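# NixOS host configuration for "darkstar": ZFS root on a ZFS-compatible kernel,
# a mirrored ESP, and an nftables firewall whose non-public rule files are
# supplied through sops-nix secrets.
{ config, pkgs, ... }:

{
  boot = {
    initrd.kernelModules = [ "zfs" ];
    # IPv4 forwarding is enabled here; the forwarding policy itself is expected
    # to come from the "nftables/forward" secret loaded by nftables-extra below
    # (presumably routing between enp116s0 and vlan201, see the commented-out
    # nat block — confirm against the secret contents).
    kernel.sysctl = { "net.ipv4.ip_forward" = true; };
    # Pin the kernel to the newest one the ZFS module supports instead of the
    # newest kernel available, so an upgrade cannot leave the root pool unloadable.
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
    loader = {
      efi = {
        canTouchEfiVariables = true;
        efiSysMountPoint = "/efiboot/efi1";
      };
      systemd-boot = {
        enable = true;
        # Mirror the primary ESP onto the second disk after every bootloader
        # install. Copy only when the mirror is really mounted: a `cp` into an
        # unmounted mount point silently writes to the root filesystem and leaves
        # the real mirror stale, so report that case instead of hiding it.
        extraInstallCommands = ''
          if ${pkgs.util-linux}/bin/mountpoint -q /efiboot/efi2; then
            ${pkgs.coreutils}/bin/cp -r /efiboot/efi1/* /efiboot/efi2
          else
            echo "warning: /efiboot/efi2 is not mounted; ESP mirror not updated" >&2
          fi
        '';
      };
      timeout = 3;
    };
    supportedFilesystems = [ "zfs" ];
  };

  #environment.systemPackages = with pkgs; [
  #  wpa_supplicant
  #  somethingelse
  #];

  imports = [
    ./hardware-configuration.nix
    ./services.nix
    ../common/core
    ../common/optional/services/asterisk.nix
    ../common/optional/services/kea.nix
    ../common/optional/services/nsd.nix
    ../common/optional/services/openssh.nix
    ../common/optional/zfs.nix
    ../common/users/nipsy
    ../common/users/root
  ];

  networking = {
    hostId = "f9ca5efe";
    hostName = "darkstar";
    defaultGateway = "192.168.1.1";
    domain = "bitgnome.net";
    # DNS is the only port this file opens in the NixOS firewall; SSH, VoIP and
    # forwarding policy live in the sops-managed rule files loaded by
    # nftables-extra.service (imported modules may open further ports).
    firewall = {
      allowedTCPPorts = [
        53 # domain
      ];
      allowedUDPPorts = [
        53 # domain
      ];
    };
    interfaces = {
      enp116s0 = {
        ipv4.addresses = [
          { address = "192.168.1.16"; prefixLength = 24; }
        ];
      };
      vlan201 = { useDHCP = true; };
    };
    nameservers = [ "192.168.1.1" ];
    #nat = {
    #  enable = true;
    #  #enableIPv6 = true;
    #  externalInterface = "vlan201";
    #  internalInterfaces = [ "enp116s0" ];
    #};
    # Use the nftables backend for the NixOS firewall (nftables.service).
    nftables.enable = true;
    #useDHCP = false;
    vlans = {
      vlan201 = { id = 201; interface = "enp117s0"; };
    };
    #wireless.iwd = {
    #  enable = true;
    #  settings = {
    #    IPv6 = {
    #      Enabled = true;
    #    };
    #    Settings = {
    #      AutoConnect = true;
    #    };
    #  };
    #};
  };

  sops = {
    # Secrets are decrypted with this host's SSH host key used as an age identity.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    defaultSopsFile = ../secrets/darkstar.yaml;
    secrets = {
      "kea-dhcp4_conf" = {};
      "nftables/forward" = {};
      "nftables/ssh" = {};
      "nftables/voip" = {};
    };
  };

  # Do not change after installation; it pins stateful defaults.
  system.stateVersion = "23.11";

  # Load the secret nftables rule files on top of the base ruleset managed by
  # nftables.service. Oneshot + RemainAfterExit makes systemd treat the rules
  # as "active" once loaded; there is no ExecStop, so stopping this unit does
  # not remove them.
  systemd.services."nftables-extra" = {
    description = "nftables extra firewall rules";
    # Order after the base ruleset so that on boot these files are applied on
    # top of it, and any table or chain they reference already exists.
    after = [ "nftables.service" ];
    wants = [ "nftables.service" ];
    # NOTE(review): `nft -f` appends. If nftables.service is configured to
    # flush the whole ruleset on restart (networking.nftables.flushRuleset),
    # these rules are lost until this unit is restarted; if it is not, a restart
    # of this unit duplicates rules unless each file flushes/deletes its own
    # table first. Confirm against the secret contents before adding
    # partOf = [ "nftables.service" ].
    script = ''
      ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/forward".path}
      ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
      ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/voip".path}
    '';
    serviceConfig = {
      RemainAfterExit = true;
      Type = "oneshot";
    };
    unitConfig = {
      # Skip (rather than fail) when the decrypted secrets are not present yet;
      # the path unit below starts the service once they appear.
      ConditionPathExists = [
        config.sops.secrets."nftables/forward".path
        config.sops.secrets."nftables/ssh".path
        config.sops.secrets."nftables/voip".path
      ];
    };
    wantedBy = [ "multi-user.target" ];
  };

  # A path unit of the same name activates nftables-extra.service as soon as
  # any of the decrypted rule files exists, in addition to multi-user.target.
  systemd.paths."nftables-extra" = {
    pathConfig = {
      PathExists = [
        config.sops.secrets."nftables/forward".path
        config.sops.secrets."nftables/ssh".path
        config.sops.secrets."nftables/voip".path
      ];
    };
    wantedBy = [ "multi-user.target" ];
  };
}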