3 files changed, 162 insertions, 148 deletions

diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index 976cfe9..dd2cf84 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -2,10 +2,12 @@
   boot = {
     initrd.kernelModules = [ "zfs" ];
     kernel.sysctl = {
+      "kernel.hostname" = "arrakis.bitgnome.net";
       "net.ipv4.ip_forward" = 1;
-      "net.ipv4.conf.all.proxy_arp" = 1;
+      "net.netfilter.nf_log_all_netns" = 1;
+      #"net.ipv4.conf.all.proxy_arp" = 1;
     };
-    kernelPackages = pkgs.linuxPackages_6_12;
+    kernelPackages = pkgs.linuxPackages_6_18;
     loader = {
       efi = {
         canTouchEfiVariables = true;
@@ -16,98 +18,91 @@
         extraInstallCommands = ''
           ${pkgs.rsync}/bin/rsync -av --delete /efiboot/efi1/ /efiboot/efi2
         '';
+        memtest86.enable = true;
       };
       timeout = 3;
     };
     supportedFilesystems = [ "zfs" ];
-    zfs.package = pkgs.master.zfs;
+    zfs.package = pkgs.zfs_unstable;
   };
 
-  environment.etc."nftables-vpn.conf".text = ''
-    # VPN firewall
-    
-    flush ruleset
-    
-    table inet filter {
-    	chain input {
-    		type filter hook input priority filter; policy drop;
-    
-    		# established/related connections
-    		ct state established,related accept
-    
-    		# invalid connections
-    		ct state invalid drop
-    
-    		# loopback interface
-    		iif lo accept
-    
-    		# ICMP (routers may also want: mld-listener-query, nd-router-solicit)
-    		#ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, packet-too-big, parameter-problem, time-exceeded } accept
-    		ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, parameter-problem, router-advertisement, source-quench, time-exceeded } accept
-    
-    		# services
-    		iif veth.vpn tcp dport 8080 accept # qBittorrent
-    		iif veth.vpn tcp dport 9696 accept # Prowlarr
-    		iifname wg1 tcp dport { 49152-65535 } accept # Transmission
-    	}
-    
-    	chain output {
-    		type filter hook output priority filter; policy drop;
-    
-    		# explicitly allow my DNS traffic without VPN
-    		skuid nipsy ip daddr 192.168.1.1 tcp dport domain accept
-    		skuid nipsy ip daddr 192.168.1.1 udp dport domain accept
-    
-    		# explicitly allow my traffic without VPN
-    		oifname veth.vpn skuid nipsy tcp sport 8080 accept # qBittorrent
-    		oifname veth.vpn skuid nipsy tcp sport 9696 accept # Prowlarr
-    		oifname veth.vpn skuid nipsy ip daddr 192.168.1.2 tcp dport { 7878, 8686, 8787, 8989 } accept # Prowlarr to { Radarr, Lidarr, Readarr, Sonarr }
-    
-    		# allow any traffic out through VPN
-    		oifname wg1 accept
-    
-    		# drop everything else
-    		counter drop
-    	}
-    
-    	chain forward {
-    		type filter hook forward priority filter; policy drop;
-    	}
-    }
-  '';
+  environment.etc = {
+    "netns/vpn/resolv.conf".text = ''
+      nameserver 10.64.0.1
+      options edns0
+    '';
+
+    "nftables-vpn.conf".text = ''
+      # VPN firewall
+  
+      flush ruleset
+  
+      table inet filter {
+      	chain input {
+      		type filter hook input priority filter; policy drop;
+  
+      		# established/related connections
+      		ct state established,related accept
+  
+      		# invalid connections
+      		ct state invalid drop
+  
+      		# loopback interface
+      		iif lo accept
+  
+      		# ICMP (routers may also want: mld-listener-query, nd-router-solicit)
+      		#ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, packet-too-big, parameter-problem, time-exceeded } accept
+      		ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, parameter-problem, router-advertisement, source-quench, time-exceeded } accept
+   
+      		# services
+      		iif veth.vpn tcp dport 8080 accept # qBittorrent
+      		iif veth.vpn tcp dport 9696 accept # Prowlarr
+      		iifname wg1 tcp dport { 49152-65535 } accept # Transmission
+  
+      		# drop everything else
+      		counter drop
+      	}
+      
+      	chain output {
+      		type filter hook output priority filter; policy drop;
+  
+      		# explicitly allow my DNS traffic without VPN
+      		skuid nipsy ip daddr 192.168.1.1 tcp dport domain accept
+      		skuid nipsy ip daddr 192.168.1.1 udp dport domain accept
+  
+      		# explicitly allow my traffic without VPN
+      		oifname veth.vpn skuid nipsy tcp sport 8080 accept # qBittorrent
+      		oifname veth.vpn skuid nipsy tcp sport 9696 accept # Prowlarr
+      		oifname veth.vpn skuid nipsy ip daddr 192.168.1.2 tcp dport { 7878, 8686, 8787, 8989 } accept # Prowlarr to { Radarr, Lidarr, Readarr, Sonarr }
+      		oif lo skuid nipsy ip daddr 192.168.1.3 tcp dport 8080 accept # Prowlarr to qBittorrent
+  
+      		# allow any traffic out through VPN
+      		oifname wg1 accept
+  
+      		# drop everything else
+      		counter drop
+      	}
+  
+      	chain forward {
+      		type filter hook forward priority filter; policy drop;
+      	}
+      }
+    '';
+  };
 
-  environment.systemPackages = with pkgs; [
-    angband
-    #assaultcube
-    bsdgames
-    bzflag
-    extremetuxracer
-    #frozen-bubble
-    hedgewars
-    kobodeluxe
-    lidarr
-    mailutils
-    megacmd
-    moc
-    nethack
-    #openttd
-    prowlarr
-    qbittorrent-nox
-    radarr
-    rdiff-backup
-    readarr
-    #scorched3d
-    signal-desktop
-    sonarr
-    superTux
-    superTuxKart
-    umoria
-    vial
-    warzone2100
-    #wine9_22.wineWowPackages.stagingFull
-    wpa_supplicant
-    xonotic-sdl
-    #xpilot-ng
+  environment.systemPackages = [
+    pkgs.bitcoind
+    #pkgs.igir
+    pkgs.lidarr
+    pkgs.mailutils
+    pkgs.megacmd
+    pkgs.prowlarr
+    pkgs.qbittorrent-nox
+    pkgs.radarr
+    pkgs.rdiff-backup
+    pkgs.readarr
+    pkgs.sonarr
+    pkgs.wpa_supplicant
   ];
 
   imports = [
@@ -115,20 +110,20 @@
     ./hardware-configuration.nix
     ./services.nix
     ../common/core
-    ../common/optional/adb.nix
-    ../common/optional/db.nix
+    #../common/optional/adb.nix
+    #../common/optional/db.nix
     ../common/optional/dev.nix
-    ../common/optional/ebooks.nix
+    #../common/optional/ebooks.nix
     ../common/optional/games.nix
     ../common/optional/google-authenticator.nix
     ../common/optional/misc.nix
     ../common/optional/multimedia.nix
-    ../common/optional/pipewire.nix
-    ../common/optional/sdr.nix
+    #../common/optional/pipewire.nix
+    #../common/optional/sdr.nix
     ../common/optional/services/chrony.nix
     ../common/optional/services/openssh.nix
-    ../common/optional/services/xorg.nix
-    ../common/optional/sound.nix
+    #../common/optional/services/xorg.nix
+    #../common/optional/sound.nix
     ../common/optional/wdt.nix
     ../common/optional/zfs.nix
     ../common/users/nipsy
@@ -138,13 +133,12 @@
   networking = {
     defaultGateway = {
       address = "192.168.1.1";
-      interface = "wlp5s0";
+      interface = "enp6s0";
     };
-    domain = "bitgnome.net";
     hostId = "2ae4c89f";
     hostName = "arrakis";
     interfaces = {
-      wlp5s0 = {
+      enp6s0 = {
         ipv4.addresses = [
           { address = "192.168.1.2"; prefixLength = 24; }
         ];
@@ -152,6 +146,9 @@
     };
     nameservers = [ "192.168.1.1" ];
     nftables.enable = true;
+    search = [
+      "bitgnome.net"
+    ];
     useDHCP = false;
     wg-quick.interfaces = {
       wg0 = {
@@ -235,9 +232,6 @@
     ];
   };
 
-  services.openssh.settings.X11Forwarding = true;
-  services.xserver.videoDrivers = [ "nvidia" ];
-
   sops = {
     age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
     defaultSopsFile = ../secrets/arrakis.yaml;
@@ -291,6 +285,8 @@
       after = [ "zfs-import-data.service" ];
       description = "Bind NFS exports to ZFS paths";
       script = ''
+        ${pkgs.util-linux}/bin/mount --onlyonce /srv/caladan/downloads || ${pkgs.coreutils}/bin/true
+        ${pkgs.util-linux}/bin/mount --onlyonce /srv/caladan/www || ${pkgs.coreutils}/bin/true
         ${pkgs.util-linux}/bin/mount --onlyonce /srv/nfs/keepers || ${pkgs.coreutils}/bin/true
         ${pkgs.util-linux}/bin/mount --onlyonce /srv/nfs/movies || ${pkgs.coreutils}/bin/true
         ${pkgs.util-linux}/bin/mount --onlyonce /srv/nfs/tv || ${pkgs.coreutils}/bin/true
@@ -299,18 +295,18 @@
     };
 
     "nftables-extra" = let rules_script = ''
-        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { http, https } counter accept # 80, 443'
-        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138'
-        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445'
-        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport 2049 counter accept'
-        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server'
-        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 5121 counter accept # Neverwinter Nights Server'
+        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport { http, https } counter accept # 80, 443'
+        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138'
+        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445'
+        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport 2049 counter accept'
+        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server'
+        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport 5121 counter accept # Neverwinter Nights Server'
         ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "veth.host" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr'
-        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr'
-        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 15637 counter accept # Enshrouded'
-        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play'
-        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
-        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 51820 counter accept # WireGuard'
+        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr'
+        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport 15637 counter accept # Enshrouded'
+        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play'
+        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
+        ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport 51820 counter accept # WireGuard'
         ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
       ''; in {
         description = "nftables extra firewall rules";
diff --git a/hosts/arrakis/hardware-configuration.nix b/hosts/arrakis/hardware-configuration.nix
index c709789..0d24c12 100644
--- a/hosts/arrakis/hardware-configuration.nix
+++ b/hosts/arrakis/hardware-configuration.nix
@@ -21,6 +21,24 @@
     MOZ_DISABLE_RDD_SANDBOX = "1";
   };
 
+  fileSystems."/srv/caladan/downloads" = {
+    device = "/data/home/nipsy/downloads";
+    fsType = "none";
+    options = [
+      "bind"
+      "noauto"
+    ];
+  };
+
+  fileSystems."/srv/caladan/www" = {
+    device = "/data/home/nipsy/www";
+    fsType = "none";
+    options = [
+      "bind"
+      "noauto"
+    ];
+  };
+
   fileSystems."/srv/nfs/keepers" = {
     device = "/data/home/nipsy/downloads/keepers";
     fsType = "none";
@@ -53,8 +71,8 @@
 
     graphics = {
       enable = true;
-      extraPackages = with pkgs; [ nvidia-vaapi-driver ];
-      extraPackages32 = with pkgs.pkgsi686Linux; [ nvidia-vaapi-driver ];
+      extraPackages = [ pkgs.nvidia-vaapi-driver ];
+      extraPackages32 = [ pkgs.pkgsi686Linux.nvidia-vaapi-driver ];
     };
 
     nvidia = let
@@ -66,19 +84,5 @@
       open = true;
       package = if finalPkg == betaPkg then betaPkg else finalPkg;
     };
-
-    printers = let
-      brother = "Brother_HL-L2340D";
-      ip = "192.168.1.20";
-    in {
-      ensureDefaultPrinter = brother;
-      ensurePrinters = [{
-        name = brother;
-        deviceUri = "ipp://${ip}/ipp";
-        model = "everywhere";
-        description = lib.replaceStrings [ "_" ] [ " " ] brother;
-        location = "home";
-      }];
-    };
   };
 }
diff --git a/hosts/arrakis/services.nix b/hosts/arrakis/services.nix
index 9c283aa..d758d34 100644
--- a/hosts/arrakis/services.nix
+++ b/hosts/arrakis/services.nix
@@ -5,7 +5,7 @@
     	directory = *
   '';
 
-  networking.firewall.allowedTCPPorts = [ 2049 ];
+  networking.firewall.allowedTCPPorts = [ 2049 8333 ];
 
   security.acme = {
     acceptTerms = true;
@@ -65,7 +65,11 @@
       server = {
         enable = true;
         exports = ''
-          /srv/nfs	192.168.1.0/24(ro,all_squash,insecure,crossmnt,subtree_check,fsid=0)
+          /srv/caladan/downloads	192.168.1.4/32(rw,root_squash,fsid=1)
+          /srv/caladan/www	192.168.1.4/32(rw,root_squash,fsid=2)
+          /srv/nfs/keepers	192.168.1.0/24(ro,all_squash,insecure,fsid=3)
+          /srv/nfs/movies	192.168.1.0/24(ro,all_squash,insecure,fsid=4)
+          /srv/nfs/tv	192.168.1.0/24(ro,all_squash,insecure,fsid=5)
         '';
       };
       settings = {
@@ -81,8 +85,6 @@
     nginx = let
 
       sys = lib.nixosSystem {
-        system = "x86_64-linux";
-
         modules = [
           ({ config, pkgs, lib, modulesPath, ... }: {
             imports = [
@@ -91,10 +93,10 @@
             ];
 
             config = {
-              environment.systemPackages = with pkgs; [
-                git
-                iperf
-                rsync
+              environment.systemPackages = [
+                pkgs.git
+                pkgs.iperf
+                pkgs.rsync
               ];
 
               nix.settings.experimental-features = [ "nix-command" "flakes" ];
@@ -104,8 +106,8 @@
                 openFirewall = true;
 
                 settings = {
-                  PasswordAuthentication = false;
                   KbdInteractiveAuthentication = false;
+                  PasswordAuthentication = false;
                 };
               };
 
@@ -115,6 +117,7 @@
               };
             };
           })
+          { nixpkgs.hostPlatform = "x86_64-linux"; }
         ];
       };
 
@@ -224,17 +227,26 @@
       };
     };
 
+    openssh.settings = {
+      StreamLocalBindUnlink = true;
+    };
+
     postfix = let my_email = "nipsy@bitgnome.net"; in {
       enable = true;
       extraAliases = ''
         nipsy: ${my_email}
       '';
-      hostname = "${config.networking.hostName}.${config.networking.domain}";
-      relayHost = "mail.bitgnome.net";
-      relayPort = 587;
       rootAlias = my_email;
-      sslCert = "/var/lib/acme/arrakis.bitgnome.net/fullchain.pem";
-      sslKey = "/var/lib/acme/arrakis.bitgnome.net/key.pem";
+      settings.main = {
+        myhostname = "arrakis.bitgnome.net";
+        relayhost = [
+          "[mail.bitgnome.net]:587"
+        ];
+        smtpd_tls_chain_files = [
+          "/var/lib/acme/arrakis.bitgnome.net/key.pem"
+          "/var/lib/acme/arrakis.bitgnome.net/fullchain.pem"
+        ];
+      };
     };
 
     printing.enable = true;
@@ -299,32 +311,34 @@
           options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
         }
         {
-          device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUK5EL";
+          device = "/dev/disk/by-id/ata-WDC_WUH722020BLE6L4_8LKLLAAE";
           options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
         }
         {
-          device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV5JEL";
+          device = "/dev/disk/by-id/ata-WDC_WUH722020BLE6L4_8LK84H9V";
           options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
         }
         {
-          device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUZ42L";
+          device = "/dev/disk/by-id/ata-WDC_WUH722020BLE6L4_2LGKG71F";
           options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
         }
         {
-          device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV3BSL";
+          device = "/dev/disk/by-id/ata-WDC_WUH722020BLE6L4_9AG00UKJ";
           options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
         }
         {
-          device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV338L";
+          device = "/dev/disk/by-id/ata-WDC_WUH722020BLE6L4_8LG806ZA";
           options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
         }
       ];
     };
 
-    udev.packages = with pkgs; [
-      vial
+    udev.packages = [
+      pkgs.vial
     ];
 
+    xserver.videoDrivers = [ "nvidia" ];
+
   };
 
   #systemd.services.nginx.serviceConfig.ProtectHome = lib.mkForce false;