Add t470s config

2020-09-02 16:13:34 +02:00 · 2020-09-02 16:13:34 +02:00 · c0ec382ef8
commit c0ec382ef8
parent 78b46dfe8c
4 changed files with 324 additions and 0 deletions
--- a/hardware/t470s.nix
+++ b/hardware/t470s.nix
@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.initrd.availableKernelModules = [
+    "i915"
+  ];
+
+  environment.systemPackages = with pkgs; [
+    intel-media-driver
+    libva
+    libva-utils
+    libva1
+  ];
+  hardware.opengl.extraPackages = lib.singleton pkgs.vaapiIntel;
+}
--- a/lxc.nix
+++ b/lxc.nix
@ -0,0 +1,78 @@
+{ config, lib, pkgs, ... }: 
+
+let
+  dnsmasq = pkgs.dnsmasq;
+  stateDir = "/var/lib/dnsmasq";
+  dnsmasqConf = pkgs.writeText "dnsmasq-lxc.conf" ''
+    dhcp-leasefile=${stateDir}/dnsmasq-lxc.leases
+    strict-order
+    bind-interfaces
+    listen-address=10.0.3.1
+    dhcp-range=10.0.3.2,10.0.3.254
+    dhcp-lease-max=253
+    dhcp-no-override
+    dhcp-authoritative
+  '';
+in
+{
+  virtualisation = {
+    lxc.enable = true;
+    lxc.defaultConfig = ''
+      lxc.net.0.type = veth
+      lxc.net.0.link = lxcbr0
+      lxc.net.0.flags = up
+      lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
+      lxc.apparmor.profile = lxc-default-with-nesting
+      lxc.apparmor.allow_nesting = 1
+    '';
+  };
+  networking = {
+    bridges.lxcbr0 = {
+      interfaces = [ ];
+    };
+    interfaces.lxcbr0.ipv4.addresses = [{ address = "10.0.3.1"; prefixLength = 24; }];
+    firewall.interfaces.lxcbr0 = {
+      allowedTCPPorts = [
+        53 # DNS
+      ];
+      allowedUDPPorts = [
+        53 # DNS
+        67 # DHCP
+      ];
+    };
+    firewall.extraCommands = ''
+      iptables -t mangle -A POSTROUTING -o lxcbr0 -p udp -j CHECKSUM --checksum-fill
+      '';
+    networkmanager.unmanaged = ["lxcbr0"];
+    nat = {
+      enable = true;
+      internalInterfaces = ["lxcbr0"];
+      internalIPs = ["10.0.3.1"];
+    };
+  };
+
+  systemd.services."dnsmasq-lxc" = {
+      description = "Dnsmasq Daemon for LXC";
+      after = [ "network.target" "systemd-resolved.service" ];
+      wantedBy = [ "multi-user.target" ];
+      path = [ dnsmasq ];
+      preStart = ''
+        mkdir -m 755 -p ${stateDir}
+        touch ${stateDir}/dnsmasq-lxc.leases
+        dnsmasq --test -C ${dnsmasqConf}
+      '';
+      #chown -R dnsmasq ${stateDir}
+      #touch /etc/dnsmasq-{conf,resolv}.conf
+      serviceConfig = {
+        Type = "dbus";
+        BusName = "uk.org.thekelleys.dnsmasq-lxc";
+        ExecStart = "${dnsmasq}/bin/dnsmasq -k --enable-dbus --user=dnsmasq -C ${dnsmasqConf}";
+        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        PrivateTmp = true;
+        ProtectSystem = true;
+        ProtectHome = true;
+        Restart = "on-failure";
+      };
+      #restartTriggers = [ config.environment.etc.hosts.source ];
+  };
+}
--- a/machines/t470s/configuration.nix
+++ b/machines/t470s/configuration.nix
@ -0,0 +1,201 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ../../hardware/t470s.nix
+      ../../sway.nix
+      ../../unstable.nix
+      ../../fish.nix
+      ../../autologin.nix
+      ../../lxc.nix
+    ];
+
+  # Use the GRUB 2 boot loader.
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.efiSysMountPoint = "/boot";
+      efi.canTouchEfiVariables = true;
+    };
+    initrd = {
+      availableKernelModules = [
+        "aes_x86_64"
+        "aesni_intel"
+        "cryptd"
+      ];
+      luks.devices = {
+        pvcrypt = {
+          device = "/dev/disk/by-uuid/edd860f1-13e5-4301-bfb9-58d0b0bd1c74";
+          preLVM = true;
+        };
+      };
+    };
+  };
+
+  networking = {
+    hostName = "mercury";
+    interfaces.enp0s31f6.useDHCP = true;
+    networkmanager.enable = true;
+    useDHCP = false;
+  };
+
+  i18n.defaultLocale = "de_DE.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "neo";
+  };
+
+  time.timeZone = "Europe/Berlin";
+
+  environment.systemPackages = with pkgs; [
+    file
+    firefox-wayland
+    fzf
+    git
+    htop
+    ike
+    jq
+    neovim
+    pavucontrol
+    redir
+    ripgrep
+    spice-gtk
+    tcpdump
+    usbutils
+    virt-manager
+  ];
+
+  fonts.fonts = with pkgs; [
+    powerline-fonts
+    roboto
+    font-awesome
+  ];
+
+  environment.variables.EDITOR = "nvim";
+
+  nixpkgs.overlays = [
+    (self: super: {
+      neovim = super.neovim.override {
+        viAlias = true;
+        vimAlias = true;
+      };
+    })
+  ];
+
+  programs.mtr.enable = true;
+  
+  programs.gnupg.agent = {
+     enable = true;
+     pinentryFlavor = "qt";
+  };
+
+  sound.enable = true;
+  hardware.pulseaudio.enable = true;
+  hardware.pulseaudio.extraModules = [ pkgs.pulseaudio-modules-bt ];
+
+  hardware.bluetooth.enable = true;
+  services.blueman.enable = true;
+  services.ofono.enable = true;
+
+  services.udisks2.enable = true;
+  
+  services.openssh.enable = true;
+
+
+  virtualisation = {
+    docker.enable = true;
+    libvirtd.enable = true;
+  };
+
+  # https://github.com/NixOS/nixpkgs/issues/60594
+  security.wrappers.spice-client-glib-usb-acl-helper.source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
+
+  security.polkit.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.jal = {
+    isNormalUser = true;
+    extraGroups = [
+      "dialout"
+      "docker"
+      "libvirtd"
+      "networkmanager"
+      "video"
+      "wheel"
+    ]; # Enable ‘sudo’ for the user.
+    shell = pkgs.fish;
+  };
+
+  autologin.username = "jal";
+
+  networking.wg-quick.interfaces.wgawsjal = {
+    address = [ "10.254.254.6/30" ];
+    privateKeyFile = "/root/wireguard-keys/wgawsjal";
+    listenPort = 33580;
+    #mtu = 1419
+    #mtu = 1408
+    mtu = 1358;
+
+    peers = [
+      {
+        publicKey = "5B5Ad+C05saQZaVXw7nc9/htshzcPV5Suj2I8P4Ndik=";
+        endpoint = "3.121.44.55:2048";
+        persistentKeepalive = 10;
+        allowedIPs = [
+          "10.254.254.4/30" # tunnel transport
+          "10.10.7.0/24"    # NETWAYS
+          "10.158.128.0/23" # Approvals (instance.tradebyte.com)
+          "10.158.240.0/20" # TB.Shift development
+          "10.18.0.0/16"    # AWS IT
+          "10.250.0.0/16"   # AWS CCS
+          #10.10.7.6/32
+          #10.10.7.52/32
+          #10.10.7.218/32
+          #10.10.7.248/32
+        ];
+      }
+    ];
+  };
+  networking.firewall.allowedUDPPorts = [
+    33580 # wireguard
+  ];
+
+  services.dnsmasq = {
+    enable = true;
+    resolveLocalQueries = true;
+    servers = [
+      "194.150.168.168" # dns.as250.net Berlin/Frankfurt
+      "195.160.173.53" # dnscache.berlin.ccc.de
+      "46.182.19.48" # digitalcourage
+      "/sv.tb/192.168.99.17"
+      "/abc.tb/192.168.99.44"
+      "/sys.tradebyte.com/10.10.7.64"
+      "/core.tradebyte.com/10.10.7.64"
+      "/corp.ad.zalando.net/10.160.19.100"
+      "/7.10.10.in-addr.arpa/10.10.7.64"
+    ];
+    extraConfig = ''
+      interface=lo
+      listen-address=::1
+      listen-address=127.0.0.1
+      bind-interfaces
+    '';
+  };
+
+
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "20.03"; # Did you read the comment?
+
+}
--- a/machines/t470s/hardware-configuration.nix
+++ b/machines/t470s/hardware-configuration.nix
@ -0,0 +1,30 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/e3bcb091-0b8d-41a1-b023-f9c2285ec7e8";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/AFAC-E399";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 4;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}