From 0af68cd830cd940f597b557bae018e45e6441cdc Mon Sep 17 00:00:00 2001 From: Michael Date: Thu, 7 Oct 2021 01:05:02 +0100 Subject: [PATCH] updated 20.09 server configuration Signed-off-by: Michael --- configuration.nix | 46 +++++++++++++------ hardware-configuration.nix | 40 ++++++++--------- hardware.nix | 10 +++++ networking.nix | 92 +++++++++++++++++++++----------------- nix-containers.nix | 30 +++---------- packages.nix | 5 +-- services.nix | 74 +++++++++++++++++++++++------- users.nix | 25 +++++++---- vim.nix | 2 +- virtualisation.nix | 9 ++++ 10 files changed, 203 insertions(+), 130 deletions(-) create mode 100644 hardware.nix create mode 100644 virtualisation.nix diff --git a/configuration.nix b/configuration.nix index 8a62df4..0883355 100644 --- a/configuration.nix +++ b/configuration.nix 
@@ -10,34 +10,52 @@ ./hardware-configuration.nix ./packages.nix ./networking.nix + ./hardware.nix ./services.nix + ./virtualisation.nix ./users.nix ./nix-containers.nix ]; boot = { loader = { - # Use the systemd-boot EFI boot loader. systemd-boot.enable = true; efi.canTouchEfiVariables = true; }; - - extraModulePackages = [ config.boot.kernelPackages.wireguard ]; + kernel.sysctl = { + "fs.inotify.max_user_watches" = 204800; + }; }; - # Select internationalisation properties. - i18n = { - consoleFont = "Lat2-Terminus16"; - consoleKeyMap = "uk"; - defaultLocale = "en_GB.UTF-8"; + zramSwap = { + enable = true; + algorithm = "zstd"; + memoryPercent = 50; }; # Set your time zone. time.timeZone = "Europe/London"; - # This value determines the NixOS release with which your system is to be - # compatible, in order to avoid breaking some software such as database - # servers. You should change this only after NixOS release notes say you - # should. - system.stateVersion = "19.09"; # Did you read the comment? -} + # Select internationalisation properties. + i18n.defaultLocale = "en_GB.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "uk"; + }; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "20.09"; # Did you read the comment? +} \ No newline at end of file 
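Review bot: `system.stateVersion` is bumped from `"19.09"` to `"20.09"` even though the comment added directly above it says the value should stay at the release the system was first installed with; the option does not select a NixOS version, it fixes defaults for stateful data such as database layouts and file locations, so raising it on an existing host can silently change those. If this host was genuinely reinstalled on 20.09 — the regenerated hardware-configuration.nix with new disk UUIDs and the qemu-guest profile suggests it was — the new value is right, but then say so on the line itself: `system.stateVersion = "20.09"; # fresh 20.09 install, not an in-place upgrade from 19.09`. Otherwise it should go back to `"19.09"`.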
diff --git a/hardware-configuration.nix b/hardware-configuration.nix index 78e6fbb..914e01f 100644 --- a/hardware-configuration.nix +++ b/hardware-configuration.nix @@ -1,44 +1,40 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, modulesPath, ... }: { imports = - [ + [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/5f03569f-83a4-45a6-b316-bb792c758ac2"; - fsType = "btrfs"; - options = [ "subvol=nixos" ]; - }; - - fileSystems."/home" = - { device = "/dev/disk/by-uuid/5f03569f-83a4-45a6-b316-bb792c758ac2"; - fsType = "btrfs"; - options = [ "subvol=home" ]; - }; - - fileSystems."/mnt/storage" = - { device = "/dev/disk/by-uuid/d3ba175c-aa96-4613-a9e0-d34ad59616e6"; + { device = "/dev/disk/by-uuid/e578fb8d-c975-4ee8-9f3e-ca2b5a8ef98c"; fsType = "ext4"; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/A649-113E"; + { device = "/dev/disk/by-uuid/9CF7-499F"; fsType = "vfat"; }; - swapDevices = - [ { device = "/dev/disk/by-uuid/d3b1291d-2f47-460a-b39b-3aafcd7b1e89"; } - ]; + fileSystems."/home" = + { device = "/dev/disk/by-uuid/82220da3-bc20-4ee4-9fc6-a7c47482fc94"; + fsType = "ext4"; + }; + + fileSystems."/mnt/storage" = + { device = "/dev/disk/by-uuid/42a9220c-0857-45a3-98a9-7bcfff31d95c"; + fsType = "btrfs"; + options = [ "subvol=storage" ]; + }; + + swapDevices = [ ]; - nix.maxJobs = lib.mkDefault 2; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; -} +} \ No newline at end of file 
diff --git a/hardware.nix b/hardware.nix new file mode 100644 index 0000000..fad78c0 --- /dev/null +++ b/hardware.nix @@ -0,0 +1,10 @@ +{ config, pkgs, ... }: + +{ + sound.enable = false; + hardware = { + pulseaudio = { + enable = false; + }; + }; +} \ No newline at end of file diff --git a/networking.nix b/networking.nix index e6f69d0..56e96ab 100644 --- a/networking.nix +++ b/networking.nix @@ -3,17 +3,22 @@ { networking = { hostName = "nixos-server"; - defaultGateway = "10.0.20.1"; + defaultGateway = { + address = "10.0.20.1"; + interface = "bond0"; + }; nameservers = [ "10.0.20.1" ]; - nat = { - enable = true; - externalInterface = "enp2s0"; - internalInterfaces = [ "wg0" ]; + bonds.bond0 = { + interfaces = [ "enp3s0f0" "enp3s0f1" ]; + driverOptions = { + mode = "802.3ad"; + }; }; interfaces = { - enp2s0 = { + enp2s0.useDHCP = false; + bond0 = { ipv4.addresses = [ { address = "10.0.20.28"; prefixLength = 24; 
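Review bot: `bonds.bond0` is created in `802.3ad` mode with only `mode` in `driverOptions`, and the bonding driver's default `miimon` of 0 disables link monitoring, so a failed member link is as far as I can tell never dropped from the aggregate and traffic hashed onto it is lost. Add `miimon = "100";` (and optionally `lacp_rate = "fast";`) next to `mode` in `driverOptions`. The hunk also leaves `enp2s0.useDHCP = false` for an interface that no longer carries an address — if the NIC is gone from the host the line can go, otherwise a one-word comment saying it is intentionally unused would help the next reader.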
@@ -23,46 +28,49 @@ prefixLength = 128; } ]; }; + internal.useDHCP = true; }; - wireguard.interfaces = { - wg0 = { - ips = [ "10.0.0.1/24" ]; - privateKeyFile = "/home/michael/.wireguard/wg0-privkey"; - listenPort = 45904; - peers = [ { - publicKey = "Pc/zbM+9SBYi7xgcrM6XSvvWUePydfg41ZSHSdhFsB8="; - allowedIPs = [ "10.0.0.2/32" ]; - } { - publicKey = "RRybMt8Y8XhdqBqise5ooghYHOXdTjEWlxJ7rj5yB0A="; - allowedIPs = [ "10.0.0.3/32" ]; - } { - publicKey = "B63CWCXFW7YIZDRO/yGFrSr/xeHtUHi7z2v9rpiwOXY="; - allowedIPs = [ "10.0.0.4/32" ]; - } { - publicKey = "qel9ErmlZ6eQmnXEqOoon3pOfJWe+NvqTZ6o9ucZKFo="; - allowedIPs = [ "10.0.0.5/32" ]; - } ]; + vlans = { + internal = { + id = 10; + interface = "bond0"; }; }; - firewall = { - enable = true; - allowedTCPPorts = [ - 80 # http - 22 # ssh - 5201 # iperf - 2049 # nfs - 8000 # 0cd.xyz - ]; - allowedUDPPorts = [ - 45904 # wireguard - 5201 # iperf - ]; - - extraCommands = '' - iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp2s0 -j MASQUERADE - ''; + wireguard.interfaces = { + wg0 = { + ips = [ "10.0.24.1" ]; + privateKeyFile = "/home/michael/wireguard/privkey"; + listenPort = 45904; }; }; -} + + firewall = { + enable = true; + allowPing = true; + allowedTCPPorts = [ + 22 # ssh + ]; + interfaces = { + internal = { + allowedTCPPorts = [ + 873 # rsync + 139 # samba + 445 # samba + 2049 # nfs + ]; + allowedUDPPorts = [ + 137 # samba + 138 # samba + ]; + }; + }; + }; + + /*proxy = { + default = "http://10.0.20.1:8118"; + noProxy = "127.0.0.1,localhost,internal.domain"; + };*/ + }; +} \ No newline at end of file diff --git a/nix-containers.nix b/nix-containers.nix index f39b9df..373c45c 100644 --- a/nix-containers.nix +++ b/nix-containers.nix 
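Review bot: `privateKeyFile = "/home/michael/wireguard/privkey"` keeps the WireGuard private key under a user-owned home directory; the module reads it as root at activation, but anyone acting as michael (who is also in `wheel` and `docker`) can read or replace it, and the path it replaces had the same problem. Move it to a root-only location such as `/etc/wireguard/wg0.key` (root:root, mode 0600) and point `privateKeyFile` there. Also `ips = [ "10.0.24.1" ]` carries no prefix length, so the address is added to wg0 as a /32; if wg0 serves a 10.0.24.0/24 tunnel network it should read `"10.0.24.1/24"`. As written the interface defines no `peers` and UDP 45904 is no longer in any `allowedUDPPorts` list, so the listener is unreachable from outside — presumably peers and the firewall hole are managed elsewhere, but that is worth confirming rather than shipping a dead tunnel. The commented-out `proxy` block at the end is dead configuration and can be deleted.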
@@ -4,16 +4,16 @@ containers = { nginx = { autoStart = false; - config = { config, pkgs, ... }: { + config = { config, pkgs, ...}: { networking = { firewall.allowedTCPPorts = [ 80 ]; }; services.nginx = { enable = true; virtualHosts = { - www = { - listen = [ - { addr = "0.0.0.0"; port = 80; } + www ={ + listen = [ + { addr = "0.0.0.0"; port = 80; } { addr = "[::]"; port = 80; } ]; serverName = "nixos-server"; @@ -26,24 +26,6 @@ }; }; }; - }; - ocd = { - autoStart = false; - bindMounts = { - "/go" = { - hostPath = "/home/michael/go"; - isReadOnly = false; - }; - }; - config = { config, pkgs, ... }: { - networking = { - firewall.allowedTCPPorts = [ 8000 ]; - }; - environment.systemPackages = with pkgs; [ - go_bootstrap - ]; - }; - }; + }; }; -} - +} \ No newline at end of file diff --git a/packages.nix b/packages.nix index e53800a..8d9b7b9 100644 --- a/packages.nix +++ b/packages.nix @@ -18,13 +18,10 @@ nix-zsh-completions zsh-completions lm_sensors - wireguard - wireguard-tools nmap iperf3 - go_1_12 smartmontools - python37Packages.glances + btrfs-progs ]; programs = { diff --git a/services.nix b/services.nix index ae0fa66..3d21ad6 100644 --- a/services.nix +++ b/services.nix @@ -2,6 +2,7 @@ { services = { + printing.enable = false; openssh = { enable = true; ports = [ 22 ]; 
@@ -11,25 +12,68 @@ challengeResponseAuthentication = false; }; + rsyncd = { + enable = true; + settings = { + storage = { + path = "/mnt/storage"; + uid = "michael"; + gid = "michael"; + comment = "storage drive"; + read_only = "no"; + }; + }; + }; + nfs.server = { enable = true; exports = '' - /mnt/storage 10.0.20.2(rw,nohide,no_root_squash,no_subtree_check) - /mnt/storage/backup 10.0.20.2(rw,nohide,no_root_squash,no_subtree_check) - /mnt/storage 10.0.1.5(rw,nohide,no_root_squash,no_subtree_check) + /mnt/storage 10.0.25.1(rw,nohide,no_root_squash,no_subtree_check) + /mnt/storage 10.0.25.5(rw,nohide,no_root_squash,no_subtree_check) ''; }; - }; - /*systemd = { - services.ocd = { - description = "0cd.xyz-go web server"; - after = [ "network.target" ]; - serviceConfig = { - Type = "simple"; - ExecStart = "${pkgs.bash}/bin/bash /srv/0cd.xyz-go/run.sh"; + + samba = { + enable = true; + securityType = "user"; + extraConfig = '' + workgroup WORKGROUP + server string = smbnix + netbios name = smbnix + security = user + hosts allow = 10.0.25.0 localhost + hosts deny = 0.0.0.0/0 + guest account = nobody + map to guest = bad user + ''; + shares = { + storage = { + path = "/srv/storage"; + "read only" = false; + browseable = "yes"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + "valid users" = "michael"; + comment = "storage drive"; + }; }; - wantedBy = [ "multi-user.target" ]; }; - services.ocd.enable = true; - };*/ -} + + openiscsi = { + enable = true; + name = "iqn.2021-05.org.linux-iscsi.nixos"; + discoverPortal = "10.0.25.1:3260"; + }; + + cron = { + enable = true; + systemCronJobs = [ + "00 7 * * * root rsync -arq --delete rsync://10.0.25.1:/forums/ /mnt/storage/backup/forum" + "00 8 * * * root rsync -arq --delete rsync://10.0.25.1/bitwarden/ /mnt/storage/backup/bitwarden" + "10 8 * * * root rsync -arq --delete rsync://10.0.25.1/opt/gitea/ /mnt/storage/backup/gitea" + "15 8 * * * root rsync -arq --delete rsync://10.0.25.1/opt/radicale/ 
/mnt/storage/backup/radicale" + ]; + }; + }; +} \ No newline at end of file diff --git a/users.nix b/users.nix index f9e9abb..0391ba7 100644 --- a/users.nix +++ b/users.nix @@ -1,12 +1,21 @@ { config, pkgs, ... }: { - users.users.michael = { - isNormalUser = true; - home = "/home/michael"; - description = "Michael"; - extraGroups = [ "wheel" "michael" ]; - shell = pkgs.zsh; - uid = 1000; + users.users = { + michael = { + isNormalUser = true; + home = "/home/michael"; + description = "Michael"; + extraGroups = [ "wheel" "michael" "docker" ]; + shell = pkgs.zsh; + uid = 1000; + }; }; -} + + users.groups = { + michael = { + name = "michael"; + gid = 1000; + }; + }; +} \ No newline at end of file diff --git a/vim.nix b/vim.nix index 4d9df28..b4ade78 100644 --- a/vim.nix +++ b/vim.nix @@ -71,4 +71,4 @@ let &guicursor = &guicursor . ",a:blinkon0" :set tabstop=4 shiftwidth=4 expandtab :set number ''; -} +} \ No newline at end of file diff --git a/virtualisation.nix b/virtualisation.nix new file mode 100644 index 0000000..845bc72 --- /dev/null +++ b/virtualisation.nix @@ -0,0 +1,9 @@ +{ config, pkgs, ... }: + +{ + virtualisation = { + docker = { + enable = true; + }; + }; +}
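Review bot: The new `rsyncd` module exports `/mnt/storage` writable (`read_only = "no"`) with no `hosts allow` and no `auth users`/`secrets file`, so any host that can reach TCP 873 on the `internal` VLAN can read, overwrite or delete the whole drive — including `/mnt/storage/backup`, where the cron jobs below place the bitwarden and gitea copies — and the same tree is also exported `rw,no_root_squash` over NFS to 10.0.25.1 and 10.0.25.5; at minimum pin `hosts allow` to the VLAN and require a module password. In the Samba block, `hosts allow = 10.0.25.0` has neither a trailing dot nor a mask, and Samba's access check then compares the token literally against the client address rather than as a subnet, so with `hosts deny = 0.0.0.0/0` no real client would be admitted; write it as `10.0.25.0/24` (or `10.0.25.`). Two smaller slips in the same hunk: `workgroup WORKGROUP` is missing its `=` and will be rejected as a badly formed smb.conf line, and the share path `/srv/storage` does not match the `/mnt/storage` used by rsyncd and NFS — presumably a typo unless a bind mount exists. The first cron job's source `rsync://10.0.25.1:/forums/` carries a stray `:` that the other three lack; drop it for consistency even if rsync tolerates the empty port. Those backups are also pulled as root over the unauthenticated, unencrypted rsync daemon protocol with `-a`, which preserves ownership and setuid bits from whatever 10.0.25.1 serves, so consider `-e ssh` or running the jobs as an unprivileged user.
```nix
      rsyncd = {
        # … unchanged: enable …
        settings = {
          storage = {
            # … unchanged: path, uid, gid, comment, read_only …
            "hosts allow" = "10.0.25.0/24";
            "auth users" = "michael";
            "secrets file" = "/etc/rsyncd.secrets"; # root:root 0600, one "michael:<password>" line
          };
        };
      };
      # … unchanged: nfs.server …
      samba = {
        # … unchanged: enable, securityType …
        extraConfig = ''
          workgroup = WORKGROUP
          # … unchanged: server string, netbios name, security …
          hosts allow = 10.0.25.0/24 localhost
          # … unchanged: hosts deny, guest account, map to guest …
        '';
        # … unchanged: shares …
      };
```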
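Review bot: Adding `"docker"` to `extraGroups` grants root-equivalent access, because anyone who can talk to the Docker socket can start a container that mounts and modifies the host filesystem; since michael is already in `wheel` this is not a new escalation, but the line carries no hint of that and is easy to copy for a less trusted account later. Annotate it: `"docker" # root-equivalent: the docker socket can mount the host filesystem`. If the account should not be root-equivalent the alternative is rootless Docker or invoking the CLI through sudo rather than group membership.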
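Review bot: Enabling Docker here undercuts the interface-scoped firewall in networking.nix: dockerd installs its own nat and FORWARD rules, so a container started with `-p HOSTPORT:…` is reachable on bond0 and the internal VLAN alike regardless of `allowedTCPPorts`, because that traffic never traverses the INPUT chain the NixOS firewall filters. If containers only need to be reached locally, default published ports to loopback with `extraOptions = "--ip=127.0.0.1";` inside `docker = { … }` and bind explicitly when something must be exposed. At least record the caveat next to `enable = true;`, e.g. `# NOTE: published container ports bypass networking.firewall`.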