let
  # LAN addresses of the two deployment targets defined below. nasIp is
  # also used by the server node for its NFS mount of the NAS.
  nasIp = "192.168.1.168";
  serverIp = "192.168.1.44";
in
{
network = {
  # Deployment-wide nixops settings.
  name = "house";
  description = "machines used in my house";
  # Keep enough generation history on the targets to roll a bad deploy back.
  enableRollback = true;
  # Deployment state is kept in the local nixops state file (the "legacy"
  # storage backend).
  storage = {
    legacy = { };
  };
};
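defaults = { pkgs, ... }:
{
  # Settings shared by every node in this deployment.
  imports = [
    # make sure you have properly added the home-manager channel!
    <home-manager/nixos>
  ];

  # Wifi network shared with the framework laptop's key file.
  # NOTE(review): pskRaw is written into the generated wpa_supplicant config,
  # which lives in the world-readable Nix store on each node. If that matters,
  # networking.wireless.environmentFile lets the PSK be substituted at runtime
  # from a file outside the store instead.
  networking.wireless.networks."lbheim".pskRaw =
    (import ../system/framework/keys.nix).wifi."lbheim".pskRaw;

  documentation.enable = false;

  # for nixops to log in and perform operations as haak (instead of root).
  # Note this waives the sudo password for every member of wheel, not only
  # for haak.
  security.sudo.wheelNeedsPassword = false;

  home-manager.users.haak = import ../home/commandline.nix;

  # Configure the root account so that i can get in there from the framework
  # laptop. Previously split between users.users and users.extraUsers; the
  # latter is only a deprecated alias of the former, so both settings are
  # merged here under the canonical name.
  users.users.root = {
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = [
      (import ../system/framework/keys.nix).ssh.public
    ];
  };

  environment.systemPackages = with pkgs; [
    tmux
    ripgrep
    htop
  ];

  # Optimize nix store by hardlinking identical files.
  nix.settings.auto-optimise-store = true;

  # Limit the systemd journal to 100 MB of disk or the
  # last 7 days of logs, whichever happens first.
  services.journald.extraConfig = ''
    SystemMaxUse=100M
    MaxFileSec=7day
  '';

  # servers should not auto-upgrade; it leads to strange behavior when they
  # reboot, because of creating their own, new, generation outside of
  # nixops management.
  system.autoUpgrade.enable = false;
};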
server = { nodes, ... }:
{
  deployment.targetHost = serverIp;

  imports = [ ../system/xps11/configuration.nix ];

  # NFS mount of the NAS export. "x-systemd.automount" mounts it on first
  # access, "noauto" keeps it out of the boot-time mount set, and "_netdev"
  # marks it as needing the network so it is ordered after network-online.
  fileSystems."/storage" = {
    device = "${nasIp}:/storage";
    fsType = "nfs";
    options = [ "x-systemd.automount" "noauto" "_netdev" ];
  };
};
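nas = { pkgs, ... }:
{
  deployment.targetHost = nasIp;

  imports = [
    ../system/svalbard/configuration.nix
    (import ../home/programs/qbittorrent { inherit pkgs; })
    ../home/programs/beets
  ];

  # NFS server, exported to the LAN /24 only. /export is the NFSv4 root
  # (fsid=0) with /export/storage nested below it. "insecure" accepts client
  # connections from unprivileged source ports. Keep the host and the
  # parenthesised option list adjacent: a space between them changes which
  # hosts the options apply to (see exports(5)).
  services.nfs.server.enable = true;
  services.nfs.server.exports = ''
    /export 192.168.1.0/24(insecure,rw,sync,crossmnt,no_subtree_check,fsid=0)
    /export/storage 192.168.1.0/24(rw,sync,nohide,no_subtree_check,insecure)
  '';

  networking.firewall = {
    allowedTCPPorts = [ 2049 ]; # NFS port
    allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport
  };

  # Enable WireGuard
  networking.wg-quick.interfaces =
    let
      # Public key of the server (not a file path).
      publicKey = "5y66WShsFXqM5K7/4CPEGCWfk7PQyNhVBT2ILjbGm2I=";
    in
    {
      # "wg0" is the network interface name. You can name the interface arbitrarily.
      wg0 = {
        # Determines the IP address and subnet of the client's end of the tunnel interface.
        address = [ "10.64.168.213/32" "fc00:bbbb:bbbb:bb01::1:a8d4/128" ];
        dns = [ "10.64.0.1" ];
        listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
        # Note: The private key can also be included inline via the privateKey option,
        # but this makes the private key world-readable; thus, using privateKeyFile is
        # recommended.
        #privateKeyFile = "/run/keys/wireguard";
        # See https://nixos.wiki/wiki/WireGuard#Tunnel_does_not_automatically_connect_despite_persistentKeepalive_being_set
        # postUp = [ "wg set wg0 peer ${publicKey} persistent-keepalive 25" ];
        #
        # NOTE(review): builtins.readFile turns the secret into a plain string,
        # so this has exactly the effect the note above warns about: the key is
        # baked into the generated config in the Nix store on the NAS. The
        # intended fix is to ship the file with nixops
        # (deployment.keys.wireguard.keyFile = ../../secrets/wireguard/svalbard),
        # set privateKeyFile = "/run/keys/wireguard" and order wg-quick-wg0.service
        # after the nixops key unit. Keys under /run/keys do not survive a reboot
        # (they need `nixops send-keys`), which is why this is left unchanged here.
        privateKey = builtins.readFile ../../secrets/wireguard/svalbard;
        # For a client configuration, one peer entry for the server will suffice.
        peers = [
          # Sweden, Malmo, se15
          {
            inherit publicKey;
            # Forward all the traffic via VPN.
            allowedIPs = [ "0.0.0.0/0" "::0/0" ];
            # Set this to the server IP and port.
            endpoint = "193.138.218.80:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
            # Send keepalives every 25 seconds. Important to keep NAT tables alive.
            # see https://nixos.wiki/wiki/WireGuard#Tunnel_does_not_automatically_connect_despite_persistentKeepalive_being_set
            persistentKeepalive = 25;
          }
        ];
      };
    };
};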
}