Update mercury config

2021-09-29 20:25:03 +02:00 · 2021-09-29 20:25:03 +02:00 · 4e6ba82cb8
commit 4e6ba82cb8
parent 5ce1576f07
3 changed files with 68 additions and 32 deletions
--- a/lxc.nix
+++ b/lxc.nix
@ -12,6 +12,11 @@ let
    dhcp-lease-max=253
    dhcp-no-override
    dhcp-authoritative
+    domain=develop.sys.tradebyte.com
+    local=/develop.sys.tradebyte.com/
+    dns-loop-detect
+    neg-ttl=5
+    server=127.0.0.1
  '';
 in
 {
@ -75,4 +80,6 @@ in
      };
      #restartTriggers = [ config.environment.etc.hosts.source ];
  };
+
+  boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ];
 }
--- a/machines/t470s/configuration.nix
+++ b/machines/t470s/configuration.nix
@ -16,9 +16,17 @@
      ../../lxc.nix
      ../../obs.nix
    ];
+  
+  nix = {
+    daemonNiceLevel = 19;
+    daemonIONiceLevel = 7;
+  };
+
+  hardware.cpu.intel.updateMicrocode = true;

  # Use the GRUB 2 boot loader.
  boot = {
+    cleanTmpDir = true;
    loader = {
      systemd-boot.enable = true;
      efi.efiSysMountPoint = "/boot";
@ -26,7 +34,7 @@
    };
    initrd = {
      availableKernelModules = [
-        "aes_x86_64"
+        "aes_generic"
        "aesni_intel"
        "cryptd"
      ];
@ -42,8 +50,19 @@
  networking = {
    hostName = "mercury";
    interfaces.enp0s31f6.useDHCP = true;
-    networkmanager.enable = true;
+    networkmanager = {
+      enable = true;
+    };
    useDHCP = false;
+
+    firewall = {
+      allowedUDPPorts = [
+        53
+      ];
+      allowedTCPPorts = [
+        53
+      ];
+    };
  };

  i18n.defaultLocale = "de_DE.UTF-8";
@ -63,6 +82,7 @@
    ike
    jq
    neovim
+    openconnect
    pavucontrol
    redir
    ripgrep
@ -98,7 +118,9 @@

  sound.enable = true;
  hardware.pulseaudio.enable = true;
-  hardware.pulseaudio.extraModules = [ pkgs.pulseaudio-modules-bt ];
+  hardware.pulseaudio.extraModules = [
+    pkgs.pulseaudio-modules-bt
+  ];

  hardware.bluetooth.enable = true;
  services.blueman.enable = true;
@ -108,12 +130,18 @@
  
  services.openssh.enable = true;

+  services.udev.extraRules = ''
+    # mute indicator
+    SUBSYSTEM=="tty", ATTRS{idVendor}=="1eaf", ATTRS{idProduct}=="6d75", SYMLINK+="mute-indicator"
+  '';

  virtualisation = {
    docker.enable = true;
    libvirtd.enable = true;
  };

+  #virtualisation.docker.extraOptions = "--dns 172.17.0.1";
+
  # https://github.com/NixOS/nixpkgs/issues/60594
  security.wrappers.spice-client-glib-usb-acl-helper.source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";

@ -135,37 +163,27 @@

  autologin.username = "jal";

-  networking.wg-quick.interfaces.wgawsjal = {
-    address = [ "10.254.254.6/30" ];
-    privateKeyFile = "/root/wireguard-keys/wgawsjal";
-    listenPort = 33580;
-    #mtu = 1419
-    #mtu = 1408
-    mtu = 1358;
+  networking.wg-quick.interfaces.tbcore = {
+    address = [
+      "172.27.27.16/32"
+    ];
+    privateKeyFile = "/root/wireguard-keys/tradebyte-core";
+    listenPort = 51930;

    peers = [
      {
-        publicKey = "5B5Ad+C05saQZaVXw7nc9/htshzcPV5Suj2I8P4Ndik=";
-        endpoint = "3.121.44.55:2048";
-        persistentKeepalive = 10;
+        publicKey = "K5vF/yTag6NnWjZsMug63DERdCFRfHoqxVkgKH55oFE=";
+        endpoint = "194.33.184.175:51930";
+        #endpoint = "ccs-emergency-vpn.core.tradebyte.com:51930";
+        persistentKeepalive = 25;
        allowedIPs = [
-          "10.254.254.4/30" # tunnel transport
-          "10.10.7.0/24"    # NETWAYS
-          "10.158.128.0/23" # Approvals (instance.tradebyte.com)
-          "10.158.240.0/20" # TB.Shift development
-          "10.18.0.0/16"    # AWS IT
-          "10.250.0.0/16"   # AWS CCS
-          #10.10.7.6/32
-          #10.10.7.52/32
-          #10.10.7.218/32
-          #10.10.7.248/32
+          "10.18.0.0/16"
+          "10.158.128.0/23"
+          "10.158.224.0/20"
        ];
      }
    ];
  };
-  networking.firewall.allowedUDPPorts = [
-    33580 # wireguard
-  ];

  services.dnsmasq = {
    enable = true;
@ -177,20 +195,24 @@
      "/sv.tb/192.168.99.17"
      "/abc.tb/192.168.99.44"
      "/sys.tradebyte.com/10.10.7.64"
-      "/core.tradebyte.com/10.10.7.64"
+      "/core.tradebyte.com/10.170.254.30"
+      "/instance.tradebyte.com/10.170.254.30"
      "/corp.ad.zalando.net/10.160.19.100"
      "/7.10.10.in-addr.arpa/10.10.7.64"
+      "/develop.sys.tradebyte.com/10.0.3.1"
+      "/internal.production.core.tradebyte.com/10.158.224.2"
    ];
    extraConfig = ''
+      no-resolv
      interface=lo
      listen-address=::1
      listen-address=127.0.0.1
      bind-interfaces
+      dns-loop-detect
+      neg-ttl=5
    '';
  };

-
-
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/machines/t470s/hardware-configuration.nix
+++ b/machines/t470s/hardware-configuration.nix
@ -14,8 +14,14 @@
  boot.extraModulePackages = [ ];

  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/e3bcb091-0b8d-41a1-b023-f9c2285ec7e8";
-      fsType = "ext4";
+    { device = "/dev/disk/by-uuid/11ad51ac-32f6-45e5-8420-0b1295a5f645";
+      fsType = "btrfs";
+      options = [
+        "discard=async"
+        "noatime"
+        "subvol=/nixos"
+        "compress=zstd:12"
+      ];
    };

  fileSystems."/boot" =
@ -26,5 +32,6 @@
  swapDevices = [ ];

  nix.maxJobs = lib.mkDefault 4;
-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  #powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
 }