From 42984e77041cfc95d333319bef0b2d8f441f56d3 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Wed, 2 Nov 2022 00:11:28 +0100
Subject: =?UTF-8?q?eos=20=E2=86=92=20eostre?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 hosts/eos/default.nix                 | 101 ---------------------------------
 hosts/eos/ruleset.nft                 | 101 ---------------------------------
 hosts/eostre/default.nix              | 104 ++++++++++++++++++++++++++++++++++
 hosts/eostre/ruleset.nft              | 101 +++++++++++++++++++++++++++++++++
 hosts/vidhar/network/dhcp/default.nix |  22 +++----
 hosts/vidhar/samba.nix                |   8 +--
 6 files changed, 220 insertions(+), 217 deletions(-)
 delete mode 100644 hosts/eos/default.nix
 delete mode 100644 hosts/eos/ruleset.nft
 create mode 100644 hosts/eostre/default.nix
 create mode 100644 hosts/eostre/ruleset.nft

(limited to 'hosts')

diff --git a/hosts/eos/default.nix b/hosts/eos/default.nix
deleted file mode 100644
index 1c5347e7..00000000
--- a/hosts/eos/default.nix
+++ /dev/null
@@ -1,101 +0,0 @@
-{ flake, config, pkgs, lib, ... }:
-
-with lib;
-
-{
-  imports = with flake.nixosModules.systemProfiles; [
-    nfsroot
-  ];
-
-  config = {
-    nixpkgs = {
-      system = "x86_64-linux";
-      config = {
-        allowUnfree = true;
-      };
-    };
-
-    boot = {
-      initrd = {
-        availableKernelModules = [ "nvme" "ahci" "xhci_pci" "usbhid" "sd_mod" "sr_mod" ];
-        kernelModules = [ "igb" ];
-      };
-      kernelModules = [ "kvm-amd" ];
-      extraModulePackages = [ ];
-
-      plymouth.enable = true;
-
-      tmpOnTmpfs = true;
-    };
-
-    hardware = {
-      enableRedistributableFirmware = true;
-      cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware;
-
-      nvidia = {
-        modesetting.enable = true;
-        powerManagement.enable = true;
-      };
-
-      opengl.enable = true;
-    };
-
-    environment.etc."machine-id".text = "f457b21333f1491e916521151ff5d468";
-
-    networking = {
-      hostId = "f457b213";
-
-      domain = "asgard.yggdrasil";
-      search = [ "asgard.yggdrasil" "yggdrasil" ];
-
-      hosts = {
-        "127.0.0.1" = [ "eos.asgard.yggdrasil" "eos" ];
-        "::1" = [ "eos.asgard.yggdrasil" "eos" ];
-      };
-
-      firewall.enable = false;
-      nftables = {
-        enable = true;
-        rulesetFile = ./ruleset.nft;
-      };
-    };
-
-    services.resolved = {
-      llmnr = "false";
-    };
-
-    zramSwap.enable = true;
-
-    system.stateVersion = config.system.nixos.release; # No state
-
-
-    time.timeZone = "Europe/Berlin";
-    time.hardwareClockInLocalTime = true;
-    i18n.defaultLocale = "en_DK.UTF-8";
-
-
-    environment.systemPackages = with pkgs; [ cifs-utils ];
-
-    security.pam.mount = {
-      enable = true;
-      extraVolumes = [
-        "<volume sgrp=\"users\" fstype=\"cifs\" server=\"vidhar.lan.yggdrasil\" path=\"home-eos\" mountpoint=\"~\" />"
-        "<volume sgrp=\"users\" fstype=\"cifs\" server=\"vidhar.lan.yggdrasil\" path=\"%(USER)\" mountpoint=\"/run/media/%(USER)/vidhar\" />"
-      ];
-    };
-
-
-    services.xserver = {
-      enable = true;
-      displayManager.sddm = {
-        enable = true;
-        settings = {
-          Users.HideUsers = "gkleen";
-        };
-      };
-      desktopManager.plasma5.enable = true;
-
-      videoDrivers = [ "nvidia" ];
-    };
-  };
-}
diff --git a/hosts/eos/ruleset.nft b/hosts/eos/ruleset.nft
deleted file mode 100644
index 7b38a059..00000000
--- a/hosts/eos/ruleset.nft
+++ /dev/null
@@ -1,101 +0,0 @@
-define icmp_protos = {ipv6-icmp, icmp, igmp}
-
-table arp filter {
-  limit lim_arp {
-    rate over 50 mbytes/second burst 50 mbytes
-  }
-
-  chain input {
-    type filter hook input priority filter
-    policy accept
-
-    limit name lim_arp counter drop
-
-    counter
-  }
-
-  chain output {
-    type filter hook output priority filter
-    policy accept
-
-    limit name lim_arp counter drop
-
-    counter
-  }
-}
-
-table inet filter {
-  limit lim_reject {
-    rate over 1000/second burst 1000 packets
-  }
-
-  limit lim_icmp {
-    rate over 50 mbytes/second burst 50 mbytes
-  }
-
-
-  chain forward {
-    type filter hook forward priority filter
-    policy drop
-
-
-    ct state invalid log level debug prefix "drop invalid forward: " counter drop
-
-
-    iifname lo counter accept
-
-
-    limit name lim_reject log level debug prefix "drop forward: " counter drop
-    log level debug prefix "reject forward: " counter
-    meta l4proto tcp ct state new counter reject with tcp reset
-    ct state new counter reject
-
-
-    counter
-  }
-
-  chain input {
-    type filter hook input priority filter
-    policy drop
-
-
-    ct state invalid log level debug prefix "drop invalid input: " counter drop
-
-
-    iifname lo counter accept
-    iif != lo ip daddr 127.0.0.1/8 counter reject
-    iif != lo ip6 daddr ::1/128 counter reject
-
-    meta l4proto $icmp_protos limit name lim_icmp counter drop
-    meta l4proto $icmp_protos counter accept
-
-    tcp dport 22 counter accept
-    udp dport 60000-61000 counter accept
-
-
-    ct state {established, related} counter accept
-
-
-    limit name lim_reject log level debug prefix "drop input: " counter drop
-    log level debug prefix "reject input: " counter
-    meta l4proto tcp ct state new counter reject with tcp reset
-    ct state new counter reject
-
-
-    counter
-  }
-
-  chain output {
-    type filter hook output priority filter
-    policy accept
-
-
-    oifname lo counter accept
-
-    meta l4proto $icmp_protos limit name lim_icmp counter drop
-    meta l4proto $icmp_protos counter accept
-
-
-    counter
-  }
-}
\ No newline at end of file
diff --git a/hosts/eostre/default.nix b/hosts/eostre/default.nix
new file mode 100644
index 00000000..4aa6473e
--- /dev/null
+++ b/hosts/eostre/default.nix
@@ -0,0 +1,104 @@
+{ flake, config, pkgs, lib, ... }:
+
+with lib;
+
+{
+  imports = with flake.nixosModules.systemProfiles; [
+    nfsroot
+  ];
+
+  config = {
+    nixpkgs = {
+      system = "x86_64-linux";
+      config = {
+        allowUnfree = true;
+      };
+    };
+
+    boot = {
+      initrd = {
+        availableKernelModules = [ "nvme" "ahci" "xhci_pci" "usbhid" "sd_mod" "sr_mod" ];
+        kernelModules = [ "igb" ];
+      };
+      kernelModules = [ "kvm-amd" ];
+      extraModulePackages = [ ];
+
+      plymouth.enable = true;
+
+      tmpOnTmpfs = true;
+    };
+
+    hardware = {
+      enableRedistributableFirmware = true;
+      cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware;
+
+      nvidia = {
+        modesetting.enable = true;
+        powerManagement.enable = true;
+      };
+
+      opengl.enable = true;
+    };
+
+    environment.etc."machine-id".text = "f457b21333f1491e916521151ff5d468";
+
+    networking = {
+      hostId = "f457b213";
+
+      domain = "lan.yggdrasil";
+      search = [ "lan.yggdrasil" "yggdrasil" ];
+
+      hosts = {
+        "127.0.0.1" = [ "eostre.lan.yggdrasil" "eostre" ];
+        "::1" = [ "eostre.lan.yggdrasil" "eostre" ];
+      };
+
+      firewall.enable = false;
+      nftables = {
+        enable = true;
+        rulesetFile = ./ruleset.nft;
+      };
+    };
+
+    services.resolved = {
+      llmnr = "false";
+    };
+
+    zramSwap.enable = true;
+
+    system.stateVersion = config.system.nixos.release; # No state
+    security.sudo.extraConfig = ''
+      Defaults lecture = never
+    '';
+
+
+    time.timeZone = "Europe/Berlin";
+    time.hardwareClockInLocalTime = true;
+    i18n.defaultLocale = "en_DK.UTF-8";
+
+
+    environment.systemPackages = with pkgs; [ cifs-utils ];
+
+    security.pam.mount = {
+      enable = true;
+      extraVolumes = [
+        "<volume sgrp=\"users\" fstype=\"cifs\" server=\"vidhar.lan.yggdrasil\" path=\"home-eostre\" mountpoint=\"~\" />"
+        "<volume sgrp=\"users\" fstype=\"cifs\" server=\"vidhar.lan.yggdrasil\" path=\"%(USER)\" mountpoint=\"/run/media/%(USER)/vidhar\" />"
+      ];
+    };
+
+
+    services.xserver = {
+      enable = true;
+      displayManager.sddm = {
+        enable = true;
+        settings = {
+          Users.HideUsers = "gkleen";
+        };
+      };
+      desktopManager.plasma5.enable = true;
+
+      videoDrivers = [ "nvidia" ];
+    };
+  };
+}
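Review bot: The new host keeps the machine-id and hostId of the deleted eos host verbatim (`environment.etc."machine-id".text = "f457b21333f1491e916521151ff5d468"` and `hostId = "f457b213"`), and nothing in the file records that this identity was inherited rather than freshly generated for eostre. Both values are expected to be unique per machine, so a comment next to them such as `# identity carried over from the former "eos" host (renamed in this commit); do not reuse if a second machine is added` would stop a later copy of this file from yielding two hosts with the same machine-id and ZFS hostId. The move from `asgard.yggdrasil` to `lan.yggdrasil` in `networking.domain`, `search` and `hosts`, and the added `security.sudo.extraConfig` with `Defaults lecture = never`, go beyond the rename stated in the subject and deserve a line in the commit description or a short comment explaining why the host changed network domain.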
diff --git a/hosts/eostre/ruleset.nft b/hosts/eostre/ruleset.nft
new file mode 100644
index 00000000..7b38a059
--- /dev/null
+++ b/hosts/eostre/ruleset.nft
@@ -0,0 +1,101 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+  limit lim_arp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+
+  chain input {
+    type filter hook input priority filter
+    policy accept
+
+    limit name lim_arp counter drop
+
+    counter
+  }
+
+  chain output {
+    type filter hook output priority filter
+    policy accept
+
+    limit name lim_arp counter drop
+
+    counter
+  }
+}
+
+table inet filter {
+  limit lim_reject {
+    rate over 1000/second burst 1000 packets
+  }
+
+  limit lim_icmp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+
+
+  chain forward {
+    type filter hook forward priority filter
+    policy drop
+
+
+    ct state invalid log level debug prefix "drop invalid forward: " counter drop
+
+
+    iifname lo counter accept
+
+
+    limit name lim_reject log level debug prefix "drop forward: " counter drop
+    log level debug prefix "reject forward: " counter
+    meta l4proto tcp ct state new counter reject with tcp reset
+    ct state new counter reject
+
+
+    counter
+  }
+
+  chain input {
+    type filter hook input priority filter
+    policy drop
+
+
+    ct state invalid log level debug prefix "drop invalid input: " counter drop
+
+
+    iifname lo counter accept
+    iif != lo ip daddr 127.0.0.1/8 counter reject
+    iif != lo ip6 daddr ::1/128 counter reject
+
+    meta l4proto $icmp_protos limit name lim_icmp counter drop
+    meta l4proto $icmp_protos counter accept
+
+    tcp dport 22 counter accept
+    udp dport 60000-61000 counter accept
+
+
+    ct state {established, related} counter accept
+
+
+    limit name lim_reject log level debug prefix "drop input: " counter drop
+    log level debug prefix "reject input: " counter
+    meta l4proto tcp ct state new counter reject with tcp reset
+    ct state new counter reject
+
+
+    counter
+  }
+
+  chain output {
+    type filter hook output priority filter
+    policy accept
+
+
+    oifname lo counter accept
+
+    meta l4proto $icmp_protos limit name lim_icmp counter drop
+    meta l4proto $icmp_protos counter accept
+
+
+    counter
+  }
+}
\ No newline at end of file
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index d3407f1d..1c29dc6a 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -23,10 +23,10 @@ with lib;
           };
 
           client-classes = [
-            { name = "eos-ipxe";
+            { name = "eostre-ipxe";
               test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE'";
               next-server = "10.141.0.1";
-              boot-file-name = "http://nfsroot.vidhar.yggdrasil/eos/netboot.ipxe";
+              boot-file-name = "http://nfsroot.vidhar.yggdrasil/eostre/netboot.ipxe";
               only-if-required = true;
             }
             { name = "ipxe";
@@ -266,21 +266,21 @@ with lib;
               ) ["x86_64-linux"]
             ) ++ [
               (let
-                 eosBuild = (flake.nixosConfigurations.eos.extendModules {
+                 eostreBuild = (flake.nixosConfigurations.eostre.extendModules {
                    modules = [
                      ({ ... }: {
                        config.nfsroot.storeDevice = "10.141.0.1:nix-store";
-                       config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/eos/registration";
+                       config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/eostre/registration";
                      })
                    ];
                  }).config.system.build;
-               in builtins.toPath (pkgs.runCommandLocal "eos" {} ''
-                    mkdir -p $out/eos
-                    install -m 0444 -t $out/eos \
-                      ${eosBuild.initialRamdisk}/initrd \
-                      ${eosBuild.kernel}/bzImage \
-                      ${eosBuild.netbootIpxeScript}/netboot.ipxe \
-                      ${pkgs.closureInfo { rootPaths = eosBuild.storeContents; }}/registration
+               in builtins.toPath (pkgs.runCommandLocal "eostre" {} ''
+                    mkdir -p $out/eostre
+                    install -m 0444 -t $out/eostre \
+                      ${eostreBuild.initialRamdisk}/initrd \
+                      ${eostreBuild.kernel}/bzImage \
+                      ${eostreBuild.netbootIpxeScript}/netboot.ipxe \
+                      ${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration
                   ''))
             ];
         };
diff --git a/hosts/vidhar/samba.nix b/hosts/vidhar/samba.nix
index ffca9c6d..506edaae 100644
--- a/hosts/vidhar/samba.nix
+++ b/hosts/vidhar/samba.nix
@@ -40,10 +40,10 @@
           writeable = "true";
           path = "/srv/eos";
         };
-        home-eos = {
-          comment = "Home directoriy for %u on PXE booted EOS";
-          path = "/srv/cifs/home-eos/%u";
-          volume = "%u@eos";
+        home-eostre = {
+          comment = "Home directoriy for %u on PXE booted eostre";
+          path = "/srv/cifs/home-eostre/%u";
+          volume = "%u@eostre";
           browseable = true;
           "read only" = false;
           "create mask" = "0700";
-- 
cgit v1.2.3