From c8990196b72ac0ef4131427017c7e25c74c769c7 Mon Sep 17 00:00:00 2001
From: "Wyatt J. Miller"
Date: Sat, 4 Jan 2025 16:02:31 -0500
Subject: [PATCH 01/10] wip: added valefor machine config
---
modules/machine/valefor/configuration.nix | 113 ++++++++++++++++++
modules/machine/valefor/default.nix | 6 +
.../valefor/hardware-configuration.nix | 0
3 files changed, 119 insertions(+)
create mode 100644 modules/machine/valefor/configuration.nix
create mode 100644 modules/machine/valefor/default.nix
create mode 100644 modules/machine/valefor/hardware-configuration.nix
diff --git a/modules/machine/valefor/configuration.nix b/modules/machine/valefor/configuration.nix
new file mode 100644
index 0000000..04b5fd7
--- /dev/null
+++ b/modules/machine/valefor/configuration.nix
@@ -0,0 +1,113 @@
+{
+ config,
+ lib,
+ pkgs,
+ userName,
+ ...
+}: {
+ imports = [
+ ../../graphics
+ ../../pwrMgmt
+ ../../networking/core.nix
+ ../../networking/dns.nix
+ ../../virtualization/podman.nix
+ ];
+
+ # Enable flakes for NixOS
+ nix.settings.experimental-features = ["nix-command" "flakes"];
+
+ # Custom kernel/boot stuff
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # Enable Bluetooth if present
+ hardware.bluetooth.enable = true;
+
+ # Set your timezone
+ time.timeZone = "America/Detroit";
+
+ # Install packages to be installed system-wide
+ environment.systemPackages = with pkgs; [
+ vim
+ neovim
+ git
+ patchelf
+ ];
+
+ # Set the EDITOR global environment variable to neovim
+ environment.variables.EDITOR = "nvim";
+
+ # Enable OpenSSH
+ services.openssh.enable = true;
+
+ # Enable keyring
+ services.gnome.gnome-keyring.enable = true;
+
+ # Enable GnuPG
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+
+ # Enable SUID wrappers (some programs need them)
+ programs.mtr.enable = true;
+
+ # Enable Polkit
+ security.polkit.enable = true;
+
+ # Graphics module (../../graphics/default.nix)
+ graphics = {
+ enable = true;
+ gpuVendor = "intel";
+ wayland.enable = true;
+ vulkan.enable = true;
+ };
+
+ # Power management (see ../../pwrMgmt/default.nix)
+ pwrMgmt = {
+ enable = true;
+ cpuFreqGovernor = "performance";
+ powertop.enable = false;
+ };
+
+ # Podman module (see ../../virtualization/podman.nix)
+ podman = {
+ enable = true;
+ extraPackages = with pkgs; [
+ docker-credential-helpers
+ toolbox
+ cosign
+ crane
+ podman-tui
+ podman-desktop
+ ];
+ };
+
+ # Core networking module (see ../../networking/core.nix)
+ networking = {
+ firewall = {
+ enable = true;
+ udpPorts = {
+ dns.enable = true;
+ }
+ };
+ networkmanager.enable = true;
+ udpPorts.dns.enable = true;
+ };
+
+ # DNS module (see ../../networking/dns.nix)
+ dns = {
+ technitium = {
+ enable = true;
+ }
+ };
+
+ # Enable dconf
+ programs.dconf.enable = true;
+
+ # Add username to groups "wheel" and "video" - more may be added here later
+ users.users.${userName}.extraGroups = ["wheel" "podman" "network"];
+
+ system.stateVersion = "24.11";
+}
diff --git a/modules/machine/valefor/default.nix b/modules/machine/valefor/default.nix
new file mode 100644
index 0000000..187a110
--- /dev/null
+++ b/modules/machine/valefor/default.nix
@@ -0,0 +1,6 @@
+{...}: {
+ imports = [
+ ./configuration.nix
+ ./hardware-configuration.nix
+ ];
+}
diff --git a/modules/machine/valefor/hardware-configuration.nix b/modules/machine/valefor/hardware-configuration.nix
new file mode 100644
index 0000000..e69de29
-- 2.45.2
From 30b7d23b3a24e690131e0eab00a67e6d49b4c017 Mon Sep 17 00:00:00 2001
From: "Wyatt J. Miller"
Date: Sat, 4 Jan 2025 18:10:18 -0500
Subject: [PATCH 02/10] added hardware config for valefor
---
flake.nix | 30 +++++++-------
.../valefor/hardware-configuration.nix | 39 +++++++++++++++++++
2 files changed, 54 insertions(+), 15 deletions(-)
diff --git a/flake.nix b/flake.nix
index 63300fe..2276c7a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -82,21 +82,21 @@
inherit userName userEmail;
hostname = "valefor";
};
- # modules = [
- # nix-ld.nixosModules.nix-ld
- # ./modules/nix-core.nix
- # ./modules/host-users.nix
- #
- # home-manager.nixosModules.home-manager
- # {
- # home-manager.useGlobalPkgs = true;
- # home-manager.useUserPackages = true;
- # home-manager.extraSpecialArgs = extraSpecialArgs;
- # home-manager.users.${userName}.imports = [
- # ./home
- # ];
- # }
- # ];
+ modules = [
+ nix-ld.nixosModules.nix-ld
+ ./modules/nix-core.nix
+ ./modules/host-users.nix
+
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.extraSpecialArgs = extraSpecialArgs;
+ home-manager.users.${userName}.imports = [
+ ./home
+ ];
+ }
+ ];
};
# Storage, status, game, and media server
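Review bot: `services.openssh.enable = true;` brings up sshd with NixOS's defaults, which do not turn password authentication off and open the SSH port in the firewall through `openFirewall`; pin `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "no";` next to it so key-only access is explicit. The comment above `users.users.${userName}.extraGroups` still says `"wheel"` and `"video"` while the list is `["wheel" "podman" "network"]`; update it to name the real groups. I cannot tell from this series whether a `network` group exists on the host; NixOS's NetworkManager polkit rule keys on the `networkmanager` group, so check which one is meant.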
diff --git a/modules/machine/valefor/hardware-configuration.nix b/modules/machine/valefor/hardware-configuration.nix
index e69de29..abd4c35 100644
--- a/modules/machine/valefor/hardware-configuration.nix
+++ b/modules/machine/valefor/hardware-configuration.nix
@@ -0,0 +1,39 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/ff89bde1-4b33-4277-b649-b92700b2406c";
+ fsType = "xfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/3A4B-6866";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
-- 2.45.2
From 65bf72cd5be0e2e6863032630d51829a1f5d0d22 Mon Sep 17 00:00:00 2001
From: "Wyatt J. Miller"
Date: Sat, 4 Jan 2025 18:16:47 -0500
Subject: [PATCH 03/10] fixed syntax errors
---
modules/machine/valefor/configuration.nix | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/modules/machine/valefor/configuration.nix b/modules/machine/valefor/configuration.nix
index 04b5fd7..1b23678 100644
--- a/modules/machine/valefor/configuration.nix
+++ b/modules/machine/valefor/configuration.nix
@@ -90,17 +90,16 @@
enable = true;
udpPorts = {
dns.enable = true;
- }
+ };
};
networkmanager.enable = true;
- udpPorts.dns.enable = true;
};
# DNS module (see ../../networking/dns.nix)
dns = {
technitium = {
enable = true;
- }
+ };
};
# Enable dconf
-- 2.45.2
From 539f0db8d115639068d4758058e7e7e24e9c4b0c Mon Sep 17 00:00:00 2001
From: "Wyatt J. Miller"
Date: Sat, 4 Jan 2025 18:20:00 -0500
Subject: [PATCH 04/10] fixed valefor config again very obv
---
flake.nix | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/flake.nix b/flake.nix
index 2276c7a..21e9401 100644
--- a/flake.nix
+++ b/flake.nix
@@ -84,9 +84,9 @@
};
modules = [
nix-ld.nixosModules.nix-ld
- ./modules/nix-core.nix
- ./modules/host-users.nix
-
+ ./modules/common
+ ./modules/machine/valefor
+
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
-- 2.45.2
From 1484f3a04e5c59bf8527e75d638456acdb7e1a4d Mon Sep 17 00:00:00 2001
From: "Wyatt J. Miller"
Date: Sat, 4 Jan 2025 18:23:17 -0500
Subject: [PATCH 05/10] be more explicit in defining dns
---
modules/machine/valefor/configuration.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/machine/valefor/configuration.nix b/modules/machine/valefor/configuration.nix
index 1b23678..b61ecab 100644
--- a/modules/machine/valefor/configuration.nix
+++ b/modules/machine/valefor/configuration.nix
@@ -100,6 +100,7 @@
technitium = {
enable = true;
};
+ bind.enable = false;
};
# Enable dconf
-- 2.45.2
From 1f5eda31b2a2c02aa64d69249c4907161e089614 Mon Sep 17 00:00:00 2001
From: "Wyatt J. Miller"
Date: Sat, 4 Jan 2025 18:46:37 -0500
Subject: [PATCH 06/10] removed throw, renamed services.named to services.bind
---
modules/networking/dns.nix | 15 +++------------
1 file changed, 3 insertions(+), 12 deletions(-)
diff --git a/modules/networking/dns.nix b/modules/networking/dns.nix
index 1a94c8b..fc9b9a1 100644
--- a/modules/networking/dns.nix
+++ b/modules/networking/dns.nix
@@ -69,16 +69,9 @@ in {
};
};
- # Validate that only one DNS server is enabled
- imports = [
- (lib.mkIf (cfg.bind.enable && cfg.technitium.enable) (throw "Only one DNS server can be enabled at a time"))
- ];
-
- # Implementation of the configuration
config = lib.mkMerge [
- # BIND DNS Server Configuration
(lib.mkIf cfg.bind.enable {
- services.named = {
+ services.bind = {
enable = true;
interfaces = cfg.bind.settings.interfaces;
zones =
@@ -97,9 +90,7 @@ in {
environment.systemPackages = [pkgs.bind];
})
- # Technitium DNS Server Configuration
(lib.mkIf cfg.technitium.enable {
- # Create a systemd service for Technitium
systemd.services.technitium-dns = {
description = "Technitium DNS Server";
wantedBy = ["multi-user.target"];
@@ -123,8 +114,8 @@ in {
};
networking.firewall = {
- allowedTCPPorts = [cfg.technitium.settings.port];
- allowedUDPPorts = [cfg.technitium.settings.port];
+ allowedTCPPorts = [53 cfg.technitium.settings.port];
+ allowedUDPPorts = [53 cfg.technitium.settings.port];
};
environment.systemPackages = [pkgs.technitium];
-- 2.45.2
From f10c3e7a8c8010570cb4802a58da614811926517 Mon Sep 17 00:00:00 2001
From: "Wyatt J. Miller"
Date: Sat, 4 Jan 2025 18:51:51 -0500
Subject: [PATCH 07/10] fixed bind interfaces
---
modules/machine/valefor/configuration.nix | 15 ++------------
modules/networking/dns.nix | 11 +++++++++--
2 files changed, 11 insertions(+), 15 deletions(-)
diff --git a/modules/machine/valefor/configuration.nix b/modules/machine/valefor/configuration.nix
index b61ecab..bb96494 100644
--- a/modules/machine/valefor/configuration.nix
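Review bot: Dropping the `imports`-based `throw` also drops the only guard against `cfg.bind.enable` and `cfg.technitium.enable` both being true, so a host that sets both now gets two services contending for port 53 with no evaluation-time error. The idiomatic replacement is a module assertion inside the `lib.mkMerge` list, e.g. `{ assertions = [ { assertion = !(cfg.bind.enable && cfg.technitium.enable); message = "Only one DNS server can be enabled at a time"; } ]; }`, which fails the build with the same message instead of aborting evaluation from within `imports`. The `config = lib.mkMerge [` list continues past the end of this hunk.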
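Review bot: The added `53` entries open the resolver on every interface the firewall covers, and `cfg.technitium.settings.port` is opened alongside it for both TCP and UDP; if that port is Technitium's web console (this hunk does not show what it is), the console becomes reachable from the network rather than only from the host. Consider opening 53 only behind an explicit option, mirroring how the bind branch takes its listen addresses from `cfg.bind.settings.interfaces`, and scoping the console port with `networking.firewall.interfaces.<name>.allowedTCPPorts` instead of the global list; the UDP entry for a console port is unnecessary if it only serves HTTP. The `lib.mkIf cfg.technitium.enable` block starts before this hunk.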
+++ b/modules/machine/valefor/configuration.nix
@@ -86,26 +86,15 @@
# Core networking module (see ../../networking/core.nix)
networking = {
- firewall = {
- enable = true;
- udpPorts = {
- dns.enable = true;
- };
- };
+ firewall.enable = true;
networkmanager.enable = true;
};
# DNS module (see ../../networking/dns.nix)
dns = {
- technitium = {
- enable = true;
- };
- bind.enable = false;
+ technitium.enable = true;
};
- # Enable dconf
- programs.dconf.enable = true;
-
# Add username to groups "wheel" and "video" - more may be added here later
users.users.${userName}.extraGroups = ["wheel" "podman" "network"];
diff --git a/modules/networking/dns.nix b/modules/networking/dns.nix
index fc9b9a1..2d0ccb0 100644
--- a/modules/networking/dns.nix
+++ b/modules/networking/dns.nix
@@ -13,7 +13,13 @@ in {
interfaces = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = ["127.0.0.1"];
- description = "Network interfaces BIND should listen on";
+ description = "Network interfaces BIND should listen on (IPv4)";
+ };
+
+ interfaces6 = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = ["::1"];
+ description = "Network interfaces BIND should listen on (IPv6)";
};
zones = lib.mkOption {
@@ -73,7 +79,8 @@ in {
(lib.mkIf cfg.bind.enable {
services.bind = {
enable = true;
- interfaces = cfg.bind.settings.interfaces;
+ listenOn = cfg.bind.settings.interfaces;
+ listenOnIpv6 = cfg.bind.settings.interfaces6;
zones =
map (zone: {
name = zone.name;
-- 2.45.2
From a1eb9b74c29770e239d423d29741f5c63c5d8a10 Mon Sep 17 00:00:00 2001
From: "Wyatt J. Miller"
Date: Sat, 4 Jan 2025 18:56:53 -0500
Subject: [PATCH 08/10] fixed networkmanager
---
modules/networking/core.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/networking/core.nix b/modules/networking/core.nix
index 98d8ef1..cc0eada 100644
--- a/modules/networking/core.nix
+++ b/modules/networking/core.nix
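Review bot: `programs.dconf.enable = true;` and its comment are deleted here although the subject is "fixed bind interfaces" and nothing in the hunk replaces it; `services.gnome.gnome-keyring.enable = true;` earlier in this file is kept, and whether it still works without dconf is not something this hunk shows. Either restore the line or state the removal and its reason in the commit message so it is not taken for an accidental drop.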
@@ -137,7 +137,7 @@ in {
};
networking.networkmanager = {
- enable = cfg.networkManager.enable;
+ enable = lib.mkForce cfg.networkManager.enable;
packages = cfg.networkManager.extraPlugins;
};
};
-- 2.45.2
From b5b66f1c1b71f1d9879a7ff4cbe4827b4e5640d3 Mon Sep 17 00:00:00 2001
From: "Wyatt J. Miller"
Date: Sat, 4 Jan 2025 19:07:36 -0500
Subject: [PATCH 09/10] redefining custom networking namespace
---
modules/machine/cloud/configuration.nix | 3 ++-
modules/machine/valefor/configuration.nix | 2 +-
modules/networking/core.nix | 7 +++----
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/modules/machine/cloud/configuration.nix b/modules/machine/cloud/configuration.nix
index cde372b..08b6b10 100644
--- a/modules/machine/cloud/configuration.nix
+++ b/modules/machine/cloud/configuration.nix
@@ -23,6 +23,7 @@ in {
../../apps/gaming.nix
../../graphics
../../pwrMgmt
+ ../../networking/core.nix
../../sound/pipewire.nix
../../sound/shairport.nix
../../virtualization/podman.nix
@@ -140,7 +141,7 @@ in {
};
# Core networking module (see ../../networking/core.nix)
- networking = {
+ network = {
firewall.enable = true;
networkmanager.enable = true;
};
diff --git a/modules/machine/valefor/configuration.nix b/modules/machine/valefor/configuration.nix
index bb96494..9e657c5 100644
--- a/modules/machine/valefor/configuration.nix
+++ b/modules/machine/valefor/configuration.nix
@@ -85,7 +85,7 @@
};
# Core networking module (see ../../networking/core.nix)
- networking = {
+ network = {
firewall.enable = true;
networkmanager.enable = true;
};
diff --git a/modules/networking/core.nix b/modules/networking/core.nix
index cc0eada..613237c 100644
--- a/modules/networking/core.nix
+++ b/modules/networking/core.nix
@@ -3,10 +3,9 @@
lib,
...
}: let
- cfg = config.networking;
+ cfg = config.network;
in {
- options.networking = {
- # Firewall Configuration
+ options.network = {
firewall = {
enable = lib.mkEnableOption {
type = lib.types.bool;
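Review bot: `lib.mkForce` on `networking.networkmanager.enable` wins over every other definition of that option, so a machine module that later needs NetworkManager off cannot do so without its own `mkForce`, and a genuine double definition is hidden rather than reported. The conflict this papers over looks like the custom `options.networking` namespace in this module colliding with NixOS's own `networking` options, which the next commit renames to `network`; once that rename lands, the plain `enable = cfg.networkManager.enable;` can return. The later core.nix refactor still carries the `mkForce` as context.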
@@ -111,7 +110,7 @@ in {
};
config = {
- networking.firewall = {
+ network.firewall = {
enable = cfg.firewall.enable;
allowedTCPPorts =
-- 2.45.2
From 1c054207b2adeeec2748f9b63f308089d5132a44 Mon Sep 17 00:00:00 2001
From: "Wyatt J. Miller"
Date: Sat, 4 Jan 2025 19:27:42 -0500
Subject: [PATCH 10/10] refactored custom core networking
---
modules/networking/core.nix | 129 ++++++++----------------------
1 file changed, 27 insertions(+), 102 deletions(-)
diff --git a/modules/networking/core.nix b/modules/networking/core.nix
index 613237c..1db0c63 100644
--- a/modules/networking/core.nix
+++ b/modules/networking/core.nix
@@ -7,85 +7,24 @@ in {
options.network = {
firewall = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = true;
- description = "Enable system firewall";
- };
-
+ enable = lib.mkEnableOption "system firewall";
tcpPorts = {
- # Predefined, default common service ports
- ssh = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open SSH service port (22)";
- };
- };
- web = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open common web service ports (80, 443)";
- };
- };
- smtp = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open SMTP service ports (25, 465, 587)";
- };
- };
- imap = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open IMAP service ports (143, 993)";
- };
- };
- mysql = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open MySQL service port (3306)";
- };
- };
- mssql = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open Microsoft SQL Server service port (1433)";
- };
- };
- postgres = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open Postgres service port (5432)";
- };
- };
+ ssh.enable = lib.mkEnableOption "SSH service port (22)";
+ web.enable = lib.mkEnableOption "common web service ports (80, 443)";
+ smtp.enable = lib.mkEnableOption "SMTP service ports (25, 465, 587)";
+ imap.enable = lib.mkEnableOption "IMAP service ports (143, 993)";
+ mysql.enable = lib.mkEnableOption "MySQL service port (3306)";
+ mssql.enable = lib.mkEnableOption "Microsoft SQL Server service port (1433)";
+ postgres.enable = lib.mkEnableOption "Postgres service port (5432)";
allowedPorts = lib.mkOption {
type = lib.types.listOf lib.types.port;
default = [];
description = "List of custom TCP ports to open";
};
};
udpPorts = {
-
dns = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open DNS service port (53)";
- };
- };
- ntp = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = false;
- description = "Open NTP service port (123)";
- };
- };
+ dns.enable = lib.mkEnableOption "DNS service port (53)";
+ ntp.enable = lib.mkEnableOption "NTP service port (123)";
allowedPorts = lib.mkOption {
type = lib.types.listOf lib.types.port;
default = [];
@@ -93,14 +32,8 @@ in {
};
};
};
-
networkManager = {
- enable = lib.mkEnableOption {
- type = lib.types.bool;
- default = true;
- description = "Enable NetworkManager for network connection management";
- };
-
+ enable = lib.mkEnableOption "NetworkManager for network connection management";
extraPlugins = lib.mkOption {
type = lib.types.listOf lib.types.package;
default = [];
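Review bot: `enable = lib.mkEnableOption "system firewall";` defaults to `false`, and the third hunk of this patch assigns it unconditionally via `networking.firewall.enable = cfg.firewall.enable;`, so any host that imports core.nix without setting `network.firewall.enable = true` now gets the NixOS firewall switched off (NixOS's own default is on). The previous, malformed definition at least intended `default = true`. Keep the opt-out default with `enable = lib.mkEnableOption "system firewall" // { default = true; };`, and the same applies to `networkManager.enable` in the second hunk if NetworkManager is meant to stay on by default. Alternatively wrap the firewall assignment in `lib.mkIf cfg.firewall.enable` so an unset option leaves NixOS's default untouched.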
@@ -108,33 +41,25 @@ in {
};
};
};
- config = {
+ config = {
- network.firewall = {
+ networking.firewall = {
enable = cfg.firewall.enable;
-
- allowedTCPPorts =
- (
- lib.optionals
- cfg.firewall.tcpPorts.ssh.enable [22]
- cfg.firewall.tcpPorts.web.enable [80 443]
- cfg.firewall.tcpPorts.smtp.enable [25 465 587]
- cfg.firewall.tcpPorts.imap.enable [143 993]
- cfg.firewall.tcpPorts.mysql.enable [3306]
- cfg.firewall.tcpPorts.mssql.enable [1433]
- cfg.firewall.tcpPorts.postgres.enable [5432]
- )
- ++ cfg.firewall.tcpPorts.allowedPorts;
-
- allowedUDPPorts =
- (
- lib.optionals
- cfg.firewall.udpPorts.dns.enable [53]
- cfg.firewall.udpPorts.ntp.enable [123]
- )
- ++ cfg.firewall.udpPorts.allowedPorts;
+ allowedTCPPorts = lib.flatten [
+ (lib.optionals cfg.firewall.tcpPorts.ssh.enable [22])
+ (lib.optionals cfg.firewall.tcpPorts.web.enable [80 443])
+ (lib.optionals cfg.firewall.tcpPorts.smtp.enable [25 465 587])
+ (lib.optionals cfg.firewall.tcpPorts.imap.enable [143 993])
+ (lib.optionals cfg.firewall.tcpPorts.mysql.enable [3306])
+ (lib.optionals cfg.firewall.tcpPorts.mssql.enable [1433])
+ (lib.optionals cfg.firewall.tcpPorts.postgres.enable [5432])
+ cfg.firewall.tcpPorts.allowedPorts
+ ];
+ allowedUDPPorts = lib.flatten [
+ (lib.optionals cfg.firewall.udpPorts.dns.enable [53])
+ (lib.optionals cfg.firewall.udpPorts.ntp.enable [123])
+ cfg.firewall.udpPorts.allowedPorts
+ ];
};
-
networking.networkmanager = {
enable = lib.mkForce cfg.networkManager.enable;
packages = cfg.networkManager.extraPlugins;
-- 2.45.2