michael/nixos-server-config
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Michael 2019-11-10 08:41:19 +00:00
commit 5e384cac4c
8 changed files with 349 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
configuration.nix Normal file
View File

@ -0,0 +1,43 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./packages.nix
./networking.nix
./services.nix
./users.nix
./nix-containers.nix
];
boot = {
loader = {
# Use the systemd-boot EFI boot loader.
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
extraModulePackages = [ config.boot.kernelPackages.wireguard ];
};
# Select internationalisation properties.
i18n = {
consoleFont = "Lat2-Terminus16";
consoleKeyMap = "uk";
defaultLocale = "en_GB.UTF-8";
};
# Set your time zone.
time.timeZone = "Europe/London";
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "19.09"; # Did you read the comment?
}

44
hardware-configuration.nix Normal file
View File

@ -0,0 +1,44 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/5f03569f-83a4-45a6-b316-bb792c758ac2";
fsType = "btrfs";
options = [ "subvol=nixos" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/5f03569f-83a4-45a6-b316-bb792c758ac2";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/mnt/storage" =
{ device = "/dev/disk/by-uuid/d3ba175c-aa96-4613-a9e0-d34ad59616e6";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A649-113E";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/d3b1291d-2f47-460a-b39b-3aafcd7b1e89"; }
];
nix.maxJobs = lib.mkDefault 2;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}

67
networking.nix Normal file
View File

@ -0,0 +1,67 @@
{ config, pkgs, ... }:
{
networking = {
hostName = "nixos-server";
defaultGateway = "10.0.20.1";
nameservers = [ "10.0.20.1" ];
nat = {
enable = true;
externalInterface = "enp2s0";
internalInterfaces = [ "wg0" ];
};
interfaces = {
enp2s0 = {
ipv4.addresses = [ {
address = "10.0.20.28";
prefixLength = 24;
} ];
ipv6.addresses = [ {
address = "2001:470:6a49:2a:31ad:b70d:49f4:75f2";
prefixLength = 128;
} ];
};
};
wireguard.interfaces = {
wg0 = {
ips = [ "10.0.0.1/24" ];
privateKeyFile = "/home/michael/.wireguard/wg0-privkey";
listenPort = 45904;
peers = [ {
publicKey = "Pc/zbM+9SBYi7xgcrM6XSvvWUePydfg41ZSHSdhFsB8=";
allowedIPs = [ "10.0.0.2/32" ];
} {
publicKey = "RRybMt8Y8XhdqBqise5ooghYHOXdTjEWlxJ7rj5yB0A=";
allowedIPs = [ "10.0.0.3/32" ];
} {
publicKey = "B63CWCXFW7YIZDRO/yGFrSr/xeHtUHi7z2v9rpiwOXY=";
allowedIPs = [ "10.0.0.4/32" ];
} {
publicKey = "qel9ErmlZ6eQmnXEqOoon3pOfJWe+NvqTZ6o9ucZKFo=";
allowedIPs = [ "10.0.0.5/32" ];
} ];
};
};
firewall = {
enable = true;
allowedTCPPorts = [
80 # http
22 # ssh
5201 # iperf
2049 # nfs
];
allowedUDPPorts = [
45904 # wireguard
5201 # iperf
];
extraCommands = ''
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp2s0 -j MASQUERADE
'';
};
};
}

49
nix-containers.nix Normal file
View File

@ -0,0 +1,49 @@
{ config, pkgs, ... }:
{
containers = {
nginx = {
autoStart = false;
config = { config, pkgs, ... }: {
networking = {
firewall.allowedTCPPorts = [ 80 ];
};
services.nginx = {
enable = true;
virtualHosts = {
www = {
listen = [
{ addr = "0.0.0.0"; port = 80; }
{ addr = "[::]"; port = 80; }
];
serverName = "nixos-server";
locations = {
"/" = {
root = "/var/www";
};
};
};
};
};
};
};
ocd = {
autoStart = false;
bindMounts = {
"/go" = {
hostPath = "/home/michael/go";
isReadOnly = false;
};
};
config = { config, pkgs, ... }: {
networking = {
firewall.allowedTCPPorts = [ 8000 ];
};
environment.systemPackages = with pkgs; [
go_bootstrap
];
};
};
};
}

38
packages.nix Normal file
View File

@ -0,0 +1,38 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
exa
wget
htop
git
(import ./vim.nix)
neovim
nix-index
python2
python3
usbutils
pciutils
tmux
neofetch
nix-zsh-completions
zsh-completions
lm_sensors
wireguard
wireguard-tools
nmap
iperf3
go_1_12
smartmontools
python37Packages.glances
];
programs = {
zsh = {
enable = true;
autosuggestions.enable = true;
enableCompletion = true;
ohMyZsh.enable = true;
};
};
}

22
services.nix Normal file
View File

@ -0,0 +1,22 @@
{ config, pkgs, ... }:
{
services = {
openssh = {
enable = true;
ports = [ 22 ];
passwordAuthentication = false;
permitRootLogin = "no";
authorizedKeysFiles = [ ".ssh/authorized_keys" ];
challengeResponseAuthentication = false;
};
nfs.server = {
enable = true;
exports = ''
/mnt/storage/backup 10.0.20.2(rw,nohide,no_root_squash,no_subtree_check)
/mnt/storage 10.0.1.5(rw,nohide,no_root_squash,no_subtree_check)
'';
};
};
}

12
users.nix Normal file
View File

@ -0,0 +1,12 @@
{ config, pkgs, ... }:
{
users.users.michael = {
isNormalUser = true;
home = "/home/michael";
description = "Michael";
extraGroups = [ "wheel" "michael" ];
shell = pkgs.zsh;
uid = 1000;
};
}

74
vim.nix Normal file
View File

@ -0,0 +1,74 @@
with import <nixpkgs> {};
vim_configurable.customize {
name = "vim";
vimrcConfig.customRC = ''
if v:lang =~ "utf8$" || v:lang =~ "UTF-8$"
set fileencodings=ucs-bom,utf-8,latin1
endif
set nocompatible " Use Vim defaults (much better!)
set bs=indent,eol,start " allow backspacing over everything in insert mode
"set ai " always set autoindenting on
"set backup " keep a backup file
set viminfo='20,\"50 " read/write a .viminfo file, don't store more
" than 50 lines of registers
set history=50 " keep 50 lines of command line history
set ruler " show the cursor position all the time
" Only do this part when compiled with support for autocommands
if has("autocmd")
augroup fedora
autocmd!
" In text files, always limit the width of text to 78 characters
" autocmd BufRead *.txt set tw=78
" When editing a file, always jump to the last cursor position
autocmd BufReadPost *
\ if line("'\"") > 0 && line ("'\"") <= line("$") |
\ exe "normal! g'\"" |
\ endif
" don't write swapfile on most commonly used directories for NFS mounts or USB sticks
autocmd BufNewFile,BufReadPre /media/*,/run/media/*,/mnt/* set directory=~/tmp,/var/tmp,/tmp
" start with spec file template
autocmd BufNewFile *.spec 0r /usr/share/vim/vimfiles/template.spec
augroup END
endif
if has("cscope") && filereadable("/usr/bin/cscope")
set csprg=/usr/bin/cscope
set csto=0
set cst
set nocsverb
" add any database in current directory
if filereadable("cscope.out")
cs add $PWD/cscope.out
" else add database pointed to by environment
elseif $CSCOPE_DB != ""
cs add $CSCOPE_DB
endif
set csverb
endif
" Switch syntax highlighting on, when the terminal has colors
" Also switch on highlighting the last used search pattern.
if &t_Co > 2 || has("gui_running")
syntax on
set hlsearch
endif
filetype plugin on
if &term=="xterm"
set t_Co=8
set t_Sb=[4%dm
set t_Sf=[3%dm
endif
" Don't wake up system with blinking cursor:
" http://www.linuxpowertop.org/known.php
let &guicursor = &guicursor . ",a:blinkon0"
:set tabstop=4 shiftwidth=4 expandtab
:set number
'';
}