{ hostName, flake, config, pkgs, lib, ... }: { imports = with flake.nixosModules.systemProfiles; [ ./zfs.nix ./dsl.nix initrd-all-crypto-modules default-locale openssh rebuild-machines build-server initrd-ssh ]; config = { nixpkgs = { system = "x86_64-linux"; }; networking.hostId = "1e7ddd78"; environment.etc."machine-id".text = "1e7ddd784c525bba2a03d7c160c5da4e"; boot = { loader.grub = { enable = true; version = 2; device = "/dev/disk/by-id/ata-SuperMicro_SSD_SMC0515D95019BDF4083"; }; kernelPackages = pkgs.linuxPackages_latest; kernelModules = [ "kvm-intel" ]; kernelParams = [ "ip=10.141.0.1:::255.255.255.0::eno1:static" ]; tmpOnTmpfs = true; initrd = { supportedFilesystems = [ "zfs" ]; availableKernelModules = [ "ehci_pci" "ahci" "nvme" "isci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "drbg" "rtsx_pci_sdmmc" "libsas" "scsi_transport_sas" "e1000e" ]; kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ]; luks.devices = { nvm0.device = "/dev/disk/by-label/${hostName}-nvm0"; nvm1.device = "/dev/disk/by-label/${hostName}-nvm1"; hdd0.device = "/dev/disk/by-label/${hostName}-hdd0"; hdd1.device = "/dev/disk/by-label/${hostName}-hdd1"; hdd2.device = "/dev/disk/by-label/${hostName}-hdd2"; hdd3.device = "/dev/disk/by-label/${hostName}-hdd3"; hdd4.device = "/dev/disk/by-label/${hostName}-hdd4"; hdd5.device = "/dev/disk/by-label/${hostName}-hdd5"; }; network.flushBeforeStage2 = false; }; supportedFilesystems = [ "zfs" ]; zfs = { enableUnstable = true; }; }; fileSystems = { "/" = { fsType = "tmpfs"; options = [ "mode=0755" ]; }; }; networking = { hostName = "vidhar"; domain = "yggdrasil"; search = [ "yggdrasil" ]; useDHCP = false; useNetworkd = true; interfaces."eno1" = { ipv4.addresses = [ { address = "10.141.0.1"; prefixLength = 24; } ]; }; firewall.enable = false; nftables = { enable = true; rulesetFile = ./ruleset.nft; }; }; services.resolved = { llmnr = "false"; }; services.dhcpd4 = { enable = true; interfaces = [ "eno1" ]; extraConfig = '' subnet 10.141.0.0 netmask 255.255.255.0 { range 10.141.0.128 10.141.0.254; option domain-name-servers 10.141.0.1; option broadcast-address 10.141.0.255; option routers 10.141.0.1; option domain-name "yggdrasil"; } ''; machines = [ { ethernetAddress = "50:d4:f7:f3:0f:7e"; hostName = "gauss-ap01"; ipAddress = "10.141.0.64"; } ]; }; services.corerad = { enable = true; settings = { interfaces = [ { name = config.networking.pppInterface; monitor = true; verbose = true; } { name = "eno1"; advertise = true; verbose = true; prefix = [{ prefix = "::/64"; }]; route = [{ prefix = "::/0"; }]; rdnss = [{ servers = ["::"]; }]; dnssl = [{ domain_names = ["yggdrasil"]; }]; } ]; }; }; services.ndppd = { enable = true; proxies = { ${config.networking.pppInterface} = { router = true; rules.lan = { method = "iface"; interface = "eno1"; network = "::/0"; }; }; }; }; boot.kernel.sysctl = { "net.ipv6.conf.all.forwarding" = true; "net.ipv6.conf.default.forwarding" = true; "net.ipv4.conf.all.forwarding" = true; "net.ipv4.conf.default.forwarding" = true; "net.core.rmem_max" = "4194304"; "net.core.wmem_max" = "4194304"; }; systemd.network.networks = { "eno2" = { matchConfig.Name = "eno2"; networkConfig.LinkLocalAddressing = "no"; }; "telekom" = { matchConfig.Name = "telekom"; networkConfig.LinkLocalAddressing = "no"; }; }; systemd.services."pppd-telekom" = { bindsTo = [ "sys-subsystem-net-devices-telekom.device" ]; after = [ "sys-subsystem-net-devices-telekom.device" ]; }; systemd.services."dhcpcd-telekom" = { wantedBy = [ "multi-user.target" "network-online.target" ]; bindsTo = [ "pppd-telekom.service" ]; after = [ "pppd-telekom.service" ]; wants = [ "network.target" ]; before = [ "network-online.target" ]; path = with pkgs; [ dhcpcd nettools openresolv ]; unitConfig.ConditionCapability = "CAP_NET_ADMIN"; stopIfChanged = false; serviceConfig = let dhcpcdConf = pkgs.writeText "dhcpcd.conf" '' duid vendorclassid ipv6only nooption domain_name_servers, domain_name, domain_search option classless_static_routes option interface_mtu option host_name option rapid_commit require dhcp_server_identifier slaac private noipv6rs # disable routing solicitation nohook resolv.conf allowinterfaces dsl interface dsl ipv6ra_autoconf iaid 1195061668 ipv6rs # enable routing solicitation for WAN adapter ia_pd 1 eno1/0/64/0 # request a PD and assign it to the LAN waitip 6 ''; in { Type = "forking"; PIDFile = "/run/dhcpcd/pid"; RuntimeDirectory = "dhcpcd"; ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf}"; ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind"; Restart = "always"; }; }; users.users.dhcpcd = { isSystemUser = true; group = "dhcpcd"; }; users.groups.dhcpcd = {}; services.timesyncd.enable = false; services.chrony = { enable = true; servers = []; extraConfig = '' pool time.cloudflare.com iburst nts pool nts.ntp.se iburst nts server nts.sth1.ntp.se iburst nts server nts.sth2.ntp.se iburst nts server ptbtime1.ptb.de iburst nts server ptbtime2.ptb.de iburst nts server ptbtime3.ptb.de iburst nts leapsectz right/UTC makestep 0.1 3 cmdport 0 ''; }; services.openssh = { enable = true; passwordAuthentication = false; challengeResponseAuthentication = false; extraConfig = '' AllowGroups ssh ''; }; users.groups."ssh" = { members = ["root"]; }; security.sudo.extraConfig = '' Defaults lecture = never ''; nix = { daemonCPUSchedPolicy = "batch"; daemonIOSchedClass = "idle"; gc = { automatic = true; options = "--delete-older-than 30d"; }; }; powerManagement = { enable = true; cpuFreqGovernor = "schedutil"; }; services.unbound = { enable = true; resolveLocalQueries = false; stateDir = "/var/lib/unbound"; settings = { server = { interface = ["127.0.0.1" "10.141.0.1" "::0"]; access-control = ["0.0.0.0/0 allow" "::/0 allow"]; root-hints = "${pkgs.dns-root-data}/root.hints"; num-threads = 12; so-reuseport = true; msg-cache-slabs = 16; rrset-cache-slabs = 16; infra-cache-slabs = 16; key-cache-slabs = 16; rrset-cache-size = "100m"; msg-cache-size = "50m"; outgoing-range = 8192; num-queries-per-thread = 4096; so-rcvbuf = "4m"; so-sndbuf = "4m"; cache-max-ttl = 3600; }; }; }; }; }