diff --git a/config/common-lxc.nix b/config/common-lxc.nix
index 2824373..76df404 100644
--- a/config/common-lxc.nix
+++ b/config/common-lxc.nix
@@ -8,11 +8,8 @@ with lib; {
 manageNetwork = true;
 manageHostName = true;
 };
- nixpkgs.hostPlatform.system = "x86_64-linux";
+ kyouma.machine-type.virtual = true;
+ kyouma.machine-type.headless = true;
+ deployment.tags = [ "pve-lxc" ];
 networking.useDHCP = false;
-
- system.autoUpgrade.enable = true;
- nix.optimise.automatic = true;
- nix.gc.automatic = true;
- nix.gc.options = "--delete-older-than 2d";
 }
diff --git a/config/common-nginx.nix b/config/common-nginx.nix
index b9ba1ba..92780be 100644
--- a/config/common-nginx.nix
+++ b/config/common-nginx.nix
@@ -1,4 +1,5 @@
 { config, pkgs, lib, ... }: with lib; {
+ deployment.tags = [ "web" ];
 security.dhparams.enable = true;
 security.dhparams.params.nginx = {};
 security.acme = {
diff --git a/config/common/default.nix b/config/common/default.nix
index 5b6b400..a9f1a45 100644
--- a/config/common/default.nix
+++ b/config/common/default.nix
@@ -6,6 +6,7 @@ with lib; {
 ../../modules
 ./networking.nix
 ./openssh.nix
+ ./kernel.nix
 ];
 environment.systemPackages = with pkgs; [
 kitty.terminfo
@@ -28,7 +29,7 @@ with lib; {
 deployment.targetPort = mkDefault 22;
 deployment.targetUser = mkDefault null;
- nix.settings.trusted-users = [ "roo" "@wheel" ];
+ nix.settings.trusted-users = [ "root" "@wheel" ];
 security.dhparams.defaultBitSize = 4096;
 system.activationScripts.motd.text = let
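Review bot: `system.autoUpgrade.enable = true` is dropped for the LXC hosts and nothing in this commit replaces it; `nix.gc.automatic` and `nix.optimise.automatic` are still provided by config/common/default.nix, but unattended upgrades are not. If upgrades are now meant to arrive only through colmena deploys, that is worth stating in the commit message, otherwise a container that is not redeployed for a while stops receiving security updates. Setting `kyouma.machine-type.virtual = true` here also means the sysctl set introduced in config/common/kernel.nix, which is gated on `machine-type.physical`, never applies to these containers.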
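Review bot: The corrected `nix.settings.trusted-users = [ "root" "@wheel" ];` deserves a comment, because trusted-users is root-equivalent on nix-daemon (a trusted user may set arbitrary substituters and build settings) and `@wheel` extends that to every wheel member: `# trusted-users is root-equivalent on nix-daemon; keep @wheel only while wheel membership is already sudo-level`. Before the fix the entry `roo` matched no user, so effectively only `@wheel` was trusted; listing root explicitly is harmless since root is trusted by default. The enclosing attribute set continues outside the hunk.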
@@ -40,17 +41,19 @@ with lib; {
 cat << EOF > $root/motd
 Welcome to ${cfg.distroName} ${cfg.release} ("${cfg.codeName}") on
- $(${pkgs.figlet}/bin/figlet ${config.networking.hostName}).${config.networking.domain}
+ $(${pkgs.figlet}/bin/figlet -lt ${config.networking.hostName} | sed -e 's/[[:space:]]*$//').${config.networking.domain}
- Last deployed on $(date -d @$(cat "$deployment_folder/date"))
+ Last deployed on $(date "+%F %T %Z" -d @$(cat "$deployment_folder/date"))
 EOF
 '';
 users.motdFile = "/nix/var/lib/deployment/motd";
 nix.gc.automatic = true;
 nix.gc.options = "--delete-older-than 7d";
+ nix.optimise.automatic = true;
 services.journald.extraConfig = "SystemMaxUse=256M";
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ nixpkgs.hostPlatform.system = "x86_64-linux";
 system.stateVersion = "23.11";
 time.timeZone = mkDefault "CET";
diff --git a/config/common/kernel.nix b/config/common/kernel.nix
new file mode 100644
index 0000000..fd22995
--- /dev/null
+++ b/config/common/kernel.nix
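Review bot: `$(cat "$deployment_folder/date")` is still substituted unquoted into `date -d @...` on the new "Last deployed" line; if that file is missing or empty, `date` receives `-d @` and exits non-zero, and whether that aborts activation depends on the shell options of the enclosing activation script, which starts outside the hunk. A fallback keeps a freshly created host bootable and makes the missing file visible in the motd, e.g. `Last deployed on $(date "+%F %T %Z" -d @$(cat "$deployment_folder/date" 2>/dev/null || echo 0))`. The `sed -e 's/[[:space:]]*$//'` on the figlet line is only cosmetic and could carry a short comment saying it trims figlet's trailing padding before the domain suffix is appended.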
@@ -0,0 +1,55 @@
+{ config, lib, ... }: with lib; {
+ boot.kernel.sysctl = mkIf config.kyouma.machine-type.physical (mkMerge [{
+ "kernel.yama.ptrace_scope" = 1;
+ "kernel.kptr_restric" = 2;
+ "kernel.ftrace_enabled" = 0;
+ "kernel.panic" = -1;
+
+ "net.core.default_qdisc" = "fq";
+ "net.ipv4.tcp_congestion_control" = "bbr";
+
+ "net.ipv4.tcp_ecn" = 1;
+ "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_slow_start_after_idle" = 0;
+ "net.ipv4.tcp_tw_reuse" = 1;
+ "net.ipv4.tcp_mtu_probing" = 1;
+ "net.ipv4.tcp_mtu_probe_floor" = 1220;
+
+ "net.ipv4.tcp_keepalive_time" = 60;
+ "net.ipv4.tcp_keepalive_probes" = 6;
+ "net.ipv4.tcp_keepalive_intvl" = 10;
+
+ "net.core.rmem_default" = 16777216;
+ "net.core.rmem_max" = 56623104;
+ "net.core.wmem_default" = 16777216;
+ "net.core.wmem_max" = 56623104;
+ "net.core.optmem_max" = 65536;
+ "net.ipv4.tcp_rmem" = "4096 1048576 56623104";
+ "net.ipv4.tcp_wmem" = "4096 65536 56623104";
+ "net.ipv4.tcp_notsent_lowat" = 16384;
+ "net.ipv4.udp_rmem_min" = 9216;
+ "net.ipv4.udp_wmem_min" = 9216;
+
+ "net.ipv4.ip_local_port_range" = "16384 65535";
+
+ "net.ipv6.conf.all.mtu" = 1452;
+ "net.ipv6.conf.default.mtu" = 1452;
+
+ "net.core.bpf_jit_enable" = 1;
+ "net.core.bpf_jit_harden" = 1;
+
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+
+ "net.ipv4.conf.all.accept_source_route" = 0;
+
+ } (mkIf (!config.kyouma.machine-type.router) {
+ # Enable strict source route filtering
+ # Disable on BGP routers
+ "net.ipv4.conf.all.rp_filter" = 1;
+ "net.ipv4.conf.default.rp_filter" = 1;
+ })
+ ]);
+}
diff --git a/config/headless.nix b/config/headless.nix
index ac0ae52..2dfb592 100644
--- a/config/headless.nix
+++ b/config/headless.nix
@@ -1,3 +1,4 @@
 { config, lib, ... }: with lib; {
 services.openssh.enable = mkDefault true;
+ services.vnstat.enable = mkDefault true;
 }
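Review bot: `"kernel.kptr_restric" = 2;` misspells the sysctl key; systemd-sysctl only logs "ignoring" for a key that does not exist, so the kernel-pointer restriction is silently never applied on physical hosts — it should read `"kernel.kptr_restrict" = 2;`. The comment above the rp_filter keys is also misleading: rp_filter is reverse-path filtering (source-address validation on ingress), not source-route filtering, which is what `accept_source_route` above controls; I would write `# Strict reverse path filtering: drop packets whose source is not routable back via the ingress interface` and `# Disabled on routers: asymmetric routing (BGP) legitimately violates this`. Finally, the whole set is gated on `machine-type.physical`, so the `accept_redirects` and `rp_filter` hardening does not reach the virtual hosts built from common-lxc.nix; the `net.ipv4.conf.*`/`net.ipv6.conf.*` keys are per network namespace and are normally writable inside a container, unlike `kernel.*` and `net.core.*`, so consider gating only the latter on `physical`.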
diff --git a/config/hosts/crime/configuration.nix b/config/hosts/crime/configuration.nix
new file mode 100644
index 0000000..90a55df
--- /dev/null
+++ b/config/hosts/crime/configuration.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, ... }: {
+ imports = [
+ ../../common
+ ../../common-lxc.nix
+ ../../common-nginx.nix
+ ../../headless.nix
+ ];
+ networking = {
+ hostName = "crime";
+ firewall.allowedTCPPorts = [ 80 443 ];
+ firewall.allowedUDPPorts = [ 443 ];
+ };
+ systemd.network.networks."98-eth-default" = {
+ address = [
+ "2a0f:be01:0:100::1337/128"
+ ];
+ };
+}
diff --git a/config/hosts/web-dus/configuration.nix b/config/hosts/web-dus/configuration.nix
index a976db8..bd36ef3 100644
--- a/config/hosts/web-dus/configuration.nix
+++ b/config/hosts/web-dus/configuration.nix
@@ -12,6 +12,10 @@ in {
 imports = [
 inputs.fernglas.nixosModules.default
 inputs.kyouma-www.nixosModules.default
+ ../../common
+ ../../common-lxc.nix
+ ../../common-nginx.nix
+ ../../headless.nix
 ];
 networking = {
 hostName = "web-dus";
@@ -23,7 +27,6 @@ in {
 "2a0f:be01:0:100::1312/128"
 ];
 };
- services.vnstat.enable = true;
 services.vyosBld = {
 enable = true;
 output = "/nix/var/www/kyouma.net/vyos";
diff --git a/flake.lock b/flake.lock
index 34b4dda..6613dd9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -61,11 +61,11 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1705415185,
- "narHash": "sha256-3sAayXCMBqdEdKqAcGd41K2u0HYAWYu3J9rfIKBfLR4=",
+ "lastModified": 1705420537,
+ "narHash": "sha256-/zPsJsNFQF1xFIDY9np9TAK7JaiFLDcEhErNfcoyvIc=",
 "ref": "refs/heads/main",
- "rev": "d2fa7e29cdb68657be67f869383b37ab0dbf168f",
- "revCount": 28,
+ "rev": "b908e77c7173c6c425cbf085972f5ebbc7b83522",
+ "revCount": 15,
 "type": "git",
 "url": "ssh://git@git.bsd.gay/snaki/kyouma-net.git"
 },
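Review bot: `firewall.allowedUDPPorts = [ 443 ];` opens UDP 443 on this host, which only serves a purpose if nginx is configured for HTTP/3 (QUIC) in common-nginx.nix, and that file's relevant part is not in this diff; if it is not, the rule is a dead allowance that should be dropped or, if intended, documented as `firewall.allowedUDPPorts = [ 443 ]; # QUIC / HTTP3`. The address `2a0f:be01:0:100::1337/128` is hard-coded here while the unit name `98-eth-default` is defined elsewhere (presumably config/common/networking.nix), so a one-line comment naming where that unit comes from would help the next reader.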
@@ -76,11 +76,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1704786394,
- "narHash": "sha256-aJM0ln9fMGWw1+tjyl5JZWZ3ahxAA2gw2ZpZY/hkEMs=",
+ "lastModified": 1705312285,
+ "narHash": "sha256-rd+dY+v61Y8w3u9bukO/hB55Xl4wXv4/yC8rCGVnK5U=",
 "owner": "nixos",
 "repo": "nixos-hardware",
- "rev": "b34a6075e9e298c4124e35c3ccaf2210c1f3a43b",
+ "rev": "bee2202bec57e521e3bd8acd526884b9767d7fa0",
 "type": "github"
 },
 "original": {
@@ -123,11 +123,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1704722960,
- "narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=",
+ "lastModified": 1705316053,
+ "narHash": "sha256-J2Ey5mPFT8gdfL2XC0JTZvKaBw/b2pnyudEXFvl+dQM=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "317484b1ead87b9c1b8ac5261a8d2dd748a0492d",
+ "rev": "c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index ff0ea03..a5e09ae 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,31 +11,17 @@
 colmena = {
 meta = {
 allowApplyAll = false;
- nixpkgs = self.legacyPackages.x86_64-linux;
+ nixpkgs = nixpkgs.legacyPackages.x86_64-linux;
 specialArgs = { inherit inputs; };
 };
+ web-dus = {
+ imports = [ ./config/hosts/web-dus/configuration.nix ];
+ };
+ crime = {
+ imports = [ ./config/hosts/crime/configuration.nix ];
+ };
 };
 nixosConfigurations = {
- web02 = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- specialArgs = { inherit inputs; };
- modules = [
- ./config/common
- ./config/common-lxc.nix
- ./config/common-nginx.nix
- ./config/hosts/web-dus/configuration.nix
- ];
- };
- crime = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- specialArgs = { inherit inputs; };
- modules = [
- .config/common
- .config/common-lxc.nix
- .config/common-nginx.nix
- .config/hosts/crime/configuration.nix
- ];
- };
 # ryuuko = nixpkgs.lib.nixosSystem {
 # system = "x86_64-linux";
 # specialArgs = attrs;
@@ -46,5 +32,10 @@
 # ];
 # };
 };
+ devShells.x86_64-linux.default = let
+ pkgs = nixpkgs.legacyPackages.x86_64-linux;
+ in pkgs.mkShell {
+ packages = [ pkgs.colmena ];
+ };
 };
 }
diff --git a/modules/default.nix b/modules/default.nix
index dfe2cd6..2771d99 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,5 +1,6 @@
 { ... }: {
 imports = [
 ./vhost
+ ./machine-type
 ];
 }
diff --git a/modules/machine-type/default.nix b/modules/machine-type/default.nix
new file mode 100644
index 0000000..d7e448f
--- /dev/null
+++ b/modules/machine-type/default.nix
@@ -0,0 +1,44 @@
+{ config, lib, ...}: with lib; {
+ options.kyouma.machine-type = {
+ physical = mkOption {
+ type = types.bool;
+ default = false;
+ description = mdDoc "Mark machine as physical.";
+ };
+
+ virtual = mkOption {
+ type = types.bool;
+ default = false;
+ description = mdDoc "Mark machine as virtual.";
+ };
+
+ router = mkOption {
+ type = types.bool;
+ default = false;
+ description = mdDoc "Mark machine as router.";
+ };
+
+ headless = mkOption {
+ type = types.bool;
+ default = false;
+ description = mdDoc "Mark machine as headless.";
+ };
+
+ graphical = mkOption {
+ type = types.bool;
+ default = false;
+ description = mdDoc "Mark machine as graphical.";
+ };
+
+ portable = mkOption {
+ type = types.bool;
+ default = false;
+ description = mdDoc "Mark machine as portable.";
+ };
+ };
+ config = let
+ cfg = config.kyouma.machine-type;
+ in {
+ deployment.tags = mkIf cfg.router [ "router" ];
+ };
+}
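Review bot: The six booleans under `options.kyouma.machine-type` are independent, so a host can be both `physical` and `virtual`, or both `headless` and `graphical`, or none of them, and nothing reports it; since config/common/kernel.nix keys its sysctls on `physical` alone, a host that forgets to set a type silently gets no hardening. Adding `assertions` for the mutually exclusive pairs in the `config` block turns that into an evaluation-time error. The option descriptions could also state what each flag affects (for example that `physical` enables the sysctl set in config/common/kernel.nix and `router` adds the `router` deployment tag and disables rp_filter), so a reader knows the consequence of setting one.
```nix
  # … unchanged: options.kyouma.machine-type …
  config = let
    cfg = config.kyouma.machine-type;
  in {
    assertions = [
      {
        assertion = !(cfg.physical && cfg.virtual);
        message = "kyouma.machine-type: a machine cannot be both physical and virtual";
      }
      {
        assertion = !(cfg.headless && cfg.graphical);
        message = "kyouma.machine-type: a machine cannot be both headless and graphical";
      }
    ];
    deployment.tags = mkIf cfg.router [ "router" ];
  };
```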