swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 09:07:21 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: network overhaul

Browse source
This commit is contained in:
Leon Schwarzäugl 2025-06-15 04:36:40 +02:00
parent 22fe55c284
commit ed15ef02bb
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
34 changed files with 1704 additions and 1037 deletions
Download patch file Download diff file Expand all files Collapse all files

159
hosts/nixos/iso/default.nix
View file

@ -21,8 +21,31 @@ in
}
];
home-manager.users."${primaryUser}" = {
home = {
options.node = {
name = lib.mkOption {
description = "Node Name.";
type = lib.types.str;
};
secretsDir = lib.mkOption {
description = "Path to the secrets directory for this node.";
type = lib.types.path;
default = ./.;
};
};
config = {
node.name = "drugstore";
home-manager.users."${primaryUser}" = {
home = {
stateVersion = "23.05";
file = {
".bash_history" = {
source = self + /programs/bash/.bash_history;
};
};
};
swarselsystems.modules.general = lib.mkForce true;
};
home-manager.users.root.home = {
stateVersion = "23.05";
file = {
".bash_history" = {
@ -30,87 +53,77 @@ in
};
};
};
swarselsystems.modules.general = lib.mkForce true;
};
home-manager.users.root.home = {
stateVersion = "23.05";
file = {
".bash_history" = {
source = self + /programs/bash/.bash_history;
};
# environment.etc."issue".text = "\x1B[32m~SwarselSystems~\x1B[0m\nIP of primary interface: \x1B[31m\\4\x1B[0m\nThe Password for all users & root is '\x1B[31msetup\x1B[0m'.\nInstall the system remotely by running '\x1B[33mbootstrap -n <HOSTNAME> -d <IP_FROM_ABOVE> [--impermanence] [--encryption]\x1B[0m' on a machine with deployed secrets.\nAlternatively, run '\x1B[33mswarsel-install -d <DISK> -f <flake>\x1B[0m' for a local install.\n";
environment.etc."issue".source = "${self}/programs/etc/issue";
networking.dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload";
isoImage = {
makeEfiBootable = true;
makeUsbBootable = true;
squashfsCompression = "zstd -Xcompression-level 3";
};
};
# environment.etc."issue".text = "\x1B[32m~SwarselSystems~\x1B[0m\nIP of primary interface: \x1B[31m\\4\x1B[0m\nThe Password for all users & root is '\x1B[31msetup\x1B[0m'.\nInstall the system remotely by running '\x1B[33mbootstrap -n <HOSTNAME> -d <IP_FROM_ABOVE> [--impermanence] [--encryption]\x1B[0m' on a machine with deployed secrets.\nAlternatively, run '\x1B[33mswarsel-install -d <DISK> -f <flake>\x1B[0m' for a local install.\n";
environment.etc."issue".source = "${self}/programs/etc/issue";
networking.dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload";
nixpkgs = {
hostPlatform = lib.mkDefault "x86_64-linux";
config.allowUnfree = true;
};
isoImage = {
makeEfiBootable = true;
makeUsbBootable = true;
squashfsCompression = "zstd -Xcompression-level 3";
};
services.getty.autologinUser = lib.mkForce primaryUser;
nixpkgs = {
hostPlatform = lib.mkDefault "x86_64-linux";
config.allowUnfree = true;
};
services.getty.autologinUser = lib.mkForce primaryUser;
users = {
allowNoPasswordLogin = true;
groups.swarsel = { };
users = {
swarsel = {
name = primaryUser;
group = primaryUser;
isNormalUser = true;
password = "setup"; # this is overwritten after install
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
extraGroups = [ "wheel" ];
};
root = {
# password = lib.mkForce config.users.users.swarsel.password; # this is overwritten after install
openssh.authorizedKeys.keys = config.users.users."${primaryUser}".openssh.authorizedKeys.keys;
allowNoPasswordLogin = true;
groups.swarsel = { };
users = {
swarsel = {
name = primaryUser;
group = primaryUser;
isNormalUser = true;
password = "setup"; # this is overwritten after install
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
extraGroups = [ "wheel" ];
};
root = {
# password = lib.mkForce config.users.users.swarsel.password; # this is overwritten after install
openssh.authorizedKeys.keys = config.users.users."${primaryUser}".openssh.authorizedKeys.keys;
};
};
};
};
boot = {
loader.systemd-boot.enable = lib.mkForce true;
loader.efi.canTouchEfiVariables = true;
};
boot = {
loader.systemd-boot.enable = lib.mkForce true;
loader.efi.canTouchEfiVariables = true;
};
programs.bash.shellAliases = {
"swarsel-install" = "nix run github:Swarsel/.dotfiles#swarsel-install --";
};
programs.bash.shellAliases = {
"swarsel-install" = "nix run github:Swarsel/.dotfiles#swarsel-install --";
};
system.activationScripts.cache = {
text = ''
mkdir -p -m=0777 /home/${primaryUser}/.local/state/nix/profiles
mkdir -p -m=0777 /home/${primaryUser}/.local/state/home-manager/gcroots
mkdir -p -m=0777 /home/${primaryUser}/.local/share/nix/
printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /home/${primaryUser}/.local/share/nix/trusted-settings.json > /dev/null
mkdir -p /root/.local/share/nix/
printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json > /dev/null
'';
};
systemd = {
services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
targets = {
sleep.enable = false;
suspend.enable = false;
hibernate.enable = false;
hybrid-sleep.enable = false;
system.activationScripts.cache = {
text = ''
mkdir -p -m=0777 /home/${primaryUser}/.local/state/nix/profiles
mkdir -p -m=0777 /home/${primaryUser}/.local/state/home-manager/gcroots
mkdir -p -m=0777 /home/${primaryUser}/.local/share/nix/
printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /home/${primaryUser}/.local/share/nix/trusted-settings.json > /dev/null
mkdir -p /root/.local/share/nix/
printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json > /dev/null
'';
};
systemd = {
services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
targets = {
sleep.enable = false;
suspend.enable = false;
hibernate.enable = false;
hybrid-sleep.enable = false;
};
};
system.stateVersion = lib.mkForce "23.05";
networking = {
hostName = "drugstore";
wireless.enable = false;
};
};
system.stateVersion = lib.mkForce "23.05";
networking = {
hostName = "drugstore";
wireless.enable = false;
};
}

35
hosts/nixos/moonside/default.nix
View file

@ -26,7 +26,19 @@ in
tmp.cleanOnBoot = true;
};
environment.etc."issue".text = "\4";
environment = {
etc."issue".text = "\4";
persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
{
directory = "/var/lib/syncthing";
user = "syncthing";
group = "syncthing";
mode = "0700";
}
];
};
networking = {
nftables.enable = lib.mkForce false;
@ -41,14 +53,17 @@ in
interfaces = {
home-vpn = {
privateKeyFile = config.sops.secrets.wireguard-private-key.path;
ips = [ "192.168.3.4/24" ];
ips = [ "192.168.3.4/32" ];
peers = [
{
publicKey = "NNGvakADslOTCmN9HJOW/7qiM+oJ3jAlSZGoShg4ZWw=";
name = "moonside";
persistentKeepalive = 25;
endpoint = "${config.repo.secrets.common.ipv4}:51820";
allowedIPs = [ "192.168.3.0/24" ];
allowedIPs = [
"192.168.3.0/24"
"192.168.1.0/24"
];
}
];
};
@ -62,10 +77,22 @@ in
system.stateVersion = "23.11";
node.secretsDir = ./secrets;
services = {
nginx = {
virtualHosts = {
# "newway.swarsel.win" = {
# enableACME = true;
# forceSSL = true;
# acmeRoot = null;
# locations = {
# "/" = {
# proxyPass = "http://192.168.1.2:8080";
# extraConfig = ''
# client_max_body_size 0;
# '';
# };
# };
# };
"syncthing.swarsel.win" = {
enableACME = true;
forceSSL = true;

1
hosts/nixos/nbl-imba-2/default.nix
View file

@ -22,7 +22,6 @@ in
];
node.secretsDir = ./secrets;
swarselsystems = lib.recursiveUpdate
{
firewall = lib.mkForce true;

10
hosts/nixos/nbl-imba-2/secrets/pii.nix.enc
View file

@ -4,15 +4,19 @@
"age": [
{
"recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVXVBVndUU2tDdnlWd3Bu\ndi9DMzFseEtGUVFEWnVEMndWTk9GSGl2SFFjCk9QbnpYS2dYVElJQ28yWGw4Umd0\nS1k0Wk9Yc2hrUUc3dkpGb05EYkFHdVEKLS0tIDYvMUh3NEtlY3FWYVdJbTFRaXlW\neU80R1B0aHprSlI5NkJzRldOSFNMTmcKD4DCuREVbI/Qy3sEyEEWtjW/KbIPuN76\nqoteCCN4mGIR7241e5NwMRlFqxgHyod5mpJfwnUbkYBZZZ/u9PDGmw==\n-----END AGE ENCRYPTED FILE-----\n"
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjb21CZ0tQZlNKZkxKMGEz\nUlpMV3lSa1h5TXFNaEpvbWp3ZzZsMUFLd2hnCm9xQlo5Q3RsdW1tSFMxZjVKbjhM\nLzBaS3E1Z0lSQ2lQZEhtclBocE9CcXMKLS0tIHpaYjFIVVRWc2QyQ3hDWmNPODJR\nOFpPQlcwOERMYzhWV3J4ZmpIVUFXcGMKq/CmiIaBFfcx9Muj5LaTQ//ELHmC6WSG\ncJWyfZfrKcPDlXrz7+o9qufLogw3VIkCsTghqsbK6HOKGC5/FbnGSg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Z2tONmQxTUhZUW12Z2Jm\nUnoxSnpYcnZDNGNzSko1ckl2RDh3NG1VS2dFCmIwUXhmSk1OUk02S0JPVDR5UWJ4\na0gwWlg0V005ZWxYa29PZ0laS2VqM0kKLS0tIHN5SU9pQ090eHljeXJGWm5hRFQ4\nZ001Nzkyb29RYkNUMDNDNlo4YnVQeTQK34bNIBgxId2+DHKQNVV3Iro3KGkE03Sp\niB1+dADT6nRvGvoyPqnLq/NYfw7eQ6XqYt55zkdCta8v6L1UNUkw8g==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-06-11T13:48:16Z",
"mac": "ENC[AES256_GCM,data:6WiY/gpT7V+xQCuotG41Mh+dTSjYT/sg/14Gt7Z7PsrG+WRR33N1OhBV3EVdXeeE8NXkvvoZL/wypgQTWk7wfWpzwhWH478OXc3yaVx7G/nTsDhX/XjKvajpKnXLdn/s2xt9vhPmYuJidR7JYoHN4iv1Lv1eC1mAYKpW4i+sNJk=,iv:ThUxocoeMC1GAfSSeDF9P+m4BZpNuiyWiBrwDPhvNe0=,tag:AxvMKzkG1HBdUqPbbz4Qqg==,type:str]",
"pgp": [
{
"created_at": "2025-06-11T09:18:35Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAzg39i9TFW/qilR+HdUpNlgp3KXnW0kwYk7CI8Ie7RJOz\nAop/ak/nokwooxlLGJOiNsFS1//5PxiwOyxZzPmGvTTH8o8tUNZQSULhDnBKHUWG\n44KkerCk2CjbgOrcL7SzaZsFufGRJRcW1700EGatl8D3U1o94isYbArzQqjVXu7Z\nC3VRE80zV25TO9FzxCWCPOj/ML+vo+gq/rgUNQi4JKKBf01Ti142nlJ8hcMX23cb\n2KZkT0VOTz0uouc1J5hXiYmBLVEfsrKUTcamUE1S/dAGuaMe41F8oHt9Rw0YxP+g\nj1PjVuk/F44CRnVVNo8ScihNmvX+ex6+2n1JWmSFkCHtx054bMHTBiVMf86gYiy6\nUqbhuQw52U4/p3U8h7gYjU8yBuHMnCxxL3u1362lz2fDIOxyKtvMH0NGhw8cp7/+\nZbJ6fAUezn8xCXyzhl88XVYNXvM4Vjq6D3qBjjlyDJe9wXXsoPSAUNuVqBDbfnm0\ngOCnT6yOPj1Zv39IvQR+k73ISwBJySpqGgIYvjRtH0JGkXt2exayvWCqeRArkSQ4\nBITQKHFmSrBxo4ndnsTYWC+5v9VBLSUFEXpwrRZY9L5Zqw9Gyqj6hThzTMJiyaiV\ngMzK1JbGaEOd0f8QDfJfwn6VmmhW67w775V98n2wSejWb4WfogDXKe8DbIqrxp6F\nAgwDC9FRLmchgYQBEACPCA/rrYva4WKx9RrDiVkqi0sUM+xHEC17a9FyVXH+grwK\nwB+7prQjx9P4z2/qqlASuBjBjE8MvG4SIgJ6lziLstqrWpNHDuPJoXCTwdYbiqME\nb2V2VPC+PmulvUNcWDVEv4PWIYnKmvlhC/pxsyGtSfxRWgNYGCCx4eTa2OfYgswd\nnHnS+qT+cC6RTjqyeftJxlII2ocMduNpqFr9pVnPlNq3C++6bw/g/Il/YhGFJmr2\nvOl2WPhExh5CSux+oKjXdzsim1Ltz8KOmkSXNCEdI0v/X6OPNfGhnsKLYxaQMJst\nYfu8PIiVHPOYao2kVMstOeH5d/9LLV8MChKLTUelkZWrl1US0yBoCambl77Ooxx3\n14pTXosVSlShSBTGvGjlQS9Jnp+s75TMr4YoBe9UuK22iwtyq69ZKgNiAv+j0LIA\nOWSazSkbwikPsfFLmBuUWJjb5nvM9TUocDdwQIUE2AmmsXNnhnzd8CMnTRE05Go3\n4IVJXKHlKuiW53ji0b2GjPyT/WR9cLIpXRkh/ruTMQ7unljRLY9Ln92spbipg9wW\n4LXxRQ1pJcSOfMuDspLo12fts+gWaxQnkaHxRFoXORDmUmv1la1fHqFCeJRuNKIl\n+u0a9J2ra5S3f1rN2jsHcX4qLe+uq9rH/hKjPmE3CdMv0m9uifP7DfQiTnJcCdJc\nAR4qlFAxNnJyV3zavOuY410oYQYR9s9lqDWI20k1Gkgf8K668hrIPr9FeTuSCuGf\nCqjQ15D9MmBihKbB2gaMuJ6hV6+cAW6QEqUABMu7jT8oFixTHh42F8PFyxc=\n=lm7F\n-----END PGP MESSAGE-----",
"created_at": "2025-06-14T22:31:01Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAA3TBZeXf6RLph9szeqCtmoXyXDMS1l7NRjhmM85YyxcRo\nTuJQrXA8gmIAen7iVjO/FnndAqd86ddCirpBr/aEKtB9v7Poxx6A/kubV2/EurY7\ngbjWsvY/x6Cqv8IMCTkVdolZNOIYlw4bK3RqERoeWXnvCEXVK2c8fqxmcVoNv6yR\n5leIyApzs7dihbdhK+8nTunIMFJSfP+HQY/wgyowgp3cFVjPe+eTUk8T1xkrir7+\ngfddOHNKnbQWpZRBVj2NE/0dwcKX/rxPHU1sCxOg1TW05jTxavsf8x1+2ST5VLI8\nvttzB8H58OMpDZ1xgoMN7SGSWdTN7BgNcLG4rsGb/GW4+2bxJQ3hS+4aTa59ugXG\nGpqY4ooUopRyOh/hE9xqZ4CXy7IEAGbiBKnwJH+CFlXNygPSURoz9wCH5sgqQ1eA\nGfHrXcGNe2flx9gHZ3g2FUKeORs45CFQLxn2HDSuzVqn9nZfWUFddk9v7G4jSsRg\ntVrSevOXTSFzaSQr5GTQocQILG8HHkg67gKXWMNnk5CiUMVojTljcCej1F5s4Lwg\nljTfTWJMUXfD3Djc2Ap/L+PfxO/Zr0Z5glAndSFQB7aijFaQOR+TVQznRNv90UOk\nwQdF6XANcFMiK3yKQ3xZ6d7lXNTCPlLi5ngakpXhMM1lP0/xFuMWB15IL4yA1FmF\nAgwDC9FRLmchgYQBEADAz9QQ92i1rObvnk3utRhxqizU1SIKhZHEzkdJ+M/9AUQl\nDqj4ge191QMWlEh9jo5ln1abxfVMEjDbomtniPsM5kxPw9qK20M2873ibkps0yNZ\nTdqI2hhB8qBtdEOD/gKq3M27/0c3O7rpsIv8kxxdnmZ9GlRjG9c+SmVqdmZ+PLcP\nOrC+Fq8kQKhINaYdpPoT6x85FW0YLvNiR72grHOKDofqBrFChxapf4HKK6T44TX4\nPKw9G2o/XtN9Z1sfh/R44XsNwTjG8EHrwQLsFYoH3+L7UoNkkNtcwleAl0tkjyVZ\nkq4g0nJKO0KbB1HAM0opamYKOsCUaXQ1MLbXKAmIKy1wuKJR9ibH7E+2Ne41fHJv\n0v243FBnebJP5wlrDY6aBNBX5lPeJBF2q9njp2OnkHWktQD47EyhPhI0hUxN3vzL\n0dSE9/LFgWtvzXqVWIYBWMHToBBiqJRgspw3Jf4Fg0l7Q9p7u2/rwgqbIWMLIDt+\n4tn0ySuiV9jV9dVG3Ho/X7owgr57PPetTvUcU6Ph8Yiv6riLZ+qBy636iGmQd9Zz\n/8nG0BRAnU0YOdWUtvOvBvI+JC5DIs2Trj7Th0AJvlAVLiiR1+0dKk+BdNo/LGE5\nRNNgJIwGHMOZXJonuYfYe15Qy+Qcx3J/NI9VOOfSmzl7A4s8NqtuAt8FNm1cDNJc\nAZp7gi3i3PxxsEXefNMtbFDLe+5yQ4lHro47BxnNAyvnYwKC/VAiwatow9kZGNWn\nc9J/PZinOYPfalwqOl0Zn+pem0hIestNplin7v6ynxa23Cg4g1xUou0ve14=\n=UG0o\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],

1
hosts/nixos/sync/default.nix
View file

@ -51,7 +51,6 @@ in
system.stateVersion = "23.11";
node.secretsDir = ./secrets;
services = {
nginx = {
virtualHosts = {

1
hosts/nixos/winters/default.nix
View file

@ -28,7 +28,6 @@ in
};
node.secretsDir = ./secrets;
swarselsystems = lib.recursiveUpdate
{
isImpermanence = false;