diff --git a/nixos/systems/omen/default.nix b/nixos/systems/omen/default.nix
index 000cdbb..0ece7c8 100644
--- a/nixos/systems/omen/default.nix
+++ b/nixos/systems/omen/default.nix
@@ -50,31 +50,15 @@ in { ./users.nix ./nixpkgs.nix ./firewall.nix - ./microvm.nix ./impermenance.nix - ./numen.nix ../../../overlays/ifstate/module.nix # ./test-vm.nix - inputs.microvm.nixosModules.host inputs.notnft.nixosModules.default inputs.self.nixosModules.notnft - inputs.self.nixosModules.microvm-extras-host inputs.impermenance.nixosModules.impermanence ]; - _module.args.nixinate = { - host = secret.network.ips.omen.vpn or ""; - sshUser = "main"; - - buildOn = "local"; - substituteOnTarget = true; - hermetic = false; - nixOptions = [ - "--override-input secret path://$HOME/dotfiles/secret" - ]; - }; - services.fwupd.enable = true; services.syncthing = {
@@ -94,24 +78,6 @@ in { ]; environment.systemPackages = [ - # (pkgs.man-pages.overrideAttrs (old: rec { - # version = "6.05.01"; - # src = pkgs.fetchurl { - # url = "mirror://kernel/linux/docs/man-pages/${old.pname}-${version}.tar.xz"; - # hash = "sha256-uWq2tEpojJHRtXLlL+zlGeHP0rtMM/5wFPw/0e8/nK4="; - # }; - # nativeBuildInputs = with pkgs; [ - # git - # (pkgs.callPackage inputs.nixpkgs-272363.legacyPackages.${pkgs.stdenv.system}.groff.override {}) - # ]; - # })) - # (pkgs.man-pages-posix.overrideAttrs (old: rec { - # version = "2021-02-14"; - # src = pkgs.fetchurl { - # url = "mirror://kernel/linux/docs/man-pages/man-pages-posix/${old.pname}-${version}.tar.xz"; - # hash = ""; - # }; - # })) pkgs.man-pages-posix ]; documentation.dev.enable = true;
@@ -122,28 +88,6 @@ in { time.timeZone = "Europe/Amsterdam"; system.stateVersion = "23.05"; - security.pam.services.sshd.rules.session.pam_exec = let - sudoLogin = pkgs.writeShellScript "sudologin" '' - echo TESTING > /tmp/pamtest - ''; - in { - modulePath = "pam_exec.so"; - args = [(toString sudoLogin)]; - control = "optional"; - order = config.security.pam.services.sshd.rules.session.limits.order + 10; - }; - - security.pam.services.sudo.rules.session.pam_exec = let - sudoLogin = pkgs.writeShellScript "sudologin" '' - echo TESTING > /tmp/pamtest - ''; - in { - modulePath = "pam_exec.so"; - args = [(toString sudoLogin)]; - control = "optional"; - order = config.security.pam.services.sudo.rules.session.limits.order + 10; - }; - virtualisation.podman.enable = true; virtualisation.podman.defaultNetwork.settings.subnets = [
diff --git a/nixos/systems/omen/firewall.nix b/nixos/systems/omen/firewall.nix
index 50bf317..989fdea 100644
--- a/nixos/systems/omen/firewall.nix
+++ b/nixos/systems/omen/firewall.nix
@@ -6,11 +6,15 @@ ... }: { networking.notnft.postStop = '' - # ${lib.getExe' pkgs.podman "podman"} network reload -a + if systemctl status podman ; then + ${lib.getExe' pkgs.podman "podman"} network reload -a + fi ''; networking.notnft.postStart = '' - # ${lib.getExe' pkgs.podman "podman"} network reload -a + if systemctl status podman ; then + ${lib.getExe' pkgs.podman "podman"} network reload -a + fi ''; networking.notnft.rules = let
@@ -33,7 +37,6 @@ [(is.eq meta.oifname "uk3s0") (mangle meta.nftrace 1)] [(is.eq meta.iifname "uk3s0") (mangle meta.nftrace 1)]; in - # pkgs.writeText "nftables.json" (builtins.toJSON (with notnft.dsl; with payload; ruleset with notnft.dsl; with payload; ruleset {
diff --git a/nixos/systems/omen/hardware.nix b/nixos/systems/omen/hardware.nix
index f7fb3fe..2295fa2 100644
--- a/nixos/systems/omen/hardware.nix
+++ b/nixos/systems/omen/hardware.nix
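Review bot: `if systemctl status podman ; then` is a weak guard for the `podman network reload -a` it wraps, in both the postStop and postStart hooks: `status` is a human-facing command that prints the unit's recent journal into the hook's output on every firewall restart, and its exit code only says whether that one unit is active. On NixOS the `podman` unit is presumably the socket-activated API service, so it can be inactive while CLI-started containers and their networks are up, in which case the new ruleset replaces podman's NAT/forward rules and the reload that would re-add them is skipped. If the intent is only to tolerate podman being absent at boot, a best-effort call expresses that directly: `${lib.getExe' pkgs.podman "podman"} network reload -a || true`; if a service check is really wanted, `systemctl is-active --quiet podman` is the documented form. The same four lines appear twice; hoisting them into a single `let` binding shared by both hooks would stop the two copies from drifting.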
@@ -60,68 +60,6 @@ in { hardware.tuxedo-keyboard.enable = true; - # specialisation.nvidia-sync.configuration = { - # environment.variables.NIXOS_SPECIALIZATION = "nvidia-sync"; - # boot.loader.grub.enable = mkOverride 0 false; - - # hardware.nvidia = { - # powerManagement.enable = mkForce false; - # powerManagement.finegrained = mkForce false; - # prime.offload.enableOffloadCmd = mkForce false; - # prime.offload.enable = mkForce false; - # prime.sync.enable = true; - # }; - # }; - - # specialisation.nouveau.configuration = { - # environment.variables.NIXOS_SPECIALIZATION = "nouveau"; - # boot.loader.grub.enable = mkOverride 0 false; - - # hardware.nvidia = mapAttrs (_: v: mkForce v) { - # powerManagement.enable = false; - # powerManagement.finegrained = false; - # prime.offload.enableOffloadCmd = false; - # prime.offload.enable = false; - # nvidiaPersistenced = false; - - # prime.reverseSync.enable = false; - # }; - # services.xserver.videoDrivers = mkForce ["modesetting" "nouveau"]; - # }; - - # specialisation.no-nvidia.configuration = { - # environment.variables.NIXOS_SPECIALIZATION = "no-nvidia"; - # boot.loader.grub.enable = mkOverride 0 false; - - # hardware.nvidia = mapAttrs (_: v: mkForce v) { - # powerManagement.enable = false; - # powerManagement.finegrained = false; - # prime.offload.enableOffloadCmd = false; - # prime.offload.enable = false; - # nvidiaPersistenced = false; - - # prime.reverseSync.enable = false; - # }; - # services.xserver.videoDrivers = mkForce ["modesetting"]; - - # boot.extraModprobeConfig = '' - # blacklist nouveau - # options nouveau modeset=0 - # ''; - - # services.udev.extraRules = '' - # # Remove NVIDIA USB xHCI Host Controller devices, if present - # ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{power/control}="auto", ATTR{remove}="1" - # # Remove NVIDIA USB Type-C UCSI devices, if present - # ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", 
ATTR{power/control}="auto", ATTR{remove}="1" - # # Remove NVIDIA Audio devices, if present - # ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{power/control}="auto", ATTR{remove}="1" - # # Remove NVIDIA VGA/3D controller devices - # ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x03[0-9]*", ATTR{power/control}="auto", ATTR{remove}="1" - # ''; - # boot.blacklistedKernelModules = ["nouveau" "nvidia" "nvidia_drm" "nvidia_modeset"]; - # }; - hardware.nvidia = { nvidiaPersistenced = true;
diff --git a/nixos/systems/omen/impermenance.nix b/nixos/systems/omen/impermenance.nix
index 1a2380c..64881a8 100644
--- a/nixos/systems/omen/impermenance.nix
+++ b/nixos/systems/omen/impermenance.nix
@@ -108,8 +108,8 @@ in { serviceConfig.ExecStart = "/bin/sh ${rollbackStart}"; }; - systemd.services."mount-old-homes" = { - description = "Mount old versions of home dataset"; + systemd.services."mount-old-datasets" = { + description = "Mount old versions of datasets"; wantedBy = ["local-fs.target"]; after = ["local-fs.target"];
diff --git a/nixos/systems/omen/microvm.nix b/nixos/systems/omen/microvm.nix
deleted file mode 100644
index 5ae1e43..0000000
--- a/nixos/systems/omen/microvm.nix
+++ /dev/null
@@ -1,138 +0,0 @@ -{ - pkgs, - inputs', - ... -}: { - environment.systemPackages = [ - inputs'.microvm.packages.${pkgs.stdenv.system}.microvm - ]; - - services.ifstate = { - enable = true; - settings = { - ignore.ifname = [ - "^wlan0$" - "^mvm0$" - "^wg0$" - "^mvm-test$" - "^lo$" - ]; - - interfaces = [ - { - name = "test-veth1"; - link = { - kind = "veth"; - peer = "test-veth0"; - peer_netns = "tenant1"; - }; - } - ]; - - namespaces.tenant1.interfaces = [ - { - name = "test-veth0"; - link = { - kind = "veth"; - peer = "test-veth1"; - peer_netns = null; - }; - } - ]; - }; - }; - - systemd.network.netdevs."mvm0" = { - netdevConfig = { - Name = "mvm0"; - Kind = "bridge"; - }; - }; - - systemd.network.networks."10-mvm0" = { - matchConfig.Name = "mvm0"; - networkConfig.Address = "10.80.1.1/24"; - linkConfig.RequiredForOnline = "yes"; - }; - - systemd.network.networks."11-mvm-test" = { - matchConfig.Name = "mvm-test"; - networkConfig.Bridge = "mvm0"; - linkConfig.RequiredForOnline = "no"; - }; - - microvm.services.tcpUdp.test-ssh = { - hostName = "test"; - port = 22; - protocol = ["tcp"]; - }; - - microvm.services.http.test = { - hostName = "test"; - port = 80; - }; - - microvm.services.icmp.test = { - hostName = "test"; - }; - - microvm.connections.http = [ - { - target = "test"; - } - ]; - microvm.connections.tcpUdp = [ - { - target = "test-ssh"; - } - ]; - microvm.connections.icmp = [ - { - target = "test"; - } - ]; - - microvm.vms = { - test.config = { - imports = [inputs'.self.nixosModules.microvm-extras]; - - microvm = { - hostName = "test"; - hostsHostName = "omen"; - groupId = 1; - taskId = 2; - }; - - microvm.hypervisor = "cloud-hypervisor"; - microvm.shares = [ - { - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - tag = "ro-store"; - proto = "virtiofs"; - } - ]; - microvm.storeOnDisk = false; - - networking.firewall.allowedTCPPorts = [80 22]; - - services.nginx = { - enable = true; - virtualHosts."example.com" = { - root = "/var/www/blog"; - }; - }; 
- - users.users.root.password = ""; - services.getty.helpLine = '' - Log in as "root" with an empty password. - ''; - services.openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - }; - - system.stateVersion = "23.05"; - }; - }; -}
diff --git a/nixos/systems/omen/networking.nix b/nixos/systems/omen/networking.nix
index dbf72bf..62d8937 100644
--- a/nixos/systems/omen/networking.nix
+++ b/nixos/systems/omen/networking.nix
@@ -26,16 +26,6 @@ in { useDHCP = false; }; - networking.notnft.rules = with notnft.dsl; - with payload; - ruleset { - filter = add table {family = f: f.inet;} { - trace = - add chain - [(is.eq ip.protocol (f: f.icmp)) (mangle meta.nftrace 1)]; - }; - }; - services.networkd-dispatcher = { enable = true; rules.wlan-eth-switch = {
diff --git a/nixos/systems/omen/numen.nix b/nixos/systems/omen/numen.nix
deleted file mode 100644
index 3853de7..0000000
--- a/nixos/systems/omen/numen.nix
+++ /dev/null
@@ -1,18 +0,0 @@ -{ - pkgs, - inputs', - ... -}: { - services.udev.extraRules = '' - KERNEL=="uinput", GROUP="input", MODE="0660", OPTIONS+="static_node=uinput" - ''; - users.users.main = { - extraGroups = [ - "input" - ]; - }; - - environment.systemPackages = [ - inputs'.numen-nix.packages.${pkgs.stdenv.system}.default - ]; -}
diff --git a/nixos/systems/omen/users.nix b/nixos/systems/omen/users.nix
index 3344ae5..ce6a409 100644
--- a/nixos/systems/omen/users.nix
+++ b/nixos/systems/omen/users.nix
@@ -18,6 +18,6 @@ home-manager.users.main = { imports = [(inputs'.self + "/home-manager/modules/profiles/workstation.nix")]; - home.stateVersion = "21.05"; + home.stateVersion = "23.11"; }; }
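Review bot: The `home.stateVersion` change from `"21.05"` to `"23.11"` in the users.nix hunk is not a dependency bump: home-manager reads this value to select defaults for options whose behaviour changed between releases, so this single line can alter what the imported `workstation.nix` profile does without any other diff. Nothing in the hunk records that the stateVersion-gated changes between those releases were checked; a comment next to it, `# bumped 21.05 -> 23.11 deliberately; stateVersion-gated release-note items reviewed`, would document the intent for the next reader. The enclosing `home-manager.users.main` attribute set opens at the hunk header and is closed by the `}; }` at the end of the hunk.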