{ config, pkgs, ... }: { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix # ./age_secrets.nix ./www/emile.space.nix ./www/git.emile.space.nix ./www/hydra.emile.space.nix ./www/netbox.emile.space.nix # ./www/grafana.emile.space.nix ./www/photo.emile.space.nix # ./www/events.emile.space.nix ./www/tickets.emile.space.nix ./www/talks.emile.space.nix ./www/stream.emile.space.nix ./www/pgweb.emile.space.nix ./www/ctf.emile.space.nix # ./www/magic-hash.emile.space.nix # ./www/znc.emile.space.nix ./gemini/emile.space.nix ]; # Use GRUB2 as the boot loader. # We don't use systemd-boot because Hetzner uses BIOS legacy boot. boot = { #supportsInitrdSecrets = true; loader.systemd-boot.enable = false; loader.grub = { enable = true; efiSupport = false; enableCryptodisk = true; device = "nodev"; devices = [ "/dev/nvme0n1" "/dev/nvme1n1"]; }; kernelParams = [ "ip=135.181.142.139::135.181.142.129:255.255.255.192:corrino:enp35s0:off:8.8.8.8:8.8.4.4:" ]; initrd = { kernelModules = [ "dm-snapshot" ]; availableKernelModules = [ "cryptd" "aesni_intel" "igb" ];#"FIXME Your network driver" ]; network = { enable = true; ssh = { enable = true; # ssh port during boot for luks decryption port = 2222; authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys; hostKeys = [ "/initrd_ssh_host_ecdsa_key" ]; }; postCommands = '' echo 'cryptsetup-askpass' >> /root/.profile ''; }; luks = { forceLuksSupportInInitrd = true; devices = { root = { preLVM = true; device = "/dev/md1"; allowDiscards = true; }; }; }; secrets = { "/initrd_ssh_host_ecdsa_key" = "/initrd_ssh_host_ecdsa_key"; }; # The RAIDs are assembled in stage1, so we need to make the config # available there. # services.swraid.mdadmConf = config.environment.etc."mdadm.conf".text; }; # From the nixos 23.11 release notes changelog breaking changes section: # mdraid support is optional now. This reduces initramfs size and prevents # the potentially undesired automatic detection and activation of software # RAID pools. It is disabled by default in new configurations (determined # by stateVersion), but the appropriate settings will be generated by # nixos-generate-config when installing to a software RAID device, so the # standard installation procedure should be unaffected. If you have custom # configs relying on mdraid, ensure that you use stateVersion correctly or # set boot.swraid.enable manually. On systems with an updated stateVersion # we now also emit warnings if mdadm.conf does not contain the minimum # required configuration necessary to run the dynamically enabled monitoring # daemons. swraid = { enable = true; # mdadmConf = config.environment.etc."mdadm.conf".text; mdadmConf = '' HOMEHOST MAILADDR root ''; }; supportedFilesystems = [ "cifs" ]; }; # The mdadm RAID1s were created with 'mdadm --create ... --homehost=hetzner', # but the hostname for each machine may be different, and mdadm's HOMEHOST # setting defaults to '' (using the system hostname). # This results mdadm considering such disks as "foreign" as opposed to # "local", and showing them as e.g. '/dev/md/hetzner:root0' # instead of '/dev/md/root0'. # This is mdadm's protection against accidentally putting a RAID disk # into the wrong machine and corrupting data by accidental sync, see # https://bugzilla.redhat.com/show_bug.cgi?id=606481#c14 and onward. # We do not worry about plugging disks into the wrong machine because # we will never exchange disks between machines, so we tell mdadm to # ignore the homehost entirely. environment = { etc."mdadm.conf".text = '' HOMEHOST MAILADDR root ''; systemPackages = with pkgs; [ git du-dust ncdu # helix sshfs ]; }; programs = { mosh.enable = true; mtr.enable = true; }; # create a oneshot job to authenticate to Tailscale systemd.services.tailscale-autoconnect = { description = "Automatic connection to Tailscale"; # make sure tailscale is running before trying to connect to tailscale after = [ "network-pre.target" "tailscale.service" ]; wants = [ "network-pre.target" "tailscale.service" ]; wantedBy = [ "multi-user.target" ]; # set this service as a oneshot job serviceConfig.Type = "oneshot"; # have the job run this shell script script = with pkgs; '' # wait for tailscaled to settle sleep 2 # check if we are already authenticated to tailscale status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" if [ $status = "Running" ]; then # if so, then do nothing exit 0 fi # otherwise authenticate with tailscale ${tailscale}/bin/tailscale up \ --advertise-exit-node --exit-node \ -authkey tskey-auth-kfswm86CNTRL-QdFyL42rAhJDw7VZ2poVaJgDewQvmUu5K ''; # this is an old authkey which I found (was used once, now it's landed here but long expired...). I'm adding an age secret instead, although it isn't used anymore... # -authkey ${config.age.secrets.tailscale_authkey} }; networking = { hostName = "corrino"; domain = "emile.space"; # Network (Hetzner uses static IP assignments, and we don't use DHCP here) useDHCP = false; interfaces = { "enp35s0" = { ipv4.addresses = [ { address = "135.181.142.139"; prefixLength = 26; } ]; }; "enp35s0".ipv6.addresses = [ { address = "2a01:4f9:3a:16a4::1"; prefixLength = 64; } ]; }; defaultGateway = "135.181.142.129"; defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; }; nameservers = [ "8.8.8.8" "8.8.4.4" ]; firewall = { enable = true; allowedTCPPorts = [ 80 443 # normal web ]; allowedUDPPorts = [ 51820 # wireguard ]; allowedUDPPortRanges = [ { from = 60000; to = 61000; } # mosh ]; interfaces."tailscale0".allowedTCPPorts = [ 8085 # random internal web server port ]; }; nat = { enable = true; enableIPv6 = true; externalInterface = "enp35s0"; internalInterfaces = [ "wg0" ]; }; wireguard = { enable = true; interfaces."wg0" = { ips = [ "10.87.0.1/24" ]; listenPort = 51820; # This allows the wireguard server to route your traffic to the internet and hence be like a VPN # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients postSetup = '' ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.87.0.0/24 -o eth0 -j MASQUERADE ''; # This undoes the above command postShutdown = '' ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.87.0.0/24 -o eth0 -j MASQUERADE ''; privateKeyFile = config.age.secrets.wireguard_privatekey.path; peers = [ # List of allowed peers. { # Emiles-MBA publicKey = "Ebsjn7w2FeUs5lUN6ALoUcF/o9/+SopDL324YJPSCDY="; # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. allowedIPs = [ "10.87.0.2/32" ]; } { # Emiles-IphoneX publicKey = "xGfmwraI0Eh3eFEXjJrd2AYCgUM1uK4Y+FX5ACAQZ3M="; # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. allowedIPs = [ "10.87.0.3/32" ]; } ]; }; }; }; # Initial empty root password for easy login: users.users = { root = { initialHashedPassword = ""; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan" ]; packages = with pkgs; [ mdadm tailscale # random useful stuff htop git vim fd ripgrep ]; extraGroups = [ "docker" "libvirtd" ]; }; hack = { isNormalUser = true; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan" ]; extraGroups = [ "docker" "libvirtd" ]; }; tmpuser1 = { isNormalUser = true; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan" # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMMq7gVuOuJEuarcsss2pb4JJS39zW/Fuow0foyqlV5 noobtracker@noobtracker-linux" ]; }; }; services = { openssh = { settings = { PermitRootLogin = "prohibit-password"; PasswordAuthentication = false; }; enable = true; }; nginx = { enable = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; }; tailscale = { enable = true; # use corrino as a subnet router and an exit node useRoutingFeatures = "both"; }; }; nix = { settings.experimental-features = [ "nix-command" "flakes" ]; gc = { automatic = true; dates = "daily"; options = "--delete-older-than 7d"; }; optimise = { automatic = true; dates = [ "03:45" ]; }; # we need the below in order for hydra to be allowed to access the pages extraOptions = '' allowed-uris = ssh://gitea@git.emile.space git+https://git.emile.space https://git.emile.space https://portswigger-cdn.net https://git.sr.ht/ https://gitlab.com/simple-nixos-mailserver https://github.com/nixos/nixpkgs builders-use-substitutes = true ''; buildMachines = [ { hostName = "localhost"; system = "x86_64-linux"; protocol = "ssh-ng"; maxJobs = 1; supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; } { hostName = "caladan"; system = "aarch64-darwin"; protocol = "ssh-ng"; maxJobs = 1; speedFactor = 2; supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; mandatoryFeatures = [ ]; } ]; distributedBuilds = true; }; nixpkgs.config = { allowUnfree = true; permittedInsecurePackages = [ # none :D ]; }; security = { acme = { acceptTerms = true; defaults.email = "admin+acme@emile.space"; }; }; virtualisation = { docker.enable = true; # libvirtd = { # enable = true; # qemu = { # swtpm.enable = true; # ovmf.enable = true; # ovmf.packages = [ pkgs.OVMFFull.fd ]; # }; # }; # spiceUSBRedirection.enable = true; }; # programs.virt-manager.enable = true; fileSystems."/proc" = { device = "/proc"; options = [ "nosuid" "nodev" "noexec" "relatime" # normal foo "hidepid=2" # this makes sure users can only see their own processes ]; }; fileSystems."/mnt/storagebox-bx11" = { device = "//u331921.your-storagebox.de/backup"; fsType = "cifs"; options = let automount_opts = "_netdev,x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; in ["${automount_opts},credentials=${config.age.secrets.storage_box_bx11_password.path}"]; }; # FIXME # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you # should. system.stateVersion = "22.11"; # Did you read the comment? }