From 9f33f70d1216f95a9833574a5b935e19778487a8 Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Thu, 25 Jan 2024 11:31:05 +0100
Subject: [PATCH] burnham: init. defiant: add wireguard
---
 flake.nix | 18 ++++++++++++
 hosts/burnham/configuration.nix | 36 ++++++++++++++++++++++++
 hosts/burnham/hardware-configuration.nix | 30 ++++++++++++++++++++
 hosts/burnham/home.nix | 19 +++++++++++++
 hosts/defiant/configuration.nix | 5 +++-
 hosts/defiant/services/wireguard.nix | 35 +++++++++++++++++++++++
 6 files changed, 142 insertions(+), 1 deletion(-)
 create mode 100644 hosts/burnham/configuration.nix
 create mode 100644 hosts/burnham/hardware-configuration.nix
 create mode 100644 hosts/burnham/home.nix
 create mode 100644 hosts/defiant/services/wireguard.nix
diff --git a/flake.nix b/flake.nix
index e8f368b..a48e790 100644
--- a/flake.nix
+++ b/flake.nix
@@ -95,6 +95,24 @@
 }
 ];
 };
+ burnham = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = {
+ inherit inputs;
+ };
+ modules = [
+ # Overlays-module makes "pkgs.unstable" available in configuration.nix
+ ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+
+ ./hosts/burnham/configuration.nix
+ sops-nix.nixosModules.sops
+ home-manager.nixosModules.home-manager {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users."felixalb" = import ./hosts/burnham/home.nix;
+ }
+ ];
+ };
 redshirt = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = {
diff --git a/hosts/burnham/configuration.nix b/hosts/burnham/configuration.nix
new file mode 100644
index 0000000..8cc45d4
--- /dev/null
+++ b/hosts/burnham/configuration.nix
@@ -0,0 +1,36 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ../../base.nix
+ ../../common/metrics-exporters.nix
+ ./hardware-configuration.nix
+
+ # Infrastructure
+ # ./services/wireguard.nix
+
+ ];
+
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/sda";
+
+ networking = {
+ hostName = "burnham";
+ defaultGateway = "192.168.11.1";
+ interfaces.ens18.ipv4 = {
+ addresses = [
+ { address = "192.168.11.109"; prefixLength = 24; }
+ ];
+ };
+ hostId = "8e24f235";
+ };
+
+ # sops.defaultSopsFile = ../../secrets/burnham/burnham.yaml;
+
+ environment.variables = { EDITOR = "vim"; };
+
+ system.stateVersion = "23.11";
+}
+
diff --git a/hosts/burnham/hardware-configuration.nix b/hosts/burnham/hardware-configuration.nix
new file mode 100644
index 0000000..73b8273
--- /dev/null
+++ b/hosts/burnham/hardware-configuration.nix
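Review bot: The commented-out `# ./services/wireguard.nix` import in the imports list refers to a file this commit does not create (it is absent from the diffstat), while hosts/defiant/services/wireguard.nix in the same commit already lists Burnham as a peer at 10.100.0.2/32. A short comment would save the next reader a search, e.g. `# TODO: hosts/burnham/services/wireguard.nix does not exist yet; defiant already lists this host as peer 10.100.0.2`. The same applies to `# sops.defaultSopsFile`, which is left commented out even though flake.nix wires sops-nix.nixosModules.sops into this host, so a note on whether secrets are intentionally deferred would help.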
@@ -0,0 +1,30 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/31ff6d37-52d6-43c3-a214-5d38a6c38b0e";
+ fsType = "ext4";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/cce59ee7-7c83-4165-a9b0-f950cd2e3273"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/burnham/home.nix b/hosts/burnham/home.nix
new file mode 100644
index 0000000..84fa68e
--- /dev/null
+++ b/hosts/burnham/home.nix
@@ -0,0 +1,19 @@
+{ pkgs, lib, ... }:
+{
+ home.packages = with pkgs; [
+ bat
+ bottom
+ ncdu
+ neofetch
+ ];
+
+ imports = [
+ ./../../home/base.nix
+ ];
+
+ programs = {
+ zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+ };
+
+ home.stateVersion = "23.05";
+}
diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix
index dcd76ff..069d11b 100644
--- a/hosts/defiant/configuration.nix
+++ b/hosts/defiant/configuration.nix
@@ -6,12 +6,15 @@ ../../base.nix ../../common/metrics-exporters.nix ./hardware-configuration.nix - ./libvirt.nix + # Infrastructure + ./libvirt.nix ./services/nginx.nix ./services/pihole.nix ./services/postgresql.nix + ./services/wireguard.nix + # Services ./services/flame.nix ./services/gitea.nix ./services/hedgedoc.nix
diff --git a/hosts/defiant/services/wireguard.nix b/hosts/defiant/services/wireguard.nix
new file mode 100644
index 0000000..98448cd
--- /dev/null
+++ b/hosts/defiant/services/wireguard.nix
@@ -0,0 +1,35 @@
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.networking.wireguard.interfaces."wg0";
+in {
+ networking = {
+ nat = {
+ enable = true;
+ externalInterface = "enp3s0";
+ internalInterfaces = [ "wg0" ];
+ };
+ firewall.allowedUDPPorts = [ cfg.listenPort ];
+
+ wireguard.interfaces."wg0" = {
+ ips = [ "10.100.0.1/24" ];
+ listenPort = 51820;
+ privateKeyFile = "/etc/wireguard/defiant.private";
+
+ peers = [
+ { # Burnham
+ publicKey = "JcfyrMoZmnbibVLaIKuGSARAX2alFv4kwLbJaLBNbzo=";
+ allowedIPs = [
+ "10.100.0.2/32"
+ # "192.168.11.0/24"
+ ];
+ }
+ { # Sulu
+ publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
+ allowedIPs = [
+ "10.100.0.3/32"
+ ];
+ }
+ ];
+ };
+ };
+}
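Review bot: `privateKeyFile = "/etc/wireguard/defiant.private";` points at a path that nothing in this commit provisions, so on a fresh deploy the wg0 setup unit will fail until the key is placed by hand, and the file's ownership and mode (root, 0600) are not enforced declaratively. The flake already pulls in sops-nix for burnham; if defiant also loads it (its configuration.nix is only partly visible here), declaring the key under `sops.secrets` and setting `privateKeyFile = config.sops.secrets."<secret-name>".path;` would make the key's presence and permissions part of the build. Separately, `nat.enable = true` with `internalInterfaces = [ "wg0" ]` masquerades every peer's traffic out of enp3s0, giving both peers a route to whatever defiant can reach; the /32 allowedIPs keep source addresses bound to each peer, but if only host-to-host access is intended the NAT block is unnecessary, and a comment stating the intent (`# NAT: peers route to the LAN/Internet via defiant; keep wg0 out of trustedInterfaces so the firewall still applies`) would document that decision. The commented `# "192.168.11.0/24"` under Burnham reads as a planned site-to-site route; a TODO saying whether it is expected to land with burnham's own wireguard module would help.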