add new vps machine

This commit is contained in:
Dmitriy Kholkin 2023-06-23 18:27:46 +03:00
parent d9072ae7f5
commit c0cb0cdafa
11 changed files with 666 additions and 22 deletions

146
flake.lock generated

@ -160,6 +160,46 @@
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat_3",
"nixpkgs": "nixpkgs_3",
"utils": "utils"
},
"locked": {
"lastModified": 1686747123,
"narHash": "sha256-XUQK9kwHpTeilHoad7L4LjMCCyY13Oq383CoFADecRE=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "724463b5a94daa810abfc64a4f87faef4e00f984",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1687134796,
"narHash": "sha256-gjBAkEtNPMQzqK4IHjTQBUv3VhggszOHLJbhXZy0OVQ=",
"owner": "nix-community",
"repo": "disko",
"rev": "4823509bb3b014dc85abefc13efcfa076d36338a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -195,11 +235,11 @@
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
@ -257,6 +297,22 @@
}
},
"flake-compat_7": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_8": {
"flake": false,
"locked": {
"lastModified": 1668681692,
@ -539,7 +595,7 @@
"hyprland": {
"inputs": {
"hyprland-protocols": "hyprland-protocols",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_4",
"wlroots": "wlroots",
"xdph": "xdph"
},
@ -668,9 +724,9 @@
},
"nix": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-compat": "flake-compat_4",
"lowdown-src": "lowdown-src",
"nixpkgs": "nixpkgs_4",
"nixpkgs": "nixpkgs_5",
"nixpkgs-regression": "nixpkgs-regression"
},
"locked": {
@ -689,7 +745,7 @@
},
"nix-alien": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-compat": "flake-compat_5",
"flake-utils": "flake-utils_4",
"nix-index-database": "nix-index-database",
"nixpkgs": [
@ -713,7 +769,7 @@
"nix-direnv": {
"inputs": {
"flake-utils": "flake-utils_5",
"nixpkgs": "nixpkgs_5"
"nixpkgs": "nixpkgs_6"
},
"locked": {
"lastModified": 1686544557,
@ -752,7 +808,7 @@
},
"nix-vscode-marketplace": {
"inputs": {
"flake-compat": "flake-compat_5",
"flake-compat": "flake-compat_6",
"flake-utils": "flake-utils_6",
"nixpkgs": [
"nixpkgs"
@ -905,6 +961,22 @@
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1686921029,
"narHash": "sha256-J1bX9plPCFhTSh6E3TWn9XSxggBh/zDD4xigyaIQBy8=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c7ff1b9b95620ce8728c0d7bd501c458e6da9e04",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1665466769,
@ -922,6 +994,22 @@
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1671417167,
"narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1686592866,
"narHash": "sha256-riGg89eWhXJcPNrQGcSwTEEm7CGxWC06oSX44hajeMw=",
@ -937,7 +1025,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_5": {
"locked": {
"lastModified": 1670461440,
"narHash": "sha256-jy1LB8HOMKGJEGXgzFRLDU1CBGL0/LlkolgnqIsF0D8=",
@ -953,7 +1041,7 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_6": {
"locked": {
"lastModified": 1686488075,
"narHash": "sha256-2otSBt2hbeD+5yY25NF3RhWx7l5SDt1aeU3cJ/9My4M=",
@ -969,7 +1057,7 @@
"type": "github"
}
},
"nixpkgs_6": {
"nixpkgs_7": {
"locked": {
"lastModified": 1686592866,
"narHash": "sha256-riGg89eWhXJcPNrQGcSwTEEm7CGxWC06oSX44hajeMw=",
@ -985,7 +1073,7 @@
"type": "github"
}
},
"nixpkgs_7": {
"nixpkgs_8": {
"locked": {
"lastModified": 1685012353,
"narHash": "sha256-U3oOge4cHnav8OLGdRVhL45xoRj4Ppd+It6nPC9nNIU=",
@ -1049,10 +1137,10 @@
},
"prismlauncher": {
"inputs": {
"flake-compat": "flake-compat_6",
"flake-compat": "flake-compat_7",
"flake-parts": "flake-parts",
"libnbtplusplus": "libnbtplusplus",
"nixpkgs": "nixpkgs_7",
"nixpkgs": "nixpkgs_8",
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
@ -1076,7 +1164,7 @@
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
"utils": "utils_2"
},
"locked": {
"lastModified": 1669555118,
@ -1100,6 +1188,8 @@
"base16": "base16",
"base16-tokyonight-scheme": "base16-tokyonight-scheme",
"cassowary": "cassowary",
"deploy-rs": "deploy-rs",
"disko": "disko",
"flake-registry": "flake-registry",
"flake-utils-plus": "flake-utils-plus_2",
"home-manager": "home-manager",
@ -1112,8 +1202,9 @@
"nix-direnv": "nix-direnv",
"nix-vscode-marketplace": "nix-vscode-marketplace",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs_6",
"nixpkgs": "nixpkgs_7",
"nixpkgs-master": "nixpkgs-master",
"nixpkgs-stable": "nixpkgs-stable_2",
"nur": "nur",
"prismlauncher": "prismlauncher",
"rnix-lsp": "rnix-lsp",
@ -1168,12 +1259,12 @@
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat_7",
"flake-compat": "flake-compat_8",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-22_11": "nixpkgs-22_11",
"utils": "utils_2"
"utils": "utils_3"
},
"locked": {
"lastModified": 1686468558,
@ -1250,6 +1341,21 @@
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"utils_2": {
"locked": {
"lastModified": 1656928814,
"narHash": "sha256-RIFfgBuKz6Hp89yRr7+NR5tzIAbn52h8vT6vXkYjZoM=",
@ -1264,7 +1370,7 @@
"type": "github"
}
},
"utils_2": {
"utils_3": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",


@ -5,6 +5,7 @@
flake-utils-plus.url = "github:AtaraxiaSjel/flake-utils-plus";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-master.url = "github:nixos/nixpkgs/master";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05";
nix.url = "github:nixos/nix";
flake-registry = {
url = "github:nixos/flake-registry";
@ -33,6 +34,11 @@
url = "github:AtaraxiaSjel/cassowary";
inputs.nixpkgs.follows = "nixpkgs";
};
deploy-rs.url = "github:serokell/deploy-rs";
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
hoyolab-daily-bot = {
url = "github:AtaraxiaSjel/hoyolab-daily-bot";
inputs.nixpkgs.follows = "nixpkgs";
@ -117,6 +123,8 @@
channelsConfig = { allowUnfree = true; };
channels.unstable.input = nixpkgs;
channels.unstable.patches = patchesPath [ "zen-kernels.patch" ] ++ sharedPatches;
channels.stable.input = inputs.nixpkgs-stable;
channels.stable.patches = sharedPatches;
hostDefaults.system = "x86_64-linux";
hostDefaults.channelName = "unstable";
@ -133,7 +141,17 @@
];
specialArgs = { inherit inputs; };
};
in (genAttrs hostnames mkHost);
in (genAttrs hostnames mkHost) // {
NixOS-VPS = {
system = builtins.readFile (./machines/NixOS-VPS/system);
modules = [
(import (./machines/NixOS-VPS))
{ device = "NixOS-VPS"; mainuser = "ataraxia"; }
];
specialArgs = { inherit inputs; };
channelName = "stable";
};
};
outputsBuilder = channels: let
pkgs = channels.unstable;
@ -165,7 +183,7 @@
name = "aliases";
packages = with pkgs; [
rebuild update-vscode upgrade upgrade-hyprland
nixfmt nixpkgs-fmt statix vulnix deadnix git
nixfmt nixpkgs-fmt statix vulnix deadnix git deploy-rs
];
};
ci = pkgs.mkShell {
@ -208,5 +226,29 @@
ivpn-ui = pkgs.callPackage ./profiles/packages/ivpn-ui { };
};
};
deploy.nodes = let
pkgs = import nixpkgs { system = "x86_64-linux"; };
deployPkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [
inputs.deploy-rs.overlay
(self: super: { deploy-rs = { inherit (pkgs) deploy-rs; lib = super.deploy-rs.lib; }; })
];
};
in {
NixOS-VPS = {
hostname = "wg.ataraxiadev.com";
profiles.system = {
sshUser = "deploy";
user = "root";
fastConnection = true;
remoteBuild = false;
path = deployPkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.NixOS-VPS;
};
};
};
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
};
}
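Review bot: The `NixOS-VPS` entry merged after `genAttrs hostnames mkHost` hand-copies the shape of mkHost (a modules list with the machine import and the `device`/`mainuser` attrset, then `specialArgs = { inherit inputs; }`) and differs only in `channelName = "stable"`, so future changes to mkHost will not reach this host. Extending mkHost to take the channel name per machine (read from a file next to `system`, for example) and adding NixOS-VPS to `hostnames` would keep a single definition. mkHost's head is outside the hunk, so whether it already reads the `system` file the same way cannot be seen here; if that file carries a trailing newline, `builtins.readFile` will yield `"x86_64-linux\n"`, which is not a valid system string, so either strip it or confirm mkHost handles it.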


@ -0,0 +1,144 @@
{ modulesPath, inputs, lib, pkgs, config, ... }: {
imports = with inputs.self; [
(modulesPath + "/profiles/qemu-guest.nix")
(modulesPath + "/profiles/minimal.nix")
inputs.disko.nixosModules.disko
./hardware
./network.nix
./nix.nix
./wireguard.nix
customModules.devices
customModules.users
nixosProfiles.hardened
nixosProfiles.overlay
];
# disko.devices = import ./disko.nix { inherit lib; };
# Misc
boot = {
# TODO: hardened kernel with bcachefs patches
supportedFilesystems = [ "vfat" "btrfs" ];
kernelModules = [ "tcp_bbr" ];
kernelParams = [
"scsi_mod.use_blk_mq=1"
"kvm.ignore_msrs=1"
"kvm.report_ignored_msrs=0"
];
kernel.sysctl = {
"vm.swappiness" = 50;
"vm.vfs_cache_pressure" = 200;
"vm.dirty_background_ratio" = 1;
"vm.dirty_ratio" = 40;
"vm.page-cluster" = 0;
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
# "net.core.default_qdisc" = "fq";
};
loader.grub = {
devices = [ "/dev/sda" ];
efiSupport = true;
efiInstallAsRemovable = true;
};
};
zramSwap = {
enable = true;
algorithm = "zstd";
memoryPercent = 100;
};
deviceSpecific.isServer = true;
services.journald.extraConfig = "Compress=false";
nix.optimise.automatic = false;
nix.distributedBuilds = lib.mkForce false;
hardware.enableRedistributableFirmware = true;
environment.noXlibs = lib.mkForce false;
fonts.enableDefaultFonts = lib.mkForce false;
# fonts.fonts = [ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ];
security.polkit.enable = true;
# security.pam.enableSSHAgentAuth = true;
environment.systemPackages = with pkgs; [
bat
bottom
comma
git
kitty
micro
nix-index-update
pwgen
];
# Locale
i18n.defaultLocale = "en_GB.UTF-8";
i18n.extraLocaleSettings = {
LANGUAGE = "en_GB.UTF-8";
LC_ALL = "en_GB.UTF-8";
LC_TIME = "en_GB.UTF-8";
LC_ADDRESS = "ru_RU.UTF-8";
LC_MONETARY = "ru_RU.UTF-8";
LC_PAPER = "ru_RU.UTF-8";
};
environment.sessionVariables = {
XKB_DEFAULT_LAYOUT = "us,ru";
XKB_DEFAULT_OPTIONS = "grp:win_space_toggle";
LANGUAGE = "en_GB.UTF-8";
LC_ALL = "en_GB.UTF-8";
};
# Hardened
networking.firewall = {
enable = true;
allowPing = false;
allowedTCPPorts = lib.mkDefault [ ];
allowedUDPPorts = lib.mkDefault [ ];
};
systemd.coredump.enable = false;
programs.firejail.enable = true;
# Users
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.PermitRootLogin = lib.mkForce "no";
settings.X11Forwarding = false;
extraConfig = "StreamLocalBindUnlink yes";
ports = [ 22 ];
};
users.mutableUsers = false;
users.users = {
${config.mainuser} = {
isNormalUser = true;
extraGroups = [ "disk" "systemd-journal" "wheel" ];
uid = 1000;
hashedPassword =
"$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
shell = pkgs.bash;
openssh.authorizedKeys.keys = [
"ssh-rsa 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 (none)"
"ssh-rsa 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 alukard@AMD-Workstation"
];
};
deploy = {
description = "The administrator account for the servers.";
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys =
config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
};
root.openssh.authorizedKeys.keys =
config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
};
# Passwordless sudo for deploy user
security.sudo.extraRules = [{
users = [ "deploy" ];
commands = [{
command = "ALL";
options = [ "NOPASSWD" ];
}];
}];
system.stateVersion = "23.05";
}
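Review bot: `settings.PasswordAuthentication = false` in the services.openssh block does not on its own close password logins, because NixOS leaves `settings.KbdInteractiveAuthentication` at its default of true and PAM can satisfy keyboard-interactive with the account password; add `settings.KbdInteractiveAuthentication = false;` beside it. The same file commits the mainuser's `hashedPassword` literal, which exposes the hash to offline guessing wherever the repository is readable; `passwordFile` (`hashedPasswordFile` on newer nixpkgs) pointing at a file provisioned outside the repository keeps the same login behaviour without that. `root.openssh.authorizedKeys.keys` is inert while `PermitRootLogin` is forced to `"no"`, so either drop it or add a comment saying why the keys are kept there.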


@ -0,0 +1,74 @@
{ lib, disks ? [ "/dev/sda" ], ... }: {
disk = lib.genAttrs disks (dev: {
device = dev;
type = "disk";
content = {
type = "table";
format = "gpt";
partitions = [
{
name = "boot";
start = "0";
end = "1M";
part-type = "primary";
flags = [ "bios_grub" ];
}
{
name = "ESP";
start = "1MiB";
end = "100MiB";
bootable = true;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
}
{
name = "root";
start = "100MiB";
end = "-2G";
part-type = "primary";
bootable = true;
# content = {
# type = "filesystem";
# format = "bcachefs";
# extraArgs = [
# "--block_size=8192"
# "--compression=zstd"
# "--discard"
# "--acl"
# ];
# mountpoint = "/";
# };
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"/rootfs" = {
mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/home" = {
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/nix" = {
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
};
};
}
{
name = "swap";
start = "-2G";
end = "100%";
part-type = "primary";
content = {
type = "swap";
randomEncryption = true;
};
}
];
};
});
}
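Review bot: The `/home` and `/nix` subvolumes in the btrfs content set `mountOptions` but no `mountpoint`, so disko would never mount them, which diverges from the hand-written `fileSystems."/home"` and `fileSystems."/nix"` in hardware/default.nix. This only matters if the file is enabled (the machine's default.nix keeps the `disko.devices` line commented out), but as long as it is kept it should match the real layout, e.g. `"/home" = { mountpoint = "/home"; mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ]; };`. The partition bounds also mix units (`end = "1M"` for the bios_grub slot, `start = "1MiB"` for the ESP); a single unit, or a comment stating that the two are meant to be adjacent, would make the intent clear.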


@ -0,0 +1,41 @@
{ config, lib, pkgs, modulesPath, ... }: {
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules =
[ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-partuuid/34c39dc8-07e8-4dd0-9c74-462d43c874d0";
fsType = "btrfs";
options = [ "subvol=rootfs" "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
fileSystems."/nix" = {
device = "/dev/disk/by-partuuid/34c39dc8-07e8-4dd0-9c74-462d43c874d0";
fsType = "btrfs";
options = [ "subvol=nix" "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-partuuid/a9bc6629-2e9b-46e8-b482-aea8651d1949";
fsType = "vfat";
};
fileSystems."/home" = {
device = "/dev/disk/by-partuuid/34c39dc8-07e8-4dd0-9c74-462d43c874d0";
fsType = "btrfs";
options = [ "subvol=home" "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
swapDevices = [{
device = "/dev/disk/by-partuuid/a460e7c7-3005-4516-9a8e-f751082b8bb6";
randomEncryption.enable = true;
randomEncryption.allowDiscards = true;
priority = 0;
}];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}
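Review bot: `randomEncryption.allowDiscards = true` on the swap device lets TRIM pass through the dm-crypt layer, which reveals to the hypervisor's storage which swap sectors are in use; because the key is regenerated on every boot the exposure is limited to usage patterns, but it should be a recorded choice, e.g. `# discards leak only the allocation pattern; the swap key is per-boot`. `(modulesPath + "/profiles/qemu-guest.nix")` is also imported here and again in the machine's default.nix; the duplicate is harmless but one of them can go.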


@ -0,0 +1,85 @@
rec {
privateIPv6Prefix = "fd3a:900e:8e74:ffff";
interfaces = {
# This is the public-facing interface. Any interface name with a prime
# symbol means it's a public-facing interface.
main' = {
ifname = "enp0s18";
IPv4 = {
address = "193.219.97.142/26";
gateway = "193.219.97.129";
dns = [ "46.102.157.27" "46.102.157.42" ];
};
IPv6 = {
address = "2a0d:f302:128:3792::1/48";
gateway = "2a0d:f302:127::1";
dns = [ "2a0d:f302:99::99" "2a0d:f302:100::100" ];
};
};
wireguard0 = {
ifname = "wg0";
dns = [ "${privateIPv6Prefix}::0:53" ];
IPv4 = {
address = "10.100.0.1";
# gateway = "10.100.0.1";
};
IPv6 = {
address = "${privateIPv6Prefix}::1";
# gateway = "${privateIPv6Prefix}::1";
};
};
};
# Wireguard-related things.
wireguardPort = 40820;
wireguardIPv4Prefix = "10.100.0";
wireguardIPv6Prefix = "${privateIPv6Prefix}::0";
wireguardPeers = {
server = with interfaces.wireguard0; {
IPv4 = IPv4.address;
IPv6 = IPv6.address;
};
ataraxia = {
IPv4 = "${wireguardIPv4Prefix}.2";
IPv6 = "${wireguardIPv6Prefix}:2";
};
hypervisor = {
IPv4 = "${wireguardIPv4Prefix}.3";
IPv6 = "${wireguardIPv6Prefix}:3";
};
mikrotik = {
IPv4 = "${wireguardIPv4Prefix}.4";
IPv6 = "${wireguardIPv6Prefix}:4";
};
poco = {
IPv4 = "${wireguardIPv4Prefix}.5";
IPv6 = "${wireguardIPv6Prefix}:5";
};
kpoxa = {
IPv4 = "${wireguardIPv4Prefix}.6";
IPv6 = "${wireguardIPv6Prefix}:6";
};
kpoxa2 = {
IPv4 = "${wireguardIPv4Prefix}.7";
IPv6 = "${wireguardIPv6Prefix}:7";
};
faysss = {
IPv4 = "${wireguardIPv4Prefix}.8";
IPv6 = "${wireguardIPv6Prefix}:8";
};
faysss2 = {
IPv4 = "${wireguardIPv4Prefix}.9";
IPv6 = "${wireguardIPv6Prefix}:9";
};
faysss3 = {
IPv4 = "${wireguardIPv4Prefix}.10";
IPv6 = "${wireguardIPv6Prefix}:a";
};
doste = {
IPv4 = "${wireguardIPv4Prefix}.11";
IPv6 = "${wireguardIPv6Prefix}:b";
};
};
}
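Review bot: The public IPv6 address is declared with a `/48` (`2a0d:f302:128:3792::1/48`) while its gateway `2a0d:f302:127::1` lies outside that prefix; the prefix length marks the entire /48 as on-link on enp0s18, so unless the provider really delivers that whole block to this interface, other hosts in it would be looked up via neighbour discovery instead of being routed through the gateway. If the VPS was assigned a single /64 (or the address alone), the address should carry that length; network.nix already uses `GatewayOnLink` for the gateway route, so nothing else changes — please confirm against the provider's allocation. A comment next to `wireguardIPv6Prefix` noting that `"${wireguardIPv6Prefix}:2"` expands to `fd3a:900e:8e74:ffff::0:2` would also help readers of the peer table.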


@ -0,0 +1,50 @@
{ config, ... }:
let
inherit (import ./hardware/networks.nix) interfaces;
in {
services.resolved = {
enable = true;
dnssec = "false";
};
networking = {
enableIPv6 = true;
usePredictableInterfaceNames = true;
useDHCP = false;
dhcpcd.enable = false;
# nftables.enable = true;
domain = "wg.ataraxiadev.com";
};
# enp0s18
systemd.network = {
enable = true;
wait-online.ignoredInterfaces = [ "lo" ];
networks = {
"10-wan" = with interfaces.main'; {
matchConfig.Name = ifname;
address = [ IPv4.address IPv6.address ];
routes = [
{
routeConfig.Gateway = IPv4.gateway;
routeConfig.GatewayOnLink = true;
}
{
routeConfig.Gateway = IPv6.gateway;
routeConfig.GatewayOnLink = true;
}
];
linkConfig.RequiredForOnline = true;
domains = [ config.networking.domain ];
networkConfig = {
DHCP = "no";
IPForward = true;
IPv6PrivacyExtensions = true;
LinkLocalAddressing = "ipv6";
IPv6AcceptRA = true;
DNS = IPv4.dns ++ IPv6.dns;
};
};
};
};
}
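Review bot: `services.resolved.dnssec = "false"` turns DNSSEC validation off for the host, so answers from the provider resolvers listed in networks.nix are accepted unverified; `dnssec = "allow-downgrade";` keeps validation where the upstream supports it and falls back otherwise, which is the safer setting for a server. If the provider resolvers are known to break validation, a comment stating that next to the setting would stop the next reader from reverting it. `IPv6PrivacyExtensions = true` on an interface with a single static address is unusual for a server; it only affects outbound source-address selection, but it is worth confirming it is intended.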


@ -0,0 +1,39 @@
{ config, lib, inputs, ... }: {
nix = {
nixPath = lib.mkForce [ "self=/etc/self/compat" "nixpkgs=/etc/nixpkgs" ];
registry.self.flake = inputs.self;
registry.nixpkgs.flake = inputs.nixpkgs;
optimise.automatic = lib.mkDefault true;
extraOptions = ''
builders-use-substitutes = true
experimental-features = nix-command flakes
flake-registry = ${inputs.flake-registry}/flake-registry.json
'';
settings = {
auto-optimise-store = false;
require-sigs = true;
substituters = [
"https://cache.nixos.org"
"https://nix-community.cachix.org"
"https://nixpkgs-wayland.cachix.org"
"https://hyprland.cachix.org"
"https://ataraxiadev-foss.cachix.org"
"https://cache.ataraxiadev.com/ataraxiadev"
"https://numtide.cachix.org"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"ataraxiadev-foss.cachix.org-1:ws/jmPRUF5R8TkirnV1b525lP9F/uTBsz2KraV61058="
"ataraxiadev:/V5bNjSzHVGx6r2XA2fjkgUYgqoz9VnrAHq45+2FJAs="
"numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
];
trusted-users = [ "root" config.mainuser "@wheel" ];
use-xdg-base-directories = true;
};
};
environment.etc.nixpkgs.source = inputs.nixpkgs;
environment.etc.self.source = inputs.self;
}
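Review bot: `trusted-users = [ "root" config.mainuser "@wheel" ]` makes every wheel member a Nix trusted user, which the daemon treats as root-equivalent (trusted users may add substituters and override daemon options); the `deploy` account created in the machine's default.nix is in wheel and so inherits this. That is consistent with its passwordless sudo rule, but the intent should be written down, e.g. `# @wheel covers the deploy account used by deploy-rs; trusted users are root-equivalent to the daemon`. If only the mainuser needs to push unsigned paths, naming users explicitly instead of `@wheel` narrows this.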


@ -0,0 +1 @@
x86_64-linux


@ -0,0 +1,57 @@
{ config, lib, pkgs, ... }:
let
inherit (import ./hardware/networks.nix) interfaces wireguardPort wireguardPeers;
wireguardIFName = interfaces.wireguard0.ifname;
ataraxiaPeerAddresses = with wireguardPeers.ataraxia; [ "${IPv4}/32" "${IPv6}/128" ];
in {
environment.systemPackages = [ pkgs.wireguard-tools ];
networking.nftables.enable = true;
networking.firewall = {
allowedUDPPorts = [ wireguardPort ];
checkReversePath = "loose";
};
boot.kernelModules = [ "wireguard" "nft_fib_ipv4" "nft_fib_ipv6" "nft_fib_inet" ];
systemd.network = {
wait-online.ignoredInterfaces = [ wireguardIFName ];
netdevs."90-${wireguardIFName}" = {
netdevConfig = {
Name = wireguardIFName;
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = "/var/lib/wireguard/private";
ListenPort = wireguardPort;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "qjkV4V0on7H3hXG7udKOv4Qu/IUBrsDcXNZt3MupP3o=";
PresharedKeyFile = "/var/lib/wireguard/ataraxia-psk";
AllowedIPs = lib.concatStringsSep "," ataraxiaPeerAddresses;
};
}
];
};
networks."90-${wireguardIFName}" = with interfaces.wireguard0; {
matchConfig.Name = wireguardIFName;
address = [
"${IPv4.address}/16"
"${IPv6.address}/64"
];
linkConfig = {
MTUBytes = "1360";
};
DHCP = "no";
networkConfig = {
IPForward = true;
IPMasquerade = "both";
# Quad9 dns
DNS = [ "9.9.9.9" "149.112.112.112" "2620:fe::fe" "2620:fe::9" ];
};
};
};
}
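Review bot: `PrivateKeyFile = "/var/lib/wireguard/private"` and `PresharedKeyFile` are referenced but nothing in this commit provisions them, and with no secrets module visible they appear to be placed by hand; systemd-networkd reads these files as the `systemd-network` user, so they need to be owned by `root:systemd-network` with mode 0640 (world-readable exposes the private key, root-only likely leaves wg0 up without a key). A comment on the netdev recording that requirement and where the files come from would save the first deploy from a silent failure. Also, wg0 is addressed as `"${IPv4.address}/16"` while networks.nix sizes the peer space as a /24 (`wireguardIPv4Prefix = "10.100.0"`); aligning the prefix with the actual peer range keeps the on-link scope minimal.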


@ -5,6 +5,10 @@ let
config = config.nixpkgs.config;
localSystem = { inherit system; };
};
stable = import inputs.nixpkgs-stable {
config = config.nixpkgs.config;
localSystem = { inherit system; };
};
nur = import inputs.nur {
nurpkgs = import inputs.nixpkgs {
system = "x86_64-linux";
@ -15,6 +19,7 @@ with lib; {
nixpkgs.overlays = [
nur.repos.ataraxiasjel.overlays.default
nur.repos.ataraxiasjel.overlays.grub2-argon2
inputs.deploy-rs.overlay
(final: prev:
{
attic = inputs.attic.packages.${system}.attic;