From 42984e77041cfc95d333319bef0b2d8f441f56d3 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 2 Nov 2022 00:11:28 +0100
Subject: =?UTF-8?q?eos=20=E2=86=92=20eostre?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 accounts/gkleen@eos.nix | 24 --------
 accounts/gkleen@eostre.nix | 24 ++++++++
 accounts/mherold@eos.nix | 25 --------
 accounts/mherold@eostre.nix | 25 ++++++++
 deploy/eos.nix | 1 -
 deploy/eostre.nix | 1 +
 hosts/eos/default.nix | 101 ---------------------------------
 hosts/eos/ruleset.nft | 101 ---------------------------------
 hosts/eostre/default.nix | 104 ++++++++++++++++++++++++++++++++++
 hosts/eostre/ruleset.nft | 101 +++++++++++++++++++++++++++++++++
 hosts/vidhar/network/dhcp/default.nix | 22 +++----
 hosts/vidhar/samba.nix | 8 +--
 12 files changed, 270 insertions(+), 267 deletions(-)
 delete mode 100644 accounts/gkleen@eos.nix
 create mode 100644 accounts/gkleen@eostre.nix
 delete mode 100644 accounts/mherold@eos.nix
 create mode 100644 accounts/mherold@eostre.nix
 delete mode 100644 deploy/eos.nix
 create mode 100644 deploy/eostre.nix
 delete mode 100644 hosts/eos/default.nix
 delete mode 100644 hosts/eos/ruleset.nft
 create mode 100644 hosts/eostre/default.nix
 create mode 100644 hosts/eostre/ruleset.nft
diff --git a/accounts/gkleen@eos.nix b/accounts/gkleen@eos.nix
deleted file mode 100644
index dbe48ead..00000000
--- a/accounts/gkleen@eos.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ flake, userName, pkgs, ... }:
-{
- imports = with flake.nixosModules.userProfiles.${userName}; [
- zsh utils tmux
- ];
-
- config.home-manager.users.${userName} = {
- nixpkgs.config = {
- allowUnfree = true;
- };
-
- home.packages = with pkgs; [
- thunderbird libreoffice element-desktop keepassxc
- ];
-
- programs.firefox = {
- enable = true;
- profiles.default.settings = {
- "dom.security.https_only_mode" = true;
- "browser.cache.disk.enable" = false;
- };
- };
- };
-}
diff --git a/accounts/gkleen@eostre.nix b/accounts/gkleen@eostre.nix
new file mode 100644
index 00000000..dbe48ead
--- /dev/null
+++ b/accounts/gkleen@eostre.nix
@@ -0,0 +1,24 @@
+{ flake, userName, pkgs, ... }:
+{
+ imports = with flake.nixosModules.userProfiles.${userName}; [
+ zsh utils tmux
+ ];
+
+ config.home-manager.users.${userName} = {
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+
+ home.packages = with pkgs; [
+ thunderbird libreoffice element-desktop keepassxc
+ ];
+
+ programs.firefox = {
+ enable = true;
+ profiles.default.settings = {
+ "dom.security.https_only_mode" = true;
+ "browser.cache.disk.enable" = false;
+ };
+ };
+ };
+}
diff --git a/accounts/mherold@eos.nix b/accounts/mherold@eos.nix
deleted file mode 100644
index ab1bf154..00000000
--- a/accounts/mherold@eos.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ userName, pkgs, lib, ... }: {
- config = {
- users.users.${userName} = {
- hashedPassword = lib.mkForce "$6$rounds=500000$TaikR1KI4CGveV0a$jLrBjNScflgniUiy87zxQ.IjnyK8K7FbYTW7L0k0EBVrdiImds26WwNjA6DrQpENALwPMzJVIK5BTie17fFVG.";
- };
-
- home-manager.users.${userName} = {
- nixpkgs.config = {
- allowUnfree = true;
- };
-
- home.packages = with pkgs; [
- thunderbird libreoffice element-desktop keepassxc
- ];
-
- programs.firefox = {
- enable = true;
- profiles.default.settings = {
- "dom.security.https_only_mode" = true;
- "browser.cache.disk.enable" = false;
- };
- };
- };
- };
-}
diff --git a/accounts/mherold@eostre.nix b/accounts/mherold@eostre.nix
new file mode 100644
index 00000000..ab1bf154
--- /dev/null
+++ b/accounts/mherold@eostre.nix
@@ -0,0 +1,25 @@
+{ userName, pkgs, lib, ... }: {
+ config = {
+ users.users.${userName} = {
+ hashedPassword = lib.mkForce "$6$rounds=500000$TaikR1KI4CGveV0a$jLrBjNScflgniUiy87zxQ.IjnyK8K7FbYTW7L0k0EBVrdiImds26WwNjA6DrQpENALwPMzJVIK5BTie17fFVG.";
+ };
+
+ home-manager.users.${userName} = {
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+
+ home.packages = with pkgs; [
+ thunderbird libreoffice element-desktop keepassxc
+ ];
+
+ programs.firefox = {
+ enable = true;
+ profiles.default.settings = {
+ "dom.security.https_only_mode" = true;
+ "browser.cache.disk.enable" = false;
+ };
+ };
+ };
+ };
+}
diff --git a/deploy/eos.nix b/deploy/eos.nix
deleted file mode 100644
index 65a4c7ed..00000000
--- a/deploy/eos.nix
+++ /dev/null
@@ -1 +0,0 @@
-{ ... }: { enabled = false; }
diff --git a/deploy/eostre.nix b/deploy/eostre.nix
new file mode 100644
index 00000000..65a4c7ed
--- /dev/null
+++ b/deploy/eostre.nix
@@ -0,0 +1 @@
+{ ... }: { enabled = false; }
diff --git a/hosts/eos/default.nix b/hosts/eos/default.nix
deleted file mode 100644
index 1c5347e7..00000000
--- a/hosts/eos/default.nix
+++ /dev/null
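Review bot: `hashedPassword = lib.mkForce "..."` on line 4 of the new file keeps a crypt(3) SHA-512 password hash under version control; anyone with read access to the repository (and to the evaluated user database, which NixOS places in the world-readable Nix store) can test password guesses against it offline, and `mkForce` guarantees this value overrides any per-deployment definition. Since the commit recreates the file anyway, it is a good point to move the hash out of the tree: keep the option structure but read it from a file provisioned out of band, e.g. `users.users.${userName}.passwordFile = "<path to secret, placeholder>";` (the option is called `hashedPasswordFile` in later NixOS releases), making sure that file is present on the nfsroot-booted host at activation time. If the hash has to stay in-tree, treat the password as exposed and rotate it. The same hash is in the deleted accounts/mherold@eos.nix, so it is already part of history either way.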
@@ -1,101 +0,0 @@
-{ flake, config, pkgs, lib, ... }:
-
-with lib;
-
-{
- imports = with flake.nixosModules.systemProfiles; [
- nfsroot
- ];
-
- config = {
- nixpkgs = {
- system = "x86_64-linux";
- config = {
- allowUnfree = true;
- };
- };
-
- boot = {
- initrd = {
- availableKernelModules = [ "nvme" "ahci" "xhci_pci" "usbhid" "sd_mod" "sr_mod" ];
- kernelModules = [ "igb" ];
- };
- kernelModules = [ "kvm-amd" ];
- extraModulePackages = [ ];
-
- plymouth.enable = true;
-
- tmpOnTmpfs = true;
- };
-
- hardware = {
- enableRedistributableFirmware = true;
- cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware;
-
- nvidia = {
- modesetting.enable = true;
- powerManagement.enable = true;
- };
-
- opengl.enable = true;
- };
-
- environment.etc."machine-id".text = "f457b21333f1491e916521151ff5d468";
-
- networking = {
- hostId = "f457b213";
-
- domain = "asgard.yggdrasil";
- search = [ "asgard.yggdrasil" "yggdrasil" ];
-
- hosts = {
- "127.0.0.1" = [ "eos.asgard.yggdrasil" "eos" ];
- "::1" = [ "eos.asgard.yggdrasil" "eos" ];
- };
-
- firewall.enable = false;
- nftables = {
- enable = true;
- rulesetFile = ./ruleset.nft;
- };
- };
-
- services.resolved = {
- llmnr = "false";
- };
-
- zramSwap.enable = true;
-
- system.stateVersion = config.system.nixos.release; # No state
-
-
- time.timeZone = "Europe/Berlin";
- time.hardwareClockInLocalTime = true;
- i18n.defaultLocale = "en_DK.UTF-8";
-
-
- environment.systemPackages = with pkgs; [ cifs-utils ];
-
- security.pam.mount = {
- enable = true;
- extraVolumes = [
- ""
- ""
- ];
- };
-
-
- services.xserver = {
- enable = true;
- displayManager.sddm = {
- enable = true;
- settings = {
- Users.HideUsers = "gkleen";
- };
- };
- desktopManager.plasma5.enable = true;
-
- videoDrivers = [ "nvidia" ];
- };
- };
-}
diff --git a/hosts/eos/ruleset.nft b/hosts/eos/ruleset.nft
deleted file mode 100644
index 7b38a059..00000000
--- a/hosts/eos/ruleset.nft
+++ /dev/null
@@ -1,101 +0,0 @@
-define icmp_protos = {ipv6-icmp, icmp, igmp}
-
-table arp filter {
- limit lim_arp {
- rate over 50 mbytes/second burst 50 mbytes
- }
-
- chain input {
- type filter hook input priority filter
- policy accept
-
- limit name lim_arp counter drop
-
- counter
- }
-
- chain output {
- type filter hook output priority filter
- policy accept
-
- limit name lim_arp counter drop
-
- counter
- }
-}
-
-table inet filter {
- limit lim_reject {
- rate over 1000/second burst 1000 packets
- }
-
- limit lim_icmp {
- rate over 50 mbytes/second burst 50 mbytes
- }
-
-
- chain forward {
- type filter hook forward priority filter
- policy drop
-
-
- ct state invalid log level debug prefix "drop invalid forward: " counter drop
-
-
- iifname lo counter accept
-
-
- limit name lim_reject log level debug prefix "drop forward: " counter drop
- log level debug prefix "reject forward: " counter
- meta l4proto tcp ct state new counter reject with tcp reset
- ct state new counter reject
-
-
- counter
- }
-
- chain input {
- type filter hook input priority filter
- policy drop
-
-
- ct state invalid log level debug prefix "drop invalid input: " counter drop
-
-
- iifname lo counter accept
- iif != lo ip daddr 127.0.0.1/8 counter reject
- iif != lo ip6 daddr ::1/128 counter reject
-
- meta l4proto $icmp_protos limit name lim_icmp counter drop
- meta l4proto $icmp_protos counter accept
-
- tcp dport 22 counter accept
- udp dport 60000-61000 counter accept
-
-
- ct state {established, related} counter accept
-
-
- limit name lim_reject log level debug prefix "drop input: " counter drop
- log level debug prefix "reject input: " counter
- meta l4proto tcp ct state new counter reject with tcp reset
- ct state new counter reject
-
-
- counter
- }
-
- chain output {
- type filter hook output priority filter
- policy accept
-
-
- oifname lo counter accept
-
- meta l4proto $icmp_protos limit name lim_icmp counter drop
- meta l4proto $icmp_protos counter accept
-
-
- counter
- }
-}
\ No newline at end of file
diff --git a/hosts/eostre/default.nix b/hosts/eostre/default.nix
new file mode 100644
index 00000000..4aa6473e
--- /dev/null
+++ b/hosts/eostre/default.nix
@@ -0,0 +1,104 @@
+{ flake, config, pkgs, lib, ... }:
+
+with lib;
+
+{
+ imports = with flake.nixosModules.systemProfiles; [
+ nfsroot
+ ];
+
+ config = {
+ nixpkgs = {
+ system = "x86_64-linux";
+ config = {
+ allowUnfree = true;
+ };
+ };
+
+ boot = {
+ initrd = {
+ availableKernelModules = [ "nvme" "ahci" "xhci_pci" "usbhid" "sd_mod" "sr_mod" ];
+ kernelModules = [ "igb" ];
+ };
+ kernelModules = [ "kvm-amd" ];
+ extraModulePackages = [ ];
+
+ plymouth.enable = true;
+
+ tmpOnTmpfs = true;
+ };
+
+ hardware = {
+ enableRedistributableFirmware = true;
+ cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware;
+
+ nvidia = {
+ modesetting.enable = true;
+ powerManagement.enable = true;
+ };
+
+ opengl.enable = true;
+ };
+
+ environment.etc."machine-id".text = "f457b21333f1491e916521151ff5d468";
+
+ networking = {
+ hostId = "f457b213";
+
+ domain = "lan.yggdrasil";
+ search = [ "lan.yggdrasil" "yggdrasil" ];
+
+ hosts = {
+ "127.0.0.1" = [ "eostre.lan.yggdrasil" "eostre" ];
+ "::1" = [ "eostre.lan.yggdrasil" "eostre" ];
+ };
+
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ rulesetFile = ./ruleset.nft;
+ };
+ };
+
+ services.resolved = {
+ llmnr = "false";
+ };
+
+ zramSwap.enable = true;
+
+ system.stateVersion = config.system.nixos.release; # No state
+ security.sudo.extraConfig = ''
+ Defaults lecture = never
+ '';
+
+
+ time.timeZone = "Europe/Berlin";
+ time.hardwareClockInLocalTime = true;
+ i18n.defaultLocale = "en_DK.UTF-8";
+
+
+ environment.systemPackages = with pkgs; [ cifs-utils ];
+
+ security.pam.mount = {
+ enable = true;
+ extraVolumes = [
+ ""
+ ""
+ ];
+ };
+
+
+ services.xserver = {
+ enable = true;
+ displayManager.sddm = {
+ enable = true;
+ settings = {
+ Users.HideUsers = "gkleen";
+ };
+ };
+ desktopManager.plasma5.enable = true;
+
+ videoDrivers = [ "nvidia" ];
+ };
+ };
+}
diff --git a/hosts/eostre/ruleset.nft b/hosts/eostre/ruleset.nft
new file mode 100644
index 00000000..7b38a059
--- /dev/null
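Review bot: The new host reuses the old identity values verbatim — `environment.etc."machine-id".text = "f457b21333f1491e916521151ff5d468"` and `hostId = "f457b213"` are exactly the lines removed from hosts/eos/default.nix — while the domain and hostnames move from asgard.yggdrasil to lan.yggdrasil, and nothing records whether keeping them was intended. A one-line comment above the machine-id line would settle it, e.g. `# identity carried over from the former "eos" host; hostId is the first 8 hex digits of machine-id by convention`. If an image built from the old eos configuration is ever booted next to this one, the shared machine-id is worth checking, since systemd derives per-host identifiers from it (the journal's machine field and, as far as I recall, networkd's default DHCP DUID). Separately, `security.pam.mount.extraVolumes` appears here as two empty strings; if that is what the file really contains rather than a rendering artefact, pam_mount receives two empty volume entries and the list should be filled in or dropped.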
+++ b/hosts/eostre/ruleset.nft 
@@ -0,0 +1,101 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+ limit lim_arp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy accept
+
+ limit name lim_arp counter drop
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+ limit name lim_arp counter drop
+
+ counter
+ }
+}
+
+table inet filter {
+ limit lim_reject {
+ rate over 1000/second burst 1000 packets
+ }
+
+ limit lim_icmp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid forward: " counter drop
+
+
+ iifname lo counter accept
+
+
+ limit name lim_reject log level debug prefix "drop forward: " counter drop
+ log level debug prefix "reject forward: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid input: " counter drop
+
+
+ iifname lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter reject
+ iif != lo ip6 daddr ::1/128 counter reject
+
+ meta l4proto $icmp_protos limit name lim_icmp counter drop
+ meta l4proto $icmp_protos counter accept
+
+ tcp dport 22 counter accept
+ udp dport 60000-61000 counter accept
+
+
+ ct state {established, related} counter accept
+
+
+ limit name lim_reject log level debug prefix "drop input: " counter drop
+ log level debug prefix "reject input: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+
+ oifname lo counter accept
+
+ meta l4proto $icmp_protos limit name lim_icmp counter drop
+ meta l4proto $icmp_protos counter accept
+
+
+ counter
+ }
+}
\ No newline at end of file
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index d3407f1d..1c29dc6a 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -23,10 +23,10 @@ with lib; }; client-classes = [ - { name = "eos-ipxe"; + { name = "eostre-ipxe"; test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE'"; next-server = "10.141.0.1"; - boot-file-name = "http://nfsroot.vidhar.yggdrasil/eos/netboot.ipxe"; + boot-file-name = "http://nfsroot.vidhar.yggdrasil/eostre/netboot.ipxe"; only-if-required = true; } { name = "ipxe";
@@ -266,21 +266,21 @@ with lib; ) ["x86_64-linux"] ) ++ [ (let - eosBuild = (flake.nixosConfigurations.eos.extendModules { + eostreBuild = (flake.nixosConfigurations.eostre.extendModules { modules = [ ({ ... }: { config.nfsroot.storeDevice = "10.141.0.1:nix-store"; - config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/eos/registration"; + config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/eostre/registration"; }) ]; }).config.system.build; - in builtins.toPath (pkgs.runCommandLocal "eos" {} '' - mkdir -p $out/eos - install -m 0444 -t $out/eos \ - ${eosBuild.initialRamdisk}/initrd \ - ${eosBuild.kernel}/bzImage \ - ${eosBuild.netbootIpxeScript}/netboot.ipxe \ - ${pkgs.closureInfo { rootPaths = eosBuild.storeContents; }}/registration + in builtins.toPath (pkgs.runCommandLocal "eostre" {} '' + mkdir -p $out/eostre + install -m 0444 -t $out/eostre \ + ${eostreBuild.initialRamdisk}/initrd \ + ${eostreBuild.kernel}/bzImage \ + ${eostreBuild.netbootIpxeScript}/netboot.ipxe \ + ${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration '')) ]; };
diff --git a/hosts/vidhar/samba.nix b/hosts/vidhar/samba.nix
index ffca9c6d..506edaae 100644
--- a/hosts/vidhar/samba.nix
+++ b/hosts/vidhar/samba.nix
@@ -40,10 +40,10 @@ writeable = "true"; path = "/srv/eos"; };
- home-eos = {
- comment = "Home directoriy for %u on PXE booted EOS";
- path = "/srv/cifs/home-eos/%u";
- volume = "%u@eos";
+ home-eostre = {
+ comment = "Home directoriy for %u on PXE booted eostre";
+ path = "/srv/cifs/home-eostre/%u";
+ volume = "%u@eostre";
 browseable = true; "read only" = false; "create mask" = "0700";
-- 
cgit v1.2.3
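Review bot: The rename does not reach the share directly above the one being renamed: the context line `path = "/srv/eos";` still carries the old host name, so `/srv/eos` and `home-eostre` now coexist in the same file and a reader cannot tell whether that export was deliberately left under its old directory or simply missed. If it was missed it should become `/srv/eostre` together with the on-disk move; if it was deliberate, a comment such as `# export directory intentionally kept as /srv/eos` would make that explicit. The new `comment` line also carries the pre-existing typo; `comment = "Home directory for %u on PXE booted eostre";` reads better while the line is being touched anyway. The enclosing shares attribute set starts and ends outside the hunk.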