From e65ba7c8a622aff78c5dd946e2c12ec7871d38bd Mon Sep 17 00:00:00 2001
From: Vinzenz Schroeter
Date: Sun, 10 Sep 2023 14:12:01 +0200
Subject: [PATCH] prepare configuration for server use

---
 hardware/common-desktop.nix | 33 +++++++++++++++
 hardware/default.nix | 1 +
 hardware/hetzner-vpn1.nix | 80 +++++++++++++++++++++++++++++++++++++
 hardware/vinzenz-lpt.nix | 2 +
 hardware/vinzenz-pc2.nix | 2 +
 helpers/default.nix | 7 ++++
 hetzner-vpn1.nix | 16 ++++++++
 modules/default.nix | 3 +-
 modules/desktop/default.nix | 2 +
 modules/server/default.nix | 33 +++++++++++++++
 vinzenz-lpt.nix | 6 ++-
 vinzenz-pc2.nix | 10 +++--
 12 files changed, 188 insertions(+), 7 deletions(-)
 create mode 100644 hardware/common-desktop.nix
 create mode 100644 hardware/hetzner-vpn1.nix
 create mode 100644 helpers/default.nix
 create mode 100644 hetzner-vpn1.nix
 create mode 100644 modules/server/default.nix

diff --git a/hardware/common-desktop.nix b/hardware/common-desktop.nix
new file mode 100644
index 0000000..83a34f6
--- /dev/null
+++ b/hardware/common-desktop.nix
@@ -0,0 +1,33 @@
+{
+ lib,
+ config,
+ ...
+}: let
+ isEnabled = config.my.hardware.common-desktop.enable;
+in {
+ imports = [
+ ];
+
+ options.my.hardware.common-desktop = {
+ enable = lib.mkEnableOption "common desktop hardware settings";
+ };
+
+ config = lib.mkIf isEnabled {
+ boot.loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
+
+ hardware.enableRedistributableFirmware = true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ };
+}
diff --git a/hardware/default.nix b/hardware/default.nix
index 3a06ecb..a5608dc 100644
--- a/hardware/default.nix
+++ b/hardware/default.nix
@@ -6,6 +6,7 @@ hostName: {
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
 (builtins.toString ./. + "/${hostName}.nix")
+ ./common-desktop.nix
 ];
 config = {
diff --git a/hardware/hetzner-vpn1.nix b/hardware/hetzner-vpn1.nix
new file mode 100644
index 0000000..7b62a41
--- /dev/null
+++ b/hardware/hetzner-vpn1.nix
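Review bot: The empty `imports = [ ];` list and the two commented-out `networking.interfaces.*.useDHCP` lines in the new common-desktop module are scaffolding carried over from a generated hardware-configuration and set nothing; dropping them keeps the shared module down to the options it actually defines. If the commented lines are meant as a reminder for per-host overrides, a one-line note such as `# per-interface useDHCP is left to the host's own hardware file` says that more clearly than dead config.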
@@ -0,0 +1,80 @@
+{
+ lib,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.cleanTmpDir = true;
+ zramSwap.enable = true;
+ networking.domain = "";
+
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "nodev";
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/77CF-345D";
+ fsType = "vfat";
+ };
+ boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];
+ boot.initrd.kernelModules = ["nvme"];
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
+
+ # This file was populated at runtime with the networking
+ # details gathered from the active system.
+ networking = {
+ nameservers = [
+ "8.8.8.8"
+ ];
+ defaultGateway = "172.31.1.1";
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "eth0";
+ };
+ dhcpcd.enable = false;
+ usePredictableInterfaceNames = lib.mkForce false;
+ interfaces = {
+ eth0 = {
+ ipv4.addresses = [
+ {
+ address = "157.90.146.125";
+ prefixLength = 32;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "2a01:4f8:c012:7137::1";
+ prefixLength = 64;
+ }
+ {
+ address = "fe80::9400:2ff:fe87:7fc9";
+ prefixLength = 64;
+ }
+ ];
+ ipv4.routes = [
+ {
+ address = "172.31.1.1";
+ prefixLength = 32;
+ }
+ ];
+ ipv6.routes = [
+ {
+ address = "fe80::1";
+ prefixLength = 128;
+ }
+ ];
+ };
+ };
+ };
+ services.udev.extraRules = ''
+ ATTR{address}=="96:00:02:87:7f:c9", NAME="eth0"
+
+ '';
+}
diff --git a/hardware/vinzenz-lpt.nix b/hardware/vinzenz-lpt.nix
index cf01a43..3b36625 100644
--- a/hardware/vinzenz-lpt.nix
+++ b/hardware/vinzenz-lpt.nix
@@ -1,5 +1,7 @@
 {...}: {
 config = {
+ my.hardware.common-desktop.enable = true;
+
 boot = {
 initrd.availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"];
 initrd.kernelModules = [];
diff --git a/hardware/vinzenz-pc2.nix b/hardware/vinzenz-pc2.nix
index 8e27145..609479e 100644
--- a/hardware/vinzenz-pc2.nix
+++ b/hardware/vinzenz-pc2.nix
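Review bot: The root filesystem is pinned to `/dev/sda1` while `/boot` is addressed by `/dev/disk/by-uuid/77CF-345D`; kernel block-device names are not stable across reboots or attached volumes, so `fileSystems."/"` should use the same scheme, `device = "/dev/disk/by-uuid/<root-uuid>";` with the UUID read from the running host. `boot.initrd.kernelModules = ["nvme"]` also looks out of place next to an `sda1` root and the `ata_piix`/`xen_blkfront` modules in `availableKernelModules` — presumably a leftover from a provider template, worth confirming on the machine. `boot.cleanTmpDir` has been renamed to `boot.tmp.cleanOnBoot` in recent NixOS releases (23.05 onward, if I recall correctly), so depending on the channel this line yields a rename warning or an evaluation error; and `networking.domain = "";` sets an empty domain rather than leaving the option unset, which the comment above the networking block does not explain.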
@@ -1,5 +1,7 @@
 {...}: {
 config = {
+ my.hardware.common-desktop.enable = true;
+
 boot = {
 initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "sd_mod"]; # "usb_storage"
 initrd.kernelModules = [];
diff --git a/helpers/default.nix b/helpers/default.nix
new file mode 100644
index 0000000..1a1041b
--- /dev/null
+++ b/helpers/default.nix
@@ -0,0 +1,7 @@
+{lib, ...}: {
+ mkIfElse = p: yes: no:
+ lib.mkMerge [
+ (mkIf p yes)
+ (mkIf (!p) no)
+ ];
+}
diff --git a/hetzner-vpn1.nix b/hetzner-vpn1.nix
new file mode 100644
index 0000000..b45da07
--- /dev/null
+++ b/hetzner-vpn1.nix
@@ -0,0 +1,16 @@
+{...}: {
+ imports = [
+ ./modules
+ (import ./hardware "hetzner-vpn1")
+ ];
+
+ config = {
+ my = {
+ desktop.enable = false;
+ server.enable = true;
+ };
+ users.users.root.openssh.authorizedKeys.keys = [
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdYqY3Y1/f1bsAi5Qfyr/UWuX9ixu96IeAlhoQaJkbf''
+ ];
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
index 71d87d1..74584f5 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -4,6 +4,7 @@
 ...
 }: let
 cfg = config.my;
+ helpers = import ../helpers;
 in {
 imports = [
 ./home
@@ -22,7 +23,7 @@ in {
 services.openssh = {
 enable = true;
 settings = {
- PermitRootLogin = "no";
+ PermitRootLogin = helpers.mkIfElse config.my.server.enable "yes" "no";
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
 };
diff --git a/modules/desktop/default.nix b/modules/desktop/default.nix
index 771dff8..dca0499 100644
--- a/modules/desktop/default.nix
+++ b/modules/desktop/default.nix
@@ -22,6 +22,8 @@ in {
 # Enable CUPS to print documents.
 printing.enable = true;
+
+ openssh.settings.PermitRootLogin = "no";
 };
 # Enable sound with pipewire.
diff --git a/modules/server/default.nix b/modules/server/default.nix
new file mode 100644
index 0000000..a8f584c
--- /dev/null
+++ b/modules/server/default.nix
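Review bot: `mkIf` is not in scope in helpers/default.nix — the argument set only binds `lib` — so `(mkIf p yes)` and `(mkIf (!p) no)` raise an undefined-variable error the first time `mkIfElse` is evaluated, which in this commit is on every system that imports modules/default.nix. Qualify both calls: `(lib.mkIf p yes)` and `(lib.mkIf (!p) no)`. A short header comment, `# mkIfElse cond a b: module definition a when cond holds, otherwise b.`, would also help, since the name alone does not say the result is a mkMerge of two conditional definitions rather than a plain value.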
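Review bot: `helpers = import ../helpers;` binds the function `{lib, ...}: { … }` itself rather than the attribute set it returns, so `helpers.mkIfElse` in the second modules/default.nix hunk fails at evaluation (attribute selection on a function); it should be `helpers = import ../helpers {inherit lib;};`, assuming `lib` is among this module's arguments, which sit above the first hunk. Separately, `"yes"` for `PermitRootLogin` is broader than the server needs: the host provisions root only through `users.users.root.openssh.authorizedKeys.keys`, and `PasswordAuthentication`/`KbdInteractiveAuthentication` are already false, so `"prohibit-password"` grants the same access while keeping root password logins impossible should either of those settings ever be relaxed — `PermitRootLogin = helpers.mkIfElse config.my.server.enable "prohibit-password" "no";`. The enclosing `let … in` and `services.openssh` blocks both extend outside these hunks.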
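Review bot: `openssh.settings.PermitRootLogin = "no";` in modules/desktop/default.nix has the same priority as the definition in modules/default.nix, so on a host that enables both `my.desktop` and `my.server` the values `"no"` and `"yes"` become conflicting definitions and evaluation fails (PermitRootLogin is an enum option, which only merges equal values), while on a desktop-only host the line just repeats the `"no"` already set centrally. If the intent is that a desktop role always wins, say so with `openssh.settings.PermitRootLogin = lib.mkForce "no";` (assuming `lib` is in this module's scope; its argument list is above the hunk); otherwise the line can be dropped. The enclosing `services = { … }` block starts outside the hunk.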
@@ -0,0 +1,33 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ cfg = config.my.server;
+in {
+ imports = [];
+
+ options.my.server = {
+ enable = lib.mkEnableOption "server role";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services = {
+ services.openssh.enable = true;
+ };
+
+ programs = {
+ };
+
+ networking.firewall = {
+ allowedTCPPortRanges = [
+ {
+ # ssh
+ from = 22;
+ to = 22;
+ }
+ ];
+ };
+ };
+}
diff --git a/vinzenz-lpt.nix b/vinzenz-lpt.nix
index 5474c3d..eb7957d 100644
--- a/vinzenz-lpt.nix
+++ b/vinzenz-lpt.nix
@@ -5,8 +5,10 @@
 ];
 config = {
- my.gnome.enable = true;
- my.home.vinzenz.enable = true;
+ my = {
+ gnome.enable = true;
+ home.vinzenz.enable = true;
+ };
 services.flatpak.enable = true;
 };
diff --git a/vinzenz-pc2.nix b/vinzenz-pc2.nix
index 83ea523..200ed8a 100644
--- a/vinzenz-pc2.nix
+++ b/vinzenz-pc2.nix
@@ -5,10 +5,12 @@
 ];
 config = {
- my.kde.enable = true;
- my.home = {
- vinzenz.enable = true;
- ronja.enable = true;
+ my = {
+ kde.enable = true;
+ home = {
+ vinzenz.enable = true;
+ ronja.enable = true;
+ };
 };
 users.groups."games" = {
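Review bot: `services = { services.openssh.enable = true; };` in modules/server/default.nix nests `services` twice, so it defines `services.services.openssh.enable`, which is not a NixOS option and makes evaluation fail whenever `my.server.enable` is true; the inner line should read `openssh.enable = true;` (or the wrapper flattened to `services.openssh.enable = true;`). The `allowedTCPPortRanges` entry for port 22 is redundant as far as I can tell, because the NixOS openssh module already opens its listening ports while `services.openssh.openFirewall` is left at its default; if it is kept for explicitness, `allowedTCPPorts = [22];` is the simpler form. The empty `imports = []` and `programs = { }` blocks and the unused `pkgs` argument read as scaffolding and could go.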