albert 2024-03-27 10:10:20 +09:00
parent 6602c122d7
commit cf9ae184fc
No known key found for this signature in database
GPG key ID: 64F6C4EB46C4543A
5 changed files with 29 additions and 39 deletions

View file

@ -9,13 +9,13 @@ sudo git clone --recursive https://git.sysctl.io/albert/nix /etc/nixos/git
sudo chown -R albert:root /etc/nixos/git sudo chown -R albert:root /etc/nixos/git
``` ```
* Installing a system from the ISO: * Installation:
``` ```
nixos-install <Hostname> [<Username>] nixos-install <Hostname> [<Username>]
# or # or
./docs/install.sh <Hostname> [<Username>] ./docs/install.sh <Hostname> [<Username>]
``` ```
* Post install: * Post install (home-manager, GPG keys, SOPS, etc)
``` ```
nix develop -c /etc/nixos/git/docs/setup.sh nix develop -c /etc/nixos/git/docs/setup.sh
``` ```
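Review bot: renaming the heading from "Installing a system from the ISO" to "Installation" drops the only statement of where `nixos-install <Hostname> [<Username>]` and `./docs/install.sh` are meant to be run; keep "from the NixOS ISO" in the bullet so a reader does not run `install.sh` on an already-installed host. The post-install bullet now says what `docs/setup.sh` covers (home-manager, GPG keys, SOPS); since the GPG section below has it import a user private key, add a sentence that it is to be run on the freshly installed host only, after the GPG and SOPS steps have been read.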
@ -27,8 +27,8 @@ nix develop -c /etc/nixos/git/docs/setup.sh
| framework-server | sysctl.io - main server, framework 13th gen mainboard | Done | | framework-server | sysctl.io - main server, framework 13th gen mainboard | Done |
| nixos-desktop | My main desktop | Done | | nixos-desktop | My main desktop | Done |
| nixos-framework | My AMD Framework 13 laptop | Done | | nixos-framework | My AMD Framework 13 laptop | Done |
| nixos-vm-01 | A NixOS VM used for testing | Done |
| osaka-linode-01 | Osaka Linode relay for sysctl.io external connections | Done | | osaka-linode-01 | Osaka Linode relay for sysctl.io external connections | Done |
| milan-linode-01 | Milan Linode DERP relay for Tailscale | Done |
| piaware-rpi4 | FlightAware for Raspberry Pi | Done | | piaware-rpi4 | FlightAware for Raspberry Pi | Done |
| quitman-rpi4 | Raspberry Pi at my parents house. Headscale Exit Node | On Hold | | quitman-rpi4 | Raspberry Pi at my parents house. Headscale Exit Node | On Hold |
| nuc-server | Second NUC server at my brothers house | On Hold | | nuc-server | Second NUC server at my brothers house | On Hold |
@ -48,22 +48,16 @@ nix develop -c /etc/nixos/git/docs/setup.sh
* [ ] Try this https://www.ntop.org/products/traffic-analysis/ntop/ * [ ] Try this https://www.ntop.org/products/traffic-analysis/ntop/
* [ ] Podman mgiration - Potentially use nix-defined containers. * [ ] Podman mgiration - Potentially use nix-defined containers.
## Packaging
* [ ] Try packaging BoxBuddy - [Link](https://github.com/Dvlv/BoxBuddyRS)
## General ## General
* [ ] Security hardening / scans / etc * [ ] Security hardening / scans / etc
* [ ] Where possible, convert cronjobs to systemd services / timers * [ ] Where possible, convert cronjobs to systemd services / timers
* [ ] Replace fuzzel with rofi
* [ ] Update disko configs away from 'table'
* See ./nixos/hosts/nixos-framework/disks-gpt.nix
## Home-Manager ## Home-Manager
* [ ] Figure out what the home-manager `account` options are for. * [ ] Figure out what the home-manager `account` options are for.
* [ ] Find a way to remove all default search engines in Firefox (Google, Amazon, etc) * [ ] Find a way to remove all default search engines in Firefox (Google, Amazon, etc)
## Desktop / GUI ## Desktop / GUI
* [ ] rofi - bitwarden-cli / bitwarden-menu ([Link](https://search.nixos.org/packages?channel=23.05&show=bitwarden-menu&from=0&size=50&sort=relevance&type=packages&query=bitwarden)) * [ ] rofi - rbw integration
* [ ] Set up PyRadio with Nightride.FM * [ ] Set up PyRadio with Nightride.FM
Completed ToDo List [here](./docs/complete.md) Completed ToDo List [here](./docs/complete.md)
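Review bot: the typo "Podman mgiration" is carried over unchanged on both sides; fix it to "migration" while this list is being edited. The "## Packaging" section with the BoxBuddy item is deleted here, but the complete.md hunk below only adds the fuzzel and disko items, so that item silently disappears: either mark it done in docs/complete.md or keep it in the list. "Security hardening / scans / etc" stays as vague as before; naming the intended scope (the Secure Boot and SOPS steps already documented, the container firewall rules changed in this commit) would make it actionable.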
@ -123,6 +117,7 @@ Completed ToDo List [here](./docs/complete.md)
3. Save and reboot 3. Save and reboot
4. Run `sudo sbctl create-keys` 4. Run `sudo sbctl create-keys`
5. Run `sudo sbctl enroll-keys` 5. Run `sudo sbctl enroll-keys`
6. Reboot and verify with `bootctl status`
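Review bot: step 6 is a good addition, but `bootctl status` only reports whether Secure Boot is enabled; pair it with `sudo sbctl status` (confirms the firmware left setup mode and the custom keys are enrolled) and `sudo sbctl verify` (confirms every EFI binary is signed with them). A warning belongs next to step 5 as well: `sbctl enroll-keys` enrolls only the keys created in step 4 unless `--microsoft` is passed, and on hardware whose option ROMs (GPU, NIC) are signed by Microsoft that can leave the machine unbootable after the reboot in step 6.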
# Manual: GPG Keys # Manual: GPG Keys
1. Import the user private key: `gpg --import gpg/users/albert/privkey.asc` 1. Import the user private key: `gpg --import gpg/users/albert/privkey.asc`
@ -135,6 +130,7 @@ Completed ToDo List [here](./docs/complete.md)
1. Run `nix-develop` in `/etc/nixos/git` to import new keys 1. Run `nix-develop` in `/etc/nixos/git` to import new keys
2. To edit a file: `sops secrets/file.yml"` 2. To edit a file: `sops secrets/file.yml"`
3. When you add a new machine, you must update the secrets files encryption. 3. When you add a new machine, you must update the secrets files encryption.
* Ensure `.sops.yaml` has the updated fingerprint and file mappings.
* Run `sops updatekeys secrets/file.yaml` and commit the change. * Run `sops updatekeys secrets/file.yaml` and commit the change.
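Review bot: the new `.sops.yaml` bullet is right, but the surrounding lines still carry a stray closing quote in `sops secrets/file.yml"` and use `file.yml` in step 2 versus `file.yaml` in the updatekeys bullet; pick one. Step 1 says `nix-develop` while the README's own post-install line uses `nix develop`. Also state that `sops updatekeys` has to be run for every file whose creation rule gained the new host's fingerprint, not a single `secrets/file.yaml`, e.g. `for f in secrets/**/*.yaml; do sops updatekeys -y "$f"; done`, and that the result must be committed or the new host cannot decrypt anything at first boot.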
# Troubleshooting # Troubleshooting
@ -151,17 +147,11 @@ Completed ToDo List [here](./docs/complete.md)
├── home-manager ├── home-manager
│   ├── common │   ├── common
│   │   ├── desktops │   │   ├── desktops
│   │   │   ├── gnome
│   │   │   ├── hyprland
│   │   │   │   ├── assets
│   │   │   │   └── components
│   │   │   └── plasma6
│   │   └── software │   │   └── software
│   │   ├── cli │   │   ├── cli
│   │   └── gui │   │   └── gui
│   ├── hosts │   ├── hosts
│   └── users │   └── users
│   └── albert
├── keys ├── keys
│   ├── hosts │   ├── hosts
│   ├── ssh │   ├── ssh
@ -170,18 +160,19 @@ Completed ToDo List [here](./docs/complete.md)
├── nixos ├── nixos
│   ├── common │   ├── common
│   │   ├── desktops │   │   ├── desktops
│   │   │   ├── gnome
│   │   │   ├── hyprland
│   │   │   └── plasma6
│   │   ├── modules │   │   ├── modules
│   │   ├── services │   │   ├── services
│   │   └── software │   │   └── software
│   │   ├── cli │   │   ├── cli
│   │   └── gui │   │   └── gui
│   ├── hosts │   ├── hosts
│   ├── containers
│   └── users │   └── users
│   └── albert
├── secrets ├── secrets
│   ├── containers
│   └── hosts
├── stylix ├── stylix
│   ├── common
│   └── themes
└── wallpapers └── wallpapers
``` ```
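Review bot: the tree now shows `secrets/containers` next to `secrets/hosts` and a new `nixos/containers` directory, but the SOPS section above only describes adding a fingerprint for a new machine; document that `.sops.yaml` needs a creation rule (path_regex) for `secrets/containers/` whose recipients include the container's own key, otherwise the `/run/secrets/tailscale_key` referenced by the container module cannot be decrypted inside the container.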

View file

@ -153,3 +153,6 @@
* [x] Edit the hosts file * [x] Edit the hosts file
* [x] Syncthing * [x] Syncthing
* [x] Try starship.rs - A powerline replacement - [Link](https://starship.rs/guide/#%F0%9F%9A%80-installation) * [x] Try starship.rs - A powerline replacement - [Link](https://starship.rs/guide/#%F0%9F%9A%80-installation)
* [x] Replace fuzzel with rofi
* [x] Update disko configs away from 'table'
* See ./nixos/hosts/nixos-framework/disks-gpt.nix

View file

@ -51,8 +51,7 @@
]; ];
autoStart = true; autoStart = true;
privateNetwork = true; privateNetwork = true;
# hostBridge = "br0"; hostBridge = "br0";
hostAddress = "192.168.2.1";
localAddress = "192.168.2.2/24"; localAddress = "192.168.2.2/24";
restartIfChanged = true; restartIfChanged = true;
enableTun = true; enableTun = true;
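Review bot: uncommenting `hostBridge = "br0";` while deleting `hostAddress = "192.168.2.1";` changes how the container reaches the outside: on a bridge, `localAddress = "192.168.2.2/24";` is assigned on the container side and nothing here gives it a default gateway, so either set `networking.defaultGateway` in the container module or give `br0` an address in 192.168.2.0/24 on the host. If this block is the shared `mkContainer` definition used by the host config (which passes only `hostname`), every container built from it gets the same 192.168.2.2; make localAddress a parameter or the second container on the bridge will conflict with the first.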

View file

@ -3,12 +3,12 @@
./${hostname} ./${hostname}
../users/${username} ../users/${username}
../common/modules/nixos.nix ../common/modules/nixos.nix
../common/modules/networking.nix ../common/modules/networking.nix
# Services # Services
../common/services/promtail.nix ../common/services/promtail.nix
../common/services/telegraf.nix ../common/services/telegraf.nix
../common/services/tailscale.nix ../common/services/tailscale.nix
../common/services/openssh.nix ../common/services/openssh.nix
]; ];
# Generic Tailscale configs are in /nixos/common/services/tailscale.nix # Generic Tailscale configs are in /nixos/common/services/tailscale.nix
# Set up the secrets file: # Set up the secrets file:
@ -24,6 +24,5 @@
boot.isContainer = true; boot.isContainer = true;
services.tailscale.authKeyFile = "/run/secrets/tailscale_key"; services.tailscale.authKeyFile = "/run/secrets/tailscale_key";
networking.hostName = "${hostname}"; networking.hostName = "${hostname}";
# networking.interfaces."eth0".useDHCP = true;
system.stateVersion = stateVersion; system.stateVersion = stateVersion;
} }
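Review bot: dropping the commented `networking.interfaces."eth0".useDHCP` line is fine as cleanup, but with the container now attached to `hostBridge = "br0"` with a static address (see the container definition hunk) neither this module nor the visible imports set a default route; add `networking.defaultGateway` here or confirm `../common/modules/networking.nix` does, otherwise tailscale in the container has no path out. `services.tailscale.authKeyFile = "/run/secrets/tailscale_key"` also assumes sops-nix is wired up inside the container; the "Set up the secrets file" comment above should name the file under `secrets/containers` that provides it.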

View file

@ -1,4 +1,4 @@
{ config, lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }: { lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
let let
libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; }; libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
lanInterface = "enp0s13f0u4"; lanInterface = "enp0s13f0u4";
@ -7,14 +7,12 @@ in {
rdesktop = libx.mkContainer { hostname = "rdesktop"; }; rdesktop = libx.mkContainer { hostname = "rdesktop"; };
}; };
networking.firewall.extraCommands = '' networking = {
iptables -w -t nat -A nixos-nat-post -s ${config.containers.rdesktop.localAddress} -j MASQUERADE nat.enable = true;
''; nat.internalInterfaces = [ "ve-+" ];
nat.externalInterface = lanInterface;
networking.nat = { nat.extraCommands = ''iptables -t nat -A POSTROUTING -o ${lanInterface} -j MASQUERADE'';
enable = true; networkmanager.unmanaged = [ "interface-name:ve-*" ];
internalInterfaces = [ "ve-rdesktop" ]; firewall.trustedInterfaces = [ "ve-+" ];
externalInterface = lanInterface;
extraCommands = "iptables -t nat -A POSTROUTING -o ${lanInterface} -j MASQUERADE";
}; };
} }
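Review bot: `firewall.trustedInterfaces = [ "ve-+" ];` accepts all inbound traffic from every container veth, so every port the host listens on, whether or not it is in allowedTCPPorts, becomes reachable from inside `rdesktop`, which is itself on the tailnet via tailscale and `enableTun`; prefer `firewall.interfaces."ve-+".allowedTCPPorts = [ ... ]` with only the ports containers actually need. Two further points. First, `nat.extraCommands` now masquerades everything leaving `${lanInterface}` with no `-s` restriction, whereas the replaced rule was limited to `${config.containers.rdesktop.localAddress}`, and `nat.enable` with `externalInterface` already installs a masquerade rule for `internalInterfaces`, so the extra rule is both redundant and broader; drop it. Second, because the container definition hunk attaches the veth to `hostBridge = "br0"`, routed traffic from the container reaches netfilter with `br0` as its ingress interface, not `ve-+`, so `internalInterfaces`, `trustedInterfaces` and `networkmanager.unmanaged` as written will not match it; either reference the bridge here or drop the bridge setup there, since the two hunks currently disagree.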