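{ pkgs, config, lib, modulesPath, ... }:
let
  # Single source of truth for the k3s state directory. It is handed to k3s
  # via --data-dir and is also where the bootstrap manifest is linked, so the
  # two paths must never drift apart.
  k3sDataDir = "/mnt/data/k3s";
  k3sManifestDir = "${k3sDataDir}/server/manifests";
  # Extra TLS SAN for the k3s API server certificate (the host's FQDN).
  k3sTlsSan = "jefke.hyp";

  # Bootstrap manifest that k3s auto-applies from its manifests directory.
  # SECURITY: this binds the Kubernetes user "pim" to the built-in
  # cluster-admin ClusterRole, i.e. unrestricted access to the whole cluster.
  # Whoever holds a client credential for that user effectively has root on k3s.
  k3sBootstrapFile = pkgs.writeTextFile {
    name = "k3s-bootstrap";
    text = ''
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: pim-cluster-admin
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
      subjects:
        - apiGroup: rbac.authorization.k8s.io
          kind: User
          name: pim
    '';
  };
in
{
  imports = [
    # Hardware-scan stub: declares that nothing was auto-detected.
    (modulesPath + "/installer/scan/not-detected.nix")
    ./modules/disk-config.nix
    ./modules/custom
    ./modules/uptimed.nix
  ];

  boot = {
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];
    initrd = {
      availableKernelModules = [
        "ahci"
        "xhci_pci"
        "nvme"
        "usbhid"
        "usb_storage"
        "sd_mod"
        "sdhci_pci"
      ];
      kernelModules = [ ];
    };
    loader = {
      systemd-boot.enable = true;
      # Lets the bootloader installer write EFI NVRAM boot entries.
      efi.canTouchEfiVariables = true;
    };
  };

  time.timeZone = "Europe/Amsterdam";

  i18n = {
    defaultLocale = "en_US.UTF-8";
    # Every listed LC_* category uses the Dutch locale; messages stay en_US.
    extraLocaleSettings = lib.genAttrs [
      "LC_ADDRESS"
      "LC_IDENTIFICATION"
      "LC_MEASUREMENT"
      "LC_MONETARY"
      "LC_NAME"
      "LC_NUMERIC"
      "LC_PAPER"
      "LC_TELEPHONE"
      "LC_TIME"
    ] (_: "nl_NL.UTF-8");
  };

  services = {
    openssh = {
      enable = true;
      settings = {
        # Public-key authentication only: no passwords, no keyboard-interactive.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        # Root logs in directly (see users.users.root below), so pin root login
        # to key-only explicitly instead of relying on the module default.
        PermitRootLogin = "prohibit-password";
      };
    };

    xserver = {
      layout = "us";
      xkbVariant = "";
    };

    k3s = {
      enable = true;
      role = "server";
      # --tls-san: temporary fix -- by default the server's full hostname
      #   (jefke.hyp) is not included in the Subject Alternative Names of the
      #   API server certificate, so it is added as a CLI flag.
      # --data-dir: keep all k3s state on the data volume instead of /var/lib.
      extraFlags = "--tls-san ${k3sTlsSan} --data-dir ${k3sDataDir}";
    };
  };

  # SSH public keys allowed to log in directly as root. Each entry is full
  # root on this hypervisor; prune it whenever a device is retired.
  # NOTE(review): the second key carries a generic "user@user-laptop" comment
  # -- confirm it is still needed and who owns it.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpad pim"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
  ];

  programs = {
    ssh = {
      # SSH host-certificate authorities: any host presenting a certificate
      # signed by one of these keys is trusted for the matching name pattern.
      # A compromise of a CA key therefore allows impersonating every host in
      # that zone, so the CA private keys must be guarded accordingly.
      knownHosts = {
        dmz = {
          hostNames = [ "*.dmz" ];
          publicKey =
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x";
          certAuthority = true;
        };
        hypervisors = {
          hostNames = [ "*.hyp" ];
          publicKey =
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb";
          certAuthority = true;
        };
      };
    };

    neovim = {
      enable = true;
      vimAlias = true;
      viAlias = true;
    };
  };

  nixpkgs = {
    config.allowUnfree = true;
    hostPlatform = "x86_64-linux";
  };

  environment.systemPackages = with pkgs; [
    neofetch
    wget
    git
    btop
    htop
    ripgrep
    dig
    tree
    file
    k3s
  ];

  networking = {
    # The NixOS firewall module is deliberately off: ALL host packet filtering
    # comes from ./nftables.conf below. Nothing in this file opens or closes
    # ports for sshd, the k3s API server or libvirt -- that ruleset must.
    firewall.enable = false;
    useDHCP = false;

    nftables = {
      enable = true;
      # Validate the ruleset at build time so a syntax error fails the build
      # instead of leaving the host without a loaded ruleset at boot.
      checkRuleset = true;
      ruleset = builtins.readFile ./nftables.conf;
    };
  };

  systemd.network = {
    enable = true;
    netdevs = {
      # Tagged VLAN 30 on the main NIC, carrying the DMZ segment.
      "20-vlandmz" = {
        netdevConfig = {
          Kind = "vlan";
          Name = "vlandmz";
        };
        vlanConfig.Id = 30;
      };
      # Bridge the DMZ VLAN is enslaved to; guests attach here.
      "20-bridgedmz" = {
        netdevConfig = {
          Kind = "bridge";
          Name = "bridgedmz";
        };
      };
    };
    networks = {
      "30-main-nic" = {
        matchConfig.Name = "en*";
        networkConfig = { DHCP = "yes"; };
        vlan = [ "vlandmz" ];
      };
      # The host takes no address on the DMZ VLAN or bridge (no link-local,
      # no router advertisements); it only forwards frames for guests.
      "40-vlandmz" = {
        matchConfig.Name = "vlandmz";
        networkConfig = {
          IPv6AcceptRA = false;
          LinkLocalAddressing = "no";
          Bridge = "bridgedmz";
        };
        linkConfig.RequiredForOnline = "enslaved";
      };
      "40-bridgedmz" = {
        matchConfig.Name = "bridgedmz";
        networkConfig = {
          IPv6AcceptRA = false;
          LinkLocalAddressing = "no";
        };
        linkConfig.RequiredForOnline = "carrier";
      };
    };
  };

  hardware.cpu.intel.updateMicrocode =
    lib.mkDefault config.hardware.enableRedistributableFirmware;

  # Private age identity used to decrypt secrets; kept out of the Nix store.
  age.identityPaths = [ "/root/age_ed25519" ];

  virtualisation.libvirtd.enable = true;

  # Link the bootstrap manifest into k3s' auto-deploy directory. The parent
  # directory is created first because on a fresh host activation runs before
  # k3s has ever started, and `ln` fails when the target directory is missing.
  # (Mode is left to the umask; k3s creates the rest of its tree itself.)
  system.activationScripts.k3s-bootstrap.text = ''
    mkdir -p ${k3sManifestDir}
    ln -sf ${k3sBootstrapFile} ${k3sManifestDir}/k3s-bootstrap.yaml
  '';

  system.stateVersion = "23.05";
}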