{ lib, ... }: let inherit (lib.my) net; inherit (lib.my.c.kelder) domain prefixes ipv4MTU; in { imports = [ ./containers ]; nixos.systems.kelder = { system = "x86_64-linux"; nixpkgs = "mine"; home-manager = "mine"; assignments = { estuary = { ipv4 ={ address = net.cidr.host 0 lib.my.c.colony.prefixes.vip2; mask = 32; gateway = null; }; }; ctrs = { name = "kelder-ctrs"; inherit domain; ipv4 = { address = net.cidr.host 1 prefixes.ctrs.v4; gateway = null; }; }; }; configuration = { lib, pkgs, modulesPath, config, systems, assignments, allAssignments, ... }: let inherit (builtins) mapAttrs; inherit (lib) mkIf mkMerge mkForce; inherit (lib.my) networkdAssignment; vpnTable = 51820; dnatMark = 123; in { imports = [ ./boot.nix ]; config = { hardware = { enableRedistributableFirmware = true; cpu = { intel.updateMicrocode = true; }; }; boot = { loader = { efi.canTouchEfiVariables = true; timeout = 5; }; kernelPackages = lib.my.c.kernel.lts pkgs; kernelModules = [ "kvm-intel" ]; kernelParams = [ "intel_iommu=on" ]; initrd = { availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" "usb_storage" "sd_mod" ]; kernelModules = [ "dm-snapshot" "pcspkr" ]; }; }; fileSystems = { "/boot" = { device = "/dev/disk/by-partuuid/cba48ae7-ad2f-1a44-b5c7-dcbb7bebf8c4"; fsType = "vfat"; }; "/nix" = { device = "/dev/disk/by-uuid/0aab0249-700f-4856-8e16-7be3695295f5"; fsType = "ext4"; }; "/persist" = { device = "/dev/disk/by-uuid/8c01e6b5-bdbf-4e5c-a33b-8693959ebe8a"; fsType = "ext4"; neededForBoot = true; }; "/mnt/storage" = { device = "/dev/disk/by-partuuid/58a2e2a8-0321-ed4e-9eed-0ac7f63acb26"; fsType = "ext4"; }; }; users = { groups = with lib.my.c.kelder.groups; { storage.gid = storage; media.gid = media; }; users = { "${config.my.user.config.name}".extraGroups = [ "storage" "media" ]; }; }; environment = { systemPackages = with pkgs; [ wireguard-tools ]; }; services = { fstrim.enable = true; lvm = { boot.thin.enable = true; dmeventd.enable = true; }; getty = { greetingLine = ''Welcome to ${config.system.nixos.distroName} ${config.system.nixos.label} (\m) - \l''; helpLine = "\nCall Jack for help."; }; smartd = { enable = true; autodetect = true; extraOptions = [ "-A /var/log/smartd/" "--interval=600" ]; }; netdata = { enable = true; }; samba = { enable = true; enableNmbd = true; shares = { storage = { path = "/mnt/storage"; browseable = "yes"; writeable = "yes"; "create mask" = "0664"; "directory mask" = "0775"; }; }; }; samba-wsdd.enable = true; minecraft-server = { enable = false; package = pkgs.minecraftServers.vanilla-1-20; declarative = true; eula = true; whitelist = { devplayer0 = "6d7d971b-ce10-435b-85c5-c99c0d8d288c"; Elderlypug = "dcd2ecb9-2b5e-49cb-9d4f-f5a76162df56"; shr3kas0ras = "1d366062-12c0-4e29-aba7-6ab5d8c6bb05"; }; serverProperties = { motd = "Simpcraft"; white-list = true; }; }; }; networking = { inherit domain; }; system.nixos.distroName = "KelderOS"; systemd = { tmpfiles.rules = [ "d /var/log/smartd 0755 root root" ]; network = { netdevs = { "25-ctrs".netdevConfig = { Name = "ctrs"; Kind = "bridge"; }; "30-estuary" = { netdevConfig = { Name = "estuary"; Kind = "wireguard"; }; wireguardConfig = { PrivateKeyFile = config.age.secrets."kelder/estuary-wg.key".path; RouteTable = vpnTable; }; wireguardPeers = [ { wireguardPeerConfig = { PublicKey = "bP1XUNxp9i8NLOXhgPaIaRzRwi5APbam44/xjvYcyjU="; Endpoint = "${allAssignments.estuary.internal.ipv4.address}:${toString lib.my.c.kelder.vpn.port}"; AllowedIPs = [ "0.0.0.0/0" ]; PersistentKeepalive = 25; }; } ]; }; }; links = { "10-et1g0" = { matchConfig.MACAddress = "74:d4:35:e9:a1:73"; linkConfig.Name = "et1g0"; }; }; networks = { "50-lan" = { matchConfig.Name = "et1g0"; DHCP = "yes"; linkConfig.MTUBytes = toString ipv4MTU; }; "80-ctrs" = mkMerge [ (networkdAssignment "ctrs" assignments.ctrs) { networkConfig.IPv6AcceptRA = mkForce false; } ]; "95-estuary" = { matchConfig.Name = "estuary"; address = with assignments.estuary; [ (with ipv4; "${address}/${toString mask}") ]; routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [ { Family = "both"; SuppressPrefixLength = 0; Table = "main"; Priority = 100; } { From = assignments.estuary.ipv4.address; Table = vpnTable; Priority = 100; } { FirewallMark = dnatMark; Table = vpnTable; Priority = 100; } ]; }; }; }; services = { "systemd-nspawn@kelder-acquisition".serviceConfig.DeviceAllow = [ # For hardware acceleration in Jellyfin "char-drm rw" ]; ddns-update = { description = "DNS update script"; after = [ "network.target" ]; path = [ (pkgs.python3.withPackages (ps: [ ps.cloudflare ])) pkgs.iproute2 ]; serviceConfig = { Type = "oneshot"; ExecStart = ''${./dns_update.py} -k ${config.age.secrets."kelder/ddclient-cloudflare.key".path} hentai.engineer kelder-local.hentai.engineer et1g0''; }; wantedBy = [ "multi-user.target" ]; }; }; timers = { ddns-update = { description = "Periodically update DNS"; wantedBy = [ "timers.target" ]; timerConfig = { OnBootSec = "10min"; OnUnitInactiveSec = "10min"; }; }; }; }; my = { server.enable = true; user = { config.name = "kontent"; }; # deploy.node.hostname = "192.168.0.69"; secrets = { key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFvUdJshXkqmchEgkZDn5rgtZ1NO9vbd6Px+S6YioWi"; files = { "kelder/estuary-wg.key" = { owner = "systemd-network"; }; "kelder/ddclient-cloudflare.key" = {}; }; }; firewall = { trustedInterfaces = [ "ctrs" ]; tcp.allowed = [ 25565 ]; udp.allowed = [ 25565 ]; nat = { enable = true; externalInterface = "{ et1g0, estuary }"; forwardPorts = [ { port = "http"; dst = allAssignments.kelder-spoder.internal.ipv4.address; } { port = "https"; dst = allAssignments.kelder-spoder.internal.ipv4.address; } ]; }; extraRules = '' table inet filter { chain input { iifname et1g0 tcp dport { 139, 445, 5357 } accept iifname et1g0 udp dport { 137, 138, 3702 } accept } } table inet raw { chain prerouting { type filter hook prerouting priority mangle; policy accept; ip daddr ${assignments.estuary.ipv4.address} ct state new ct mark set ${toString dnatMark} ip saddr ${lib.my.c.kelder.prefixes.all.v4} ct mark != 0 meta mark set ct mark } chain output { type filter hook output priority mangle; policy accept; ct mark != 0 meta mark set ct mark } } table inet nat { chain postrouting { ip saddr ${lib.my.c.kelder.prefixes.all.v4} oifname et1g0 masquerade } } ''; }; containers.instances = let instances = { kelder-acquisition = { bindMounts = { "/dev/dri".readOnly = false; "/mnt/media" = { hostPath = "/mnt/storage/media"; readOnly = false; }; }; }; kelder-spoder = { bindMounts = { "/mnt/storage".readOnly = false; }; }; }; in mkMerge [ instances (mapAttrs (n: i: { networking.bridge = "ctrs"; }) instances) ]; }; }; }; }; }