# SPDX-FileCopyrightText: 2024 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
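{ depot, lib, pkgs, config, ... }:
# NixOS host module for "rexxar": a ZFS-rooted, systemd-boot machine that acts as
# a router (ip_forward on, three WireGuard tunnels, an IXP VLAN and two transit
# VLANs). Most network knobs live under systemd.network; secrets come from the
# vault module (my.vault.secrets) as file paths rather than inline values.
{
  imports = [
    ../lib/zfs.nix
    ./bgp.nix
    ../lib/bgp.nix
    ../lib/gitlab-runner-cacher.nix
    #../lib/nixbuild-distributed.nix # error: build of '/nix/store/3r7456yr8r9g4fl7w6xbgqlbsdjwfvr4-stdlib-pkgs.json.drv' on 'ssh://eu.nixbuild.net' failed: unexpected: Built outputs are invalid
  ];

  # Otherwise _this_ machine won't enumerate things properly.
  boot.zfs.devNodes = "/dev/disk/by-id";

  boot.initrd = {
    availableKernelModules = [
      "nvme"
      "xhci_pci"
      "ahci"
      "usb_storage"
      "usbhid"
      "sd_mod"
      "sr_mod"
    ];
    # systemd-based stage 1.
    systemd.enable = true;
  };

  # TPM2 support and the clevis client are enabled/installed, but nothing in
  # this file binds a volume or key to the TPM. NOTE(review): confirm where the
  # unlock policy (if any) is configured — as written this only provides the tooling.
  security.tpm2.enable = true;

  boot.kernelModules = [ "kvm-amd" ];
  hardware.cpu.amd.updateMicrocode = true;
  boot.kernelParams = [
    "nomodeset"
  ];

  environment.systemPackages = with pkgs; [
    clevis
  ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";

  fileSystems = let
    # Shorthand for mounting a ZFS dataset at a path.
    zfs = device: {
      device = device;
      fsType = "zfs";
    };
  in {
    "/" = zfs "zboot/local/root";
    "/nix" = zfs "zboot/local/nix";
    "/persist" = zfs "zboot/safe/persist";
    "/store" = zfs "zu2/safe/store";
    "/home" = zfs "zu2/safe/home";
    # Two ESPs. /boot is the one systemd-boot installs into; /boot2 is kept as a
    # copy of it by extraInstallCommands below.
    "/boot" = {
      device = "/dev/disk/by-label/ESP";
      fsType = "vfat";
    };
    "/boot2" = {
      device = "/dev/disk/by-label/ESP2";
      fsType = "vfat";
    };
  };

  # Copy the primary ESP onto the second one after every bootloader install.
  # rsync is referenced by store path so the hook does not depend on rsync being
  # on the PATH of whoever runs nixos-rebuild (rsync is not in systemPackages here).
  # NOTE(review): no --delete, so /boot2 retains kernels/entries that /boot has
  # already dropped and will slowly fill up — confirm whether a true mirror is wanted.
  boot.loader.systemd-boot.extraInstallCommands = ''
    ${pkgs.rsync}/bin/rsync -a /boot/ /boot2/
  '';

  nix.settings.max-jobs = lib.mkDefault 64;

  # Networking!
  networking = {
    hostName = "rexxar";
    domain = "as205479.net";
    # Used by ZFS to identify the importing host; changing it makes the pools
    # look foreign and require a forced import. Keep it stable.
    hostId = "b46c2ae9";
    useNetworkd = true;
    firewall = {
      # Inbound listen ports for the three WireGuard tunnels in systemd.network.
      allowedUDPPorts = [
        51821 51822 51823
      ];
    };
  };

  systemd.network = let
    # Build a networkd netdev for a WireGuard tunnel. AllowedIPs covers the whole
    # address space of both families, so the tunnel behaves as a routed link:
    # what is actually forwarded across it is decided by routing and the
    # firewall, not by WireGuard's cryptokey routing. Endpoint is only emitted
    # when the caller supplies one (otherwise the peer must initiate to us).
    wireguard = { name, listenPort, privateKey, publicKey, endpoint ? null }: {
      netdevConfig = {
        Name = name;
        Kind = "wireguard";
        Description = "WireGuard tunnel ${name}";
      };
      wireguardConfig = {
        ListenPort = listenPort;
        # Path to the rendered secret (see my.vault.secrets); the key is not
        # embedded in this configuration.
        PrivateKeyFile = privateKey;
      };
      wireguardPeers = [{
        wireguardPeerConfig = lib.mkMerge [{
          PublicKey = publicKey;
          AllowedIPs = [
            "0.0.0.0/0"
            "::/0"
          ];
        } (lib.mkIf (endpoint != null) {
          Endpoint = endpoint;
        })];
      }];
    };
    # Tunnels towards swann share one local key and one remote public key.
    swannWireguard = args: wireguard (args // {
      privateKey = config.my.vault.secrets.wg-swann-private.path;
      publicKey = "XyfovUP6GUwIg15t5UWxicfxooeto/U/7nLs7Zu8HH4=";
    });
    cofractalWireguard = args: wireguard (args // {
      privateKey = config.my.vault.secrets.wg-cofractal-ams01-private.path;
      publicKey = "qKi6mWIhV2n16LGH16Iug5W+Bx4Fx7eprxCgA/1Ra1g=";
    });
  in {
    # No endpoint: the remote side has to initiate this one.
    netdevs."40-wg-swann-ee" = swannWireguard {
      name = "wg-swann-ee";
      listenPort = 51821;
    };
    netdevs."40-wg-swann-gnet" = swannWireguard {
      name = "wg-swann-gnet";
      listenPort = 51822;
      endpoint = "185.250.189.20:51822";
    };
    netdevs."40-wg-cofractal" = cofractalWireguard {
      name = "wg-cofractal";
      listenPort = 51823;
      endpoint = "[2a09:a446:1337:ffff::10]:51823";
    };

    networks."40-wg-swann-ee" = {
      matchConfig.Name = "wg-swann-ee";
      address = [
        "92.118.30.3/31"
        "2a09:a442::2:2/64"
      ];
    };
    networks."40-wg-swann-gnet" = {
      matchConfig.Name = "wg-swann-gnet";
      address = [
        "92.118.30.5/31"
        "2a09:a442::3:2/64"
      ];
    };
    networks."40-wg-cofractal" = {
      matchConfig.Name = "wg-cofractal";
      address = [
        "169.254.200.0/31"
      ];
    };

    # Out-of-band link to the BMC.
    networks."10-usb0" = {
      matchConfig.Name = "usb0";
      address = [
        "169.254.0.1/24"
        # IPMI 169.254.0.17
      ];
    };

    networks."10-enp193s0f0np0" = {
      matchConfig.Name = "enp193s0f0np0";
      # Telia
      address = [
        "62.115.150.105/31"
        "2001:2035:0:1f7e::2/126"
      ];
    };
    networks."10-enp193s0f1np1" = {
      matchConfig.Name = "enp193s0f1np1";
      networkConfig.VLAN = [ "vl-velox1" ];
    };
    # enp9s0f0 - previously velox copper cable 1, now enp193s0f1np1 via 10G
    networks."10-enp9s0f1" = {
      matchConfig.Name = "enp9s0f1";
      networkConfig.VLAN = [ "vl-velox2" "vl-linx" ];
    };

    # Transit VLAN 1 (velox). Each VLAN gets its own MAC so the upstream sees
    # distinct L2 identities per port.
    netdevs."20-vl-velox1" = {
      netdevConfig = {
        Name = "vl-velox1";
        Kind = "vlan";
        MACAddress = "8C:1F:64:0B:6F:00";
      };
      vlanConfig = {
        Id = 100;
      };
    };
    # NOTE(review): unlike vl-linx below, the transit VLANs and the Telia port
    # leave IPv6AcceptRA / LLMNR / MulticastDNS at networkd defaults. On a
    # forwarding router it is worth setting IPv6AcceptRA = false explicitly so
    # that an upstream RA cannot change the default route behind BGP's back —
    # confirm against what networkd actually applies here.
    networks."20-vl-velox1" = {
      matchConfig.Name = "vl-velox1";
      address = [
        "195.74.55.21/31"
        "2a03:ee40:8080:9:1::2/126"
      ];
      networkConfig.DNS = [
        "2001:4860:4860::8888"
        "2001:4860:4860::8844"
        "8.8.8.8"
        "8.8.4.4"
        "1.1.1.1"
      ];
      networkConfig.DNSDefaultRoute = true;
      # Static default routes towards the transit gateway (v4 and v6).
      routes = [{ routeConfig = {
        Gateway = "195.74.55.20";
      }; } { routeConfig = {
        Gateway = "2a03:ee40:8080:9:1::1";
      }; }];
    };

    # Transit VLAN 2 (velox), same layout as velox1 on the other physical port.
    netdevs."20-vl-velox2" = {
      netdevConfig = {
        Name = "vl-velox2";
        Kind = "vlan";
        MACAddress = "8C:1F:64:0B:6F:01";
      };
      vlanConfig = {
        Id = 100;
      };
    };
    networks."20-vl-velox2" = {
      matchConfig.Name = "vl-velox2";
      address = [
        "195.74.55.23/31"
        "2a03:ee40:8080:9:2::2/126"
      ];
      networkConfig.DNS = [
        "2001:4860:4860::8888"
        "2001:4860:4860::8844"
        "8.8.8.8"
        "8.8.4.4"
        "1.1.1.1"
      ];
      networkConfig.DNSDefaultRoute = true;
      routes = [{ routeConfig = {
        Gateway = "195.74.55.22";
      }; } { routeConfig = {
        Gateway = "2a03:ee40:8080:9:2::1";
      }; }];
    };

    # IXP peering VLAN (LINX).
    netdevs."20-vl-linx" = {
      netdevConfig = {
        Name = "vl-linx";
        Kind = "vlan";
        MACAddress = "8C:1F:64:0B:6F:02";
      };
      vlanConfig = {
        Id = 200;
      };
    };
    # Shared peering LAN: keep this port quiet. No RA acceptance or sending,
    # no proxy ARP/NDP, no LLMNR/mDNS, and an EUI-64 link-local address derived
    # from the fixed MAC above. The matching ARP/neighbour sysctls are set in
    # boot.kernel.sysctl further down.
    networks."20-vl-linx" = {
      matchConfig.Name = "vl-linx";
      address = [
        "195.66.224.58/21"
        "2001:7f8:4::3:22a7:1/48"
      ];
      networkConfig = {
        IPv6LinkLocalAddressGenerationMode = "eui64";
        LLMNR = false;
        MulticastDNS = false;
        IPv6AcceptRA = false;
        IPv4ProxyARP = false;
        IPv6ProxyNDP = false;
        IPv6SendRA = false;
      };
    };

    # Loopback carries the usual 127/::1 plus a public v4 /32 and v6 /128 —
    # presumably the router's own addresses that get announced; confirm in bgp.nix.
    networks."60-lo" = {
      matchConfig.Name = "lo";
      addresses = [{
        addressConfig.Address = "127.0.0.1/8";
        addressConfig.Scope = "host";
      } {
        addressConfig.Address = "::1/128";
      } {
        addressConfig.Address = "92.118.30.251/32";
      } {
        addressConfig.Address = "2a09:a442:1000::/128";
      }];
    };
  };

  my.ip.tailscale = "100.97.110.48";
  my.ip.tailscale6 = "fd7a:115c:a1e0::3a01:6e30";
  #my.coredns.bind = [ "bond0" "tailscale0" "127.0.0.1" "::1" ];

  # Host keys live on the persisted dataset (/persist, see fileSystems) so the
  # SSH host identity is stable across rebuilds.
  services.openssh.hostKeys = [
    {
      path = "/persist/etc/ssh/ssh_host_ed25519_key";
      type = "ed25519";
    }
    {
      path = "/persist/etc/ssh/ssh_host_rsa_key";
      type = "rsa";
      bits = 4096;
    }
  ];

  # Bind-mount state directories out of /persist. Only bindMountSvc is used on
  # this host; bindMountSvcDynamic and bindMount are currently unused here.
  systemd.mounts = let
    # Base bind mount: /persist<dir> -> <dir>.
    bindMount' = dir: {
      unitConfig.RequiresMountsFor = dir;
      options = "bind";
      what = "/persist${dir}";
      where = dir;
    };
    # Bind mount ordered before, and required by, a specific service.
    bindMountSvc = dir: svc: (bindMount' dir) // {
      requiredBy = [ svc ];
      before = [ svc ];
      wantedBy = [ "multi-user.target" ];
    };
    # Same, for a DynamicUser service whose state lives under /var/lib/private.
    bindMountSvcDynamic = dir: svc: (bindMount' "/var/lib/private/${dir}") // {
      requiredBy = [ svc ];
      before = [ svc ];
      wantedBy = [ "multi-user.target" ];
    };
    bindMount = dir: (bindMount' dir) // {
      wantedBy = [ "multi-user.target" ];
    };
  in [
    (bindMountSvc "/var/lib/tailscale" "tailscaled.service")
    (bindMountSvc "/var/lib/libvirt" "libvirt.service")
  ];

  boot.kernel.sysctl = {
    # This host routes for both families.
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.conf.all.forwarding" = 1;
    # IXP port hygiene: only answer ARP for addresses on vl-linx itself and
    # only use source addresses from that subnet when announcing.
    "net.ipv4.conf.vl-linx.arp_announce" = 1;
    "net.ipv4.conf.vl-linx.arp_ignore" = 1;
    # 14400000 ms = 4 h neighbour reachable time, to keep ARP/ND traffic on the
    # shared peering LAN low.
    "net.ipv4.neigh.vl-linx.base_reachable_time_ms" = 14400000;
    "net.ipv6.neigh.vl-linx.base_reachable_time_ms" = 14400000;
  };

  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

  # WireGuard private keys rendered from Vault into files owned by the
  # systemd-network group, which is what lets networkd read PrivateKeyFile.
  my.vault.secrets = let
    # Render one key from the kv/apps/wireguard/rexxar secret.
    wireguardSecret = key: {
      group = "systemd-network";
      template = ''
        {{- with secret "kv/apps/wireguard/rexxar" -}}
        {{- .Data.data.${key} -}}
        {{- end -}}
      '';
    };
  in {
    wg-swann-private = wireguardSecret "privateKeyToSwann";
    wg-cofractal-ams01-private = wireguardSecret "privateKeyToCofractalAms01";
  };

  system.stateVersion = "24.05";
}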