Cleanup omen
Signed-off-by: magic_rb <magic_rb@redalder.org>
parent
c45d848571
commit
d89deacd3e
@ -50,31 +50,15 @@ in {
|
|||
./users.nix
|
||||
./nixpkgs.nix
|
||||
./firewall.nix
|
||||
./microvm.nix
|
||||
./impermenance.nix
|
||||
./numen.nix
|
||||
../../../overlays/ifstate/module.nix
|
||||
# ./test-vm.nix
|
||||
|
||||
inputs.microvm.nixosModules.host
|
||||
inputs.notnft.nixosModules.default
|
||||
inputs.self.nixosModules.notnft
|
||||
inputs.self.nixosModules.microvm-extras-host
|
||||
inputs.impermenance.nixosModules.impermanence
|
||||
];
|
||||
|
||||
_module.args.nixinate = {
|
||||
host = secret.network.ips.omen.vpn or "";
|
||||
sshUser = "main";
|
||||
|
||||
buildOn = "local";
|
||||
substituteOnTarget = true;
|
||||
hermetic = false;
|
||||
nixOptions = [
|
||||
"--override-input secret path://$HOME/dotfiles/secret"
|
||||
];
|
||||
};
|
||||
|
||||
services.fwupd.enable = true;
|
||||
|
||||
services.syncthing = {
|
||||
|
@ -94,24 +78,6 @@ in {
|
|||
];
|
||||
|
||||
environment.systemPackages = [
|
||||
# (pkgs.man-pages.overrideAttrs (old: rec {
|
||||
# version = "6.05.01";
|
||||
# src = pkgs.fetchurl {
|
||||
# url = "mirror://kernel/linux/docs/man-pages/${old.pname}-${version}.tar.xz";
|
||||
# hash = "sha256-uWq2tEpojJHRtXLlL+zlGeHP0rtMM/5wFPw/0e8/nK4=";
|
||||
# };
|
||||
# nativeBuildInputs = with pkgs; [
|
||||
# git
|
||||
# (pkgs.callPackage inputs.nixpkgs-272363.legacyPackages.${pkgs.stdenv.system}.groff.override {})
|
||||
# ];
|
||||
# }))
|
||||
# (pkgs.man-pages-posix.overrideAttrs (old: rec {
|
||||
# version = "2021-02-14";
|
||||
# src = pkgs.fetchurl {
|
||||
# url = "mirror://kernel/linux/docs/man-pages/man-pages-posix/${old.pname}-${version}.tar.xz";
|
||||
# hash = "";
|
||||
# };
|
||||
# }))
|
||||
pkgs.man-pages-posix
|
||||
];
|
||||
documentation.dev.enable = true;
|
||||
|
@ -122,28 +88,6 @@ in {
|
|||
time.timeZone = "Europe/Amsterdam";
|
||||
system.stateVersion = "23.05";
|
||||
|
||||
security.pam.services.sshd.rules.session.pam_exec = let
|
||||
sudoLogin = pkgs.writeShellScript "sudologin" ''
|
||||
echo TESTING > /tmp/pamtest
|
||||
'';
|
||||
in {
|
||||
modulePath = "pam_exec.so";
|
||||
args = [(toString sudoLogin)];
|
||||
control = "optional";
|
||||
order = config.security.pam.services.sshd.rules.session.limits.order + 10;
|
||||
};
|
||||
|
||||
security.pam.services.sudo.rules.session.pam_exec = let
|
||||
sudoLogin = pkgs.writeShellScript "sudologin" ''
|
||||
echo TESTING > /tmp/pamtest
|
||||
'';
|
||||
in {
|
||||
modulePath = "pam_exec.so";
|
||||
args = [(toString sudoLogin)];
|
||||
control = "optional";
|
||||
order = config.security.pam.services.sudo.rules.session.limits.order + 10;
|
||||
};
|
||||
|
||||
virtualisation.podman.enable = true;
|
||||
|
||||
virtualisation.podman.defaultNetwork.settings.subnets = [
|
||||
|
|
|
@ -6,11 +6,15 @@
|
|||
...
|
||||
}: {
|
||||
networking.notnft.postStop = ''
|
||||
# ${lib.getExe' pkgs.podman "podman"} network reload -a
|
||||
if systemctl status podman ; then
|
||||
${lib.getExe' pkgs.podman "podman"} network reload -a
|
||||
fi
|
||||
'';
|
||||
|
||||
networking.notnft.postStart = ''
|
||||
# ${lib.getExe' pkgs.podman "podman"} network reload -a
|
||||
if systemctl status podman ; then
|
||||
${lib.getExe' pkgs.podman "podman"} network reload -a
|
||||
fi
|
||||
'';
|
||||
|
||||
networking.notnft.rules = let
|
||||
|
@ -33,7 +37,6 @@
|
|||
[(is.eq meta.oifname "uk3s0") (mangle meta.nftrace 1)]
|
||||
[(is.eq meta.iifname "uk3s0") (mangle meta.nftrace 1)];
|
||||
in
|
||||
# pkgs.writeText "nftables.json" (builtins.toJSON (with notnft.dsl; with payload; ruleset
|
||||
with notnft.dsl;
|
||||
with payload;
|
||||
ruleset {
|
||||
|
|
|
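Review bot: `if systemctl status podman ; then` in the `networking.notnft.postStop` and `networking.notnft.postStart` hooks uses `systemctl status` as a liveness test; its exit code does distinguish active from inactive, but it also dumps the unit's journal excerpt into the hook's output on every firewall restart and is not the documented way to query unit state. `if systemctl is-active --quiet podman ; then` is the usual form and keeps the hook output clean. Both hooks carry a byte-identical snippet, so a single `let` binding for the reload body reused by postStop and postStart would keep them from drifting apart. The rendering does not recover which of the shown lines are old and new, so this applies to whichever `if` is on the new side; the module's argument list opens before this hunk.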
@ -60,68 +60,6 @@ in {
|
|||
|
||||
hardware.tuxedo-keyboard.enable = true;
|
||||
|
||||
# specialisation.nvidia-sync.configuration = {
|
||||
# environment.variables.NIXOS_SPECIALIZATION = "nvidia-sync";
|
||||
# boot.loader.grub.enable = mkOverride 0 false;
|
||||
|
||||
# hardware.nvidia = {
|
||||
# powerManagement.enable = mkForce false;
|
||||
# powerManagement.finegrained = mkForce false;
|
||||
# prime.offload.enableOffloadCmd = mkForce false;
|
||||
# prime.offload.enable = mkForce false;
|
||||
# prime.sync.enable = true;
|
||||
# };
|
||||
# };
|
||||
|
||||
# specialisation.nouveau.configuration = {
|
||||
# environment.variables.NIXOS_SPECIALIZATION = "nouveau";
|
||||
# boot.loader.grub.enable = mkOverride 0 false;
|
||||
|
||||
# hardware.nvidia = mapAttrs (_: v: mkForce v) {
|
||||
# powerManagement.enable = false;
|
||||
# powerManagement.finegrained = false;
|
||||
# prime.offload.enableOffloadCmd = false;
|
||||
# prime.offload.enable = false;
|
||||
# nvidiaPersistenced = false;
|
||||
|
||||
# prime.reverseSync.enable = false;
|
||||
# };
|
||||
# services.xserver.videoDrivers = mkForce ["modesetting" "nouveau"];
|
||||
# };
|
||||
|
||||
# specialisation.no-nvidia.configuration = {
|
||||
# environment.variables.NIXOS_SPECIALIZATION = "no-nvidia";
|
||||
# boot.loader.grub.enable = mkOverride 0 false;
|
||||
|
||||
# hardware.nvidia = mapAttrs (_: v: mkForce v) {
|
||||
# powerManagement.enable = false;
|
||||
# powerManagement.finegrained = false;
|
||||
# prime.offload.enableOffloadCmd = false;
|
||||
# prime.offload.enable = false;
|
||||
# nvidiaPersistenced = false;
|
||||
|
||||
# prime.reverseSync.enable = false;
|
||||
# };
|
||||
# services.xserver.videoDrivers = mkForce ["modesetting"];
|
||||
|
||||
# boot.extraModprobeConfig = ''
|
||||
# blacklist nouveau
|
||||
# options nouveau modeset=0
|
||||
# '';
|
||||
|
||||
# services.udev.extraRules = ''
|
||||
# # Remove NVIDIA USB xHCI Host Controller devices, if present
|
||||
# ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{power/control}="auto", ATTR{remove}="1"
|
||||
# # Remove NVIDIA USB Type-C UCSI devices, if present
|
||||
# ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", ATTR{power/control}="auto", ATTR{remove}="1"
|
||||
# # Remove NVIDIA Audio devices, if present
|
||||
# ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{power/control}="auto", ATTR{remove}="1"
|
||||
# # Remove NVIDIA VGA/3D controller devices
|
||||
# ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x03[0-9]*", ATTR{power/control}="auto", ATTR{remove}="1"
|
||||
# '';
|
||||
# boot.blacklistedKernelModules = ["nouveau" "nvidia" "nvidia_drm" "nvidia_modeset"];
|
||||
# };
|
||||
|
||||
hardware.nvidia = {
|
||||
nvidiaPersistenced = true;
|
||||
|
||||
|
|
|
@ -108,8 +108,8 @@ in {
|
|||
serviceConfig.ExecStart = "/bin/sh ${rollbackStart}";
|
||||
};
|
||||
|
||||
systemd.services."mount-old-homes" = {
|
||||
description = "Mount old versions of home dataset";
|
||||
systemd.services."mount-old-datasets" = {
|
||||
description = "Mount old versions of datasets";
|
||||
|
||||
wantedBy = ["local-fs.target"];
|
||||
after = ["local-fs.target"];
|
||||
|
|
|
@ -1,138 +0,0 @@
|
|||
{
|
||||
pkgs,
|
||||
inputs',
|
||||
...
|
||||
}: {
|
||||
environment.systemPackages = [
|
||||
inputs'.microvm.packages.${pkgs.stdenv.system}.microvm
|
||||
];
|
||||
|
||||
services.ifstate = {
|
||||
enable = true;
|
||||
settings = {
|
||||
ignore.ifname = [
|
||||
"^wlan0$"
|
||||
"^mvm0$"
|
||||
"^wg0$"
|
||||
"^mvm-test$"
|
||||
"^lo$"
|
||||
];
|
||||
|
||||
interfaces = [
|
||||
{
|
||||
name = "test-veth1";
|
||||
link = {
|
||||
kind = "veth";
|
||||
peer = "test-veth0";
|
||||
peer_netns = "tenant1";
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
namespaces.tenant1.interfaces = [
|
||||
{
|
||||
name = "test-veth0";
|
||||
link = {
|
||||
kind = "veth";
|
||||
peer = "test-veth1";
|
||||
peer_netns = null;
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
systemd.network.netdevs."mvm0" = {
|
||||
netdevConfig = {
|
||||
Name = "mvm0";
|
||||
Kind = "bridge";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.network.networks."10-mvm0" = {
|
||||
matchConfig.Name = "mvm0";
|
||||
networkConfig.Address = "10.80.1.1/24";
|
||||
linkConfig.RequiredForOnline = "yes";
|
||||
};
|
||||
|
||||
systemd.network.networks."11-mvm-test" = {
|
||||
matchConfig.Name = "mvm-test";
|
||||
networkConfig.Bridge = "mvm0";
|
||||
linkConfig.RequiredForOnline = "no";
|
||||
};
|
||||
|
||||
microvm.services.tcpUdp.test-ssh = {
|
||||
hostName = "test";
|
||||
port = 22;
|
||||
protocol = ["tcp"];
|
||||
};
|
||||
|
||||
microvm.services.http.test = {
|
||||
hostName = "test";
|
||||
port = 80;
|
||||
};
|
||||
|
||||
microvm.services.icmp.test = {
|
||||
hostName = "test";
|
||||
};
|
||||
|
||||
microvm.connections.http = [
|
||||
{
|
||||
target = "test";
|
||||
}
|
||||
];
|
||||
microvm.connections.tcpUdp = [
|
||||
{
|
||||
target = "test-ssh";
|
||||
}
|
||||
];
|
||||
microvm.connections.icmp = [
|
||||
{
|
||||
target = "test";
|
||||
}
|
||||
];
|
||||
|
||||
microvm.vms = {
|
||||
test.config = {
|
||||
imports = [inputs'.self.nixosModules.microvm-extras];
|
||||
|
||||
microvm = {
|
||||
hostName = "test";
|
||||
hostsHostName = "omen";
|
||||
groupId = 1;
|
||||
taskId = 2;
|
||||
};
|
||||
|
||||
microvm.hypervisor = "cloud-hypervisor";
|
||||
microvm.shares = [
|
||||
{
|
||||
source = "/nix/store";
|
||||
mountPoint = "/nix/.ro-store";
|
||||
tag = "ro-store";
|
||||
proto = "virtiofs";
|
||||
}
|
||||
];
|
||||
microvm.storeOnDisk = false;
|
||||
|
||||
networking.firewall.allowedTCPPorts = [80 22];
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."example.com" = {
|
||||
root = "/var/www/blog";
|
||||
};
|
||||
};
|
||||
|
||||
users.users.root.password = "";
|
||||
services.getty.helpLine = ''
|
||||
Log in as "root" with an empty password.
|
||||
'';
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings.PermitRootLogin = "yes";
|
||||
};
|
||||
|
||||
system.stateVersion = "23.05";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -26,16 +26,6 @@ in {
|
|||
useDHCP = false;
|
||||
};
|
||||
|
||||
networking.notnft.rules = with notnft.dsl;
|
||||
with payload;
|
||||
ruleset {
|
||||
filter = add table {family = f: f.inet;} {
|
||||
trace =
|
||||
add chain
|
||||
[(is.eq ip.protocol (f: f.icmp)) (mangle meta.nftrace 1)];
|
||||
};
|
||||
};
|
||||
|
||||
services.networkd-dispatcher = {
|
||||
enable = true;
|
||||
rules.wlan-eth-switch = {
|
||||
|
|
|
@ -1,18 +0,0 @@
|
|||
{
|
||||
pkgs,
|
||||
inputs',
|
||||
...
|
||||
}: {
|
||||
services.udev.extraRules = ''
|
||||
KERNEL=="uinput", GROUP="input", MODE="0660", OPTIONS+="static_node=uinput"
|
||||
'';
|
||||
users.users.main = {
|
||||
extraGroups = [
|
||||
"input"
|
||||
];
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
inputs'.numen-nix.packages.${pkgs.stdenv.system}.default
|
||||
];
|
||||
}
|
|
@ -18,6 +18,6 @@
|
|||
home-manager.users.main = {
|
||||
imports = [(inputs'.self + "/home-manager/modules/profiles/workstation.nix")];
|
||||
|
||||
home.stateVersion = "21.05";
|
||||
home.stateVersion = "23.11";
|
||||
};
|
||||
}
|
||||
|
|
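Review bot: `home.stateVersion = "23.11";` raises a value that home-manager's option description asks to leave at the release of the first install; bumping it changes stateful defaults keyed on stateVersion rather than updating anything else, so the intent is worth recording at the line. If the bump is deliberate, a comment such as `# bumped from 21.05 on purpose after checking stateVersion-gated defaults in the release notes` prevents it being reverted as an accident. The enclosing `home-manager.users.main` set begins before this hunk.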