new home-hypervisor

This commit is contained in:
Dmitriy Kholkin 2024-11-18 03:14:13 +03:00
parent a392b7383e
commit 6576e43d82
Signed by: AtaraxiaDev
GPG Key ID: FD266B810DF48DF2
12 changed files with 613 additions and 400 deletions


@ -1,21 +0,0 @@
{ ... }: {
autoinstall."Home-Hypervisor" = {
debug = false;
mainuser = "ataraxia";
flakesPath = "/home/nixos/nixos-config";
encryption.encryptBoot = true;
encryption.encryptRoot = true;
encryption.passwordFile = "/home/nixos/pass";
encryption.argonIterTime = "4000";
partitioning.useEntireDisk = true;
partitioning.disk = "/dev/disk/by-id/ata-Samsung_SSD_870_EVO_500GB_S5Y1NJ1R160554B";
partitioning.nullifyDisk = false;
swapPartition.enable = true;
swapPartition.size = "8GiB";
zfsOpts.ashift = 13;
zfsOpts.bootPoolReservation = "256M";
zfsOpts.rootPoolReservation = "25G";
persist.enable = true;
oldUefi = true;
};
}


@ -1,43 +1,57 @@
{ config, pkgs, lib, ... }:
{ inputs, config, pkgs, lib, ... }:
let
zfs_arc_max = toString (3 * 1024 * 1024 * 1024);
in {
# CachyOS kernel
imports = [ inputs.chaotic.nixosModules.default ];
boot = {
zfs.forceImportAll = lib.mkForce false;
loader.efi.canTouchEfiVariables = false;
loader.efi.efiSysMountPoint = "/efi";
loader.generationsDir.copyKernels = true;
loader.grub = {
enable = true;
device = "nodev";
efiSupport = true;
enableCryptodisk = true;
zfsSupport = true;
efiInstallAsRemovable = true;
copyKernels = true;
};
# zfs.package = pkgs.zfs_cachyos;
# kernelPackages = pkgs.linuxPackages_cachyos-hardened;
# kernelPackages = pkgs.linuxPackages_cachyos-server;
# kernelPackages = pkgs.linuxPackages_hardened;
# kernelPackages = pkgs.linuxPackages;
# kernelPackages = pkgs.linuxPackages_xanmod;
initrd = {
luks.devices = {
"cryptboot" = {
preLVM = true;
keyFile = "/keyfile0.bin";
allowDiscards = true;
bypassWorkqueues = config.deviceSpecific.isSSD;
fallbackToPassword = true;
};
# "cryptboot" = {
# allowDiscards = true;
# bypassWorkqueues = config.deviceSpecific.isSSD;
# keyFile = "/keyfile0.bin";
# };
"cryptroot" = {
preLVM = true;
keyFile = "/keyfile0.bin";
allowDiscards = true;
bypassWorkqueues = config.deviceSpecific.isSSD;
fallbackToPassword = true;
keyFile = "/keyfile0.bin";
};
"crypt-nas" = {
device = "/dev/disk/by-id/ata-ST4000NM0035-1V4107_ZC1A7CWN";
keyFile = "/nas_keyfile0.bin";
};
};
secrets = {
"keyfile0.bin" = "/etc/secrets/keyfile0.bin";
"nas_keyfile0.bin" = "/etc/secrets/nas_keyfile0.bin";
};
supportedFilesystems = [ "zfs" ];
systemd.enable = true;
};
loader = {
efi.canTouchEfiVariables = false;
efi.efiSysMountPoint = "/efi";
generationsDir.copyKernels = true;
grub = {
enable = true;
enableCryptodisk = true;
device = "nodev";
copyKernels = true;
efiInstallAsRemovable = true;
efiSupport = true;
zfsSupport = true;
useOSProber = false;
};
};
kernelPackages = pkgs.linuxPackages_hardened;
kernelModules = [ "tcp_bbr" "veth" ];
kernelParams = [
"zfs.zfs_arc_max=${zfs_arc_max}"
@ -60,9 +74,31 @@ in {
"vm.dirty_ratio" = 40;
"vm.page-cluster" = 0;
"vm.overcommit_memory" = lib.mkForce 1;
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "fq";
};
zfs.extraPools = [ "bpool" "rpool" "nas-pool" ];
};
networking.hostId = "a9408846";
# Impermanence
persist = {
enable = true;
cache.clean.enable = true;
};
fileSystems."/home".neededForBoot = true;
fileSystems."/persist".neededForBoot = true;
# boot.initrd.systemd.services.rollback = {
# description = "Rollback zfs to a pristine state on boot";
# wantedBy = [ "initrd.target" ];
# after = [ "zfs-import-rpool.service" ];
# before = [ "sysroot.mount" ];
# path = [ config.boot.zfs.package ];
# unitConfig.DefaultDependencies = "no";
# serviceConfig.Type = "oneshot";
# script = ''
# zfs rollback -r rpool/nixos/root@empty && echo " >>> rollback root <<<"
# zfs rollback -r rpool/user/home@empty && echo " >>> rollback home <<<"
# '';
# };
}
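Review bot: On the new side `cryptroot` still unlocks with `keyFile = "/keyfile0.bin"`, which `secrets` copies from `/etc/secrets/keyfile0.bin` into the initrd, while the `cryptboot` device that used to keep that initrd on an encrypted /boot is now commented out and the new disk-config.nix in this commit creates `bpool` as a plain, unencrypted ZFS partition. The LUKS key for the root pool therefore sits in cleartext inside the initrd on the unencrypted boot pool, so the disk encryption protects nothing against anyone holding the disk. Either drop `keyFile` from `cryptroot` and let systemd-cryptsetup prompt for the passphrase (swap is already random-key), or keep the boot pool inside LUKS as before; `enableCryptodisk = true` under `loader.grub` is also pointless once nothing on /boot is encrypted. The `crypt-nas` entry inherits the same exposure through `nas_keyfile0.bin`. This is inferred from disk-config.nix; if bpool is encrypted by something outside this commit the point does not apply.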


@ -2,54 +2,61 @@
let persistRoot = config.autoinstall.persist.persistRoot or "/persist";
in {
imports = with inputs.self; [
inputs.disko.nixosModules.disko
inputs.srvos.nixosModules.server
inputs.srvos.nixosModules.mixins-terminfo
./disk-config.nix
./backups.nix
./boot.nix
./hardware-configuration.nix
./usb-hdd.nix
./networking.nix
./virtualisation.nix
customProfiles.hardened
customRoles.hypervisor
customProfiles.tg-bot
./nginx.nix
# customProfiles.tg-bot
customProfiles.acme
customProfiles.attic
customProfiles.atticd
customProfiles.authentik
customProfiles.battery-historian
customProfiles.coturn
customProfiles.fail2ban
# customProfiles.attic
# customProfiles.atticd
# customProfiles.authentik
# customProfiles.battery-historian
# customProfiles.coturn
# customProfiles.fail2ban
customProfiles.gitea
customProfiles.homepage
customProfiles.hoyolab
customProfiles.inpx-web
customProfiles.it-tools
# customProfiles.homepage
# customProfiles.hoyolab
# customProfiles.inpx-web
# customProfiles.it-tools
customProfiles.media-stack
customProfiles.metrics
customProfiles.minio
customProfiles.netbird-server
customProfiles.nginx
customProfiles.ocis
customProfiles.onlyoffice
customProfiles.openbooks
customProfiles.outline
customProfiles.radicale
customProfiles.spdf
customProfiles.synapse
# customProfiles.metrics
# customProfiles.minio
# customProfiles.netbird-server
# customProfiles.nginx
# customProfiles.ocis
# customProfiles.onlyoffice
# customProfiles.openbooks
# customProfiles.outline
# customProfiles.radicale
# customProfiles.spdf
# customProfiles.synapse
customProfiles.tinyproxy
customProfiles.vault
customProfiles.vaultwarden
customProfiles.webhooks
customProfiles.wiki
customProfiles.yandex-db
# customProfiles.vault
# customProfiles.vaultwarden
# customProfiles.webhooks
# customProfiles.wiki
# customProfiles.yandex-db
(import customProfiles.blocky {
inherit (import ./dns-mapping.nix) dnsmasq-list;
})
# (import customProfiles.blocky {
# inherit (import ./dns-mapping.nix) dnsmasq-list;
# })
(import customProfiles.headscale {
inherit (import ./dns-mapping.nix) headscale-list;
})
# (import customProfiles.headscale {
# inherit (import ./dns-mapping.nix) headscale-list;
# })
];
security.lockKernelModules = lib.mkForce false;
@ -57,25 +64,25 @@ in {
cpu.vendor = "intel";
drive.type = "ssd";
gpu.vendor = "other";
ram = 12;
ram = 8;
fileSystem = "zfs";
};
deviceSpecific.isServer = true;
deviceSpecific.vpn.tailscale.enable = true;
# Tailscale auto-login
services.headscale-auth.home-hypervisor = {
outPath = "/tmp/hypervisor-authkey";
before = [ "tailscaled-autoconnect.service" ];
};
services.tailscale = {
authKeyFile = "/tmp/hypervisor-authkey";
extraUpFlags = [
"--login-server=https://wg.ataraxiadev.com"
"--accept-dns=false"
"--advertise-exit-node=false"
"--operator=${config.mainuser}"
];
};
# services.headscale-auth.home-hypervisor = {
# outPath = "/tmp/hypervisor-authkey";
# before = [ "tailscaled-autoconnect.service" ];
# };
# services.tailscale = {
# authKeyFile = "/tmp/hypervisor-authkey";
# extraUpFlags = [
# "--login-server=https://wg.ataraxiadev.com"
# "--accept-dns=false"
# "--advertise-exit-node=false"
# "--operator=${config.mainuser}"
# ];
# };
zramSwap = {
enable = true;
@ -91,27 +98,10 @@ in {
files = [ "/etc/machine-id" ];
};
};
fileSystems."/home".neededForBoot = true;
fileSystems.${persistRoot}.neededForBoot = true;
boot.initrd.postDeviceCommands = lib.mkAfter ''
zfs rollback -r rpool/nixos/root@empty
zfs rollback -r rpool/user/home@empty
'';
environment.memoryAllocator.provider = "libc";
# build hell
environment.noXlibs = lib.mkForce false;
# minimal profile
documentation.nixos.enable = lib.mkForce false;
programs.command-not-found.enable = lib.mkForce false;
xdg.autostart.enable = lib.mkForce false;
xdg.icons.enable = lib.mkForce false;
xdg.mime.enable = lib.mkForce false;
xdg.sounds.enable = lib.mkForce false;
services.udisks2.enable = lib.mkForce false;
fonts.enableDefaultPackages = lib.mkForce false;
services.udisks2.enable = false;
fonts.enableDefaultPackages = false;
fonts.packages =
[ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ];
@ -123,50 +113,18 @@ in {
trim.enable = true;
trim.interval = "weekly";
};
services.postgresql.enable = true;
services.postgresql.settings = {
full_page_writes = "off";
wal_init_zero = "off";
wal_recycle = "off";
};
# hardened
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = lib.mkDefault [ ];
networking.firewall.allowedUDPPorts = lib.mkDefault [ ];
systemd.coredump.enable = false;
programs.firejail.enable = true;
networking.wireless.enable = false;
networking.networkmanager.enable = false;
networking.hostName = config.device;
networking.nameservers = [ "10.10.10.53" "10.10.10.1" "9.9.9.9" ];
networking.defaultGateway = "10.10.10.1";
networking.bridges.br0.interfaces = [ "enp2s0f0" ];
networking.interfaces.br0 = {
useDHCP = false;
ipv4.addresses = [{
address = "10.10.10.10";
prefixLength = 24;
}];
};
networking.extraHosts = ''
127.0.0.1 auth.ataraxiadev.com
127.0.0.1 code.ataraxiadev.com
127.0.0.1 cache.ataraxiadev.com
127.0.0.1 s3.ataraxiadev.com
127.0.0.1 wg.ataraxiadev.com
127.0.0.1 vault.ataraxiadev.com
127.0.0.1 matrix.ataraxiadev.com
'';
nix.optimise.automatic = false;
services.logind.lidSwitch = "lock";
services.logind.lidSwitchDocked = "lock";
services.logind.lidSwitchExternalPower = "lock";
systemd.services.systemd-timesyncd.wantedBy = [ "multi-user.target" ];
systemd.timers.systemd-timesyncd = { timerConfig.OnCalendar = "hourly"; };
nix.settings.experimental-features = [
"cgroups"
"fetch-closure"
"recursive-nix"
];
home-manager.users.${config.mainuser} = {
home.file.".config/libvirt/libvirt.conf".text = ''
@ -179,7 +137,6 @@ in {
dig.dnsutils
fd
kitty
lnav
micro
nix-index-update
p7zip
@ -193,7 +150,7 @@ in {
smartmontools
];
xdg.mime.enable = false;
home.stateVersion = "24.05";
home.stateVersion = "24.11";
};
system.stateVersion = "24.05";
system.stateVersion = "24.11";
}
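Review bot: The `boot.initrd.postDeviceCommands` block that rolled `rpool/nixos/root` and `rpool/user/home` back to `@empty` on every boot is removed here, and its systemd-initrd replacement in boot.nix is left commented out, so unless the `persist` module performs the rollback itself the root and home datasets now silently keep state across reboots, including anything written outside `/persist` such as stray credentials in `/root`. If the rollback is re-enabled, note that disk-config.nix names the pristine snapshots `@blank`, not `@empty`, so `zfs rollback -r rpool/nixos/root@blank` is the line to use. Dropping hardware-configuration.nix from the imports also drops `boot.kernelModules = [ "kvm-intel" ]`, `hardware.cpu.intel.updateMicrocode` and `boot.zfs.devNodes = "/dev/disk/by-id"`; the custom module behind `cpu.vendor = "intel"` may restore these, but microcode updates and by-id pool import are worth confirming on a hypervisor. The hunks here cut through an attribute set that continues outside this view.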

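--- /dev/null
+++ b/disk-config.nix
@@ -0,0 +1,279 @@
+{ ... }:
+let
+emptySnapshot = name: "zfs list -t snapshot -H -o name | grep -E '^${name}@blank$' || zfs snapshot ${name}@blank";
+in {
+disko.devices = {
+disk = {
+main = {
+device = "/dev/disk/by-id/ata-Samsung_SSD_870_EVO_500GB_S5Y1NJ1R160554B";
+type = "disk";
+content = {
+type = "gpt";
+partitions = {
+esp = {
+type = "EF00";
+name = "ESP";
+size = "512M";
+priority = 1;
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/efi";
+mountOptions = [ "umask=0077" ];
+};
+};
+swap = {
+name = "swap";
+size = "16G";
+priority = 2;
+content = {
+type = "swap";
+randomEncryption = true;
+};
+};
+boot = {
+name = "bpool";
+size = "4G";
+priority = 3;
+content = {
+type = "zfs";
+pool = "bpool";
+};
+};
+cryptroot = {
+size = "100%";
+priority = 4;
+content = {
+type = "luks";
+name = "cryptroot";
+settings.allowDiscards = true;
+passwordFile = "/tmp/cryptroot.pass";
+additionalKeyFiles = [ "/tmp/cryptroot.key" ];
+content = {
+type = "zfs";
+pool = "rpool";
+};
+};
+};
+};
+};
+};
+};
+zpool = {
+bpool = {
+type = "zpool";
+options = {
+ashift = "13";
+autotrim = "on";
+compatibility = "grub2";
+};
+rootFsOptions = {
+acltype = "posixacl";
+atime = "on";
+canmount = "off";
+compression = "lz4";
+devices = "off";
+normalization = "formD";
+relatime = "on";
+xattr = "sa";
+dedup = "off";
+};
+mountpoint = "/boot";
+postCreateHook = emptySnapshot "bpool";
+datasets = {
+nixos = {
+type = "zfs_fs";
+options.mountpoint = "none";
+options.canmount = "off";
+postCreateHook = emptySnapshot "bpool/nixos";
+};
+"nixos/boot" = {
+type = "zfs_fs";
+mountpoint = "/boot";
+options.canmount = "on";
+postCreateHook = emptySnapshot "bpool/nixos/boot";
+};
+};
+};
+rpool = {
+type = "zpool";
+options = {
+ashift = "13";
+autotrim = "on";
+cachefile = "none";
+};
+rootFsOptions = {
+acltype = "posixacl";
+atime = "on";
+canmount = "off";
+compression = "zstd-5";
+dedup = "off";
+dnodesize = "auto";
+normalization = "formD";
+relatime = "on";
+xattr = "sa";
+};
+mountpoint = "/";
+postCreateHook = emptySnapshot "rpool";
+datasets = {
+reserved = {
+type = "zfs_fs";
+options.mountpoint = "none";
+options = {
+canmount = "off";
+refreservation = "20G";
+};
+};
+nixos = {
+type = "zfs_fs";
+# mountpoint = "none";
+options.mountpoint = "none";
+options.canmount = "off";
+postCreateHook = emptySnapshot "rpool/nixos";
+};
+user = {
+type = "zfs_fs";
+options.mountpoint = "none";
+options.canmount = "off";
+postCreateHook = emptySnapshot "rpool/user";
+};
+persistent = {
+type = "zfs_fs";
+options.mountpoint = "none";
+options.canmount = "off";
+postCreateHook = emptySnapshot "rpool/persistent";
+};
+"nixos/root" = {
+type = "zfs_fs";
+mountpoint = "/";
+options.canmount = "noauto";
+postCreateHook = emptySnapshot "rpool/nixos/root";
+};
+"user/home" = {
+type = "zfs_fs";
+mountpoint = "/home";
+options.canmount = "on";
+postCreateHook = emptySnapshot "rpool/user/home";
+};
+"persistent/impermanence" = {
+type = "zfs_fs";
+mountpoint = "/persist";
+options.canmount = "on";
+postCreateHook = emptySnapshot "rpool/persistent/impermanence";
+};
+"persistent/servers" = {
+type = "zfs_fs";
+mountpoint = "/srv";
+options.canmount = "on";
+postCreateHook = emptySnapshot "rpool/persistent/servers";
+};
+"persistent/nix" = {
+type = "zfs_fs";
+mountpoint = "/nix";
+options.canmount = "on";
+postCreateHook = emptySnapshot "rpool/persistent/nix";
+};
+"persistent/secrets" = {
+type = "zfs_fs";
+mountpoint = "/etc/secrets";
+options.canmount = "on";
+postCreateHook = emptySnapshot "rpool/persistent/secrets";
+};
+"persistent/log" = {
+type = "zfs_fs";
+mountpoint = "/var/log";
+options.canmount = "on";
+postCreateHook = emptySnapshot "rpool/persistent/log";
+};
+# "persistent/lxd" = {
+# type = "zfs_fs";
+# options.canmount = "noauto";
+# postCreateHook = emptySnapshot "rpool/persistent/lxd";
+# };
+"persistent/docker" = {
+type = "zfs_fs";
+mountpoint = "/var/lib/docker";
+options.canmount = "on";
+postCreateHook = emptySnapshot "rpool/persistent/docker";
+};
+"persistent/nixos-containers" = {
+type = "zfs_fs";
+mountpoint = "/var/lib/nixos-containers";
+options.canmount = "on";
+postCreateHook = emptySnapshot "rpool/persistent/nixos-containers";
+};
+"persistent/bittorrent" = {
+type = "zfs_fs";
+mountpoint = "/media/bittorrent";
+options.canmount = "on";
+options.atime = "off";
+options.recordsize = "16K";
+options.compression = "lz4";
+postCreateHook = emptySnapshot "rpool/persistent/bittorrent";
+};
+"persistent/libvirt" = {
+type = "zfs_fs";
+mountpoint = "/var/lib/libvirt";
+options.canmount = "on";
+postCreateHook = emptySnapshot "rpool/persistent/libvirt";
+};
+"persistent/libvirt-user" = {
+type = "zfs_fs";
+mountpoint = "/media/libvirt";
+options.canmount = "on";
+postCreateHook = emptySnapshot "rpool/persistent/libvirt-user";
+};
+"persistent/libvirt-user/images" = {
+type = "zfs_fs";
+mountpoint = "/media/libvirt/images";
+options.canmount = "on";
+options.atime = "off";
+options.recordsize = "16K";
+options.compression = "lz4";
+postCreateHook = emptySnapshot "rpool/persistent/libvirt-user/images";
+};
+"persistent/ocis" = {
+type = "zfs_fs";
+mountpoint = "/var/lib/ocis";
+options.canmount = "on";
+options.recordsize = "1M";
+postCreateHook = emptySnapshot "rpool/persistent/ocis";
+};
+# "persistent/podman" = {
+# type = "zfs_fs";
+# mountpoint = "/var/lib/podman";
+# options.canmount = "on";
+# options.atime = "off";
+# postCreateHook = emptySnapshot "rpool/persistent/podman";
+# };
+"persistent/postgresql" = {
+type = "zfs_fs";
+mountpoint = "/var/lib/postgresql";
+options.canmount = "on";
+options.recordsize = "16K";
+options.atime = "off";
+options.logbias = "latency";
+postCreateHook = emptySnapshot "rpool/persistent/postgresql";
+};
+vol = {
+type = "zfs_fs";
+options.canmount = "off";
+postCreateHook = emptySnapshot "rpool/vol";
+};
+"vol/podman" = {
+type = "zfs_volume";
+size = "40G";
+options.volblocksize = "16K";
+content = {
+type = "filesystem";
+format = "xfs";
+mountpoint = "/var/lib/containers";
+};
+};
+};
+};
+};
+};
+}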
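Review bot: The LUKS key that `additionalKeyFiles = [ "/tmp/cryptroot.key" ]` enrols into a keyslot of `cryptroot` is an install-time path, and nothing in this file connects it to `/etc/secrets/keyfile0.bin`, which boot.nix embeds in the initrd to open the same device; if the two files differ the keyfile unlock fails on every boot, and if they are the same the key ends up inside an initrd stored on `bpool`, which this layout leaves as a plain ZFS partition outside any LUKS container. A comment above `cryptroot` would save the next person the cross-file hunt, e.g. `# /tmp/cryptroot.key is enrolled in a LUKS keyslot at install time; the same file must land in /etc/secrets/keyfile0.bin (dataset persistent/secrets) for the initrd unlock in boot.nix`. `passwordFile` and the keyfile both live in `/tmp` on the installer, so they should be created with mode 0600 and removed once disko has run. The `emptySnapshot` hook names every pristine snapshot `@blank`, which any rollback logic elsewhere has to match.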

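--- a/dns-mapping.nix
+++ /dev/null
@@ -1,104 +0,0 @@
-{
-headscale-list = [
-{ name = "ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "api.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "auth.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "cache.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "cal.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "code.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "docs.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "file.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "home.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "jackett.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "jellyfin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "joplin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "kavita.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "ldap.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "lib.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "medusa.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "net.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "openbooks.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "pdf.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "qbit.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "radarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "restic.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "s3.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "sonarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "tools.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "vault.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "wiki.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-{ name = "ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "api.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "auth.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "cache.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "cal.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "code.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "docs.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "file.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "home.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "jackett.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "jellyfin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "joplin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "kavita.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "ldap.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "lib.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "medusa.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "net.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "openbooks.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "pdf.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "qbit.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "radarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "restic.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "s3.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "sonarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "tools.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "vault.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-{ name = "wiki.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-];
-dnsmasq-list = [
-# TODO: Fix dns resolution in blocky for unmapped subdomains of ataraxiadev.com
-"/element.ataraxiadev.com/10.10.10.10"
-"/matrix.ataraxiadev.com/10.10.10.10"
-"/turn.ataraxiadev.com/10.10.10.10"
-"/api.ataraxiadev.com/10.10.10.10"
-"/auth.ataraxiadev.com/10.10.10.10"
-"/cache.ataraxiadev.com/10.10.10.10"
-"/cal.ataraxiadev.com/10.10.10.10"
-"/code.ataraxiadev.com/10.10.10.10"
-"/docs.ataraxiadev.com/10.10.10.10"
-"/file.ataraxiadev.com/10.10.10.10"
-"/home.ataraxiadev.com/10.10.10.10"
-"/jackett.ataraxiadev.com/10.10.10.10"
-"/jellyfin.ataraxiadev.com/10.10.10.10"
-"/joplin.ataraxiadev.com/10.10.10.10"
-"/kavita.ataraxiadev.com/10.10.10.10"
-"/ldap.ataraxiadev.com/10.10.10.10"
-"/lib.ataraxiadev.com/10.10.10.10"
-"/medusa.ataraxiadev.com/10.10.10.10"
-"/net.ataraxiadev.com/10.10.10.10"
-"/openbooks.ataraxiadev.com/10.10.10.10"
-"/pdf.ataraxiadev.com/10.10.10.10"
-"/qbit.ataraxiadev.com/10.10.10.10"
-"/radarr.ataraxiadev.com/10.10.10.10"
-"/restic.ataraxiadev.com/10.10.10.10"
-"/s3.ataraxiadev.com/10.10.10.10"
-"/stats.ataraxiadev.com/10.10.10.10"
-"/sonarr.ataraxiadev.com/10.10.10.10"
-"/tools.ataraxiadev.com/10.10.10.10"
-"/vault.ataraxiadev.com/10.10.10.10"
-"/vw.ataraxiadev.com/10.10.10.10"
-"/wiki.ataraxiadev.com/10.10.10.10"
-];
-}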

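--- a/hardware-configuration.nix
+++ /dev/null
@@ -1,109 +0,0 @@
-# Do not modify this file! It was generated by nixos-generate-config
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, ... }:
-{
-imports =
-[ (modulesPath + "/installer/scan/not-detected.nix")
-];
-boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
-boot.initrd.kernelModules = [ ];
-boot.kernelModules = [ "kvm-intel" ];
-boot.extraModulePackages = [ ];
-fileSystems."/" =
-{ device = "rpool/nixos/root";
-fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-};
-fileSystems."/home" =
-{ device = "rpool/user/home";
-fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-};
-fileSystems."/persist" =
-{ device = "rpool/persistent/impermanence";
-fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-};
-fileSystems."/srv" =
-{ device = "rpool/persistent/servers";
-fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-};
-fileSystems."/etc/secrets" =
-{ device = "rpool/persistent/secrets";
-fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-};
-fileSystems."/nix" =
-{ device = "rpool/persistent/nix";
-fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-};
-fileSystems."/var/log" =
-{ device = "rpool/persistent/log";
-fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-};
-fileSystems."/var/lib/docker" =
-{ device = "rpool/persistent/docker";
-fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-};
-fileSystems."/var/lib/podman" =
-{ device = "/dev/zvol/rpool/vol/podman";
-fsType = "xfs"; options = [ "X-mount.mkdir" ];
-};
-fileSystems."/var/lib/nixos-containers" =
-{ device = "rpool/persistent/nixos-containers";
-fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-};
-fileSystems."/media/bittorrent" =
-{ device = "rpool/persistent/bittorrent";
-fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-};
-fileSystems."/media/libvirt" =
-{ device = "rpool/persistent/libvirt";
-fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-};
-fileSystems."/boot" =
-{ device = "bpool/nixos/boot";
-fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-};
-fileSystems."/efi" =
-{ device = "/dev/disk/by-uuid/C5F3-4271";
-fsType = "vfat";
-};
-swapDevices = [
-{
-device = "/dev/disk/by-partuuid/4623124f-05e6-4d55-8fe8-6cd9a904fd72";
-randomEncryption.enable = true;
-randomEncryption.allowDiscards = true;
-}
-];
-# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-# (the default) this is the recommended approach. When using systemd-networkd it's
-# still possible to use this option, but it's recommended to use it in conjunction
-# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-networking.useDHCP = lib.mkDefault true;
-# networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
-# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
-nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-networking.hostId = "a9408846";
-boot.zfs.devNodes = "/dev/disk/by-id";
-boot.supportedFilesystems = [ "xfs" "zfs" ];
-boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-partuuid/465cbfbb-73b8-4129-9904-9fabcc5db368";
-boot.initrd.luks.devices."cryptboot".device = "/dev/disk/by-partuuid/74f2b810-c7ff-471d-9829-7a3ef05c8c0e";
-}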

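--- /dev/null
+++ b/hardware/networks.nix
@@ -0,0 +1,21 @@
+{
+domain = "home.ataraxiadev.com";
+hasIPv6 = false;
+interfaces = {
+main' = {
+mac = "d4:3d:7e:26:a8:af";
+bridgeName = "br0";
+ifname = "enp2s0";
+IPv4 = {
+address = "10.10.10.10/24";
+gateway = "10.10.10.1";
+dns = [ "10.10.10.1" "9.9.9.9" ];
+};
+IPv6 = {
+address = "";
+gateway = "";
+dns = [ ];
+};
+};
+};
+}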

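--- /dev/null
+++ b/networking.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+let
+inherit (import ./hardware/networks.nix) interfaces domain hasIPv6;
+in {
+services.resolved.enable = true;
+networking = {
+dhcpcd.enable = false;
+domain = domain;
+enableIPv6 = hasIPv6;
+hostName = config.device;
+nftables.enable = true;
+useDHCP = false;
+useNetworkd = lib.mkForce false;
+usePredictableInterfaceNames = true;
+firewall = {
+enable = true;
+allowedTCPPorts = lib.mkDefault [ ];
+allowedUDPPorts = lib.mkDefault [ ];
+};
+nameservers = [ "10.10.10.1" "9.9.9.9" ];
+# extraHosts = ''
+# 127.0.0.1 auth.ataraxiadev.com
+# 127.0.0.1 code.ataraxiadev.com
+# 127.0.0.1 cache.ataraxiadev.com
+# 127.0.0.1 s3.ataraxiadev.com
+# 127.0.0.1 wg.ataraxiadev.com
+# 127.0.0.1 vault.ataraxiadev.com
+# 127.0.0.1 matrix.ataraxiadev.com
+# '';
+};
+systemd.network = with interfaces.main'; {
+enable = lib.mkForce true;
+wait-online.ignoredInterfaces = [ "lo" ];
+networks = {
+"40-${ifname}" = {
+matchConfig.Name = ifname;
+linkConfig.RequiredForOnline = "enslaved";
+networkConfig.Bridge = bridgeName;
+networkConfig.DHCP = "no";
+};
+"60-${bridgeName}" = {
+matchConfig.Name = bridgeName;
+address = [
+IPv4.address
+] ++ lib.optionals hasIPv6 [
+IPv6.address
+"fc00::1/64"
+];
+linkConfig.RequiredForOnline = "routable";
+# networkConfig = {
+# IPForward = true;
+# DNS = IPv4.dns ++ lib.optionals hasIPv6 IPv6.dns;
+# };
+routes = [{
+Gateway = IPv4.gateway;
+GatewayOnLink = true;
+}] ++ lib.optionals hasIPv6 [{
+Gateway = IPv6.gateway;
+GatewayOnLink = true;
+}];
+};
+};
+netdevs = {
+"60-${bridgeName}" = {
+netdevConfig = {
+Kind = "bridge";
+Name = bridgeName;
+MACAddress = mac;
+};
+};
+};
+};
+system.activationScripts.udp-gro-forwarding = {
+text = with interfaces.main'; ''
+${pkgs.ethtool}/bin/ethtool -K ${bridgeName} rx-udp-gro-forwarding on rx-gro-list off
+'';
+};
+}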
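Review bot: `system.activationScripts.udp-gro-forwarding` runs `ethtool -K br0 …` during activation, which at boot happens in stage 2 before systemd-networkd has created the `br0` netdev, so the call fails with "no such device" and the offload setting is only ever applied by a later `nixos-rebuild switch`; a oneshot unit bound to the bridge's device unit applies it every boot and makes the failure visible in the journal instead of being swallowed by the activation script. Separately, `nameservers = [ "10.10.10.1" "9.9.9.9" ]` repeats the list already carried as `IPv4.dns` in hardware/networks.nix; `nameservers = interfaces.main'.IPv4.dns;` keeps one source of truth.
```nix
  systemd.services.udp-gro-forwarding = with interfaces.main'; {
    description = "Enable UDP GRO forwarding on ${bridgeName}";
    bindsTo = [ "sys-subsystem-net-devices-${bridgeName}.device" ];
    after = [ "sys-subsystem-net-devices-${bridgeName}.device" ];
    wantedBy = [ "sys-subsystem-net-devices-${bridgeName}.device" ];
    serviceConfig.Type = "oneshot";
    script = ''
      ${pkgs.ethtool}/bin/ethtool -K ${bridgeName} rx-udp-gro-forwarding on rx-gro-list off
    '';
  };
```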

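--- /dev/null
+++ b/nginx.nix
@@ -0,0 +1,79 @@
+{ ... }:
+{
+services.nginx = {
+enable = true;
+group = "acme";
+recommendedBrotliSettings = true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedTlsSettings = true;
+recommendedZstdSettings = true;
+clientMaxBodySize = "250m";
+commonHttpConfig = ''
+proxy_hide_header X-Frame-Options;
+'';
+virtualHosts = let
+default = {
+useACMEHost = "ataraxiadev.com";
+enableACME = false;
+forceSSL = true;
+};
+proxySettings = ''
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Server $host;
+'';
+in {
+"media-stack" = {
+serverAliases = [
+"jellyfin.ataraxiadev.com"
+"qbit.ataraxiadev.com"
+"prowlarr.ataraxiadev.com"
+"jackett.ataraxiadev.com"
+"sonarr.ataraxiadev.com"
+"radarr.ataraxiadev.com"
+"lidarr.ataraxiadev.com"
+"kavita.ataraxiadev.com"
+];
+locations."/" = {
+proxyPass = "http://127.0.0.1:8180";
+proxyWebsockets = true;
+extraConfig = ''
+proxy_buffer_size 128k;
+proxy_buffers 4 256k;
+proxy_busy_buffers_size 256k;
+send_timeout 15m;
+proxy_connect_timeout 600;
+proxy_send_timeout 600;
+proxy_read_timeout 15m;
+'' + proxySettings;
+};
+} // default;
+"medusa.ataraxiadev.com" = {
+locations."/" = {
+proxyPass = "http://127.0.0.1:8180";
+proxyWebsockets = true;
+extraConfig = ''
+add_header Content-Security-Policy "upgrade-insecure-requests";
+'' + proxySettings;
+};
+} // default;
+"code.ataraxiadev.com" = {
+locations."/" = {
+proxyPass = "http://127.0.0.1:6000";
+extraConfig = proxySettings;
+};
+} // default;
+"ataraxiadev.com" = {
+extraConfig = ''
+return 301 https://code.ataraxiadev.com$request_uri;
+'';
+} // default;
+};
+};
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+}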

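--- a/usb-hdd.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ pkgs, ... }: {
-boot.initrd = rec {
-luks.devices = {
-"crypt-nas" = {
-device = "/dev/disk/by-id/ata-ST4000NM0035-1V4107_ZC1A7CWN";
-keyFile = "/nas_keyfile0.bin";
-};
-};
-secrets = {
-"nas_keyfile0.bin" = "/etc/secrets/nas_keyfile0.bin";
-};
-availableKernelModules = [
-"usb_storage"
-"usbcore"
-"scsi_mod"
-"usb_common"
-"ehci_pci" "ahci" "uas" "sd_mod" "sdhci_pci"
-];
-kernelModules = availableKernelModules;
-};
-boot.zfs.extraPools = [ "nas-pool" ];
-system.activationScripts.disable-hdd-spindown.text = ''
-${pkgs.hdparm}/bin/hdparm -s 0 /dev/disk/by-id/ata-ST4000NM0035-1V4107_ZC1A7CWN
-'';
-}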


@ -8,12 +8,31 @@
virtualisation = {
docker.enable = lib.mkForce false;
podman.defaultNetwork.settings.dns_enabled = lib.mkForce false;
podman.defaultNetwork.settings.dns_enabled = lib.mkForce true;
podman.extraPackages = [ pkgs.zfs ];
spiceUSBRedirection.enable = lib.mkForce false;
containers.storage.settings.storage.graphroot = lib.mkForce "/var/lib/podman/storage";
};
# networking.dhcpcd.denyInterfaces = [ "podman0" ];
# systemd.network = {
# netdevs."60-podman0" = {
# netdevConfig = {
# Kind = "bridge";
# Name = "podman0";
# };
# };
# networks."50-podman" = {
# matchConfig = {
# Name = "podman0";
# };
# linkConfig = {
# Unmanaged = true;
# ActivationPolicy = "manual";
# };
# };
# };
users.users.${config.mainuser} = {
subUidRanges = [{
count = 1000;
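Review bot: `containers.storage.settings.storage.graphroot` is still forced to `/var/lib/podman/storage` (unchanged context above), but this commit's disk-config.nix now mounts the podman zvol at `/var/lib/containers` instead of the old `/var/lib/podman`, so container images and layers will land on `rpool/nixos/root`, the dataset meant to be rolled back to its blank snapshot, rather than on the dedicated XFS volume. Either drop the `graphroot` override so podman uses its default under `/var/lib/containers`, or change it to `lib.mkForce "/var/lib/containers/storage"`. Flipping `dns_enabled` to `true` presumably brings up podman's own DNS on the default bridge; with `services.resolved` on the host that is fine, but the commented-out networkd stanza for `podman0` below suggests the bridge is still being passed between podman and networkd, which is worth settling rather than leaving as dead config. The `users.users` attribute set continues outside the hunk.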


@ -15,7 +15,7 @@
nix-index
nnn
overlay
pass-secret-service
# pass-secret-service
ssh
user
vlock