From 43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 14 May 2025 10:50:27 +0200
Subject: ...

---
 hosts/sif/default.nix | 34 --------------
 hosts/sif/ruleset.nft | 8 ++--
 hosts/surtr/email/default.nix | 14 ++----
 hosts/surtr/vpn/default.nix | 8 +++-
 hosts/surtr/vpn/geri.pub | 2 +-
 hosts/vidhar/network/dhcp/default.nix | 88 +++++++++++++++++------------------
 6 files changed, 58 insertions(+), 96 deletions(-)

(limited to 'hosts')

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 0897e1d8..f4de24e8 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -126,38 +126,8 @@ in {
 rulesetFile = ./ruleset.nft;
 };
 
- # firewall = {
- # enable = true;
- # allowedTCPPorts = [ 22 # ssh
- # 8000 # quickserve
- # ];
- # };
-
- # wlanInterfaces = {
- # wlan0 = {
- # device = "wlp82s0";
- # };
- # };
-
- # bonds = {
- # "lan" = {
- # interfaces = [ "wlan0" "enp0s31f6" "dock0" ];
- # driverOptions = {
- # miimon = "1000";
- # mode = "active-backup";
- # primary_reselect = "always";
- # };
- # };
- # };
-
 useDHCP = false;
 useNetworkd = true;
-
- # interfaces."tinc.yggdrasil" = {
- # virtual = true;
- # virtualType = config.services.tinc.networks.yggdrasil.interfaceType;
- # macAddress = "5c:93:21:c3:61:39";
- # };
 };
 
 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
@@ -751,10 +721,6 @@ in {
 home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ];
- environment.pathsToLink = [
- "share/zsh"
- ];
-
 system.stateVersion = "24.11";
 };
 }
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index 2af8b2ee..62339f69 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -61,7 +61,7 @@ table inet filter {
 counter mosh-rx {}
 counter wg-rx {}
 counter yggdrasil-gre-rx {}
- counter quickserve-rx {}
+ counter miniserve-rx {}
 counter ausweisapp2-rx {}
 counter established-rx {}
 
@@ -81,7 +81,7 @@ table inet filter {
 counter mosh-tx {}
 counter wg-tx {}
 counter yggdrasil-gre-tx {}
- counter quickserve-tx {}
+ counter miniserve-tx {}
 counter tx {}
@@ -134,7 +134,7 @@ table inet filter {
 tcp dport 22 counter name ssh-rx accept
 udp dport 60000-61000 counter name mosh-rx accept
- tcp dport 8000 counter name quickserve-rx accept
+ tcp dport 8080 counter name miniserve-rx accept
 udp dport 24727 counter name ausweisapp2-rx accept
 udp dport 51820-51822 counter name wg-rx accept
@@ -173,7 +173,7 @@ table inet filter {
 udp sport 51820-51822 counter name wg-tx
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
- tcp sport 8000 counter name quickserve-tx accept
+ tcp sport 8080 counter name miniserve-tx accept
 oifname virbr0 udp sport 67 counter name libvirt-dhcp accept
 oifname virbr0 udp sport 547 counter name libvirt-dhcp accept
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 13b33c7f..4666d1d6 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -215,7 +215,7 @@ in {
 smtpd_client_event_limit_exceptions = "";
 milter_default_action = "accept";
- smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"];
+ smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock" "local:/run/postsrsd/postsrsd-milter.sock"];
 non_smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"];
 alias_maps = "";
@@ -237,11 +237,6 @@ in {
 ::/0 silent-discard, dsn
 ''}";
- sender_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.forwardPort}";
- sender_canonical_classes = "envelope_sender";
- recipient_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.reversePort}";
- recipient_canonical_classes = ["envelope_recipient" "header_recipient"];
-
 virtual_mailbox_domains = ''pgsql:${pkgs.writeText "virtual_mailbox_domains.cf" ''
 hosts = postgresql:///email
 dbname = email
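Review bot: The new input rule `tcp dport 8080 counter name miniserve-rx accept` is still unqualified by interface or source address, so the file server (presumably an ad-hoc HTTP share, given the name) is reachable from every interface this host has, including the wg and yggdrasil tunnels admitted elsewhere in this table. The libvirt rules further down already scope by `oifname virbr0`; the same can be done here, e.g. `iifname "<the interface the share is meant for>" tcp dport 8080 counter name miniserve-rx accept`, or the rule can be kept commented out until a share is actually running. The output counterpart `tcp sport 8080 counter name miniserve-tx accept` in the last hunk deserves the same scoping. The enclosing chains start and end outside these hunks.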
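Review bot: Adding postsrsd only to `smtpd_milters` drops SRS for any mail that enters through pickup/sendmail instead of smtpd, whereas the `sender_canonical_maps`/`recipient_canonical_maps` removed in the following hunk ran in cleanup for every message; `non_smtpd_milters` on the next line still lists only opendkim and rspamd. If anything re-injects forwarded mail locally (e.g. a sieve redirect or an alias that pipes back in — not visible here), add `"local:/run/postsrsd/postsrsd-milter.sock"` to `non_smtpd_milters` as well, or leave a comment stating why smtpd-only rewriting is sufficient. Note also that `milter_default_action = "accept"` two lines above means a dead postsrsd socket silently sends forwards with the original envelope sender (SPF failures at the destination) rather than deferring; confirm that is the intended failure mode. The `main.cf` attribute set continues outside the hunk.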
@@ -366,10 +361,11 @@ in {
 
 services.postsrsd = {
 enable = true;
- domain = "surtr.yggdrasil.li";
+ domains = [ "surtr.yggdrasil.li" ] ++ concatMap (domain: [".${domain}" domain]) emailDomains;
 separator = "+";
- excludeDomains = [ "surtr.yggdrasil.li"
- ] ++ concatMap (domain: [".${domain}" domain]) emailDomains;
+ extraConfig = ''
+ milter = unix:/run/postsrsd/postsrsd-milter.sock
+ '';
 };
 
 services.opendkim = {
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 1bdcf74e..92223144 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, lib, ... }:
+{ flake, pkgs, config, lib, ... }:
 
 with lib;
 
@@ -22,7 +22,11 @@ in {
 "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv"
 "--network-ipvlan=ens3:upstream"
 ];
- config = {
+ config = let hostConfig = config; in { config, pkgs, ... }: {
+ system.stateVersion = lib.mkIf hostConfig.containers."vpn".ephemeral config.system.nixos.release;
+ system.configurationRevision = mkIf (flake ? rev) flake.rev;
+ nixpkgs.pkgs = hostConfig.nixpkgs.pkgs;
+
 boot.kernel.sysctl = {
 "net.core.rmem_max" = 4194304;
 "net.core.wmem_max" = 4194304;
diff --git a/hosts/surtr/vpn/geri.pub b/hosts/surtr/vpn/geri.pub
index ed5de2b2..2cd9b24e 100644
--- a/hosts/surtr/vpn/geri.pub
+++ b/hosts/surtr/vpn/geri.pub
@@ -1 +1 @@
-sYuQSNZHzfegv8HRz71jnZm2nFLGeRnaGwVonhKUj2k=
+hhER05bvstOTGfiAG3IJsFkBNWCUZHokBXwaiC5d534=
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index 098d3061..11460393 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
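Review bot: The milter socket path `milter = unix:/run/postsrsd/postsrsd-milter.sock` in `extraConfig` is duplicated as a literal in the `smtpd_milters` list earlier in this file, so the two can drift apart silently; bind it once in the file's `let` (e.g. `postsrsdMilterSocket = "/run/postsrsd/postsrsd-milter.sock";`) and interpolate it in both places. It is also worth confirming that the Postfix smtpd processes can connect to that socket at all — the socket is created by the postsrsd unit with a directory mode and ownership not visible here, and a connection failure would be masked by the `milter_default_action = accept` set above rather than surfacing as an error. The `services.postsrsd` block is complete within the hunk.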
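Review bot: `system.stateVersion = lib.mkIf hostConfig.containers."vpn".ephemeral config.system.nixos.release;` sets no stateVersion at all when the container is persistent, which is exactly the case where a pinned value matters — NixOS then warns and falls back to the running release, so state-dependent defaults can shift on every upgrade. Pin the non-ephemeral branch to a fixed string instead, e.g. `system.stateVersion = if hostConfig.containers."vpn".ephemeral then config.system.nixos.release else "<release the container was first deployed on>";`. Minor style point: `lib.mkIf` and bare `mkIf` are mixed on adjacent lines although the file has `with lib;`; pick one. The container's config function continues outside the hunk.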
@@ -306,32 +306,30 @@ in {
 pkgs.symlinkJoin {
 name = "installer-${system}";
 paths = [
- (let
- installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
+ (builtins.addErrorContext "while evaluating installer-${system}-nfsroot" (let
+ installerBuild' = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
 modules = [
 ({ ... }: {
 config.nfsroot.storeDevice = "${nfsIp}:nix-store";
 config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/installer-${system}/registration";
+ config.system.nixos.label = "installer-${system}";
 })
 ];
- }).config.system.build;
- in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} ''
+ });
+ installerBuild = installerBuild'.config.system.build;
+ in builtins.toPath (pkgs.runCommandLocal "installer-${system}" {} ''
 mkdir -p $out/installer-${system}
 install -m 0444 -t $out/installer-${system} \
 ${installerBuild.initialRamdisk}/initrd \
 ${installerBuild.kernel}/bzImage \
 ${installerBuild.netbootIpxeScript}/netboot.ipxe \
 ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
- ''))
- (pkgs.writeTextFile {
- name = "installer-${system}.menu.ipxe";
- destination = "/installer-${system}.menu.ipxe";
- text = ''
+ install -m 0444 ${pkgs.writeText "installer-${system}.menu.ipxe" ''
 #!ipxe
 :start
 menu iPXE boot menu for installer-${system}
- item installer installer-${system}
+ item installer ${with installerBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
 item memtest memtest86plus
 item netboot netboot.xyz
 item shell iPXE shell
@@ -353,8 +351,8 @@ in {
 :memtest
 iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
 goto start
- '';
- })
+ ''} $out/installer-${system}.menu.ipxe
+ '')))
 ];
 }) ["x86_64-linux"]
 ) ++ [
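Review bot: `item installer ${with installerBuild'; "${config.system.nixos.distroName} …"}` will not read the installer's configuration if `config` is already lexically bound in this file: Nix's `with` never shadows a name introduced by a function argument or `let`, so if this module takes `config` as an argument (not visible in the hunk, but likely for a file that also receives `flake` and ends its `let` in `in {`), every `config.…` here resolves to vidhar's own config and the menu would show the host's label and kernel version instead of the installer's. Use explicit attribute access instead of `with`: `item installer ${let c = installerBuild'.config; in "${c.system.nixos.distroName} ${c.system.nixos.codeName} ${c.system.nixos.label} (Linux ${c.boot.kernelPackages.kernel.modDirVersion})"}`. The `builtins.addErrorContext … (let … in builtins.toPath (…` expression this line sits in closes in the next hunk.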
@@ -366,15 +364,17 @@ in {
 install -m 0444 ${sources.netbootxyz-efi.src} $out/netboot.xyz.efi
 install -m 0444 ${sources.netbootxyz-lkrn.src} $out/netboot.xyz.lkrn
 '')
- (let
- eostreBuild = (flake.nixosConfigurations.eostre.extendModules {
+ (builtins.addErrorContext "while evaluating eostre" (let
+ eostreBuild' = (flake.nixosConfigurations.eostre.extendModules {
 modules = [
 ({ ... }: {
 config.nfsroot.storeDevice = "${nfsIp}:nix-store";
 config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/eostre/registration";
+ config.system.nixos.label = "eostre";
 })
 ];
- }).config.system.build;
+ });
+ eostreBuild = eostreBuild'.config.system.build;
 in builtins.toPath (pkgs.runCommandLocal "eostre" {} ''
 mkdir -p $out/eostre
 install -m 0444 -t $out/eostre \
@@ -382,43 +382,39 @@ in {
 ${eostreBuild.kernel}/bzImage \
 ${eostreBuild.netbootIpxeScript}/netboot.ipxe \
 ${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration
- ''))
- (pkgs.writeTextFile {
- name = "eostre.menu.ipxe";
- destination = "/eostre.menu.ipxe";
- text = ''
- #!ipxe
+ install -m 0444 ${pkgs.writeText "eostre.menu.ipxe" ''
+ #!ipxe
 
- set menu-timeout 5000
+ set menu-timeout 5000
 
- :start
- menu iPXE boot menu for eostre
- item eostre eostre
- item memtest memtest86plus
- item netboot netboot.xyz
- item shell iPXE shell
- choose --timeout ''${menu-timeout} --default eostre selected || goto shell
- set menu-timeout 0
- goto ''${selected}
+ :start
+ menu iPXE boot menu for eostre
+ item eostre ${with eostreBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
+ item memtest memtest86plus
+ item netboot netboot.xyz
+ item shell iPXE shell
+ choose --timeout ''${menu-timeout} --default eostre selected || goto shell
+ set menu-timeout 0
+ goto ''${selected}
 
- :shell
- set menu-timeout 0
- shell
- goto start
+ :shell
+ set menu-timeout 0
+ shell
+ goto start
 
- :eostre
- chain eostre/netboot.ipxe
- goto start
+ :eostre
+ chain eostre/netboot.ipxe
+ goto start
 
- :netboot
- iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn
- goto start
+ :netboot
+ iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn
+ goto start
 
- :memtest
- iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
- goto start
- '';
- })
+ :memtest
+ iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
+ goto start
+ ''} $out/eostre.menu.ipxe
+ '')))
 ];
 };
 };
-- 
cgit v1.2.3
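Review bot: `item eostre ${with eostreBuild'; "${config.system.nixos.distroName} …"}` has the same scoping hazard as the installer menu: `with` in Nix does not shadow lexically bound names, so if `config` is a module argument of this file (not visible in the hunk) the interpolation reads vidhar's own config rather than eostre's, and the `config.system.nixos.label = "eostre"` set in the previous hunk would never appear in the menu. Since the title expression is now copied verbatim between the two menus, define it once in the file's `let`, `menuTitle = cfg: "${cfg.system.nixos.distroName} ${cfg.system.nixos.codeName} ${cfg.system.nixos.label} (Linux ${cfg.boot.kernelPackages.kernel.modDirVersion})";`, and write `item eostre ${menuTitle eostreBuild'.config}` here and the matching line in the installer menu. The `builtins.addErrorContext "while evaluating eostre" (let …` that the `'')))` line closes is opened in the previous hunk.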