diff --git a/.sops.yaml b/.sops.yaml
index 72b2364..22a25c8 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -6,6 +6,7 @@ keys:
 - &framework age1w3nq2g9ctm43f43lyzfrznywqpqlrk6x9de2qy3sr05mm4yk4u3s05slw4
 - &vps-arm age14l4v7kmtpp49mgngftlqquqe2u0mpdnfvnmtgqzv5zlsxh8mpvdspk3mel
 - &mini age1hdv2nz7r5fv6glq7jac27uf864t2668a97ptx52q57yfg4jd7ypqkag7wd
+ - &nixos-vm age120fg86wv7vrcw6aeuunkzr7nerpwg8w0vu08xp8v8feqawtzqquq4763cw
 creation_rules:
 - path_regex: secrets.yaml$
 key_groups:
@@ -15,6 +16,7 @@ creation_rules:
 - *vps-arm
 - *framework
 - *mini
+ - *nixos-vm
 - path_regex: secrets-desktop.yaml$
 key_groups:
 - age:
diff --git a/configs/user.nix b/configs/user.nix
index a2737ae..766e4d2 100755
--- a/configs/user.nix
+++ b/configs/user.nix
@@ -106,30 +106,12 @@ in
 matchBlocks."szczepan.ski" = { hostname = "szczepan.ski"; };
 matchBlocks."mini" = { hostname = "mini"; };
- matchBlocks."thinkpad" = { hostname = "thinkpad"; };
- # matchBlocks."pi" = { hostname = "10.100.0.6"; };
- # matchBlocks."vps2" = { hostname = "10.100.0.50"; };
- # matchBlocks."vps3" = { hostname = "10.100.0.100"; };
- # matchBlocks."router" = {
- # hostname = "192.168.1.1";
- # user = "root";
- # localForwards = [{
- # bind.address = "127.0.0.1";
- # bind.port = 1337;
- # host.address = "127.0.0.1";
- # host.port = 80;
- # }];
- # };
+ matchBlocks."nixos-vm" = {
+ hostname = "127.0.0.1";
+ port = 1337;
+ };
- # matchBlocks."homeserver" = {
- # hostname = "192.168.0.100";
- # localForwards = [{
- # bind.address = "127.0.0.1";
- # bind.port = 8385;
- # host.address = "127.0.0.1";
- # host.port = 8384;
- # }];
- # };
+ matchBlocks."thinkpad" = { hostname = "thinkpad"; };
 };
 git = {
diff --git a/flake.nix b/flake.nix
index 189c9df..19fabcb 100644
--- a/flake.nix
+++ b/flake.nix
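Review bot: With `*nixos-vm` in the `secrets.yaml$` key group, the VirtualBox guest's identity can decrypt every secret in secrets.yaml, not only the `hashedPassword` that machine/nixos-virtualbox/configuration.nix in this commit declares, because a sops key group is all-or-nothing per file. If the other hosts' secrets are not meant to be readable from a VM whose disk can be snapshotted or copied, a separate file (say `secrets-vm.yaml` with its own `path_regex`) encrypted only to the keys that need it keeps the blast radius to the VM's own secrets. Since the recipient set only grew, re-wrapping the data key without rotating it (the unchanged `lastmodified` and `mac` in secrets.yaml are consistent with `sops updatekeys`) is fine; rotation is only needed when a recipient is removed. At minimum a note on the anchor, `# VirtualBox test VM - decrypts all of secrets.yaml, not just hashedPassword`, would make the grant explicit.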
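Review bot: The new `nixos-vm` block identifies the host only by `127.0.0.1` and port `1337`, so ssh stores its host key in known_hosts under `[127.0.0.1]:1337`; any other VM or forward later placed on that loopback port either silently matches that entry or produces a host-key-changed warning that is tempting to wipe. Adding `extraOptions = { HostKeyAlias = "nixos-vm"; };` to the block (home-manager has no dedicated option for this as far as I recall) ties the known_hosts entry to the logical host instead of the port. The enclosing `matchBlocks` attribute set starts before this hunk, so whether a `user` default applies cannot be seen here.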
@@ -121,11 +121,12 @@
 ];
 };
- nixos-libvirt = nixpkgs.lib.nixosSystem {
+ nixos-virtualbox = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = { inherit inputs outputs; };
 modules = [
- ./machine/nixos-libvirt/configuration.nix
+ sops-nix.nixosModules.sops
+ ./machine/nixos-virtualbox/configuration.nix
 ];
 };
 };
diff --git a/kernelpatches/fix-netfilter-6.11.4.patch b/kernelpatches/fix-netfilter-6.11.4.patch
deleted file mode 100644
index 9279808..0000000
--- a/kernelpatches/fix-netfilter-6.11.4.patch
+++ /dev/null
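Review bot: The flake output (and `networking.hostName` in the new configuration.nix) calls this machine `nixos-virtualbox`, while the .sops.yaml anchor and the ssh matchBlock added in the same commit call it `nixos-vm`, so whoever next runs `sops updatekeys` or `nixos-rebuild --flake .#nixos-virtualbox` has to know the three names are one host. Picking one spelling for all three, e.g. `&nixos-virtualbox` and `matchBlocks."nixos-virtualbox"`, avoids that. `sops-nix.nixosModules.sops` is added only to this host's module list; if the other `nixosSystem` entries above the hunk (not visible here) get it from a shared module, a short comment saying so would stop the next reader wondering why this host is special.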
@@ -1,42 +0,0 @@ -diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c -index d80abd6ccaf8f71fa70605fef7edada827a19ceb..6dcf4bc7e30b2ae364a1cd9ac8df954a90905c52 100644 ---- a/net/netfilter/xt_NFLOG.c -+++ b/net/netfilter/xt_NFLOG.c -@@ -79,7 +79,7 @@ static struct xt_target nflog_tg_reg[] __read_mostly = { - { - .name = "NFLOG", - .revision = 0, -- .family = NFPROTO_IPV4, -+ .family = NFPROTO_IPV6, - .checkentry = nflog_tg_check, - .destroy = nflog_tg_destroy, - .target = nflog_tg, -diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c -index f3fa4f11348cd8ad796ce94f012cd48aa7a9020f..2a029b4adbcadf95e493b153f613a210624a9101 100644 ---- a/net/netfilter/xt_TRACE.c -+++ b/net/netfilter/xt_TRACE.c -@@ -49,6 +49,7 @@ static struct xt_target trace_tg_reg[] __read_mostly = { - .target = trace_tg, - .checkentry = trace_tg_check, - .destroy = trace_tg_destroy, -+ .me = THIS_MODULE, - }, - #endif - }; -diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c -index f76fe04fc9a4e19f18ac323349ba6f22a00eafd7..65b965ca40ea7ea5d9feff381b433bf267a424c4 100644 ---- a/net/netfilter/xt_mark.c -+++ b/net/netfilter/xt_mark.c -@@ -62,7 +62,7 @@ static struct xt_target mark_tg_reg[] __read_mostly = { - { - .name = "MARK", - .revision = 2, -- .family = NFPROTO_IPV4, -+ .family = NFPROTO_IPV6, - .target = mark_tg, - .targetsize = sizeof(struct xt_mark_tginfo2), - .me = THIS_MODULE, - ---- -base-commit: 75aa74d52f43e75d0beb20572f98529071b700e5 -change-id: 20241018-xtables-typos-dfeadb8b122d diff --git a/machine/nixos-virtualbox/configuration.nix b/machine/nixos-virtualbox/configuration.nix new file mode 100755 index 0000000..b5abfa6 --- /dev/null +++ b/machine/nixos-virtualbox/configuration.nix 
@@ -0,0 +1,59 @@
+{ config, pkgs, lib, outputs, ... }:
+{
+ nixpkgs = {
+ config = {
+ allowUnfree = true;
+ };
+ };
+
+ imports = [
+ ./hardware-configuration.nix
+ ../../configs/common.nix
+ ../../configs/docker.nix
+# ../../configs/plasma-wayland.nix
+# ../../configs/user-gui.nix
+ ../../configs/user.nix
+ ];
+
+ sops = {
+ defaultSopsFile = ../../secrets.yaml;
+ validateSopsFiles = true;
+ age = {
+ sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+
+ secrets = {
+ hashedPassword = {
+ neededForUsers = true;
+ };
+ };
+ };
+
+ networking.hostName = "nixos-virtualbox"; # Define your hostname.
+ time.timeZone = "Europe/Berlin";
+
+ boot = {
+ loader = {
+ efi.canTouchEfiVariables = true;
+ grub = {
+ enable = true;
+ efiSupport = true;
+ device = "nodev";
+ };
+ };
+ supportedFilesystems = [ "btrfs" ];
+ };
+ networking.networkmanager.enable = true;
+ programs.nix-ld.enable = true;
+
+ # services = {
+ # k3s = {
+ # enable = true;
+ # role = "server";
+ # };
+ # };
+
+ system.stateVersion = "24.11";
+}
diff --git a/machine/nixos-virtualbox/hardware-configuration.nix b/machine/nixos-virtualbox/hardware-configuration.nix
new file mode 100644
index 0000000..ed8c0dc
--- /dev/null
+++ b/machine/nixos-virtualbox/hardware-configuration.nix
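Review bot: The `sops.age` block sets up two decryption identities, the ed25519 host key named in `sshKeyPaths` and a fresh key that `generateKey = true` writes to `/var/lib/sops-nix/key.txt` on first activation, but only one public key (`age120fg…`) was added to .sops.yaml in this commit, so whichever identity that recipient was not derived from can decrypt nothing and is just an extra private key on the VM disk. If the recipient came from the host key (the usual `ssh-to-age` flow), `keyFile` and `generateKey` can be dropped; if it came from the generated key, `sshKeyPaths` is the redundant one; either way a comment such as `# age120fg… in .sops.yaml is derived from the ed25519 host key` next to the block would record which one matters. Both identities live on `/`, and the `/persist` subvolume marked `neededForBoot` in hardware-configuration.nix looks like an impermanence layout; if common.nix (not visible here) resets `/` on boot, `/etc/ssh/ssh_host_ed25519_key` and `/var/lib/sops-nix` need to be persisted or `hashedPassword` will stop decrypting after the first reboot, which is worth confirming before relying on this VM.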
@@ -0,0 +1,69 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "ohci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { + device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964"; + fsType = "btrfs"; + options = [ "subvol=root" "compress=zstd" "noatime" ]; + }; + + fileSystems."/home" = + { + device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964"; + fsType = "btrfs"; + options = [ "subvol=home" "compress=zstd" "noatime" ]; + }; + + fileSystems."/nix" = + { + device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964"; + fsType = "btrfs"; + options = [ "subvol=nix" "compress=zstd" "noatime" ]; + }; + + fileSystems."/persist" = + { + device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964"; + fsType = "btrfs"; + options = [ "subvol=persist" "compress=zstd" "noatime" ]; + neededForBoot = true; + }; + + fileSystems."/var/log" = + { + device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964"; + fsType = "btrfs"; + options = [ "subvol=log" "compress=zstd" "noatime" ]; + neededForBoot = true; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/6F47-35E9"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
+ networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + virtualisation.virtualbox.guest.enable = true; +} diff --git a/secrets.yaml b/secrets.yaml index 9dd52d9..0864785 100644 --- a/secrets.yaml +++ b/secrets.yaml 
@@ -8,47 +8,56 @@ sops: - recipient: age1gjhlw6vkfers3f76yug3alwupe4jckjhg8ncr8kll5gj5g6wlqtqacqa73 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvcTFVblJnMklBeUJiVXlz - dzJTcDdQVkpNK1J0OEhYVkc2N3NaNGUvMjNzClVFVGN5S0tPSy9ob3cvaUhma2N4 - Nm0wT0RaOEdQajAwSnkvQTc2N1FRSzQKLS0tIHd6dUxzWE5XVUVwWm9CMWxTdHM4 - dXRuN045TFl0M1VwSWgwWGsxRXFVR0UKOTzo3qKjTsnWOsCKJy4gZyGjQjS7cFIE - kFdz0hRVkWrq/oenYt3xaEhf8H3bXURIhp8EnPSgo2Dr34c04AtaNw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHTk96eDJhSm1xU1JwTVVt + Um9sdHo5YzNQQkRHYVR6bnBKMFFWaGhXM3lRClZuRnRTNDZLdjM5bGp2ODVGdThm + OCtOSVMxcm90dHY0bFJTZzBINUkxek0KLS0tIERObldlbEVOQzhsQlNFQWdTc25v + cTQ1KzJtUlJmaXNucHFBb1hTU1UzOGsKvH/IyBCKA3zzW+fvASz7q0y0XPl+m/j8 + zolXT3V7Suj3QcZMhUbB4z9UdamO+nDTFmx4yio1IsaytzyHZRe9eg== -----END AGE ENCRYPTED FILE----- - recipient: age1m873zl0umr6huvs7ft98t7dg3wqx7skzgdrd6vjzeh8h6kkgdghsy5atvx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQVdTaDdoZTh1ei9LV1Ro - UDdhQk9CU0R4Z0o1SElNOXpLcjRHR2pmK0VFCmtQUTJFVzJhMnprSFp4TFh4T3Yz - Zkk0bGR1bUp4Q2hZcHFEVUhRdDVvblUKLS0tIGFDdjNCVlplVHFxSG4zNXFtQUND - Ri9iQU5SRU5oMGdob1FDSlFmVVczU28K06xJtBqffr7G3+4ctAFf5Eh5lSHQ91Zf - lxyW9aXij61Nqhdkeo2GVtxw6Q3/MGWgacmZ5bHPaYz76YQI1ku9ag== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdjI2VFk3aU9yNVFZYVpy + QkZMZE81RVc5R1pjZGdudXdEQUh3TlFDVXpVCjlGR1Y1SFNzNC9WRFU4cTJMUDUr + M2laQ0t6YW1FZ1MwM0t5UGo3TEtmY0UKLS0tIGk0bVlJNlRoUzFQWURoSHpkSms4 + SjFCb2RqQWpkZHNCT3lJZVUrR28xUjAKyz4RIevkYEzvruaHZQVoB1DNodryzAY4 + cg1KYwUEdeysqUdUcLEnLa9uXUVZrV7ORXGPLXf4+3OuqH470LXeow== -----END AGE ENCRYPTED FILE----- - recipient: age14l4v7kmtpp49mgngftlqquqe2u0mpdnfvnmtgqzv5zlsxh8mpvdspk3mel enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlamhTbU5FclNRVEVjL01m - QWRFTGI3ZHJGTUtSNjI3cFE2NjA0SEZ1QWgwCjZRTGg5NXlCS0hxc2JCeXBBSmZ2 - bHRhQjdFUE9ZM0JmaXZOVFAxMTk4Rk0KLS0tIFJtMHpnSTNqUkExQWpUT2wvR2kv - 
ZjNXem1KTDN1N0RZcHBpNklFVmpZNHcKb81FFkAZVz/vVCQJlqVBrJk+jdWG3inT - x+y8BDgZ/R/J0DhxdwbWzMxBT/Agb8I3It6ixlAQlOXcbS4lQE/1WA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldlpNR0M4cm5NMUY3VjNC + V2xxejlwQlNCeVhBMVVadHNNbFNtbDY0NmxrCmNoT2hZc1E3aW5tM3NzK0pLSVJI + eEZxYmlsQXVyVUtQdi9RYW5ScHNZbzgKLS0tIExoR2Z1a2pBYjZYQ0FrbjlLV3Bm + OVR2V09mM2FEcGFIVjhoUnNhY1kyeEEKMcSdgu1Y9PrdBktjZvXQGCJeJhKKtkH2 + VByVif04bW271JLB2QgjyTJOA73RJkOZuN7fcjqHYBNVoM/NdNkOpQ== -----END AGE ENCRYPTED FILE----- - recipient: age1w3nq2g9ctm43f43lyzfrznywqpqlrk6x9de2qy3sr05mm4yk4u3s05slw4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTnRHT1BuYjVoVllJMktR - RGMzMTBFQjRhSkMwOENZeHFJVHRxQnl5RkJZCndQRWVRWmkwYjVKT1Z2SWFnODFm - OStNRGlzSlpSaWtMNEkzbzc1ZHpZZ1EKLS0tIExQb3ZNNVl6SWVKSTVzYnJTd00v - Sjc2cWJjK3doYnBqV0cxV05ublU2ZEUKCv4pTu6qLc4EErYpucbKVV4jnRs/kl/6 - F2HgZdu+Fag2J8YqDTWJXntNKtEIfSeRy7X2BL9i98RIsqSBmMWchg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbTRZK2ZRRGVHZSthKytj + RXdlbCt3RWJNYkhJbmFwQUE1RFNqRm4rWUU0CmRoVktwVHgyTWhTb2VBa0ZJZm42 + Uldqb05qeko5dDg3RmhNSnFqMkduOTQKLS0tIHFRZDIybDNxOWgvV2xramVNMEpy + c1Q2d25YMk1HYjNJYUord1BTM01DQUUKZ3LK0ouB8xkI6veYb0C4wmtnBFKrFdYH + VTFpmrxFeP8961M9ohgK2u7z5zcL7YrIOsdqyA9Plu56/md4xn81kQ== -----END AGE ENCRYPTED FILE----- - recipient: age1hdv2nz7r5fv6glq7jac27uf864t2668a97ptx52q57yfg4jd7ypqkag7wd enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2WFFIUlFIWFptamxKd3NQ - Mk0yVnNwbXlTQ3FuUlRsWDFGdWhkTnlOc3dFClJpdlIyUHZzZTMrcXJUNngrOFo4 - TlVVYndGeHlRNFZPRXdPeE43em5PaGMKLS0tIFo4c3F4TWhJY21Xcm9EUHZxNkZX - RXBXbzJ4QVlMV0pVeHpiVXFYUU9KV2sKfXcnRRV2woD8j6Wc57vaE+jHQssiic5n - 62ob3gt7bPtZdDbTZqrZzwuiSp0NI4jTkmQyPG+E0Ehm3KX5BjXmOw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWS2FzZDZGbkFTbVA0UzV3 + TEZCKzlZOEJDM1pmU3ZoaUFhZTNiMXNvd3o4Cm1GRHgvVERRc2tYOGcrakRLeTVw + dDAyZ1VNZWt6bDQ4b2tKMk5oRzk2WW8KLS0tIEJnUjh4RjcvZTM1UW81NTB5Zmph + 
QnFpMXR6ZVhqamVZQ1M2aHFmQzVrNTQKuV6D+MfkcAkT8aopZ9JZsXeGJIavkoW/ + +rXWSLNwnWK84Fqiy1mu8KYId2g3dQjkn5GChpmzTB7tGGXMkIQ1Ow== + -----END AGE ENCRYPTED FILE----- + - recipient: age120fg86wv7vrcw6aeuunkzr7nerpwg8w0vu08xp8v8feqawtzqquq4763cw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ZG9XYXBxc2pUTi9KQ2dl + Z1BjUVpsdlhRQWFNdzNvdjExV0ViYUZYNkZrCm9CSkFRRUI5Nm83NGxCZjk4MzJi + S3YvcGEvaU9NUVBiZ2l3NmVqWmlEQlkKLS0tIFZzS0Z2MTllV3pueHBWUm1va3V5 + bTVOOXJ2UGQzSUJ3SHhwbzByS1RUQWcKg5A6CPu6PgF972SimG9jE8bURR1DIh5l + mI4d72mbUkkoWwetxkUNMFOA3JJvfM+BqsPdz/gm3snfdPDEhR8Zhg== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-08-31T15:55:06Z" mac: ENC[AES256_GCM,data:KQraWMxoXkcrEHCG6R+M31qRCGMwXekA9hIgyULXLaCjkHHJ1JRovgMD0ujTgZVseLipXBCXzH2RJvErNDhozXyrSEpzU0hBb50c0BCD3yaSPojTFCHDGIt/9qi4YHVnOHBP7jVxrFSGk84TNgMqO16dUNsMu6faEYX8CpkHoZM=,iv:ci/kWQCWuV98YdCtgKqQCOgsfAup/pG4smoWvFXRWX4=,tag:2ivvnVo0+ft3BIts3axMGw==,type:str]