mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

idk

Browse Source
This commit is contained in:
mjallen18
2025-08-21 15:39:24 -05:00
parent 1faa099900
commit 7e82df3df7
14 changed files with 768 additions and 346 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
modules/nixos/disko/aarch64-linux/default.nix
View File

@@ -2,23 +2,78 @@
config, config,
lib, lib,
system, system,
namespace,
... ...
}: }:
let let
cfg = config.${namespace}.hardware.disko;
isArm = builtins.match "aarch64*" system != null; isArm = builtins.match "aarch64*" system != null;
rootDisk = "/dev/nvme0n1"; rootDisk = "/dev/nvme0n1";
in
{ # BTRFS root partition configuration
config = lib.mkIf isArm { btrfsRoot = {
disko.devices = { name = "btrfs-root";
nodev."/" = { size = "100%";
fsType = "tmpfs"; content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
# Subvolumes must set a mountpoint in order to be mounted,
# unless their parent is mounted
subvolumes = {
"home" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/home";
};
"root" = {
mountOptions = [ mountOptions = [
"mode=755" "compress=zstd"
"defaults" "noatime"
"size=2G" ];
mountpoint = "/root";
};
"nix" = {
mountOptions = [
"compress=zstd"
"noatime"
];
mountpoint = "/nix";
};
"etc" = {
mountOptions = [
"compress=zstd"
"noatime"
];
mountpoint = "/etc";
};
"log" = {
mountOptions = [
"compress=zstd"
"noatime"
];
mountpoint = "/var/log";
};
};
};
};
# BCacheFS root partition configuration
bcachefsRoot = {
size = "100%";
content = {
type = "bcachefs";
# This refers to a filesystem in the `bcachefs_filesystems` attrset below.
filesystem = "mounted_subvolumes_in_multi";
label = "ssd.ssd1";
extraFormatArgs = [
"--discard"
]; ];
}; };
};
in
{
imports = [ ../options.nix ];
config = lib.mkIf (isArm && cfg.enable) {
disko.devices = {
# root disk setup # root disk setup
disk.main = { disk.main = {
type = "disk"; type = "disk";
@@ -58,23 +113,12 @@ in
}; };
}; };
root = { root = if cfg.filesystem == "btrfs" then btrfsRoot else bcachefsRoot;
size = "100%";
content = {
type = "bcachefs";
# This refers to a filesystem in the `bcachefs_filesystems` attrset below.
filesystem = "mounted_subvolumes_in_multi";
label = "ssd.ssd1";
extraFormatArgs = [
"--discard"
];
};
};
}; };
}; };
}; };
bcachefs_filesystems = { bcachefs_filesystems = lib.mkIf (cfg.filesystem == "bcachefs") {
mounted_subvolumes_in_multi = { mounted_subvolumes_in_multi = {
type = "bcachefs_filesystem"; type = "bcachefs_filesystem";
# passwordFile = "/etc/nixos/pool.jwe"; # passwordFile = "/etc/nixos/pool.jwe";

5
modules/nixos/disko/options.nix
View File

@@ -3,5 +3,10 @@ with lib;
{ {
options.${namespace}.hardware.disko = { options.${namespace}.hardware.disko = {
enable = mkEnableOption "enable disko"; enable = mkEnableOption "enable disko";
filesystem = mkOption {
type = types.enum [ "bcachefs" "btrfs" ];
default = "btrfs";
description = "Filesystem to use for the root partition";
};
}; };
} }

92
modules/nixos/disko/x86_64-linux/default.nix
View File

@@ -1,16 +1,80 @@
{ {
config,
lib, lib,
system, system,
namespace,
... ...
}: }:
let let
cfg = config.${namespace}.hardware.disko;
isArm = builtins.match "aarch64*" system != null; isArm = builtins.match "aarch64*" system != null;
rootDisk = "/dev/nvme0n1"; rootDisk = "/dev/nvme0n1";
# BTRFS root partition configuration
btrfsRoot = {
name = "btrfs-root";
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
# Subvolumes must set a mountpoint in order to be mounted,
# unless their parent is mounted
subvolumes = {
"home" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/home";
};
"root" = {
mountOptions = [
"compress=zstd"
"noatime"
];
mountpoint = "/root";
};
"nix" = {
mountOptions = [
"compress=zstd"
"noatime"
];
mountpoint = "/nix";
};
"etc" = {
mountOptions = [
"compress=zstd"
"noatime"
];
mountpoint = "/etc";
};
"log" = {
mountOptions = [
"compress=zstd"
"noatime"
];
mountpoint = "/var/log";
};
};
};
};
# BCacheFS root partition configuration
bcachefsRoot = {
size = "100%";
content = {
type = "bcachefs";
# This refers to a filesystem in the `bcachefs_filesystems` attrset below.
filesystem = "mounted_subvolumes_in_multi";
label = "ssd.ssd1";
extraFormatArgs = [
"--discard"
];
};
};
in in
{ {
imports = [ ../options.nix ]; imports = [ ../options.nix ];
config = lib.mkIf (!isArm) { config = lib.mkIf (!isArm && cfg.enable) {
disko.devices = { disko.devices = lib.mkMerge [
{
disk = { disk = {
main = { main = {
device = rootDisk; device = rootDisk;
@@ -30,24 +94,13 @@ in
}; };
}; };
root = { root = if cfg.filesystem == "btrfs" then btrfsRoot else bcachefsRoot;
size = "100%";
content = {
type = "bcachefs";
# This refers to a filesystem in the `bcachefs_filesystems` attrset below.
filesystem = "mounted_subvolumes_in_multi";
label = "ssd.ssd1";
extraFormatArgs = [
"--discard"
];
};
};
}; };
}; };
}; };
}; };
bcachefs_filesystems = { bcachefs_filesystems = lib.mkIf (cfg.filesystem == "bcachefs") {
mounted_subvolumes_in_multi = { mounted_subvolumes_in_multi = {
type = "bcachefs_filesystem"; type = "bcachefs_filesystem";
# passwordFile = "/etc/nixos/pool.jwe"; # passwordFile = "/etc/nixos/pool.jwe";
@@ -71,6 +124,15 @@ in
mountpoint = "/partition-root"; mountpoint = "/partition-root";
}; };
}; };
} (lib.mkIf (cfg.filesystem == "btrfs") {
nodev."/" = {
fsType = "tmpfs";
mountOptions = [
"mode=755"
"defaults"
"size=25%"
];
}; };
})];
}; };
} }

221
modules/nixos/impermanence/default.nix
View File

@@ -1,83 +1,22 @@
# { ... }:
# {
# # Set up impernance configuration for things like bluetooth
# # In this configuration with /etc and /var/log being persistent, only directories outside of that need to be done here. See hardware configuration for all mountpoints.
# environment.persistence."/nix/persist/system" = {
# hideMounts = true;
# directories = [
# "/var/lib/bluetooth"
# "/var/lib/iwd"
# "/var/lib/nixos"
# "/var/lib/libvirt"
# "/var/lib/waydroid"
# "/var/lib/systemd/coredump"
# "/etc/NetworkManager/system-connections"
# "/var/lib/tailscale"
# "/var/lib/homeassistant"
# "/var/lib/mosquitto"
# "/var/lib/music-assistant"
# "/var/lib/postgresql"
# "/var/lib/zigbee2mqtt"
# {
# directory = "/var/lib/colord";
# user = "colord";
# group = "colord";
# mode = "u=rwx,g=rx,o=";
# }
# {
# directory = "/etc/nix";
# user = "root";
# group = "root";
# mode = "u=rwx,g=rx,o=rx";
# }
# {
# directory = "/var/lib/private/authentik/media";
# user = "authentik";
# group = "authentik";
# mode = "u=rwx,g=,o=";
# }
# {
# directory = "/var/lib/private";
# mode = "u=rwx,g=rx,o=";
# }
# {
# directory = "/media/nas";
# user = "nas-apps";
# group = "jallen-nas";
# mode = "u=rwx,g=rx,o=rx";
# }
# {
# directory = "/var/lib/crowdsec";
# user = "crowdsec";
# group = "crowdsec";
# mode = "u=rwx,g=rwx,o=rx";
# }
# {
# directory = "/plugins-storage";
# user = "traefik";
# group = "traefik";
# mode = "u=rwx,g=rwx,o=rx";
# }
# ];
# files = [
# "/etc/machine-id"
# ];
# };
# security.sudo.extraConfig = ''
# # rollback results in sudo lectures after each reboot
# Defaults lecture = never
# '';
# }
{ {
config, config,
lib, lib,
... ...
}: }:
with lib; with lib;
let
cfg = config.mjallen.impermanence;
in
{ {
imports = [ ./options.nix ];
config = mkIf cfg.enable {
security.sudo.extraConfig = ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
system.activationScripts = { system.activationScripts = {
"var-lib-private-permissions" = { "var-lib-private-permissions" = {
deps = [ "createPersistentStorageDirs" ]; deps = [ "createPersistentStorageDirs" ];
@@ -87,6 +26,7 @@ with lib;
''; '';
}; };
}; };
boot.initrd.systemd.services.rootfs-cleanup = { boot.initrd.systemd.services.rootfs-cleanup = {
description = "Clean file system root"; description = "Clean file system root";
wantedBy = [ wantedBy = [
@@ -101,7 +41,7 @@ with lib;
unitConfig.DefaultDependencies = "no"; unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
script = script =
if config.fileSystems."/".fsType == "btrfs" then if (hasAttr "/" config.fileSystems) && (config.fileSystems."/".fsType == "btrfs") then
'' ''
# workaround for machines without working rtc battery # workaround for machines without working rtc battery
# The time may not yet be correctly set, so wait until it is # The time may not yet be correctly set, so wait until it is
@@ -131,7 +71,7 @@ with lib;
btrfs subvolume create /btrfs_tmp/root btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp umount /btrfs_tmp
'' ''
else else if (hasAttr "/" config.fileSystems) && (config.fileSystems."/".fsType == "bcachefs") then
'' ''
# workaround for machines without working rtc battery # workaround for machines without working rtc battery
# The time may not yet be correctly set, so wait until it is # The time may not yet be correctly set, so wait until it is
@@ -149,60 +89,103 @@ with lib;
done done
bcachefs subvolume create /root_tmp/root bcachefs subvolume create /root_tmp/root
''; ''
else
# For tmpfs or other filesystems, do nothing
"";
}; };
# assertions = [
# {
# assertion = hasAttr "/" config.fileSystems;
# message = "To use impermanence, you need to define a root volume";
# }
# { assertions = [
# assertion = {
# if hasAttr "/" config.fileSystems then assertion = hasAttr "/" config.fileSystems;
# config.fileSystems."/".fsType == "btrfs" || config.fileSystems."/".fsType == "bcachefs" message = "To use impermanence, you need to define a root volume";
# else }
# false;
# message = "rootfs must be btrfs or bcachefs";
# }
# { {
# assertion = assertion =
# if hasAttr "/" config.fileSystems then if hasAttr "/" config.fileSystems then
# any ( config.fileSystems."/".fsType == "btrfs" || config.fileSystems."/".fsType == "bcachefs" || config.fileSystems."/".fsType == "tmpfs"
# t: t == "subvol=root" || t == "subvol=/root" || t == "X-mount.subdir=root" else
# ) config.fileSystems."/".options false;
# else message = "rootfs must be btrfs, bcachefs, or tmpfs";
# false; }
# message = "rootfs must mount subvolume root";
# }
# {
# assertion = !config.boot.isContainer;
# message = "impermanence is not supported in containers";
# }
# ];
fileSystems."/persistent" = { {
neededForBoot = true; assertion =
}; if hasAttr "/" config.fileSystems && (config.fileSystems."/".fsType == "btrfs" || config.fileSystems."/".fsType == "bcachefs") then
environment.persistence."/persistent" = { any (
enable = true; t: t == "subvol=root" || t == "subvol=/root" || t == "X-mount.subdir=root"
) config.fileSystems."/".options
else
true;
message = "btrfs or bcachefs rootfs must mount subvolume root";
}
{
assertion = !config.boot.isContainer;
message = "impermanence is not supported in containers";
}
];
environment.persistence.${cfg.persistencePath} = {
hideMounts = true; hideMounts = true;
directories = [ directories = [
"/var/log" "/var/lib/bluetooth"
"/var/lib/iwd"
"/var/lib/nixos" "/var/lib/nixos"
"/var/cache" "/var/lib/libvirt"
"/var/lib/waydroid"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
"/var/lib/tailscale"
"/var/lib/homeassistant"
"/var/lib/mosquitto"
"/var/lib/music-assistant"
"/var/lib/postgresql"
"/var/lib/zigbee2mqtt"
{
directory = "/var/lib/colord";
user = "colord";
group = "colord";
mode = "u=rwx,g=rx,o=";
}
{
directory = "/etc/nix";
user = "root";
group = "root";
mode = "u=rwx,g=rx,o=rx";
}
{
directory = "/var/lib/private/authentik/media";
user = "authentik";
group = "authentik";
mode = "u=rwx,g=,o=";
}
{
directory = "/var/lib/private";
mode = "u=rwx,g=rx,o=";
}
{
directory = "/media/nas";
user = "nas-apps";
group = "jallen-nas";
mode = "u=rwx,g=rx,o=rx";
}
{
directory = "/var/lib/crowdsec";
user = "crowdsec";
group = "crowdsec";
mode = "u=rwx,g=rwx,o=rx";
}
{
directory = "/plugins-storage";
user = "traefik";
group = "traefik";
mode = "u=rwx,g=rwx,o=rx";
}
]; ];
files = [ files = [
"/etc/ssh/ssh_host_ecdsa_key" "/etc/machine-id"
"/etc/ssh/ssh_host_ecdsa_key.pub"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
]; ];
}; };
systemd.tmpfiles.rules = [ };
"d /persistent/var/cache 1777 root root 7d -"
];
} }

12
modules/nixos/impermanence/options.nix Normal file
View File

@@ -0,0 +1,12 @@
{ lib, namespace, ... }:
with lib;
{
options.${namespace}.impermanence = {
enable = mkEnableOption "enable impermanence";
persistencePath = mkOption {
type = types.str;
default = "/nix/persist/system";
description = "Path to the persistence directory";
};
};
}

194
modules/nixos/network/default.nix
View File

@@ -1,6 +1,7 @@
{ {
config, config,
lib, lib,
pkgs,
namespace, namespace,
... ...
}: }:
@@ -9,113 +10,45 @@ let
cfg = config.${namespace}.network; cfg = config.${namespace}.network;
in in
{ {
options.${namespace}.network = with types; { imports = [
hostName = lib.mkOption { ./options.nix
type = str; ];
default = "nixos";
description = "The hostname of the system.";
};
ipv4 = {
method = mkOption {
type = types.str;
default = "auto";
};
address = lib.mkOption {
type = types.str;
default = "10.0.1.1";
};
gateway = lib.mkOption {
type = types.str;
default = "10.0.1.1";
};
dns = lib.mkOption {
type = types.str;
default = "10.0.1.1";
};
};
};
config = { config = {
networking = { networking = {
hostName = lib.mkForce cfg.hostName; hostName = lib.mkForce cfg.hostName;
# Enable Network Manager # Use networkd if enabled
networkmanager = { useNetworkd = lib.mkIf cfg.useNetworkd true;
# Set default gateway and nameservers if in manual mode
defaultGateway = lib.mkIf (cfg.ipv4.method == "manual") {
address = cfg.ipv4.gateway;
interface = lib.mkIf (cfg.ipv4.interface != "") cfg.ipv4.interface;
};
nameservers = lib.mkIf (cfg.ipv4.method == "manual") [ cfg.ipv4.dns ];
# Set hostId if provided
hostId = lib.mkIf (cfg.hostId != "") cfg.hostId;
# Configure NAT if enabled
nat = lib.mkIf cfg.nat.enable {
enable = true; enable = true;
wifi.powersave = lib.mkDefault false; internalInterfaces = cfg.nat.internalInterfaces;
settings.connectivity.uri = lib.mkDefault "http://nmcheck.gnome.org/check_network_status.txt"; externalInterface = cfg.nat.externalInterface;
ensureProfiles = { enableIPv6 = cfg.nat.enableIPv6;
environmentFiles = [
config.sops.secrets.wifi.path
];
profiles = {
"Joey's Jungle 6G" = {
connection = {
id = "Joey's Jungle 6G";
type = "wifi";
};
ipv4 =
if (cfg.ipv4.method == "auto") then
{
method = "auto";
}
else
{
address1 = cfg.ipv4.address;
dns = cfg.ipv4.dns;
gateway = cfg.ipv4.gateway;
method = "manual";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
wifi = {
mode = "infrastructure";
ssid = "Joey's Jungle 6G";
};
wifi-security = {
key-mgmt = "sae";
psk = "$PSK";
};
}; };
"Joey's Jungle 5G" = { # Configure firewall
connection = {
id = "Joey's Jungle 5G";
type = "wifi";
};
ipv4 =
if (cfg.ipv4.method == "auto") then
{
method = "auto";
}
else
{
address1 = cfg.ipv4.address;
dns = cfg.ipv4.dns;
gateway = cfg.ipv4.gateway;
method = "manual";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
wifi = {
mode = "infrastructure";
ssid = "Joey's Jungle 5G";
};
wifi-security = {
key-mgmt = "sae";
psk = "$PSK";
};
};
};
};
};
firewall = { firewall = {
enable = cfg.firewall.enable;
allowPing = cfg.firewall.allowPing;
allowedTCPPorts = cfg.firewall.allowedTCPPorts;
allowedUDPPorts = cfg.firewall.allowedUDPPorts;
trustedInterfaces = cfg.firewall.trustedInterfaces;
# Default port ranges for KDE Connect
allowedTCPPortRanges = [ allowedTCPPortRanges = [
{ {
from = 1714; from = 1714;
@@ -123,7 +56,72 @@ in
} }
]; ];
allowedUDPPortRanges = config.networking.firewall.allowedTCPPortRanges; allowedUDPPortRanges = config.networking.firewall.allowedTCPPortRanges;
# Extra firewall commands
extraCommands = lib.mkIf (cfg.extraFirewallCommands != "") cfg.extraFirewallCommands;
}; };
# Configure iwd if enabled
wireless.iwd = lib.mkIf cfg.iwd.enable {
enable = true;
settings = cfg.iwd.settings;
};
# Configure NetworkManager
networkmanager = mkMerge [
# Disable NetworkManager when iwd is enabled
(mkIf cfg.iwd.enable {
enable = mkForce false;
wifi.backend = mkForce "iwd";
})
# Enable NetworkManager when wifi is enabled and iwd is disabled
(mkIf (cfg.wifi.enable && !cfg.iwd.enable) {
enable = true;
wifi.powersave = cfg.wifi.powersave;
settings.connectivity.uri = mkDefault "http://nmcheck.gnome.org/check_network_status.txt";
# Configure WiFi profiles if any are defined
ensureProfiles = mkIf (cfg.wifi.profiles != {}) {
environmentFiles = [
config.sops.secrets.wifi.path
];
profiles = mapAttrs
(name: profile: {
connection = {
id = name;
type = "wifi";
};
ipv4 =
if (cfg.ipv4.method == "auto") then
{
method = "auto";
}
else
{
address1 = cfg.ipv4.address;
dns = cfg.ipv4.dns;
gateway = cfg.ipv4.gateway;
method = "manual";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
wifi = {
mode = "infrastructure";
ssid = profile.ssid;
};
wifi-security = {
key-mgmt = profile.keyMgmt;
psk = profile.psk;
};
})
cfg.wifi.profiles;
};
})
];
}; };
}; };
} }

160
modules/nixos/network/options.nix Normal file
View File

@@ -0,0 +1,160 @@
{
lib,
namespace,
...
}:
with lib;
{
options.${namespace}.network = with types; {
hostName = lib.mkOption {
type = str;
default = "nixos";
description = "The hostname of the system.";
};
ipv4 = {
method = mkOption {
type = types.str;
default = "auto";
description = "Method for IPv4 configuration (auto or manual).";
};
address = lib.mkOption {
type = types.str;
default = "10.0.1.1/24";
description = "IPv4 address with subnet mask (e.g., 10.0.1.1/24).";
};
gateway = lib.mkOption {
type = types.str;
default = "10.0.1.1";
description = "IPv4 default gateway.";
};
interface = lib.mkOption {
type = types.str;
default = "";
description = "Interface for the default gateway (required when using networkd).";
};
dns = lib.mkOption {
type = types.str;
default = "10.0.1.1";
description = "IPv4 DNS server.";
};
};
useNetworkd = mkOption {
type = types.bool;
default = false;
description = "Whether to use systemd-networkd for networking.";
};
nat = {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to enable NAT.";
};
internalInterfaces = mkOption {
type = types.listOf types.str;
default = [];
description = "List of internal interfaces for NAT.";
};
externalInterface = mkOption {
type = types.str;
default = "";
description = "External interface for NAT.";
};
enableIPv6 = mkOption {
type = types.bool;
default = false;
description = "Whether to enable IPv6 NAT.";
};
};
firewall = {
enable = mkOption {
type = types.bool;
default = true;
description = "Whether to enable the firewall.";
};
allowPing = mkOption {
type = types.bool;
default = true;
description = "Whether to allow ICMP ping.";
};
allowedTCPPorts = mkOption {
type = types.listOf types.port;
default = [];
description = "List of allowed TCP ports.";
};
allowedUDPPorts = mkOption {
type = types.listOf types.port;
default = [];
description = "List of allowed UDP ports.";
};
trustedInterfaces = mkOption {
type = types.listOf types.str;
default = [];
description = "List of trusted interfaces.";
};
};
wifi = {
enable = mkOption {
type = types.bool;
default = true;
description = "Whether to enable WiFi configuration.";
};
powersave = mkOption {
type = types.bool;
default = false;
description = "Whether to enable WiFi power saving.";
};
profiles = mkOption {
type = types.attrsOf (types.submodule {
options = {
ssid = mkOption {
type = types.str;
description = "SSID of the WiFi network.";
};
psk = mkOption {
type = types.str;
default = "$PSK";
description = "PSK environment variable for the WiFi password.";
};
keyMgmt = mkOption {
type = types.str;
default = "sae";
description = "Key management type (e.g., sae, wpa-psk).";
};
};
});
default = {};
description = "WiFi network profiles.";
};
};
hostId = mkOption {
type = types.str;
default = "";
description = "Host ID for ZFS and other services.";
};
iwd = {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to enable iwd for wireless networking.";
};
settings = mkOption {
type = types.attrs;
default = {};
description = "Settings for iwd.";
};
};
extraFirewallCommands = mkOption {
type = types.str;
default = "";
description = "Extra commands for the firewall.";
};
};
}

24
systems/aarch64-linux/macbook-pro-nixos/default.nix
View File

@@ -15,7 +15,7 @@ in
imports = [ imports = [
./boot.nix ./boot.nix
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix # ./networking.nix - moved to modules/nixos/network
./services.nix ./services.nix
]; ];
@@ -58,6 +58,28 @@ in
}; };
network = { network = {
hostName = "macbook-pro-nixos"; hostName = "macbook-pro-nixos";
wifi.enable = false;
iwd = {
enable = true;
settings = {
General = {
EnableNetworkConfiguration = true;
};
Rank = {
BandModifier2_4GHz = 1.0;
BandModifier5GHz = 5.0;
BandModifier6GHz = 10.0;
};
Network = {
AutoConnect = true;
};
};
};
extraFirewallCommands = ''
iptables -I INPUT -m pkttype --pkt-type multicast -j ACCEPT
iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
iptables -I INPUT -p udp -m udp --match multiport --dports 1990,2021 -j ACCEPT
'';
}; };
}; };

22
systems/aarch64-linux/pi4/default.nix
View File

@@ -17,13 +17,31 @@ in
imports = [ imports = [
./adguard.nix ./adguard.nix
./boot.nix ./boot.nix
./networking.nix # ./networking.nix - moved to modules/nixos/network
./sops.nix ./sops.nix
]; ];
${namespace} = { ${namespace} = {
hardware.disko.enable = true; hardware.disko.enable = true;
network.hostName = "pi4"; network = {
hostName = "pi4";
ipv4 = {
method = "manual";
address = "10.0.1.2/24";
gateway = "10.0.1.1";
dns = "1.1.1.1";
};
firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
wifi = {
enable = true;
powersave = false;
};
};
}; };
# Configure nixpkgs # Configure nixpkgs

11
systems/aarch64-linux/pi5/default.nix
View File

@@ -17,7 +17,7 @@ in
{ {
imports = [ imports = [
./boot.nix ./boot.nix
./networking.nix # ./networking.nix - moved to modules/nixos/network
./services.nix ./services.nix
./sops.nix ./sops.nix
]; ];
@@ -27,6 +27,15 @@ in
desktop.hyprland.enable = false; desktop.hyprland.enable = false;
network = { network = {
hostName = "pi5"; hostName = "pi5";
ipv4 = {
method = "manual";
gateway = "10.0.1.1";
dns = "10.0.1.1";
};
firewall = {
enable = true;
allowPing = true;
};
}; };
}; };

13
systems/x86_64-linux/desktop/default.nix
View File

@@ -28,7 +28,7 @@ in
./configuration.nix ./configuration.nix
./filesystems.nix ./filesystems.nix
./hardware-configuration.nix ./hardware-configuration.nix
# ./networking.nix # ./networking.nix - moved to modules/nixos/network
./nix.nix ./nix.nix
./sops.nix ./sops.nix
@@ -38,10 +38,21 @@ in
]; ];
${namespace} = { ${namespace} = {
hardware.disko.enable = false;
bootloader.lanzaboote.enable = true; bootloader.lanzaboote.enable = true;
desktop.gnome.enable = true; desktop.gnome.enable = true;
network = { network = {
hostName = "matt-nixos"; hostName = "matt-nixos";
wifi = {
enable = true;
powersave = false;
profiles = {
"Joey's Jungle 6G" = {
ssid = "Joey's Jungle 6G";
keyMgmt = "sae";
};
};
};
}; };
user = { user = {
passwordFile = passwordFile; passwordFile = passwordFile;

63
systems/x86_64-linux/nas/default.nix
View File

@@ -17,7 +17,7 @@
./boot.nix ./boot.nix
./apps.nix ./apps.nix
./grafana.nix ./grafana.nix
./networking.nix # ./networking.nix - moved to modules/nixos/network
./ups.nix ./ups.nix
./users.nix ./users.nix
./samba.nix ./samba.nix
@@ -44,6 +44,67 @@
ipv4 = { ipv4 = {
address = "10.0.1.3/24"; address = "10.0.1.3/24";
method = "manual"; method = "manual";
gateway = "10.0.1.1";
interface = "wlp6s0";
};
useNetworkd = true;
hostId = "4b501480";
nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = "wlp6s0";
enableIPv6 = true;
};
firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = [
8008 # restic
9000 # authentik
2342 # grafana
51820 # wireguard
1025
1143
10200
10300
8127
9980 # onlyoffice
4000 # netbootxyz
4080 # netbootxyz
3000 # gitea
2222 # gitea ssh
3300
9898
6754 # lubelogger
2283 # immich
4444 # code-server
9012
8192
];
allowedUDPPorts = [
8008 # restic
9000 # authentik
2342 # grafana
51820 # wireguard
1025
1143
10200
10300
8127
9980 # onlyoffice
4000 # netbootxyz
4080 # netbootxyz
3000 # gitea
2222 # gitea ssh
3300
9898
6754 # lubelogger
2283 # immich
4444 # code-server
9012
8192
];
trustedInterfaces = [ "tailscale0" ];
}; };
}; };
user = { user = {

28
systems/x86_64-linux/nuc/default.nix
View File

@@ -6,7 +6,7 @@
{ {
imports = [ imports = [
./boot.nix ./boot.nix
./networking.nix # ./networking.nix - moved to modules/nixos/network
./users.nix ./users.nix
./sops.nix ./sops.nix
]; ];
@@ -18,7 +18,31 @@
${namespace} = { ${namespace} = {
services.home-assistant.enable = true; services.home-assistant.enable = true;
hardware.disko.enable = true; hardware.disko.enable = true;
network.hostName = "nuc-nixos"; network = {
hostName = "nuc-nixos";
useNetworkd = true;
ipv4 = {
method = "manual";
address = "10.0.1.4/24";
gateway = "10.0.1.1";
dns = "10.0.1.1";
};
wifi = {
enable = true;
profiles = {
"Joey's Jungle 6G" = {
ssid = "Joey's Jungle 6G";
keyMgmt = "sae";
};
};
};
firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = [ 8192 ];
allowedUDPPorts = [ 8192 ];
};
};
}; };
# Enable nix flakes and nix-command tools # Enable nix flakes and nix-command tools

17
systems/x86_64-linux/steamdeck/default.nix
View File

@@ -15,17 +15,30 @@
./boot.nix ./boot.nix
./configuration.nix ./configuration.nix
./jovian.nix ./jovian.nix
./networking.nix # ./networking.nix - moved to modules/nixos/network
./sops.nix ./sops.nix
]; ];
${namespace} = { ${namespace} = {
hardware.disko.enable = true; hardware.disko.enable = true;
impermanence.enable = true;
bootloader.lanzaboote.enable = true; bootloader.lanzaboote.enable = true;
desktop.gnome.enable = true; desktop.gnome.enable = true;
user = { user = {
name = "deck"; name = "deck";
}; };
network.hostName = "steamdeck"; network = {
hostName = "steamdeck";
wifi = {
enable = true;
powersave = false;
profiles = {
"Joey's Jungle 5G" = {
ssid = "Joey's Jungle 5G";
keyMgmt = "sae";
};
};
};
};
}; };
} }