{ hostName, flake, config, pkgs, lib, ... }:
let
  # LUKS containers opened in stage 1.  Each is located by the partition
  # label "<hostName>-<name>", so the host name is part of the disk layout
  # contract: renaming the host changes which devices the initrd unlocks.
  luksNames = [ "nvm0" "nvm1" "hdd0" "hdd1" "hdd2" "hdd3" "hdd4" "hdd5" ];

  # Name of the IPv6 uplink interface.  It is read from `config`, i.e. it is
  # defined by another module (presumably ./dsl.nix); this file only uses it.
  wan = config.networking.pppInterface;

  # dhcpcd configuration for the uplink.  Only IPv6 is handled (prefix
  # delegation handed to eno1); `nohook resolv.conf` keeps the lease from
  # rewriting this host's resolver settings and `allowinterfaces dsl`
  # restricts the daemon to that one interface.
  dhcpcdConf = pkgs.writeText "dhcpcd.conf" ''
    duid
    vendorclassid
    ipv6only
    nooption domain_name_servers, domain_name, domain_search
    option classless_static_routes
    option interface_mtu
    option host_name
    option rapid_commit
    require dhcp_server_identifier
    slaac private
    noipv6rs # disable routing solicitation
    nohook resolv.conf
    allowinterfaces dsl
    interface dsl
    ipv6ra_autoconf
    iaid 1195061668
    ipv6rs # enable routing solicitation for WAN adapter
    ia_pd 1 eno1/0/64/0 # request a PD and assign it to the LAN
    waitip 6
  '';
in
{
  imports =
    [ ./zfs.nix ./dsl.nix ]
    ++ (with flake.nixosModules.systemProfiles; [
      initrd-all-crypto-modules
      default-locale
      openssh
      rebuild-machines
      build-server
      initrd-ssh
    ]);

  config = {
    nixpkgs.system = "x86_64-linux";

    # "/" is a tmpfs (see fileSystems), so anything generated at boot is lost
    # on reboot; the machine id is therefore pinned here instead.
    environment.etc."machine-id".text = "1e7ddd784c525bba2a03d7c160c5da4e";

    fileSystems."/" = {
      fsType = "tmpfs";
      options = [ "mode=0755" ];
    };

    boot = {
      loader.grub = {
        enable = true;
        version = 2;
        device = "/dev/disk/by-id/ata-SuperMicro_SSD_SMC0515D95019BDF4083";
      };
      kernelPackages = pkgs.linuxPackages_latest;
      kernelModules = [ "kvm-intel" ];
      # Static IPv4 on eno1 already in stage 1 (presumably so the initrd-ssh
      # profile is reachable while the LUKS containers are still locked).
      kernelParams = [ "ip=10.141.0.1:::255.255.255.0::eno1:static" ];
      tmpOnTmpfs = true;
      supportedFilesystems = [ "zfs" ];
      zfs.enableUnstable = true;

      initrd = {
        supportedFilesystems = [ "zfs" ];
        availableKernelModules = [
          "ehci_pci" "ahci" "nvme" "isci" "xhci_pci" "usb_storage" "usbhid"
          "sd_mod" "sr_mod" "drbg" "rtsx_pci_sdmmc" "libsas"
          "scsi_transport_sas" "e1000e"
        ];
        kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ];
        # One entry per container, all resolved by partition label.
        luks.devices = builtins.listToAttrs (map (name: {
          inherit name;
          value.device = "/dev/disk/by-label/${hostName}-${name}";
        }) luksNames);
        # Keep the stage-1 network configuration instead of tearing it down
        # before stage 2 takes over.
        network.flushBeforeStage2 = false;
      };

      kernel.sysctl = {
        # This host routes between the LAN, the mgmt VLAN and the uplink.
        "net.ipv6.conf.all.forwarding" = true;
        "net.ipv6.conf.default.forwarding" = true;
        "net.ipv4.conf.all.forwarding" = true;
        "net.ipv4.conf.default.forwarding" = true;
        "net.core.rmem_max" = "4194304";
        "net.core.wmem_max" = "4194304";
      };
    };

    networking = {
      hostName = "vidhar";
      # Must stay stable for the ZFS pools to import.
      hostId = "1e7ddd78";
      domain = "yggdrasil";
      search = [ "yggdrasil" ];
      useDHCP = false;
      useNetworkd = true;
      interfaces = {
        eno1.ipv4.addresses = [ { address = "10.141.0.1"; prefixLength = 24; } ];
        mgmt.ipv4.addresses = [ { address = "10.141.1.1"; prefixLength = 24; } ];
      };
      vlans.mgmt = { id = 2; interface = "eno2"; };
      # The NixOS firewall module is replaced by the hand-written ruleset in
      # ./ruleset.nft.  The listen-on-everything choices below (unbound on
      # "::0" with allow-all access control, samba) rely on that file to keep
      # the services off the uplink, so review the two together.
      firewall.enable = false;
      nftables = {
        enable = true;
        rulesetFile = ./ruleset.nft;
      };
    };

    systemd = {
      network.networks = {
        # The VLAN trunk and the interface pppd runs on get no address of
        # their own, not even link-local.
        eno2 = {
          matchConfig.Name = "eno2";
          networkConfig.LinkLocalAddressing = "no";
        };
        telekom = {
          matchConfig.Name = "telekom";
          networkConfig.LinkLocalAddressing = "no";
        };
      };

      services = {
        "pppd-telekom" = {
          bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];
          after = [ "sys-subsystem-net-devices-telekom.device" ];
        };

        # Runs dhcpcd only for IPv6 prefix delegation on top of pppd.
        "dhcpcd-telekom" = {
          wantedBy = [ "multi-user.target" "network-online.target" ];
          bindsTo = [ "pppd-telekom.service" ];
          after = [ "pppd-telekom.service" ];
          wants = [ "network.target" ];
          before = [ "network-online.target" ];
          path = [ pkgs.dhcpcd pkgs.nettools pkgs.openresolv ];
          # Only start where the service manager holds CAP_NET_ADMIN.
          unitConfig.ConditionCapability = "CAP_NET_ADMIN";
          # Keep the delegated prefix across rebuilds instead of restarting.
          stopIfChanged = false;
          serviceConfig = {
            Type = "forking";
            PIDFile = "/run/dhcpcd/pid";
            RuntimeDirectory = "dhcpcd";
            # The leading "@" makes systemd use the following word ("dhcpcd")
            # as argv[0].
            ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf}";
            ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind";
            Restart = "always";
          };
        };
      };
    };

    users = {
      users.dhcpcd = {
        isSystemUser = true;
        group = "dhcpcd";
      };
      groups = {
        dhcpcd = { };
        # Gate for sshd's AllowGroups (see services.openssh); root is the
        # only member.
        ssh.members = [ "root" ];
      };
    };

    security.sudo.extraConfig = ''
      Defaults lecture = never
    '';

    nix = {
      daemonCPUSchedPolicy = "batch";
      daemonIOSchedClass = "idle";
      gc = {
        automatic = true;
        options = "--delete-older-than 30d";
      };
    };

    powerManagement = {
      enable = true;
      cpuFreqGovernor = "schedutil";
    };

    services = {
      resolved.llmnr = "false";
      # chrony replaces timesyncd below.
      timesyncd.enable = false;

      # IPv4 leases on the LAN and the mgmt VLAN; the LAN pool points clients
      # at this host for DNS and routing.
      dhcpd4 = {
        enable = true;
        interfaces = [ "eno1" "mgmt" ];
        extraConfig = ''
          subnet 10.141.0.0 netmask 255.255.255.0 {
            range 10.141.0.128 10.141.0.254;
            option domain-name-servers 10.141.0.1;
            option broadcast-address 10.141.0.255;
            option routers 10.141.0.1;
            option domain-name "yggdrasil";
          }
          subnet 10.141.1.0 netmask 255.255.255.0 {
            range 10.141.1.128 10.141.1.254;
          }
        '';
        machines = [
          { ethernetAddress = "50:d4:f7:f3:0f:7e"; hostName = "gauss-ap01"; ipAddress = "10.141.0.64"; }
          { ethernetAddress = "60:a4:b7:53:94:b5"; hostName = "switch01"; ipAddress = "10.141.1.2"; }
        ];
      };

      # Router advertisements: the uplink is only monitored, eno1 gets the
      # delegated prefix with this host as default route and resolver.
      corerad = {
        enable = true;
        settings.interfaces = [
          { name = wan; monitor = true; verbose = true; }
          {
            name = "eno1";
            advertise = true;
            verbose = true;
            prefix = [ { prefix = "::/64"; } ];
            route = [ { prefix = "::/0"; } ];
            rdnss = [ { servers = [ "::" ]; } ];
            dnssl = [ { domain_names = [ "yggdrasil" ]; } ];
          }
        ];
      };

      # NDP proxying from the uplink towards eno1 for every address.
      ndppd = {
        enable = true;
        proxies.${wan} = {
          router = true;
          rules.lan = {
            method = "iface";
            interface = "eno1";
            network = "::/0";
          };
        };
      };

      # NTS-authenticated upstreams; time is served only to the mgmt subnet
      # (`allow`), even when unsynchronised (`local`), and the remote
      # command port is disabled (`cmdport 0`).
      chrony = {
        enable = true;
        servers = [ ];
        extraConfig = ''
          allow 10.141.1.0/24
          local

          pool time.cloudflare.com iburst nts
          pool nts.ntp.se iburst nts
          server nts.sth1.ntp.se iburst nts
          server nts.sth2.ntp.se iburst nts
          server ptbtime1.ptb.de iburst nts
          server ptbtime2.ptb.de iburst nts
          server ptbtime3.ptb.de iburst nts

          leapsectz right/UTC
          makestep 0.1 3
          cmdport 0
        '';
      };

      # Key-based logins only, limited to members of the "ssh" group.
      openssh = {
        enable = true;
        passwordAuthentication = false;
        challengeResponseAuthentication = false;
        extraConfig = ''
          AllowGroups ssh
        '';
      };

      # Recursive resolver for the LAN.  "::0" binds every IPv6 address,
      # including any on the uplink, and access-control admits all clients,
      # so reachability from outside is decided solely by ./ruleset.nft.
      unbound = {
        enable = true;
        resolveLocalQueries = false;
        stateDir = "/var/lib/unbound";
        localControlSocketPath = "/run/unbound/unbound.ctl";
        settings.server = {
          interface = [ "127.0.0.1" "10.141.0.1" "::0" ];
          access-control = [ "0.0.0.0/0 allow" "::/0 allow" ];
          root-hints = "${pkgs.dns-root-data}/root.hints";
          num-threads = 12;
          so-reuseport = true;
          msg-cache-slabs = 16;
          rrset-cache-slabs = 16;
          infra-cache-slabs = 16;
          key-cache-slabs = 16;
          rrset-cache-size = "100m";
          msg-cache-size = "50m";
          outgoing-range = 8192;
          num-queries-per-thread = 4096;
          so-rcvbuf = "4m";
          so-sndbuf = "4m";
          # Stale answers may be served for up to a day while refreshing.
          serve-expired = true;
          serve-expired-ttl = 86400;
          serve-expired-reply-ttl = 0;
          prefetch = true;
          prefetch-key = true;
          minimal-responses = false;
          extended-statistics = true;
          rrset-roundrobin = true;
          # 0x20 query-name case randomisation against spoofed replies.
          use-caps-for-id = true;
        };
      };

      # Per-user home shares, each visible only to its owner, with ZFS
      # snapshots exposed as "Previous Versions" through shadow_copy2.
      samba = {
        enable = true;
        securityType = "user";
        extraConfig = ''
          workgroup = WORKGROUP
        '';
        shares.homes = {
          path = "/home/%S";
          browseable = "no";
          "valid users" = "%S";
          "read only" = "no";
          "create mask" = "0700";
          "directory mask" = "0700";
          "vfs objects" = "shadow_copy2";
          "shadow:snapdir" = ".zfs/snapshot";
          "shadow:sort" = "desc";
          "shadow: format" = "-%Y-%m-%d-%Hh%MU";
          # NOTE(review): Nix drops the backslash in "\(" and "\{", so smb.conf
          # receives plain "(" and "{" (extended-regex form); confirm that is
          # the flavour vfs_shadow_copy2 expects before touching this value.
          "shadow: snapprefix" = "^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}";
          "shadow: delimiter" = "-20";
        };
      };

      samba-wsdd = {
        enable = true;
        workgroup = "WORKGROUP";
      };
    };
  };
}