aboutsummaryrefslogtreecommitdiffstats
path: root/hosts/arrakis
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--hosts/arrakis/default.nix133
-rw-r--r--hosts/arrakis/hardware-configuration.nix29
-rw-r--r--hosts/arrakis/services.nix47
3 files changed, 118 insertions, 91 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index 80509cb..204f30c 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -3,9 +3,9 @@
initrd.kernelModules = [ "zfs" ];
kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
- "net.ipv4.conf.all.proxy_arp" = 1;
+ #"net.ipv4.conf.all.proxy_arp" = 1;
};
- kernelPackages = pkgs.linuxPackages_6_12;
+ kernelPackages = pkgs.master.linuxPackages_6_15;
loader = {
efi = {
canTouchEfiVariables = true;
@@ -20,7 +20,7 @@
timeout = 3;
};
supportedFilesystems = [ "zfs" ];
- #zfs.package = pkgs.master.zfs;
+ zfs.package = pkgs.master.zfs;
};
environment.etc."nftables-vpn.conf".text = ''
@@ -76,37 +76,38 @@
}
'';
- environment.systemPackages = with pkgs; [
- angband
- assaultcube
- master.bsdgames
- bzflag
- extremetuxracer
- #frozen-bubble
- hedgewars
- kobodeluxe
- lidarr
- mailutils
- megacmd
- moc
- nethack
- openttd
- pixcat
- prowlarr
- qbittorrent-nox
- radarr
- rdiff-backup
- readarr
- #scorched3d
- signal-desktop
- sonarr
- superTux
- superTuxKart
- umoria
- warzone2100
- wpa_supplicant
- xonotic-sdl
- master.xpilot-ng
+ environment.systemPackages = [
+ pkgs.angband
+ #pkgs.assaultcube
+ pkgs.bsdgames
+ pkgs.bzflag
+ pkgs.extremetuxracer
+ #pkgs.frozen-bubble
+ pkgs.hedgewars
+ pkgs.kobodeluxe
+ pkgs.lidarr
+ pkgs.mailutils
+ pkgs.megacmd
+ pkgs.moc
+ pkgs.nethack
+ #pkgs.openttd
+ pkgs.prowlarr
+ pkgs.qbittorrent-nox
+ pkgs.radarr
+ pkgs.rdiff-backup
+ pkgs.readarr
+ #pkgs.scorched3d
+ pkgs.signal-desktop
+ pkgs.sonarr
+ pkgs.superTux
+ pkgs.superTuxKart
+ pkgs.umoria
+ pkgs.vial
+ pkgs.warzone2100
+ #pkgs.wine9_22.wineWowPackages.stagingFull
+ pkgs.wpa_supplicant
+ pkgs.xonotic-sdl
+ #pkgs.xpilot-ng
];
imports = [
@@ -114,20 +115,21 @@
./hardware-configuration.nix
./services.nix
../common/core
- ../common/optional/adb.nix
- ../common/optional/db.nix
+ #../common/optional/adb.nix
+ #../common/optional/db.nix
../common/optional/dev.nix
- ../common/optional/ebooks.nix
+ #../common/optional/ebooks.nix
../common/optional/games.nix
../common/optional/google-authenticator.nix
../common/optional/misc.nix
../common/optional/multimedia.nix
- ../common/optional/pipewire.nix
- ../common/optional/sdr.nix
+ #../common/optional/pipewire.nix
+ #../common/optional/sdr.nix
../common/optional/services/chrony.nix
../common/optional/services/openssh.nix
- ../common/optional/services/xorg.nix
- ../common/optional/sound.nix
+ #../common/optional/services/xorg.nix
+ #../common/optional/sound.nix
+ ../common/optional/wdt.nix
../common/optional/zfs.nix
../common/users/nipsy
../common/users/root
@@ -136,13 +138,13 @@
networking = {
defaultGateway = {
address = "192.168.1.1";
- interface = "wlp5s0";
+ interface = "enp6s0";
};
domain = "bitgnome.net";
hostId = "2ae4c89f";
hostName = "arrakis";
interfaces = {
- wlp5s0 = {
+ enp6s0 = {
ipv4.addresses = [
{ address = "192.168.1.2"; prefixLength = 24; }
];
@@ -193,6 +195,11 @@
presharedKeyFile = "${config.sops.secrets."wireguard/timetrad_psk".path}";
publicKey = "/lWCEMGRIr3Gl/3GQYuweAKylhH5H2KqamiXeocYFVM=";
}
+ { # fangorn
+ allowedIPs = [ "10.4.20.9/32" ];
+ presharedKeyFile = "${config.sops.secrets."wireguard/fangorn_psk".path}";
+ publicKey = "G4oahOfaCR+ecXLGM2ilPYzqX6x8v/6z8VIo2vP2RC4=";
+ }
{ # ginaz
allowedIPs = [ "10.4.20.254/32" ];
presharedKeyFile = "${config.sops.secrets."wireguard/ginaz_psk".path}";
@@ -216,12 +223,6 @@
nixpkgs = {
config = {
allowUnfree = true;
- permittedInsecurePackages = [
- "aspnetcore-runtime-6.0.36"
- "aspnetcore-runtime-wrapped-6.0.36"
- "dotnet-sdk-6.0.428"
- "dotnet-sdk-wrapped-6.0.428"
- ];
};
hostPlatform = "x86_64-linux";
overlays = [
@@ -230,12 +231,10 @@
outputs.overlays.modifications
outputs.overlays.master-packages
outputs.overlays.stable-packages
+ #outputs.overlays.wine9_22-packages
];
};
- services.openssh.settings.X11Forwarding = true;
- services.xserver.videoDrivers = [ "nvidia" ];
-
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ../secrets/arrakis.yaml;
@@ -243,8 +242,10 @@
secrets = {
"nftables/ssh" = {};
"nix-access-token-github" = {};
+ "ssh_config".path = "/root/.ssh/config";
"wireguard/arrakis_key" = {};
"wireguard/black-sheep_psk" = {};
+ "wireguard/fangorn_psk" = {};
"wireguard/ginaz_psk" = {};
"wireguard/homer_psk" = {};
"wireguard/lilnasx_psk" = {};
@@ -287,26 +288,26 @@
after = [ "zfs-import-data.service" ];
description = "Bind NFS exports to ZFS paths";
script = ''
- ${pkgs.util-linux}/bin/mount /srv/nfs/keepers
- ${pkgs.util-linux}/bin/mount /srv/nfs/movies
- ${pkgs.util-linux}/bin/mount /srv/nfs/tv
+ ${pkgs.util-linux}/bin/mount --onlyonce /srv/nfs/keepers || ${pkgs.coreutils}/bin/true
+ ${pkgs.util-linux}/bin/mount --onlyonce /srv/nfs/movies || ${pkgs.coreutils}/bin/true
+ ${pkgs.util-linux}/bin/mount --onlyonce /srv/nfs/tv || ${pkgs.coreutils}/bin/true
'';
wantedBy = [ "local-fs.target" ];
};
"nftables-extra" = let rules_script = ''
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { http, https } counter accept # 80, 443'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport 2049 counter accept'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 5121 counter accept # Neverwinter Nights Server'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport { http, https } counter accept # 80, 443'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport 2049 counter accept'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport 5121 counter accept # Neverwinter Nights Server'
${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "veth.host" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 15637 counter accept # Enshrouded'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 51820 counter accept # WireGuard'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport 15637 counter accept # Enshrouded'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport 51820 counter accept # WireGuard'
${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
''; in {
description = "nftables extra firewall rules";
diff --git a/hosts/arrakis/hardware-configuration.nix b/hosts/arrakis/hardware-configuration.nix
index 3c508e5..c7a6652 100644
--- a/hosts/arrakis/hardware-configuration.nix
+++ b/hosts/arrakis/hardware-configuration.nix
@@ -50,16 +50,35 @@
hardware = {
bluetooth.enable = true;
+
graphics = {
enable = true;
- extraPackages = with pkgs; [ nvidia-vaapi-driver ];
- extraPackages32 = with pkgs.pkgsi686Linux; [ nvidia-vaapi-driver ];
+ extraPackages = [ pkgs.nvidia-vaapi-driver ];
+ extraPackages32 = [ pkgs.pkgsi686Linux.nvidia-vaapi-driver ];
};
- nvidia = {
+
+ nvidia = let
+ betaPkg = config.boot.kernelPackages.nvidiaPackages.beta;
+ pkgAfterFbc = if builtins.hasAttr betaPkg.version pkgs.nvidia-patch-list.fbc then pkgs.nvidia-patch.patch-fbc betaPkg else betaPkg;
+ finalPkg = if builtins.hasAttr betaPkg.version pkgs.nvidia-patch-list.nvenc then pkgs.nvidia-patch.patch-nvenc pkgAfterFbc else pkgAfterFbc;
+ in {
modesetting.enable = true;
open = true;
- package = pkgs.nvidia-patch.patch-nvenc (pkgs.nvidia-patch.patch-fbc config.boot.kernelPackages.nvidiaPackages.beta);
- #package = config.boot.kernelPackages.nvidiaPackages.beta;
+ package = if finalPkg == betaPkg then betaPkg else finalPkg;
+ };
+
+ printers = let
+ brother = "Brother_HL-L2340D";
+ ip = "192.168.1.20";
+ in {
+ ensureDefaultPrinter = brother;
+ ensurePrinters = [{
+ name = brother;
+ deviceUri = "ipp://${ip}/ipp";
+ model = "everywhere";
+ description = lib.replaceStrings [ "_" ] [ " " ] brother;
+ location = "home";
+ }];
};
};
}
diff --git a/hosts/arrakis/services.nix b/hosts/arrakis/services.nix
index b026cc1..3b62e18 100644
--- a/hosts/arrakis/services.nix
+++ b/hosts/arrakis/services.nix
@@ -19,12 +19,6 @@
services = {
- avahi = {
- enable = true;
- nssmdns4 = true;
- openFirewall = true;
- };
-
cgit = {
"arrakis.bitgnome.net" = {
enable = true;
@@ -58,13 +52,13 @@
cron.enable = true;
- #dictd.enable = true;
+ dictd.enable = true;
iperf3.openFirewall = true;
jellyfin = {
enable = true;
- package = pkgs.master.jellyfin;
+ #package = pkgs.master.jellyfin;
};
nfs = {
@@ -97,9 +91,10 @@
];
config = {
- environment.systemPackages = with pkgs; [
- git
- rsync
+ environment.systemPackages = [
+ pkgs.git
+ pkgs.iperf
+ pkgs.rsync
];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
@@ -109,8 +104,8 @@
openFirewall = true;
settings = {
- PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
+ PasswordAuthentication = false;
};
};
@@ -229,7 +224,15 @@
};
};
+ openssh.settings = {
+ StreamLocalBindUnlink = true;
+ };
+
postfix = let my_email = "nipsy@bitgnome.net"; in {
+ config.smtpd_tls_chain_files = [
+ "/var/lib/acme/arrakis.bitgnome.net/key.pem"
+ "/var/lib/acme/arrakis.bitgnome.net/fullchain.pem"
+ ];
enable = true;
extraAliases = ''
nipsy: ${my_email}
@@ -238,8 +241,6 @@
relayHost = "mail.bitgnome.net";
relayPort = 587;
rootAlias = my_email;
- sslCert = "/var/lib/acme/arrakis.bitgnome.net/fullchain.pem";
- sslKey = "/var/lib/acme/arrakis.bitgnome.net/key.pem";
};
printing.enable = true;
@@ -291,16 +292,16 @@
device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800014";
options = "-a -o on -S on -m ${my_email_addr}";
}
- #{
- # device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUEZNL";
- # options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- #}
{
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUUSXL";
+ device = "/dev/disk/by-id/ata-WDC_WUH722020ALE604_2LG5X74K";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WUH722020ALE604_2LGHJAUF";
options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
}
{
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV0H5L";
+ device = "/dev/disk/by-id/ata-WDC_WUH722020ALE604_2LG26NHF";
options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
}
{
@@ -326,6 +327,12 @@
];
};
+ udev.packages = [
+ pkgs.vial
+ ];
+
+ xserver.videoDrivers = [ "nvidia" ];
+
};
#systemd.services.nginx.serviceConfig.ProtectHome = lib.mkForce false;
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-03 18:59:36 +0000