From 9a37d9eb2fe1e3c800f37a41c646b0d81d8d662c Mon Sep 17 00:00:00 2001
From: materus
Date: Sun, 18 May 2025 15:47:12 +0200
Subject: [PATCH] Update
---
 flake.org | 2 +-
 nix/common-os.nix | 35 +++++++++-
 nix/common.nix | 16 +++-
 nix/default.nix | 5 +-
 nix/hosts/materusPC-private.nix | Bin 36 -> 355 bytes
 nix/hosts/materusPC.nix | 116 +++++++++++++++++++++++++++++++-
 nix/variables-private.nix | Bin 986 -> 1036 bytes
 private/materusPC-secrets.yaml | Bin 0 -> 2217 bytes
 8 files changed, 161 insertions(+), 13 deletions(-)
 create mode 100644 private/materusPC-secrets.yaml
diff --git a/flake.org b/flake.org
index d72aa8a..0a920e8 100644
--- a/flake.org
+++ b/flake.org
@@ -5,7 +5,7 @@
 #+OPTIONS: \n:t
 #+auto_tangle: t
-
+
 * Flakes
 ** Main Flake
 Flake of entire repo. [[./flake.nix][link]]
diff --git a/nix/common-os.nix b/nix/common-os.nix
index cd1067d..5b75eca 100644
--- a/nix/common-os.nix
+++ b/nix/common-os.nix
@@ -1,4 +1,35 @@
-{...}:
+# * Common OS
 {
-
+ mkkArg,
+ config,
+ ...
+}:
+{
+
+ imports = [
+ mkkArg.current.sops-nix.nixosModules.sops
+# * Config
+# ** Assertions
+ {
+ assertions = [
+ {
+ assertion = builtins.pathExists (config.konfig.vars.path.mkk + "/host/keys/ssh_host_ed25519_key");
+ message = "Not found host ed25519 key";
+ }
+ {
+ assertion = builtins.pathExists (config.konfig.vars.path.mkk + "/host/keys//ssh_host_rsa_key");
+ message = "Not found host RSA key";
+ }
+ ];
+ }
+# ** Variables
+ {
+ mkk.commonVariables = {
+ path = {
+ mkk = "/mkk";
+ };
+ };
+ }
+# * Common OS END
+ ];
 }
diff --git a/nix/common.nix b/nix/common.nix
index 9f0bb62..270176d 100644
--- a/nix/common.nix
+++ b/nix/common.nix
@@ -8,8 +8,8 @@
 }:
 {
 imports = [
- (if mkkArg.isDecrypted then ./variables-private.nix else {})
-# * NIX & NIXPKGS
+# * Config
+# ** NIX & NIXPKGS
 {
 nixpkgs.config = {
 allowUnfree = lib.mkDefault true;
@@ -172,7 +172,7 @@
 };
 }
-# * Assertions
+# ** Assertions
 {
 config.assertions = [
 {
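Review bot: The RSA assertion in nix/common-os.nix tests `config.konfig.vars.path.mkk + "/host/keys//ssh_host_rsa_key"` with a doubled slash, whereas the ed25519 assertion next to it and the `services.openssh.hostKeys` entry in nix/hosts/materusPC.nix use `/host/keys/ssh_host_rsa_key`; drop the extra slash so the path that is asserted is literally the one sshd is told to load. Both assertions also make evaluation depend on the host keys being present under `/mkk/host/keys` on the machine doing the evaluation, so building this configuration from another host will stop with these messages rather than with a missing-key error at activation; a short comment on the Assertions block saying that this is intended would spare the next reader the surprise. The `mkk.commonVariables` block that defines `path.mkk = "/mkk"` has no comment on what else is expected to land in it, which is worth one line since the value ends up as `konfig.vars`.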
@@ -186,9 +186,15 @@
 }
 ];
 }
-# * Args
+# ** Args
 {
+ imports = [
+ (if mkkArg.isDecrypted then ./variables-private.nix else {})
+ (if mkkArg.isOs then ./common-os.nix else {})
+ ];
 options.konfig = lib.mkOption { default = { }; };
+ options.mkk.commonVariables = lib.mkOption { default = { }; };
+
 config = {
 konfig = {
 unstable = mkkArg.unstable;
@@ -207,7 +213,7 @@
 arg = mkkArg;
 rootFlake = (builtins.getFlake mkkArg.configRootPath);
- vars = { };
+ vars = config.mkk.commonVariables;
 };
 _module.args.konfig = config.konfig;
 };
diff --git a/nix/default.nix b/nix/default.nix
index 747bc14..ee5f7f9 100644
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -46,10 +46,12 @@ in
 current = (if isStable then stable else unstable);
 isDecrypted = (isDecrypted (if isStable then stable else unstable).nixpkgs system);
 isStable = isStable;
+ isOs = true;
 } // extraArgs;
 };
 modules = [
+ ./common.nix
 ./hosts/${hostname}.nix
 (
 if
@@ -62,8 +64,7 @@ in
 else
 { }
 )
- ./common.nix
- ./common-os.nix
+
 ] ++ extraModules;
 };
diff --git a/nix/hosts/materusPC-private.nix b/nix/hosts/materusPC-private.nix
index d2a8f651bd028f5e5df9639e2444d6af0becc349..8092d47d59b0bd45462339976ab5e43f67f921a5 100644
GIT binary patch literal 355 zcmV-p0i6B-M@dveQdv+`0KUp;>)cSlbvkl6=vnhjCyQMi=1?ez)x}da8$27Hn0uEn z&a@E(WFy1$r8gs?yl>m{@LA?KYi5D2B+R(P#6mEKw}AUBq;9Swa)d zAp?o^Mj6bl@WGJ2B4RZJfpMs5FCL@EY$-E2ED-CcKpiVV{`SE)IKxv{f7xM4u_cHS z%4RY4_*X-eWbksxpGq`fIo}5ckP@6?xyfSC$7)t|M6K1x86Sh=T7ssZHX7N5#$%K4 z{Z8m|z&c)P2k&)XpjL-8H-7(s$u>Bcmqh>y#;zPn>RZOrj1ggWRms=mz7ww_PFV2i~KJG0aYLCrUcw(}eS0M-``ZU6uP
diff --git a/nix/hosts/materusPC.nix b/nix/hosts/materusPC.nix
index 11e1754..6a443f9 100644
--- a/nix/hosts/materusPC.nix
+++ b/nix/hosts/materusPC.nix
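Review bot: `options.mkk.commonVariables = lib.mkOption { default = { }; };` is declared without a `type`, so when more than one module defines it the module system falls back to its untyped merge, which for attribute sets is a shallow `//` as far as I recall; a second module setting `mkk.commonVariables.path.<something>` would then replace the whole `path` set that nix/common-os.nix defines instead of adding to it, and `konfig.vars` (now `config.mkk.commonVariables` in the -207 hunk) would silently lose `path.mkk`. Declaring `type = lib.types.attrsOf lib.types.anything;` on the option makes the merge per-attribute and turns a genuinely conflicting definition into an evaluation error instead of last-writer-wins. A one-line comment on the option saying that it is the source of `konfig.vars` and who is expected to populate it would also help, since neither name implies the other.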
@@ -9,19 +9,50 @@
 {
 imports = [
 # * CONFIG
-# ** Nix System Settings
+# ** General Settings
+# *** SOPS
+ {
+ sops.age.generateKey = false;
+ sops.gnupg.home = null;
+ sops.gnupg.sshKeyPaths = [ ];
+ sops.age.sshKeyPaths = [ (konfig.vars.path.mkk + "/host/keys/ssh_host_ed25519_key") ];
+ sops.defaultSopsFile = konfig.rootFlake + "/private/materusPC-secrets.yaml";
+ #sops.secrets."users/materus" = { neededForUsers = true; };
+ sops.secrets.wireguard = { };
+
+ services.openssh.hostKeys = [
+ {
+ bits = 4096;
+ path = konfig.vars.path.mkk + "/host/keys/ssh_host_rsa_key";
+ type = "rsa";
+ }
+ {
+ path = konfig.vars.path.mkk + "/host/keys/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ }
+# *** Nix System Settings
 {
 nixpkgs.hostPlatform = "x86_64-linux";
 system.copySystemConfiguration = false;
 system.stateVersion = "23.05";
 }
 # ** Network
+# *** Firewall & Others
 {
+ services = {
+ syncthing = {
+ enable = true;
+ user = "materus";
+ dataDir = "/home/materus";
+ };
+ };
+
 networking.hostName = "materusPC";
 networking.useDHCP = lib.mkDefault true;
 networking.wireless.iwd.enable = true;
- networking.networkmanager.enable = true;
- #networking.networkmanager.wifi.backend = "iwd";
+ networking.firewall.enable = true;
 networking.firewall = {
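Review bot: `sops.age.sshKeyPaths` and both `services.openssh.hostKeys` entries live under `konfig.vars.path.mkk` (`/mkk` per nix/common-os.nix), and sops-nix reads that ed25519 key during activation to decrypt `sops.secrets.wireguard`, which runs before the non-essential filesystems are mounted; if `/mkk` is a separate filesystem it therefore needs `fileSystems."/mkk".neededForBoot = true;`, something this hunk cannot show, so please confirm. Keeping the private host keys outside `/etc/ssh` is fine, but a comment on the SOPS block stating that the ed25519 host key doubles as the age decryption key (so rotating it means re-encrypting private/materusPC-secrets.yaml first) would record a dependency that is otherwise invisible. The commented-out `#sops.secrets."users/materus" = { neededForUsers = true; };` should be deleted or get a note on why it is kept.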
@@ -35,9 +66,85 @@
 ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${konfig.vars.wireguard.ports.materusPC} -j RETURN || true
 ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${konfig.vars.wireguard.ports.materusPC} -j RETURN || true
 '';
+
+ allowedTCPPorts = [
+ 24800
+ 5900
+ 5357
+ 4656
+ 8080
+ 9943
+ 9944
+ # Syncthing
+ 22000
+ config.services.syncthing.relay.statusPort
+ config.services.syncthing.relay.port
+ ];
+ allowedUDPPorts = [
+ (lib.strings.toInt konfig.vars.wireguard.ports.materusPC)
+ 24800
+ 5900
+ 3702
+ 4656
+ 6000
+ 9943
+ 9944
+ # Syncthing
+ 22000
+ 21027
+ # Zomboid
+ 17000
+ 17001
+ ];
 };
 }
+# *** NetworkManager {
+ sops.templates."networkmanager.env".content = ''
+ WIREGUARD_PRIVATEKEY="${config.sops.placeholder.wireguard}"
+ '';
+ networking.networkmanager.ensureProfiles.environmentFiles = [
+ config.sops.templates."networkmanager.env".path
+ ];
+ networking.networkmanager.enable = true;
+ #networking.networkmanager.wifi.backend = "iwd";
+
+ networking.networkmanager.settings = {
+ connectivity = {
+ uri = "http://nmcheck.gnome.org/check_network_status.txt";
+ };
+ };
+
+ networking.networkmanager.ensureProfiles.profiles = {
+ wg0 = {
+ connection = {
+ id = "wg0";
+ type = "wireguard";
+ interface-name = "wg0";
+ };
+ wireguard = {
+ private-key = "$WIREGUARD_PRIVATEKEY";
+ };
+ "wireguard-peer.${konfig.vars.wireguard.pubKeys.valkyrie}" = {
+ endpoint = "${konfig.vars.ip.valkyrie.ipv4}:${konfig.vars.wireguard.ports.valkyrie}";
+ allowed-ips = "${konfig.vars.wireguard.masks.general};";
+ persistent-keepalive = "20";
+ };
+ ipv4 = {
+ address1 = "${konfig.vars.wireguard.ip.materusPC}/23";
+ dns = "${konfig.vars.wireguard.ip.valkyrie};";
+ method = "manual";
+ never-default = "true";
+ };
+ ipv6 = {
+ addr-gen-mode = "stable-privacy";
+ method = "disabled";
+ };
+ proxy = { };
+ };
+ };
+ }
 # ** Hardware
 # *** Filesystems
 {
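Review bot: `allowedTCPPorts` opens `config.services.syncthing.relay.statusPort` and `config.services.syncthing.relay.port` although nothing in this change enables the relay (the -9 hunk only sets `services.syncthing.enable`), so two ports are allowed for a listener that does not exist; make them conditional, `] ++ lib.optionals config.services.syncthing.relay.enable [ config.services.syncthing.relay.statusPort config.services.syncthing.relay.port ]`, or drop them. The rest of the list (5900, 8080, 24800, 4656, 9943/9944, 6000 and the WS-Discovery pair 3702/5357) is opened on every interface, including the new `wg0` tunnel; if these are LAN-only desktop services, `networking.firewall.interfaces.<ifname>.allowedTCPPorts` keeps them off the tunnel and the uplink, and a short comment per port group (only Syncthing and Zomboid are labelled) would document why each is open. Feeding the WireGuard private key through `sops.templates` and `ensureProfiles.environmentFiles` keeps it out of the Nix store, which is the right shape for this.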
@@ -219,6 +326,9 @@ # *** Firmware & Others { + hardware.uinput.enable = true; + hardware.steam-hardware.enable = true; + hardware.firmware = with pkgs; [ konfig.nixerusPkgs.amdgpu-pro-libs.firmware.vcn konfig.nixerusPkgs.amdgpu-pro-libs.firmware diff --git a/nix/variables-private.nix b/nix/variables-private.nix index 95a556e2776af6f49360c5f5a56ac347b041085b..59020ececb2f6c71d22dd5943fad90f4b76363aa 100644 GIT binary patch literal 1036 zcmV+n1oQg$^q`O0Kz;&yK#+*LsO#Q2jSzQi7$zvpjYWG9=lnvrR|DZt} zO#O)b+yg!N7Sr!H)16Q6AC#uy)!Y$29Dir1Oj?Ja2$};QMoLkT34-0!>ymgl$C<(C z*-Tz+VI*Zdipz%nBWzA|>ZCua^!A{fOvlRVGTGE zsu3~2uyLVn5fibkGpL-Ohg#{=(9&kh zYZ&swSAHWfg+y)f)A8K^k#5^5poX+iG#4u(CID&~c%)c+?M@IWI?OI(duaWY62jOL zjD@-c%QTkpKcV?pU@e#;B5JV#pHM*ehX5ManjNQue~R{qaHS&-WOsxA11PKLJL}$- zB4Fd^L#`}8Y%rSmz>W0C*2!?v0!sfciZGs;Wm4Vg1N%Rt47{rNd^+za_P+4DEiCpq z4(5SCDG55+4;CM51m-mJapf%x#3mWd+-+-`9`K84@M*5yz1vNgNC&unpc>m?VfZJ( z{hl1!-FOz&K$8uV)I+Yo@Y66KAu6lQW@JQFi76&$&}8fxC)uFI7&GtH{rz$ zN~CO1D(y2NE>WyF!kg&h%mcZCKUc!{xcmaTi^}4FaZ3P^K!zFOz(Vrn2ETsoC`k?w zt`JZ}Rdo?jY!Y>o60NZ)`Pq3i+vi(vNRSiK)d{#`?DP6 zERi{w8i;Hv4-IQTDR*yR zd$7-dt=`ynX(Z7|C92ep$Wxm=u^JxEnq=A4=b)4{VkTq4J)oFtT`fn+s)7YU)HV?@@!*TJ0w?q&~0Vn$k>GW~9;qZqs~Y zT?IIu)~m*urjWSkHEMrECM8XTt@%L?W=<%l#=J3$@b!&1%rLaJ(u5GPD0)V{TRHSDr$4zVs+R(XAa9L7niL+eFNAA!^?B+cXpzEvQhEnx~({Lr|12y?UZ zxiSTlDz54HXJVHB%po;`MuZypg->gFfyGT4U?{{f%V;mSYy2rJ*?OT4z#zMT!xVxzV2JrQ6~qvDVANo>4-=8y zVpcroNJZ9F(#woaARq8jygl!oKOk~gm2m|MH7vj2cper`2@ZDna$L2uq&^Y4Gtwg~ zcd>$HVeiJ?&!<|7tfph^t<&Yny@~YLPNDpo(sPS_&z6-3!ZFd4n4nuLN<&}vt}ldU zidzRa@z2a$oY~e8thUwZyz!G=+eTp}Qw I0X`F8Dw3n+r2qf` 
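Review bot: `hardware.uinput.enable = true;` loads the uinput module and, through the udev rule that NixOS module ships, makes `/dev/uinput` accessible to the `uinput` group it creates (check the rule for the exact mode and whether seat users get it via uaccess); because that device lets a process synthesise arbitrary keyboard and mouse events, a one-line comment naming the consumer it is enabled for, presumably the Steam/VR setup implied by `hardware.steam-hardware.enable` on the next line, would record why the capability is wanted and which user is meant to hold it. If a specific user needs it, add that user to `uinput` explicitly rather than widening the device permissions.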
diff --git a/private/materusPC-secrets.yaml b/private/materusPC-secrets.yaml new file mode 100644 index 0000000000000000000000000000000000000000..b131fbfa969e098e7462dd073cc3c4380494dfeb GIT binary patch literal 2217 zcmV;a2v+w1M@dveQdv+`077g4qIh=dn^RfcqOjqTED1mQ=TiLG&QDZYTm|=7zAe}a zGFt@~QpdqBIRYNbrePMo;7YeGLT$I|_*_1qU zgyCfqRULfAX0%@VNvHZMp1Dwm%aT|3UOGP^Lp z{O22<;T0Ot4MxbiN3M%nQV>RLefsLk<*W)_?V=dTx5KQ@Fcycf8+AZLt_4sc%_daQ z-@$rw-I&Q6QeZl2hm8D24FSxcZ$B7_vAuS12Gqi?v^Mn{@}Jj;L+eMIqvGi8wB@eQ z#oz+<;$qtfT$7dyYkE66Va$MgjC-74Qfv3kuR05tk}MV+p1&E_;aGb2H|UW&XpHZB zLHVju_j#^Vc>`CUfim%lGw%&>Tb+WLv3Ux(Oz`{2mf)s8xDK3Eufb1i8>r7niREdWX3Hh@c__lWFMh;z~b2 zFz5}ys;Dizy|C&)p+tCBV!@J_Dz0!6;eii>dM4U(JHTmlS@k44NdXyx6Ol{xL$r9) z!LFUv2sT1P;n}VwIoTjuFLCptSGXq7(54pk-<94l@=!%Pj@K*Xw6+j?`jPP;n0a0V zTrci5$PKC%Cn1#IR1Mx-b7+-@j!+QXO zk4Kt55BlJ7CLef-WjE_@Go~VaSguFYhNRc3X+|}?t)hU8Fd-^=yA^4}cv~y#(i4== z)-W)lR6kwih{pb66>JX`LriDx)YrQ9FhdG9JC~+?hN6Umz!1}MrPL@%Fo@K6gIcem zBg1C^M5d#TK*me_P*zI*1~y!>Tp7)k5G|BT8GjuDVs`FDn9H4ur3lR|v08P58A~Vl z3Rl4VWUNW7%>h%L2N@WhY3%oQf$qp((;T_$CF4R`bl==U9Y@y9E3#+KR!ft3Q*T z;b`nu{}zieUx1!0n(p4i1Ay&R!dY5D)c=*Z;gf`NaHPBn+C+mOKE5eDVCXOLCQH&KS|>Q z)L}c7ImF-jtZRQ@5SBkB!B$sl5vthTLQ6*Mps(n{1PRU`T^Hu6jZa%#J zPO%ri(Ha*0(fHVJ?^E2{OeJb@huc$FNB(uocj8VW31Kv*GAHCGUAZ# z_NlH$teI$DEYOtHx4SsY55+19SjNTMbr-BMIX|7WO zlW4;@g}@*wl^w6937&^vX@OtQ6+ zqkj5VT97SXRdSmd{CqQ!uA_weI#X)Mx!!}Psiz@UZQ;X<9|@{4->4eh_1>+l5{7CUh*YWOu z=y^n?x$S3R2?r^@O54dS`!=gH3o7W?`>I43i*3}`iY3oL6L12F%?<+fXq{n;Nk$$7qG3 zZ28!=GxSTu^Nnb;cBCCGqvD+l6_O<3#Y^Rkkplr@=>$dK?kR&u ztE(P>v`-=$*NfdfOv09B1hqTGLMZEvnvcHC-fYk+l*$}21eP^l>Q63g8=k2Zz1#~h rWKcQ#%dLaS{O!;5>QdiJEMwxMeC7N0ZrnU~pEcyz5FaA*!cR7TtBXv) literal 0 HcmV?d00001