BeiNacht/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

mini-2024-12-03-20-29-57

Browse Source
This commit is contained in:
Alexander Szczepanski
2024-12-03 20:29:57 +01:00
parent e57e5c4f13
commit db0bc6a35d
3 changed files with 70 additions and 159 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
configs/borg.nix Normal file
View File

@ -0,0 +1,44 @@
{config, ...}: {
sops = {
secrets = {
borg-key = {
owner = config.users.users.alex.name;
};
};
};
services = {
borgbackup.jobs.all = rec {
compression = "auto,zstd";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets.borg-key.path}";
};
extraCreateArgs = "--stats --verbose --checkpoint-interval=600 --exclude-caches";
extraPruneArgs = [
"--save-space"
"--stats"
];
extraCompactArgs = [
"--cleanup-commits"
];
environment = {
BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_ed25519";
BORG_BASE_DIR = "/persist/borg";
};
readWritePaths = ["/persist/borg"];
paths = ["/home/alex" "/persist"];
startAt = "daily";
prune.keep = {
daily = 7;
weekly = 4;
monthly = 6;
};
exclude = [
"/home/alex/mounted"
"/home/alex/.cache"
"/persist/borg"
];
};
};
}

4
configs/common-linux.nix
View File

@ -6,7 +6,7 @@
...
}: {
imports = [
../../configs/common.nix
./configs/common.nix
];
boot = {
@ -16,7 +16,7 @@
enable = true;
device = "nodev";
efiSupport = true;
configurationLimit = 5;
configurationLimit = 10;
enableCryptodisk = true;
useOSProber = true;
};

181
machine/mini/configuration.nix
View File

@ -7,31 +7,14 @@
}: {
imports = [
./hardware-configuration.nix
../../configs/borg.nix
../../configs/docker.nix
../../configs/common-linux.nix
../../configs/user.nix
];
sops = {
defaultSopsFile = ../../secrets/secrets.yaml;
validateSopsFiles = true;
age = {
sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
secrets = {
borg-key = {
sopsFile = ../../secrets/secrets-mini.yaml;
owner = config.users.users.alex.name;
group = config.users.users.alex.group;
};
hashedPassword = {
neededForUsers = true;
};
};
defaultSopsFile = ../../secrets-mini.yaml;
};
boot = {
@ -72,34 +55,6 @@
};
nftables.enable = true;
# wireguard.interfaces = {
# wg0 = {
# ips = [ "10.100.0.3/24" ];
# privateKey = secrets.wireguard-mini-private;
# postSetup = ''
# ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp3s0 -j MASQUERADE
# '';
# # This undoes the above command
# postShutdown = ''
# ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp3s0 -j MASQUERADE
# '';
# };
# };
# nat = {
# enable = true;
# enableIPv6 = true;
# # externalInterface = "enp3s0";
# # internalInterfaces = [ "tailscale0" ];
# };
# wireless = {
# enable = true;
# networks.Skynet.psk = secrets.wifipassword;
# interfaces = [ "wlp0s20u1u1" ];
# };
};
environment = {
@ -126,123 +81,14 @@
# openFirewall = true;
};
# hostapd = {
# enable = true;
# radios = {
# wlp0s20u1u2 = {
# # wifi4.enable = false;
# # wifi5.enable = false;
# # settings.ieee80211n = true; # otherwise enabled by wifi4.enable
# networks.wlp0s20u1u2 = {
# ssid = "Skynet-Tor";
# authentication.saePasswords = [
# { password = "REMOVED_OLD_PASSWORD_FROM_HISTORY"; }
# ];
# };
# };
# };
# };
# dnsmasq = {
# enable = true;
# extraConfig = ''
# interface=wlp0s20u1u2
# bind-interfaces
# dhcp-range=192.168.12.10,192.168.12.254,24h
# '';
# };
# kea.dhcp4 = {
# enable = true;
# # interfaces = [ "wlp0s20u1u2" ];
# settings = {
# interfaces-config = {
# interfaces = [
# "wlp0s20u1u2"
# ];
# };
# lease-database = {
# name = "/var/lib/kea/dhcp4.leases";
# persist = true;
# type = "memfile";
# };
# rebind-timer = 2000;
# renew-timer = 1000;
# subnet4 = [
# {
# pools = [
# {
# pool = "192.168.12.100 - 192.168.12.240";
# }
# ];
# subnet = "192.168.12.0/24";
# }
# ];
# valid-lifetime = 4000;
# };
# };
# haveged.enable = true;
# k3s = {
# enable = true;
# role = "server";
# };
# printing = {
# enable = true;
# drivers = [ pkgs.brlaser ];
# browsing = true;
# listenAddresses = [
# "*:631"
# ]; # Not 100% sure this is needed and you might want to restrict to the local network
# allowFrom = [
# "all"
# ]; # this gives access to anyone on the interface you might want to limit it see the official documentation
# defaultShared = true; # If you want
# };
# avahi = {
# enable = true;
# publish.enable = true;
# publish.userServices = true;
# };
tailscale = {
enable = true;
useRoutingFeatures = "both";
extraUpFlags = "--advertise-exit-node --login-server=https://headscale.szczepan.ski";
};
borgbackup.jobs.home = rec {
borgbackup.jobs.all = rec {
repo = "ssh://u278697-sub8@u278697.your-storagebox.de:23/./borg-backup-mini";
compression = "auto,zstd";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets.borg-key.path}";
};
extraCreateArgs = "--stats --verbose --checkpoint-interval=600 --exclude-caches";
extraPruneArgs = [
"--save-space"
"--stats"
];
extraCompactArgs = [
"--cleanup-commits"
];
environment = {
BORG_RSH = "ssh -i /home/alex/.ssh/id_ed55129";
BORG_BASE_DIR = "/persist/borg";
};
readWritePaths = ["/persist/borg"];
paths = ["/home/alex" "/persist"];
startAt = "daily";
prune.keep = {
daily = 7;
weekly = 4;
monthly = 6;
};
exclude = [
"/home/alex/mounted"
"/home/alex/.cache"
@ -251,6 +97,27 @@
};
};
virtualisation = {
libvirtd = {
enable = true;
qemu = {
package = pkgs.qemu_kvm;
swtpm.enable = true;
ovmf = {
enable = true;
packages = [
(pkgs.OVMF.override {
secureBoot = true;
tpmSupport = true;
})
.fd
];
};
};
};
spiceUSBRedirection.enable = true;
};
powerManagement = {
enable = true;
powertop.enable = true;