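{ hostName, flake, config, pkgs, lib, ... }:

# NixOS host "vidhar": a home router / build server with a PPPoE uplink
# ("dsl", from ./dsl.nix) and a LAN on eno1. Root is an ephemeral tmpfs,
# storage is ZFS on LUKS volumes that are unlocked from an initrd reachable
# over SSH (initrd-ssh profile). The hardware bits (disk id, module list,
# labels) are specific to this machine; the networking section holds the
# security-relevant decisions.
{
  imports = with flake.nixosModules.systemProfiles; [
    ./zfs.nix
    ./dsl.nix
    initrd-all-crypto-modules
    default-locale
    openssh
    rebuild-machines
    build-server
    initrd-ssh
  ];

  config = {
    nixpkgs = {
      system = "x86_64-linux";
    };

    # ZFS records the hostId in the pool to detect imports from a foreign
    # host, so this must stay what the pool was created with. It is the first
    # eight hex digits of the pinned machine-id below.
    networking.hostId = "1e7ddd78";

    # Root is a tmpfs (see fileSystems), so /etc/machine-id would otherwise be
    # regenerated every boot; pinning it keeps journal and DUID identity
    # stable. NOTE(review): machine-id(5) says this value should be treated as
    # confidential and not exposed on the network; if this flake is published,
    # decide whether that matters for this host.
    environment.etc."machine-id".text = "1e7ddd784c525bba2a03d7c160c5da4e";

    boot = {
      loader.grub = {
        enable = true;
        version = 2;
        device = "/dev/disk/by-id/ata-SuperMicro_SSD_SMC0515D95019BDF4083";
      };

      kernelPackages = pkgs.linuxPackages_latest;
      kernelModules = [ "kvm-intel" ];

      # Static address for the initrd so the initrd-ssh profile can be reached
      # for remote LUKS unlock; flushBeforeStage2 = false (below) keeps it in
      # place, and networkd configures the same address on eno1 in stage 2.
      kernelParams = [ "ip=10.141.0.1:::255.255.255.0::eno1:static" ];

      tmpOnTmpfs = true;

      initrd = {
        supportedFilesystems = [ "zfs" ];
        availableKernelModules = [
          "ehci_pci" "ahci" "nvme" "isci" "xhci_pci" "usb_storage" "usbhid"
          "sd_mod" "sr_mod" "drbg" "rtsx_pci_sdmmc" "libsas"
          "scsi_transport_sas" "e1000e"
        ];
        # dm-integrity next to dm-raid/thin: presumably the LUKS volumes were
        # created with --integrity — keep these if so, or unlock fails early.
        kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ];

        # One LUKS mapping per labelled device, "<host>-<name>". Labels are
        # resolved by udev at boot, so they must be unique among all attached
        # disks (a stray disk with the same label wins the race).
        luks.devices = lib.genAttrs
          [ "nvm0" "nvm1" "hdd0" "hdd1" "hdd2" "hdd3" "hdd4" "hdd5" ]
          (name: { device = "/dev/disk/by-label/${hostName}-${name}"; });

        network.flushBeforeStage2 = false;
      };

      supportedFilesystems = [ "zfs" ];
      # Unstable ZFS is presumably needed to build against linuxPackages_latest;
      # both move quickly, so a kernel bump can still break the pair — check
      # before rebooting a remote box that needs this to unlock.
      zfs = {
        enableUnstable = true;
      };
    };

    fileSystems = {
      # Ephemeral root: nothing outside the ZFS datasets (./zfs.nix) survives a
      # reboot. mode=0755 keeps / from being world-writable.
      "/" = {
        fsType = "tmpfs";
        options = [ "mode=0755" ];
      };
    };

    networking = {
      hostName = "vidhar";
      domain = "yggdrasil";
      search = [ "yggdrasil" ];
      useDHCP = false;
      useNetworkd = true;

      interfaces."eno1" = {
        ipv4.addresses = [
          { address = "10.141.0.1"; prefixLength = 24; }
        ];
      };

      firewall = let
        # Tear down the chains this host adds next to the NixOS-managed
        # nixos-fw chains. Every step is best-effort so the sequence is
        # idempotent whether or not a chain currently exists. Used both before
        # (re)creating the chains and when the firewall unit stops, so a stop
        # does not leave jumps to chains NixOS has already flushed.
        teardown = ''
          ip46tables -D FORWARD -j nixos-fw-forward || true
          ip46tables -F nixos-fw-forward || true
          ip46tables -X nixos-fw-forward || true
          ip46tables -t nat -D POSTROUTING -j nixos-fw-postrouting-nat || true
          ip46tables -t nat -F nixos-fw-postrouting-nat || true
          ip46tables -t nat -X nixos-fw-postrouting-nat || true
          ip46tables -t mangle -D POSTROUTING -j nixos-fw-postrouting-mangle || true
          ip46tables -t mangle -F nixos-fw-postrouting-mangle || true
          ip46tables -t mangle -X nixos-fw-postrouting-mangle || true
        '';
      in {
        enable = true;
        allowPing = true;

        # NOTE(review): these ports are opened on every interface, including
        # the "dsl" uplink. Key-only root SSH (see services.openssh) and
        # WireGuard are presumably meant to be reachable from outside; if SSH
        # and mosh are only needed from the LAN, move them under
        # networking.firewall.interfaces.eno1 instead.
        allowedTCPPorts = [
          22 # ssh
        ];
        allowedUDPPorts = [
          51820 # wireguard
        ];
        allowedUDPPortRanges = [
          { from = 60000; to = 61000; } # mosh
        ];

        extraCommands = teardown + ''
          # FORWARD policy: the LAN may go anywhere; from the uplink only
          # replies to existing flows and (filtered) ICMPv6 get through;
          # everything else is logged and refused via the NixOS chain.
          ip46tables -N nixos-fw-forward
          ip46tables -A nixos-fw-forward -i eno1 -j ACCEPT
          ip46tables -A nixos-fw-forward -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
          # ICMPv6 that should not transit a site boundary (RFC 4890):
          # redirect (137), router renumbering (138), node information
          # query/response (139/140). Errors, echo and PMTUD stay allowed.
          ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type redirect -j nixos-fw-log-refuse
          ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type 138 -j nixos-fw-log-refuse
          ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type 139 -j nixos-fw-log-refuse
          ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type 140 -j nixos-fw-log-refuse
          ip6tables -A nixos-fw-forward -p icmpv6 -j ACCEPT
          ip46tables -A nixos-fw-forward -j nixos-fw-log-refuse
          ip46tables -A FORWARD -j nixos-fw-forward

          # IPv4 is NATed onto the uplink; IPv6 is routed from the delegated
          # prefix, so only iptables gets a MASQUERADE rule.
          ip46tables -t nat -N nixos-fw-postrouting-nat
          iptables -t nat -A nixos-fw-postrouting-nat -o dsl -j MASQUERADE
          ip46tables -t nat -A POSTROUTING -j nixos-fw-postrouting-nat

          # PPPoE shrinks the MTU; clamp the TCP MSS on the uplink so LAN
          # connections do not stall on PMTU blackholes.
          ip46tables -t mangle -N nixos-fw-postrouting-mangle
          ip46tables -t mangle -A nixos-fw-postrouting-mangle -o dsl -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
          ip46tables -t mangle -A POSTROUTING -j nixos-fw-postrouting-mangle
        '';
        extraStopCommands = teardown;
      };
    };

    # DHCPv4 for the LAN. Clients are handed the Cloudflare resolvers directly
    # (plain DNS over the uplink, not a local resolver). The domain-name here
    # ("asgard.yggdrasil") differs from networking.domain — presumably the LAN
    # is a subdomain; confirm.
    services.dhcpd4 = {
      enable = true;
      interfaces = [ "eno1" ];
      extraConfig = ''
        subnet 10.141.0.0 netmask 255.255.255.0 {
          range 10.141.0.128 10.141.0.254;
          option domain-name-servers 1.1.1.1, 1.0.0.1;
          option broadcast-address 10.141.0.255;
          option routers 10.141.0.1;
          option domain-name "asgard.yggdrasil";
        }
      '';
    };

    # IPv6 router advertisements on the LAN: the prefix is taken from the
    # delegated one dhcpcd assigns to eno1 (prefix "::/64"), default route via
    # this host. The uplink is only monitored. networking.pppInterface is not
    # a stock option — presumably defined by ./dsl.nix.
    services.corerad = {
      enable = true;
      settings = {
        interfaces = [
          {
            name = config.networking.pppInterface;
            monitor = true;
            verbose = true;
          }
          {
            name = "eno1";
            advertise = true;
            verbose = true;
            prefix = [{ prefix = "::/64"; }];
            route = [{ prefix = "::/0"; }];
          }
        ];
      };
    };

    # Act as a router for both address families. With IPv6 forwarding on, the
    # kernel stops accepting router advertisements itself, which is presumably
    # why dhcpcd below does router solicitation on the uplink in userspace.
    boot.kernel.sysctl = {
      "net.ipv6.conf.all.forwarding" = true;
      "net.ipv6.conf.default.forwarding" = true;
      "net.ipv4.conf.all.forwarding" = true;
      "net.ipv4.conf.default.forwarding" = true;
    };

    # No link-local addressing on the PPPoE carrier units (presumably defined
    # in ./dsl.nix) — the global addressing lives on the ppp interface.
    systemd.network.networks = {
      "eno2".networkConfig.LinkLocalAddressing = "no";
      "telekom".networkConfig.LinkLocalAddressing = "no";
    };

    # dhcpcd on the PPPoE interface, IPv6 only: requests a global address
    # (ia_na) and a prefix delegation that is assigned to eno1 (ia_pd). Bound
    # to pppd-telekom so it follows the link; the kernel-sourced DNS/domain
    # options are ignored (nooption ...).
    systemd.services."dhcpcd-telekom" = {
      wantedBy = [ "multi-user.target" "network-online.target" ];
      bindsTo = [ "pppd-telekom.service" ];
      after = [ "pppd-telekom.service" ];
      wants = [ "network.target" ];
      before = [ "network-online.target" ];
      path = with pkgs; [ dhcpcd nettools openresolv ];
      # ConditionCapability only gates whether the unit starts; the service
      # itself runs as root without systemd sandboxing. NOTE(review): this
      # presumably relies on dhcpcd's own privilege separation — verify the
      # packaged build has it enabled before adding systemd hardening, which
      # can interfere with it.
      unitConfig.ConditionCapability = "CAP_NET_ADMIN";
      stopIfChanged = false;
      serviceConfig = let
        dhcpcdConf = pkgs.writeText "dhcpcd.conf" ''
          duid
          vendorclassid
          ipv6only
          nooption domain_name_servers, domain_name, domain_search
          option classless_static_routes
          option interface_mtu
          option host_name
          option rapid_commit
          require dhcp_server_identifier
          slaac private
          noipv6rs # disable routing solicitation
          allowinterfaces dsl
          interface dsl
          ipv6rs # enable routing solicitation for WAN adapter
          ia_na 1 # request an IPv6 address
          ia_pd 1 eno1/0 # request a PD and assign it to the LAN
          waitip 6
        '';
      in {
        Type = "forking";
        PIDFile = "/run/dhcpcd.pid";
        ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd --config ${dhcpcdConf}";
        ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind";
        Restart = "always";
      };
    };

    # Time: chrony with NTS on every source, so time is authenticated rather
    # than taken on trust from the network; timesyncd is off so only one
    # client runs. cmdport 0 closes chronyc's UDP command port.
    services.timesyncd.enable = false;
    services.chrony = {
      enable = true;
      servers = [];
      extraConfig = ''
        pool time.cloudflare.com iburst nts
        pool nts.ntp.se iburst nts
        server nts.sth1.ntp.se iburst nts
        server nts.sth2.ntp.se iburst nts
        server ptbtime1.ptb.de iburst nts
        server ptbtime2.ptb.de iburst nts
        server ptbtime3.ptb.de iburst nts
        makestep 0.1 3
        cmdport 0
      '';
    };

    # Key-only SSH, restricted to members of the "ssh" group (currently only
    # root). PermitRootLogin is left at the module default — confirm neither
    # it nor the imported openssh profile allows password root login. Remember
    # the port is reachable on the uplink as well (see networking.firewall).
    services.openssh = {
      enable = true;
      passwordAuthentication = false;
      challengeResponseAuthentication = false;
      extraConfig = ''
        AllowGroups ssh
      '';
    };
    users.groups."ssh" = {
      members = ["root"];
    };

    security.sudo.extraConfig = ''
      Defaults lecture = never
    '';

    nix.gc = {
      automatic = true;
      options = "--delete-older-than 30d";
    };

    powerManagement = {
      enable = true;
      cpuFreqGovernor = "schedutil";
    };
  };
}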