Diffstat (limited to '')
-rw-r--r--hosts/arrakis/default.nix150
-rw-r--r--hosts/arrakis/hardware-configuration.nix33
-rw-r--r--hosts/arrakis/services.nix72
3 files changed, 142 insertions, 113 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index d4cb7f3..93f399b 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -2,10 +2,12 @@
boot = {
initrd.kernelModules = [ "zfs" ];
kernel.sysctl = {
+ "kernel.hostname" = "arrakis.bitgnome.net";
"net.ipv4.ip_forward" = 1;
- "net.ipv4.conf.all.proxy_arp" = 1;
+ "net.netfilter.nf_log_all_netns" = 1;
+ #"net.ipv4.conf.all.proxy_arp" = 1;
};
- kernelPackages = pkgs.linuxPackages_6_12;
+ kernelPackages = pkgs.linuxPackages_6_17;
loader = {
efi = {
canTouchEfiVariables = true;
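Review bot: The added `"kernel.hostname" = "arrakis.bitgnome.net";` sysctl sets the kernel hostname a second time, and to a different value than `networking.hostName = "arrakis"` further down in this file; which value the running system ends up with depends on whether systemd-sysctl runs before or after the hostname is applied at boot, so it may not be stable across reboots. If the goal is an FQDN hostname, consider keeping `networking.domain` (removed later in this commit) so `config.networking.fqdn` stays usable, or add a comment explaining why the sysctl is needed in addition. This hunk also starts a pattern of keeping disabled settings as comments (`#"net.ipv4.conf.all.proxy_arp" = 1;` here, and again in the package list, the import list and the overlay list later in this file); the history already has them, so deleting them keeps the configuration easier to audit. The enclosing `boot` block closes outside this hunk.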
@@ -20,93 +22,79 @@
timeout = 3;
};
supportedFilesystems = [ "zfs" ];
- #zfs.package = pkgs.master.zfs;
+ zfs.package = pkgs.zfs_unstable;
};
environment.etc."nftables-vpn.conf".text = ''
# VPN firewall
-
+
flush ruleset
-
+
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
-
+
# established/related connections
ct state established,related accept
-
+
# invalid connections
ct state invalid drop
-
+
# loopback interface
iif lo accept
-
+
# ICMP (routers may also want: mld-listener-query, nd-router-solicit)
#ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, packet-too-big, parameter-problem, time-exceeded } accept
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, parameter-problem, router-advertisement, source-quench, time-exceeded } accept
-
+
# services
iif veth.vpn tcp dport 8080 accept # qBittorrent
iif veth.vpn tcp dport 9696 accept # Prowlarr
iifname wg1 tcp dport { 49152-65535 } accept # Transmission
+
+ # drop everything else
+ counter drop
}
chain output {
type filter hook output priority filter; policy drop;
-
+
# explicitly allow my DNS traffic without VPN
skuid nipsy ip daddr 192.168.1.1 tcp dport domain accept
skuid nipsy ip daddr 192.168.1.1 udp dport domain accept
-
+
# explicitly allow my traffic without VPN
oifname veth.vpn skuid nipsy tcp sport 8080 accept # qBittorrent
oifname veth.vpn skuid nipsy tcp sport 9696 accept # Prowlarr
oifname veth.vpn skuid nipsy ip daddr 192.168.1.2 tcp dport { 7878, 8686, 8787, 8989 } accept # Prowlarr to { Radarr, Lidarr, Readarr, Sonarr }
-
+ oif lo skuid nipsy ip daddr 192.168.1.3 tcp dport 8080 accept # Prowlarr to qBittorrent
+
# allow any traffic out through VPN
oifname wg1 accept
-
+
# drop everything else
counter drop
}
-
+
chain forward {
type filter hook forward priority filter; policy drop;
}
}
'';
- environment.systemPackages = with pkgs; [
- angband
- assaultcube
- bsdgames
- bzflag
- extremetuxracer
- #frozen-bubble
- hedgewars
- kobodeluxe
- lidarr
- mailutils
- megacmd
- moc
- nethack
- openttd
- pixcat
- prowlarr
- qbittorrent-nox
- radarr
- rdiff-backup
- readarr
- #scorched3d
- signal-desktop
- sonarr
- superTux
- superTuxKart
- umoria
- warzone2100
- wpa_supplicant
- xonotic-sdl
- xpilot-ng
+ environment.systemPackages = [
+ pkgs.bitcoind
+ #pkgs.igir
+ pkgs.lidarr
+ pkgs.mailutils
+ pkgs.megacmd
+ pkgs.prowlarr
+ pkgs.qbittorrent-nox
+ pkgs.radarr
+ pkgs.rdiff-backup
+ pkgs.readarr
+ pkgs.sonarr
+ pkgs.wpa_supplicant
];
imports = [
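Review bot: The new rule `oif lo skuid nipsy ip daddr 192.168.1.3 tcp dport 8080 accept # Prowlarr to qBittorrent` names an address that appears nowhere else in this hunk while the host itself is configured as 192.168.1.2, so a reader cannot tell whether 192.168.1.3 is a second address of this host or belongs to the VPN namespace; the comment should say which, e.g. `# Prowlarr to qBittorrent on the 192.168.1.3 address reachable via lo — TODO confirm where it lives`. The added `counter drop` at the end of the input chain is redundant with that chain's `policy drop`; it is harmless and gives a counter, but a comment such as `# counted for visibility only; the chain policy already drops` makes the intent clear. Since the file begins with `flush ruleset`, it is presumably only ever loaded inside the VPN network namespace; a one-line comment at the top stating that would keep someone from applying it on the host by mistake. The enclosing `boot` block starts outside this hunk.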
@@ -114,20 +102,21 @@
./hardware-configuration.nix
./services.nix
../common/core
- ../common/optional/adb.nix
- ../common/optional/db.nix
+ #../common/optional/adb.nix
+ #../common/optional/db.nix
../common/optional/dev.nix
- ../common/optional/ebooks.nix
+ #../common/optional/ebooks.nix
../common/optional/games.nix
../common/optional/google-authenticator.nix
../common/optional/misc.nix
../common/optional/multimedia.nix
- ../common/optional/pipewire.nix
- ../common/optional/sdr.nix
+ #../common/optional/pipewire.nix
+ #../common/optional/sdr.nix
../common/optional/services/chrony.nix
../common/optional/services/openssh.nix
- ../common/optional/services/xorg.nix
- ../common/optional/sound.nix
+ #../common/optional/services/xorg.nix
+ #../common/optional/sound.nix
+ ../common/optional/wdt.nix
../common/optional/zfs.nix
../common/users/nipsy
../common/users/root
@@ -136,13 +125,12 @@
networking = {
defaultGateway = {
address = "192.168.1.1";
- interface = "wlp5s0";
+ interface = "enp6s0";
};
- domain = "bitgnome.net";
hostId = "2ae4c89f";
hostName = "arrakis";
interfaces = {
- wlp5s0 = {
+ enp6s0 = {
ipv4.addresses = [
{ address = "192.168.1.2"; prefixLength = 24; }
];
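Review bot: Removing `domain = "bitgnome.net";` unsets `config.networking.domain` and `config.networking.fqdn`, and the postfix block in services.nix in this same commit had to switch from `${config.networking.domain}` to a hard-coded `"arrakis.bitgnome.net"` to compensate; anything else still reading those options would now evaluate to null, though nothing visible here does. If the intent was only to change the resolver search path, the `search = [ "bitgnome.net" ]` added in the next hunk already does that and `domain` could stay; otherwise a comment explaining why the domain now lives only in the `kernel.hostname` sysctl would help the next reader. The `networking` block closes outside this hunk.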
@@ -150,6 +138,9 @@
};
nameservers = [ "192.168.1.1" ];
nftables.enable = true;
+ search = [
+ "bitgnome.net"
+ ];
useDHCP = false;
wg-quick.interfaces = {
wg0 = {
@@ -193,6 +184,11 @@
presharedKeyFile = "${config.sops.secrets."wireguard/timetrad_psk".path}";
publicKey = "/lWCEMGRIr3Gl/3GQYuweAKylhH5H2KqamiXeocYFVM=";
}
+ { # fangorn
+ allowedIPs = [ "10.4.20.9/32" ];
+ presharedKeyFile = "${config.sops.secrets."wireguard/fangorn_psk".path}";
+ publicKey = "G4oahOfaCR+ecXLGM2ilPYzqX6x8v/6z8VIo2vP2RC4=";
+ }
{ # ginaz
allowedIPs = [ "10.4.20.254/32" ];
presharedKeyFile = "${config.sops.secrets."wireguard/ginaz_psk".path}";
@@ -216,12 +212,6 @@
nixpkgs = {
config = {
allowUnfree = true;
- permittedInsecurePackages = [
- "aspnetcore-runtime-6.0.36"
- "aspnetcore-runtime-wrapped-6.0.36"
- "dotnet-sdk-6.0.428"
- "dotnet-sdk-wrapped-6.0.428"
- ];
};
hostPlatform = "x86_64-linux";
overlays = [
@@ -230,12 +220,10 @@
outputs.overlays.modifications
outputs.overlays.master-packages
outputs.overlays.stable-packages
+ #outputs.overlays.wine9_22-packages
];
};
- services.openssh.settings.X11Forwarding = true;
- services.xserver.videoDrivers = [ "nvidia" ];
-
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ../secrets/arrakis.yaml;
@@ -243,8 +231,10 @@
secrets = {
"nftables/ssh" = {};
"nix-access-token-github" = {};
+ "ssh_config".path = "/root/.ssh/config";
"wireguard/arrakis_key" = {};
"wireguard/black-sheep_psk" = {};
+ "wireguard/fangorn_psk" = {};
"wireguard/ginaz_psk" = {};
"wireguard/homer_psk" = {};
"wireguard/lilnasx_psk" = {};
@@ -287,26 +277,28 @@
after = [ "zfs-import-data.service" ];
description = "Bind NFS exports to ZFS paths";
script = ''
- ${pkgs.util-linux}/bin/mount /srv/nfs/keepers
- ${pkgs.util-linux}/bin/mount /srv/nfs/movies
- ${pkgs.util-linux}/bin/mount /srv/nfs/tv
+ ${pkgs.util-linux}/bin/mount --onlyonce /srv/caladan/downloads || ${pkgs.coreutils}/bin/true
+ ${pkgs.util-linux}/bin/mount --onlyonce /srv/caladan/www || ${pkgs.coreutils}/bin/true
+ ${pkgs.util-linux}/bin/mount --onlyonce /srv/nfs/keepers || ${pkgs.coreutils}/bin/true
+ ${pkgs.util-linux}/bin/mount --onlyonce /srv/nfs/movies || ${pkgs.coreutils}/bin/true
+ ${pkgs.util-linux}/bin/mount --onlyonce /srv/nfs/tv || ${pkgs.coreutils}/bin/true
'';
wantedBy = [ "local-fs.target" ];
};
"nftables-extra" = let rules_script = ''
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { http, https } counter accept # 80, 443'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport 2049 counter accept'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 5121 counter accept # Neverwinter Nights Server'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport { http, https } counter accept # 80, 443'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport 2049 counter accept'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport 5121 counter accept # Neverwinter Nights Server'
${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "veth.host" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 15637 counter accept # Enshrouded'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
- ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 51820 counter accept # WireGuard'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport 15637 counter accept # Enshrouded'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport 51820 counter accept # WireGuard'
${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
''; in {
description = "nftables extra firewall rules";
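Review bot: Appending `|| ${pkgs.coreutils}/bin/true` to every mount line makes the unit succeed no matter what, so a bind mount that fails (typo in the fstab entry, dataset not yet imported) goes unnoticed while the NFS server in services.nix exports `/srv/caladan/downloads` and `/srv/caladan/www` read-write — the two new fileSystems entries are `noauto`, so in that case whatever empty directory sits at the mount point would be exported instead. If the `|| true` is only there to make the script idempotent when the mounts already exist, test for that explicitly and let real failures fail the unit: `for m in /srv/caladan/downloads /srv/caladan/www /srv/nfs/keepers /srv/nfs/movies /srv/nfs/tv; do`, `  ${pkgs.util-linux}/bin/mountpoint -q "$m" || ${pkgs.util-linux}/bin/mount "$m"`, `done`. Separately, the nftables-extra rules now key on `iifname "enp6s0"`, but the rules loaded from the `nftables/ssh` secret on the last line of the script are not visible here; if that file also matches on `wlp5s0`, the SSH allow rule will silently stop matching after this rename. The enclosing `systemd.services` block starts and ends outside this hunk.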
diff --git a/hosts/arrakis/hardware-configuration.nix b/hosts/arrakis/hardware-configuration.nix
index 3c508e5..0d24c12 100644
--- a/hosts/arrakis/hardware-configuration.nix
+++ b/hosts/arrakis/hardware-configuration.nix
@@ -21,6 +21,24 @@
MOZ_DISABLE_RDD_SANDBOX = "1";
};
+ fileSystems."/srv/caladan/downloads" = {
+ device = "/data/home/nipsy/downloads";
+ fsType = "none";
+ options = [
+ "bind"
+ "noauto"
+ ];
+ };
+
+ fileSystems."/srv/caladan/www" = {
+ device = "/data/home/nipsy/www";
+ fsType = "none";
+ options = [
+ "bind"
+ "noauto"
+ ];
+ };
+
fileSystems."/srv/nfs/keepers" = {
device = "/data/home/nipsy/downloads/keepers";
fsType = "none";
@@ -50,16 +68,21 @@
hardware = {
bluetooth.enable = true;
+
graphics = {
enable = true;
- extraPackages = with pkgs; [ nvidia-vaapi-driver ];
- extraPackages32 = with pkgs.pkgsi686Linux; [ nvidia-vaapi-driver ];
+ extraPackages = [ pkgs.nvidia-vaapi-driver ];
+ extraPackages32 = [ pkgs.pkgsi686Linux.nvidia-vaapi-driver ];
};
- nvidia = {
+
+ nvidia = let
+ betaPkg = config.boot.kernelPackages.nvidiaPackages.beta;
+ pkgAfterFbc = if builtins.hasAttr betaPkg.version pkgs.nvidia-patch-list.fbc then pkgs.nvidia-patch.patch-fbc betaPkg else betaPkg;
+ finalPkg = if builtins.hasAttr betaPkg.version pkgs.nvidia-patch-list.nvenc then pkgs.nvidia-patch.patch-nvenc pkgAfterFbc else pkgAfterFbc;
+ in {
modesetting.enable = true;
open = true;
- package = pkgs.nvidia-patch.patch-nvenc (pkgs.nvidia-patch.patch-fbc config.boot.kernelPackages.nvidiaPackages.beta);
- #package = config.boot.kernelPackages.nvidiaPackages.beta;
+ package = if finalPkg == betaPkg then betaPkg else finalPkg;
};
};
}
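Review bot: `package = if finalPkg == betaPkg then betaPkg else finalPkg;` is a tautology — both branches yield the same derivation — so it can simply be `package = finalPkg;`. The `let` block already handles the unpatched case by falling through to `betaPkg` whenever the driver version is absent from `pkgs.nvidia-patch-list.fbc` or `.nvenc`, which is what the removed commented-out line used to stand for; a comment above the `let`, e.g. `# Apply the fbc/nvenc patches only when a patch exists for this beta driver version; otherwise fall back to the stock driver`, would record that decision.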
diff --git a/hosts/arrakis/services.nix b/hosts/arrakis/services.nix
index ceb60c4..57542d9 100644
--- a/hosts/arrakis/services.nix
+++ b/hosts/arrakis/services.nix
@@ -5,7 +5,7 @@
directory = *
'';
- networking.firewall.allowedTCPPorts = [ 2049 ];
+ networking.firewall.allowedTCPPorts = [ 2049 8333 ];
security.acme = {
acceptTerms = true;
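Review bot: `networking.firewall.allowedTCPPorts = [ 2049 8333 ];` opens 8333 on every interface, WireGuard tunnels included (as 2049 already was), whereas the per-service rules in default.nix's nftables-extra unit are scoped to `iifname "enp6s0"`; if 8333 — presumably for the `pkgs.bitcoind` added in default.nix — should only be reachable from the LAN side, `networking.firewall.interfaces.enp6s0.allowedTCPPorts = [ 2049 8333 ];` keeps the policy consistent with those rules. No `services.bitcoind` definition appears in this commit, so a comment stating what listens on 8333 and how it is started would help the next reader.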
@@ -19,12 +19,6 @@
services = {
- avahi = {
- enable = true;
- nssmdns4 = true;
- openFirewall = true;
- };
-
cgit = {
"arrakis.bitgnome.net" = {
enable = true;
@@ -58,7 +52,7 @@
cron.enable = true;
- #dictd.enable = true;
+ dictd.enable = true;
iperf3.openFirewall = true;
@@ -71,7 +65,11 @@
server = {
enable = true;
exports = ''
- /srv/nfs 192.168.1.0/24(ro,all_squash,insecure,crossmnt,subtree_check,fsid=0)
+ /srv/caladan/downloads 192.168.1.4/32(rw,root_squash,fsid=1)
+ /srv/caladan/www 192.168.1.4/32(rw,root_squash,fsid=2)
+ /srv/nfs/keepers 192.168.1.0/24(ro,all_squash,insecure,fsid=3)
+ /srv/nfs/movies 192.168.1.0/24(ro,all_squash,insecure,fsid=4)
+ /srv/nfs/tv 192.168.1.0/24(ro,all_squash,insecure,fsid=5)
'';
};
settings = {
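Review bot: None of the five new export lines specifies `subtree_check` or `no_subtree_check`, so exportfs will warn for each of them and fall back to `no_subtree_check`; the replaced line had `subtree_check` explicitly, so if the default is what is wanted, spell out `no_subtree_check` in each option list. The two read-write exports to 192.168.1.4/32 use `root_squash` only, meaning non-root UIDs from that client are applied directly to subdirectories of nipsy's home; that is fine if UIDs match on both hosts, but worth a comment such as `# rw for 192.168.1.4 only; relies on matching UIDs, no idmap`. Dropping `fsid=0` and `crossmnt` also changes the NFSv4 pseudo-root, so clients that mounted `server:/` will need the full path now — presumably intended, since the bind mounts are exported individually. The enclosing `nfs` block starts and ends outside this hunk.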
@@ -97,9 +95,10 @@
];
config = {
- environment.systemPackages = with pkgs; [
- git
- rsync
+ environment.systemPackages = [
+ pkgs.git
+ pkgs.iperf
+ pkgs.rsync
];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
@@ -109,8 +108,8 @@
openFirewall = true;
settings = {
- PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
+ PasswordAuthentication = false;
};
};
@@ -229,17 +228,26 @@
};
};
+ openssh.settings = {
+ StreamLocalBindUnlink = true;
+ };
+
postfix = let my_email = "nipsy@bitgnome.net"; in {
enable = true;
extraAliases = ''
nipsy: ${my_email}
'';
- hostname = "${config.networking.hostName}.${config.networking.domain}";
- relayHost = "mail.bitgnome.net";
- relayPort = 587;
rootAlias = my_email;
- sslCert = "/var/lib/acme/arrakis.bitgnome.net/fullchain.pem";
- sslKey = "/var/lib/acme/arrakis.bitgnome.net/key.pem";
+ settings.main = {
+ myhostname = "arrakis.bitgnome.net";
+ relayhost = [
+ "[mail.bitgnome.net]:587"
+ ];
+ smtpd_tls_chain_files = [
+ "/var/lib/acme/arrakis.bitgnome.net/key.pem"
+ "/var/lib/acme/arrakis.bitgnome.net/fullchain.pem"
+ ];
+ };
};
printing.enable = true;
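Review bot: Replacing `sslCert`/`sslKey` with `smtpd_tls_chain_files` only covers the incoming (smtpd) side; as far as I recall the NixOS postfix module also used those options to set `smtp_tls_security_level = "may"`, so unless it is set elsewhere, mail to `[mail.bitgnome.net]:587` may now be sent without STARTTLS, postfix's default for `smtp_tls_security_level` being `none`. Add `smtp_tls_security_level = "encrypt";` (or at least `"may"`) to `settings.main`, and check that any SASL settings the relay requires on 587 survived the migration from `relayHost`/`relayPort`. The added `openssh.settings.StreamLocalBindUnlink = true;` would benefit from a comment naming the Unix-socket forwarding it exists for, e.g. `# let remote socket forwarding replace a stale socket file — TODO note the consumer`. The enclosing `services` block starts and ends outside this hunk.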
@@ -291,41 +299,47 @@
device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800014";
options = "-a -o on -S on -m ${my_email_addr}";
}
- #{
- # device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUEZNL";
- # options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- #}
{
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUUSXL";
+ device = "/dev/disk/by-id/ata-WDC_WUH722020ALE604_2LG5X74K";
options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
}
{
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV0H5L";
+ device = "/dev/disk/by-id/ata-WDC_WUH722020ALE604_2LGHJAUF";
options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
}
{
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUK5EL";
+ device = "/dev/disk/by-id/ata-WDC_WUH722020ALE604_2LG26NHF";
options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
}
{
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV5JEL";
+ device = "/dev/disk/by-id/ata-WDC_WUH722020BLE6L4_8LKLLAAE";
options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
}
{
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUZ42L";
+ device = "/dev/disk/by-id/ata-WDC_WUH722020BLE6L4_8LK84H9V";
options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
}
{
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV3BSL";
+ device = "/dev/disk/by-id/ata-WDC_WUH722020BLE6L4_2LGKG71F";
options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
}
{
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV338L";
+ device = "/dev/disk/by-id/ata-WDC_WUH722020BLE6L4_9AG00UKJ";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WUH722020BLE6L4_8LG806ZA";
options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
}
];
};
+ udev.packages = [
+ pkgs.vial
+ ];
+
+ xserver.videoDrivers = [ "nvidia" ];
+
};
#systemd.services.nginx.serviceConfig.ProtectHome = lib.mkForce false;