Updates
This commit is contained in:
parent
6602c122d7
commit
cf9ae184fc
5 changed files with 29 additions and 39 deletions
33
README.md
33
README.md
|
@ -9,13 +9,13 @@ sudo git clone --recursive https://git.sysctl.io/albert/nix /etc/nixos/git
|
||||||
sudo chown -R albert:root /etc/nixos/git
|
sudo chown -R albert:root /etc/nixos/git
|
||||||
```
|
```
|
||||||
|
|
||||||
* Installing a system from the ISO:
|
* Installation:
|
||||||
```
|
```
|
||||||
nixos-install <Hostname> [<Username>]
|
nixos-install <Hostname> [<Username>]
|
||||||
# or
|
# or
|
||||||
./docs/install.sh <Hostname> [<Username>]
|
./docs/install.sh <Hostname> [<Username>]
|
||||||
```
|
```
|
||||||
* Post install:
|
* Post install (home-manager, GPG keys, SOPS, etc)
|
||||||
```
|
```
|
||||||
nix develop -c /etc/nixos/git/docs/setup.sh
|
nix develop -c /etc/nixos/git/docs/setup.sh
|
||||||
```
|
```
|
||||||
|
@ -27,8 +27,8 @@ nix develop -c /etc/nixos/git/docs/setup.sh
|
||||||
| framework-server | sysctl.io - main server, framework 13th gen mainboard | Done |
|
| framework-server | sysctl.io - main server, framework 13th gen mainboard | Done |
|
||||||
| nixos-desktop | My main desktop | Done |
|
| nixos-desktop | My main desktop | Done |
|
||||||
| nixos-framework | My AMD Framework 13 laptop | Done |
|
| nixos-framework | My AMD Framework 13 laptop | Done |
|
||||||
| nixos-vm-01 | A NixOS VM used for testing | Done |
|
|
||||||
| osaka-linode-01 | Osaka Linode relay for sysctl.io external connections | Done |
|
| osaka-linode-01 | Osaka Linode relay for sysctl.io external connections | Done |
|
||||||
|
| milan-linode-01 | Milan Linode DERP relay for Tailscale | Done |
|
||||||
| piaware-rpi4 | FlightAware for Raspberry Pi | Done |
|
| piaware-rpi4 | FlightAware for Raspberry Pi | Done |
|
||||||
| quitman-rpi4 | Raspberry Pi at my parents house. Headscale Exit Node | On Hold |
|
| quitman-rpi4 | Raspberry Pi at my parents house. Headscale Exit Node | On Hold |
|
||||||
| nuc-server | Second NUC server at my brothers house | On Hold |
|
| nuc-server | Second NUC server at my brothers house | On Hold |
|
||||||
|
@ -48,22 +48,16 @@ nix develop -c /etc/nixos/git/docs/setup.sh
|
||||||
* [ ] Try this https://www.ntop.org/products/traffic-analysis/ntop/
|
* [ ] Try this https://www.ntop.org/products/traffic-analysis/ntop/
|
||||||
* [ ] Podman mgiration - Potentially use nix-defined containers.
|
* [ ] Podman mgiration - Potentially use nix-defined containers.
|
||||||
|
|
||||||
## Packaging
|
|
||||||
* [ ] Try packaging BoxBuddy - [Link](https://github.com/Dvlv/BoxBuddyRS)
|
|
||||||
|
|
||||||
## General
|
## General
|
||||||
* [ ] Security hardening / scans / etc
|
* [ ] Security hardening / scans / etc
|
||||||
* [ ] Where possible, convert cronjobs to systemd services / timers
|
* [ ] Where possible, convert cronjobs to systemd services / timers
|
||||||
* [ ] Replace fuzzel with rofi
|
|
||||||
* [ ] Update disko configs away from 'table'
|
|
||||||
* See ./nixos/hosts/nixos-framework/disks-gpt.nix
|
|
||||||
|
|
||||||
## Home-Manager
|
## Home-Manager
|
||||||
* [ ] Figure out what the home-manager `account` options are for.
|
* [ ] Figure out what the home-manager `account` options are for.
|
||||||
* [ ] Find a way to remove all default search engines in Firefox (Google, Amazon, etc)
|
* [ ] Find a way to remove all default search engines in Firefox (Google, Amazon, etc)
|
||||||
|
|
||||||
## Desktop / GUI
|
## Desktop / GUI
|
||||||
* [ ] rofi - bitwarden-cli / bitwarden-menu ([Link](https://search.nixos.org/packages?channel=23.05&show=bitwarden-menu&from=0&size=50&sort=relevance&type=packages&query=bitwarden))
|
* [ ] rofi - rbw integration
|
||||||
* [ ] Set up PyRadio with Nightride.FM
|
* [ ] Set up PyRadio with Nightride.FM
|
||||||
|
|
||||||
Completed ToDo List [here](./docs/complete.md)
|
Completed ToDo List [here](./docs/complete.md)
|
||||||
|
@ -123,6 +117,7 @@ Completed ToDo List [here](./docs/complete.md)
|
||||||
3. Save and reboot
|
3. Save and reboot
|
||||||
4. Run `sudo sbctl create-keys`
|
4. Run `sudo sbctl create-keys`
|
||||||
5. Run `sudo sbctl enroll-keys`
|
5. Run `sudo sbctl enroll-keys`
|
||||||
|
6. Reboot and verify with `bootctl status`
|
||||||
|
|
||||||
# Manual: GPG Keys
|
# Manual: GPG Keys
|
||||||
1. Import the user private key: `gpg --import gpg/users/albert/privkey.asc`
|
1. Import the user private key: `gpg --import gpg/users/albert/privkey.asc`
|
||||||
|
@ -134,7 +129,8 @@ Completed ToDo List [here](./docs/complete.md)
|
||||||
# Secrets
|
# Secrets
|
||||||
1. Run `nix-develop` in `/etc/nixos/git` to import new keys
|
1. Run `nix-develop` in `/etc/nixos/git` to import new keys
|
||||||
2. To edit a file: `sops secrets/file.yml"`
|
2. To edit a file: `sops secrets/file.yml"`
|
||||||
3. When you add a new machine, you must update the secrets files encryption.
|
3. When you add a new machine, you must update the secrets files encryption.
|
||||||
|
* Ensure `.sops.yaml` has the updated fingerprint and file mappings.
|
||||||
* Run `sops updatekeys secrets/file.yaml` and commit the change.
|
* Run `sops updatekeys secrets/file.yaml` and commit the change.
|
||||||
|
|
||||||
# Troubleshooting
|
# Troubleshooting
|
||||||
|
@ -151,17 +147,11 @@ Completed ToDo List [here](./docs/complete.md)
|
||||||
├── home-manager
|
├── home-manager
|
||||||
│ ├── common
|
│ ├── common
|
||||||
│ │ ├── desktops
|
│ │ ├── desktops
|
||||||
│ │ │ ├── gnome
|
|
||||||
│ │ │ ├── hyprland
|
|
||||||
│ │ │ │ ├── assets
|
|
||||||
│ │ │ │ └── components
|
|
||||||
│ │ │ └── plasma6
|
|
||||||
│ │ └── software
|
│ │ └── software
|
||||||
│ │ ├── cli
|
│ │ ├── cli
|
||||||
│ │ └── gui
|
│ │ └── gui
|
||||||
│ ├── hosts
|
│ ├── hosts
|
||||||
│ └── users
|
│ └── users
|
||||||
│ └── albert
|
|
||||||
├── keys
|
├── keys
|
||||||
│ ├── hosts
|
│ ├── hosts
|
||||||
│ ├── ssh
|
│ ├── ssh
|
||||||
|
@ -170,18 +160,19 @@ Completed ToDo List [here](./docs/complete.md)
|
||||||
├── nixos
|
├── nixos
|
||||||
│ ├── common
|
│ ├── common
|
||||||
│ │ ├── desktops
|
│ │ ├── desktops
|
||||||
│ │ │ ├── gnome
|
|
||||||
│ │ │ ├── hyprland
|
|
||||||
│ │ │ └── plasma6
|
|
||||||
│ │ ├── modules
|
│ │ ├── modules
|
||||||
│ │ ├── services
|
│ │ ├── services
|
||||||
│ │ └── software
|
│ │ └── software
|
||||||
│ │ ├── cli
|
│ │ ├── cli
|
||||||
│ │ └── gui
|
│ │ └── gui
|
||||||
│ ├── hosts
|
│ ├── hosts
|
||||||
|
│ ├── containers
|
||||||
│ └── users
|
│ └── users
|
||||||
│ └── albert
|
|
||||||
├── secrets
|
├── secrets
|
||||||
|
│ ├── containers
|
||||||
|
│ └── hosts
|
||||||
├── stylix
|
├── stylix
|
||||||
|
│ ├── common
|
||||||
|
│ └── themes
|
||||||
└── wallpapers
|
└── wallpapers
|
||||||
```
|
```
|
||||||
|
|
|
@ -153,3 +153,6 @@
|
||||||
* [x] Edit the hosts file
|
* [x] Edit the hosts file
|
||||||
* [x] Syncthing
|
* [x] Syncthing
|
||||||
* [x] Try starship.rs - A powerline replacement - [Link](https://starship.rs/guide/#%F0%9F%9A%80-installation)
|
* [x] Try starship.rs - A powerline replacement - [Link](https://starship.rs/guide/#%F0%9F%9A%80-installation)
|
||||||
|
* [x] Replace fuzzel with rofi
|
||||||
|
* [x] Update disko configs away from 'table'
|
||||||
|
* See ./nixos/hosts/nixos-framework/disks-gpt.nix
|
||||||
|
|
|
@ -51,8 +51,7 @@
|
||||||
];
|
];
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
# hostBridge = "br0";
|
hostBridge = "br0";
|
||||||
hostAddress = "192.168.2.1";
|
|
||||||
localAddress = "192.168.2.2/24";
|
localAddress = "192.168.2.2/24";
|
||||||
restartIfChanged = true;
|
restartIfChanged = true;
|
||||||
enableTun = true;
|
enableTun = true;
|
||||||
|
|
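Review bot: Activating `hostBridge = "br0";` while dropping `hostAddress` but keeping `localAddress = "192.168.2.2/24";` attaches the container directly to the bridge with a static address; if br0 is the LAN bridge, the container now sits on the same L2 segment as the LAN, which is a wider exposure than the host-only veth it replaces. As far as I recall, NixOS names the host-side veth `vb-<name>` rather than `ve-<name>` when hostBridge is set, so firewall or NAT rules written against `ve-+` elsewhere in this commit would then not match this container — worth confirming with `ip link` after a rebuild. A short comment stating the intent, e.g. `# bridged onto br0: container takes a LAN address; host-side veth/NAT rules for ve-* do not apply`, would make the trade-off visible. The enclosing attribute set starts and ends outside the hunk.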
|
@ -3,12 +3,12 @@
|
||||||
./${hostname}
|
./${hostname}
|
||||||
../users/${username}
|
../users/${username}
|
||||||
../common/modules/nixos.nix
|
../common/modules/nixos.nix
|
||||||
../common/modules/networking.nix
|
../common/modules/networking.nix
|
||||||
# Services
|
# Services
|
||||||
../common/services/promtail.nix
|
../common/services/promtail.nix
|
||||||
../common/services/telegraf.nix
|
../common/services/telegraf.nix
|
||||||
../common/services/tailscale.nix
|
../common/services/tailscale.nix
|
||||||
../common/services/openssh.nix
|
../common/services/openssh.nix
|
||||||
];
|
];
|
||||||
# Generic Tailscale configs are in /nixos/common/services/tailscale.nix
|
# Generic Tailscale configs are in /nixos/common/services/tailscale.nix
|
||||||
# Set up the secrets file:
|
# Set up the secrets file:
|
||||||
|
@ -24,6 +24,5 @@
|
||||||
boot.isContainer = true;
|
boot.isContainer = true;
|
||||||
services.tailscale.authKeyFile = "/run/secrets/tailscale_key";
|
services.tailscale.authKeyFile = "/run/secrets/tailscale_key";
|
||||||
networking.hostName = "${hostname}";
|
networking.hostName = "${hostname}";
|
||||||
# networking.interfaces."eth0".useDHCP = true;
|
|
||||||
system.stateVersion = stateVersion;
|
system.stateVersion = stateVersion;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
|
{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
|
||||||
let
|
let
|
||||||
libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
|
libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
|
||||||
lanInterface = "enp0s13f0u4";
|
lanInterface = "enp0s13f0u4";
|
||||||
|
@ -7,14 +7,12 @@ in {
|
||||||
rdesktop = libx.mkContainer { hostname = "rdesktop"; };
|
rdesktop = libx.mkContainer { hostname = "rdesktop"; };
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.extraCommands = ''
|
networking = {
|
||||||
iptables -w -t nat -A nixos-nat-post -s ${config.containers.rdesktop.localAddress} -j MASQUERADE
|
nat.enable = true;
|
||||||
'';
|
nat.internalInterfaces = [ "ve-+" ];
|
||||||
|
nat.externalInterface = lanInterface;
|
||||||
networking.nat = {
|
nat.extraCommands = ''iptables -t nat -A POSTROUTING -o ${lanInterface} -j MASQUERADE'';
|
||||||
enable = true;
|
networkmanager.unmanaged = [ "interface-name:ve-*" ];
|
||||||
internalInterfaces = [ "ve-rdesktop" ];
|
firewall.trustedInterfaces = [ "ve-+" ];
|
||||||
externalInterface = lanInterface;
|
|
||||||
extraCommands = "iptables -t nat -A POSTROUTING -o ${lanInterface} -j MASQUERADE";
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
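Review bot: `firewall.trustedInterfaces = [ "ve-+" ];` disables all firewall filtering for traffic arriving from every container veth, present and future, so any container can reach any service on the host; nothing in the hunk shows that rdesktop needs more than a specific set of ports. Prefer opening only what is required, e.g. `firewall.interfaces."ve-rdesktop".allowedTCPPorts = [ <ports> ];`, or keep the wildcard and document why in a comment. `nat.extraCommands` also appends an unconditional `MASQUERADE` for everything leaving `${lanInterface}`, which appears to duplicate what `nat.externalInterface` together with `nat.internalInterfaces` already sets up and is no longer scoped with `-s` to the container subnet as the removed rule was; if it exists only for the containers, dropping it or restoring the `-s` scope is the safer form. Note that if rdesktop is attached via hostBridge, its host-side interface is likely `vb-rdesktop`, which none of the `ve-+` / `ve-*` patterns here would match.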