From 2cdcb2b6e7ca621d8d34f2634927b7784492a135 Mon Sep 17 00:00:00 2001 From: Christoph Hollizeck Date: Mon, 25 Nov 2024 23:02:09 +0100 Subject: [PATCH 1/4] rp5: move things in separate configs, to be reused --- modules/nixos/services/openssh/default.nix | 29 ++++++++ .../nixos/services/remotebuild/default.nix | 48 +++++++++++++ systems/aarch64-linux/nixberry/default.nix | 69 ++++--------------- systems/x86_64-linux/loptland/default.nix | 13 +--- 4 files changed, 92 insertions(+), 67 deletions(-) create mode 100644 modules/nixos/services/openssh/default.nix create mode 100644 modules/nixos/services/remotebuild/default.nix
diff --git a/modules/nixos/services/openssh/default.nix b/modules/nixos/services/openssh/default.nix
new file mode 100644
index 0000000..4ec9816
--- /dev/null
+++ b/modules/nixos/services/openssh/default.nix
@@ -0,0 +1,29 @@
+{
+ lib,
+ config,
+ namespace,
+ ...
+ }:
+let
+ cfg = config.${namespace}.services.openssh;
+ inherit (lib) mkIf mkEnableOption;
+in
+{
+ options.${namespace}.services.openssh = {
+ enable = mkEnableOption "Enable SSH";
+ };
+
+ config = mkIf cfg.enable {
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ };
+
+ services.fail2ban = {
+ enable = true;
+ };
+ };
+}
diff --git a/modules/nixos/services/remotebuild/default.nix b/modules/nixos/services/remotebuild/default.nix
new file mode 100644
index 0000000..cd6b8ab
--- /dev/null
+++ b/modules/nixos/services/remotebuild/default.nix
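Review bot: The `services.fail2ban` block at the end of the hunk turns fail2ban on for every host that enables this module but sets no `ignoreIP`, so a misbehaving client or a few failed key attempts from the admin's own workstation can ban the only remote management path; since the module is meant to be shared, expose the allow-list as an option or at least add `services.fail2ban.ignoreIP = [ "<management ranges>" ];` next to `enable`. The `settings` block also leaves `PermitRootLogin` at the NixOS default; now that SSH policy lives in one place it is worth stating explicitly, e.g. `PermitRootLogin = "no";`, with a header comment saying that key-only authentication is the contract of this module.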
@@ -0,0 +1,48 @@
+{
+ lib,
+ config,
+ namespace,
+ ...
+}:
+let
+ cfg = config.${namespace}.services.remotebuild;
+ inherit (lib) mkIf mkEnableOption;
+in
+{
+ options.${namespace}.services.remotebuild = {
+ enable = mkEnableOption "Enable remotebuild";
+ };
+
+ config = mkIf cfg.enable {
+ users.users.remotebuild = {
+ isNormalUser = true;
+ createHome = false;
+ group = "remotebuild";
+
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJYZjG+XPNoVHVdCel5MK4mwvtoFCqDY1WMI1yoU71Rd root@yggdrasil"
+ ];
+ };
+
+ users.groups.remotebuild = { };
+
+ nix = {
+ nrBuildUsers = 64;
+ settings = {
+ trusted-users = [ "remotebuild" ];
+
+ min-free = 10 * 1024 * 1024;
+ max-free = 200 * 1024 * 1024;
+
+ max-jobs = "auto";
+ cores = 0;
+ };
+ };
+
+ systemd.services.nix-daemon.serviceConfig = {
+ MemoryAccounting = true;
+ MemoryMax = "90%";
+ OOMScoreAdjust = 500;
+ };
+ };
+}
diff --git a/systems/aarch64-linux/nixberry/default.nix b/systems/aarch64-linux/nixberry/default.nix
index 7298601..464ec31 100644
--- a/systems/aarch64-linux/nixberry/default.nix
+++ b/systems/aarch64-linux/nixberry/default.nix
@@ -19,42 +19,6 @@ in
 raspberry-pi-5
 ];
- security.sudo.wheelNeedsPassword = false;
- users.users.remotebuild = {
- isNormalUser = true;
- createHome = false;
- group = "remotebuild";
-
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJYZjG+XPNoVHVdCel5MK4mwvtoFCqDY1WMI1yoU71Rd root@yggdrasil"
- ];
- };
-
- users.groups.remotebuild = { };
-
- nixpkgs.hostPlatform = {
- system = "aarch64-linux";
- };
-
- nix = {
- nrBuildUsers = 64;
- settings = {
- trusted-users = [ "remotebuild" ];
-
- min-free = 10 * 1024 * 1024;
- max-free = 200 * 1024 * 1024;
-
- max-jobs = "auto";
- cores = 0;
- };
- };
-
- systemd.services.nix-daemon.serviceConfig = {
- MemoryAccounting = true;
- MemoryMax = "90%";
- OOMScoreAdjust = 500;
- };
-
 services.tailscale = {
 enable = true;
 useRoutingFeatures = "server";
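Review bot: `trusted-users = [ "remotebuild" ]` makes the `remotebuild` account root-equivalent as far as the nix-daemon is concerned (a trusted user can import unsigned store paths and relax sandbox-related settings), so the `root@yggdrasil` key that logs in as that user should be handled as a root credential. Constrain what the key may do instead of granting a full login, e.g. prefix it with `restrict,command="nix-store --serve --write" ` (or the `nix-daemon --stdio` command if yggdrasil drives this builder over `ssh-ng` — confirm against its `nix.buildMachines` entry), and add a comment naming the host the key belongs to and why it is trusted. Given the commit's stated aim of reuse, the key list is also better taken from an option, `authorizedKeys = lib.mkOption { type = lib.types.listOf lib.types.str; default = [ ]; }`, than hardcoded for one host.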
@@ -83,16 +47,15 @@ in
 };
 };
 };
- };
-
- networking.firewall = {
- allowedTCPPorts = [
- 53
- 80
- ];
- allowedUDPPorts = [
- 53
- ];
+ firewall = {
+ allowedTCPPorts = [
+ 53
+ 80
+ ];
+ allowedUDPPorts = [
+ 53
+ ];
+ };
 };
 services.adguardhome = {
@@ -134,7 +97,6 @@ in
 "https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt"
 "https://adguardteam.github.io/HostlistsRegistry/assets/filter_47.txt"
 ];
- };
 };
@@ -165,17 +127,14 @@ in
 };
 };
- services.openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- KbdInteractiveAuthentication = false;
- };
- };
-
 ${namespace} = {
 submodules.basics = enabled;
+ services = {
+ openssh = enabled;
+ remotebuild = enabled;
+ };
+
 system = {
 # cachemiss for webkit gtk
 hardware.networking.enable = mkForce false;
diff --git a/systems/x86_64-linux/loptland/default.nix b/systems/x86_64-linux/loptland/default.nix
index 89aefe3..4dd43d3 100644
--- a/systems/x86_64-linux/loptland/default.nix
+++ b/systems/x86_64-linux/loptland/default.nix
@@ -39,18 +39,6 @@ in
 };
 };
- services.openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- KbdInteractiveAuthentication = false;
- };
- };
-
- services.fail2ban = {
- enable = true;
- };
-
 services.nginx = {
 enable = true;
 recommendedProxySettings = true;
@@ -199,6 +187,7 @@ in
 enable = true;
 inherit sopsFile;
 };
+ openssh = enabled;
 };
 security = {
From 01ad8403a1b1cb1185a2445b7dfb656a1a574621 Mon Sep 17 00:00:00 2001 From: Christoph Hollizeck Date: Mon, 25 Nov 2024 23:19:36 +0100 Subject: [PATCH 2/4] adguardhome: increase statistic retention time --- systems/aarch64-linux/nixberry/default.nix | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/systems/aarch64-linux/nixberry/default.nix b/systems/aarch64-linux/nixberry/default.nix
index 464ec31..5a9e6d6 100644
--- a/systems/aarch64-linux/nixberry/default.nix
+++ b/systems/aarch64-linux/nixberry/default.nix
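Review bot: In the `@@ -165,17 +127,14 @@` hunk, replacing the inline `services.openssh` block with `openssh = enabled;` also pulls in fail2ban on nixberry, which this host did not run before and which the commit message ("move things in separate configs") does not mention — a behaviour change hiding inside a refactor. If it is intended, say so in the message, and since this Pi appears to be the LAN's DNS resolver (192.168.178.x addressing is configured elsewhere in this file), make sure the administrator's own addresses are excluded from banning, e.g. `services.fail2ban.ignoreIP = [ "192.168.178.0/24" ];`, so a mistyped key cannot lock out the only management path to the resolver. The `${namespace}` attribute set being edited continues past the end of the hunk.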
@@ -97,6 +97,11 @@ in
 "https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt"
 "https://adguardteam.github.io/HostlistsRegistry/assets/filter_47.txt"
 ];
+
+ statistics = {
+ enabled = true;
+ interval = "8760h";
+ };
 };
 };
From c3d019a46e63aef73a4b09f6e9354c723be63338 Mon Sep 17 00:00:00 2001 From: Christoph Hollizeck Date: Tue, 26 Nov 2024 17:05:20 +0100 Subject: [PATCH 3/4] rp5: add ethernet --- systems/aarch64-linux/nixberry/default.nix | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/systems/aarch64-linux/nixberry/default.nix b/systems/aarch64-linux/nixberry/default.nix
index 5a9e6d6..a159e22 100644
--- a/systems/aarch64-linux/nixberry/default.nix
+++ b/systems/aarch64-linux/nixberry/default.nix
@@ -25,7 +25,7 @@ in
 };
 networking = {
- interfaces.wlan0 = {
+ interfaces.end0 = {
 ipv4.addresses = [
 {
 address = ipAddress;
@@ -34,6 +34,15 @@ in
 ];
 useDHCP = true;
 };
+ interfaces.wlan0 = {
+ ipv4.addresses = [
+ {
+ address = "192.168.178.3";
+ prefixLength = 24;
+ }
+ ];
+ useDHCP = true;
+ };
 defaultGateway = {
 address = "192.168.178.1";
 interface = "wlan0";
From 0bbbe9a293557efcb006496ccf42cabc95cf0d73 Mon Sep 17 00:00:00 2001 From: Christoph Hollizeck Date: Sun, 26 Jan 2025 16:03:57 +0100 Subject: [PATCH 4/4] nixberry: add hostplatform --- systems/aarch64-linux/nixberry/default.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/systems/aarch64-linux/nixberry/default.nix b/systems/aarch64-linux/nixberry/default.nix
index a159e22..69d20ef 100644
--- a/systems/aarch64-linux/nixberry/default.nix
+++ b/systems/aarch64-linux/nixberry/default.nix
@@ -4,6 +4,7 @@
 lib,
 modulesPath,
 namespace,
+ pkgs,
 ...
 }:
@@ -16,9 +17,12 @@ in
 {
 imports = with inputs.nixos-hardware.nixosModules; [
 (modulesPath + "/installer/scan/not-detected.nix")
- raspberry-pi-5
 ];
+ nixpkgs.hostPlatform = {
+ system = "aarch64-linux";
+ };
+
 services.tailscale = {
 enable = true;
 useRoutingFeatures = "server";
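Review bot: `interval = "8760h"` in the new `statistics` block keeps AdGuard Home's per-client and per-domain DNS statistics for a full year, which is a retention decision affecting everyone who uses this resolver and deserves a comment such as `# keep aggregated DNS statistics (top clients/domains) for one year`. Please also confirm that the AdGuard Home version behind `services.adguardhome` accepts a duration string here (older schema versions expected the interval as a number of days and rejected other values), and consider setting `querylog.interval` deliberately in the same place, since the raw query log is retained independently of the statistics.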
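Review bot: After the `@@ -34,6 +34,15 @@` hunk both `end0` (carrying `ipAddress`, renamed from wlan0 in the previous hunk) and the new `wlan0` block hold a static address in what looks like the same /24, each additionally with `useDHCP = true`, while `defaultGateway.interface` in the trailing context still says `"wlan0"`; with two addressed interfaces on one segment, replies from the DNS/AdGuard listener on `ipAddress` can leave via wlan0 and a DHCP-supplied route can compete with the static gateway. If ethernet is meant to be the primary link, point the gateway at it (`interface = "end0";`) and either drop wlan0's static address or disable the interface rather than keeping both on the LAN; note the firewall openings for 53/80 apply to both interfaces as written. The enclosing `networking` attribute set starts and ends outside this hunk.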
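Review bot: Besides adding `nixpkgs.hostPlatform`, the `@@ -16,9 +17,12 @@` hunk also removes `raspberry-pi-5` from the nixos-hardware imports, which drops whatever kernel and firmware configuration that module supplied and leaves `with inputs.nixos-hardware.nixosModules;` with nothing to bind; neither is mentioned in the commit message (`nixberry: add hostplatform`). If dropping the hardware module is intentional, state it in the message and remove the now-unused `with`; otherwise keep `raspberry-pi-5` in the list.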
@@ -149,6 +153,8 @@ in
 remotebuild = enabled;
 };
+ apps.cli-apps.helix.pkg = pkgs.helix;
+
 system = {
 # cachemiss for webkit gtk
 hardware.networking.enable = mkForce false;