{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.c.kelder) domain prefixes;
in
{
imports = [ ./containers ];
nixos.systems.kelder = {
system = "x86_64-linux";
nixpkgs = "mine";
home-manager = "mine";
assignments = {
estuary = {
ipv4 ={
address = net.cidr.host 0 lib.my.c.colony.prefixes.vip2;
mask = 32;
gateway = null;
};
};
ctrs = {
name = "kelder-ctrs";
inherit domain;
ipv4 = {
address = net.cidr.host 1 prefixes.ctrs.v4;
gateway = null;
};
};
};
configuration = { lib, pkgs, modulesPath, config, systems, assignments, allAssignments, ... }:
let
inherit (builtins) mapAttrs;
inherit (lib) mkIf mkMerge mkForce;
inherit (lib.my) networkdAssignment;
vpnTable = 51820;
dnatMark = 123;
in
{
imports = [ ./boot.nix ];
config = {
hardware = {
enableRedistributableFirmware = true;
cpu = {
intel.updateMicrocode = true;
};
};
boot = {
loader = {
efi.canTouchEfiVariables = true;
timeout = 5;
};
kernelPackages = lib.my.c.kernel.lts pkgs;
kernelModules = [ "kvm-intel" ];
kernelParams = [ "intel_iommu=on" ];
initrd = {
availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" "usb_storage" "sd_mod" ];
kernelModules = [ "dm-snapshot" "pcspkr" ];
};
};
fileSystems = {
"/boot" = {
device = "/dev/disk/by-partuuid/cba48ae7-ad2f-1a44-b5c7-dcbb7bebf8c4";
fsType = "vfat";
};
"/nix" = {
device = "/dev/disk/by-uuid/0aab0249-700f-4856-8e16-7be3695295f5";
fsType = "ext4";
};
"/persist" = {
device = "/dev/disk/by-uuid/8c01e6b5-bdbf-4e5c-a33b-8693959ebe8a";
fsType = "ext4";
neededForBoot = true;
};
"/mnt/storage" = {
device = "/dev/disk/by-partuuid/58a2e2a8-0321-ed4e-9eed-0ac7f63acb26";
fsType = "ext4";
};
};
users = {
groups = with lib.my.c.kelder.groups; {
storage.gid = storage;
media.gid = media;
};
users = {
"${config.my.user.config.name}".extraGroups = [ "storage" "media" ];
};
};
environment = {
systemPackages = with pkgs; [
wireguard-tools
];
};
services = {
fstrim.enable = true;
lvm = {
boot.thin.enable = true;
dmeventd.enable = true;
};
getty = {
greetingLine = ''Welcome to ${config.system.nixos.distroName} ${config.system.nixos.label} (\m) - \l'';
helpLine = "\nCall Jack for help.";
};
smartd = {
enable = true;
autodetect = true;
extraOptions = [ "-A /var/log/smartd/" "--interval=600" ];
};
netdata = {
enable = true;
};
samba = {
enable = true;
enableNmbd = true;
shares = {
storage = {
path = "/mnt/storage";
browseable = "yes";
writeable = "yes";
"create mask" = "0664";
"directory mask" = "0775";
};
};
};
samba-wsdd.enable = true;
minecraft-server = {
enable = false;
package = pkgs.minecraftServers.vanilla-1-20;
declarative = true;
eula = true;
whitelist = {
devplayer0 = "6d7d971b-ce10-435b-85c5-c99c0d8d288c";
Elderlypug = "dcd2ecb9-2b5e-49cb-9d4f-f5a76162df56";
shr3kas0ras = "1d366062-12c0-4e29-aba7-6ab5d8c6bb05";
};
serverProperties = {
motd = "Simpcraft";
white-list = true;
};
};
};
networking = {
inherit domain;
};
system.nixos.distroName = "KelderOS";
systemd = {
tmpfiles.rules = [
"d /var/log/smartd 0755 root root"
];
network = {
netdevs = {
"25-ctrs".netdevConfig = {
Name = "ctrs";
Kind = "bridge";
};
"30-estuary" = {
netdevConfig = {
Name = "estuary";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."kelder/estuary-wg.key".path;
RouteTable = vpnTable;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "bP1XUNxp9i8NLOXhgPaIaRzRwi5APbam44/xjvYcyjU=";
Endpoint = "estuary-vm.${lib.my.c.colony.domain}:${toString lib.my.c.kelder.vpn.port}";
AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25;
};
}
];
};
};
links = {
"10-et1g0" = {
matchConfig.MACAddress = "74:d4:35:e9:a1:73";
linkConfig.Name = "et1g0";
};
};
networks = {
"50-lan" = {
matchConfig.Name = "et1g0";
DHCP = "yes";
};
"80-ctrs" = mkMerge [
(networkdAssignment "ctrs" assignments.ctrs)
{
networkConfig.IPv6AcceptRA = mkForce false;
}
];
"95-estuary" = {
matchConfig.Name = "estuary";
address = with assignments.estuary; [
(with ipv4; "${address}/${toString mask}")
];
routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
{
Family = "both";
SuppressPrefixLength = 0;
Table = "main";
Priority = 100;
}
{
From = assignments.estuary.ipv4.address;
Table = vpnTable;
Priority = 100;
}
{
FirewallMark = dnatMark;
Table = vpnTable;
Priority = 100;
}
];
};
};
};
services = {
"systemd-nspawn@kelder-acquisition".serviceConfig.DeviceAllow = [
# For hardware acceleration in Jellyfin
"char-drm rw"
];
ddns-update = {
description = "DNS update script";
after = [ "network.target" ];
path = [
(pkgs.python3.withPackages (ps: [ ps.cloudflare ]))
pkgs.iproute2
];
serviceConfig = {
Type = "oneshot";
ExecStart = ''${./dns_update.py} -k ${config.age.secrets."kelder/ddclient-cloudflare.key".path} hentai.engineer kelder-local.hentai.engineer et1g0'';
};
wantedBy = [ "multi-user.target" ];
};
};
timers = {
ddns-update = {
description = "Periodically update DNS";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "10min";
OnUnitInactiveSec = "10min";
};
};
};
};
my = {
server.enable = true;
user = {
config.name = "kontent";
};
#deploy.node.hostname = "10.16.9.21";
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFvUdJshXkqmchEgkZDn5rgtZ1NO9vbd6Px+S6YioWi";
files = {
"kelder/estuary-wg.key" = {
owner = "systemd-network";
};
"kelder/ddclient-cloudflare.key" = {};
};
};
firewall = {
trustedInterfaces = [ "ctrs" ];
tcp.allowed = [ 25565 ];
udp.allowed = [ 25565 ];
nat = {
enable = true;
externalInterface = "{ et1g0, estuary }";
forwardPorts = [
{
port = "http";
dst = allAssignments.kelder-spoder.internal.ipv4.address;
}
{
port = "https";
dst = allAssignments.kelder-spoder.internal.ipv4.address;
}
];
};
extraRules = ''
table inet filter {
chain input {
iifname et1g0 tcp dport { 139, 445, 5357 } accept
iifname et1g0 udp dport { 137, 138, 3702 } accept
}
}
table inet raw {
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
ip daddr ${assignments.estuary.ipv4.address} ct state new ct mark set ${toString dnatMark}
ip saddr ${lib.my.c.kelder.prefixes.all.v4} ct mark != 0 meta mark set ct mark
}
chain output {
type filter hook output priority mangle; policy accept;
ct mark != 0 meta mark set ct mark
}
}
table inet nat {
chain postrouting {
ip saddr ${lib.my.c.kelder.prefixes.all.v4} oifname et1g0 masquerade
}
}
'';
};
containers.instances =
let
instances = {
kelder-acquisition = {
bindMounts = {
"/dev/dri".readOnly = false;
"/mnt/media" = {
hostPath = "/mnt/storage/media";
readOnly = false;
};
};
};
kelder-spoder = {
bindMounts = {
"/mnt/storage".readOnly = false;
};
};
};
in
mkMerge [
instances
(mapAttrs (n: i: {
networking.bridge = "ctrs";
}) instances)
];
};
};
};
};
}