diff options
Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/sif/default.nix | 11 | ||||
| -rw-r--r-- | hosts/surtr/dns/zones/email.bouncy.soa | 4 | ||||
| -rw-r--r-- | hosts/surtr/email/default.nix | 7 | ||||
| -rw-r--r-- | hosts/vidhar/dns/zones/yggdrasil.soa | 3 | ||||
| -rw-r--r-- | hosts/vidhar/network/default.nix | 26 | ||||
| -rw-r--r-- | hosts/vidhar/network/dhcp/default.nix | 70 | ||||
| -rw-r--r-- | hosts/vidhar/network/ruleset.nft | 19 |
7 files changed, 91 insertions, 49 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index b38a387c..58f99b9a 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix | |||
| @@ -38,6 +38,8 @@ in { | |||
| 38 | kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" "dm-mod" "dm-crypt" ]; | 38 | kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" "dm-mod" "dm-crypt" ]; |
| 39 | }; | 39 | }; |
| 40 | 40 | ||
| 41 | supportedFilesystems = [ "nfs" "nfs4" ]; | ||
| 42 | |||
| 41 | blacklistedKernelModules = [ "nouveau" ]; | 43 | blacklistedKernelModules = [ "nouveau" ]; |
| 42 | 44 | ||
| 43 | # Use the systemd-boot EFI boot loader. | 45 | # Use the systemd-boot EFI boot loader. |
| @@ -289,10 +291,6 @@ in { | |||
| 289 | ]; | 291 | ]; |
| 290 | 292 | ||
| 291 | services = { | 293 | services = { |
| 292 | udev.packages = with pkgs; [ uhk-agent ]; | ||
| 293 | |||
| 294 | # tinc.yggdrasil.enable = true; | ||
| 295 | |||
| 296 | uucp = { | 294 | uucp = { |
| 297 | enable = true; | 295 | enable = true; |
| 298 | nodeName = "sif"; | 296 | nodeName = "sif"; |
| @@ -383,9 +381,10 @@ in { | |||
| 383 | }; | 381 | }; |
| 384 | 382 | ||
| 385 | users = { | 383 | users = { |
| 386 | users.gkleen.extraGroups = [ "media" "plugdev" ]; | 384 | users.gkleen.extraGroups = [ "media" "plugdev" "input" ]; |
| 387 | groups.media = {}; | 385 | groups.media = {}; |
| 388 | groups.plugdev = {}; | 386 | groups.plugdev = {}; |
| 387 | groups.input = {}; | ||
| 389 | }; | 388 | }; |
| 390 | 389 | ||
| 391 | security.rtkit.enable = true; | 390 | security.rtkit.enable = true; |
| @@ -501,6 +500,8 @@ in { | |||
| 501 | }; | 500 | }; |
| 502 | 501 | ||
| 503 | firmware = [ pkgs.firmwareLinuxNonfree ]; | 502 | firmware = [ pkgs.firmwareLinuxNonfree ]; |
| 503 | |||
| 504 | keyboard.uhk.enable = true; | ||
| 504 | }; | 505 | }; |
| 505 | 506 | ||
| 506 | sound.enable = true; | 507 | sound.enable = true; |
diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa index abf8ef07..3f038b92 100644 --- a/hosts/surtr/dns/zones/email.bouncy.soa +++ b/hosts/surtr/dns/zones/email.bouncy.soa | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | $ORIGIN bouncy.email. | 1 | $ORIGIN bouncy.email. |
| 2 | $TTL 3600 | 2 | $TTL 3600 |
| 3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( | 3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( |
| 4 | 2022071002 ; serial | 4 | 2022100600 ; serial |
| 5 | 10800 ; refresh | 5 | 10800 ; refresh |
| 6 | 3600 ; retry | 6 | 3600 ; retry |
| 7 | 604800 ; expire | 7 | 604800 ; expire |
| @@ -69,7 +69,7 @@ spm IN MX 0 mailin.bouncy.email. | |||
| 69 | spm IN TXT "v=spf1 redirect=bouncy.email" | 69 | spm IN TXT "v=spf1 redirect=bouncy.email" |
| 70 | _acme-challenge.spm IN NS ns.yggdrasil.li. | 70 | _acme-challenge.spm IN NS ns.yggdrasil.li. |
| 71 | 71 | ||
| 72 | _mta-sts IN TXT "v=STSv1; id=2022071002" | 72 | _mta-sts IN TXT "v=STSv1; id=2022100600" |
| 73 | _smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:postmaster@bouncy.email" | 73 | _smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:postmaster@bouncy.email" |
| 74 | mta-sts IN A 202.61.241.61 | 74 | mta-sts IN A 202.61.241.61 |
| 75 | mta-sts IN AAAA 2a03:4000:52:ada:: | 75 | mta-sts IN AAAA 2a03:4000:52:ada:: |
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 2fe5b7f0..42b50c88 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix | |||
| @@ -412,6 +412,8 @@ in { | |||
| 412 | in '' | 412 | in '' |
| 413 | mail_home = /var/lib/mail/%u | 413 | mail_home = /var/lib/mail/%u |
| 414 | 414 | ||
| 415 | mail_plugins = $mail_plugins quota | ||
| 416 | |||
| 415 | first_valid_uid = ${toString config.users.users.dovecot2.uid} | 417 | first_valid_uid = ${toString config.users.users.dovecot2.uid} |
| 416 | last_valid_uid = ${toString config.users.users.dovecot2.uid} | 418 | last_valid_uid = ${toString config.users.users.dovecot2.uid} |
| 417 | first_valid_gid = ${toString config.users.groups.dovecot2.gid} | 419 | first_valid_gid = ${toString config.users.groups.dovecot2.gid} |
| @@ -473,9 +475,10 @@ in { | |||
| 473 | result_failure = return-fail | 475 | result_failure = return-fail |
| 474 | result_internalfail = return-fail | 476 | result_internalfail = return-fail |
| 475 | } | 477 | } |
| 478 | |||
| 479 | mail_plugins = $mail_plugins sieve | ||
| 476 | } | 480 | } |
| 477 | 481 | ||
| 478 | mail_plugins = $mail_plugins quota | ||
| 479 | mailbox_list_index = yes | 482 | mailbox_list_index = yes |
| 480 | postmaster_address = postmaster@yggdrasil.li | 483 | postmaster_address = postmaster@yggdrasil.li |
| 481 | recipient_delimiter = | 484 | recipient_delimiter = |
| @@ -732,7 +735,7 @@ in { | |||
| 732 | cp ${pkgs.writeText "mta-sts.txt" '' | 735 | cp ${pkgs.writeText "mta-sts.txt" '' |
| 733 | version: STSv1 | 736 | version: STSv1 |
| 734 | mode: enforce | 737 | mode: enforce |
| 735 | max_age: 604800 | 738 | max_age: 2419200 |
| 736 | mx: mailin.bouncy.email | 739 | mx: mailin.bouncy.email |
| 737 | ''} $out/.well-known/mta-sts.txt | 740 | ''} $out/.well-known/mta-sts.txt |
| 738 | ''; | 741 | ''; |
diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa index ffa79ee1..3d9d4d83 100644 --- a/hosts/vidhar/dns/zones/yggdrasil.soa +++ b/hosts/vidhar/dns/zones/yggdrasil.soa | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | $ORIGIN yggdrasil. | 1 | $ORIGIN yggdrasil. |
| 2 | $TTL 300 | 2 | $TTL 300 |
| 3 | @ IN SOA vidhar.yggdrasil. root.yggdrasil.li. ( | 3 | @ IN SOA vidhar.yggdrasil. root.yggdrasil.li. ( |
| 4 | 2022040802 ; serial | 4 | 2022101601 ; serial |
| 5 | 300 ; refresh | 5 | 300 ; refresh |
| 6 | 300 ; retry | 6 | 300 ; retry |
| 7 | 300 ; expire | 7 | 300 ; expire |
| @@ -16,6 +16,7 @@ sif IN AAAA 2a03:4000:52:ada:1:2:: | |||
| 16 | 16 | ||
| 17 | grafana.vidhar IN CNAME vidhar.yggdrasil. | 17 | grafana.vidhar IN CNAME vidhar.yggdrasil. |
| 18 | prometheus.vidhar IN CNAME vidhar.yggdrasil. | 18 | prometheus.vidhar IN CNAME vidhar.yggdrasil. |
| 19 | nfsroot.vidhar IN CNAME vidhar.lan.yggdrasil. | ||
| 19 | 20 | ||
| 20 | 21 | ||
| 21 | vidhar.lan IN A 10.141.0.1 | 22 | vidhar.lan IN A 10.141.0.1 |
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix index e69674f4..f19ea9cd 100644 --- a/hosts/vidhar/network/default.nix +++ b/hosts/vidhar/network/default.nix | |||
| @@ -1,4 +1,5 @@ | |||
| 1 | { pkgs, ... }: | 1 | { pkgs, ... }: |
| 2 | |||
| 2 | { | 3 | { |
| 3 | imports = [ ./dsl.nix ./bifrost ./dhcp ]; | 4 | imports = [ ./dsl.nix ./bifrost ./dhcp ]; |
| 4 | 5 | ||
| @@ -69,5 +70,30 @@ | |||
| 69 | networkConfig.LinkLocalAddressing = "no"; | 70 | networkConfig.LinkLocalAddressing = "no"; |
| 70 | }; | 71 | }; |
| 71 | }; | 72 | }; |
| 73 | |||
| 74 | services.nfs.server = { | ||
| 75 | enable = true; | ||
| 76 | createMountPoints = true; | ||
| 77 | |||
| 78 | statdPort = 4000; | ||
| 79 | lockdPort = 4001; | ||
| 80 | mountdPort = 4002; | ||
| 81 | |||
| 82 | extraNfsdConfig = '' | ||
| 83 | vers3=off | ||
| 84 | ''; | ||
| 85 | |||
| 86 | exports = '' | ||
| 87 | /srv/nfs 10.141.0.0/24(ro,async,root_squash,fsid=0) 2a03:4000:52:ada:1::/80(ro,async,root_squash,fsid=0) | ||
| 88 | /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash) | ||
| 89 | ''; | ||
| 90 | }; | ||
| 91 | |||
| 92 | fileSystems = { | ||
| 93 | "/srv/nfs/nix-store" = { | ||
| 94 | device = "/nix/store"; | ||
| 95 | options = [ "bind" ]; | ||
| 96 | }; | ||
| 97 | }; | ||
| 72 | }; | 98 | }; |
| 73 | } | 99 | } |
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix index e14b15ac..dfaa4c9f 100644 --- a/hosts/vidhar/network/dhcp/default.nix +++ b/hosts/vidhar/network/dhcp/default.nix | |||
| @@ -26,7 +26,7 @@ with lib; | |||
| 26 | { name = "ipxe"; | 26 | { name = "ipxe"; |
| 27 | test = "option[77].hex == 'iPXE'"; | 27 | test = "option[77].hex == 'iPXE'"; |
| 28 | next-server = "10.141.0.1"; | 28 | next-server = "10.141.0.1"; |
| 29 | boot-file-name = "installer-x86_64-linux/netboot.ipxe"; | 29 | boot-file-name = "http://nfsroot.vidhar.yggdrasil/installer-x86_64-linux/netboot.ipxe"; |
| 30 | only-if-required = true; | 30 | only-if-required = true; |
| 31 | } | 31 | } |
| 32 | { name = "uefi-64"; | 32 | { name = "uefi-64"; |
| @@ -229,6 +229,40 @@ with lib; | |||
| 229 | sopsFile = ./knot-tsig.json.frag; | 229 | sopsFile = ./knot-tsig.json.frag; |
| 230 | }; | 230 | }; |
| 231 | 231 | ||
| 232 | services.nginx.virtualHosts."nfsroot.vidhar.yggdrasil" = { | ||
| 233 | addSSL = false; | ||
| 234 | forceSSL = false; | ||
| 235 | locations."/" = { | ||
| 236 | extraConfig = '' | ||
| 237 | autoindex on; | ||
| 238 | ''; | ||
| 239 | root = pkgs.symlinkJoin { | ||
| 240 | name = "nfsroot.vidhar.yggdrasil"; | ||
| 241 | paths = | ||
| 242 | (map (system: | ||
| 243 | let | ||
| 244 | installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules { | ||
| 245 | modules = [ | ||
| 246 | ({ ... }: { | ||
| 247 | config.nfsroot.storeDevice = "10.141.0.1:nix-store"; | ||
| 248 | config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/installer-${system}/registration"; | ||
| 249 | }) | ||
| 250 | ]; | ||
| 251 | }).config.system.build; | ||
| 252 | in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} '' | ||
| 253 | mkdir -p $out/installer-${system} | ||
| 254 | install -m 0444 -t $out/installer-${system} \ | ||
| 255 | ${installerBuild.initialRamdisk}/initrd \ | ||
| 256 | ${installerBuild.kernel}/bzImage \ | ||
| 257 | ${installerBuild.netbootIpxeScript}/netboot.ipxe \ | ||
| 258 | ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration | ||
| 259 | '') | ||
| 260 | ) ["x86_64-linux"] | ||
| 261 | ); | ||
| 262 | }; | ||
| 263 | }; | ||
| 264 | }; | ||
| 265 | |||
| 232 | systemd.services."pxe-atftpd" = { | 266 | systemd.services."pxe-atftpd" = { |
| 233 | description = "TFTP Server for PXE Booting"; | 267 | description = "TFTP Server for PXE Booting"; |
| 234 | after = [ "network.target" ]; | 268 | after = [ "network.target" ]; |
| @@ -238,44 +272,16 @@ with lib; | |||
| 238 | additionalTargets = { | 272 | additionalTargets = { |
| 239 | "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi"; | 273 | "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi"; |
| 240 | }; | 274 | }; |
| 275 | additionalOptions = [ | ||
| 276 | "NSLOOKUP_CMD" | ||
| 277 | ]; | ||
| 241 | }; | 278 | }; |
| 242 | tftpRoot = pkgs.runCommandLocal "netboot" {} '' | 279 | tftpRoot = pkgs.runCommandLocal "netboot" {} '' |
| 243 | mkdir -p $out | 280 | mkdir -p $out |
| 244 | install -m 0444 -t $out \ | 281 | install -m 0444 -t $out \ |
| 245 | ${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe | 282 | ${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe |
| 246 | |||
| 247 | ${concatMapStringsSep "\n" (system: | ||
| 248 | let | ||
| 249 | installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules { | ||
| 250 | modules = [ | ||
| 251 | ({ ... }: { config.nfsroot.storeDevice = "vidhar:nix-store"; }) | ||
| 252 | ]; | ||
| 253 | }).config.system.build; | ||
| 254 | in '' | ||
| 255 | mkdir -p $out/installer-${system} | ||
| 256 | install -m 0444 -t $out/installer-${system} \ | ||
| 257 | ${installerBuild.initialRamdisk}/initrd \ | ||
| 258 | ${installerBuild.kernel}/bzImage \ | ||
| 259 | ${installerBuild.netbootIpxeScript}/netboot.ipxe | ||
| 260 | '' | ||
| 261 | ) ["x86_64-linux"]} | ||
| 262 | ''; | 283 | ''; |
| 263 | in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}"; | 284 | in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}"; |
| 264 | }; | 285 | }; |
| 265 | |||
| 266 | services.nfs.server = { | ||
| 267 | enable = true; | ||
| 268 | createMountPoints = true; | ||
| 269 | exports = '' | ||
| 270 | /export/nix-root 10.141.0.0/24(ro) | ||
| 271 | ''; | ||
| 272 | }; | ||
| 273 | |||
| 274 | fileSystems = { | ||
| 275 | "/export/nix-root" = { | ||
| 276 | device = "/nix/store"; | ||
| 277 | options = [ "bind" ]; | ||
| 278 | }; | ||
| 279 | }; | ||
| 280 | }; | 286 | }; |
| 281 | } | 287 | } |
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index c0da0fa6..473f8a20 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft | |||
| @@ -78,6 +78,7 @@ table inet filter { | |||
| 78 | counter ssh-rx {} | 78 | counter ssh-rx {} |
| 79 | counter mosh-rx {} | 79 | counter mosh-rx {} |
| 80 | counter dns-rx {} | 80 | counter dns-rx {} |
| 81 | counter nfs-rx {} | ||
| 81 | counter wg-rx {} | 82 | counter wg-rx {} |
| 82 | counter yggdrasil-gre-rx {} | 83 | counter yggdrasil-gre-rx {} |
| 83 | counter ipv6-pd-rx {} | 84 | counter ipv6-pd-rx {} |
| @@ -104,6 +105,7 @@ table inet filter { | |||
| 104 | counter ssh-tx {} | 105 | counter ssh-tx {} |
| 105 | counter mosh-tx {} | 106 | counter mosh-tx {} |
| 106 | counter dns-tx {} | 107 | counter dns-tx {} |
| 108 | counter nfs-tx {} | ||
| 107 | counter wg-tx {} | 109 | counter wg-tx {} |
| 108 | counter yggdrasil-gre-tx {} | 110 | counter yggdrasil-gre-tx {} |
| 109 | counter ipv6-pd-tx {} | 111 | counter ipv6-pd-tx {} |
| @@ -152,7 +154,7 @@ table inet filter { | |||
| 152 | 154 | ||
| 153 | 155 | ||
| 154 | ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop | 156 | ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop |
| 155 | 157 | ||
| 156 | 158 | ||
| 157 | iifname lo counter name rx-lo accept | 159 | iifname lo counter name rx-lo accept |
| 158 | iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject | 160 | iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject |
| @@ -165,8 +167,9 @@ table inet filter { | |||
| 165 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept | 167 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept |
| 166 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept | 168 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept |
| 167 | 169 | ||
| 168 | iifname { lan, mgmt, dmz01, yggdrasil } tcp dport 53 counter name dns-rx accept | 170 | iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept |
| 169 | iifname { lan, mgmt, dmz01, yggdrasil } udp dport 53 counter name dns-rx accept | 171 | |
| 172 | iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept | ||
| 170 | 173 | ||
| 171 | iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept | 174 | iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept |
| 172 | iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept | 175 | iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept |
| @@ -182,7 +185,8 @@ table inet filter { | |||
| 182 | iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept | 185 | iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept |
| 183 | 186 | ||
| 184 | iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept | 187 | iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept |
| 185 | 188 | iifname lan tcp dport 80 counter name http-rx accept | |
| 189 | |||
| 186 | iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept | 190 | iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept |
| 187 | 191 | ||
| 188 | ct state {established, related} counter name established-rx accept | 192 | ct state {established, related} counter name established-rx accept |
| @@ -209,8 +213,9 @@ table inet filter { | |||
| 209 | tcp sport 22 counter name ssh-tx | 213 | tcp sport 22 counter name ssh-tx |
| 210 | udp sport 60000-61000 counter name mosh-tx | 214 | udp sport 60000-61000 counter name mosh-tx |
| 211 | 215 | ||
| 212 | tcp sport 53 counter name dns-tx | 216 | meta l4proto {tcp, udp} th sport 53 counter name dns-tx |
| 213 | udp sport 53 counter name dns-tx | 217 | |
| 218 | tcp sport 2049 counter name nfs-tx | ||
| 214 | 219 | ||
| 215 | meta protocol ip udp sport 51820 counter name wg-tx | 220 | meta protocol ip udp sport 51820 counter name wg-tx |
| 216 | meta protocol ip6 udp sport {51821,51822} counter name wg-tx | 221 | meta protocol ip6 udp sport {51821,51822} counter name wg-tx |
| @@ -225,7 +230,7 @@ table inet filter { | |||
| 225 | udp sport { 137, 138, 3702 } counter name samba-tx accept | 230 | udp sport { 137, 138, 3702 } counter name samba-tx accept |
| 226 | tcp sport { 445, 139, 5357 } counter name samba-tx accept | 231 | tcp sport { 445, 139, 5357 } counter name samba-tx accept |
| 227 | 232 | ||
| 228 | tcp sport {80,443} counter name http-tx accept | 233 | tcp sport { 80, 443 } counter name http-tx accept |
| 229 | 234 | ||
| 230 | udp sport 69 counter name tftp-tx accept | 235 | udp sport 69 counter name tftp-tx accept |
| 231 | udp dport 69 counter name tftp-tx accept | 236 | udp dport 69 counter name tftp-tx accept |