mlaga97/mlaga97-nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
mlaga97-nix/systems/bastion/configuration.nix
Lauren Lagarde a625ba6f41 Significantly improve bastion network configuration
2025-07-27 17:59:44 -05:00

287 lines
8 KiB
Nix
Raw Blame History

# WARNING: BUILT-IN ETHERNET HARDWARE IS BORKED!!!
# https://xcp-ng.org/docs/networking.html#intel-i218-i219-slow-speed
# https://serverfault.com/questions/581265/disable-tcp-checksum-offloading-on-kvm-virtual-network
{ pkgs, ... }: {
# System Info:
# - Model: Dell OptiPlex 7060 Micro
# - CPU: Intel Core i7-8700T (6C/12T, Passmark: 2301/10172)
# - RAM: 32GB
# - Storage:
# - PNY CS900 PNY244624111201023FB 1TB SATA SSD
# - Samsung 970 EVO Plus S58SNG0MA07159M 500GB NVMe SSD
# - WD MyBook 25EE 3145484E3348454E 8TB External HDD
imports = [
# Core Features
../../nixos/features/base.nix
../../nixos/features/tui-apps.nix
../../nixos/features/openssh-server.nix
# Core Tweaks
../../nixos/tweaks/zram.nix
../../nixos/tweaks/enable_flakes.nix
../../nixos/tweaks/disable_nixos_user.nix
../../nixos/tweaks/systemd-resolved_nonsense.nix
# Dotspace
../../secrets/dotspace.nix
../../secrets/dotspace_shares.nix
../../nixos/features/stronghold-binary-cache.nix
# Users
../../users/lauren_lagarde/lauren_lagarde.nix
../../users/ashley_funkhouser/ashley_funkhouser.nix
# Bastion Features
../../nixos/features/hardware/yubikey.nix
../../nixos/features/virtualization/dockge.nix
../../nixos/features/virtualization/docker.nix
../../nixos/features/virtualization/libvirt-host.nix
# Bastion Tweaks
../../nixos/tweaks/zfs.nix
../../nixos/tweaks/disable_firewall.nix
# Bastion IRL
../../nixos/features/gpu/intel.nix
../../nixos/tweaks/powersave.nix
../../nixos/features/frigate-mpv-cage.nix
];
##############################################################################
##############################################################################
##############################################################################
# Bootloader / Kernel
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub = {
enable = true;
zfsSupport = true;
efiSupport = true;
};
##############################################################################
##############################################################################
##############################################################################
# Local Filesystems
boot.loader.grub.mirroredBoots = [
{
devices = [ "nodev" ];
path = "/boot0";
}
{
devices = [ "nodev" ];
path = "/boot1";
}
];
fileSystems = {
"/" = {
device = "bastion-root/root";
fsType = "zfs";
};
"/boot0" = {
device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNG0MA07159M-part1";
fsType = "vfat";
options = [ "nofail" ];
};
"/boot1" = {
device = "/dev/disk/by-id/ata-PNY_CS900_1TB_SSD_PNY244624111201023FB-part1";
fsType = "vfat";
options = [ "nofail" ];
};
"/exports/Frigate" = {
device = "bastion-frigate";
fsType = "zfs";
};
"/exports/MyBook" = {
device = "MyBook/root";
fsType = "zfs";
options = [ "nofail" ];
};
};
##############################################################################
##############################################################################
##############################################################################
# Services
hardware.coral.pcie.enable = true;
services.apcupsd = {
enable = true;
configText = ''
UPSTYPE usb
NISIP 0.0.0.0
BATTERYLEVEL 5
MINUTES 3
'';
};
services.cron = {
enable = true;
mailto = "";
systemCronJobs = [
"* * * * * lauren_lagarde /home/lauren_lagarde/bin/PublishStats > /dev/null"
# Sync Restic from Archive to MyBook daily at 0600
"0 6 * * * root /home/lauren_lagarde/bin/SyncRestic > /dev/null"
# Copy footage from Frigate to MyBook and clear up space on both every 10 minutes
"*/10 * * * * root /home/lauren_lagarde/bin/MaintainFrigate > /dev/null"
# Grab a still photo from all cameras once per minute
"* * * * * root /home/lauren_lagarde/bin/GetAllCameraImages > /dev/null"
# TODO: Automatically Collate Camera Images Monthly
];
};
services.samba = {
enable = true;
openFirewall = true;
settings = {
Frigate = {
path = "/exports/Frigate";
comment = "NVR Local Storage";
writable = "yes";
browseable = "yes";
"force user" = "nobody";
"force group" = "users";
"create mask" = "775";
"force create mode" = "775";
"security mask" = "775";
"force security mode" = "775";
"directory mask" = "2775";
"force directory mode" = "2775";
"directory security mask" = "2775";
"force directory security mode" = "2775";
};
MyBook = {
path = "/exports/MyBook";
comment = "External Storage";
writable = "yes";
browseable = "yes";
"force user" = "nobody";
"force group" = "users";
"create mask" = "775";
"force create mode" = "775";
"security mask" = "775";
"force security mode" = "775";
"directory mask" = "2775";
"force directory mode" = "2775";
"directory security mask" = "2775";
"force directory security mode" = "2775";
};
};
};
##############################################################################
##############################################################################
##############################################################################
# Networking
networking.useNetworkd = true;
systemd.network = {
enable = true;
# Configure Physical Interfaces
links."10-usb0" = {
linkConfig.Name = "usb0";
matchConfig.PermanentMACAddress = "8c:ae:4c:dd:f7:aa"; # 2.5Gb USB NIC
};
# Declare VLAN Interfaces
netdevs."10-usb0-vlan-wan" = {
netdevConfig = {
Kind = "vlan";
Name = "usb0";
};
vlanConfig.Id = 288;
};
# Declare Bridge Interfaces
netdevs."10-br-lan".netdevConfig = {
Kind = "bridge";
Name = "br-lan";
MACAddress = "56:66:4b:dd:9b:0e";
};
netdevs."10-br-wan".netdevConfig = {
Kind = "bridge";
Name = "br-wan";
};
# Add Bridge Members
networks."20-eno0" = {
matchConfig.Name = "eno0";
networkConfig.Bridge = "br-lan";
linkConfig.RequiredForOnline = "enslaved";
};
networks."20-usb0" = {
matchConfig.Name = "usb0";
networkConfig = {
VLAN = [
"usb0-wan"
];
Bridge = "br-lan";
};
linkConfig.RequiredForOnline = "enslaved";
};
networks."20-usb0-wan" = {
matchConfig.Name = "usb0-wan";
networkConfig.Bridge = "br-wan";
};
# Actual Network Configs
networks."30-br-lan" = {
matchConfig.Name = "br-lan";
address = [ "192.168.2.51/24" ];
routes = [ { Gateway = "192.168.2.1"; } ];
networkConfig.IPv6AcceptRA = true;
linkConfig.RequiredForOnline = "routable";
};
networks."90-tinc" = {
matchConfig.Name = "tinc.dotspace";
address = [ "10.86.84.105/32" ];
routes = [ { Destination = "10.86.84.0/24"; } ];
};
};
services.tinc.networks.dotspace = {
name = "bastion";
ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv";
chroot = false;
settings.ConnectTo = [ "fortress" "citadel" ];
};
##############################################################################
##############################################################################
##############################################################################
# System Users
users.users = {
bastion = {
isNormalUser = true;
extraGroups = [ "wheel" ];
initialHashedPassword = "$y$j9T$WThHVbTQdHbv4mI0m4EjK/$LA.4Uf95jD/rJpLVf0kbfH0wFBj4FHCimV6xiDfLOD/";
};
dotspace = {
isNormalUser = true;
shell = pkgs.shadow;
initialHashedPassword = "$y$j9T$cH1b/0aafCTaHyWigarb70$bS6WFrbYV4xUZwVtqDCepydOhEol1DqmokBfkGmvRcA";
};
};
}
Reference in a new issue View git blame Copy permalink