From 6576e43d821549b5f462e650199eae32d3b21fea Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin <ataraxiadev@ataraxiadev.com>
Date: Mon, 18 Nov 2024 03:14:13 +0300
Subject: [PATCH] new home-hypervisor

---
 machines/Home-Hypervisor/autoinstall.nix      |  21 --
 machines/Home-Hypervisor/boot.nix             |  92 ++++--
 machines/Home-Hypervisor/default.nix          | 175 +++++------
 machines/Home-Hypervisor/disk-config.nix      | 279 ++++++++++++++++++
 machines/Home-Hypervisor/dns-mapping.nix      | 104 -------
 .../hardware-configuration.nix                | 109 -------
 .../Home-Hypervisor/hardware/networks.nix     |  21 ++
 machines/Home-Hypervisor/networking.nix       |  83 ++++++
 machines/Home-Hypervisor/nginx.nix            |  79 +++++
 machines/Home-Hypervisor/usb-hdd.nix          |  27 --
 machines/Home-Hypervisor/virtualisation.nix   |  21 +-
 roles/hypervisor.nix                          |   2 +-
 12 files changed, 613 insertions(+), 400 deletions(-)
 delete mode 100644 machines/Home-Hypervisor/autoinstall.nix
 create mode 100644 machines/Home-Hypervisor/disk-config.nix
 delete mode 100644 machines/Home-Hypervisor/dns-mapping.nix
 delete mode 100644 machines/Home-Hypervisor/hardware-configuration.nix
 create mode 100644 machines/Home-Hypervisor/hardware/networks.nix
 create mode 100644 machines/Home-Hypervisor/networking.nix
 create mode 100644 machines/Home-Hypervisor/nginx.nix
 delete mode 100644 machines/Home-Hypervisor/usb-hdd.nix

diff --git a/machines/Home-Hypervisor/autoinstall.nix b/machines/Home-Hypervisor/autoinstall.nix
deleted file mode 100644
index d53d7b1..0000000
--- a/machines/Home-Hypervisor/autoinstall.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ ... }: {
-  autoinstall."Home-Hypervisor" = {
-    debug = false;
-    mainuser = "ataraxia";
-    flakesPath = "/home/nixos/nixos-config";
-    encryption.encryptBoot = true;
-    encryption.encryptRoot = true;
-    encryption.passwordFile = "/home/nixos/pass";
-    encryption.argonIterTime = "4000";
-    partitioning.useEntireDisk = true;
-    partitioning.disk = "/dev/disk/by-id/ata-Samsung_SSD_870_EVO_500GB_S5Y1NJ1R160554B";
-    partitioning.nullifyDisk = false;
-    swapPartition.enable = true;
-    swapPartition.size = "8GiB";
-    zfsOpts.ashift = 13;
-    zfsOpts.bootPoolReservation = "256M";
-    zfsOpts.rootPoolReservation = "25G";
-    persist.enable = true;
-    oldUefi = true;
-  };
-}
diff --git a/machines/Home-Hypervisor/boot.nix b/machines/Home-Hypervisor/boot.nix
index 6429d30..8138966 100644
--- a/machines/Home-Hypervisor/boot.nix
+++ b/machines/Home-Hypervisor/boot.nix
@@ -1,43 +1,57 @@
-{ config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 let
   zfs_arc_max = toString (3 * 1024 * 1024 * 1024);
 in {
+  # CachyOS kernel
+  imports = [ inputs.chaotic.nixosModules.default ];
+
   boot = {
-    zfs.forceImportAll = lib.mkForce false;
-    loader.efi.canTouchEfiVariables = false;
-    loader.efi.efiSysMountPoint = "/efi";
-    loader.generationsDir.copyKernels = true;
-    loader.grub = {
-      enable = true;
-      device = "nodev";
-      efiSupport = true;
-      enableCryptodisk = true;
-      zfsSupport = true;
-      efiInstallAsRemovable = true;
-      copyKernels = true;
-    };
+    # zfs.package = pkgs.zfs_cachyos;
+    # kernelPackages = pkgs.linuxPackages_cachyos-hardened;
+    # kernelPackages = pkgs.linuxPackages_cachyos-server;
+    # kernelPackages = pkgs.linuxPackages_hardened;
+    # kernelPackages = pkgs.linuxPackages;
+    # kernelPackages = pkgs.linuxPackages_xanmod;
+
     initrd = {
       luks.devices = {
-        "cryptboot" = {
-          preLVM = true;
-          keyFile = "/keyfile0.bin";
-          allowDiscards = true;
-          bypassWorkqueues = config.deviceSpecific.isSSD;
-          fallbackToPassword = true;
-        };
+        # "cryptboot" = {
+        #   allowDiscards = true;
+        #   bypassWorkqueues = config.deviceSpecific.isSSD;
+        #   keyFile = "/keyfile0.bin";
+        # };
         "cryptroot" = {
-          preLVM = true;
-          keyFile = "/keyfile0.bin";
           allowDiscards = true;
           bypassWorkqueues = config.deviceSpecific.isSSD;
-          fallbackToPassword = true;
+          keyFile = "/keyfile0.bin";
+        };
+        "crypt-nas" = {
+          device = "/dev/disk/by-id/ata-ST4000NM0035-1V4107_ZC1A7CWN";
+          keyFile = "/nas_keyfile0.bin";
         };
       };
       secrets = {
         "keyfile0.bin" = "/etc/secrets/keyfile0.bin";
+        "nas_keyfile0.bin" = "/etc/secrets/nas_keyfile0.bin";
+      };
+      supportedFilesystems = [ "zfs" ];
+      systemd.enable = true;
+    };
+    loader = {
+      efi.canTouchEfiVariables = false;
+      efi.efiSysMountPoint = "/efi";
+      generationsDir.copyKernels = true;
+      grub = {
+        enable = true;
+        enableCryptodisk = true;
+        device = "nodev";
+        copyKernels = true;
+        efiInstallAsRemovable = true;
+        efiSupport = true;
+        zfsSupport = true;
+        useOSProber = false;
       };
     };
-    kernelPackages = pkgs.linuxPackages_hardened;
     kernelModules = [ "tcp_bbr" "veth" ];
     kernelParams = [
       "zfs.zfs_arc_max=${zfs_arc_max}"
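Review bot: The LUKS key files registered under `secrets` (`keyfile0.bin`, `nas_keyfile0.bin`) are appended to the initrd in `/boot`, and with `cryptboot` commented out that initrd now sits on the plain `bpool` partition created in disk-config.nix, so anyone with the disk can lift the keys that unlock both `cryptroot` and `crypt-nas`. The deleted autoinstall config had `encryption.encryptBoot = true`; `grub.enableCryptodisk = true` is kept here but there is no longer an encrypted device for GRUB to open, so the setting does nothing. Either keep `/boot` inside a LUKS container (re-enable `cryptboot` and wrap the `bpool` partition in disk-config.nix) or drop the unattended key files and rely on the passphrase prompt. Separately, `kernelPackages = pkgs.linuxPackages_hardened` is removed and every alternative is commented out, so unless the chaotic module picks one the host falls back to the default kernel while `customProfiles.hardened` is still imported; pin the intended kernel explicitly, e.g. `kernelPackages = pkgs.linuxPackages_hardened;`.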
@@ -60,9 +74,31 @@ in {
       "vm.dirty_ratio" = 40;
       "vm.page-cluster" = 0;
       "vm.overcommit_memory" = lib.mkForce 1;
-
-      "net.ipv4.tcp_congestion_control" = "bbr";
-      "net.core.default_qdisc" = "fq";
     };
+
+    zfs.extraPools = [ "bpool" "rpool" "nas-pool" ];
   };
+
+  networking.hostId = "a9408846";
+
+  # Impermanence
+  persist = {
+    enable = true;
+    cache.clean.enable = true;
+  };
+  fileSystems."/home".neededForBoot = true;
+  fileSystems."/persist".neededForBoot = true;
+  # boot.initrd.systemd.services.rollback = {
+  #   description = "Rollback zfs to a pristine state on boot";
+  #   wantedBy = [ "initrd.target" ];
+  #   after = [ "zfs-import-rpool.service" ];
+  #   before = [ "sysroot.mount" ];
+  #   path = [ config.boot.zfs.package ];
+  #   unitConfig.DefaultDependencies = "no";
+  #   serviceConfig.Type = "oneshot";
+  #   script = ''
+  #     zfs rollback -r rpool/nixos/root@empty && echo "  >>> rollback root <<<"
+  #     zfs rollback -r rpool/user/home@empty && echo "  >>> rollback home <<<"
+  #   '';
+  # };
 }
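Review bot: The impermanence rollback survives only as a commented-out unit here while the old `boot.initrd.postDeviceCommands` version is removed in default.nix, so `rpool/nixos/root` and `rpool/user/home` are no longer reset on boot even though `persist.enable = true` suggests that is still expected. When the unit is re-enabled note that disko's `emptySnapshot` hook in disk-config.nix creates snapshots named `@blank`, not `@empty`, so `zfs rollback -r rpool/nixos/root@empty` would fail; use `rpool/nixos/root@blank` and `rpool/user/home@blank`. Minor: `tcp_bbr` is still listed in `kernelModules` although the `tcp_congestion_control`/`default_qdisc` sysctls were dropped in this hunk; if they moved to another module that is fine, otherwise the module load is dead weight.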
diff --git a/machines/Home-Hypervisor/default.nix b/machines/Home-Hypervisor/default.nix
index 482f492..b3e0e61 100644
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@@ -2,54 +2,61 @@
 let persistRoot = config.autoinstall.persist.persistRoot or "/persist";
 in {
   imports = with inputs.self; [
+    inputs.disko.nixosModules.disko
+    inputs.srvos.nixosModules.server
+    inputs.srvos.nixosModules.mixins-terminfo
+
+    ./disk-config.nix
+
     ./backups.nix
     ./boot.nix
-    ./hardware-configuration.nix
-    ./usb-hdd.nix
+    ./networking.nix
     ./virtualisation.nix
     customProfiles.hardened
     customRoles.hypervisor
 
-    customProfiles.tg-bot
+    ./nginx.nix
+
+    # customProfiles.tg-bot
 
     customProfiles.acme
-    customProfiles.attic
-    customProfiles.atticd
-    customProfiles.authentik
-    customProfiles.battery-historian
-    customProfiles.coturn
-    customProfiles.fail2ban
+    # customProfiles.attic
+    # customProfiles.atticd
+    # customProfiles.authentik
+    # customProfiles.battery-historian
+    # customProfiles.coturn
+    # customProfiles.fail2ban
     customProfiles.gitea
-    customProfiles.homepage
-    customProfiles.hoyolab
-    customProfiles.inpx-web
-    customProfiles.it-tools
+    # customProfiles.homepage
+    # customProfiles.hoyolab
+    # customProfiles.inpx-web
+    # customProfiles.it-tools
     customProfiles.media-stack
-    customProfiles.metrics
-    customProfiles.minio
-    customProfiles.netbird-server
-    customProfiles.nginx
-    customProfiles.ocis
-    customProfiles.onlyoffice
-    customProfiles.openbooks
-    customProfiles.outline
-    customProfiles.radicale
-    customProfiles.spdf
-    customProfiles.synapse
+    # customProfiles.metrics
+    # customProfiles.minio
+    # customProfiles.netbird-server
+    # customProfiles.nginx
+    # customProfiles.ocis
+    # customProfiles.onlyoffice
+    # customProfiles.openbooks
+    # customProfiles.outline
+    # customProfiles.radicale
+    # customProfiles.spdf
+    # customProfiles.synapse
     customProfiles.tinyproxy
-    customProfiles.vault
-    customProfiles.vaultwarden
-    customProfiles.webhooks
-    customProfiles.wiki
-    customProfiles.yandex-db
+    # customProfiles.vault
+    # customProfiles.vaultwarden
+    # customProfiles.webhooks
+    # customProfiles.wiki
+    # customProfiles.yandex-db
 
-    (import customProfiles.blocky {
-      inherit (import ./dns-mapping.nix) dnsmasq-list;
-    })
+    # (import customProfiles.blocky {
+    #   inherit (import ./dns-mapping.nix) dnsmasq-list;
+    # })
 
-    (import customProfiles.headscale {
-      inherit (import ./dns-mapping.nix) headscale-list;
-    })
+    # (import customProfiles.headscale {
+    #   inherit (import ./dns-mapping.nix) headscale-list;
+    # })
   ];
   security.lockKernelModules = lib.mkForce false;
 
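Review bot: `customProfiles.fail2ban` is commented out while `customProfiles.gitea`, `customProfiles.acme` and the new `./nginx.nix` keep serving from this host, so the brute-force protection on the exposed ssh and web endpoints disappears with nothing in this patch replacing it. If this is a staged rebuild, keep fail2ban enabled alongside the services that stay; if those services are meant to be LAN-only now, a one-line comment next to the disabled profiles would record that. The `let` line still reads `config.autoinstall.persist.persistRoot` although this machine's autoinstall config is deleted in the same patch; the `or "/persist"` fallback keeps evaluation alive, but with `fileSystems.${persistRoot}` gone the binding looks unused — drop it or point it at the `persist` module's option.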
@@ -57,25 +64,25 @@ in {
     cpu.vendor = "intel";
     drive.type = "ssd";
     gpu.vendor = "other";
-    ram = 12;
+    ram = 8;
     fileSystem = "zfs";
   };
   deviceSpecific.isServer = true;
   deviceSpecific.vpn.tailscale.enable = true;
   # Tailscale auto-login
-  services.headscale-auth.home-hypervisor = {
-    outPath = "/tmp/hypervisor-authkey";
-    before = [ "tailscaled-autoconnect.service" ];
-  };
-  services.tailscale = {
-    authKeyFile = "/tmp/hypervisor-authkey";
-    extraUpFlags = [
-      "--login-server=https://wg.ataraxiadev.com"
-      "--accept-dns=false"
-      "--advertise-exit-node=false"
-      "--operator=${config.mainuser}"
-    ];
-  };
+  # services.headscale-auth.home-hypervisor = {
+  #   outPath = "/tmp/hypervisor-authkey";
+  #   before = [ "tailscaled-autoconnect.service" ];
+  # };
+  # services.tailscale = {
+  #   authKeyFile = "/tmp/hypervisor-authkey";
+  #   extraUpFlags = [
+  #     "--login-server=https://wg.ataraxiadev.com"
+  #     "--accept-dns=false"
+  #     "--advertise-exit-node=false"
+  #     "--operator=${config.mainuser}"
+  #   ];
+  # };
 
   zramSwap = {
     enable = true;
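Review bot: `deviceSpecific.vpn.tailscale.enable = true` is kept while the `services.tailscale` block carrying `--login-server=https://wg.ataraxiadev.com` and `authKeyFile` is commented out, so if that option still starts tailscaled the daemon comes up pointed at the public Tailscale control plane instead of the self-hosted headscale, unauthenticated and waiting for a manual `tailscale up`. Either disable `deviceSpecific.vpn.tailscale.enable` together with the block, or keep at least `services.tailscale.extraUpFlags = [ "--login-server=https://wg.ataraxiadev.com" ];` so a later login cannot land on the wrong coordination server. When the auth-key handoff is re-enabled, consider a path under `/run` rather than `/tmp/hypervisor-authkey`.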
@@ -91,27 +98,10 @@ in {
       files = [ "/etc/machine-id" ];
     };
   };
-  fileSystems."/home".neededForBoot = true;
-  fileSystems.${persistRoot}.neededForBoot = true;
-  boot.initrd.postDeviceCommands = lib.mkAfter ''
-    zfs rollback -r rpool/nixos/root@empty
-    zfs rollback -r rpool/user/home@empty
-  '';
 
   environment.memoryAllocator.provider = "libc";
-
-  # build hell
-  environment.noXlibs = lib.mkForce false;
-  # minimal profile
-  documentation.nixos.enable = lib.mkForce false;
-  programs.command-not-found.enable = lib.mkForce false;
-  xdg.autostart.enable = lib.mkForce false;
-  xdg.icons.enable = lib.mkForce false;
-  xdg.mime.enable = lib.mkForce false;
-  xdg.sounds.enable = lib.mkForce false;
-  services.udisks2.enable = lib.mkForce false;
-
-  fonts.enableDefaultPackages = lib.mkForce false;
+  services.udisks2.enable = false;
+  fonts.enableDefaultPackages = false;
   fonts.packages =
     [ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ];
 
@@ -123,50 +113,18 @@ in {
     trim.enable = true;
     trim.interval = "weekly";
   };
+  services.postgresql.enable = true;
   services.postgresql.settings = {
     full_page_writes = "off";
     wal_init_zero = "off";
     wal_recycle = "off";
   };
 
-  # hardened
-  networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = lib.mkDefault [ ];
-  networking.firewall.allowedUDPPorts = lib.mkDefault [ ];
-  systemd.coredump.enable = false;
-  programs.firejail.enable = true;
-
-  networking.wireless.enable = false;
-  networking.networkmanager.enable = false;
-  networking.hostName = config.device;
-
-  networking.nameservers = [ "10.10.10.53" "10.10.10.1" "9.9.9.9" ];
-  networking.defaultGateway = "10.10.10.1";
-  networking.bridges.br0.interfaces = [ "enp2s0f0" ];
-  networking.interfaces.br0 = {
-    useDHCP = false;
-    ipv4.addresses = [{
-      address = "10.10.10.10";
-      prefixLength = 24;
-    }];
-  };
-  networking.extraHosts = ''
-    127.0.0.1 auth.ataraxiadev.com
-    127.0.0.1 code.ataraxiadev.com
-    127.0.0.1 cache.ataraxiadev.com
-    127.0.0.1 s3.ataraxiadev.com
-    127.0.0.1 wg.ataraxiadev.com
-    127.0.0.1 vault.ataraxiadev.com
-    127.0.0.1 matrix.ataraxiadev.com
-  '';
-
-  nix.optimise.automatic = false;
-
-  services.logind.lidSwitch = "lock";
-  services.logind.lidSwitchDocked = "lock";
-  services.logind.lidSwitchExternalPower = "lock";
-  systemd.services.systemd-timesyncd.wantedBy = [ "multi-user.target" ];
-  systemd.timers.systemd-timesyncd = { timerConfig.OnCalendar = "hourly"; };
+  nix.settings.experimental-features = [
+    "cgroups"
+    "fetch-closure"
+    "recursive-nix"
+  ];
 
   home-manager.users.${config.mainuser} = {
     home.file.".config/libvirt/libvirt.conf".text = ''
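Review bot: `systemd.coredump.enable = false` and `programs.firejail.enable = true` are removed here along with the network settings that moved to networking.nix, but nothing in this patch re-applies them, so core dumps of services such as postgresql or gitea (which can hold credentials and session material) revert to default handling unless `customProfiles.hardened` or the srvos server module sets it — both are outside this diff, so please confirm. If the hardened profile does not cover it, keep `systemd.coredump.enable = false;` here. The new `recursive-nix` and `cgroups` entries in `nix.settings.experimental-features` widen what builds may do on a host that also runs VMs and containers; a short comment stating why the hypervisor needs them would help the next reviewer.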
@@ -179,7 +137,6 @@ in {
       dig.dnsutils
       fd
       kitty
-      lnav
       micro
       nix-index-update
       p7zip
@@ -193,7 +150,7 @@ in {
       smartmontools
     ];
     xdg.mime.enable = false;
-    home.stateVersion = "24.05";
+    home.stateVersion = "24.11";
   };
-  system.stateVersion = "24.05";
+  system.stateVersion = "24.11";
 }
diff --git a/machines/Home-Hypervisor/disk-config.nix b/machines/Home-Hypervisor/disk-config.nix
new file mode 100644
index 0000000..fa91607
--- /dev/null
+++ b/machines/Home-Hypervisor/disk-config.nix
@@ -0,0 +1,279 @@
+{ ... }:
+let
+  emptySnapshot = name: "zfs list -t snapshot -H -o name | grep -E '^${name}@blank$' || zfs snapshot ${name}@blank";
+in {
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/disk/by-id/ata-Samsung_SSD_870_EVO_500GB_S5Y1NJ1R160554B";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            esp = {
+              type = "EF00";
+              name = "ESP";
+              size = "512M";
+              priority = 1;
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/efi";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            swap = {
+              name = "swap";
+              size = "16G";
+              priority = 2;
+              content = {
+                type = "swap";
+                randomEncryption = true;
+              };
+            };
+            boot = {
+              name = "bpool";
+              size = "4G";
+              priority = 3;
+              content = {
+                type = "zfs";
+                pool = "bpool";
+              };
+            };
+            cryptroot = {
+              size = "100%";
+              priority = 4;
+              content = {
+                type = "luks";
+                name = "cryptroot";
+                settings.allowDiscards = true;
+                passwordFile = "/tmp/cryptroot.pass";
+                additionalKeyFiles = [ "/tmp/cryptroot.key" ];
+                content = {
+                  type = "zfs";
+                  pool = "rpool";
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      bpool = {
+        type = "zpool";
+        options = {
+          ashift = "13";
+          autotrim = "on";
+          compatibility = "grub2";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "on";
+          canmount = "off";
+          compression = "lz4";
+          devices = "off";
+          normalization = "formD";
+          relatime = "on";
+          xattr = "sa";
+          dedup = "off";
+        };
+        mountpoint = "/boot";
+        postCreateHook = emptySnapshot "bpool";
+
+        datasets = {
+          nixos = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options.canmount = "off";
+            postCreateHook = emptySnapshot "bpool/nixos";
+          };
+          "nixos/boot" = {
+            type = "zfs_fs";
+            mountpoint = "/boot";
+            options.canmount = "on";
+            postCreateHook = emptySnapshot "bpool/nixos/boot";
+          };
+        };
+      };
+      rpool = {
+        type = "zpool";
+        options = {
+          ashift = "13";
+          autotrim = "on";
+          cachefile = "none";
+        };
+        rootFsOptions = {
+          acltype = "posixacl";
+          atime = "on";
+          canmount = "off";
+          compression = "zstd-5";
+          dedup = "off";
+          dnodesize = "auto";
+          normalization = "formD";
+          relatime = "on";
+          xattr = "sa";
+        };
+        mountpoint = "/";
+        postCreateHook = emptySnapshot "rpool";
+
+        datasets = {
+          reserved = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options = {
+              canmount = "off";
+              refreservation = "20G";
+            };
+          };
+          nixos = {
+            type = "zfs_fs";
+            # mountpoint = "none";
+            options.mountpoint = "none";
+            options.canmount = "off";
+            postCreateHook = emptySnapshot "rpool/nixos";
+          };
+          user = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options.canmount = "off";
+            postCreateHook = emptySnapshot "rpool/user";
+          };
+          persistent = {
+            type = "zfs_fs";
+            options.mountpoint = "none";
+            options.canmount = "off";
+            postCreateHook = emptySnapshot "rpool/persistent";
+          };
+          "nixos/root" = {
+            type = "zfs_fs";
+            mountpoint = "/";
+            options.canmount = "noauto";
+            postCreateHook = emptySnapshot "rpool/nixos/root";
+          };
+          "user/home" = {
+            type = "zfs_fs";
+            mountpoint = "/home";
+            options.canmount = "on";
+            postCreateHook = emptySnapshot "rpool/user/home";
+          };
+          "persistent/impermanence" = {
+            type = "zfs_fs";
+            mountpoint = "/persist";
+            options.canmount = "on";
+            postCreateHook = emptySnapshot "rpool/persistent/impermanence";
+          };
+          "persistent/servers" = {
+            type = "zfs_fs";
+            mountpoint = "/srv";
+            options.canmount = "on";
+            postCreateHook = emptySnapshot "rpool/persistent/servers";
+          };
+          "persistent/nix" = {
+            type = "zfs_fs";
+            mountpoint = "/nix";
+            options.canmount = "on";
+            postCreateHook = emptySnapshot "rpool/persistent/nix";
+          };
+          "persistent/secrets" = {
+            type = "zfs_fs";
+            mountpoint = "/etc/secrets";
+            options.canmount = "on";
+            postCreateHook = emptySnapshot "rpool/persistent/secrets";
+          };
+          "persistent/log" = {
+            type = "zfs_fs";
+            mountpoint = "/var/log";
+            options.canmount = "on";
+            postCreateHook = emptySnapshot "rpool/persistent/log";
+          };
+          # "persistent/lxd" = {
+          #   type = "zfs_fs";
+          #   options.canmount = "noauto";
+          #   postCreateHook = emptySnapshot "rpool/persistent/lxd";
+          # };
+          "persistent/docker" = {
+            type = "zfs_fs";
+            mountpoint = "/var/lib/docker";
+            options.canmount = "on";
+            postCreateHook = emptySnapshot "rpool/persistent/docker";
+          };
+          "persistent/nixos-containers" = {
+            type = "zfs_fs";
+            mountpoint = "/var/lib/nixos-containers";
+            options.canmount = "on";
+            postCreateHook = emptySnapshot "rpool/persistent/nixos-containers";
+          };
+          "persistent/bittorrent" = {
+            type = "zfs_fs";
+            mountpoint = "/media/bittorrent";
+            options.canmount = "on";
+            options.atime = "off";
+            options.recordsize = "16K";
+            options.compression = "lz4";
+            postCreateHook = emptySnapshot "rpool/persistent/bittorrent";
+          };
+          "persistent/libvirt" = {
+            type = "zfs_fs";
+            mountpoint = "/var/lib/libvirt";
+            options.canmount = "on";
+            postCreateHook = emptySnapshot "rpool/persistent/libvirt";
+          };
+          "persistent/libvirt-user" = {
+            type = "zfs_fs";
+            mountpoint = "/media/libvirt";
+            options.canmount = "on";
+            postCreateHook = emptySnapshot "rpool/persistent/libvirt-user";
+          };
+          "persistent/libvirt-user/images" = {
+            type = "zfs_fs";
+            mountpoint = "/media/libvirt/images";
+            options.canmount = "on";
+            options.atime = "off";
+            options.recordsize = "16K";
+            options.compression = "lz4";
+            postCreateHook = emptySnapshot "rpool/persistent/libvirt-user/images";
+          };
+          "persistent/ocis" = {
+            type = "zfs_fs";
+            mountpoint = "/var/lib/ocis";
+            options.canmount = "on";
+            options.recordsize = "1M";
+            postCreateHook = emptySnapshot "rpool/persistent/ocis";
+          };
+          # "persistent/podman" = {
+          #   type = "zfs_fs";
+          #   mountpoint = "/var/lib/podman";
+          #   options.canmount = "on";
+          #   options.atime = "off";
+          #   postCreateHook = emptySnapshot "rpool/persistent/podman";
+          # };
+          "persistent/postgresql" = {
+            type = "zfs_fs";
+            mountpoint = "/var/lib/postgresql";
+            options.canmount = "on";
+            options.recordsize = "16K";
+            options.atime = "off";
+            options.logbias = "latency";
+            postCreateHook = emptySnapshot "rpool/persistent/postgresql";
+          };
+          vol = {
+            type = "zfs_fs";
+            options.canmount = "off";
+            postCreateHook = emptySnapshot "rpool/vol";
+          };
+          "vol/podman" = {
+            type = "zfs_volume";
+            size = "40G";
+            options.volblocksize = "16K";
+            content = {
+              type = "filesystem";
+              format = "xfs";
+              mountpoint = "/var/lib/containers";
+            };
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/machines/Home-Hypervisor/dns-mapping.nix b/machines/Home-Hypervisor/dns-mapping.nix
deleted file mode 100644
index 8134a0e..0000000
--- a/machines/Home-Hypervisor/dns-mapping.nix
+++ /dev/null
@@ -1,104 +0,0 @@
-{
-  headscale-list = [
-    { name = "ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "api.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "auth.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "cache.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "cal.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "code.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "docs.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "file.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "home.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "jackett.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "jellyfin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "joplin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "kavita.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "ldap.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "lib.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "medusa.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "net.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "openbooks.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "pdf.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "qbit.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "radarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "restic.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "s3.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "sonarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "tools.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "vault.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "wiki.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-
-    { name = "ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "api.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "auth.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "cache.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "cal.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "code.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "docs.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "file.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "home.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "jackett.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "jellyfin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "joplin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "kavita.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "ldap.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "lib.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "medusa.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "net.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "openbooks.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "pdf.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "qbit.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "radarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "restic.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "s3.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "sonarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "tools.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "vault.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "wiki.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-  ];
-  dnsmasq-list = [
-    # TODO: Fix dns resolution in blocky for unmapped subdomains of ataraxiadev.com
-    "/element.ataraxiadev.com/10.10.10.10"
-    "/matrix.ataraxiadev.com/10.10.10.10"
-    "/turn.ataraxiadev.com/10.10.10.10"
-
-    "/api.ataraxiadev.com/10.10.10.10"
-    "/auth.ataraxiadev.com/10.10.10.10"
-    "/cache.ataraxiadev.com/10.10.10.10"
-    "/cal.ataraxiadev.com/10.10.10.10"
-    "/code.ataraxiadev.com/10.10.10.10"
-    "/docs.ataraxiadev.com/10.10.10.10"
-    "/file.ataraxiadev.com/10.10.10.10"
-    "/home.ataraxiadev.com/10.10.10.10"
-    "/jackett.ataraxiadev.com/10.10.10.10"
-    "/jellyfin.ataraxiadev.com/10.10.10.10"
-    "/joplin.ataraxiadev.com/10.10.10.10"
-    "/kavita.ataraxiadev.com/10.10.10.10"
-    "/ldap.ataraxiadev.com/10.10.10.10"
-    "/lib.ataraxiadev.com/10.10.10.10"
-    "/medusa.ataraxiadev.com/10.10.10.10"
-    "/net.ataraxiadev.com/10.10.10.10"
-    "/openbooks.ataraxiadev.com/10.10.10.10"
-    "/pdf.ataraxiadev.com/10.10.10.10"
-    "/qbit.ataraxiadev.com/10.10.10.10"
-    "/radarr.ataraxiadev.com/10.10.10.10"
-    "/restic.ataraxiadev.com/10.10.10.10"
-    "/s3.ataraxiadev.com/10.10.10.10"
-    "/stats.ataraxiadev.com/10.10.10.10"
-    "/sonarr.ataraxiadev.com/10.10.10.10"
-    "/tools.ataraxiadev.com/10.10.10.10"
-    "/vault.ataraxiadev.com/10.10.10.10"
-    "/vw.ataraxiadev.com/10.10.10.10"
-    "/wiki.ataraxiadev.com/10.10.10.10"
-  ];
-}
\ No newline at end of file
diff --git a/machines/Home-Hypervisor/hardware-configuration.nix b/machines/Home-Hypervisor/hardware-configuration.nix
deleted file mode 100644
index 72e09b7..0000000
--- a/machines/Home-Hypervisor/hardware-configuration.nix
+++ /dev/null
@@ -1,109 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "rpool/nixos/root";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
-
-  fileSystems."/home" =
-    { device = "rpool/user/home";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
-
-  fileSystems."/persist" =
-    { device = "rpool/persistent/impermanence";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
-
-  fileSystems."/srv" =
-    { device = "rpool/persistent/servers";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
-
-  fileSystems."/etc/secrets" =
-    { device = "rpool/persistent/secrets";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
-
-  fileSystems."/nix" =
-    { device = "rpool/persistent/nix";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
-
-  fileSystems."/var/log" =
-    { device = "rpool/persistent/log";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
-
-  fileSystems."/var/lib/docker" =
-    { device = "rpool/persistent/docker";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
-
-  fileSystems."/var/lib/podman" =
-    { device = "/dev/zvol/rpool/vol/podman";
-      fsType = "xfs"; options = [ "X-mount.mkdir" ];
-    };
-
-  fileSystems."/var/lib/nixos-containers" =
-    { device = "rpool/persistent/nixos-containers";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
-
-  fileSystems."/media/bittorrent" =
-    { device = "rpool/persistent/bittorrent";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
-
-  fileSystems."/media/libvirt" =
-    { device = "rpool/persistent/libvirt";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
-
-  fileSystems."/boot" =
-    { device = "bpool/nixos/boot";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
-
-  fileSystems."/efi" =
-    { device = "/dev/disk/by-uuid/C5F3-4271";
-      fsType = "vfat";
-    };
-
-  swapDevices = [
-    {
-      device = "/dev/disk/by-partuuid/4623124f-05e6-4d55-8fe8-6cd9a904fd72";
-      randomEncryption.enable = true;
-      randomEncryption.allowDiscards = true;
-    }
-  ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-    networking.hostId = "a9408846";
-    boot.zfs.devNodes = "/dev/disk/by-id";
-    boot.supportedFilesystems = [ "xfs" "zfs" ];
-    boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-partuuid/465cbfbb-73b8-4129-9904-9fabcc5db368";
-    boot.initrd.luks.devices."cryptboot".device = "/dev/disk/by-partuuid/74f2b810-c7ff-471d-9829-7a3ef05c8c0e";
-}
diff --git a/machines/Home-Hypervisor/hardware/networks.nix b/machines/Home-Hypervisor/hardware/networks.nix
new file mode 100644
index 0000000..6c9bf79
--- /dev/null
+++ b/machines/Home-Hypervisor/hardware/networks.nix
@@ -0,0 +1,21 @@
+{
+  domain = "home.ataraxiadev.com";
+  hasIPv6 = false;
+  interfaces = {
+    main' = {
+      mac = "d4:3d:7e:26:a8:af";
+      bridgeName = "br0";
+      ifname = "enp2s0";
+      IPv4 = {
+        address = "10.10.10.10/24";
+        gateway = "10.10.10.1";
+        dns = [ "10.10.10.1" "9.9.9.9" ];
+      };
+      IPv6 = {
+        address = "";
+        gateway = "";
+        dns = [ ];
+      };
+    };
+  };
+}
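Review bot: The IPv6 block uses empty strings as placeholders (`address = ""`, `gateway = ""`) and relies on every consumer guarding on `hasIPv6` before reading them; a consumer that forgets the guard would emit an empty `Address=`/`Gateway=` line into a networkd unit rather than fail at evaluation time. Using `null` for the unset values (`address = null; gateway = null;`) makes an unguarded read fail loudly in Nix instead. A one-line comment on `hasIPv6` stating that it gates the IPv6 attrset would also help the next reader, e.g. `# when false, the IPv6 attrset is a placeholder and must not be consumed`.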
diff --git a/machines/Home-Hypervisor/networking.nix b/machines/Home-Hypervisor/networking.nix
new file mode 100644
index 0000000..070d362
--- /dev/null
+++ b/machines/Home-Hypervisor/networking.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (import ./hardware/networks.nix) interfaces domain hasIPv6;
+in {
+  services.resolved.enable = true;
+  networking = {
+    dhcpcd.enable = false;
+    domain = domain;
+    enableIPv6 = hasIPv6;
+    hostName = config.device;
+    nftables.enable = true;
+    useDHCP = false;
+    useNetworkd = lib.mkForce false;
+    usePredictableInterfaceNames = true;
+
+    firewall = {
+      enable = true;
+      allowedTCPPorts = lib.mkDefault [ ];
+      allowedUDPPorts = lib.mkDefault [ ];
+    };
+
+    nameservers = [ "10.10.10.1" "9.9.9.9" ];
+
+    # extraHosts = ''
+    #   127.0.0.1 auth.ataraxiadev.com
+    #   127.0.0.1 code.ataraxiadev.com
+    #   127.0.0.1 cache.ataraxiadev.com
+    #   127.0.0.1 s3.ataraxiadev.com
+    #   127.0.0.1 wg.ataraxiadev.com
+    #   127.0.0.1 vault.ataraxiadev.com
+    #   127.0.0.1 matrix.ataraxiadev.com
+    # '';
+  };
+
+  systemd.network = with interfaces.main'; {
+    enable = lib.mkForce true;
+    wait-online.ignoredInterfaces = [ "lo" ];
+    networks = {
+      "40-${ifname}" = {
+        matchConfig.Name = ifname;
+        linkConfig.RequiredForOnline = "enslaved";
+        networkConfig.Bridge = bridgeName;
+        networkConfig.DHCP = "no";
+      };
+      "60-${bridgeName}" = {
+        matchConfig.Name = bridgeName;
+        address = [
+          IPv4.address
+        ] ++ lib.optionals hasIPv6 [
+          IPv6.address
+          "fc00::1/64"
+        ];
+        linkConfig.RequiredForOnline = "routable";
+        # networkConfig = {
+        #   IPForward = true;
+        #   DNS = IPv4.dns ++ lib.optionals hasIPv6 IPv6.dns;
+        # };
+        routes = [{
+          Gateway = IPv4.gateway;
+          GatewayOnLink = true;
+        }] ++ lib.optionals hasIPv6 [{
+          Gateway = IPv6.gateway;
+          GatewayOnLink = true;
+        }];
+      };
+    };
+    netdevs = {
+      "60-${bridgeName}" = {
+        netdevConfig = {
+          Kind = "bridge";
+          Name = bridgeName;
+          MACAddress = mac;
+        };
+      };
+    };
+  };
+
+  system.activationScripts.udp-gro-forwarding = {
+    text = with interfaces.main'; ''
+      ${pkgs.ethtool}/bin/ethtool -K ${bridgeName} rx-udp-gro-forwarding on rx-gro-list off
+    '';
+  };
+}
\ No newline at end of file
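Review bot: The resolver list is hard-coded twice: `networking.nameservers = [ "10.10.10.1" "9.9.9.9" ]` here duplicates `IPv4.dns` from hardware/networks.nix, which this file already imports, so the two can silently drift apart. Deriving it instead, `nameservers = interfaces.main'.IPv4.dns ++ lib.optionals hasIPv6 interfaces.main'.IPv6.dns;`, keeps a single source of truth. Separately, `useNetworkd = lib.mkForce false` next to `systemd.network.enable = lib.mkForce true` is an unusual combination and deserves a why-comment, since it presumably means scripted networking stays active alongside networkd. The `udp-gro-forwarding` activation script runs `ethtool -K` on the bridge at activation time; whether the bridge device already exists at that point is not guaranteed by anything visible here, so a systemd service ordered after the device (or a comment confirming the ordering) would make it robust.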
diff --git a/machines/Home-Hypervisor/nginx.nix b/machines/Home-Hypervisor/nginx.nix
new file mode 100644
index 0000000..1143647
--- /dev/null
+++ b/machines/Home-Hypervisor/nginx.nix
@@ -0,0 +1,79 @@
+{ ... }:
+{
+  services.nginx = {
+    enable = true;
+    group = "acme";
+    recommendedBrotliSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+    recommendedZstdSettings = true;
+    clientMaxBodySize = "250m";
+    commonHttpConfig = ''
+      proxy_hide_header X-Frame-Options;
+    '';
+    virtualHosts = let
+      default = {
+        useACMEHost = "ataraxiadev.com";
+        enableACME = false;
+        forceSSL = true;
+      };
+      proxySettings = ''
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+      '';
+    in {
+      "media-stack" = {
+        serverAliases = [
+          "jellyfin.ataraxiadev.com"
+          "qbit.ataraxiadev.com"
+          "prowlarr.ataraxiadev.com"
+          "jackett.ataraxiadev.com"
+          "sonarr.ataraxiadev.com"
+          "radarr.ataraxiadev.com"
+          "lidarr.ataraxiadev.com"
+          "kavita.ataraxiadev.com"
+        ];
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8180";
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_buffer_size 128k;
+            proxy_buffers 4 256k;
+            proxy_busy_buffers_size 256k;
+            send_timeout 15m;
+            proxy_connect_timeout 600;
+            proxy_send_timeout 600;
+            proxy_read_timeout 15m;
+          '' + proxySettings;
+        };
+      } // default;
+      "medusa.ataraxiadev.com" = {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8180";
+          proxyWebsockets = true;
+          extraConfig = ''
+            add_header Content-Security-Policy "upgrade-insecure-requests";
+          '' + proxySettings;
+        };
+      } // default;
+      "code.ataraxiadev.com" = {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:6000";
+          extraConfig = proxySettings;
+        };
+      } // default;
+      "ataraxiadev.com" = {
+        extraConfig = ''
+          return 301 https://code.ataraxiadev.com$request_uri;
+        '';
+      } // default;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
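Review bot: `proxy_hide_header X-Frame-Options;` in `commonHttpConfig` strips the anti-clickjacking header from every upstream behind all four virtual hosts, including code.ataraxiadev.com, when the need to embed presumably applies only to the media services. Scoping it to the one location that requires it — moving the line into the `extraConfig` of the `"media-stack"` location, next to the buffer and timeout settings — leaves the other upstreams' header intact. The `default` attrset merged via `// default` sets `enableACME = false` with `useACMEHost`, which is correct but worth a one-line comment such as `# certificate is provisioned once for the apex domain and shared by all vhosts`.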
diff --git a/machines/Home-Hypervisor/usb-hdd.nix b/machines/Home-Hypervisor/usb-hdd.nix
deleted file mode 100644
index cf30e6e..0000000
--- a/machines/Home-Hypervisor/usb-hdd.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ pkgs, ... }: {
-  boot.initrd = rec {
-    luks.devices = {
-      "crypt-nas" = {
-        device = "/dev/disk/by-id/ata-ST4000NM0035-1V4107_ZC1A7CWN";
-        keyFile = "/nas_keyfile0.bin";
-      };
-    };
-    secrets = {
-      "nas_keyfile0.bin" = "/etc/secrets/nas_keyfile0.bin";
-    };
-    availableKernelModules = [
-      "usb_storage"
-      "usbcore"
-      "scsi_mod"
-      "usb_common"
-      "ehci_pci" "ahci" "uas" "sd_mod" "sdhci_pci"
-    ];
-    kernelModules = availableKernelModules;
-  };
-
-  boot.zfs.extraPools = [ "nas-pool" ];
-
-  system.activationScripts.disable-hdd-spindown.text = ''
-    ${pkgs.hdparm}/bin/hdparm -s 0 /dev/disk/by-id/ata-ST4000NM0035-1V4107_ZC1A7CWN
-  '';
-}
\ No newline at end of file
diff --git a/machines/Home-Hypervisor/virtualisation.nix b/machines/Home-Hypervisor/virtualisation.nix
index 8943357..fc6db5d 100644
--- a/machines/Home-Hypervisor/virtualisation.nix
+++ b/machines/Home-Hypervisor/virtualisation.nix
@@ -8,12 +8,31 @@
 
   virtualisation = {
     docker.enable = lib.mkForce false;
-    podman.defaultNetwork.settings.dns_enabled = lib.mkForce false;
+    podman.defaultNetwork.settings.dns_enabled = lib.mkForce true;
     podman.extraPackages = [ pkgs.zfs ];
     spiceUSBRedirection.enable = lib.mkForce false;
     containers.storage.settings.storage.graphroot = lib.mkForce  "/var/lib/podman/storage";
   };
 
+  # networking.dhcpcd.denyInterfaces = [ "podman0" ];
+  # systemd.network = {
+  #   netdevs."60-podman0" = {
+  #     netdevConfig = {
+  #       Kind = "bridge";
+  #       Name = "podman0";
+  #     };
+  #   };
+  #   networks."50-podman" = {
+  #     matchConfig = {
+  #       Name = "podman0";
+  #     };
+  #     linkConfig = {
+  #       Unmanaged = true;
+  #       ActivationPolicy = "manual";
+  #     };
+  #   };
+  # };
+
   users.users.${config.mainuser} = {
     subUidRanges = [{
       count = 1000;
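Review bot: The flip of `podman.defaultNetwork.settings.dns_enabled` from `false` to `true` carries no comment explaining the change, and the eighteen commented-out lines of `systemd.network` configuration for `podman0` below it suggest an unresolved interaction with the new networkd setup that the commit does not record. Either delete the commented block or replace it with a one-line note stating why it is kept, e.g. `# podman0 is left unmanaged by networkd; see networking.nix`, and add a short why-comment above `dns_enabled`. The `users.users.${config.mainuser}` block continues past the end of the hunk.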
diff --git a/roles/hypervisor.nix b/roles/hypervisor.nix
index b369e14..cb84cc4 100644
--- a/roles/hypervisor.nix
+++ b/roles/hypervisor.nix
@@ -15,7 +15,7 @@
     nix-index
     nnn
     overlay
-    pass-secret-service
+    # pass-secret-service
     ssh
     user
     vlock
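Review bot: `pass-secret-service` is commented out rather than removed from the role list, with no note on whether it is being retired or temporarily disabled. If the role is gone, delete the line; if it is pending, a trailing comment such as `# pass-secret-service  # disabled: <reason/TODO>` tells the next reader what to do with it. The enclosing list continues outside the hunk.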