commit da7addb4320dc62750081c4789fc37fccd7f57b1
parent 9f10f941d6bf5b4e3459034c54f4cf99c753a056
Author: Katja (ctucx) <git@ctu.cx>
Date: Sat, 15 Mar 2025 00:24:06 +0100
parent 9f10f941d6bf5b4e3459034c54f4cf99c753a056
Author: Katja (ctucx) <git@ctu.cx>
Date: Sat, 15 Mar 2025 00:24:06 +0100
move network and initrd-ssh configuration from nodes to nixos-common config
7 files changed, 105 insertions(+), 213 deletions(-)
M
|
99
+++++++++++++++++++++++++++++++++++++++++++++++++------------------------------
diff --git a/configurations/common/common.nix b/configurations/common/common.nix @@ -18,14 +18,22 @@ in { systemConfig = config; }; - users.katja = { - home.sessionVariables = { - NIXPKGS_PATH = NIXPKGS_PATH; - NIX_PATH = "nixpkgs=${NIXPKGS_PATH}"; - }; - }; - sharedModules = [ + { + home.sessionVariables = { + NIXPKGS_PATH = NIXPKGS_PATH; + NIX_PATH = "nixpkgs=${NIXPKGS_PATH}"; + }; + + home.language = { + "base" = "en_US.UTF-8"; + "time" = "de_DE.utf8"; + "address" = "de_DE.utf8"; + "monetary" = "de_DE.utf8"; + "paper" = "de_DE.utf8"; + }; + } + ctucxConfig.homeManager.programs.bash ctucxConfig.homeManager.programs.starship ctucxConfig.homeManager.programs.mcfly @@ -50,9 +58,18 @@ in { ]; nix = { - nixPath = lib.mkForce [ "nixpkgs=${NIXPKGS_PATH}" ]; + nixPath = lib.mkForce [ "nixpkgs=${NIXPKGS_PATH}" ]; + + channel.enable = lib.mkForce false; + + optimise.automatic = lib.mkDefault true; + + gc.automatic = lib.mkDefault true; + gc.options = "--delete-older-than 3d"; + settings = { nix-path = config.nix.nixPath; + auto-optimise-store = true; trusted-users = [ "@wheel" ]; experimental-features = [ "nix-command" "flakes" ]; extra-substituters = [
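Review bot: `gc.options = "--delete-older-than 3d"` is the only setting added in the second hunk without `lib.mkDefault`, so a node that wants to keep generations longer has to `mkForce` it, unlike its siblings `channel.enable`, `optimise.automatic` and `gc.automatic`; `gc.options = lib.mkDefault "--delete-older-than 3d";` keeps the override story uniform. The same hunk enables both `optimise.automatic` and `settings.auto-optimise-store`; the second deduplicates at build time and the first runs a scheduled pass (`optimise.dates` stays in nixos/default.nix), which looks intentional but deserves a one-line comment such as `# both: dedupe new paths at build time and sweep the whole store on a schedule` so the apparent duplication is not "cleaned up" later. The `nix` attrset continues past the end of the hunk.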
diff --git a/configurations/nixos/default.nix b/configurations/nixos/default.nix @@ -1,7 +1,8 @@ -{ inputs, secrets, nodeName, config, ctucxConfig, lib, pkgs, ... }: +{ inputs, secrets, nodeName, node, config, ctucxConfig, lib, pkgs, ... }: let - katja-pubkey = builtins.readFile "${pkgs.ctucx-website}/ssh_pubkey.asc"; + katja-pubkey = builtins.readFile "${pkgs.ctucx-website}/ssh_pubkey.asc"; + defaultResolvers = [ "[2620:fe::fe]" "[2620:fe::9]" "[2606:4700:4700::1111]" "1.1.1.1" "9.9.9.9" ]; in { 
@@ -9,19 +10,69 @@ in { ctucxConfig.common ]; + age.secrets.katjaPassword.file = secrets.allNodes.passwords.katja; + age.secrets.acmeTSIGKey.file = secrets."${config.networking.hostName}".acmeTSigKey; + boot.loader.efi.canTouchEfiVariables = lib.mkDefault true; boot.loader.systemd-boot.enable = lib.mkDefault true; - boot.initrd.kernelModules = [ "ipv6" ]; + boot.initrd = { + availableKernelModules = [ "ipv6" ]; + systemd = let + askPass = pkgs.writeShellScriptBin "cryptsetup-askpass" "systemctl default"; + in { + enable = lib.mkDefault true; + network = lib.mkIf config.systemd.network.enable config.systemd.network; + storePaths = [ "${askPass}/bin/cryptsetup-askpass" ]; + users.root.shell = "${askPass}/bin/cryptsetup-askpass"; + }; + + network.enable = lib.mkDefault true; + network.ssh = { + enable = lib.mkDefault true; + port = 22; + hostKeys = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; + authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); + }; + }; - networking.hostName = lib.mkDefault nodeName; - networking.domain = lib.mkDefault "ctu.cx"; + networking = { + useNetworkd = lib.mkDefault true; + useDHCP = lib.mkDefault false; + + hostName = lib.mkDefault nodeName; + domain = lib.mkDefault "ctu.cx"; + + nftables.enable = lib.mkDefault true; + firewall.enable = lib.mkDefault true; + }; + + systemd.network.networks = lib.mkIf (node ? 
mainInterface) { + "5-mainInterface" = { + enable = lib.mkDefault true; + name = node.mainInterface; + dns = defaultResolvers |> lib.map (value: value |> lib.replaceStrings [ "[" "]" ] [ "" "" ]); + gateway = [ node.defaultGateway6 node.defaultGateway4 ]; + address = [ + "${node.ip6Address}/${toString node.ip6PrefixLength}" + "${node.ip4Address}/${toString node.ip4PrefixLength}" + ]; + }; + }; i18n.defaultLocale = "en_US.UTF-8"; i18n.supportedLocales = [ "de_DE.UTF-8/UTF-8" "en_US.UTF-8/UTF-8" ]; - age.secrets.katjaPassword.file = secrets.allNodes.passwords.katja; - age.secrets.acmeTSIGKey.file = secrets."${config.networking.hostName}".acmeTSigKey; + users = { + mutableUsers = false; + users.root.openssh.authorizedKeys.keys = [ katja-pubkey ]; + users.katja = { + isNormalUser = true; + hashedPasswordFile = config.age.secrets.katjaPassword.path; + extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + openssh.authorizedKeys.keys = [ katja-pubkey ]; + }; + }; system = { nixos.revision = lib.mkIf (inputs.nixpkgs.sourceInfo ? rev) inputs.nixpkgs.sourceInfo.rev; @@ -46,13 +97,8 @@ in { }; }; - nix = { - channel.enable = lib.mkForce false; - settings = { - auto-optimise-store = true; - # Free up to 1GiB whenever there is less than 100MiB left. min-free = toString (100 * 1024 * 1024); max-free = toString (1024 * 1024 * 1024); @@ -61,12 +107,8 @@ in { daemonCPUSchedPolicy = lib.mkDefault "idle"; daemonIOSchedClass = lib.mkDefault "idle"; - optimise.automatic = lib.mkDefault true; - optimise.dates = [ "12:00" "15:00" "18:00" "21:00" ]; - - gc.automatic = lib.mkDefault true; - gc.options = "--delete-older-than 3d"; - gc.dates = "18:00"; + optimise.dates = [ "12:00" "15:00" "18:00" "21:00" ]; + gc.dates = "18:00"; }; systemd.services = let 
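Review bot: `hostKeys = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]` makes copying each node's production SSH host key into the initrd the default for every node that imports this module, and with `boot.loader.systemd-boot` that initrd (and the secrets appended to it) sits on the unencrypted ESP, so anyone who can read /boot or a removed disk obtains the key that identifies the running system; a dedicated initrd host key (for example `/etc/ssh/initrd_ssh_host_ed25519_key`, generated once per node) limits what leaks to the initrd identity. The hunk also turns `network.enable` and `network.ssh.enable` on by default, so a node that previously had no initrd networking now gets a port-22 listener accepting every wheel user's key before the firewall exists; a comment making the opt-out explicit, `# initrd SSH is on for every node; set boot.initrd.network.enable = false on hosts without an encrypted root`, would prevent surprises. `"5-mainInterface"` references `node.defaultGateway6`, `node.ip6Address` and `node.ip4Address` unconditionally whenever `node ? mainInterface`, which presumably fails evaluation for a node that has an interface but not all four address attributes — worth confirming against the node definitions. The enclosing module continues past both ends of the hunk.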
@@ -113,7 +155,7 @@ in { logind.killUserProcesses = lib.mkDefault true; nginx = { - resolver.addresses = lib.mkDefault [ "[2620:fe::fe]" "[2620:fe::9]" "[2606:4700:4700::1111]" "1.1.1.1" "9.9.9.9" ]; + resolver.addresses = lib.mkDefault defaultResolvers; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; @@ -173,23 +215,4 @@ in { }; }; - users.mutableUsers = false; - users.users.root.openssh.authorizedKeys.keys = [ katja-pubkey ]; - users.users.katja = { - isNormalUser = true; - hashedPasswordFile = config.age.secrets.katjaPassword.path; - extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - openssh.authorizedKeys.keys = [ katja-pubkey ]; - }; - - home-manager.users.katja = { - home.language = { - "base" = "en_US.UTF-8"; - "time" = "de_DE.utf8"; - "address" = "de_DE.utf8"; - "monetary" = "de_DE.utf8"; - "paper" = "de_DE.utf8"; - }; - }; - }
diff --git a/nodes/briefkasten/default.nix b/nodes/briefkasten/default.nix @@ -4,7 +4,7 @@ sshPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8mi9ZKPdhn20g9gyxE7NYBq/vAKemW4lhaQlLw5QVc"; - interface = "brlan"; + mainInterface = "brlan"; ip4IsPrivate = true; ip4Address = "10.0.0.1"; @@ -59,22 +59,14 @@ # seems to make realtek ethernet faster? kernelParams = [ "pcie_aspm=off" ]; - initrd.systemd.enable = true; - initrd.systemd.strip = false; - - initrd.network.ssh = { - enable = true; - port = 22; - hostKeys = [ "/nix/persist/etc/ssh/ssh_host_ed25519_key" ]; - authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); - }; - + initrd.network.ssh.hostKeys = [ "/nix/persist/etc/ssh/ssh_host_ed25519_key" ]; }; nix.optimise.automatic = false; nix.gc.automatic = false; networking.domain = "home.ctu.cx"; + systemd.network.networks."5-mainInterface".enable = false; services = { email-notify.enable = true;
diff --git a/nodes/hector/default.nix b/nodes/hector/default.nix @@ -4,7 +4,7 @@ sshPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILONdCJED/Lmd215tO8KBkJSl1E9ZdMyC+syxSqmo7o"; - interface = "ens3"; + mainInterface = "ens3"; ip4IsPrivate = false; ip4Address = "194.59.205.194"; @@ -63,54 +63,6 @@ age.secrets.resticServerBriefkasten.file = secrets.allNodes.resticServer.briefkasten; age.secrets.resticServerWanderduene.file = secrets.allNodes.resticServer.wanderduene; - boot.initrd.network = { - enable = true; - ssh = { - enable = true; - port = 22; - hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ]; - authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); - }; - - postCommands = '' - ip link set dev ${node.interface} up - - ip addr add ${node.ip4Address}/${toString node.ip4PrefixLength} dev ${node.interface} - ip route add default via ${node.defaultGateway4} dev ${node.interface} onlink - - ip addr add ${node.ip6Address}/${toString node.ip6PrefixLength} dev ${node.interface} - ip route add default via ${node.defaultGateway6} dev ${node.interface} onlink - - echo 'cryptsetup-askpass' >> /root/.profile - ''; - }; - - networking = { - useNetworkd = true; - useDHCP = false; - - nftables.enable = true; - firewall.enable = true; - - nameservers = [ "8.8.8.8" "1.1.1.1" ]; - - defaultGateway.interface = node.interface; - defaultGateway.address = node.defaultGateway4; - - defaultGateway6.interface = node.interface; - defaultGateway6.address = node.defaultGateway6; - - interfaces.ens3.ipv4.addresses = [{ - address = node.ip4Address; - prefixLength = node.ip4PrefixLength; - }]; - - interfaces.ens3.ipv6.addresses = [{ - address = node.ip6Address; - prefixLength = node.ip6PrefixLength; - }]; - }; - services.syncthing.dataDir = "/home/katja/syncthing"; services.email-notify.enable = true;
diff --git a/nodes/seifenkiste/default.nix b/nodes/seifenkiste/default.nix @@ -16,6 +16,7 @@ ]; boot = { + #because of lanzaboote loader.systemd-boot.enable = lib.mkForce false; lanzaboote.enable = true; @@ -23,8 +24,7 @@ kernelPackages = pkgs.linuxPackages_latest; - plymouth.enable = true; - initrd.systemd.enable = true; + plymouth.enable = true; #silent boot consoleLogLevel = 0; @@ -32,8 +32,10 @@ initrd.verbose = false; }; + networking.useNetworkd = false; + nix.settings.experimental-features = [ "pipe-operator" ]; - nix.gc.automatic = lib.mkForce false; + nix.gc.automatic = lib.mkForce false; services.fprintd.enable = true; services.fwupd.enable = true;
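Review bot: The third hunk disables networkd but not the initrd SSH that the shared nixos module now turns on by default, so unless an override sits outside the hunk this laptop's initrd will embed `/etc/ssh/ssh_host_ed25519_key` and start a listener for every wheel key during early boot; for a host with a local console and lanzaboote, `boot.initrd.network.enable = false;` next to `networking.useNetworkd = false;` is the safer default. With `networking.useNetworkd = false` the shared `boot.initrd.systemd.network = lib.mkIf config.systemd.network.enable …` presumably yields no initrd network config, which would leave the listener unreachable rather than absent — hiding the exposure instead of removing it. The `#because of lanzaboote` comment in the first hunk reads better on the line it explains: `loader.systemd-boot.enable = lib.mkForce false; # lanzaboote replaces systemd-boot`.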
diff --git a/nodes/trabbi/default.nix b/nodes/trabbi/default.nix @@ -4,7 +4,7 @@ sshPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBwzDl1dHpDIZxFfRBLQyFn85RVTsg7OgO3Eahdn3FTJ"; - interface = "ens3"; + mainInterface = "ens3"; ip4IsPrivate = false; ip4Address = "94.16.104.148"; @@ -32,54 +32,6 @@ age.secrets.resticServerBriefkasten.file = secrets.allNodes.resticServer.briefkasten; age.secrets.resticServerWanderduene.file = secrets.allNodes.resticServer.wanderduene; - boot.initrd.network = { - enable = true; - ssh = { - enable = true; - port = 22; - hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ]; - authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); - }; - - postCommands = '' - ip link set dev ${node.interface} up - - ip addr add ${node.ip4Address}/${toString node.ip4PrefixLength} dev ${node.interface} - ip route add default via ${node.defaultGateway4} dev ${node.interface} onlink - - ip addr add ${node.ip6Address}/${toString node.ip6PrefixLength} dev ${node.interface} - ip route add default via ${node.defaultGateway6} dev ${node.interface} onlink - - echo 'cryptsetup-askpass' >> /root/.profile - ''; - }; - - networking = { - useNetworkd = true; - useDHCP = false; - - nftables.enable = true; - firewall.enable = true; - - nameservers = [ "8.8.8.8" "1.1.1.1" ]; - - defaultGateway.interface = node.interface; - defaultGateway.address = node.defaultGateway4; - - defaultGateway6.interface = node.interface; - defaultGateway6.address = node.defaultGateway6; - - interfaces.ens3.ipv4.addresses = [{ - address = node.ip4Address; - prefixLength = node.ip4PrefixLength; - }]; - - interfaces.ens3.ipv6.addresses = [{ - address = node.ip6Address; - prefixLength = node.ip6PrefixLength; - }]; - }; - services.email-notify.enable = true; system.stateVersion = "23.11";
diff --git a/nodes/wanderduene/default.nix b/nodes/wanderduene/default.nix @@ -4,7 +4,7 @@ sshPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8uAvUnwhg3pnCdaaoclWDKV275SyNSyrkJON+R5Boi"; - interface = "ens3"; + mainInterface = "ens3"; ip4IsPrivate = false; ip4Address = "194.36.145.49"; 
@@ -36,64 +36,15 @@ dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (dnsNix.combinators.host node.ip4Address node.ip6Address); age.secrets.wireguardPrivKey = { - file = secrets.wanderduene.wireguardPrivKey; + file = secrets.wanderduene.wireguardPrivKey; owner = "systemd-network"; group = "systemd-network"; }; boot.kernel.sysctl."net.ipv6.conf.all.proxy_ndp" = true; - boot.initrd.network = { - enable = true; - ssh = { - enable = true; - port = 22; - hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ]; - authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); - }; - - postCommands = '' - ip link set dev ${node.interface} up - - ip addr add ${node.ip4Address}/${toString node.ip4PrefixLength} dev ${node.interface} - ip route add default via ${node.defaultGateway4} dev ${node.interface} onlink - - ip addr add ${node.ip6Address}/${toString node.ip6PrefixLength} dev ${node.interface} - ip route add default via ${node.defaultGateway6} dev ${node.interface} onlink - - echo 'cryptsetup-askpass' >> /root/.profile - ''; - }; - - networking = { - useNetworkd = true; - useDHCP = false; - - nftables.enable = true; - firewall.enable = true; - firewall.allowedUDPPorts = [ 51820 ]; - - nameservers = [ "8.8.8.8" "1.1.1.1" ]; - - defaultGateway.interface = node.interface; - defaultGateway.address = node.defaultGateway4; - - defaultGateway6.interface = node.interface; - defaultGateway6.address = node.defaultGateway6; - - interfaces.ens3.ipv4.addresses = [{ - address = node.ip4Address; - prefixLength = node.ip4PrefixLength; - }]; - - interfaces.ens3.ipv6.addresses = [{ - address = node.ip6Address; - prefixLength = node.ip6PrefixLength; - }]; - }; + networking.firewall.allowedUDPPorts = [ config.systemd.network.netdevs."20-wg0".wireguardConfig.ListenPort ]; systemd.network = { - wait-online.enable = false; - config.networkConfig = { IPv6Forwarding = true; }; 
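Review bot: `networks."5-mainInterface".enable = true;` in the second hunk restates the value the shared module already gives via `lib.mkDefault true`, so it can go, or if it is meant to record that this node relies on the shared static addressing, a comment says that better: `# static addressing comes from ctucxConfig.nixos "5-mainInterface"`. Deriving `firewall.allowedUDPPorts` from `netdevs."20-wg0".wireguardConfig.ListenPort` is an improvement over the old literal, but that option defaults to null when unset and the netdev definition is outside this hunk, so a null would fail the port type check at evaluation — confirm `ListenPort` is set explicitly. The newly added `system.stateVersion = "23.05"` on an already-deployed host should match the release it was first installed with, since it pins stateful defaults; presumably it mirrors the home-manager `stateVersion` on the line below.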
@@ -117,12 +68,14 @@ }]; }; - networks."20-wg0" ={ - matchConfig.Name = "wg0"; + networks."5-mainInterface".enable = true; - routes = [{ + networks."20-wg0" = { + name = "wg0"; + routes = [{ Destination = "2a03:4000:4d:5e:acab::/112"; }]; + linkConfig.RequiredForOnline = false; }; }; @@ -134,6 +87,7 @@ }; }; + system.stateVersion = "23.05"; home-manager.users.katja.home.stateVersion = "23.05";