From 92997820758a01ea7d8d09f012922d4b19de93d7 Mon Sep 17 00:00:00 2001 From: Jimbo Date: Wed, 6 Nov 2024 22:39:23 -0500 Subject: [PATCH] Fix firewall and add back leash while I figure out why disko is failing
--- flake.nix | 1 + hosts/firefly/boot/default.nix | 2 +- hosts/leash/boot/default.nix | 42 ++++++++ hosts/leash/default.nix | 15 +++ hosts/leash/disko/default.nix | 96 +++++++++++++++++++ hosts/leash/hardware/default.nix | 35 +++++++ hosts/leash/id_ed25519.pub | 1 + .../home/programs/terminal/ranger/default.nix | 3 +- modules/home/settings/gtk/default.nix | 1 + .../disks/impermanence/jimbo/default.nix | 2 +- .../devices/networking/firewall/default.nix | 13 ++- 11 files changed, 203 insertions(+), 8 deletions(-) create mode 100644 hosts/leash/boot/default.nix create mode 100644 hosts/leash/default.nix create mode 100644 hosts/leash/disko/default.nix create mode 100644 hosts/leash/hardware/default.nix create mode 100644 hosts/leash/id_ed25519.pub
diff --git a/flake.nix b/flake.nix
index a7b5a3c..339d62f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -81,6 +81,7 @@
 lacros = mkNix [ ./hosts/lacros ]; # Dell Chromebook
 redmond = mkNix [ ./hosts/redmond ]; # Lenovo Dual-Boot Laptop
 treefruit = mkNix [ ./hosts/treefruit ]; # Macbook Pro 14,1
+ leash = mkNix [ ./hosts/leash ]; # Portable Hard-Drive
 cyberspark = mkNix [ ./hosts/cyberspark ]; # Dell Optiplex 7010
 bomberman = mkNix [ ./hosts/bomberman ]; # Oracle ARM
diff --git a/hosts/firefly/boot/default.nix b/hosts/firefly/boot/default.nix
index 5aef54f..00431e1 100644
--- a/hosts/firefly/boot/default.nix
+++ b/hosts/firefly/boot/default.nix
@@ -57,7 +57,7 @@ in {
 };
 };
- # Additional entry to boot from the second GPU
+ # Use second GPU on boot
 specialisation.gputwo.configuration = {
 boot.kernelParams = commonKernelParams ++ [ "vfio-pci.ids=10de:2504,10de:228e" ];
 };
diff --git a/hosts/leash/boot/default.nix b/hosts/leash/boot/default.nix
new file mode 100644
index 0000000..678b7f6
--- /dev/null
+++ b/hosts/leash/boot/default.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, ... }:
+{
+ boot = {
+ kernelPackages = pkgs.unstable.linuxPackages_latest;
+ kernel.sysctl."vm.max_map_count" = 2147483642;
+ kernelParams = [
+ "nvidia_drm.fbdev=1"
+ "nouveau.config=NvGspRm=1"
+ ];
+
+ initrd.systemd = {
+ enable = true;
+ services.root-reset = {
+ description = "Reset root and snapshot last boot";
+ wantedBy = [ "initrd.target" ];
+ after = [ "dev-${config.networking.hostName}-root.device" ];
+ before = [ "sysroot.mount" ];
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig.Type = "oneshot";
+ script = ''
+ mkdir -p /mnt
+ mount /dev/${config.networking.hostName}/root /mnt
+
+ if [[ -e /mnt/prev ]]; then
+ btrfs subvolume delete /mnt/prev
+ fi
+
+ btrfs subvolume snapshot /mnt/root /mnt/prev
+
+ btrfs subvolume list -o /mnt/root | cut -f9 -d' ' | while read subvolume; do
+ btrfs subvolume delete "/mnt/$subvolume"
+ done
+
+ btrfs subvolume delete /mnt/root
+ btrfs subvolume create /mnt/root
+
+ umount /mnt
+ '';
+ };
+ };
+ };
+}
diff --git a/hosts/leash/default.nix b/hosts/leash/default.nix
new file mode 100644
index 0000000..8cea3ef
--- /dev/null
+++ b/hosts/leash/default.nix
@@ -0,0 +1,15 @@
+{ ... }:
+{
+ imports = [
+ ./boot
+ ./disko
+ ./hardware
+ ../../modules/system
+ ];
+
+ system.lanzaboote.enable = true;
+ system.wireguard.client.enable = false;
+ system.video.nvidia.enable = true;
+
+ networking.hostName = "leash";
+}
diff --git a/hosts/leash/disko/default.nix b/hosts/leash/disko/default.nix
new file mode 100644
index 0000000..714e3a9
--- /dev/null
+++ b/hosts/leash/disko/default.nix
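Review bot: The cleanup loop in root-reset's `script` truncates subvolume paths at the first space and lets a plain `read` mangle backslashes, because it pairs `cut -f9 -d' '` with `while read subvolume`; a child it fails to delete makes the following `btrfs subvolume delete /mnt/root` fail, so the wipe aborts before `umount /mnt`. `btrfs subvolume list -o /mnt/root | cut -f9- -d' ' | while IFS= read -r subvolume; do` keeps the whole path. As far as I recall `-o` lists only direct children, so subvolumes nested more than one level below root would still block the delete and would need a recursive pass; worth confirming on a test volume. If `/prev` is meant as a record of the previous boot, `btrfs subvolume snapshot -r /mnt/root /mnt/prev` would make that snapshot read-only so it cannot be altered afterwards.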
@@ -0,0 +1,96 @@
+{ disko, config, ... }:
+{
+ imports = [ disko.nixosModules.disko ];
+
+ disko.devices = {
+ disk = {
+ "${config.networking.hostName}" = {
+ type = "disk";
+ device = "/dev/sdi";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "2G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "${config.networking.hostName}-disk";
+ settings.allowDiscards = true;
+ passwordFile = "/tmp/secret.key";
+ content = {
+ type = "lvm_pv";
+ vg = "${config.networking.hostName}";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ lvm_vg = {
+ "${config.networking.hostName}" = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+ "/prev" = {
+ mountpoint = "/prev";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+
+ # Impermanence
+ "/persist" = {
+ mountpoint = "/persist";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+ "/persist/.snapshots" = { };
+
+ "/jimbo" = {
+ mountpoint = "/persist/home/jimbo";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+ "/jimbo/.snapshots" = { };
+ };
+ };
+ };
+ swap = {
+ size = "2G";
+ content = {
+ type = "swap";
+ discardPolicy = "both";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ # Needed for impermanence
+ fileSystems = {
+ "/persist".neededForBoot = true;
+ "/persist/home/jimbo".neededForBoot = true;
+ };
+}
diff --git a/hosts/leash/hardware/default.nix b/hosts/leash/hardware/default.nix
new file mode 100644
index 0000000..5aaaa62
--- /dev/null
+++ b/hosts/leash/hardware/default.nix
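Review bot: `device = "/dev/sdi";` is an enumeration-order name, and the flake hunk describes leash as a portable hard drive, so the letter will differ from machine to machine and disko's format step will run against whatever happens to be `sdi` on the host it is invoked from. A stable path such as `device = "/dev/disk/by-id/<leash-drive-id>";` (placeholder; take the real id from the install machine's `/dev/disk/by-id`) ties the destructive step to this one drive. `passwordFile = "/tmp/secret.key"` is read by disko's own format/mount scripts rather than by the booted system; a comment such as `# consumed by disko when formatting, not at boot` would spare the next reader a search for it at runtime.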
@@ -0,0 +1,35 @@
+{ config, lib, modulesPath, ... }:
+{
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "ahci"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ ];
+ kernelModules = [
+ "dm-snapshot"
+ "vfio"
+ "vfio_pci"
+ "vfio_iommu_type1"
+ "kvm-amd"
+ ];
+ };
+ };
+
+ fileSystems = {
+ # Remote
+ "/home/jimbo/JimboNFS" = {
+ device = "${config.ips.wgSpan}.1:/export/JimboNFS";
+ fsType = "nfs4";
+ options = [ "x-systemd.automount" "_netdev" "nofail" "noauto" ];
+ };
+ };
+
+ networking.useDHCP = lib.mkDefault true;
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/leash/id_ed25519.pub b/hosts/leash/id_ed25519.pub
new file mode 100644
index 0000000..e36a85d
--- /dev/null
+++ b/hosts/leash/id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2lMkUd+BbXITE5LTg94hEzmA6UKsIIbaf5YOjGoLzl
diff --git a/modules/home/programs/terminal/ranger/default.nix b/modules/home/programs/terminal/ranger/default.nix
index dc88d22..3ab4e45 100644
--- a/modules/home/programs/terminal/ranger/default.nix
+++ b/modules/home/programs/terminal/ranger/default.nix
@@ -105,7 +105,8 @@
 ".local/share/ranger/bookmarks".text = ''
 # Local files
 h:/home/jimbo/
- k:/home/jimbo/Downloads
+ k:/home/jimbo/Keepers
+ j:/home/jimbo/Downloads
 v:/home/jimbo/Videos
 c:/home/jimbo/.config
 l:/home/jimbo/.local
diff --git a/modules/home/settings/gtk/default.nix b/modules/home/settings/gtk/default.nix
index 4bff99e..9fe0937 100644
--- a/modules/home/settings/gtk/default.nix
+++ b/modules/home/settings/gtk/default.nix
@@ -32,6 +32,7 @@
 gtk3 = {
 bookmarks = [
+ "file:///home/jimbo/Keepers"
 "file:///home/jimbo/Downloads"
 "file:///home/jimbo/Documents"
 "file:///home/jimbo/Videos"
diff --git a/modules/system/devices/disks/impermanence/jimbo/default.nix b/modules/system/devices/disks/impermanence/jimbo/default.nix
index 04efb35..a399812 100644
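Review bot: `boot.initrd.kernelModules` force-loads `kvm-amd`, `vfio`, `vfio_pci` and `vfio_iommu_type1`, and `hardware.cpu.amd.updateMicrocode` is set, yet the flake hunk describes leash as a portable drive, so this hardware file assumes every machine it boots on is an AMD host with a device to pass through. If the drive is meant to move between machines, the vfio and kvm modules fit better in `boot.kernelModules` (or in `availableKernelModules`) where a module that does not apply to the host is off the boot-critical path, and Intel hosts would want `hardware.cpu.intel.updateMicrocode` alongside the AMD line; if leash is in fact tied to one machine, a one-line comment saying so would make the AMD-specific lines read as intentional. `modulesPath` in the argument list is unused and can be dropped.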
--- a/modules/system/devices/disks/impermanence/jimbo/default.nix
+++ b/modules/system/devices/disks/impermanence/jimbo/default.nix
@@ -4,7 +4,7 @@
 hideMounts = true;
 users.jimbo = {
 directories = [
- "Downloads"
+ "Keepers"
 "Documents"
 "Pictures"
 "Videos"
diff --git a/modules/system/devices/networking/firewall/default.nix b/modules/system/devices/networking/firewall/default.nix
index 272f098..567c539 100644
--- a/modules/system/devices/networking/firewall/default.nix
+++ b/modules/system/devices/networking/firewall/default.nix
@@ -14,11 +14,14 @@
 networking = {
 firewall = {
 allowPing = false;
- extraInputRules = lib.mkIf (!config.system.firewall.server.enable) ''
- ip saddr { ${config.ips.server}, ${config.ips.wgSpan}.1 } accept comment "Accept Server"
- '' // lib.mkIf config.system.firewall.server.enable ''
- ip saddr { ${config.ips.localSpan}.0/24, ${config.ips.wgSpan}.0/24 } tcp dport 2049 accept comment "Accept NFS"
- ip saddr { ${config.ips.pc}, ${config.secrets.lunaIP}, ${config.secrets.cornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
+ extraInputRules = ''
+ ${lib.optionalString (!config.system.firewall.server.enable) ''
+ ip saddr { ${config.ips.server}, ${config.ips.wgSpan}.1 } accept comment "Accept Server"
+ ''}
+ ${lib.optionalString config.system.firewall.server.enable ''
+ ip saddr { ${config.ips.localSpan}.0/24, ${config.ips.wgSpan}.0/24 } tcp dport 2049 accept comment "Accept NFS"
+ ip saddr { ${config.ips.pc}, ${config.secrets.lunaIP}, ${config.secrets.cornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
+ ''}
 '';
 };
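Review bot: Replacing `"Downloads"` with `"Keepers"` in the persisted directories means Downloads is no longer bind-mounted from `/persist`, so on hosts that reset their root subvolume at boot its contents are discarded on every reboot, while the existing `/persist/home/jimbo/Downloads` data stays on disk unreferenced. The ranger and gtk bookmark hunks suggest this is the intent, but nothing in the commit message or this file says so; a comment on the new line, e.g. `"Keepers" # Downloads is deliberately ephemeral; long-lived files go here`, would record it, and the leftover persisted directory can then be moved or removed by hand.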