updated 20.09 server configuration

Signed-off-by: Michael <michael.lindman@gmail.com>

configuration.nix

@@ -10,34 +10,52 @@
       ./hardware-configuration.nix
       ./packages.nix
       ./networking.nix
+      ./hardware.nix
       ./services.nix
+      ./virtualisation.nix
       ./users.nix
       ./nix-containers.nix
     ];
 
   boot = {
     loader = {
-      # Use the systemd-boot EFI boot loader.
       systemd-boot.enable = true;
       efi.canTouchEfiVariables = true;
     };
-
+    kernel.sysctl = {
-    extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+      "fs.inotify.max_user_watches" = 204800;
+    };
   };
 
-  # Select internationalisation properties.
+  zramSwap = {
-  i18n = {
+    enable = true;
-    consoleFont = "Lat2-Terminus16";
+    algorithm = "zstd";
-    consoleKeyMap = "uk";
+    memoryPercent = 50;
-    defaultLocale = "en_GB.UTF-8";
   };
 
   # Set your time zone.
   time.timeZone = "Europe/London";
 
-  # This value determines the NixOS release with which your system is to be
+  # Select internationalisation properties.
-  # compatible, in order to avoid breaking some software such as database
+  i18n.defaultLocale = "en_GB.UTF-8";
-  # servers. You should change this only after NixOS release notes say you
+  console = {
-  # should.
+    font = "Lat2-Terminus16";
-  system.stateVersion = "19.09"; # Did you read the comment?
+    keyMap = "uk";
-}
+  };
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "20.09"; # Did you read the comment?
+}

hardware-configuration.nix

@@ -1,44 +1,40 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
 
 {
   imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    [ (modulesPath + "/profiles/qemu-guest.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/5f03569f-83a4-45a6-b316-bb792c758ac2";
+    { device = "/dev/disk/by-uuid/e578fb8d-c975-4ee8-9f3e-ca2b5a8ef98c";
-      fsType = "btrfs";
-      options = [ "subvol=nixos" ];
-    };
-
-  fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/5f03569f-83a4-45a6-b316-bb792c758ac2";
-      fsType = "btrfs";
-      options = [ "subvol=home" ];
-    };
-
-  fileSystems."/mnt/storage" =
-    { device = "/dev/disk/by-uuid/d3ba175c-aa96-4613-a9e0-d34ad59616e6";
       fsType = "ext4";
     };
 
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/A649-113E";
+    { device = "/dev/disk/by-uuid/9CF7-499F";
       fsType = "vfat";
     };
 
-  swapDevices =
+  fileSystems."/home" =
-    [ { device = "/dev/disk/by-uuid/d3b1291d-2f47-460a-b39b-3aafcd7b1e89"; }
+    { device = "/dev/disk/by-uuid/82220da3-bc20-4ee4-9fc6-a7c47482fc94";
-    ];
+      fsType = "ext4";
+    };
+
+  fileSystems."/mnt/storage" = 
+    { device = "/dev/disk/by-uuid/42a9220c-0857-45a3-98a9-7bcfff31d95c";
+      fsType = "btrfs";
+      options = [ "subvol=storage" ];
+    };
+
+  swapDevices = [ ];
 
-  nix.maxJobs = lib.mkDefault 2;
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
-}
+}

hardware.nix

@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+{
+  sound.enable = false;
+  hardware = {
+    pulseaudio = {
+      enable = false;
+    };
+  };
+}

networking.nix

@@ -3,17 +3,22 @@
 {
   networking = {
     hostName = "nixos-server";
-    defaultGateway = "10.0.20.1";
+    defaultGateway = {
+      address = "10.0.20.1";
+      interface = "bond0";
+    };    
     nameservers = [ "10.0.20.1" ];
 
-    nat = {
+    bonds.bond0 = {
-      enable = true;
+      interfaces = [ "enp3s0f0" "enp3s0f1" ];
-      externalInterface = "enp2s0";
+      driverOptions = {
-      internalInterfaces = [ "wg0" ];
+        mode = "802.3ad";
+      };
     };
 
     interfaces = {
-      enp2s0 = {
+      enp2s0.useDHCP = false;
+      bond0 = {
         ipv4.addresses = [ {
           address = "10.0.20.28";
           prefixLength = 24;
@@ -23,46 +28,49 @@
           prefixLength = 128;
         } ];
       };
+      internal.useDHCP = true;
     };
 
-    wireguard.interfaces = {
+    vlans = {
-      wg0 = {
+      internal = {
-        ips = [ "10.0.0.1/24" ];
+        id = 10;
-        privateKeyFile = "/home/michael/.wireguard/wg0-privkey";
+        interface = "bond0";
-        listenPort = 45904;
-        peers = [ {
-          publicKey = "Pc/zbM+9SBYi7xgcrM6XSvvWUePydfg41ZSHSdhFsB8=";
-          allowedIPs = [ "10.0.0.2/32" ];
-        } {
-          publicKey = "RRybMt8Y8XhdqBqise5ooghYHOXdTjEWlxJ7rj5yB0A=";
-          allowedIPs = [ "10.0.0.3/32" ];
-        } {
-          publicKey = "B63CWCXFW7YIZDRO/yGFrSr/xeHtUHi7z2v9rpiwOXY=";
-          allowedIPs = [ "10.0.0.4/32" ];
-        } {
-          publicKey = "qel9ErmlZ6eQmnXEqOoon3pOfJWe+NvqTZ6o9ucZKFo=";
-          allowedIPs = [ "10.0.0.5/32" ];
-          } ];
       };
     };
 
-    firewall = {
+  wireguard.interfaces = {
-      enable = true;
+    wg0 = {
-      allowedTCPPorts = [
+      ips = [ "10.0.24.1" ];
-        80   # http
+      privateKeyFile = "/home/michael/wireguard/privkey";
-        22   # ssh
+      listenPort = 45904;
-        5201 # iperf
-        2049 # nfs
-        8000 # 0cd.xyz
-      ];
-      allowedUDPPorts = [ 
-        45904 # wireguard 
-        5201  # iperf
-      ];
-
-      extraCommands = ''
-        iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp2s0 -j MASQUERADE
-      '';
     };
   };
-}
+
+    firewall = {
+      enable = true;
+      allowPing = true;
+      allowedTCPPorts = [
+        22  # ssh
+      ];
+      interfaces = {
+        internal = {
+          allowedTCPPorts = [
+            873  # rsync
+            139  # samba
+            445  # samba
+            2049 # nfs
+          ];
+          allowedUDPPorts = [
+            137 # samba
+            138 # samba
+          ];
+        };
+      };
+    };
+
+    /*proxy = {
+      default = "http://10.0.20.1:8118";
+      noProxy = "127.0.0.1,localhost,internal.domain";
+    };*/
+  };
+}

nix-containers.nix

@@ -4,16 +4,16 @@
   containers = {
     nginx = {
       autoStart = false;
-      config = { config, pkgs, ... }: {
+      config = { config, pkgs, ...}: {
         networking = {
           firewall.allowedTCPPorts = [ 80 ];
         };
         services.nginx = {
           enable = true;
           virtualHosts = {
-            www = {
+            www ={
-              listen = [ 
+              listen = [
-                { addr = "0.0.0.0"; port = 80; } 
+                { addr = "0.0.0.0"; port = 80; }
                 { addr = "[::]"; port = 80; }
               ];
               serverName = "nixos-server";
@@ -26,24 +26,6 @@
           };
         };
       };
-    };
+    };  
-    ocd = {
-      autoStart = false;
-      bindMounts = {
-        "/go" = {
-          hostPath = "/home/michael/go";
-          isReadOnly = false;
-        };
-      };
-      config = { config, pkgs, ... }: {
-        networking = {
-          firewall.allowedTCPPorts = [ 8000 ];
-        };
-        environment.systemPackages = with pkgs; [
-          go_bootstrap
-        ];
-      };
-    };
   };
-}
+}
-

packages.nix

@@ -18,13 +18,10 @@
     nix-zsh-completions
     zsh-completions
     lm_sensors
-    wireguard
-    wireguard-tools
     nmap
     iperf3
-    go_1_12
     smartmontools
-    python37Packages.glances
+    btrfs-progs
   ];
 
   programs = {

services.nix

@@ -2,6 +2,7 @@
 
 {
   services = {
+    printing.enable = false;
     openssh = {
       enable = true;
       ports = [ 22 ];
@@ -11,25 +12,68 @@
       challengeResponseAuthentication = false;
     };
 
+    rsyncd = {
+      enable = true;
+      settings = {
+        storage = {
+          path = "/mnt/storage";
+          uid = "michael";
+          gid = "michael";
+          comment = "storage drive";
+          read_only = "no";
+        };
+      };
+    };
+
     nfs.server = {
       enable = true;
       exports = ''
-        /mnt/storage              10.0.20.2(rw,nohide,no_root_squash,no_subtree_check)
+        /mnt/storage    10.0.25.1(rw,nohide,no_root_squash,no_subtree_check)
-        /mnt/storage/backup       10.0.20.2(rw,nohide,no_root_squash,no_subtree_check)
+        /mnt/storage    10.0.25.5(rw,nohide,no_root_squash,no_subtree_check)
-        /mnt/storage              10.0.1.5(rw,nohide,no_root_squash,no_subtree_check)
       '';
     };
-  };
+
-  /*systemd = {
+    samba = {
-    services.ocd = {
+      enable = true;
-      description = "0cd.xyz-go web server";
+      securityType = "user";
-      after = [ "network.target" ];
+      extraConfig = ''
-      serviceConfig = {
+        workgroup WORKGROUP
-        Type = "simple";
+        server string = smbnix
-        ExecStart = "${pkgs.bash}/bin/bash /srv/0cd.xyz-go/run.sh";
+        netbios name = smbnix
+        security = user
+        hosts allow = 10.0.25.0 localhost
+        hosts deny = 0.0.0.0/0
+        guest account = nobody
+        map to guest = bad user
+      '';
+      shares = {
+        storage = {
+          path = "/srv/storage";
+          "read only" = false;
+          browseable = "yes";
+          "guest ok" = "no";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "valid users" = "michael";
+           comment = "storage drive";
+        };
       };
-      wantedBy = [ "multi-user.target" ];
     };
-    services.ocd.enable = true;
+
-  };*/
+    openiscsi = {
-}
+      enable = true;
+      name = "iqn.2021-05.org.linux-iscsi.nixos";
+      discoverPortal = "10.0.25.1:3260";
+    };
+
+    cron = {
+      enable = true;
+      systemCronJobs = [
+        "00 7 * * * root rsync -arq --delete rsync://10.0.25.1:/forums/ /mnt/storage/backup/forum"
+        "00 8 * * * root rsync -arq --delete rsync://10.0.25.1/bitwarden/ /mnt/storage/backup/bitwarden"
+        "10 8 * * * root rsync -arq --delete rsync://10.0.25.1/opt/gitea/ /mnt/storage/backup/gitea"
+        "15 8 * * * root rsync -arq --delete rsync://10.0.25.1/opt/radicale/ /mnt/storage/backup/radicale"
+      ];
+    };
+  };
+}

users.nix

@@ -1,12 +1,21 @@
 { config, pkgs, ... }:
 
 {
-  users.users.michael = {
+  users.users = {
-    isNormalUser = true;
+    michael = {
-    home = "/home/michael";
+      isNormalUser = true;
-    description = "Michael";
+      home = "/home/michael";
-    extraGroups = [ "wheel" "michael" ];
+      description = "Michael";
-    shell = pkgs.zsh;
+      extraGroups = [ "wheel" "michael" "docker" ];
-    uid = 1000;
+      shell = pkgs.zsh;
+      uid = 1000;
+    };
   };
-}
+
+  users.groups = {
+    michael = {
+      name = "michael";
+      gid = 1000;
+    };
+  };
+}

vim.nix

@@ -71,4 +71,4 @@ let &guicursor = &guicursor . ",a:blinkon0"
 :set tabstop=4 shiftwidth=4 expandtab
 :set number
   '';
-}
+}

virtualisation.nix

@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+  virtualisation = {
+    docker = {
+      enable = true;
+    };
+  };
+}