From 7a450258d4524cdf3dde583db179d94f45dc04f6 Mon Sep 17 00:00:00 2001
From: Lyn
Date: Sat, 19 Oct 2024 04:08:28 +0200
Subject: [PATCH 01/10] wireguard gateway draft added
---
 flake.nix | 15 +++++++---
 hosts/wg_gateway/default.nix | 17 +++++++++++
 hosts/wg_gateway/hardware_configuration.nix | 33 +++++++++++++++++++++
 3 files changed, 61 insertions(+), 4 deletions(-)
 create mode 100644 hosts/wg_gateway/default.nix
 create mode 100644 hosts/wg_gateway/hardware_configuration.nix
diff --git a/flake.nix b/flake.nix
index b5f59d4..c29dbe7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -35,21 +35,28 @@
 modules = [
 ./hosts/forgenite
 imports
- ];
+ ];
 };
 "forgejo-ci" = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
 ./hosts/forgejo-ci
 imports
- ];
+ ];
 };
 "supernova" = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
 ./hosts/supernova
- imports
- ];
+ imports
+ ];
+ };
+ "wg_gateway" = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./hosts/wg_gateway
+ imports
+ ];
 };
 };
 };
diff --git a/hosts/wg_gateway/default.nix b/hosts/wg_gateway/default.nix
new file mode 100644
index 0000000..4a023bf
--- /dev/null
+++ b/hosts/wg_gateway/default.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/sda";
+
+ lyn.kernel.latest.enable = true;
+ lyn.kernel.hardened.enable =true;
+ lyn.profiles.base.enable = true;
+ lyn.users.lyn.enable = true;
+
+ networking.hostName = "wg_gateway"; # Define your hostname.
+}
\ No newline at end of file
diff --git a/hosts/wg_gateway/hardware_configuration.nix b/hosts/wg_gateway/hardware_configuration.nix
new file mode 100644
index 0000000..59930cf
--- /dev/null
+++ b/hosts/wg_gateway/hardware_configuration.nix
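Review bot: The new `hosts/wg_gateway/default.nix` carries only the nixos-generate-config boilerplate comments (`# Include the results of the hardware scan.`, `# Define your hostname.`) and nothing that says what this host is for, although the commit calls it a WireGuard gateway draft and the file itself contains no WireGuard or firewall settings yet. A one-line header above the attribute set, such as `# wg_gateway: WireGuard gateway host (draft; WireGuard and firewall configuration still to be added)`, would tell the next reader what is still missing. On a style point, `lyn.kernel.hardened.enable =true;` should read `lyn.kernel.hardened.enable = true;` like the surrounding lines.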
@@ -0,0 +1,33 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/8585b573-d3d6-48a3-91cf-76d198ea3046"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/0e0e9cca-0017-47aa-93f8-3231a29fd772"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +}
\ No newline at end of file
From 21cbd69e02d8840fce5fe074a06bb79fd3b81df4 Mon Sep 17 00:00:00 2001
From: Lyn
Date: Sat, 19 Oct 2024 04:12:19 +0200
Subject: [PATCH 02/10] filename typo
---
 .../{hardware_configuration.nix => hardware-configuration.nix} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename hosts/wg_gateway/{hardware_configuration.nix => hardware-configuration.nix} (100%)
diff --git a/hosts/wg_gateway/hardware_configuration.nix b/hosts/wg_gateway/hardware-configuration.nix
similarity index 100%
rename from hosts/wg_gateway/hardware_configuration.nix
rename to hosts/wg_gateway/hardware-configuration.nix
From 5962560c87a534806636b9bbfe202b1728ae814d Mon Sep 17 00:00:00 2001
From: Lyn
Date: Sat, 19 Oct 2024 04:17:26 +0200
Subject: [PATCH 03/10] small tweaks for hetzner aarch64 instance
---
 flake.nix | 2 +-
 hosts/wg_gateway/default.nix | 2 ++
 hosts/wg_gateway/hardware-configuration.nix | 3 ++-
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/flake.nix b/flake.nix
index c29dbe7..fe02894 100644
--- a/flake.nix
+++ b/flake.nix
@@ -52,7 +52,7 @@
 ];
 };
 "wg_gateway" = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
+ system = "aarch64-linux";
 modules = [
 ./hosts/wg_gateway
 imports
diff --git a/hosts/wg_gateway/default.nix b/hosts/wg_gateway/default.nix
index 4a023bf..4d3f0e7 100644
--- a/hosts/wg_gateway/default.nix
+++ b/hosts/wg_gateway/default.nix
@@ -14,4 +14,6 @@
 lyn.users.lyn.enable = true;
 
 networking.hostName = "wg_gateway"; # Define your hostname.
+
+ system.stateVersion = "24.05";
 }
\ No newline at end of file
diff --git a/hosts/wg_gateway/hardware-configuration.nix b/hosts/wg_gateway/hardware-configuration.nix
index 59930cf..ec93d26 100644
--- a/hosts/wg_gateway/hardware-configuration.nix
+++ b/hosts/wg_gateway/hardware-configuration.nix
@@ -8,8 +8,9 @@
 [ (modulesPath + "/profiles/qemu-guest.nix")
 ];
 
+ boot.initrd.kernelModules = [ "virtio_gpu" ];
+ boot.kernelParams = [ "console=tty" ];
 boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
- boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ ];
 boot.extraModulePackages = [ ];
 
From cfe7efce1084556dee70cafdfcb09bb13a13e45e Mon Sep 17 00:00:00 2001
From: Lyn
Date: Sat, 19 Oct 2024 04:21:40 +0200
Subject: [PATCH 04/10] hostname fixed
---
 flake.nix | 4 ++--
 hosts/{wg_gateway => wg-gateway}/default.nix | 2 +-
 hosts/{wg_gateway => wg-gateway}/hardware-configuration.nix | 0
 3 files changed, 3 insertions(+), 3 deletions(-)
 rename hosts/{wg_gateway => wg-gateway}/default.nix (86%)
 rename hosts/{wg_gateway => wg-gateway}/hardware-configuration.nix (100%)
diff --git a/flake.nix b/flake.nix
index fe02894..142fa23 100644
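Review bot: `boot.initrd.kernelModules = [ "virtio_gpu" ];` and `boot.kernelParams = [ "console=tty" ];` are hand-added to `hardware-configuration.nix`, whose own header (patch 01) says it was generated by nixos-generate-config and may be overwritten, so the next regeneration of the hardware scan would silently drop both lines. Moving the two lines into `hosts/wg_gateway/default.nix` keeps the generated file untouched; both options are list-typed, so the values merge with whatever the scan emits. The same concern applies to the later hand edits of this file in patches 05 and 06, where `boot.kernelParams` is kept and `networking.useDHCP` is removed by editing the generated file again.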
--- a/flake.nix
+++ b/flake.nix
@@ -51,10 +51,10 @@
 imports
 ];
 };
- "wg_gateway" = nixpkgs.lib.nixosSystem {
+ "wg-gateway" = nixpkgs.lib.nixosSystem {
 system = "aarch64-linux";
 modules = [
- ./hosts/wg_gateway
+ ./hosts/wg-gateway
 imports
 ];
 };
diff --git a/hosts/wg_gateway/default.nix b/hosts/wg-gateway/default.nix
similarity index 86%
rename from hosts/wg_gateway/default.nix
rename to hosts/wg-gateway/default.nix
index 4d3f0e7..cdf0e85 100644
--- a/hosts/wg_gateway/default.nix
+++ b/hosts/wg-gateway/default.nix
@@ -13,7 +13,7 @@
 lyn.profiles.base.enable = true;
 lyn.users.lyn.enable = true;
 
- networking.hostName = "wg_gateway"; # Define your hostname.
+ networking.hostName = "wg-gateway"; # Define your hostname.
 
 system.stateVersion = "24.05";
 }
\ No newline at end of file
diff --git a/hosts/wg_gateway/hardware-configuration.nix b/hosts/wg-gateway/hardware-configuration.nix
similarity index 100%
rename from hosts/wg_gateway/hardware-configuration.nix
rename to hosts/wg-gateway/hardware-configuration.nix
From aa7c61019bf03a07380c54435daedd54bc18b64f Mon Sep 17 00:00:00 2001
From: Lyn
Date: Sat, 19 Oct 2024 04:45:20 +0200
Subject: [PATCH 05/10] correction for accidentially creating an x86 server -_-
---
 hosts/wg-gateway/default.nix | 16 ++++++++++++++--
 hosts/wg-gateway/hardware-configuration.nix | 15 ++++++++++-----
 2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/hosts/wg-gateway/default.nix b/hosts/wg-gateway/default.nix
index cdf0e85..eca3c9d 100644
--- a/hosts/wg-gateway/default.nix
+++ b/hosts/wg-gateway/default.nix
@@ -5,15 +5,27 @@
 [ # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ];
- boot.loader.grub.enable = true;
- boot.loader.grub.device = "/dev/sda";
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
 
 lyn.kernel.latest.enable = true;
 lyn.kernel.hardened.enable =true;
 lyn.profiles.base.enable = true;
 lyn.users.lyn.enable = true;
 
+ # network
 networking.hostName = "wg-gateway"; # Define your hostname.
+ systemd.network.enable = true;
+ systemd.network.networks."10-wan" = {
+ matchConfig.Name = "enp1s0";
+ networkConfig.DHCP = "ipv4";
+ address = [
+ "2a01:4f8:1c1b:d2db::/64"
+ ];
+ routes = [
+ { routeConfig.Gateway = "fe80::1"; }
+ ];
+ };
 
 system.stateVersion = "24.05";
 }
\ No newline at end of file
diff --git a/hosts/wg-gateway/hardware-configuration.nix b/hosts/wg-gateway/hardware-configuration.nix
index ec93d26..e336471 100644
--- a/hosts/wg-gateway/hardware-configuration.nix
+++ b/hosts/wg-gateway/hardware-configuration.nix
@@ -7,20 +7,25 @@
 imports =
 [ (modulesPath + "/profiles/qemu-guest.nix")
 ];
 
- boot.initrd.kernelModules = [ "virtio_gpu" ];
 boot.kernelParams = [ "console=tty" ];
- boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" "sr_mod" ];
 boot.kernelModules = [ ];
 boot.extraModulePackages = [ ];
 
 fileSystems."/" =
- { device = "/dev/disk/by-uuid/8585b573-d3d6-48a3-91cf-76d198ea3046";
+ { device = "/dev/disk/by-uuid/7cb49846-af34-40ec-b144-decc9c284e94";
 fsType = "ext4";
 };
 
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/BEFA-C7BC";
+ fsType = "vfat";
+ options = [ "fmask=0077" "dmask=0077" ];
+ };
+
 swapDevices =
- [ { device = "/dev/disk/by-uuid/0e0e9cca-0017-47aa-93f8-3231a29fd772"; }
+ [ { device = "/dev/disk/by-uuid/63e6e56c-9fbd-4bc2-a0e7-8be171565710"; }
 ];
 
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
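Review bot: The static address `"2a01:4f8:1c1b:d2db::/64"` has an all-zero interface identifier, which RFC 4291 reserves as the subnet-router anycast address of the prefix rather than a host address; `"2a01:4f8:1c1b:d2db::1/64"` (constructed example — confirm against the provider's assignment) is the usual form for a `.network` unit. Nothing in the hunk restricts what arrives on `enp1s0`, and whether `lyn.profiles.base` turns on `networking.firewall` is not visible here, so a comment above `systemd.network.networks."10-wan"` such as `# enp1s0 is the public WAN interface; inbound filtering is expected from the base profile (verify)` would record that assumption for a host named wg-gateway. The enclosing attribute set starts before the hunk.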
@@ -30,5 +35,5 @@
 networking.useDHCP = lib.mkDefault true;
 # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
 
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }
\ No newline at end of file
From 361a93aa9591b8c08caa453a21620bb8b481a3bc Mon Sep 17 00:00:00 2001
From: Lyn
Date: Sat, 19 Oct 2024 04:52:38 +0200
Subject: [PATCH 06/10] network config quickfix
---
 hosts/wg-gateway/hardware-configuration.nix | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/hosts/wg-gateway/hardware-configuration.nix b/hosts/wg-gateway/hardware-configuration.nix
index e336471..c601b11 100644
--- a/hosts/wg-gateway/hardware-configuration.nix
+++ b/hosts/wg-gateway/hardware-configuration.nix
@@ -28,11 +28,6 @@
 [ { device = "/dev/disk/by-uuid/63e6e56c-9fbd-4bc2-a0e7-8be171565710"; }
 ];
 
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
 # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
 
 nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
From 49f86b0c5a6afd663f502b1ce8eaee58cf0405f6 Mon Sep 17 00:00:00 2001
From: Lyn
Date: Sat, 19 Oct 2024 04:59:51 +0200
Subject: [PATCH 07/10] network quickfix 2
---
 hosts/wg-gateway/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts/wg-gateway/default.nix b/hosts/wg-gateway/default.nix
index eca3c9d..eae46fe 100644
--- a/hosts/wg-gateway/default.nix
+++ b/hosts/wg-gateway/default.nix
@@ -14,6 +14,7 @@
 lyn.users.lyn.enable = true;
 
 # network
+ networking.useDHCP = false;
 networking.hostName = "wg-gateway"; # Define your hostname.
 systemd.network.enable = true;
 systemd.network.networks."10-wan" = {
From a1483840932ab58fd80604dd7ae1f196eb385df6 Mon Sep 17 00:00:00 2001
From: Lyn
Date: Sat, 19 Oct 2024 05:08:50 +0200
Subject: [PATCH 08/10] hardening apparently doesn't work on aarch64 hetzner servers?
---
 hosts/wg-gateway/default.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/hosts/wg-gateway/default.nix b/hosts/wg-gateway/default.nix
index eae46fe..0eab142 100644
--- a/hosts/wg-gateway/default.nix
+++ b/hosts/wg-gateway/default.nix
@@ -9,7 +9,6 @@
 boot.loader.efi.canTouchEfiVariables = true;
 
 lyn.kernel.latest.enable = true;
- lyn.kernel.hardened.enable =true;
 lyn.profiles.base.enable = true;
 lyn.users.lyn.enable = true;
 
From f967160ad98bd3bfe5b854f39fa01890a54fb0fd Mon Sep 17 00:00:00 2001
From: Lyn
Date: Sat, 19 Oct 2024 05:14:16 +0200
Subject: [PATCH 09/10] wait can we enable secure boot on this VPS?
---
 hosts/wg-gateway/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts/wg-gateway/default.nix b/hosts/wg-gateway/default.nix
index 0eab142..67b7fa6 100644
--- a/hosts/wg-gateway/default.nix
+++ b/hosts/wg-gateway/default.nix
@@ -10,6 +10,7 @@
 
 lyn.kernel.latest.enable = true;
 lyn.profiles.base.enable = true;
+ lyn.profiles.secureboot.enable = true;
 lyn.users.lyn.enable = true;
 
 # network
From 46a97e6a06dd1898c00ac2b98d5a57bf6036752c Mon Sep 17 00:00:00 2001
From: Lyn
Date: Sat, 19 Oct 2024 06:56:40 +0200
Subject: [PATCH 10/10] removed enable.nix because it does nothing anyway
---
 meta/default.nix | 1 -
 meta/enable.nix | 7 -------
 2 files changed, 8 deletions(-)
 delete mode 100644 meta/enable.nix
diff --git a/meta/default.nix b/meta/default.nix
index f669d22..90405b7 100644
--- a/meta/default.nix
+++ b/meta/default.nix
@@ -1,7 +1,6 @@
 {
 imports = [
 ./mkLocalMods.nix
-# ./enable.nix
 ];
 }
 
diff --git a/meta/enable.nix b/meta/enable.nix
deleted file mode 100644
index a7ecc46..0000000
--- a/meta/enable.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{lib, config, ...}: {
- config.lyn.lib.enable = list: lib.genAttrs
- list
- (
- name: {enable = true;}
- );
-}
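Review bot: `lyn.profiles.secureboot.enable = true;` is added under a commit title that is itself a question, and nothing in the hunk records whether the VPS firmware allows enrolling custom keys or leaving Setup Mode; the host imports the qemu-guest profile, so this depends entirely on what the hypervisor exposes. If the profile signs the boot chain (not visible from here), an unverified enrollment can leave the machine unbootable, or, if the firmware ignores the signatures, give no verification while appearing enabled. A comment next to the line, such as `# Secure Boot on the Hetzner aarch64 VPS: confirm the firmware supports custom-key enrollment before relying on this (TODO)`, would make the open question explicit. The enclosing attribute set starts and ends outside the hunk.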