From 42984e77041cfc95d333319bef0b2d8f441f56d3 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Wed, 2 Nov 2022 00:11:28 +0100 Subject: =?UTF-8?q?eos=20=E2=86=92=20eostre?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- hosts/eos/default.nix | 101 --------------------------------- hosts/eos/ruleset.nft | 101 --------------------------------- hosts/eostre/default.nix | 104 ++++++++++++++++++++++++++++++++++ hosts/eostre/ruleset.nft | 101 +++++++++++++++++++++++++++++++++ hosts/vidhar/network/dhcp/default.nix | 22 +++---- hosts/vidhar/samba.nix | 8 +-- 6 files changed, 220 insertions(+), 217 deletions(-) delete mode 100644 hosts/eos/default.nix delete mode 100644 hosts/eos/ruleset.nft create mode 100644 hosts/eostre/default.nix create mode 100644 hosts/eostre/ruleset.nft (limited to 'hosts') diff --git a/hosts/eos/default.nix b/hosts/eos/default.nix deleted file mode 100644 index 1c5347e7..00000000 --- a/hosts/eos/default.nix +++ /dev/null @@ -1,101 +0,0 @@ -{ flake, config, pkgs, lib, ... }: - -with lib; - -{ - imports = with flake.nixosModules.systemProfiles; [ - nfsroot - ]; - - config = { - nixpkgs = { - system = "x86_64-linux"; - config = { - allowUnfree = true; - }; - }; - - boot = { - initrd = { - availableKernelModules = [ "nvme" "ahci" "xhci_pci" "usbhid" "sd_mod" "sr_mod" ]; - kernelModules = [ "igb" ]; - }; - kernelModules = [ "kvm-amd" ]; - extraModulePackages = [ ]; - - plymouth.enable = true; - - tmpOnTmpfs = true; - }; - - hardware = { - enableRedistributableFirmware = true; - cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware; - - nvidia = { - modesetting.enable = true; - powerManagement.enable = true; - }; - - opengl.enable = true; - }; - - environment.etc."machine-id".text = "f457b21333f1491e916521151ff5d468"; - - networking = { - hostId = "f457b213"; - - domain = "asgard.yggdrasil"; - search = [ "asgard.yggdrasil" "yggdrasil" ]; - - hosts = { - "127.0.0.1" = [ "eos.asgard.yggdrasil" "eos" ]; - "::1" = [ "eos.asgard.yggdrasil" "eos" ]; - }; - - firewall.enable = false; - nftables = { - enable = true; - rulesetFile = ./ruleset.nft; - }; - }; - - services.resolved = { - llmnr = "false"; - }; - - zramSwap.enable = true; - - system.stateVersion = config.system.nixos.release; # No state - - - time.timeZone = "Europe/Berlin"; - time.hardwareClockInLocalTime = true; - i18n.defaultLocale = "en_DK.UTF-8"; - - - environment.systemPackages = with pkgs; [ cifs-utils ]; - - security.pam.mount = { - enable = true; - extraVolumes = [ - "" - "" - ]; - }; - - - services.xserver = { - enable = true; - displayManager.sddm = { - enable = true; - settings = { - Users.HideUsers = "gkleen"; - }; - }; - desktopManager.plasma5.enable = true; - - videoDrivers = [ "nvidia" ]; - }; - }; -} diff --git a/hosts/eos/ruleset.nft b/hosts/eos/ruleset.nft deleted file mode 100644 index 7b38a059..00000000 --- a/hosts/eos/ruleset.nft +++ /dev/null @@ -1,101 +0,0 @@ -define icmp_protos = {ipv6-icmp, icmp, igmp} - -table arp filter { - limit lim_arp { - rate over 50 mbytes/second burst 50 mbytes - } - - chain input { - type filter hook input priority filter - policy accept - - limit name lim_arp counter drop - - counter - } - - chain output { - type filter hook output priority filter - policy accept - - limit name lim_arp counter drop - - counter - } -} - -table inet filter { - limit lim_reject { - rate over 1000/second burst 1000 packets - } - - limit lim_icmp { - rate over 50 mbytes/second burst 50 mbytes - } - - - chain forward { - type filter hook forward priority filter - policy drop - - - ct state invalid log level debug prefix "drop invalid forward: " counter drop - - - iifname lo counter accept - - - limit name lim_reject log level debug prefix "drop forward: " counter drop - log level debug prefix "reject forward: " counter - meta l4proto tcp ct state new counter reject with tcp reset - ct state new counter reject - - - counter - } - - chain input { - type filter hook input priority filter - policy drop - - - ct state invalid log level debug prefix "drop invalid input: " counter drop - - - iifname lo counter accept - iif != lo ip daddr 127.0.0.1/8 counter reject - iif != lo ip6 daddr ::1/128 counter reject - - meta l4proto $icmp_protos limit name lim_icmp counter drop - meta l4proto $icmp_protos counter accept - - tcp dport 22 counter accept - udp dport 60000-61000 counter accept - - - ct state {established, related} counter accept - - - limit name lim_reject log level debug prefix "drop input: " counter drop - log level debug prefix "reject input: " counter - meta l4proto tcp ct state new counter reject with tcp reset - ct state new counter reject - - - counter - } - - chain output { - type filter hook output priority filter - policy accept - - - oifname lo counter accept - - meta l4proto $icmp_protos limit name lim_icmp counter drop - meta l4proto $icmp_protos counter accept - - - counter - } -} \ No newline at end of file diff --git a/hosts/eostre/default.nix b/hosts/eostre/default.nix new file mode 100644 index 00000000..4aa6473e --- /dev/null +++ b/hosts/eostre/default.nix @@ -0,0 +1,104 @@ +{ flake, config, pkgs, lib, ... }: + +with lib; + +{ + imports = with flake.nixosModules.systemProfiles; [ + nfsroot + ]; + + config = { + nixpkgs = { + system = "x86_64-linux"; + config = { + allowUnfree = true; + }; + }; + + boot = { + initrd = { + availableKernelModules = [ "nvme" "ahci" "xhci_pci" "usbhid" "sd_mod" "sr_mod" ]; + kernelModules = [ "igb" ]; + }; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ ]; + + plymouth.enable = true; + + tmpOnTmpfs = true; + }; + + hardware = { + enableRedistributableFirmware = true; + cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware; + + nvidia = { + modesetting.enable = true; + powerManagement.enable = true; + }; + + opengl.enable = true; + }; + + environment.etc."machine-id".text = "f457b21333f1491e916521151ff5d468"; + + networking = { + hostId = "f457b213"; + + domain = "lan.yggdrasil"; + search = [ "lan.yggdrasil" "yggdrasil" ]; + + hosts = { + "127.0.0.1" = [ "eostre.lan.yggdrasil" "eostre" ]; + "::1" = [ "eostre.lan.yggdrasil" "eostre" ]; + }; + + firewall.enable = false; + nftables = { + enable = true; + rulesetFile = ./ruleset.nft; + }; + }; + + services.resolved = { + llmnr = "false"; + }; + + zramSwap.enable = true; + + system.stateVersion = config.system.nixos.release; # No state + security.sudo.extraConfig = '' + Defaults lecture = never + ''; + + + time.timeZone = "Europe/Berlin"; + time.hardwareClockInLocalTime = true; + i18n.defaultLocale = "en_DK.UTF-8"; + + + environment.systemPackages = with pkgs; [ cifs-utils ]; + + security.pam.mount = { + enable = true; + extraVolumes = [ + "" + "" + ]; + }; + + + services.xserver = { + enable = true; + displayManager.sddm = { + enable = true; + settings = { + Users.HideUsers = "gkleen"; + }; + }; + desktopManager.plasma5.enable = true; + + videoDrivers = [ "nvidia" ]; + }; + }; +} diff --git a/hosts/eostre/ruleset.nft b/hosts/eostre/ruleset.nft new file mode 100644 index 00000000..7b38a059 --- /dev/null +++ b/hosts/eostre/ruleset.nft @@ -0,0 +1,101 @@ +define icmp_protos = {ipv6-icmp, icmp, igmp} + +table arp filter { + limit lim_arp { + rate over 50 mbytes/second burst 50 mbytes + } + + chain input { + type filter hook input priority filter + policy accept + + limit name lim_arp counter drop + + counter + } + + chain output { + type filter hook output priority filter + policy accept + + limit name lim_arp counter drop + + counter + } +} + +table inet filter { + limit lim_reject { + rate over 1000/second burst 1000 packets + } + + limit lim_icmp { + rate over 50 mbytes/second burst 50 mbytes + } + + + chain forward { + type filter hook forward priority filter + policy drop + + + ct state invalid log level debug prefix "drop invalid forward: " counter drop + + + iifname lo counter accept + + + limit name lim_reject log level debug prefix "drop forward: " counter drop + log level debug prefix "reject forward: " counter + meta l4proto tcp ct state new counter reject with tcp reset + ct state new counter reject + + + counter + } + + chain input { + type filter hook input priority filter + policy drop + + + ct state invalid log level debug prefix "drop invalid input: " counter drop + + + iifname lo counter accept + iif != lo ip daddr 127.0.0.1/8 counter reject + iif != lo ip6 daddr ::1/128 counter reject + + meta l4proto $icmp_protos limit name lim_icmp counter drop + meta l4proto $icmp_protos counter accept + + tcp dport 22 counter accept + udp dport 60000-61000 counter accept + + + ct state {established, related} counter accept + + + limit name lim_reject log level debug prefix "drop input: " counter drop + log level debug prefix "reject input: " counter + meta l4proto tcp ct state new counter reject with tcp reset + ct state new counter reject + + + counter + } + + chain output { + type filter hook output priority filter + policy accept + + + oifname lo counter accept + + meta l4proto $icmp_protos limit name lim_icmp counter drop + meta l4proto $icmp_protos counter accept + + + counter + } +} \ No newline at end of file diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix index d3407f1d..1c29dc6a 100644 --- a/hosts/vidhar/network/dhcp/default.nix +++ b/hosts/vidhar/network/dhcp/default.nix @@ -23,10 +23,10 @@ with lib; }; client-classes = [ - { name = "eos-ipxe"; + { name = "eostre-ipxe"; test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE'"; next-server = "10.141.0.1"; - boot-file-name = "http://nfsroot.vidhar.yggdrasil/eos/netboot.ipxe"; + boot-file-name = "http://nfsroot.vidhar.yggdrasil/eostre/netboot.ipxe"; only-if-required = true; } { name = "ipxe"; @@ -266,21 +266,21 @@ with lib; ) ["x86_64-linux"] ) ++ [ (let - eosBuild = (flake.nixosConfigurations.eos.extendModules { + eostreBuild = (flake.nixosConfigurations.eostre.extendModules { modules = [ ({ ... }: { config.nfsroot.storeDevice = "10.141.0.1:nix-store"; - config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/eos/registration"; + config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/eostre/registration"; }) ]; }).config.system.build; - in builtins.toPath (pkgs.runCommandLocal "eos" {} '' - mkdir -p $out/eos - install -m 0444 -t $out/eos \ - ${eosBuild.initialRamdisk}/initrd \ - ${eosBuild.kernel}/bzImage \ - ${eosBuild.netbootIpxeScript}/netboot.ipxe \ - ${pkgs.closureInfo { rootPaths = eosBuild.storeContents; }}/registration + in builtins.toPath (pkgs.runCommandLocal "eostre" {} '' + mkdir -p $out/eostre + install -m 0444 -t $out/eostre \ + ${eostreBuild.initialRamdisk}/initrd \ + ${eostreBuild.kernel}/bzImage \ + ${eostreBuild.netbootIpxeScript}/netboot.ipxe \ + ${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration '')) ]; }; diff --git a/hosts/vidhar/samba.nix b/hosts/vidhar/samba.nix index ffca9c6d..506edaae 100644 --- a/hosts/vidhar/samba.nix +++ b/hosts/vidhar/samba.nix @@ -40,10 +40,10 @@ writeable = "true"; path = "/srv/eos"; }; - home-eos = { - comment = "Home directoriy for %u on PXE booted EOS"; - path = "/srv/cifs/home-eos/%u"; - volume = "%u@eos"; + home-eostre = { + comment = "Home directoriy for %u on PXE booted eostre"; + path = "/srv/cifs/home-eostre/%u"; + volume = "%u@eostre"; browseable = true; "read only" = false; "create mask" = "0700"; -- cgit v1.2.3