jakalx/nixos-config
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add initial configuration for dregil

Browse source
This commit is contained in:
Alexander Kobjolke 2023-03-10 18:31:32 +01:00
parent d6ab6b3f48
commit 193639d884
4 changed files with 237 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

173
hosts/dregil/default.nix Normal file
View file

@ -0,0 +1,173 @@
{ config, lib, pkgs, ... }:
let extIface = "ens3";
in {
imports = [ # Include the results of the hardware scan.
./hardware-configuration.nix
];
nix.package = pkgs.nixUnstable;
nix.extraOptions = ''
experimental-features = nix-command flakes ca-derivations
'';
#nix.registry.nixpkgs.flake = nixpkgs;
# Binary Cache for Haskell.nix
nix.settings.trusted-public-keys =
[ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
#nix.binaryCaches = [ "https://hydra.iohk.io" ];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
# boot.loader.grub.efiSupport = true;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
# boot.loader.systemd-boot.enable = true;
# Set your time zone.
time.timeZone = "Europe/Berlin";
age.secrets = {
# mailPass.file = ../../secrets/mailPass.age;
# wireguard-thrall.file = ../../secrets/wireguard-thrall.age;
};
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking = {
hostName = "dregil";
domain = "failco.de";
wireless.enable = true;
useDHCP = true;
enableIPv6 = true;
firewall = {
allowedTCPPorts = [ 22 ];
allowedUDPPorts = [ 42666 ];
};
# wireguard.interfaces = {
# wg0 = {
# ips = [ "10.0.0.1/24" ];
# listenPort = 42666;
#
# privateKeyFile = config.age.secrets.wireguard-thrall.path;
# peers = [
# {
# # my phone
# publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
# allowedIPs = [ "10.0.0.2/32" ];
# }
# {
# # my tablet
# publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
# allowedIPs = [ "10.0.0.3/32" ];
# }
# ];
# };
# };
};
security.acme = {
acceptTerms = true;
defaults.email = "alex@jakalx.net";
};
security.sudo = {
enable = true;
execWheelOnly = true;
extraRules = [{
groups = [ "wheel" ];
commands = [{
command = "/run/current-system/sw/bin/nixos-rebuild";
options = [ "NOPASSWD" ];
}];
}];
};
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "dvorak";
};
# Define a user account. Don't forget to set a password with passwd.
users.users.alex = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
shell = pkgs.zsh;
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget
rsync
htop
tmux
git
#agenix.defaultPackage.x86_64-linux
restic # fast and secure backup
rclone
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
programs.neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
};
# enable zsh globally in order to get home.sessionPath to propagate :()
programs.zsh.enable = true;
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.lorri.enable = true;
# configure backup via restic to gdrive
services.restic.backups = { };
services.keybase = { enable = true; };
services.syncthing = {
enable = true;
user = "alex";
dataDir = "/home/alex/sync";
overrideDevices =
true; # overrides any devices added or deleted through the WebUI
overrideFolders =
true; # overrides any folders added or deleted through the WebUI
folders = {
"org" = {
path = "/home/alex/org";
devices = [ "thrall" "redmi" ];
};
"scan" = {
path = "/home/alex/media/scan";
devices = [ "thrall" "redmi" ];
};
};
devices = {
"redmi" = {
id = "C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
};
};
};
system.stateVersion = "20.09"; # Did you read the comment?
}

29
hosts/thrall/default.nix
View file

@ -55,8 +55,8 @@ in {
defaultGateway = "195.90.208.1";
nameservers = [ "1.1.1.1" "8.8.8.8" ];
firewall = {
allowedTCPPorts = [ 22 80 443 5000 ];
allowedUDPPorts = [ 42666 ];
allowedTCPPorts = [ 22 53 80 443 5000 ];
allowedUDPPorts = [ 53 42666 ];
};
# wireguard related config
@ -70,18 +70,27 @@ in {
listenPort = 42666;
postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
privateKeyFile = config.age.secrets.wireguard-thrall.path;
peers = [{
# my phone
publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
allowedIPs = [ "10.0.0.2/32" ];
}];
peers = [
{
# my phone
publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
allowedIPs = [ "10.0.0.2/32" ];
}
{
# my tablet
publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
allowedIPs = [ "10.0.0.3/32" ];
}
];
};
};
};
@ -151,6 +160,12 @@ in {
# List services that you want to enable:
# depending on wireguard
services.kresd = {
enable = true;
listenPlain = [ "[::1]:53" "127.0.0.1:53" "10.0.0.1:53" ];
};
# Enable the OpenSSH daemon.
services.openssh.enable = true;