
27 Commits

0d155fa553
feat: add disko config for redshift 2025-03-10 19:10:28 +03:00
e63296d245
feat: add redshift (vps) host 2025-03-10 19:08:13 +03:00
2c03698a2f
feat: add rollback service for btrfs 2025-03-10 19:06:21 +03:00
6d85bb5bdb
fix: disable document-start rule for yamllint 2025-03-10 19:04:49 +03:00
65db257b33
feat: add sops for secrets management 2025-03-10 19:01:22 +03:00
7a910b5567
fix: postgresql backups 2025-03-10 18:46:44 +03:00
a2a0fb4a43
fix: persist some dirs by default for home dirs too 2025-03-10 18:45:57 +03:00
6d12c775c8
feat: network module for configuring networkd with bridge support 2025-03-10 18:44:16 +03:00
12651a52ee
feat: do not compress journald logs if using native fs compression 2025-03-10 18:43:40 +03:00
387086a698
feat: add empty modules for btrfs and zfs filesystems 2025-03-10 18:42:32 +03:00
bd8fa8a9ae
feat: add some files and dirs to persist by default 2025-03-10 18:39:05 +03:00
9a9abac938
fix: support persist module without home-manager on host 2025-03-10 18:38:30 +03:00
9d808421af
fix: remove erofs from kernel module blacklist for hardened profile
system.etc.overlay requires erofs kernel module, but hardened profile from nixpkgs disables it. Patch nixpkgs and remove erofs module from blacklist.
2025-03-10 18:37:22 +03:00
57ab28592e
feat: locale module 2025-03-10 18:35:29 +03:00
0f43c2e01d
fix: import profiles to modules 2025-03-10 18:34:51 +03:00
0bf6498de3
feat: hardened profile from nixpkgs with some additions 2025-03-10 18:34:03 +03:00
1e47f00539
feat: minimal profile from nixpkgs 2025-03-10 18:32:18 +03:00
6ed8b746cb
feat: auto-login for desktop 2025-03-10 18:31:46 +03:00
d0563f6028
feat: user module with some security 2025-03-10 18:31:24 +03:00
73c86aa500
feat: sane ssh defaults 2025-03-10 18:30:20 +03:00
05db810079
feat: module for role system 2025-03-10 18:29:45 +03:00
03df1ae699
feat: simple tailscale module to persist its directory 2025-03-10 18:23:55 +03:00
7c346eb6a8
feat: add some new inputs, update them all 2025-03-10 18:22:22 +03:00
f8dd3a3ce6
fix: exclude backblaze link for lychee 2025-03-08 15:59:43 +03:00
2ad7f5aab4
feat: add module to backup postgresql db using rustic 2025-03-08 15:58:14 +03:00
f6edb7f80d
fix: enable home-manager options eval for nixd 2025-03-08 15:36:12 +03:00
bd5f61d3c0
feat: pass secretsDir to specialArgs 2025-03-08 15:35:34 +03:00
25 changed files with 1476 additions and 57 deletions

14
.sops.yaml Normal file

@ -0,0 +1,14 @@
keys:
- &ataraxia age1n0prg9vynuwc56gn0xfe5qde8wqcd4uzg5ghhhetu2024ckvjyvqxf49el
- &redshift age1d4mqql020mpne9r3vtt4l9ywfzfq7zpa3mad33syxln2kldkjsxqgju90f
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *ataraxia
- *redshift
- path_regex: secrets/redshift/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *ataraxia
- *redshift
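Review bot: Both creation_rules resolve to the same key group (`*ataraxia` and `*redshift`), so the dedicated `secrets/redshift/` rule currently grants nothing different from the shared `secrets/` rule: every secret in either location is decryptable by both keys. If the host key is only meant to decrypt its own secrets, the shared rule should list just the keys that really need shared material and the per-host rule the admin key plus that host's key; as written, each new host appended to the first rule gets access to everything under `secrets/`. Because `[^/]+` in the first regex does not match nested paths, the second rule is what actually covers `secrets/redshift/`, so a one-line comment stating whether the identical key groups are intentional would help the next reader. Note also that sops applies the first matching rule, so rule order becomes significant if the regexes are ever broadened.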


@ -16,9 +16,9 @@
"nixos": {
"expr": "(builtins.getFlake \"${workspaceFolder}\").nixosConfigurations.NixOS-VM.options",
},
// "home-manager": {
// "expr": "(builtins.getFlake \"${workspaceFolder}\").homeConfigurations.NixOS-VM.options",
// },
"home-manager": {
"expr": "(builtins.getFlake \"${workspaceFolder}\").nixosConfigurations.NixOS-VM.options.home-manager",
},
},
},
}

3
.yamllint Normal file

@ -0,0 +1,3 @@
extends: default
rules:
document-start: disable

262
flake.lock generated

@ -7,11 +7,11 @@
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1740828104,
"narHash": "sha256-tsbyfl+hC+p9XrQ+TlwwC7YXh9wHZlOMeGG0HQnMKQY=",
"lastModified": 1741367062,
"narHash": "sha256-xVKNSa/gzjncWJWEpdAnufTg2lU9vXKk9OjFRAAkmQE=",
"owner": "AtaraxiaSjel",
"repo": "nur",
"rev": "1aecfeba906e88c0a2f6e76d112eb81d8da12c1d",
"rev": "6b8ac8dfa8123f29f7ab68b8c82287e2fed2f49a",
"type": "github"
},
"original": {
@ -120,6 +120,28 @@
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat_3",
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1727447169,
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"devenv": {
"inputs": {
"cachix": "cachix",
@ -231,17 +253,17 @@
"devenv_4": {
"inputs": {
"cachix": "cachix_3",
"flake-compat": "flake-compat_3",
"flake-compat": "flake-compat_4",
"git-hooks": "git-hooks",
"nix": "nix_4",
"nixpkgs": "nixpkgs_7"
},
"locked": {
"lastModified": 1740678151,
"narHash": "sha256-q0tKL+Yny0wkLCHRBHQ97YhjorNLnbnyjc+FnQZyKkM=",
"lastModified": 1741348424,
"narHash": "sha256-nPwbJpX8AxmzbgRd2m6KHIbyN1xavq1BaBdJzO/lkW0=",
"owner": "cachix",
"repo": "devenv",
"rev": "af151da5e3d7391fe778050da00d8e7cefa2d087",
"rev": "8f8c96bb1e0c6a59a97592328dc61b9fdbe7474b",
"type": "github"
},
"original": {
@ -250,6 +272,26 @@
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1740485968,
"narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=",
"owner": "nix-community",
"repo": "disko",
"rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -283,6 +325,22 @@
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1733328505,
@ -366,11 +424,11 @@
"nixpkgs-lib": "nixpkgs-lib_2"
},
"locked": {
"lastModified": 1738453229,
"narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
"lastModified": 1741352980,
"narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
"rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
"type": "github"
},
"original": {
@ -430,7 +488,7 @@
},
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
@ -446,6 +504,24 @@
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flakey-profile": {
"locked": {
"lastModified": 1712898590,
@ -473,11 +549,11 @@
]
},
"locked": {
"lastModified": 1737465171,
"narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
"lastModified": 1740849354,
"narHash": "sha256-oy33+t09FraucSZ2rZ6qnD1Y1c8azKKmQuCvF2ytUko=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
"rev": "4a709a8ce9f8c08fa7ddb86761fe488ff7858a07",
"type": "github"
},
"original": {
@ -538,11 +614,11 @@
]
},
"locked": {
"lastModified": 1740796616,
"narHash": "sha256-JU97wIfRxeFN6rpTsUVCwWAdix+Wka4Or23907YIrFI=",
"lastModified": 1741579508,
"narHash": "sha256-skRbH+UF2ES+msEa+KWi7AQFX73S+QsGlPsyCU6XyE0=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "f0b5e7e8a75abdea32bbff09ddd7b6eeb4b9b445",
"rev": "744f749dd6fbc1489591ea370b95156858629cb9",
"type": "github"
},
"original": {
@ -600,16 +676,16 @@
},
"lite-config": {
"locked": {
"lastModified": 1740833288,
"narHash": "sha256-6wHmdkkJ8OpmOSkdYvCoq5vMYILimDM0V1iqOg4GwdY=",
"lastModified": 1741449308,
"narHash": "sha256-+DKkUwO9RxuBMTy0n8vnGzwBckMRj4KDQl3yLswq3aE=",
"owner": "ataraxiasjel",
"repo": "lite-config",
"rev": "2ea208e46d2811858c7a7be78a285e69e8b2708c",
"rev": "bf042143ef8bd2789f345268253f6f10d4678a78",
"type": "github"
},
"original": {
"owner": "ataraxiasjel",
"ref": "v0.7.0",
"ref": "v0.8.0",
"repo": "lite-config",
"type": "github"
}
@ -652,6 +728,21 @@
"type": "github"
}
},
"mk-shell-bin": {
"locked": {
"lastModified": 1677004959,
"narHash": "sha256-/uEkr1UkJrh11vD02aqufCxtbF5YnhRTIKlx5kyvf+I=",
"owner": "rrbutani",
"repo": "nix-mk-shell-bin",
"rev": "ff5d8bd4d68a347be5042e2f16caee391cd75887",
"type": "github"
},
"original": {
"owner": "rrbutani",
"repo": "nix-mk-shell-bin",
"type": "github"
}
},
"nix": {
"inputs": {
"flake-compat": "flake-compat",
@ -708,6 +799,27 @@
"type": "github"
}
},
"nix2container": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1739638901,
"narHash": "sha256-w+mIxNbEaOh2JqDwV2BLt71GZTBMzTyHhm3JYG0rkj0=",
"owner": "nlewo",
"repo": "nix2container",
"rev": "50818838feff20902ff9004dcdef1aeb7098e488",
"type": "github"
},
"original": {
"owner": "nlewo",
"repo": "nix2container",
"type": "github"
}
},
"nix_2": {
"inputs": {
"flake-compat": [
@ -849,23 +961,26 @@
},
"nixpkgs-lib_2": {
"locked": {
"lastModified": 1738452942,
"narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
"lastModified": 1740877520,
"narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
"type": "github"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-master": {
"locked": {
"lastModified": 1740833265,
"narHash": "sha256-2KvMZrAAeY7UkUB1ayK6TwVFL369xIPY6ExPvyuNLcQ=",
"lastModified": 1741607783,
"narHash": "sha256-qKrom+rflGH23CBtcmumxXCLiRpO6iMhIAv+HXT36uA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "2cf427c0455febe93e01d8f2491129698aff6fd4",
"rev": "abd72d8e98ab73f114561d986f9c069ddd800935",
"type": "github"
},
"original": {
@ -1037,11 +1152,11 @@
},
"nixpkgs_8": {
"locked": {
"lastModified": 1740695751,
"narHash": "sha256-D+R+kFxy1KsheiIzkkx/6L63wEHBYX21OIwlFV8JvDs=",
"lastModified": 1741379970,
"narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "6313551cd05425cd5b3e63fe47dbc324eabb15e4",
"rev": "36fd87baa9083f34f7f5027900b62ee6d09b1f2f",
"type": "github"
},
"original": {
@ -1151,17 +1266,22 @@
"root": {
"inputs": {
"ataraxiasjel-nur": "ataraxiasjel-nur",
"deploy-rs": "deploy-rs",
"devenv": "devenv_4",
"devenv-root": "devenv-root",
"disko": "disko",
"flake-parts": "flake-parts_4",
"flake-registry": "flake-registry",
"home-manager": "home-manager",
"impermanence": "impermanence",
"lite-config": "lite-config",
"lix-module": "lix-module",
"mk-shell-bin": "mk-shell-bin",
"nix2container": "nix2container",
"nixpkgs": "nixpkgs_8",
"nixpkgs-master": "nixpkgs-master",
"sops-nix": "sops-nix"
"sops-nix": "sops-nix",
"srvos": "srvos"
}
},
"sops-nix": {
@ -1171,11 +1291,11 @@
]
},
"locked": {
"lastModified": 1739262228,
"narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
"lastModified": 1741043164,
"narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
"rev": "3f2412536eeece783f0d0ad3861417f347219f4d",
"type": "github"
},
"original": {
@ -1184,6 +1304,26 @@
"type": "github"
}
},
"srvos": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1741567682,
"narHash": "sha256-N2LArmDeNL06fLHvLmbNMG3L2fEi62+Ra4X1NkPKsKQ=",
"owner": "nix-community",
"repo": "srvos",
"rev": "4b726f14b80473a05302cdcd70d3043a183c5276",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "srvos",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@ -1213,6 +1353,54 @@
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",


@ -7,15 +7,21 @@
};
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-master.url = "github:nixos/nixpkgs/master";
flake-parts.url = "github:hercules-ci/flake-parts";
lite-config.url = "github:ataraxiasjel/lite-config/v0.7.0";
devenv.url = "github:cachix/devenv";
devenv-root = {
url = "file+file:///dev/null";
flake = false;
};
mk-shell-bin.url = "github:rrbutani/nix-mk-shell-bin";
nix2container = {
url = "github:nlewo/nix2container";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-master.url = "github:nixos/nixpkgs/master";
flake-parts.url = "github:hercules-ci/flake-parts";
lite-config.url = "github:ataraxiasjel/lite-config/v0.8.0";
flake-registry = {
url = "github:nixos/flake-registry";
flake = false;
@ -26,6 +32,14 @@
};
ataraxiasjel-nur.url = "github:AtaraxiaSjel/nur";
deploy-rs = {
url = "github:serokell/deploy-rs";
inputs.nixpkgs.follows = "nixpkgs";
};
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
impermanence.url = "github:nix-community/impermanence";
lix-module = {
# url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0.tar.gz";
@ -56,7 +70,7 @@
config = {
allowUnfree = true;
};
patches = [ ./patches/onlyoffice.patch ];
patches = [ ./patches/erofs-hardened.patch ];
overlays = [
inputs.ataraxiasjel-nur.overlays.default
inputs.ataraxiasjel-nur.overlays.grub2-unstable-argon2
@ -65,6 +79,7 @@
};
extraSpecialArgs = {
flake-self = self;
secretsDir = ./secrets;
};
systemModules = [
inputs.sops-nix.nixosModules.sops
@ -74,6 +89,11 @@
hostModuleDir = ./hosts;
hosts = {
NixOS-VM.system = "x86_64-linux";
# VPS
redshift = {
system = "x86_64-linux";
useHomeManager = false;
};
};
};
@ -100,6 +120,10 @@
deadnix.enable = true;
flake-checker.enable = true;
lychee.enable = true;
lychee.args = [
"--exclude"
"^https://.+\\.backblazeb2\\.com"
];
markdownlint.enable = true;
nixfmt-rfc-style.enable = true;
ripsecrets.enable = true;
@ -107,9 +131,13 @@
typos.enable = true;
yamlfmt.enable = true;
yamllint.enable = true;
yamllint.args = [
"--config-file"
".yamllint"
"--format"
"parsable"
];
};
# https://github.com/cachix/devenv/issues/528
containers = { };
};
};
}
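Review bot: In the `@ -56,7 +70,7 @@` hunk, `patches = [ ./patches/erofs-hardened.patch ];` replaces `./patches/onlyoffice.patch` instead of adding to it, so the onlyoffice patch is dropped for every host; if it is still needed on the desktop host it should stay in the list, and if the removal is intentional the commit message, which only mentions erofs, does not say so. A short comment above the list, e.g. `# erofs is required by system.etc.overlay; the nixpkgs hardened profile blacklists it`, would tie the patch to the reason given in commit 9d808421af. The `patches` attribute is applied to the nixpkgs used by all hosts, not only those enabling the hardened profile, which is presumably fine but worth stating there too. The enclosing attribute set starts and ends outside the hunk.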

153
hosts/redshift/default.nix Normal file

@ -0,0 +1,153 @@
{
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
./disk-config.nix
];
ataraxia.defaults.role = "server";
# Impermanence
persist.cache.clean.enable = true;
ataraxia.filesystems.btrfs.enable = true;
ataraxia.filesystems.btrfs.eraseOnBoot.enable = true;
ataraxia.filesystems.btrfs.eraseOnBoot.device = "/dev/sda4";
ataraxia.filesystems.btrfs.eraseOnBoot.systemdDevice =
"sys-devices-pci0000:00-0000:00:05.0-0000:01:01.0-virtio3-host0-target0:0:0-0:0:0:0-block-sda.device";
ataraxia.filesystems.btrfs.eraseOnBoot.eraseVolumes = [
{
vol = "rootfs";
blank = "rootfs-blank";
}
{
vol = "homefs";
blank = "homefs-blank";
}
];
ataraxia.defaults.ssh.ports = [ 32323 ];
ataraxia.network = {
enable = true;
enableIPv6 = false;
domain = "wg.ataraxiadev.com";
ifname = "enp0s18";
mac = "bc:24:11:99:d5:2f";
bridge.enable = true;
ipv4 = {
address = "104.164.54.197/24";
gateway = "104.164.54.1";
dns = [
"9.9.9.9"
"149.112.112.112"
];
};
};
services.qemuGuest.enable = lib.mkForce true;
# I don't want to specify all required kernel modules
# manually. For now at least
security.lockKernelModules = lib.mkForce false;
# scudo memalloc often borks everything
environment.memoryAllocator.provider = lib.mkForce "libc";
boot = {
initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"vfat"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
kernelModules = [ "kvm-intel" ];
kernelParams = [
"scsi_mod.use_blk_mq=1"
"kvm.ignore_msrs=1"
"kvm.report_ignored_msrs=0"
# Allow access to rescue mode with locked root user
# "rd.systemd.unit=rescue.target"
"systemd.setenv=SYSTEMD_SULOGIN_FORCE=1"
];
kernel.sysctl = {
"vm.swappiness" = 50;
"vm.vfs_cache_pressure" = 200;
"vm.dirty_background_ratio" = 1;
"vm.dirty_ratio" = 40;
"vm.page-cluster" = 0;
# proxy tuning
"net.ipv4.tcp_congestion_control" = "bbr";
"net.ipv4.tcp_slow_start_after_idle" = 0;
"net.core.default_qdisc" = "cake";
"net.core.rmem_max" = 67108864;
"net.core.wmem_max" = 67108864;
"net.core.netdev_max_backlog" = 10000;
"net.core.somaxconn" = 4096;
"net.ipv4.tcp_syncookies" = 1;
"net.ipv4.tcp_tw_reuse" = 1;
"net.ipv4.tcp_fin_timeout" = 30;
"net.ipv4.tcp_keepalive_time" = 1200;
"net.ipv4.tcp_keepalive_probes" = 5;
"net.ipv4.tcp_keepalive_intvl" = 30;
"net.ipv4.tcp_max_syn_backlog" = 8192;
"net.ipv4.tcp_max_tw_buckets" = 5000;
"net.ipv4.tcp_fastopen" = 3;
"net.ipv4.tcp_mem" = "25600 51200 102400";
"net.ipv4.udp_mem" = "25600 51200 102400";
"net.ipv4.tcp_rmem" = "4096 87380 67108864";
"net.ipv4.tcp_wmem" = "4096 65536 67108864";
"net.ipv4.tcp_mtu_probing" = 1;
};
loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
};
supportedFilesystems = [
"vfat"
"btrfs"
];
};
environment.systemPackages = builtins.attrValues {
inherit (pkgs.kitty) terminfo;
inherit (pkgs)
bat
bottom
comma
git
micro
nix-index
pwgen
rsync
;
};
services.fail2ban = {
enable = true;
maxretry = 3;
bantime = "2h";
bantime-increment = {
enable = true;
maxtime = "72h";
overalljails = true;
};
ignoreIP = [
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
];
jails = {
sshd.settings = {
backend = "systemd";
mode = "aggressive";
};
};
};
system.stateVersion = "24.11";
}
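Review bot: `"systemd.setenv=SYSTEMD_SULOGIN_FORCE=1"` in `boot.kernelParams` makes rescue and emergency mode drop to a root shell without any password, permanently and on every boot, on a host whose console is reachable through the hosting provider's panel; the comment `# Allow access to rescue mode with locked root user` describes the convenience but not this trade-off. Whenever boot lands in emergency mode, anyone with console access gets unauthenticated root, so the accepted risk should be written next to the line, or the parameter limited to a one-off rescue boot with root given a sops-managed hashed password so sulogin can authenticate normally. `security.lockKernelModules = lib.mkForce false;` and the libc allocator override are already explained inline, which is the pattern to follow here. The fail2ban sshd jail and the non-default SSH port are consistent with the host's server role; a comment noting that `ignoreIP` covers only RFC 1918 ranges because the host sits on a public address would spare the next reader a guess.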


@ -0,0 +1,156 @@
{ inputs, ... }:
{
imports = [ inputs.disko.nixosModules.disko ];
disko.devices.disk.disk1 =
let
device = "/dev/sda";
in
{
inherit device;
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
swap = {
name = "swap";
size = "1G";
content = {
type = "swap";
randomEncryption = true;
};
};
root = {
name = "root";
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ];
postCreateHook = ''
mount -t btrfs ${device}4 /mnt
btrfs subvolume snapshot -r /mnt/rootfs /mnt/snapshots/rootfs-blank
btrfs subvolume snapshot -r /mnt/homefs /mnt/snapshots/homefs-blank
btrfs subvolume snapshot -r /mnt/persist/docker /mnt/snapshots/docker-blank
btrfs subvolume snapshot -r /mnt/persist/podman /mnt/snapshots/podman-blank
btrfs subvolume snapshot -r /mnt/persist/containers /mnt/snapshots/containers-blank
btrfs subvolume snapshot -r /mnt/persist/libvirt /mnt/snapshots/libvirt-blank
btrfs subvolume snapshot -r /mnt/persist/log /mnt/snapshots/log-blank
btrfs subvolume snapshot -r /mnt/persist/impermanence /mnt/snapshots/impermanence-blank
btrfs subvolume snapshot -r /mnt/persist/srv /mnt/snapshots/srv-blank
umount /mnt
'';
subvolumes = {
"/snapshots" = { };
"/rootfs" = {
mountpoint = "/";
mountOptions = [
"compress=zstd"
"noatime"
"autodefrag"
"ssd"
];
};
"/homefs" = {
mountpoint = "/home";
mountOptions = [
"compress=zstd"
"noatime"
"autodefrag"
"ssd"
];
};
"/persist" = { };
"/persist/nix" = {
mountpoint = "/nix";
mountOptions = [
"compress=zstd"
"noatime"
"autodefrag"
"ssd"
];
};
"/persist/srv" = {
mountpoint = "/srv";
mountOptions = [
"compress=zstd"
"noatime"
"autodefrag"
"ssd"
];
};
"/persist/docker" = {
mountpoint = "/var/lib/docker";
mountOptions = [
"compress=zstd"
"noatime"
"autodefrag"
"ssd"
];
};
"/persist/podman" = {
mountpoint = "/var/lib/podman";
mountOptions = [
"compress=zstd"
"noatime"
"autodefrag"
"ssd"
];
};
"/persist/containers" = {
mountpoint = "/var/lib/containers";
mountOptions = [
"compress=zstd"
"noatime"
"autodefrag"
"ssd"
];
};
"/persist/libvirt" = {
mountpoint = "/var/lib/libvirt";
mountOptions = [
"compress=zstd"
"noatime"
"autodefrag"
"ssd"
];
};
"/persist/log" = {
mountpoint = "/var/log";
mountOptions = [
"compress=zstd"
"noatime"
"autodefrag"
"ssd"
];
};
"/persist/impermanence" = {
mountpoint = "/persist";
mountOptions = [
"compress=zstd"
"noatime"
"autodefrag"
"ssd"
];
};
};
};
};
};
};
};
}
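Review bot: The same four-entry `mountOptions` list is repeated for nine subvolumes inside `subvolumes`; binding it once in the existing `let`, e.g. `mountOpts = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];`, and writing `mountOptions = mountOpts;` per subvolume keeps the entries from drifting apart. The `postCreateHook` also hard-codes `mount -t btrfs ${device}4 /mnt`, which silently depends on `root` staying the fourth partition; since disko uses the gpt partition `name` as its partlabel, `/dev/disk/by-partlabel/root` would survive a reordering. The hook creates `*-blank` snapshots for docker, podman, containers, libvirt, log, impermanence and srv that nothing in this commit's `eraseVolumes` list consumes, which is fine as groundwork but worth a one-line comment. The file name is not shown for this section; from the `./disk-config.nix` import in the host module it is presumably `hosts/redshift/disk-config.nix`.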


@ -1,10 +1,12 @@
{
config,
lib,
...
}:
let
inherit (lib) mkOption mkEnableOption;
inherit (lib) mkOption mkEnableOption mkIf;
inherit (lib.types) listOf path str;
cfg = config.persist;
in
{
options =
@ -45,4 +47,12 @@ in
} // common;
};
};
config = mkIf cfg.enable {
# Persist by default
persist.cache.directories = [ ".cache" ];
persist.state = {
directories = [ ".local/share/nix" ];
};
};
}


@ -0,0 +1,4 @@
{ ... }:
{
imports = [ ./postgresql.nix ];
}


@ -0,0 +1,108 @@
{
config,
lib,
pkgs,
inputs,
secretsDir,
...
}:
let
inherit (lib)
mapAttrs'
mkDefault
mkIf
mkOption
nameValuePair
;
inherit (lib.types)
attrsOf
nullOr
str
submodule
;
in
{
options.backups.postgresql = mkOption {
description = ''
Periodic backups of postgresql database to create using Rustic.
'';
type = attrsOf (
submodule (
{ name, ... }:
{
options = {
dbName = mkOption {
type = str;
default = name;
description = "Name of database to backup";
};
proxyAddress = mkOption {
type = nullOr str;
default = null;
description = "Optional https proxy for connection to backblaze.";
};
};
}
)
);
default = { };
};
imports = [ inputs.ataraxiasjel-nur.nixosModules.rustic ];
config = mkIf (config.backups.postgresql != { }) {
sops.secrets.rustic-postgresql-s3-env.sopsFile = mkDefault (secretsDir + /rustic.yaml);
sops.secrets.rustic-postgresql-pass.sopsFile = mkDefault (secretsDir + /rustic.yaml);
sops.secrets.rustic-postgresql-s3-env.owner = "postgres";
sops.secrets.rustic-postgresql-pass.owner = "postgres";
services.rustic.backups = mapAttrs' (
name: backup:
nameValuePair "postgresql-${name}" {
backup = true;
prune = true;
initialize = true;
user = "postgres";
extraEnvironment.https_proxy = mkIf (backup.proxyAddress != null) backup.proxyAddress;
environmentFile = config.sops.secrets.rustic-postgresql-s3-env.path;
pruneOpts = [ "--repack-cacheable-only=false" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
};
# Backup postgresql db and pass it to rustic through stdin
# Runs this command:
# pg_dump ${dbName} | zstd --rsyncable --stdout - | rustic -P postgresql-authentik backup -
backupCommandPrefix = "${config.services.postgresql.package}/bin/pg_dump --clean ${backup.dbName} | ${pkgs.zstd}/bin/zstd --rsyncable --stdout - |";
extraBackupArgs = [ "-" ];
# Rustic profile yaml
settings = {
repository = {
repository = "opendal:s3";
password-file = config.sops.secrets.rustic-postgresql-pass.path;
options = {
root = backup.dbName;
bucket = "ataraxia-postgresql-backups";
region = "eu-central-003";
endpoint = "https://s3.eu-central-003.backblazeb2.com";
};
};
backup = {
host = config.networking.hostName;
label = backup.dbName;
ignore-devid = true;
group-by = "label";
skip-identical-parent = true;
stdin-filename = "${backup.dbName}.dump.zst";
};
forget = {
filter-labels = [ backup.dbName ];
group-by = "label";
prune = true;
keep-daily = 4;
keep-weekly = 2;
keep-monthly = 1;
};
};
}
) config.backups.postgresql;
};
}
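Review bot: `backupCommandPrefix` builds the pipeline `pg_dump --clean ${backup.dbName} | zstd ... |` and rustic reads the stream from stdin; unless the rustic module's generated script runs with `set -o pipefail`, a pg_dump failure (wrong database name, server down) still yields a successful-looking snapshot containing an empty or truncated dump, which is the worst failure mode for a backup. If the module does not set it, starting the prefix with `set -o pipefail;` or checking the exit status in a post-backup hook would surface the error; the rustic module is imported from the NUR, so I cannot confirm its behaviour from this page. `${backup.dbName}` is also spliced into the shell line unquoted; `${lib.escapeShellArg backup.dbName}` costs nothing and protects against names with spaces or shell metacharacters. The comment above the command still names the profile `postgresql-authentik` while the code now uses `postgresql-${name}`; update it to `# pg_dump ${dbName} | zstd --rsyncable --stdout - | rustic -P postgresql-${name} backup -`.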


@ -0,0 +1,122 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (builtins) map;
inherit (lib)
concatStringsSep
mkIf
mkEnableOption
mkOption
mkBefore
;
inherit (lib.types)
bool
str
listOf
submodule
;
cfg = config.ataraxia.filesystems.btrfs;
eraseVolumesOpts =
{ ... }:
{
options = {
vol = mkOption {
type = str;
example = "rootfs";
description = "Name of submodule to erase";
};
blank = mkOption {
type = str;
example = "rootfs-blank";
description = "Name of submodule to clone into `vol`";
};
};
};
in
{
options.ataraxia.filesystems.btrfs = {
enable = mkEnableOption "Root on btrfs";
# Btrfs clean root
eraseOnBoot = {
enable = mkOption {
type = bool;
default = config.persist.enable;
description = "Clean btrfs subvolumes on boot";
};
device = mkOption {
type = str;
description = "Device on which is btrfs partititon";
};
systemdDevice = mkOption {
type = str;
description = "Escaped string with name of .device service";
example = "dev-disk-by\\x2did-ata\\x2dPhison_SATA_SSD_2165.device";
};
eraseVolumes = mkOption {
type = listOf (submodule eraseVolumesOpts);
default = [ ];
example = [
{
vol = "rootfs";
blank = "rootfs-blank";
}
];
description = ''
A list of subvolumes to erase on boot.
'';
};
};
};
config =
let
script = ''
mkdir -p /mnt
mount -t btrfs -o subvol=/ ${cfg.eraseOnBoot.device} /mnt
${concatStringsSep "\n" (
map (x: ''
btrfs subvolume list -o /mnt/${x.vol} |
cut -f9 -d' ' |
while read subvolume; do
echo "deleting /$subvolume subvolume..."
btrfs subvolume delete "/mnt/$subvolume"
done &&
echo "deleting /${x.vol} subvolume..."
btrfs subvolume delete /mnt/${x.vol}
echo "restoring blank ${x.blank} subvolume..."
btrfs subvolume snapshot /mnt/snapshots/${x.blank} /mnt/${x.vol}
'') cfg.eraseOnBoot.eraseVolumes
)}
umount /mnt
'';
in
mkIf cfg.enable {
boot.initrd = mkIf cfg.eraseOnBoot.enable {
postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable) (mkBefore script);
systemd.services.rollback = mkIf config.boot.initrd.systemd.enable {
description = "Rollback btrfs root subvolume to a pristine state on boot";
wantedBy = [ "initrd.target" ];
requires = [ cfg.eraseOnBoot.systemdDevice ];
after = [ cfg.eraseOnBoot.systemdDevice ];
before = [ "sysroot.mount" ];
path = [
pkgs.btrfs-progs
pkgs.coreutils
pkgs.util-linuxMinimal.mount
];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = script;
};
};
};
}
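Review bot: The option descriptions for `vol` and `blank` in `eraseVolumesOpts` say "submodule" where they mean "subvolume", and the `device` description has "partititon"; replace them with `description = "Name of subvolume to erase";`, `description = "Name of subvolume to clone into vol";` and `description = "Device on which the btrfs partition lives";`. In the erase script the `&&` after `done` only guards the following `echo`: `btrfs subvolume delete /mnt/${x.vol}` and the snapshot restore run even when deleting a nested subvolume failed, so a partial failure still deletes and replaces the parent; ending the loop with `done || exit 1` instead makes the failure explicit. The same script runs under two shells, the stage-1 `postDeviceCommands` path and the systemd `script` wrapper, and presumably only the latter runs with `-e`, so a comment stating which error behaviour is relied on would help. Parsing `btrfs subvolume list -o` with `cut -f9 -d' '` also breaks for nested subvolume names containing spaces, which is acceptable if documented as unsupported.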


@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./btrfs.nix
./zfs.nix
];
}


@ -0,0 +1,16 @@
{ config, lib, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.ataraxia.filesystems.zfs;
in
{
options.ataraxia.filesystems.zfs = {
enable = mkEnableOption "Root on zfs";
};
config = mkIf cfg.enable {
persist.state.files = [
"/etc/zfs/zpool.cache"
];
};
}


@ -0,0 +1,44 @@
{ config, lib, ... }:
let
inherit (lib) mkDefault mkEnableOption mkIf;
cfg = config.ataraxia.defaults.locale;
c = "C.UTF-8";
dk = "en_DK.UTF-8";
gb = "en_GB.UTF-8";
ie = "en_IE.UTF-8";
ru = "ru_RU.UTF-8";
us = "en_US.UTF-8";
lang = "en_IE:en_US:en:C:ru_RU";
in
{
options.ataraxia.defaults.locale = {
enable = mkEnableOption "Default locale settings";
};
config = mkIf cfg.enable {
environment.sessionVariables = {
XKB_DEFAULT_LAYOUT = "us,ru";
XKB_DEFAULT_OPTIONS = "grp:win_space_toggle";
};
i18n.defaultLocale = ie;
i18n.extraLocaleSettings = {
LANGUAGE = lang;
LC_TIME = dk;
LC_ADDRESS = ru;
LC_MONETARY = ru;
LC_NUMERIC = ru;
LC_PAPER = ru;
LC_TELEPHONE = ru;
};
i18n.supportedLocales = map (x: "${x}/UTF-8") [
c
dk
gb
ie
ru
us
];
time.timeZone = mkDefault "Europe/Moscow";
};
}


@ -0,0 +1,148 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkDefault
mkEnableOption
mkForce
mkIf
mkOption
optionals
;
inherit (lib.types)
bool
listOf
nullOr
str
;
cfg = config.ataraxia.network;
in
{
options.ataraxia.network = {
enable = mkEnableOption "Enable systemd-networkd bridged network";
enableIPv6 = mkEnableOption "Enable IPv6";
domain = mkOption {
type = nullOr str;
default = null;
};
ifname = mkOption {
type = str;
};
mac = mkOption {
type = str;
};
bridge = {
enable = mkOption {
type = bool;
default = true;
};
name = mkOption {
type = str;
default = "br0";
};
};
ipv4 = {
address = mkOption {
type = str;
};
gateway = mkOption {
type = str;
};
dns = mkOption {
type = listOf str;
default = [ ];
};
gatewayOnLink = mkEnableOption "Enable GatewayOnLink";
};
ipv6 = {
address = mkOption {
type = str;
};
gateway = mkOption {
type = str;
};
dns = mkOption {
type = listOf str;
default = [ ];
};
gatewayOnLink = mkEnableOption "Enable GatewayOnLink";
};
};
config = mkIf cfg.enable {
services.resolved.enable = true;
networking = {
dhcpcd.enable = false;
domain = mkIf (cfg ? domain) cfg.domain;
enableIPv6 = cfg.enableIPv6;
nftables.enable = true;
useDHCP = false;
useNetworkd = false;
usePredictableInterfaceNames = mkForce true;
firewall = {
enable = true;
allowedTCPPorts = mkDefault [ ];
allowedUDPPorts = mkDefault [ ];
};
};
systemd.network = {
enable = true;
wait-online.ignoredInterfaces = [ "lo" ];
netdevs = {
"20-${cfg.bridge.name}" = {
netdevConfig = {
Kind = "bridge";
Name = cfg.bridge.name;
MACAddress = cfg.mac;
};
};
};
networks = {
"30-${cfg.ifname}" = {
matchConfig.Name = cfg.ifname;
linkConfig.RequiredForOnline = "enslaved";
networkConfig.Bridge = cfg.bridge.name;
networkConfig.DHCP = "no";
};
"40-${cfg.bridge.name}" = {
matchConfig.Name = cfg.bridge.name;
address =
[
cfg.ipv4.address
]
++ optionals cfg.enableIPv6 [
cfg.ipv6.address
"fc00::1/64"
];
dns = cfg.ipv4.dns ++ optionals cfg.enableIPv6 cfg.ipv6.dns;
networkConfig.LinkLocalAddressing = "no";
linkConfig.RequiredForOnline = "routable";
routes =
[
{
Gateway = cfg.ipv4.gateway;
GatewayOnLink = mkIf cfg.ipv4.gatewayOnLink true;
}
]
++ optionals cfg.enableIPv6 [
{
Gateway = cfg.ipv6.gateway;
GatewayOnLink = mkIf cfg.ipv4.gatewayOnLink true;
}
];
};
};
};
system.activationScripts.udp-gro-forwarding = mkIf cfg.bridge.enable {
text = ''
${pkgs.ethtool}/bin/ethtool -K ${cfg.bridge.name} rx-udp-gro-forwarding on rx-gro-list off
'';
};
};
}
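Review bot: The IPv6 route at the end of the `40-${cfg.bridge.name}` network reads the IPv4 flag: `GatewayOnLink = mkIf cfg.ipv4.gatewayOnLink true;` should be `GatewayOnLink = mkIf cfg.ipv6.gatewayOnLink true;`, otherwise the `ipv6.gatewayOnLink` option declared above has no effect. `domain = mkIf (cfg ? domain) cfg.domain;` is always true because `domain` is a declared option with a default of `null`; the intended test is `domain = mkIf (cfg.domain != null) cfg.domain;`. `bridge.enable` gates only the ethtool activation script, while the bridge netdev and the enslaving network are created unconditionally, so setting it to false does not disable the bridge; either honour it in `netdevs`/`networks` or rename and document it as tuning UDP GRO forwarding on the bridge. None of the options carry a `description`, which module documentation would otherwise surface; one line each would be enough, starting with what `enable` does given that `useNetworkd` is set to false while `systemd.network.enable` is true.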


@ -15,6 +15,7 @@ let
mkMerge
mkOption
nameValuePair
optionalAttrs
;
inherit (lib.types) listOf path str;
inherit (builtins) concatMap;
@ -78,7 +79,9 @@ in
allFiles = takeAll "files" persists;
allDirectories = takeAll "directories" persists;
userPersists = mapAttrs (_: cfg: cfg.persist) config.home-manager.users;
userPersists = mapAttrs (_: cfg: cfg.persist) (
{ } // optionalAttrs (builtins.hasAttr "home-manager" config) config.home-manager.users
);
usersFlatten = mapAttrs (
name: cfg:
let
@ -97,9 +100,6 @@ in
) userPersists;
in
mkIf cfg.enable {
# Persist users uid by default
persist.state.directories = [ "/var/lib/nixos" ];
environment.persistence.${cfg.persistRoot} = {
hideMounts = true;
directories = allDirectories;
@ -143,5 +143,32 @@ in
};
}
];
fileSystems.${cfg.persistRoot}.neededForBoot = true;
# TODO: disable some dirs if using zfs
# Persist by default
persist.cache.directories = [
"/var/cache"
];
persist.state = {
directories =
[
"/var/lib/nixos"
"/var/lib/systemd"
]
++ lib.optionals config.services.mysql.enable [
config.services.mysql.dataDir
]
++ lib.optionals config.services.postgresql.enable [
"/var/lib/postgresql"
];
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
};
};
}
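Review bot: The default state directories persist `/var/lib/postgresql` as a literal while the mysql entry uses `config.services.mysql.dataDir`; `services.postgresql.dataDir` exists as well, and since the literal parent also covers version-suffixed data directories, whichever choice is intended deserves a comment, e.g. `# parent dir, so data of every postgresql major version survives`. `{ } // optionalAttrs (builtins.hasAttr "home-manager" config) config.home-manager.users` can drop the leading `{ } //`, because `optionalAttrs` already returns `{ }` when the condition is false. Persisting the SSH host keys under `persist.state.files` keeps the host identity stable across reboots, which is the right call for an impermanent root; it also means `cfg.persistRoot` now holds private keys, so its filesystem permissions and any backup of it need to treat it accordingly. The enclosing `mkIf cfg.enable { ... }` body starts outside the hunk.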


@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./hardened.nix
./minimal.nix
];
}


@ -0,0 +1,105 @@
{
config,
lib,
modulesPath,
...
}:
let
inherit (lib)
mkDefault
mkEnableOption
mkForce
mkIf
mkMerge
;
in
{
options.ataraxia.profiles.hardened = mkEnableOption "hardened profile";
imports = [
(modulesPath + "/profiles/hardened.nix")
];
config = mkMerge [
(mkIf (!config.ataraxia.profiles.hardened) {
profiles.hardened = false;
})
(mkIf config.ataraxia.profiles.hardened {
profiles.hardened = true;
boot.kernel.sysctl = {
"dev.tty.ldisc_autoload" = mkDefault false;
"fs.protected_fifos" = mkDefault "2";
"fs.protected_regular" = mkDefault "2";
"fs.suid_dumpable" = mkDefault false;
"kernel.printk" = mkForce "3 3 3 3";
"kernel.sysrq" = mkDefault false;
"kernel.yama.ptrace_scope" = mkDefault "2";
"net.ipv4.tcp_timestamps" = mkDefault false;
"syskernel.core_pattern" = mkDefault "|/bin/false";
"net.ipv4.tcp_congestion_control" = mkDefault "bbr";
"net.core.default_qdisc" = mkDefault "cake";
"net.ipv4.conf.all.accept_source_route" = mkDefault false;
"net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault true;
"net.ipv4.tcp_dsack" = mkDefault false;
"net.ipv4.tcp_fastopen" = mkDefault 3;
"net.ipv4.tcp_rfc1337" = mkDefault true;
"net.ipv4.tcp_sack" = mkDefault false;
"net.ipv4.tcp_syncookies" = mkDefault true;
"net.ipv6.conf.all.accept_ra" = mkDefault false;
"net.ipv6.conf.all.accept_source_route" = mkDefault false;
"net.ipv6.default.accept_ra" = mkDefault false;
};
boot.kernelParams = [
"lockdown=confidentiality"
"module.sig_enforce=1"
"oops=panic"
"loglevel=0"
"vsyscall=none"
];
boot.blacklistedKernelModules = [
# Obscure networking protocols
"af_802154"
"appletalk"
"atm"
"can"
"dccp"
"decnet"
"econet"
"ipx"
"n-hdlc"
"p8022"
"p8023"
"psnap"
"rds"
"sctp"
"tipc"
"x25"
# Various rare filesystems
"cifs"
"gfs2"
"hfsplus"
"jffs2"
"nfs"
"nfsv3"
"squashfs"
"udf"
"vivid"
# Disable Bluetooth
"bluetooth"
"btusb"
# Disable webcam
"uvcvideo"
# Disable Thunderbolt and FireWire to prevent DMA attacks
"firewire-core"
"thunderbolt"
];
# "always" may incurs significant performance cost
security.virtualisation.flushL1DataCache = "cond";
})
];
}
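Review bot: `"syskernel.core_pattern" = mkDefault "|/bin/false";` uses a sysctl key that does not exist, so the core-dump hardening is never applied (systemd-sysctl logs the failure and moves on) while the rest of the profile still evaluates cleanly; the key is `"kernel.core_pattern" = mkDefault "|/bin/false";`. It is also worth a comment on `boot.kernelParams` that `lockdown=confidentiality` together with `module.sig_enforce=1` rejects unsigned out-of-tree modules and is known to block hibernation, e.g. `# lockdown + sig_enforce: unsigned modules are refused and hibernation is unavailable`, since hosts enabling this profile will hit that first.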


@ -0,0 +1,57 @@
{
config,
lib,
...
}:
let
inherit (lib)
mkDefault
mkEnableOption
mkIf
;
in
{
options.ataraxia.profiles.minimal = mkEnableOption "minimal profile";
# Upstream nixpkgs doesn't support disabling profile
# imports = [
# (modulesPath + "/profiles/minimal.nix")
# ];
config = mkIf config.ataraxia.profiles.minimal {
# This pulls in nixos-containers which depends on Perl.
boot.enableContainers = mkDefault false;
documentation = {
enable = mkDefault false;
doc.enable = mkDefault false;
info.enable = mkDefault false;
man.enable = mkDefault false;
nixos.enable = mkDefault false;
};
environment = {
# Perl is a default package.
defaultPackages = mkDefault [ ];
stub-ld.enable = mkDefault false;
};
programs = {
# The lessopen package pulls in Perl.
less.lessopen = mkDefault null;
command-not-found.enable = mkDefault false;
};
services = {
logrotate.enable = mkDefault false;
udisks2.enable = mkDefault false;
};
xdg = {
autostart.enable = mkDefault false;
icons.enable = mkDefault false;
mime.enable = mkDefault false;
sounds.enable = mkDefault false;
};
};
}


@ -5,11 +5,17 @@
}:
let
inherit (lib)
mkDefault
mkIf
mkMerge
mkOption
recursiveUpdate
types
;
defaultUser = config.ataraxia.defaults.users.defaultUser;
fs = config.ataraxia.filesystems;
fsCompression = fs.zfs.enable || fs.btrfs.enable;
role = config.ataraxia.defaults.role;
in
{
@ -25,9 +31,51 @@ in
};
};
config = mkMerge [
(mkIf (role == "base") {
ataraxia.defaults.nix.enable = true;
})
];
config =
let
baseRole = {
ataraxia.defaults.locale.enable = mkDefault true;
ataraxia.defaults.lix.enable = mkDefault true;
ataraxia.defaults.nix.enable = mkDefault true;
ataraxia.defaults.ssh.enable = mkDefault true;
ataraxia.defaults.users.enable = mkDefault true;
persist.enable = mkDefault true;
# Do not compress journal logs if using native fs compression
services.journald.extraConfig = mkIf fsCompression (mkDefault "Compress=false");
boot.initrd.systemd.enable = mkDefault true;
services.userborn.enable = mkDefault true;
system.rebuild.enableNg = mkDefault true;
system.switch.enableNg = mkDefault true;
system.etc.overlay.enable = mkDefault true;
system.etc.overlay.mutable = mkDefault true;
zramSwap = {
enable = true;
algorithm = "zstd";
memoryPercent = 100;
};
};
serverRole = recursiveUpdate baseRole {
ataraxia.profiles.hardened = mkDefault true;
ataraxia.profiles.minimal = mkDefault true;
time.timeZone = "Etc/UTC";
};
desktopRole = recursiveUpdate baseRole {
services.getty.autologinUser = defaultUser;
location = {
provider = "manual";
latitude = 48;
longitude = 44;
};
};
in
mkMerge [
(mkIf (role == "base") baseRole)
(mkIf (role == "server") serverRole)
(mkIf (role == "desktop") desktopRole)
];
}
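Review bot: `time.timeZone = "Etc/UTC";` in serverRole, the three `zramSwap` values in baseRole and `services.getty.autologinUser` in desktopRole are set without `mkDefault`, unlike every other value in the roles, so a host that sets `time.timeZone` or `zramSwap.memoryPercent` itself gets a conflicting-definition error instead of overriding the role; wrap them the same way, e.g. `time.timeZone = mkDefault "Etc/UTC";`. Because `services.getty.autologinUser = defaultUser;` makes the physical console unauthenticated, a one-line comment stating the assumption behind it (single-user machine, disk encryption as the boundary) would help whoever enables role = "desktop" on a shared host.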


@ -0,0 +1,27 @@
{ config, lib, ... }:
let
inherit (lib) mkIf mkEnableOption mkOption;
inherit (lib.types) listOf int;
cfg = config.ataraxia.defaults.ssh;
in
{
options.ataraxia.defaults.ssh = {
enable = mkEnableOption "Root on zfs";
ports = mkOption {
type = listOf int;
default = [ 22 ];
description = "OpenSSH ports to listen";
};
};
config = mkIf cfg.enable {
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.PermitRootLogin = "no";
settings.X11Forwarding = false;
extraConfig = "StreamLocalBindUnlink yes";
ports = cfg.ports;
};
};
}
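Review bot: `settings.PasswordAuthentication = false;` alone does not disable password logins on NixOS, because `services.openssh.settings.KbdInteractiveAuthentication` defaults to true and sshd then still accepts passwords through PAM keyboard-interactive; add `settings.KbdInteractiveAuthentication = false;` next to it. `enable = mkEnableOption "Root on zfs";` is a copy-paste leftover that renders as "Whether to enable Root on zfs." in the option documentation; it should read `enable = mkEnableOption "sane OpenSSH defaults";`.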


@ -0,0 +1,108 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkIf mkEnableOption mkOption;
inherit (lib.types) str;
cfg = config.ataraxia.defaults.users;
in
{
options.ataraxia.defaults.users = {
enable = mkEnableOption "Setting up default users";
defaultUser = mkOption {
type = str;
default = "ataraxia";
description = "Name of the default user";
};
};
config = mkIf cfg.enable {
users.mutableUsers = false;
users.groups.limits = { };
users.users.${cfg.defaultUser} = {
description = "Main user of this host.";
isNormalUser = true;
extraGroups = [
"adbusers"
"audio"
"cdrom"
"corectrl"
"dialout"
"disk"
"docker"
"input"
"kvm"
"libvirtd"
"limits"
"lp"
"lxd"
"networkmanager"
"podman"
"qemu-libvirtd"
"render"
"scanner"
"smbuser"
"systemd-journal"
"video"
"wheel"
];
uid = 1000;
hashedPassword = "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
shell = pkgs.bashInteractive;
openssh.authorizedKeys.keys = [
"ssh-rsa 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 (none)"
"ssh-rsa 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 alukard@AMD-Workstation"
];
};
users.users.deploy = {
description = "The administrator account for deploy-rs.";
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = config.users.users.${cfg.defaultUser}.openssh.authorizedKeys.keys;
};
security.apparmor.enable = true;
security.pam.loginLimits = [
{
domain = "@limits";
item = "memlock";
type = "soft";
value = "unlimited";
}
{
domain = "@limits";
item = "memlock";
type = "hard";
value = "unlimited";
}
];
security.polkit.enable = true;
systemd.services."user@" = {
serviceConfig = {
Restart = "always";
};
};
# Disable sudo, use doas
users.allowNoPasswordLogin = true;
security.sudo.enable = lib.mkForce false;
security.doas = {
enable = true;
extraRules = [
{
users = [ cfg.defaultUser ];
keepEnv = true;
persist = true;
}
{
users = [ "deploy" ];
noPass = true;
keepEnv = true;
}
];
};
};
}
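Review bot: `hashedPassword` commits the default user's password hash to the repository, which hands anyone who can read the repo offline-cracking material for a wheel/doas account; since this series also adds sops, move it to `hashedPasswordFile = config.sops.secrets.<secret-name>.path;` and drop the literal from the module. The `deploy` account deserves a comment: it reuses the default user's authorized keys, is in `wheel`, and gets `noPass = true` in doas, so every key that can log in as the default user also gets password-less root through deploy regardless of the `persist = true` rule on the main user — `# NOTE: deploy shares defaultUser's keys and has noPass doas, so those keys are effectively passwordless root`. Several `extraGroups` entries (`disk`, `docker`, `kvm`, `libvirtd`, `lxd`) are root-equivalent on a host that runs those services; if the list is a desktop convenience, say so in a comment or gate those entries on the corresponding `services.*.enable`.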


@ -0,0 +1,4 @@
{ ... }:
{
imports = [ ./tailscale.nix ];
}


@ -0,0 +1,23 @@
{
config,
lib,
...
}:
let
inherit (lib) mkOption mkIf;
inherit (lib.types) bool;
cfg = config.ataraxia.vpn.tailscale;
in
{
options.ataraxia.vpn.tailscale = {
enable = mkOption {
type = bool;
default = config.services.tailscale.enable;
description = "Enable tailsacle";
};
};
config = mkIf cfg.enable {
persist.state.directories = [ "/var/lib/tailscale" ];
};
}
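Review bot: `description = "Enable tailsacle";` has a typo that ends up in the generated option documentation; it should be `description = "Enable tailscale";`. The default `config.services.tailscale.enable` ties this option to the service, which is sensible but not obvious from the description; `description = "Persist tailscale state; defaults to services.tailscale.enable";` says what the option actually does.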


@ -0,0 +1,12 @@
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index dc3bf597cd4b..70a7af42358a 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -84,7 +84,6 @@ in
"befs"
"cramfs"
"efs"
- "erofs"
"exofs"
"freevxfs"
"f2fs"