updated 20.09 server configuration

Signed-off-by: Michael <michael.lindman@gmail.com>
This commit is contained in:
Michael 2021-10-07 01:05:02 +01:00
parent dd7bf26e80
commit 0af68cd830
10 changed files with 203 additions and 130 deletions

View File

@ -10,34 +10,52 @@
./hardware-configuration.nix ./hardware-configuration.nix
./packages.nix ./packages.nix
./networking.nix ./networking.nix
./hardware.nix
./services.nix ./services.nix
./virtualisation.nix
./users.nix ./users.nix
./nix-containers.nix ./nix-containers.nix
]; ];
boot = { boot = {
loader = { loader = {
# Use the systemd-boot EFI boot loader.
systemd-boot.enable = true; systemd-boot.enable = true;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
}; };
kernel.sysctl = {
extraModulePackages = [ config.boot.kernelPackages.wireguard ]; "fs.inotify.max_user_watches" = 204800;
};
}; };
# Select internationalisation properties. zramSwap = {
i18n = { enable = true;
consoleFont = "Lat2-Terminus16"; algorithm = "zstd";
consoleKeyMap = "uk"; memoryPercent = 50;
defaultLocale = "en_GB.UTF-8";
}; };
# Set your time zone. # Set your time zone.
time.timeZone = "Europe/London"; time.timeZone = "Europe/London";
# This value determines the NixOS release with which your system is to be # Select internationalisation properties.
# compatible, in order to avoid breaking some software such as database i18n.defaultLocale = "en_GB.UTF-8";
# servers. You should change this only after NixOS release notes say you console = {
# should. font = "Lat2-Terminus16";
system.stateVersion = "19.09"; # Did you read the comment? keyMap = "uk";
};
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09"; # Did you read the comment?
} }

View File

@ -1,44 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" ]; boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/5f03569f-83a4-45a6-b316-bb792c758ac2"; { device = "/dev/disk/by-uuid/e578fb8d-c975-4ee8-9f3e-ca2b5a8ef98c";
fsType = "btrfs";
options = [ "subvol=nixos" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/5f03569f-83a4-45a6-b316-bb792c758ac2";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/mnt/storage" =
{ device = "/dev/disk/by-uuid/d3ba175c-aa96-4613-a9e0-d34ad59616e6";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A649-113E"; { device = "/dev/disk/by-uuid/9CF7-499F";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = fileSystems."/home" =
[ { device = "/dev/disk/by-uuid/d3b1291d-2f47-460a-b39b-3aafcd7b1e89"; } { device = "/dev/disk/by-uuid/82220da3-bc20-4ee4-9fc6-a7c47482fc94";
]; fsType = "ext4";
};
fileSystems."/mnt/storage" =
{ device = "/dev/disk/by-uuid/42a9220c-0857-45a3-98a9-7bcfff31d95c";
fsType = "btrfs";
options = [ "subvol=storage" ];
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 2;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
} }

10
hardware.nix Normal file
View File

@ -0,0 +1,10 @@
{ config, pkgs, ... }:
{
sound.enable = false;
hardware = {
pulseaudio = {
enable = false;
};
};
}

View File

@ -3,17 +3,22 @@
{ {
networking = { networking = {
hostName = "nixos-server"; hostName = "nixos-server";
defaultGateway = "10.0.20.1"; defaultGateway = {
address = "10.0.20.1";
interface = "bond0";
};
nameservers = [ "10.0.20.1" ]; nameservers = [ "10.0.20.1" ];
nat = { bonds.bond0 = {
enable = true; interfaces = [ "enp3s0f0" "enp3s0f1" ];
externalInterface = "enp2s0"; driverOptions = {
internalInterfaces = [ "wg0" ]; mode = "802.3ad";
};
}; };
interfaces = { interfaces = {
enp2s0 = { enp2s0.useDHCP = false;
bond0 = {
ipv4.addresses = [ { ipv4.addresses = [ {
address = "10.0.20.28"; address = "10.0.20.28";
prefixLength = 24; prefixLength = 24;
@ -23,46 +28,49 @@
prefixLength = 128; prefixLength = 128;
} ]; } ];
}; };
internal.useDHCP = true;
};
vlans = {
internal = {
id = 10;
interface = "bond0";
};
}; };
wireguard.interfaces = { wireguard.interfaces = {
wg0 = { wg0 = {
ips = [ "10.0.0.1/24" ]; ips = [ "10.0.24.1" ];
privateKeyFile = "/home/michael/.wireguard/wg0-privkey"; privateKeyFile = "/home/michael/wireguard/privkey";
listenPort = 45904; listenPort = 45904;
peers = [ {
publicKey = "Pc/zbM+9SBYi7xgcrM6XSvvWUePydfg41ZSHSdhFsB8=";
allowedIPs = [ "10.0.0.2/32" ];
} {
publicKey = "RRybMt8Y8XhdqBqise5ooghYHOXdTjEWlxJ7rj5yB0A=";
allowedIPs = [ "10.0.0.3/32" ];
} {
publicKey = "B63CWCXFW7YIZDRO/yGFrSr/xeHtUHi7z2v9rpiwOXY=";
allowedIPs = [ "10.0.0.4/32" ];
} {
publicKey = "qel9ErmlZ6eQmnXEqOoon3pOfJWe+NvqTZ6o9ucZKFo=";
allowedIPs = [ "10.0.0.5/32" ];
} ];
}; };
}; };
firewall = { firewall = {
enable = true; enable = true;
allowPing = true;
allowedTCPPorts = [ allowedTCPPorts = [
80 # http
22 # ssh 22 # ssh
5201 # iperf ];
interfaces = {
internal = {
allowedTCPPorts = [
873 # rsync
139 # samba
445 # samba
2049 # nfs 2049 # nfs
8000 # 0cd.xyz
]; ];
allowedUDPPorts = [ allowedUDPPorts = [
45904 # wireguard 137 # samba
5201 # iperf 138 # samba
]; ];
extraCommands = ''
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp2s0 -j MASQUERADE
'';
}; };
}; };
};
/*proxy = {
default = "http://10.0.20.1:8118";
noProxy = "127.0.0.1,localhost,internal.domain";
};*/
};
} }

View File

@ -4,14 +4,14 @@
containers = { containers = {
nginx = { nginx = {
autoStart = false; autoStart = false;
config = { config, pkgs, ... }: { config = { config, pkgs, ...}: {
networking = { networking = {
firewall.allowedTCPPorts = [ 80 ]; firewall.allowedTCPPorts = [ 80 ];
}; };
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
www = { www ={
listen = [ listen = [
{ addr = "0.0.0.0"; port = 80; } { addr = "0.0.0.0"; port = 80; }
{ addr = "[::]"; port = 80; } { addr = "[::]"; port = 80; }
@ -27,23 +27,5 @@
}; };
}; };
}; };
ocd = {
autoStart = false;
bindMounts = {
"/go" = {
hostPath = "/home/michael/go";
isReadOnly = false;
};
};
config = { config, pkgs, ... }: {
networking = {
firewall.allowedTCPPorts = [ 8000 ];
};
environment.systemPackages = with pkgs; [
go_bootstrap
];
};
};
}; };
} }

View File

@ -18,13 +18,10 @@
nix-zsh-completions nix-zsh-completions
zsh-completions zsh-completions
lm_sensors lm_sensors
wireguard
wireguard-tools
nmap nmap
iperf3 iperf3
go_1_12
smartmontools smartmontools
python37Packages.glances btrfs-progs
]; ];
programs = { programs = {

View File

@ -2,6 +2,7 @@
{ {
services = { services = {
printing.enable = false;
openssh = { openssh = {
enable = true; enable = true;
ports = [ 22 ]; ports = [ 22 ];
@ -11,25 +12,68 @@
challengeResponseAuthentication = false; challengeResponseAuthentication = false;
}; };
rsyncd = {
enable = true;
settings = {
storage = {
path = "/mnt/storage";
uid = "michael";
gid = "michael";
comment = "storage drive";
read_only = "no";
};
};
};
nfs.server = { nfs.server = {
enable = true; enable = true;
exports = '' exports = ''
/mnt/storage 10.0.20.2(rw,nohide,no_root_squash,no_subtree_check) /mnt/storage 10.0.25.1(rw,nohide,no_root_squash,no_subtree_check)
/mnt/storage/backup 10.0.20.2(rw,nohide,no_root_squash,no_subtree_check) /mnt/storage 10.0.25.5(rw,nohide,no_root_squash,no_subtree_check)
/mnt/storage 10.0.1.5(rw,nohide,no_root_squash,no_subtree_check)
''; '';
}; };
samba = {
enable = true;
securityType = "user";
extraConfig = ''
workgroup WORKGROUP
server string = smbnix
netbios name = smbnix
security = user
hosts allow = 10.0.25.0 localhost
hosts deny = 0.0.0.0/0
guest account = nobody
map to guest = bad user
'';
shares = {
storage = {
path = "/srv/storage";
"read only" = false;
browseable = "yes";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"valid users" = "michael";
comment = "storage drive";
}; };
/*systemd = {
services.ocd = {
description = "0cd.xyz-go web server";
after = [ "network.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.bash}/bin/bash /srv/0cd.xyz-go/run.sh";
}; };
wantedBy = [ "multi-user.target" ];
}; };
services.ocd.enable = true;
};*/ openiscsi = {
enable = true;
name = "iqn.2021-05.org.linux-iscsi.nixos";
discoverPortal = "10.0.25.1:3260";
};
cron = {
enable = true;
systemCronJobs = [
"00 7 * * * root rsync -arq --delete rsync://10.0.25.1:/forums/ /mnt/storage/backup/forum"
"00 8 * * * root rsync -arq --delete rsync://10.0.25.1/bitwarden/ /mnt/storage/backup/bitwarden"
"10 8 * * * root rsync -arq --delete rsync://10.0.25.1/opt/gitea/ /mnt/storage/backup/gitea"
"15 8 * * * root rsync -arq --delete rsync://10.0.25.1/opt/radicale/ /mnt/storage/backup/radicale"
];
};
};
} }

View File

@ -1,12 +1,21 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
users.users.michael = { users.users = {
michael = {
isNormalUser = true; isNormalUser = true;
home = "/home/michael"; home = "/home/michael";
description = "Michael"; description = "Michael";
extraGroups = [ "wheel" "michael" ]; extraGroups = [ "wheel" "michael" "docker" ];
shell = pkgs.zsh; shell = pkgs.zsh;
uid = 1000; uid = 1000;
}; };
};
users.groups = {
michael = {
name = "michael";
gid = 1000;
};
};
} }

9
virtualisation.nix Normal file
View File

@ -0,0 +1,9 @@
{ config, pkgs, ... }:
{
virtualisation = {
docker = {
enable = true;
};
};
}