diff --git a/machines/Home-Hypervisor/autoinstall.nix b/machines/Home-Hypervisor/autoinstall.nix
deleted file mode 100644
index d53d7b1..0000000
--- a/machines/Home-Hypervisor/autoinstall.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ ... }: {
- autoinstall."Home-Hypervisor" = {
- debug = false;
- mainuser = "ataraxia";
- flakesPath = "/home/nixos/nixos-config";
- encryption.encryptBoot = true;
- encryption.encryptRoot = true;
- encryption.passwordFile = "/home/nixos/pass";
- encryption.argonIterTime = "4000";
- partitioning.useEntireDisk = true;
- partitioning.disk = "/dev/disk/by-id/ata-Samsung_SSD_870_EVO_500GB_S5Y1NJ1R160554B";
- partitioning.nullifyDisk = false;
- swapPartition.enable = true;
- swapPartition.size = "8GiB";
- zfsOpts.ashift = 13;
- zfsOpts.bootPoolReservation = "256M";
- zfsOpts.rootPoolReservation = "25G";
- persist.enable = true;
- oldUefi = true;
- };
-}
diff --git a/machines/Home-Hypervisor/boot.nix b/machines/Home-Hypervisor/boot.nix
index 6429d30..8138966 100644
--- a/machines/Home-Hypervisor/boot.nix
+++ b/machines/Home-Hypervisor/boot.nix
@@ -1,43 +1,57 @@ -{ config, pkgs, lib, ... }: +{ inputs, config, pkgs, lib, ... }: let zfs_arc_max = toString (3 * 1024 * 1024 * 1024); in { + # CachyOS kernel + imports = [ inputs.chaotic.nixosModules.default ]; + boot = { - zfs.forceImportAll = lib.mkForce false; - loader.efi.canTouchEfiVariables = false; - loader.efi.efiSysMountPoint = "/efi"; - loader.generationsDir.copyKernels = true; - loader.grub = { - enable = true; - device = "nodev"; - efiSupport = true; - enableCryptodisk = true; - zfsSupport = true; - efiInstallAsRemovable = true; - copyKernels = true; - }; + # zfs.package = pkgs.zfs_cachyos; + # kernelPackages = pkgs.linuxPackages_cachyos-hardened; + # kernelPackages = pkgs.linuxPackages_cachyos-server; + # kernelPackages = pkgs.linuxPackages_hardened; + # kernelPackages = pkgs.linuxPackages; + # kernelPackages = pkgs.linuxPackages_xanmod; + initrd = { luks.devices = { - "cryptboot" = { - preLVM = true; - keyFile = "/keyfile0.bin"; - allowDiscards = true; - bypassWorkqueues = config.deviceSpecific.isSSD; - fallbackToPassword = true; - }; + # "cryptboot" = { + # allowDiscards = true; + # bypassWorkqueues = config.deviceSpecific.isSSD; + # keyFile = "/keyfile0.bin"; + # }; "cryptroot" = { - preLVM = true; - keyFile = "/keyfile0.bin"; allowDiscards = true; bypassWorkqueues = config.deviceSpecific.isSSD; - fallbackToPassword = true; + keyFile = "/keyfile0.bin"; + }; + "crypt-nas" = { + device = "/dev/disk/by-id/ata-ST4000NM0035-1V4107_ZC1A7CWN"; + keyFile = "/nas_keyfile0.bin"; }; }; secrets = { "keyfile0.bin" = "/etc/secrets/keyfile0.bin"; + "nas_keyfile0.bin" = "/etc/secrets/nas_keyfile0.bin"; + }; + supportedFilesystems = [ "zfs" ]; + systemd.enable = true; + }; + loader = { + efi.canTouchEfiVariables = false; + efi.efiSysMountPoint = "/efi"; + generationsDir.copyKernels = true; + grub = { + enable = true; + enableCryptodisk = true; + device = "nodev"; + copyKernels = true; + efiInstallAsRemovable = true; + efiSupport = true; + zfsSupport = true; + 
useOSProber = false; }; }; - kernelPackages = pkgs.linuxPackages_hardened; kernelModules = [ "tcp_bbr" "veth" ]; kernelParams = [ "zfs.zfs_arc_max=${zfs_arc_max}" @@ -60,9 +74,31 @@ in { "vm.dirty_ratio" = 40; "vm.page-cluster" = 0; "vm.overcommit_memory" = lib.mkForce 1; - - "net.ipv4.tcp_congestion_control" = "bbr"; - "net.core.default_qdisc" = "fq"; }; + + zfs.extraPools = [ "bpool" "rpool" "nas-pool" ]; }; + + networking.hostId = "a9408846"; + + # Impermanence + persist = { + enable = true; + cache.clean.enable = true; + }; + fileSystems."/home".neededForBoot = true; + fileSystems."/persist".neededForBoot = true; + # boot.initrd.systemd.services.rollback = { + # description = "Rollback zfs to a pristine state on boot"; + # wantedBy = [ "initrd.target" ]; + # after = [ "zfs-import-rpool.service" ]; + # before = [ "sysroot.mount" ]; + # path = [ config.boot.zfs.package ]; + # unitConfig.DefaultDependencies = "no"; + # serviceConfig.Type = "oneshot"; + # script = '' + # zfs rollback -r rpool/nixos/root@empty && echo " >>> rollback root <<<" + # zfs rollback -r rpool/user/home@empty && echo " >>> rollback home <<<" + # ''; + # }; } diff --git a/machines/Home-Hypervisor/default.nix b/machines/Home-Hypervisor/default.nix index 482f492..b3e0e61 100644 --- a/machines/Home-Hypervisor/default.nix +++ b/machines/Home-Hypervisor/default.nix 
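Review bot: With `cryptboot` commented out here and disk-config.nix creating `bpool` on a plain partition, the initrd that `boot.initrd.secrets` extends with `keyfile0.bin` and `nas_keyfile0.bin` now lives on an unencrypted /boot, so the keyfile that unlocks `cryptroot` sits in cleartext next to the volume it protects (the same holds for `crypt-nas`). The mitigation is to keep the boot pool inside LUKS as before or to stop shipping the keyfile in the initrd and rely on the passphrase prompt the systemd initrd provides; either way `loader.grub.enableCryptodisk = true` should match the decision. `kernelPackages = pkgs.linuxPackages_hardened` is removed with every alternative left commented out, so the host silently falls back to the default nixpkgs kernel while `customProfiles.hardened` is still imported — pick one line or say in a comment why the default is intended. Importing `inputs.chaotic.nixosModules.default` also, as far as I recall, registers that project's binary cache and signing key in `nix.settings`, which is a supply-chain decision worth a comment beside `# CachyOS kernel` given that no CachyOS package is selected. The `boot` attribute set continues into the next hunk.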
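Review bot: The ZFS rollback that gives this host its impermanence is gone on both sides of the commit: the `postDeviceCommands` block is deleted in default.nix (hunk `@@ -91,27 +98,10 @@`) and the systemd `rollback` service here is left commented out, so `rpool/nixos/root` and `rpool/user/home` are never reset at boot unless the `persist` module does it elsewhere. If `persist.enable = true` is meant to cover that, a comment above it saying so would save the next reader the search; if not, the service should be uncommented, and note that disk-config.nix names the snapshots `@blank` while the commented script rolls back to `@empty`. `kernelModules` in the previous hunk still loads `tcp_bbr`, but the `net.ipv4.tcp_congestion_control = "bbr"` and `net.core.default_qdisc = "fq"` sysctls are removed here; presumably srvos sets them now, otherwise the module entry is dead weight. The `boot` attribute set starts in the previous hunk.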
@@ -2,54 +2,61 @@ let persistRoot = config.autoinstall.persist.persistRoot or "/persist"; in { imports = with inputs.self; [ + inputs.disko.nixosModules.disko + inputs.srvos.nixosModules.server + inputs.srvos.nixosModules.mixins-terminfo + + ./disk-config.nix + ./backups.nix ./boot.nix - ./hardware-configuration.nix - ./usb-hdd.nix + ./networking.nix ./virtualisation.nix customProfiles.hardened customRoles.hypervisor - customProfiles.tg-bot + ./nginx.nix + + # customProfiles.tg-bot customProfiles.acme - customProfiles.attic - customProfiles.atticd - customProfiles.authentik - customProfiles.battery-historian - customProfiles.coturn - customProfiles.fail2ban + # customProfiles.attic + # customProfiles.atticd + # customProfiles.authentik + # customProfiles.battery-historian + # customProfiles.coturn + # customProfiles.fail2ban customProfiles.gitea - customProfiles.homepage - customProfiles.hoyolab - customProfiles.inpx-web - customProfiles.it-tools + # customProfiles.homepage + # customProfiles.hoyolab + # customProfiles.inpx-web + # customProfiles.it-tools customProfiles.media-stack - customProfiles.metrics - customProfiles.minio - customProfiles.netbird-server - customProfiles.nginx - customProfiles.ocis - customProfiles.onlyoffice - customProfiles.openbooks - customProfiles.outline - customProfiles.radicale - customProfiles.spdf - customProfiles.synapse + # customProfiles.metrics + # customProfiles.minio + # customProfiles.netbird-server + # customProfiles.nginx + # customProfiles.ocis + # customProfiles.onlyoffice + # customProfiles.openbooks + # customProfiles.outline + # customProfiles.radicale + # customProfiles.spdf + # customProfiles.synapse customProfiles.tinyproxy - customProfiles.vault - customProfiles.vaultwarden - customProfiles.webhooks - customProfiles.wiki - customProfiles.yandex-db + # customProfiles.vault + # customProfiles.vaultwarden + # customProfiles.webhooks + # customProfiles.wiki + # customProfiles.yandex-db - (import customProfiles.blocky { 
- inherit (import ./dns-mapping.nix) dnsmasq-list; - }) + # (import customProfiles.blocky { + # inherit (import ./dns-mapping.nix) dnsmasq-list; + # }) - (import customProfiles.headscale { - inherit (import ./dns-mapping.nix) headscale-list; - }) + # (import customProfiles.headscale { + # inherit (import ./dns-mapping.nix) headscale-list; + # }) ]; security.lockKernelModules = lib.mkForce false; @@ -57,25 +64,25 @@ in { cpu.vendor = "intel"; drive.type = "ssd"; gpu.vendor = "other"; - ram = 12; + ram = 8; fileSystem = "zfs"; }; deviceSpecific.isServer = true; deviceSpecific.vpn.tailscale.enable = true; # Tailscale auto-login - services.headscale-auth.home-hypervisor = { - outPath = "/tmp/hypervisor-authkey"; - before = [ "tailscaled-autoconnect.service" ]; - }; - services.tailscale = { - authKeyFile = "/tmp/hypervisor-authkey"; - extraUpFlags = [ - "--login-server=https://wg.ataraxiadev.com" - "--accept-dns=false" - "--advertise-exit-node=false" - "--operator=${config.mainuser}" - ]; - }; + # services.headscale-auth.home-hypervisor = { + # outPath = "/tmp/hypervisor-authkey"; + # before = [ "tailscaled-autoconnect.service" ]; + # }; + # services.tailscale = { + # authKeyFile = "/tmp/hypervisor-authkey"; + # extraUpFlags = [ + # "--login-server=https://wg.ataraxiadev.com" + # "--accept-dns=false" + # "--advertise-exit-node=false" + # "--operator=${config.mainuser}" + # ]; + # }; zramSwap = { enable = true; 
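Review bot: `customProfiles.fail2ban` is commented out while `./nginx.nix`, `customProfiles.gitea` and `customProfiles.acme` stay enabled and nginx.nix opens ports 80 and 443, so the public Gitea login loses the brute-force throttling it had; if the profile is broken rather than unwanted, a `# fail2ban: disabled because …` note above the line would make that clear. Roughly thirty profile entries are kept as comments instead of being deleted; git already holds the history and the commented lines will rot as the profiles change, so removing them is the cleaner choice. The list also drops `./hardware-configuration.nix` (deleted in this commit) without a visible replacement for its `hardware.cpu.intel.updateMicrocode`, `nixpkgs.hostPlatform` and `boot.kernelModules = [ "kvm-intel" ]` settings — presumably srvos or another module covers some of them, but the microcode line in particular should be checked. The `imports` list ends inside this hunk; the enclosing module continues past it.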
@@ -91,27 +98,10 @@ in { files = [ "/etc/machine-id" ]; }; }; - fileSystems."/home".neededForBoot = true; - fileSystems.${persistRoot}.neededForBoot = true; - boot.initrd.postDeviceCommands = lib.mkAfter '' - zfs rollback -r rpool/nixos/root@empty - zfs rollback -r rpool/user/home@empty - ''; environment.memoryAllocator.provider = "libc"; - - # build hell - environment.noXlibs = lib.mkForce false; - # minimal profile - documentation.nixos.enable = lib.mkForce false; - programs.command-not-found.enable = lib.mkForce false; - xdg.autostart.enable = lib.mkForce false; - xdg.icons.enable = lib.mkForce false; - xdg.mime.enable = lib.mkForce false; - xdg.sounds.enable = lib.mkForce false; - services.udisks2.enable = lib.mkForce false; - - fonts.enableDefaultPackages = lib.mkForce false; + services.udisks2.enable = false; + fonts.enableDefaultPackages = false; fonts.packages = [ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ]; 
@@ -123,50 +113,18 @@ in { trim.enable = true; trim.interval = "weekly"; }; + services.postgresql.enable = true; services.postgresql.settings = { full_page_writes = "off"; wal_init_zero = "off"; wal_recycle = "off"; }; - # hardened - networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = lib.mkDefault [ ]; - networking.firewall.allowedUDPPorts = lib.mkDefault [ ]; - systemd.coredump.enable = false; - programs.firejail.enable = true; - - networking.wireless.enable = false; - networking.networkmanager.enable = false; - networking.hostName = config.device; - - networking.nameservers = [ "10.10.10.53" "10.10.10.1" "9.9.9.9" ]; - networking.defaultGateway = "10.10.10.1"; - networking.bridges.br0.interfaces = [ "enp2s0f0" ]; - networking.interfaces.br0 = { - useDHCP = false; - ipv4.addresses = [{ - address = "10.10.10.10"; - prefixLength = 24; - }]; - }; - networking.extraHosts = '' - 127.0.0.1 auth.ataraxiadev.com - 127.0.0.1 code.ataraxiadev.com - 127.0.0.1 cache.ataraxiadev.com - 127.0.0.1 s3.ataraxiadev.com - 127.0.0.1 wg.ataraxiadev.com - 127.0.0.1 vault.ataraxiadev.com - 127.0.0.1 matrix.ataraxiadev.com - ''; - - nix.optimise.automatic = false; - - services.logind.lidSwitch = "lock"; - services.logind.lidSwitchDocked = "lock"; - services.logind.lidSwitchExternalPower = "lock"; - systemd.services.systemd-timesyncd.wantedBy = [ "multi-user.target" ]; - systemd.timers.systemd-timesyncd = { timerConfig.OnCalendar = "hourly"; }; + nix.settings.experimental-features = [ + "cgroups" + "fetch-closure" + "recursive-nix" + ]; home-manager.users.${config.mainuser} = { home.file.".config/libvirt/libvirt.conf".text = '' @@ -179,7 +137,6 @@ in { dig.dnsutils fd kitty - lnav micro nix-index-update p7zip @@ -193,7 +150,7 @@ in { smartmontools ]; xdg.mime.enable = false; - home.stateVersion = "24.05"; + home.stateVersion = "24.11"; }; - system.stateVersion = "24.05"; + system.stateVersion = "24.11"; } 
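Review bot: `systemd.coredump.enable = false` and `programs.firejail.enable = true` are deleted together with the `# hardened` block, but unlike the firewall and interface settings they do not reappear in networking.nix, so core dumps of nginx, Gitea and the PostgreSQL enabled in this hunk can again be written to disk; re-add `systemd.coredump.enable = false;` unless `customProfiles.hardened` already sets it. `services.postgresql.enable = true` is added here while `system.stateVersion` moves from 24.05 to 24.11 in hunk `@@ -193,7 +150,7 @@`; the default `services.postgresql.package` is chosen by stateVersion, so on a host that is not reinstalled from scratch this can pick a newer major against the existing data directory — pin `services.postgresql.package` explicitly or confirm the disko reinstall is intended. `systemd-timesyncd` is also no longer forced into `multi-user.target` with an hourly timer; presumably srvos handles time sync, otherwise those lines should return. The `home-manager.users` block this hunk ends in continues into the next hunk.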
diff --git a/machines/Home-Hypervisor/disk-config.nix b/machines/Home-Hypervisor/disk-config.nix
new file mode 100644
index 0000000..fa91607
--- /dev/null
+++ b/machines/Home-Hypervisor/disk-config.nix
@@ -0,0 +1,279 @@ +{ ... }: +let + emptySnapshot = name: "zfs list -t snapshot -H -o name | grep -E '^${name}@blank$' || zfs snapshot ${name}@blank"; +in { + disko.devices = { + disk = { + main = { + device = "/dev/disk/by-id/ata-Samsung_SSD_870_EVO_500GB_S5Y1NJ1R160554B"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + esp = { + type = "EF00"; + name = "ESP"; + size = "512M"; + priority = 1; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/efi"; + mountOptions = [ "umask=0077" ]; + }; + }; + swap = { + name = "swap"; + size = "16G"; + priority = 2; + content = { + type = "swap"; + randomEncryption = true; + }; + }; + boot = { + name = "bpool"; + size = "4G"; + priority = 3; + content = { + type = "zfs"; + pool = "bpool"; + }; + }; + cryptroot = { + size = "100%"; + priority = 4; + content = { + type = "luks"; + name = "cryptroot"; + settings.allowDiscards = true; + passwordFile = "/tmp/cryptroot.pass"; + additionalKeyFiles = [ "/tmp/cryptroot.key" ]; + content = { + type = "zfs"; + pool = "rpool"; + }; + }; + }; + }; + }; + }; + }; + zpool = { + bpool = { + type = "zpool"; + options = { + ashift = "13"; + autotrim = "on"; + compatibility = "grub2"; + }; + rootFsOptions = { + acltype = "posixacl"; + atime = "on"; + canmount = "off"; + compression = "lz4"; + devices = "off"; + normalization = "formD"; + relatime = "on"; + xattr = "sa"; + dedup = "off"; + }; + mountpoint = "/boot"; + postCreateHook = emptySnapshot "bpool"; + + datasets = { + nixos = { + type = "zfs_fs"; + options.mountpoint = "none"; + options.canmount = "off"; + postCreateHook = emptySnapshot "bpool/nixos"; + }; + "nixos/boot" = { + type = "zfs_fs"; + mountpoint = "/boot"; + options.canmount = "on"; + postCreateHook = emptySnapshot "bpool/nixos/boot"; + }; + }; + }; + rpool = { + type = "zpool"; + options = { + ashift = "13"; + autotrim = "on"; + cachefile = "none"; + }; + rootFsOptions = { + acltype = "posixacl"; + atime = "on"; + canmount = "off"; + 
compression = "zstd-5"; + dedup = "off"; + dnodesize = "auto"; + normalization = "formD"; + relatime = "on"; + xattr = "sa"; + }; + mountpoint = "/"; + postCreateHook = emptySnapshot "rpool"; + + datasets = { + reserved = { + type = "zfs_fs"; + options.mountpoint = "none"; + options = { + canmount = "off"; + refreservation = "20G"; + }; + }; + nixos = { + type = "zfs_fs"; + # mountpoint = "none"; + options.mountpoint = "none"; + options.canmount = "off"; + postCreateHook = emptySnapshot "rpool/nixos"; + }; + user = { + type = "zfs_fs"; + options.mountpoint = "none"; + options.canmount = "off"; + postCreateHook = emptySnapshot "rpool/user"; + }; + persistent = { + type = "zfs_fs"; + options.mountpoint = "none"; + options.canmount = "off"; + postCreateHook = emptySnapshot "rpool/persistent"; + }; + "nixos/root" = { + type = "zfs_fs"; + mountpoint = "/"; + options.canmount = "noauto"; + postCreateHook = emptySnapshot "rpool/nixos/root"; + }; + "user/home" = { + type = "zfs_fs"; + mountpoint = "/home"; + options.canmount = "on"; + postCreateHook = emptySnapshot "rpool/user/home"; + }; + "persistent/impermanence" = { + type = "zfs_fs"; + mountpoint = "/persist"; + options.canmount = "on"; + postCreateHook = emptySnapshot "rpool/persistent/impermanence"; + }; + "persistent/servers" = { + type = "zfs_fs"; + mountpoint = "/srv"; + options.canmount = "on"; + postCreateHook = emptySnapshot "rpool/persistent/servers"; + }; + "persistent/nix" = { + type = "zfs_fs"; + mountpoint = "/nix"; + options.canmount = "on"; + postCreateHook = emptySnapshot "rpool/persistent/nix"; + }; + "persistent/secrets" = { + type = "zfs_fs"; + mountpoint = "/etc/secrets"; + options.canmount = "on"; + postCreateHook = emptySnapshot "rpool/persistent/secrets"; + }; + "persistent/log" = { + type = "zfs_fs"; + mountpoint = "/var/log"; + options.canmount = "on"; + postCreateHook = emptySnapshot "rpool/persistent/log"; + }; + # "persistent/lxd" = { + # type = "zfs_fs"; + # options.canmount = "noauto"; + 
# postCreateHook = emptySnapshot "rpool/persistent/lxd"; + # }; + "persistent/docker" = { + type = "zfs_fs"; + mountpoint = "/var/lib/docker"; + options.canmount = "on"; + postCreateHook = emptySnapshot "rpool/persistent/docker"; + }; + "persistent/nixos-containers" = { + type = "zfs_fs"; + mountpoint = "/var/lib/nixos-containers"; + options.canmount = "on"; + postCreateHook = emptySnapshot "rpool/persistent/nixos-containers"; + }; + "persistent/bittorrent" = { + type = "zfs_fs"; + mountpoint = "/media/bittorrent"; + options.canmount = "on"; + options.atime = "off"; + options.recordsize = "16K"; + options.compression = "lz4"; + postCreateHook = emptySnapshot "rpool/persistent/bittorrent"; + }; + "persistent/libvirt" = { + type = "zfs_fs"; + mountpoint = "/var/lib/libvirt"; + options.canmount = "on"; + postCreateHook = emptySnapshot "rpool/persistent/libvirt"; + }; + "persistent/libvirt-user" = { + type = "zfs_fs"; + mountpoint = "/media/libvirt"; + options.canmount = "on"; + postCreateHook = emptySnapshot "rpool/persistent/libvirt-user"; + }; + "persistent/libvirt-user/images" = { + type = "zfs_fs"; + mountpoint = "/media/libvirt/images"; + options.canmount = "on"; + options.atime = "off"; + options.recordsize = "16K"; + options.compression = "lz4"; + postCreateHook = emptySnapshot "rpool/persistent/libvirt-user/images"; + }; + "persistent/ocis" = { + type = "zfs_fs"; + mountpoint = "/var/lib/ocis"; + options.canmount = "on"; + options.recordsize = "1M"; + postCreateHook = emptySnapshot "rpool/persistent/ocis"; + }; + # "persistent/podman" = { + # type = "zfs_fs"; + # mountpoint = "/var/lib/podman"; + # options.canmount = "on"; + # options.atime = "off"; + # postCreateHook = emptySnapshot "rpool/persistent/podman"; + # }; + "persistent/postgresql" = { + type = "zfs_fs"; + mountpoint = "/var/lib/postgresql"; + options.canmount = "on"; + options.recordsize = "16K"; + options.atime = "off"; + options.logbias = "latency"; + postCreateHook = emptySnapshot 
"rpool/persistent/postgresql"; + }; + vol = { + type = "zfs_fs"; + options.canmount = "off"; + postCreateHook = emptySnapshot "rpool/vol"; + }; + "vol/podman" = { + type = "zfs_volume"; + size = "40G"; + options.volblocksize = "16K"; + content = { + type = "filesystem"; + format = "xfs"; + mountpoint = "/var/lib/containers"; + }; + }; + }; + }; + }; + }; +} diff --git a/machines/Home-Hypervisor/dns-mapping.nix b/machines/Home-Hypervisor/dns-mapping.nix deleted file mode 100644 index 8134a0e..0000000 --- a/machines/Home-Hypervisor/dns-mapping.nix +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - headscale-list = [ - { name = "ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "api.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "auth.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "cache.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "cal.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "code.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "docs.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "file.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "home.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "jackett.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "jellyfin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "joplin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "kavita.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "ldap.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "lib.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "medusa.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "net.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "openbooks.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "pdf.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "qbit.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "radarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "restic.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "s3.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "sonarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = 
"tools.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "vault.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "wiki.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - - { name = "ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "api.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "auth.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "cache.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "cal.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "code.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "docs.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "file.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "home.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "jackett.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "jellyfin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "joplin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "kavita.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "ldap.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "lib.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "medusa.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "net.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "openbooks.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = 
"pdf.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "qbit.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "radarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "restic.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "s3.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "sonarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "tools.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "vault.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "wiki.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - ]; - dnsmasq-list = [ - # TODO: Fix dns resolution in blocky for unmapped subdomains of ataraxiadev.com - "/element.ataraxiadev.com/10.10.10.10" - "/matrix.ataraxiadev.com/10.10.10.10" - "/turn.ataraxiadev.com/10.10.10.10" - - "/api.ataraxiadev.com/10.10.10.10" - "/auth.ataraxiadev.com/10.10.10.10" - "/cache.ataraxiadev.com/10.10.10.10" - "/cal.ataraxiadev.com/10.10.10.10" - "/code.ataraxiadev.com/10.10.10.10" - "/docs.ataraxiadev.com/10.10.10.10" - "/file.ataraxiadev.com/10.10.10.10" - "/home.ataraxiadev.com/10.10.10.10" - "/jackett.ataraxiadev.com/10.10.10.10" - "/jellyfin.ataraxiadev.com/10.10.10.10" - "/joplin.ataraxiadev.com/10.10.10.10" - "/kavita.ataraxiadev.com/10.10.10.10" - "/ldap.ataraxiadev.com/10.10.10.10" - "/lib.ataraxiadev.com/10.10.10.10" - "/medusa.ataraxiadev.com/10.10.10.10" - "/net.ataraxiadev.com/10.10.10.10" - "/openbooks.ataraxiadev.com/10.10.10.10" - "/pdf.ataraxiadev.com/10.10.10.10" - "/qbit.ataraxiadev.com/10.10.10.10" - "/radarr.ataraxiadev.com/10.10.10.10" - 
"/restic.ataraxiadev.com/10.10.10.10" - "/s3.ataraxiadev.com/10.10.10.10" - "/stats.ataraxiadev.com/10.10.10.10" - "/sonarr.ataraxiadev.com/10.10.10.10" - "/tools.ataraxiadev.com/10.10.10.10" - "/vault.ataraxiadev.com/10.10.10.10" - "/vw.ataraxiadev.com/10.10.10.10" - "/wiki.ataraxiadev.com/10.10.10.10" - ]; -} \ No newline at end of file diff --git a/machines/Home-Hypervisor/hardware-configuration.nix b/machines/Home-Hypervisor/hardware-configuration.nix deleted file mode 100644 index 72e09b7..0000000 --- a/machines/Home-Hypervisor/hardware-configuration.nix +++ /dev/null 
@@ -1,109 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "rpool/nixos/root"; - fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; - }; - - fileSystems."/home" = - { device = "rpool/user/home"; - fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; - }; - - fileSystems."/persist" = - { device = "rpool/persistent/impermanence"; - fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; - }; - - fileSystems."/srv" = - { device = "rpool/persistent/servers"; - fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; - }; - - fileSystems."/etc/secrets" = - { device = "rpool/persistent/secrets"; - fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; - }; - - fileSystems."/nix" = - { device = "rpool/persistent/nix"; - fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; - }; - - fileSystems."/var/log" = - { device = "rpool/persistent/log"; - fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; - }; - - fileSystems."/var/lib/docker" = - { device = "rpool/persistent/docker"; - fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; - }; - - fileSystems."/var/lib/podman" = - { device = "/dev/zvol/rpool/vol/podman"; - fsType = "xfs"; options = [ "X-mount.mkdir" ]; - }; - - fileSystems."/var/lib/nixos-containers" = - { device = "rpool/persistent/nixos-containers"; - fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; - }; - - fileSystems."/media/bittorrent" = - { device = "rpool/persistent/bittorrent"; - fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" 
]; - }; - - fileSystems."/media/libvirt" = - { device = "rpool/persistent/libvirt"; - fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; - }; - - fileSystems."/boot" = - { device = "bpool/nixos/boot"; - fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; - }; - - fileSystems."/efi" = - { device = "/dev/disk/by-uuid/C5F3-4271"; - fsType = "vfat"; - }; - - swapDevices = [ - { - device = "/dev/disk/by-partuuid/4623124f-05e6-4d55-8fe8-6cd9a904fd72"; - randomEncryption.enable = true; - randomEncryption.allowDiscards = true; - } - ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - networking.hostId = "a9408846"; - boot.zfs.devNodes = "/dev/disk/by-id"; - boot.supportedFilesystems = [ "xfs" "zfs" ]; - boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-partuuid/465cbfbb-73b8-4129-9904-9fabcc5db368"; - boot.initrd.luks.devices."cryptboot".device = "/dev/disk/by-partuuid/74f2b810-c7ff-471d-9829-7a3ef05c8c0e"; -} diff --git a/machines/Home-Hypervisor/hardware/networks.nix b/machines/Home-Hypervisor/hardware/networks.nix new file mode 100644 index 0000000..6c9bf79 --- /dev/null +++ b/machines/Home-Hypervisor/hardware/networks.nix 
@@ -0,0 +1,21 @@
+{
+ domain = "home.ataraxiadev.com";
+ hasIPv6 = false;
+ interfaces = {
+ main' = {
+ mac = "d4:3d:7e:26:a8:af";
+ bridgeName = "br0";
+ ifname = "enp2s0";
+ IPv4 = {
+ address = "10.10.10.10/24";
+ gateway = "10.10.10.1";
+ dns = [ "10.10.10.1" "9.9.9.9" ];
+ };
+ IPv6 = {
+ address = "";
+ gateway = "";
+ dns = [ ];
+ };
+ };
+ };
+}
diff --git a/machines/Home-Hypervisor/networking.nix b/machines/Home-Hypervisor/networking.nix
new file mode 100644
index 0000000..070d362
--- /dev/null
+++ b/machines/Home-Hypervisor/networking.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+let
+ inherit (import ./hardware/networks.nix) interfaces domain hasIPv6;
+in {
+ services.resolved.enable = true;
+ networking = {
+ dhcpcd.enable = false;
+ domain = domain;
+ enableIPv6 = hasIPv6;
+ hostName = config.device;
+ nftables.enable = true;
+ useDHCP = false;
+ useNetworkd = lib.mkForce false;
+ usePredictableInterfaceNames = true;
+
+ firewall = {
+ enable = true;
+ allowedTCPPorts = lib.mkDefault [ ];
+ allowedUDPPorts = lib.mkDefault [ ];
+ };
+
+ nameservers = [ "10.10.10.1" "9.9.9.9" ];
+
+ # extraHosts = ''
+ # 127.0.0.1 auth.ataraxiadev.com
+ # 127.0.0.1 code.ataraxiadev.com
+ # 127.0.0.1 cache.ataraxiadev.com
+ # 127.0.0.1 s3.ataraxiadev.com
+ # 127.0.0.1 wg.ataraxiadev.com
+ # 127.0.0.1 vault.ataraxiadev.com
+ # 127.0.0.1 matrix.ataraxiadev.com
+ # '';
+ };
+
+ systemd.network = with interfaces.main'; {
+ enable = lib.mkForce true;
+ wait-online.ignoredInterfaces = [ "lo" ];
+ networks = {
+ "40-${ifname}" = {
+ matchConfig.Name = ifname;
+ linkConfig.RequiredForOnline = "enslaved";
+ networkConfig.Bridge = bridgeName;
+ networkConfig.DHCP = "no";
+ };
+ "60-${bridgeName}" = {
+ matchConfig.Name = bridgeName;
+ address = [
+ IPv4.address
+ ] ++ lib.optionals hasIPv6 [
+ IPv6.address
+ "fc00::1/64"
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ # networkConfig = {
+ # IPForward = true;
+ # DNS = IPv4.dns ++ lib.optionals hasIPv6 IPv6.dns;
+ # };
+ routes = [{
+ Gateway = IPv4.gateway;
+ GatewayOnLink = true;
+ }] ++ lib.optionals hasIPv6 [{
+ Gateway = IPv6.gateway;
+ GatewayOnLink = true;
+ }];
+ };
+ };
+ netdevs = {
+ "60-${bridgeName}" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = bridgeName;
+ MACAddress = mac;
+ };
+ };
+ };
+ };
+
+ system.activationScripts.udp-gro-forwarding = {
+ text = with interfaces.main'; ''
+ ${pkgs.ethtool}/bin/ethtool -K ${bridgeName} rx-udp-gro-forwarding on rx-gro-list off
+ '';
+ };
+}
\ No newline at end of file
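Review bot: `nameservers = [ "10.10.10.1" "9.9.9.9" ]` duplicates the `IPv4.dns` list in hardware/networks.nix that this file already imports, so the two will drift; `nameservers = interfaces.main'.IPv4.dns ++ lib.optionals hasIPv6 interfaces.main'.IPv6.dns;` keeps one source of truth. `useNetworkd = lib.mkForce false` directly above `systemd.network.enable = lib.mkForce true` reads as a contradiction; if the intent is networkd for the bridge only with scripted networking left in place, a one-line comment above `useNetworkd` should say so. The `udp-gro-forwarding` activation script runs `ethtool` on the bridge at every activation, where on a fresh boot the bridge may not exist yet and the failure is presumably only reported; a oneshot service ordered after the bridge's device unit would make it deterministic. With `services.resolved` enabled and a public resolver in the list, `services.resolved.dnsovertls = "opportunistic"` would be a cheap hardening step if the upstreams support it.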
diff --git a/machines/Home-Hypervisor/nginx.nix b/machines/Home-Hypervisor/nginx.nix
new file mode 100644
index 0000000..1143647
--- /dev/null
+++ b/machines/Home-Hypervisor/nginx.nix
@@ -0,0 +1,79 @@
+{ ... }:
+{
+ services.nginx = {
+ enable = true;
+ group = "acme";
+ recommendedBrotliSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedZstdSettings = true;
+ clientMaxBodySize = "250m";
+ commonHttpConfig = ''
+ proxy_hide_header X-Frame-Options;
+ '';
+ virtualHosts = let
+ default = {
+ useACMEHost = "ataraxiadev.com";
+ enableACME = false;
+ forceSSL = true;
+ };
+ proxySettings = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ '';
+ in {
+ "media-stack" = {
+ serverAliases = [
+ "jellyfin.ataraxiadev.com"
+ "qbit.ataraxiadev.com"
+ "prowlarr.ataraxiadev.com"
+ "jackett.ataraxiadev.com"
+ "sonarr.ataraxiadev.com"
+ "radarr.ataraxiadev.com"
+ "lidarr.ataraxiadev.com"
+ "kavita.ataraxiadev.com"
+ ];
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8180";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+ send_timeout 15m;
+ proxy_connect_timeout 600;
+ proxy_send_timeout 600;
+ proxy_read_timeout 15m;
+ '' + proxySettings;
+ };
+ } // default;
+ "medusa.ataraxiadev.com" = {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8180";
+ proxyWebsockets = true;
+ extraConfig = ''
+ add_header Content-Security-Policy "upgrade-insecure-requests";
+ '' + proxySettings;
+ };
+ } // default;
+ "code.ataraxiadev.com" = {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:6000";
+ extraConfig = proxySettings;
+ };
+ } // default;
+ "ataraxiadev.com" = {
+ extraConfig = ''
+ return 301 https://code.ataraxiadev.com$request_uri;
+ '';
+ } // default;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
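Review bot: `proxy_hide_header X-Frame-Options;` in `commonHttpConfig` strips the anti-clickjacking header from every upstream on the host, Gitea at `code.ataraxiadev.com` included, while only the media-stack UIs plausibly need to be framed; move the directive into the `extraConfig` of the location that needs it and leave the other vhosts as their upstreams send them. The `media-stack` vhost proxies eight aliases to a single `127.0.0.1:8180`, so whatever listens there must route on the forwarded `Host` header — a short comment naming that service would spare the next reader the guess. `clientMaxBodySize = "250m"` is set globally and so also applies to the redirect-only `ataraxiadev.com` vhost; scoping it to the upload-capable locations is the tighter default. The `let` bindings and the whole vhost set are within this hunk.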
diff --git a/machines/Home-Hypervisor/usb-hdd.nix b/machines/Home-Hypervisor/usb-hdd.nix deleted file mode 100644 index cf30e6e..0000000 --- a/machines/Home-Hypervisor/usb-hdd.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ pkgs, ... }: { - boot.initrd = rec { - luks.devices = { - "crypt-nas" = { - device = "/dev/disk/by-id/ata-ST4000NM0035-1V4107_ZC1A7CWN"; - keyFile = "/nas_keyfile0.bin"; - }; - }; - secrets = { - "nas_keyfile0.bin" = "/etc/secrets/nas_keyfile0.bin"; - }; - availableKernelModules = [ - "usb_storage" - "usbcore" - "scsi_mod" - "usb_common" - "ehci_pci" "ahci" "uas" "sd_mod" "sdhci_pci" - ]; - kernelModules = availableKernelModules; - }; - - boot.zfs.extraPools = [ "nas-pool" ]; - - system.activationScripts.disable-hdd-spindown.text = '' - ${pkgs.hdparm}/bin/hdparm -s 0 /dev/disk/by-id/ata-ST4000NM0035-1V4107_ZC1A7CWN - ''; -} \ No newline at end of file diff --git a/machines/Home-Hypervisor/virtualisation.nix b/machines/Home-Hypervisor/virtualisation.nix index 8943357..fc6db5d 100644 --- a/machines/Home-Hypervisor/virtualisation.nix +++ b/machines/Home-Hypervisor/virtualisation.nix @@ -8,12 +8,31 @@ virtualisation = { docker.enable = lib.mkForce false; - podman.defaultNetwork.settings.dns_enabled = lib.mkForce false; + podman.defaultNetwork.settings.dns_enabled = lib.mkForce true; podman.extraPackages = [ pkgs.zfs ]; spiceUSBRedirection.enable = lib.mkForce false; containers.storage.settings.storage.graphroot = lib.mkForce "/var/lib/podman/storage"; }; + # networking.dhcpcd.denyInterfaces = [ "podman0" ]; + # systemd.network = { + # netdevs."60-podman0" = { + # netdevConfig = { + # Kind = "bridge"; + # Name = "podman0"; + # }; + # }; + # networks."50-podman" = { + # matchConfig = { + # Name = "podman0"; + # }; + # linkConfig = { + # Unmanaged = true; + # ActivationPolicy = "manual"; + # }; + # }; + # }; + users.users.${config.mainuser} = { subUidRanges = [{ count = 1000; diff --git a/roles/hypervisor.nix b/roles/hypervisor.nix index b369e14..cb84cc4 100644 
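Review bot: The 18-line `systemd.network` block for `podman0` is added only as a comment, with `# networking.dhcpcd.denyInterfaces` above it; if it is an experiment that did not work, a `# TODO: …` with the reason is more useful than dead config, and if it is abandoned it should not be added at all. `podman.defaultNetwork.settings.dns_enabled` flips to `lib.mkForce true` without a word on why the earlier `false` is no longer wanted; the `mkForce` implies another module sets it, so a comment naming that module would help. The `virtualisation` attribute set starts before this hunk.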
--- a/roles/hypervisor.nix
+++ b/roles/hypervisor.nix
@@ -15,7 +15,7 @@
 nix-index
 nnn
 overlay
- pass-secret-service
+ # pass-secret-service
 ssh
 user
 vlock