diff --git a/README.md b/README.md index 2b62a43b..bf40e24c 100644 --- a/README.md +++ b/README.md @@ -9,13 +9,13 @@ sudo git clone --recursive https://git.sysctl.io/albert/nix /etc/nixos/git sudo chown -R albert:root /etc/nixos/git ``` -* Installing a system from the ISO: +* Installation: ``` nixos-install [] # or ./docs/install.sh [] ``` -* Post install: +* Post install (home-manager, GPG keys, SOPS, etc) ``` nix develop -c /etc/nixos/git/docs/setup.sh ``` @@ -27,8 +27,8 @@ nix develop -c /etc/nixos/git/docs/setup.sh | framework-server | sysctl.io - main server, framework 13th gen mainboard | Done | | nixos-desktop | My main desktop | Done | | nixos-framework | My AMD Framework 13 laptop | Done | -| nixos-vm-01 | A NixOS VM used for testing | Done | | osaka-linode-01 | Osaka Linode relay for sysctl.io external connections | Done | +| milan-linode-01 | Milan Linode DERP relay for Tailscale | Done | | piaware-rpi4 | FlightAware for Raspberry Pi | Done | | quitman-rpi4 | Raspberry Pi at my parents house. Headscale Exit Node | On Hold | | nuc-server | Second NUC server at my brothers house | On Hold | 
@@ -48,22 +48,16 @@ nix develop -c /etc/nixos/git/docs/setup.sh * [ ] Try this https://www.ntop.org/products/traffic-analysis/ntop/ * [ ] Podman mgiration - Potentially use nix-defined containers. -## Packaging -* [ ] Try packaging BoxBuddy - [Link](https://github.com/Dvlv/BoxBuddyRS) - ## General * [ ] Security hardening / scans / etc * [ ] Where possible, convert cronjobs to systemd services / timers -* [ ] Replace fuzzel with rofi -* [ ] Update disko configs away from 'table' - * See ./nixos/hosts/nixos-framework/disks-gpt.nix ## Home-Manager * [ ] Figure out what the home-manager `account` options are for. * [ ] Find a way to remove all default search engines in Firefox (Google, Amazon, etc) ## Desktop / GUI -* [ ] rofi - bitwarden-cli / bitwarden-menu ([Link](https://search.nixos.org/packages?channel=23.05&show=bitwarden-menu&from=0&size=50&sort=relevance&type=packages&query=bitwarden)) +* [ ] rofi - rbw integration * [ ] Set up PyRadio with Nightride.FM Completed ToDo List [here](./docs/complete.md) @@ -123,6 +117,7 @@ Completed ToDo List [here](./docs/complete.md) 3. Save and reboot 4. Run `sudo sbctl create-keys` 5. Run `sudo sbctl enroll-keys` +6. Reboot and verify with `bootctl status` # Manual: GPG Keys 1. Import the user private key: `gpg --import gpg/users/albert/privkey.asc` @@ -134,7 +129,8 @@ Completed ToDo List [here](./docs/complete.md) # Secrets 1. Run `nix-develop` in `/etc/nixos/git` to import new keys 2. To edit a file: `sops secrets/file.yml"` -3. When you add a new machine, you must update the secrets files encryption. +3. When you add a new machine, you must update the secrets files encryption. + * Ensure `.sops.yaml` has the updated fingerprint and file mappings. * Run `sops updatekeys secrets/file.yaml` and commit the change. # Troubleshooting 
@@ -151,17 +147,11 @@ Completed ToDo List [here](./docs/complete.md) ├── home-manager │   ├── common │   │   ├── desktops -│   │   │   ├── gnome -│   │   │   ├── hyprland -│   │   │   │   ├── assets -│   │   │   │   └── components -│   │   │   └── plasma6 │   │   └── software │   │   ├── cli │   │   └── gui │   ├── hosts │   └── users -│   └── albert ├── keys │   ├── hosts │   ├── ssh @@ -170,18 +160,19 @@ Completed ToDo List [here](./docs/complete.md) ├── nixos │   ├── common │   │   ├── desktops -│   │   │   ├── gnome -│   │   │   ├── hyprland -│   │   │   └── plasma6 │   │   ├── modules │   │   ├── services │   │   └── software │   │   ├── cli │   │   └── gui │   ├── hosts +│   ├── containers │   └── users -│   └── albert ├── secrets +│   ├── containers +│   └── hosts ├── stylix +│   ├── common +│   └── themes └── wallpapers ``` diff --git a/docs/complete.md b/docs/complete.md index 48640d56..d3986a39 100644 --- a/docs/complete.md +++ b/docs/complete.md @@ -153,3 +153,6 @@ * [x] Edit the hosts file * [x] Syncthing * [x] Try starship.rs - A powerline replacement - [Link](https://starship.rs/guide/#%F0%9F%9A%80-installation) +* [x] Replace fuzzel with rofi +* [x] Update disko configs away from 'table' + * See ./nixos/hosts/nixos-framework/disks-gpt.nix diff --git a/lib/default.nix b/lib/default.nix index 26bbd579..0ae1808e 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -51,8 +51,7 @@ ]; autoStart = true; privateNetwork = true; - # hostBridge = "br0"; - hostAddress = "192.168.2.1"; + hostBridge = "br0"; localAddress = "192.168.2.2/24"; restartIfChanged = true; enableTun = true; diff --git a/nixos/containers/default.nix b/nixos/containers/default.nix index f2cb7a21..c2fd2a1d 100644 --- a/nixos/containers/default.nix +++ b/nixos/containers/default.nix 
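Review bot: Replacing `hostAddress = "192.168.2.1"` with `hostBridge = "br0"` in lib/default.nix removes the only gateway this container was given, and nothing in the hunk supplies another one: as far as I recall, the NixOS container init only installs a default route when `hostAddress` is set, so with a static `localAddress = "192.168.2.2/24"` on a bridge the container keeps reachability on the bridge segment but, from what this hunk shows, no longer has a route to the host or the internet. Either `br0` on the host and `networking.defaultGateway` inside the container need an address in 192.168.2.0/24, or the container should obtain one via DHCP; this is worth confirming, since the companion hunk in nixos/containers/default.nix deletes the commented `useDHCP` line rather than enabling it. A one-line comment on the `hostBridge` line naming where the bridge address and gateway are configured, e.g. `# bridged to br0; gateway/bridge address configured in <host module — TODO confirm>`, would save the next reader the same search. The attribute set this hunk edits begins before the hunk.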
@@ -3,12 +3,12 @@ ./${hostname} ../users/${username} ../common/modules/nixos.nix - ../common/modules/networking.nix + ../common/modules/networking.nix # Services - ../common/services/promtail.nix - ../common/services/telegraf.nix - ../common/services/tailscale.nix - ../common/services/openssh.nix + ../common/services/promtail.nix + ../common/services/telegraf.nix + ../common/services/tailscale.nix + ../common/services/openssh.nix ]; # Generic Tailscale configs are in /nixos/common/services/tailscale.nix # Set up the secrets file: @@ -24,6 +24,5 @@ boot.isContainer = true; services.tailscale.authKeyFile = "/run/secrets/tailscale_key"; networking.hostName = "${hostname}"; - # networking.interfaces."eth0".useDHCP = true; system.stateVersion = stateVersion; } diff --git a/nixos/hosts/framework-server/containers.nix b/nixos/hosts/framework-server/containers.nix index de013627..8bd0fff6 100644 --- a/nixos/hosts/framework-server/containers.nix +++ b/nixos/hosts/framework-server/containers.nix @@ -1,4 +1,4 @@ -{ config, lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }: +{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }: let libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; }; lanInterface = "enp0s13f0u4"; 
@@ -7,14 +7,12 @@ in { rdesktop = libx.mkContainer { hostname = "rdesktop"; }; }; - networking.firewall.extraCommands = '' - iptables -w -t nat -A nixos-nat-post -s ${config.containers.rdesktop.localAddress} -j MASQUERADE - ''; - - networking.nat = { - enable = true; - internalInterfaces = [ "ve-rdesktop" ]; - externalInterface = lanInterface; - extraCommands = "iptables -t nat -A POSTROUTING -o ${lanInterface} -j MASQUERADE"; + networking = { + nat.enable = true; + nat.internalInterfaces = [ "ve-+" ]; + nat.externalInterface = lanInterface; + nat.extraCommands = ''iptables -t nat -A POSTROUTING -o ${lanInterface} -j MASQUERADE''; + networkmanager.unmanaged = [ "interface-name:ve-*" ]; + firewall.trustedInterfaces = [ "ve-+" ]; }; }
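Review bot: `firewall.trustedInterfaces = [ "ve-+" ]` opens every host port to any container whose veth matches the wildcard, including containers added later, while the removed block had no equivalent; if the containers only need a few host services, `firewall.interfaces."ve-+".allowedTCPPorts = [ <ports the containers need> ];` (and the UDP counterpart) limits the exposure to those ports. The `ve-+` matches also look inconsistent with lib/default.nix in this same commit, which switches the container to `hostBridge = "br0"`: traffic from a bridged veth reaches iptables with `br0` as the in-interface, so `nat.internalInterfaces` and the trusted-interface rule would likely never see it, and `br0` or a `nat.internalIPs` range for 192.168.2.0/24 may be what is actually needed. The retained `nat.extraCommands` appends an unconditional MASQUERADE for everything leaving `${lanInterface}` directly to POSTROUTING, which duplicates what `nat.enable` already installs for the internal interfaces and, without a matching `nat.extraStopCommands`, can accumulate one copy per restart of the nat service.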