diff --git a/flake.nix b/flake.nix
index 63300fe..21e9401 100644
--- a/flake.nix
+++ b/flake.nix
@@ -82,21 +82,21 @@
 inherit userName userEmail;
 hostname = "valefor";
 };
- # modules = [
- # nix-ld.nixosModules.nix-ld
- # ./modules/nix-core.nix
- # ./modules/host-users.nix
- #
- # home-manager.nixosModules.home-manager
- # {
- # home-manager.useGlobalPkgs = true;
- # home-manager.useUserPackages = true;
- # home-manager.extraSpecialArgs = extraSpecialArgs;
- # home-manager.users.${userName}.imports = [
- # ./home
- # ];
- # }
- # ];
+ modules = [
+ nix-ld.nixosModules.nix-ld
+ ./modules/common
+ ./modules/machine/valefor
+
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.extraSpecialArgs = extraSpecialArgs;
+ home-manager.users.${userName}.imports = [
+ ./home
+ ];
+ }
+ ];
 };
 # Storage, status, game, and media server
diff --git a/modules/machine/cloud/configuration.nix b/modules/machine/cloud/configuration.nix
index 91ed83e..7cfb888 100644
--- a/modules/machine/cloud/configuration.nix
+++ b/modules/machine/cloud/configuration.nix
@@ -23,6 +23,7 @@ in {
 ../../apps/gaming.nix
 ../../graphics
 ../../pwrMgmt
+ ../../networking/core.nix
 ../../sound/pipewire.nix
 ../../sound/shairport.nix
 ../../virtualization/podman.nix
@@ -140,7 +141,7 @@ in {
 };
 # Core networking module (see ../../networking/core.nix)
- networking = {
+ network = {
 firewall.enable = true;
 networkmanager.enable = true;
 };
diff --git a/modules/machine/valefor/configuration.nix b/modules/machine/valefor/configuration.nix
new file mode 100644
index 0000000..9e657c5
--- /dev/null
+++ b/modules/machine/valefor/configuration.nix
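Review bot: In the second cloud hunk, `networkmanager.enable = true;` under the renamed `network = {` block does not match the option core.nix declares, which is `network.networkManager.enable` (capital M; core.nix reads it as `cfg.networkManager.enable`), so evaluating this host should fail with an undefined-option error; the new valefor/configuration.nix uses the same lowercase spelling. Change the line to `networkManager.enable = true;` in both files. The old `networking = {` block set the upstream NixOS options directly, so this rename is the first time these values pass through the custom module and its option names.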
@@ -0,0 +1,102 @@
+{
+ config,
+ lib,
+ pkgs,
+ userName,
+ ...
+}: {
+ imports = [
+ ../../graphics
+ ../../pwrMgmt
+ ../../networking/core.nix
+ ../../networking/dns.nix
+ ../../virtualization/podman.nix
+ ];
+
+ # Enable flakes for NixOS
+ nix.settings.experimental-features = ["nix-command" "flakes"];
+
+ # Custom kernel/boot stuff
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # Enable Bluetooth if present
+ hardware.bluetooth.enable = true;
+
+ # Set your timezone
+ time.timeZone = "America/Detroit";
+
+ # Install packages to be installed system-wide
+ environment.systemPackages = with pkgs; [
+ vim
+ neovim
+ git
+ patchelf
+ ];
+
+ # Set the EDITOR global environment variable to neovim
+ environment.variables.EDITOR = "nvim";
+
+ # Enable OpenSSH
+ services.openssh.enable = true;
+
+ # Enable keyring
+ services.gnome.gnome-keyring.enable = true;
+
+ # Enable GnuPG
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+
+ # Enable SUID wrappers (some programs need them)
+ programs.mtr.enable = true;
+
+ # Enable Polkit
+ security.polkit.enable = true;
+
+ # Graphics module (../../graphics/default.nix)
+ graphics = {
+ enable = true;
+ gpuVendor = "intel";
+ wayland.enable = true;
+ vulkan.enable = true;
+ };
+
+ # Power management (see ../../pwrMgmt/default.nix)
+ pwrMgmt = {
+ enable = true;
+ cpuFreqGovernor = "performance";
+ powertop.enable = false;
+ };
+
+ # Podman module (see ../../virtualization/podman.nix)
+ podman = {
+ enable = true;
+ extraPackages = with pkgs; [
+ docker-credential-helpers
+ toolbox
+ cosign
+ crane
+ podman-tui
+ podman-desktop
+ ];
+ };
+
+ # Core networking module (see ../../networking/core.nix)
+ network = {
+ firewall.enable = true;
+ networkmanager.enable = true;
+ };
+
+ # DNS module (see ../../networking/dns.nix)
+ dns = {
+ technitium.enable = true;
+ };
+
+ # Add username to groups "wheel" and "video" - more may be added here later
+ users.users.${userName}.extraGroups = ["wheel" "podman" "network"];
+
+ system.stateVersion = "24.11";
+}
diff --git a/modules/machine/valefor/default.nix b/modules/machine/valefor/default.nix
new file mode 100644
index 0000000..187a110
--- /dev/null
+++ b/modules/machine/valefor/default.nix
@@ -0,0 +1,6 @@
+{...}: {
+ imports = [
+ ./configuration.nix
+ ./hardware-configuration.nix
+ ];
+}
diff --git a/modules/machine/valefor/hardware-configuration.nix b/modules/machine/valefor/hardware-configuration.nix
new file mode 100644
index 0000000..abd4c35
--- /dev/null
+++ b/modules/machine/valefor/hardware-configuration.nix
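Review bot: The comment `# Add username to groups "wheel" and "video" - more may be added here later` does not describe the list beneath it, `["wheel" "podman" "network"]`, which has no "video" entry; rewrite it as `# Add the user to wheel, podman and the network group` or drop it. I also do not see a `network` group declared anywhere on this page, and NetworkManager's own group is `networkmanager`, so unless a module under ../../networking creates `network` this membership will not exist — worth verifying. Since `services.openssh.enable = true;` is new here with no `settings`, consider `services.openssh.settings.PasswordAuthentication = false;` if key-only login is the intent for this host.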
@@ -0,0 +1,39 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/ff89bde1-4b33-4277-b649-b92700b2406c";
+ fsType = "xfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/3A4B-6866";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/modules/networking/core.nix b/modules/networking/core.nix
index 98d8ef1..1db0c63 100644
--- a/modules/networking/core.nix
+++ b/modules/networking/core.nix
@@ -3,90 +3,28 @@
 lib,
 ...
 }: let
- cfg = config.networking;
+ cfg = config.network;
 in {
- options.networking = {
- # Firewall Configuration
+ options.network = {
 firewall = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = true;
- description = "Enable system firewall";
- };
-
+ enable = lib.mkEnableOption "system firewall";
 tcpPorts = {
- # Predefined, default common service ports
- ssh = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open SSH service port (22)";
- };
- };
- web = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open common web service ports (80, 443)";
- };
- };
- smtp = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open SMTP service ports (25, 465, 587)";
- };
- };
- imap = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open IMAP service ports (143, 993)";
- };
- };
- mysql = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open MySQL service port (3306)";
- };
- };
- mssql = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open Microsoft SQL Server service port (1433)";
- };
- };
- postgres = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open Postgres service port (5432)";
- };
- };
+ ssh.enable = lib.mkEnableOption "SSH service port (22)";
+ web.enable = lib.mkEnableOption "common web service ports (80, 443)";
+ smtp.enable = lib.mkEnableOption "SMTP service ports (25, 465, 587)";
+ imap.enable = lib.mkEnableOption "IMAP service ports (143, 993)";
+ mysql.enable = lib.mkEnableOption "MySQL service port (3306)";
+ mssql.enable = lib.mkEnableOption "Microsoft SQL Server service port (1433)";
+ postgres.enable = lib.mkEnableOption "Postgres service port (5432)";
 allowedPorts = lib.mkOption {
 type = lib.types.listOf lib.types.port;
 default = [];
 description = "List of custom TCP ports to open";
 };
 };
-
 udpPorts = {
- dns = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open DNS service port (53)";
- };
- };
- ntp = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open NTP service port (123)";
- };
- };
+ dns.enable = lib.mkEnableOption "DNS service port (53)";
+ ntp.enable = lib.mkEnableOption "NTP service port (123)";
 allowedPorts = lib.mkOption {
 type = lib.types.listOf lib.types.port;
 default = [];
@@ -94,14 +32,8 @@ in {
 };
 };
 };
-
 networkManager = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = true;
- description = "Enable NetworkManager for network connection management";
- };
-
+ enable = lib.mkEnableOption "NetworkManager for network connection management";
 extraPlugins = lib.mkOption {
 type = lib.types.listOf lib.types.package;
 default = [];
@@ -109,35 +41,27 @@ in {
 };
 };
 };
-
 config = {
 networking.firewall = {
 enable = cfg.firewall.enable;
-
- allowedTCPPorts =
- (
- lib.optionals
- cfg.firewall.tcpPorts.ssh.enable [22]
- cfg.firewall.tcpPorts.web.enable [80 443]
- cfg.firewall.tcpPorts.smtp.enable [25 465 587]
- cfg.firewall.tcpPorts.imap.enable [143 993]
- cfg.firewall.tcpPorts.mysql.enable [3306]
- cfg.firewall.tcpPorts.mssql.enable [1433]
- cfg.firewall.tcpPorts.postgres.enable [5432]
- )
- ++ cfg.firewall.tcpPorts.allowedPorts;
-
- allowedUDPPorts =
- (
- lib.optionals
- cfg.firewall.udpPorts.dns.enable [53]
- cfg.firewall.udpPorts.ntp.enable [123]
- )
- ++ cfg.firewall.udpPorts.allowedPorts;
+ allowedTCPPorts = lib.flatten [
+ (lib.optionals cfg.firewall.tcpPorts.ssh.enable [22])
+ (lib.optionals cfg.firewall.tcpPorts.web.enable [80 443])
+ (lib.optionals cfg.firewall.tcpPorts.smtp.enable [25 465 587])
+ (lib.optionals cfg.firewall.tcpPorts.imap.enable [143 993])
+ (lib.optionals cfg.firewall.tcpPorts.mysql.enable [3306])
+ (lib.optionals cfg.firewall.tcpPorts.mssql.enable [1433])
+ (lib.optionals cfg.firewall.tcpPorts.postgres.enable [5432])
+ cfg.firewall.tcpPorts.allowedPorts
+ ];
+ allowedUDPPorts = lib.flatten [
+ (lib.optionals cfg.firewall.udpPorts.dns.enable [53])
+ (lib.optionals cfg.firewall.udpPorts.ntp.enable [123])
+ cfg.firewall.udpPorts.allowedPorts
+ ];
 };
-
 networking.networkmanager = {
- enable = cfg.networkManager.enable;
+ enable = lib.mkForce cfg.networkManager.enable;
 packages = cfg.networkManager.extraPlugins;
 };
 };
diff --git a/modules/networking/dns.nix b/modules/networking/dns.nix
index 1a94c8b..2d0ccb0 100644
--- a/modules/networking/dns.nix
+++ b/modules/networking/dns.nix
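Review bot: `enable = lib.mkEnableOption "system firewall";` defaults to false, and the module's config block (in the later hunk of this file) assigns `networking.firewall.enable = cfg.firewall.enable;` unconditionally, so any host that imports core.nix without setting `network.firewall.enable = true` has the NixOS firewall, which is on by default, switched off by this module. The removed declaration was malformed (mkEnableOption takes a name, not an attrset) but clearly intended `default = true`; keep that with `enable = lib.mkEnableOption "system firewall" // { default = true; };`. The `networkManager.enable` declaration in the next hunk regresses from an intended `default = true` to false in the same way and would take the same override.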
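Review bot: `enable = lib.mkForce cfg.networkManager.enable;` pins the value at force priority, so with `network.networkManager.enable` left at its false default every host importing this module has NetworkManager forced off, and no other module (a desktop-environment module, for instance) can turn it back on without a conflicting mkForce. A plain `enable = cfg.networkManager.enable;`, or `lib.mkDefault` if this module is meant to lose to host-level settings, keeps the option overridable; if the force is deliberate, a comment on the line saying what it is meant to beat would help the next reader. The `lib.flatten` rewrite of `allowedTCPPorts`/`allowedUDPPorts` replaces a call that passed all the port lists as extra arguments to one `lib.optionals`, which could not have worked, so that part is a genuine fix.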
@@ -13,7 +13,13 @@ in {
 interfaces = lib.mkOption {
 type = lib.types.listOf lib.types.str;
 default = ["127.0.0.1"];
- description = "Network interfaces BIND should listen on";
+ description = "Network interfaces BIND should listen on (IPv4)";
+ };
+
+ interfaces6 = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = ["::1"];
+ description = "Network interfaces BIND should listen on (IPv6)";
 };
 zones = lib.mkOption {
@@ -69,18 +75,12 @@ in {
 };
 };
- # Validate that only one DNS server is enabled
- imports = [
- (lib.mkIf (cfg.bind.enable && cfg.technitium.enable) (throw "Only one DNS server can be enabled at a time"))
- ];
-
- # Implementation of the configuration
 config = lib.mkMerge [
- # BIND DNS Server Configuration
 (lib.mkIf cfg.bind.enable {
- services.named = {
+ services.bind = {
 enable = true;
- interfaces = cfg.bind.settings.interfaces;
+ listenOn = cfg.bind.settings.interfaces;
+ listenOnIpv6 = cfg.bind.settings.interfaces6;
 zones = map (zone: {
 name = zone.name;
@@ -97,9 +97,7 @@ in {
 environment.systemPackages = [pkgs.bind];
 })
- # Technitium DNS Server Configuration
 (lib.mkIf cfg.technitium.enable {
- # Create a systemd service for Technitium
 systemd.services.technitium-dns = {
 description = "Technitium DNS Server";
 wantedBy = ["multi-user.target"];
@@ -123,8 +121,8 @@ in {
 };
 networking.firewall = {
- allowedTCPPorts = [cfg.technitium.settings.port];
- allowedUDPPorts = [cfg.technitium.settings.port];
+ allowedTCPPorts = [53 cfg.technitium.settings.port];
+ allowedUDPPorts = [53 cfg.technitium.settings.port];
 };
 environment.systemPackages = [pkgs.technitium];
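Review bot: The description `"Network interfaces BIND should listen on (IPv4)"` is misleading about what the option holds: the default `["127.0.0.1"]` (and `["::1"]` for the new `interfaces6`) are addresses, and the later hunk feeds them to `services.bind.listenOn`/`listenOnIpv6`, which end up in BIND's `listen-on` blocks where addresses, not interface names, are expected. Suggest `description = "IPv4 addresses BIND should listen on";` and the IPv6 counterpart, so nobody puts an interface name there.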
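Review bot: The bind/technitium mutual-exclusion check is deleted without a replacement, so enabling both now yields two services contending for port 53 instead of an evaluation error. The removed form (a `throw` inside `imports`) could never have worked, since `imports` cannot depend on `config`, but the intent is easy to keep as one more element of the `lib.mkMerge` list: `{ assertions = [ { assertion = !(cfg.bind.enable && cfg.technitium.enable); message = "Only one DNS server can be enabled at a time"; } ]; }`. The `services.named` to `services.bind` rename and the `listenOn`/`listenOnIpv6` split agree with the options declared in the first hunk.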
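Review bot: `allowedTCPPorts = [53 cfg.technitium.settings.port];` (and the UDP twin) now opens port 53 on every interface whenever technitium is enabled, on top of `settings.port`, which I take to be the management console but cannot confirm from this hunk; valefor, a workstation that enables `dns.technitium` in this same commit, thereby exposes both the resolver and that port to any network it joins. Keeping this opt-in, via an `openFirewall` option on the technitium settings that defaults to false, or by scoping the rule with `networking.firewall.interfaces.<name>.allowedTCPPorts`, would match how the rest of core.nix treats ports. The enclosing `lib.mkIf cfg.technitium.enable` block starts outside the hunk.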