samba = { | ||
379 | enable = true; | ||
380 | securityType = "user"; | ||
381 | extraConfig = '' | ||
382 | domain master = yes | ||
383 | workgroup = WORKGROUP | ||
384 | load printers = no | ||
385 | printing = bsd | ||
386 | printcap name = /dev/null | ||
387 | disable spoolss = yes | ||
388 | guest account = nobody | ||
389 | bind interfaces only = yes | ||
390 | interfaces = lo lan | ||
391 | ''; | ||
392 | shares = { | ||
393 | homes = { | ||
394 | comment = "Home Directories"; | ||
395 | path = "/home/%S"; | ||
396 | browseable = "no"; | ||
397 | "valid users" = "%S"; | ||
398 | "read only" = "no"; | ||
399 | "create mask" = "0700"; | ||
400 | "directory mask" = "0700"; | ||
401 | "vfs objects" = "shadow_copy2"; | ||
402 | "shadow:snapdir" = ".zfs/snapshot"; | ||
403 | "shadow:sort" = "desc"; | ||
404 | "shadow:format" = "%Y-%m-%d-%Hh%MU"; | ||
405 | "shadow:snapprefix" = "^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}"; | ||
406 | "shadow:delimiter" = "-"; | ||
407 | }; | ||
408 | eos = { | ||
409 | comment = "Disk image of eos"; | ||
410 | browseable = true; | ||
411 | "valid users" = "mherold"; | ||
412 | writeable = "true"; | ||
413 | path = "/srv/eos"; | ||
414 | }; | ||
415 | }; | ||
416 | }; | ||
417 | services.samba-wsdd = { | ||
418 | enable = true; | ||
419 | workgroup = "WORKGROUP"; | ||
420 | interface = [ "lo" "lan" ]; | ||
421 | }; | ||
422 | |||
423 | fileSystems."/srv/eos.lower" = { | ||
424 | device = "/dev/zvol/hdd-raid6/safe/home/mherold/eos/base"; | ||
425 | fsType = "ntfs3"; | ||
426 | options = [ "ro" "uid=mherold" "gid=users" "fmask=0177" "dmask=0077" "nofail" "noauto" ]; | ||
427 | }; | ||
428 | |||
429 | fileSystems."/srv/eos.upper" = { | ||
430 | device = "/dev/zvol/hdd-raid6/safe/home/mherold/eos/upper"; | ||
431 | fsType = "ext4"; | ||
432 | options = [ "nofail" "noauto" ]; | ||
433 | }; | ||
434 | |||
435 | systemd.mounts = [ | ||
436 | { | ||
437 | wantedBy = [ "samba-smbd.service" ]; | ||
438 | before = [ "samba-smbd.service" ]; | ||
439 | |||
440 | where = "/srv/eos"; | ||
441 | what = "overlay"; | ||
442 | type = "overlay"; | ||
443 | options = lib.concatStringsSep "," | ||
444 | [ "lowerdir=/srv/eos.lower" | ||
445 | "upperdir=/srv/eos.upper/upper" | ||
446 | "workdir=/srv/eos.upper/work" | ||
447 | ]; | ||
448 | |||
449 | unitConfig = { | ||
450 | RequiresMountsFor = [ "/srv/eos.lower" "/srv/eos.upper" ]; | ||
451 | }; | ||
452 | } | ||
453 | ]; | ||
454 | }; | 122 | }; |
455 | } | 123 | } |
diff --git a/hosts/vidhar/dns.nix b/hosts/vidhar/dns.nix new file mode 100644 index 00000000..49afc5fc --- /dev/null +++ b/hosts/vidhar/dns.nix | |||
@@ -0,0 +1,47 @@ | |||
1 | { config, lib, pkgs, ... }: | ||
2 | { | ||
3 | config = { | ||
4 | services.unbound = { | ||
5 | enable = true; | ||
6 | resolveLocalQueries = false; | ||
7 | stateDir = "/var/lib/unbound"; | ||
8 | localControlSocketPath = "/run/unbound/unbound.ctl"; | ||
9 | settings = { | ||
10 | server = { | ||
11 | interface = ["127.0.0.1" "10.141.0.1" "::0"]; | ||
12 | access-control = ["0.0.0.0/0 allow" "::/0 allow"]; | ||
13 | root-hints = "${pkgs.dns-root-data}/root.hints"; | ||
14 | |||
15 | num-threads = 12; | ||
16 | so-reuseport = true; | ||
17 | msg-cache-slabs = 16; | ||
18 | rrset-cache-slabs = 16; | ||
19 | infra-cache-slabs = 16; | ||
20 | key-cache-slabs = 16; | ||
21 | |||
22 | rrset-cache-size = "100m"; | ||
23 | msg-cache-size = "50m"; | ||
24 | outgoing-range = 8192; | ||
25 | num-queries-per-thread = 4096; | ||
26 | |||
27 | so-rcvbuf = "4m"; | ||
28 | so-sndbuf = "4m"; | ||
29 | |||
30 | serve-expired = true; | ||
31 | serve-expired-ttl = 86400; | ||
32 | serve-expired-reply-ttl = 0; | ||
33 | |||
34 | prefetch = true; | ||
35 | prefetch-key = true; | ||
36 | |||
37 | minimal-responses = false; | ||
38 | |||
39 | extended-statistics = true; | ||
40 | |||
41 | rrset-roundrobin = true; | ||
42 | use-caps-for-id = true; | ||
43 | }; | ||
44 | }; | ||
45 | }; | ||
46 | }; | ||
47 | } | ||
diff --git a/hosts/vidhar/dsl.nix b/hosts/vidhar/dsl.nix index 0f92a079..8cbfc1e7 100644 --- a/hosts/vidhar/dsl.nix +++ b/hosts/vidhar/dsl.nix | |||
@@ -67,9 +67,9 @@ in { | |||
67 | }; | 67 | }; |
68 | }; | 68 | }; |
69 | 69 | ||
70 | systemd.network.networks."dsl" = { | 70 | systemd.network.networks.${pppInterface} = { |
71 | matchConfig = { | 71 | matchConfig = { |
72 | Name = "dsl"; | 72 | Name = pppInterface; |
73 | }; | 73 | }; |
74 | dns = [ "::1" "127.0.0.1" ]; | 74 | dns = [ "::1" "127.0.0.1" ]; |
75 | domains = [ "~." ]; | 75 | domains = [ "~." ]; |
@@ -78,5 +78,135 @@ in { | |||
78 | DNSSEC = true; | 78 | DNSSEC = true; |
79 | }; | 79 | }; |
80 | }; | 80 | }; |
81 | |||
82 | services.corerad = { | ||
83 | enable = true; | ||
84 | settings = { | ||
85 | interfaces = [ | ||
86 | { name = pppInterface; | ||
87 | monitor = true; | ||
88 | verbose = true; | ||
89 | } | ||
90 | { name = "lan"; | ||
91 | advertise = true; | ||
92 | verbose = true; | ||
93 | prefix = [{ prefix = "::/64"; }]; | ||
94 | route = [{ prefix = "::/0"; }]; | ||
95 | rdnss = [{ servers = ["::"]; }]; | ||
96 | dnssl = [{ domain_names = ["yggdrasil"]; }]; | ||
97 | } | ||
98 | ]; | ||
99 | }; | ||
100 | }; | ||
101 | services.ndppd = { | ||
102 | enable = true; | ||
103 | proxies = { | ||
104 | ${pppInterface} = { | ||
105 | router = true; | ||
106 | rules.lan = { | ||
107 | method = "iface"; | ||
108 | interface = "lan"; | ||
109 | network = "::/0"; | ||
110 | }; | ||
111 | }; | ||
112 | }; | ||
113 | }; | ||
114 | boot.kernel.sysctl = { | ||
115 | "net.ipv6.conf.all.forwarding" = true; | ||
116 | "net.ipv6.conf.default.forwarding" = true; | ||
117 | "net.ipv4.conf.all.forwarding" = true; | ||
118 | "net.ipv4.conf.default.forwarding" = true; | ||
119 | |||
120 | "net.core.rmem_max" = "4194304"; | ||
121 | "net.core.wmem_max" = "4194304"; | ||
122 | }; | ||
123 | systemd.services."pppd-telekom" = { | ||
124 | bindsTo = [ "sys-subsystem-net-devices-${pppInterface}.device" ]; | ||
125 | after = [ "sys-subsystem-net-devices-${pppInterface}.device" ]; | ||
126 | }; | ||
127 | systemd.services."dhcpcd-telekom" = { | ||
128 | wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ]; | ||
129 | bindsTo = [ "pppd-telekom.service" "sys-subsystem-net-devices-${pppInterface}.device" ]; | ||
130 | after = [ "pppd-telekom.service" "sys-subsystem-net-devices-${pppInterface}.device" ]; | ||
131 | wants = [ "network.target" ]; | ||
132 | before = [ "network-online.target" ]; | ||
133 | |||
134 | path = with pkgs; [ dhcpcd nettools openresolv ]; | ||
135 | unitConfig.ConditionCapability = "CAP_NET_ADMIN"; | ||
136 | |||
137 | stopIfChanged = false; | ||
138 | |||
139 | preStart = '' | ||
140 | i=0 | ||
141 | |||
142 | while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${pppInterface} scope link)" ]]; do | ||
143 | ${pkgs.coreutils}/bin/sleep 0.1 | ||
144 | i=$((i + 1)) | ||
145 | if [[ "$i" -ge 10 ]]; then | ||
146 | exit 1 | ||
147 | fi | ||
148 | done | ||
149 | ''; | ||
150 | |||
151 | serviceConfig = let | ||
152 | dhcpcdConf = pkgs.writeText "dhcpcd.conf" '' | ||
153 | duid | ||
154 | vendorclassid | ||
155 | ipv6only | ||
156 | |||
157 | nooption domain_name_servers, domain_name, domain_search | ||
158 | option classless_static_routes | ||
159 | option interface_mtu | ||
160 | |||
161 | option host_name | ||
162 | option rapid_commit | ||
163 | require dhcp_server_identifier | ||
164 | slaac private | ||
165 | |||
166 | nohook resolv.conf | ||
167 | ipv6ra_autoconf | ||
168 | iaid 1195061668 | ||
169 | ipv6rs # enable routing solicitation for WAN adapter | ||
170 | ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN | ||
171 | |||
172 | reboot 0 | ||
173 | |||
174 | waitip 6 | ||
175 | ''; | ||
176 | in { | ||
177 | Type = "forking"; | ||
178 | PIDFile = "/run/dhcpcd/pid"; | ||
179 | RuntimeDirectory = "dhcpcd"; | ||
180 | ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf} ${pppInterface}"; | ||
181 | ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind ${pppInterface}"; | ||
182 | Restart = "always"; | ||
183 | RestartSec = "5"; | ||
184 | }; | ||
185 | }; | ||
186 | systemd.services.ndppd = { | ||
187 | wantedBy = [ "dhcpcd-telekom.service" ]; | ||
188 | bindsTo = [ "dhcpcd-telekom.service" ]; | ||
189 | after = [ "dhcpcd-telekom.service" ]; | ||
190 | |||
191 | serviceConfig = { | ||
192 | Restart = "always"; | ||
193 | RestartSec = "5"; | ||
194 | }; | ||
195 | }; | ||
196 | systemd.services.corerad = { | ||
197 | wantedBy = [ "dhcpcd-telekom.service" ]; | ||
198 | bindsTo = [ "dhcpcd-telekom.service" ]; | ||
199 | after = [ "dhcpcd-telekom.service" ]; | ||
200 | |||
201 | serviceConfig = { | ||
202 | Restart = lib.mkForce "always"; | ||
203 | RestartSec = "5"; | ||
204 | }; | ||
205 | }; | ||
206 | users.users.dhcpcd = { | ||
207 | isSystemUser = true; | ||
208 | group = "dhcpcd"; | ||
209 | }; | ||
210 | users.groups.dhcpcd = {}; | ||
81 | }; | 211 | }; |
82 | } | 212 | } |
diff --git a/hosts/vidhar/network.nix b/hosts/vidhar/network.nix new file mode 100644 index 00000000..a32dd2f8 --- /dev/null +++ b/hosts/vidhar/network.nix | |||
@@ -0,0 +1,83 @@ | |||
1 | { config, lib, pkgs, ... }: | ||
2 | { | ||
3 | imports = [ ./dsl.nix ]; | ||
4 | |||
5 | config = { | ||
6 | networking = { | ||
7 | hostName = "vidhar"; | ||
8 | domain = "yggdrasil"; | ||
9 | search = [ "yggdrasil" ]; | ||
10 | |||
11 | useDHCP = false; | ||
12 | useNetworkd = true; | ||
13 | |||
14 | interfaces."lan" = { | ||
15 | ipv4.addresses = [ | ||
16 | { address = "10.141.0.1"; prefixLength = 24; } | ||
17 | ]; | ||
18 | }; | ||
19 | interfaces."mgmt" = { | ||
20 | ipv4.addresses = [ | ||
21 | { address = "10.141.1.1"; prefixLength = 24; } | ||
22 | ]; | ||
23 | }; | ||
24 | |||
25 | vlans = { | ||
26 | mgmt = { | ||
27 | id = 2; | ||
28 | interface = "eno2"; | ||
29 | }; | ||
30 | lan = { | ||
31 | id = 3; | ||
32 | interface = "eno2"; | ||
33 | }; | ||
34 | }; | ||
35 | |||
36 | firewall.enable = false; | ||
37 | nftables = { | ||
38 | enable = true; | ||
39 | rulesetFile = ./ruleset.nft; | ||
40 | }; | ||
41 | }; | ||
42 | |||
43 | services.resolved = { | ||
44 | llmnr = "false"; | ||
45 | }; | ||
46 | |||
47 | services.dhcpd4 = { | ||
48 | enable = true; | ||
49 | interfaces = [ "lan" "mgmt" ]; | ||
50 | extraConfig = '' | ||
51 | subnet 10.141.0.0 netmask 255.255.255.0 { | ||
52 | range 10.141.0.128 10.141.0.254; | ||
53 | option domain-name-servers 10.141.0.1; | ||
54 | option broadcast-address 10.141.0.255; | ||
55 | option routers 10.141.0.1; | ||
56 | option domain-name "yggdrasil"; | ||
57 | } | ||
58 | |||
59 | subnet 10.141.1.0 netmask 255.255.255.0 { | ||
60 | range 10.141.1.128 10.141.1.254; | ||
61 | } | ||
62 | ''; | ||
63 | machines = [ | ||
64 | { | ||
65 | ethernetAddress = "50:d4:f7:f3:0f:7e"; | ||
66 | hostName = "gauss-ap01"; | ||
67 | ipAddress = "10.141.0.64"; | ||
68 | } | ||
69 | { | ||
70 | ethernetAddress = "60:a4:b7:53:94:b5"; | ||
71 | hostName = "switch01"; | ||
72 | ipAddress = "10.141.1.2"; | ||
73 | } | ||
74 | ]; | ||
75 | }; | ||
76 | systemd.network.networks = { | ||
77 | "eno2" = { | ||
78 | matchConfig.Name = "eno2"; | ||
79 | networkConfig.LinkLocalAddressing = "no"; | ||
80 | }; | ||
81 | }; | ||
82 | }; | ||
83 | } | ||
diff --git a/hosts/vidhar/samba.nix b/hosts/vidhar/samba.nix new file mode 100644 index 00000000..b3722617 --- /dev/null +++ b/hosts/vidhar/samba.nix | |||
@@ -0,0 +1,81 @@ | |||
1 | { config, lib, pkgs, ... }: | ||
2 | { | ||
3 | config = { | ||
4 | services.samba = { | ||
5 | enable = true; | ||
6 | securityType = "user"; | ||
7 | extraConfig = '' | ||
8 | domain master = yes | ||
9 | workgroup = WORKGROUP | ||
10 | load printers = no | ||
11 | printing = bsd | ||
12 | printcap name = /dev/null | ||
13 | disable spoolss = yes | ||
14 | guest account = nobody | ||
15 | bind interfaces only = yes | ||
16 | interfaces = lo lan | ||
17 | ''; | ||
18 | shares = { | ||
19 | homes = { | ||
20 | comment = "Home Directories"; | ||
21 | path = "/home/%S"; | ||
22 | browseable = "no"; | ||
23 | "valid users" = "%S"; | ||
24 | "read only" = "no"; | ||
25 | "create mask" = "0700"; | ||
26 | "directory mask" = "0700"; | ||
27 | "vfs objects" = "shadow_copy2"; | ||
28 | "shadow:snapdir" = ".zfs/snapshot"; | ||
29 | "shadow:sort" = "desc"; | ||
30 | "shadow:format" = "%Y-%m-%d-%Hh%MU"; | ||
31 | "shadow:snapprefix" = "^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}"; | ||
32 | "shadow:delimiter" = "-"; | ||
33 | }; | ||
34 | eos = { | ||
35 | comment = "Disk image of eos"; | ||
36 | browseable = true; | ||
37 | "valid users" = "mherold"; | ||
38 | writeable = "true"; | ||
39 | path = "/srv/eos"; | ||
40 | }; | ||
41 | }; | ||
42 | }; | ||
43 | services.samba-wsdd = { | ||
44 | enable = true; | ||
45 | workgroup = "WORKGROUP"; | ||
46 | interface = [ "lo" "lan" ]; | ||
47 | }; | ||
48 | |||
49 | fileSystems."/srv/eos.lower" = { | ||
50 | device = "/dev/zvol/hdd-raid6/safe/home/mherold/eos/base"; | ||
51 | fsType = "ntfs3"; | ||
52 | options = [ "ro" "uid=mherold" "gid=users" "fmask=0177" "dmask=0077" "nofail" "noauto" ]; | ||
53 | }; | ||
54 | |||
55 | fileSystems."/srv/eos.upper" = { | ||
56 | device = "/dev/zvol/hdd-raid6/safe/home/mherold/eos/upper"; | ||
57 | fsType = "ext4"; | ||
58 | options = [ "nofail" "noauto" ]; | ||
59 | }; | ||
60 | |||
61 | systemd.mounts = [ | ||
62 | { | ||
63 | wantedBy = [ "samba-smbd.service" ]; | ||
64 | before = [ "samba-smbd.service" ]; | ||
65 | |||
66 | where = "/srv/eos"; | ||
67 | what = "overlay"; | ||
68 | type = "overlay"; | ||
69 | options = lib.concatStringsSep "," | ||
70 | [ "lowerdir=/srv/eos.lower" | ||
71 | "upperdir=/srv/eos.upper/upper" | ||
72 | "workdir=/srv/eos.upper/work" | ||
73 | ]; | ||
74 | |||
75 | unitConfig = { | ||
76 | RequiresMountsFor = [ "/srv/eos.lower" "/srv/eos.upper" ]; | ||
77 | }; | ||
78 | } | ||
79 | ]; | ||
80 | }; | ||
81 | } | ||