config/hosts/mtworx/configuration.nix
2024-10-01 15:52:20 +03:00

264 lines
6.2 KiB
Nix

{
lib,
config,
pkgs,
myData,
...
}:
let
nvme = "/dev/disk/by-id/nvme-WD_PC_SN810_SDCQNRY-1T00-1201_23234W800017";
in
{
imports = [
../../shared/work
../../modules
../../modules/profiles/desktop
../../modules/profiles/autorandr
../../modules/profiles/btrfs
];
age.secrets = {
motiejus-work-passwd-hash.file = ../../secrets/motiejus_work_passwd_hash.age;
root-work-passwd-hash.file = ../../secrets/root_work_passwd_hash.age;
sasl-passwd.file = ../../secrets/postfix_sasl_passwd.age;
syncthing-key.file = ../../secrets/mtworx/syncthing/key.pem.age;
syncthing-cert.file = ../../secrets/mtworx/syncthing/cert.pem.age;
ssh8022-client = {
file = ../../secrets/ssh8022.age;
mode = "444";
};
};
boot = {
kernelModules = [ "kvm-intel" ];
loader.systemd-boot.enable = true;
# 6.10+ to fix audio. Thanks https://github.com/ilian/cfg/blob/4588b90e674827304cd8e0b9d1aecd75416d1cde/hosts/carbon/configuration.nix#L19
kernelPackages = pkgs.linuxPackages_6_10;
initrd = {
availableKernelModules = [
"xhci_pci"
"thunderbolt"
"nvme"
"usbhid"
"tpm_tis"
];
systemd = {
enableTpm2 = true;
emergencyAccess = true;
};
luks.devices = {
luksroot = {
device = "${nvme}-part3";
allowDiscards = true;
crypttabExtraOpts = [ "tpm2-device=auto" ];
};
};
};
};
swapDevices = [
{
device = "${nvme}-part2";
randomEncryption.enable = true;
}
];
fileSystems = {
"/" = {
device = "/dev/mapper/luksroot";
fsType = "btrfs";
options = [ "compress=zstd" ];
};
"/boot" = {
device = "${nvme}-part1";
fsType = "vfat";
};
};
hardware.cpu.intel.updateMicrocode = true;
nixpkgs.hostPlatform = "x86_64-linux";
mj = {
stateVersion = "23.11";
timeZone = "Europe/Vilnius";
username = "motiejus";
base.users = {
enable = true;
devTools = true;
root.hashedPasswordFile = config.age.secrets.root-work-passwd-hash.path;
user.hashedPasswordFile = config.age.secrets.motiejus-work-passwd-hash.path;
};
services = {
ssh8022.client = {
enable = true;
keyfile = config.age.secrets.ssh8022-client.path;
};
tailscale = {
enable = true;
verboseLogs = true;
};
btrfssnapshot = {
enable = true;
subvolumes = [
{
subvolume = "/home";
label = "5minutely";
keep = 12;
refreshInterval = "*:0/5";
}
{
subvolume = "/home";
label = "hourly";
keep = 24;
refreshInterval = "*:00:00";
}
{
subvolume = "/home";
label = "daily";
keep = 7;
refreshInterval = "daily UTC";
}
];
};
wifibackup = {
enable = true;
toPath = "/home/${config.mj.username}/M-Active/.wifi";
toUser = config.mj.username;
};
remote-builder.client =
let
host = myData.hosts."fra1-b.servers.jakst";
in
{
enable = true;
inherit (host) system supportedFeatures;
hostName = host.jakstIP;
sshKey = "/etc/ssh/ssh_host_ed25519_key";
maxJobs = 2;
};
node_exporter = {
enable = true;
extraSubnets = [ myData.subnets.vno1.cidr ];
};
deployerbot = {
follower = {
publicKeys = [ myData.hosts."fwminex.servers.jakst".publicKey ];
enable = true;
uidgid = myData.uidgid.updaterbot-deployee;
sshAllowSubnets = with myData.subnets; [ tailscale.sshPattern ];
};
};
postfix = {
enable = false;
#saslPasswdPath = config.age.secrets.sasl-passwd.path;
};
syncthing = {
enable = true;
dataDir = "/home/motiejus/";
user = "motiejus";
group = "users";
};
};
};
users = {
users.mount-test = {
name = "mount-test";
group = "mount-test";
isSystemUser = true;
};
groups.mount-test = { };
};
systemd.tmpfiles.rules = [ "d /data 0755 root root -" ];
systemd.services.mount-test = {
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
RuntimeDirectory = "mount-test";
TemporaryFileSystem = "/data";
BindPaths = [ "/home/motiejus/x:/var/run/mount-test/bind-paths/x" ];
PrivateDevices = false;
Type = "simple";
Restart = "on-failure";
RestartSec = 10;
# Hardening
NoNewPrivileges = true;
PrivateTmp = true;
PrivateMounts = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID";
User = "mount-test";
Group = "mount-test";
ExecStart =
"!"
+ (lib.getExe (
pkgs.writeShellApplication {
name = "mount-test";
runtimeInputs = with pkgs; [
bindfs
util-linux
];
text = ''
set -x
mkdir -p /data/x
bindfs -d -u motiejus -g users /var/run/mount-test/bind-paths/x /data/x &
sleep 1
#exec setpriv \
# --ruid mount-test \
# --inh-caps -sys_admin,-setuid,-setgid \
touch /data/x/foo
'';
}
));
};
};
users.extraGroups.vboxusers.members = [ "motiejus" ];
environment.systemPackages = with pkgs; [ dnsmasq ];
security.tpm2.enable = true;
networking = {
hostId = "b14a02aa";
hostName = "mtworx";
domain = "motiejus.jakst";
firewall.rejectPackets = true;
};
}