# SPDX-FileCopyrightText: 2024 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
{ depot, lib, pkgs, config, ... }:
{
# Shared modules pulled into this host.  ./bgp.nix is this host's own file,
# ../lib/bgp.nix the shared module; neither is visible here, so the BGP
# sessions themselves (and any filters on them) must be reviewed there.
imports = [
  ../lib/zfs.nix
  ./bgp.nix
  ../lib/bgp.nix
  ../lib/gitlab-runner-cacher.nix
  # Remote building on nixbuild.net stays disabled until the failure quoted
  # below is understood.  Re-enabling it means trusting outputs produced by a
  # third-party builder into this host's store, so do that deliberately.
  #../lib/nixbuild-distributed.nix # error: build of '/nix/store/3r7456yr8r9g4fl7w6xbgqlbsdjwfvr4-stdlib-pkgs.json.drv' on 'ssh://eu.nixbuild.net' failed: unexpected: Built outputs are invalid
];
# ZFS must look for vdevs under the stable by-id names; with the default
# search path this particular machine does not enumerate its pools reliably.
boot.zfs.devNodes = "/dev/disk/by-id";

# Storage and input drivers the stage-1 initrd needs to reach the root pool.
boot.initrd.availableKernelModules = [
  "nvme" "xhci_pci" "ahci"
  "usb_storage" "usbhid"
  "sd_mod" "sr_mod"
];

# systemd-based stage 1.  NOTE(review): security.tpm2 and the clevis package
# are enabled further down, but this file declares no boot.initrd.clevis.* or
# other initrd unlock policy, so whether the pools are actually TPM-bound at
# boot depends on the imported modules (../lib/zfs.nix) — confirm there.
boot.initrd.systemd.enable = true;
# Enable NixOS's TPM 2.0 support and ship clevis in the system profile.
# NOTE(review): this is only the userspace half.  No PCR policy, no
# boot.initrd.clevis configuration and no Secure Boot key enrolment appear in
# this file; if disk unlock is meant to be sealed to the TPM, that lives in
# an imported module and should be checked against the boot chain below
# (systemd-boot, no signing) rather than assumed from these two lines.
security.tpm2.enable = true;
environment.systemPackages = [ pkgs.clevis ];

# AMD virtualisation (libvirt state is persisted further down) and early
# microcode loading, which carries the CPU-side mitigations.
boot.kernelModules = [ "kvm-amd" ];
hardware.cpu.amd.updateMicrocode = true;

# nomodeset: do not bring up KMS graphics drivers on this box.
boot.kernelParams = [ "nomodeset" ];
# UEFI boot through systemd-boot; the installer may write EFI variables.
# NOTE(review): plain systemd-boot performs no Secure Boot signing and nothing
# in this file enrols keys, so the loader/kernel on the ESPs are unsigned.
boot.loader = {
  systemd-boot.enable = true;
  efi.canTouchEfiVariables = true;
};

# Keep the CPU clocked up; mkDefault so a profile can override it.
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
# Mount layout.  The dataset names suggest the usual split: zboot/local/* is
# rebuildable OS state, */safe/* is state worth keeping (with /persist holding
# what the bind mounts and ssh host keys below rely on), and zu2 is bulk data.
# Both ESPs are FAT; /boot2 is a mirror of /boot kept current by the
# systemd-boot install hook below.
fileSystems = let
  zfs = dataset: {
    device = dataset;
    fsType = "zfs";
  };
  esp = label: {
    device = "/dev/disk/by-label/${label}";
    fsType = "vfat";
  };
in {
  "/"        = zfs "zboot/local/root";
  "/nix"     = zfs "zboot/local/nix";
  "/persist" = zfs "zboot/safe/persist";
  "/store"   = zfs "zu2/safe/store";
  "/home"    = zfs "zu2/safe/home";
  "/boot"    = esp "ESP";
  "/boot2"   = esp "ESP2";
};
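# Keep the second ESP a mirror of the first so the machine boots the current
# generation from either disk.
#  - Store paths instead of bare `rsync`: this runs from the bootloader
#    install script during switch-to-configuration, where rsync being on PATH
#    is not guaranteed.
#  - Refuse to run unless both ESPs are really mounted.  With /boot unmounted
#    the source is an empty directory and --delete would empty the mirror;
#    with /boot2 unmounted we would "mirror" into the root dataset.  Failing
#    loudly is consistent with both ESPs being hard (non-nofail) mounts above.
#  - --delete so entries and kernels pruned from /boot are pruned from /boot2
#    as well, rather than leaving old, possibly vulnerable generations
#    bootable only from the mirror.
# -a on vfat→vfat is kept from the original; ownership/mode are fixed by the
# mount options on both sides, so there is nothing for rsync to change.
boot.loader.systemd-boot.extraInstallCommands = ''
  for esp in /boot /boot2; do
    if ! ${pkgs.util-linux}/bin/mountpoint -q "$esp"; then
      echo "ESP mirror: $esp is not mounted; refusing to sync" >&2
      exit 1
    fi
  done
  ${pkgs.rsync}/bin/rsync -a --delete /boot/ /boot2/
'';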
# Build parallelism for this host as a builder (the gitlab-runner cache module
# is imported above); mkDefault so a profile can lower it.
nix.settings.max-jobs = lib.mkDefault 64;
# Identity and the networking backend; all interfaces are declared under
# systemd.network below, nothing uses the scripted backend.
networking.hostName = "rexxar";
networking.domain = "as205479.net";
# The hostid is stamped into the ZFS pools on import; keep it stable across
# reinstalls or the pools will refuse to import without forcing.
networking.hostId = "b46c2ae9";
networking.useNetworkd = true;
systemd.network = let
  # Public recursive resolvers, reached over plain port 53 from both transit
  # VLANs.  NOTE(review): this is not DoT/DoH; if that matters, add
  # networkConfig.DNSOverTLS to the transit networks rather than editing the
  # resolver list.
  publicResolvers = [
    "2001:4860:4860::8888"
    "2001:4860:4860::8844"
    "8.8.8.8"
    "8.8.4.4"
    "1.1.1.1"
  ];

  # 802.1Q sub-interface with an explicitly pinned MAC (presumably so the
  # address the far end sees does not change with the NIC).
  taggedVlan = name: mac: id: {
    netdevConfig = {
      Name = name;
      Kind = "vlan";
      MACAddress = mac;
    };
    vlanConfig.Id = id;
  };

  # Point-to-point transit VLAN: static /31 + /126, default routes via the
  # provider side, public resolvers as this host's DNS.
  transitVlan = name: { v4, v6, gw4, gw6 }: {
    matchConfig.Name = name;
    address = [ v4 v6 ];
    networkConfig = {
      DNS = publicResolvers;
      DNSDefaultRoute = true;
    };
    routes = [
      { routeConfig.Gateway = gw4; }
      { routeConfig.Gateway = gw6; }
    ];
  };
in {
  # Physical ports: f0 carries transit #1 and the IXP VLAN, f1 transit #2.
  networks."10-enp9s0f0" = {
    matchConfig.Name = "enp9s0f0";
    networkConfig.VLAN = [ "vl-velox1" "vl-linx" ];
  };
  networks."10-enp9s0f1" = {
    matchConfig.Name = "enp9s0f1";
    networkConfig.VLAN = [ "vl-velox2" ];
  };

  netdevs."20-vl-velox1" = taggedVlan "vl-velox1" "8C:1F:64:0B:6F:00" 100;
  networks."20-vl-velox1" = transitVlan "vl-velox1" {
    v4 = "195.74.55.21/31";
    v6 = "2a03:ee40:8080:9:1::2/126";
    gw4 = "195.74.55.20";
    gw6 = "2a03:ee40:8080:9:1::1";
  };

  netdevs."20-vl-velox2" = taggedVlan "vl-velox2" "8C:1F:64:0B:6F:01" 100;
  networks."20-vl-velox2" = transitVlan "vl-velox2" {
    v4 = "195.74.55.23/31";
    v6 = "2a03:ee40:8080:9:2::2/126";
    gw4 = "195.74.55.22";
    gw6 = "2a03:ee40:8080:9:2::1";
  };

  # IXP peering LAN: a shared L2 with many other operators.  Deliberately no
  # DNS and no default route here, plus the usual shared-LAN hygiene — never
  # accept or send RAs, no LLMNR/mDNS chatter, no proxy ARP/NDP on behalf of
  # other addresses, and an EUI-64 link-local derived from the pinned MAC so
  # the LL address stays predictable.  Keep this list intact when editing.
  netdevs."20-vl-linx" = taggedVlan "vl-linx" "8C:1F:64:0B:6F:02" 200;
  networks."20-vl-linx" = {
    matchConfig.Name = "vl-linx";
    address = [
      "195.66.224.58/21"
      "2001:7f8:4::3:22a7:1/48"
    ];
    networkConfig = {
      IPv6LinkLocalAddressGenerationMode = "eui64";
      LLMNR = false;
      MulticastDNS = false;
      IPv6AcceptRA = false;
      IPv4ProxyARP = false;
      IPv6ProxyNDP = false;
      IPv6SendRA = false;
    };
  };
};
# Tailscale addresses for this node (project-local `my.ip` options; their
# consumers are not visible in this file).
my.ip = {
  tailscale = "100.97.110.48";
  tailscale6 = "fd7a:115c:a1e0::3a01:6e30";
};
# Stale: there is no bond0 on this host (only enp9s0f0/f1 and VLANs above).
#my.coredns.bind = [ "bond0" "tailscale0" "127.0.0.1" "::1" ];
# SSH host keys live on the persisted dataset.  The /persist layout suggests
# an ephemeral root; without this sshd would mint fresh keys on each rebuild
# and every client would see a changed host key.  ed25519 first; RSA is kept
# at 4096 bits for clients that cannot do ed25519.
services.openssh.hostKeys = let
  persisted = algo: "/persist/etc/ssh/ssh_host_${algo}_key";
in [
  { type = "ed25519"; path = persisted "ed25519"; }
  { type = "rsa"; bits = 4096; path = persisted "rsa"; }
];
# Bind service state from /persist into its conventional location.  A mount
# is ordered before, and required by, the owning service so the daemon never
# starts against an empty directory on the (non-persisted) root.
systemd.mounts = let
  persistBind = dir: {
    what = "/persist${dir}";
    where = dir;
    options = "bind";
    unitConfig.RequiresMountsFor = dir;
  };
  # Bind mount tied to a specific service.
  forService = dir: svc: (persistBind dir) // {
    requiredBy = [ svc ];
    before = [ svc ];
    wantedBy = [ "multi-user.target" ];
  };
  # Same, for DynamicUser= services whose state sits under /var/lib/private.
  # (Defined for parity; not used on this host.)
  forDynamicService = dir: svc: forService "/var/lib/private/${dir}" svc;
  # Bind mount with no owning service.  (Also unused here.)
  standalone = dir: (persistBind dir) // {
    wantedBy = [ "multi-user.target" ];
  };
in [
  (forService "/var/lib/tailscale" "tailscaled.service")
  (forService "/var/lib/libvirt" "libvirt.service")
];
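# This host routes (BGP via ./bgp.nix), so forwarding is on for both families.
# The vl-linx keys follow IXP peering-LAN practice:
#  - arp_announce/arp_ignore = 1: answer ARP only for addresses configured on
#    the peering interface itself, never leak other interfaces' addresses.
#  - 4 h neighbour reachable time (14400000 ms) to keep ARP/ND churn on the
#    shared LAN low, as IXPs ask for.
#  - ICMP redirects: a forwarding Linux host emits them by default, and on a
#    shared peering LAN that can steer other peers' traffic, so disable both
#    sending and accepting them on that interface.  The kernel ORs
#    conf.all.send_redirects with the per-interface value, so `all` must be 0
#    too (other interfaces keep their own default and are unaffected);
#    accept_redirects is ANDed when forwarding, so the per-interface 0 is
#    enough.
# Per-interface keys for a VLAN that does not exist yet when systemd-sysctl
# runs at boot should be re-applied by udev when vl-linx appears — verify
# after a reboot with `sysctl net.ipv4.conf.vl-linx`.
boot.kernel.sysctl = {
  "net.ipv4.ip_forward" = 1;
  "net.ipv6.conf.all.forwarding" = 1;
  "net.ipv4.conf.vl-linx.arp_announce" = 1;
  "net.ipv4.conf.vl-linx.arp_ignore" = 1;
  "net.ipv4.neigh.vl-linx.base_reachable_time_ms" = 14400000;
  "net.ipv6.neigh.vl-linx.base_reachable_time_ms" = 14400000;
  "net.ipv4.conf.all.send_redirects" = 0;
  "net.ipv4.conf.vl-linx.send_redirects" = 0;
  "net.ipv4.conf.vl-linx.accept_redirects" = 0;
  "net.ipv6.conf.vl-linx.accept_redirects" = 0;
};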
# Run aarch64-linux binaries through the binfmt emulator (presumably for
# cross builds on this builder).  NOTE(review): this registers a handler for
# every aarch64 ELF on the host, including anything a CI job drops, so it
# widens what counts as "executable" here; acceptable for a builder.
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

# Release this host was first installed with; governs stateful option
# defaults, do not bump without reading the release notes.
system.stateVersion = "24.05";
}