-rw-r--r--configuration.nix9
-rw-r--r--impermanence.nix84
-rw-r--r--router.nix72
3 files changed, 92 insertions, 73 deletions
diff --git a/configuration.nix b/configuration.nix
index b066ff3..78a98a1 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -32,12 +32,15 @@
extraGroups = [ "wheel" "wireshark" ];
shell = pkgs.fish;
hashedPassword = "REDACTED";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPC69ml72mqbn7L3QkpsCJuWdrKFYFNd0MaS5xERbuSF"
+ "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEdUe7mxGdV/Q37RKndPzDHisFb7q/xm+L97jcGluSDOA8MGt/+wTxpyGxfyEqaMvwV2bakaMVHTB3711dDu5kE="
+ "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLZ6OVyjTvWx9gvS+/DvkQW5VvLBbykq/0AV5mYDLADDtIOaDVscQ3lGOcUsga1ODNSl14MSV63bE8VtHfG1HOc="
+ ];
};
programs.fish.enable = true;
- programs.wireshark.enable = true;
-
environment.systemPackages = with pkgs; [
neovim
curl
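Review bot: Removing `programs.wireshark.enable = true;` leaves `"wireshark"` in the `extraGroups` context line above, so the user is still assigned to a group that the wireshark module was defining (and that module is also what hands the capability-bearing dumpcap to that group); either drop `"wireshark"` from `extraGroups` or keep the module if packet capture is still wanted. The three new `authorizedKeys.keys` entries carry no hint of which device each belongs to; a one-line `# <device label>` comment above each key lets a single key be revoked without guesswork when a device is lost. The enclosing `users.users.<name>` attribute set begins before this hunk.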
@@ -74,6 +77,4 @@
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "25.05"; # Did you read the comment?
-
}
-
diff --git a/impermanence.nix b/impermanence.nix
index 0592049..d3dae53 100644
--- a/impermanence.nix
+++ b/impermanence.nix
@@ -1,40 +1,56 @@
-{ lib, ... }: {
- boot.initrd.postResumeCommands = lib.mkAfter ''
- mkdir /btrfs_tmp
- mount /dev/disk/by-partlabel/disk-main-root /btrfs_tmp # CONFIRM THIS IS CORRECT FROM findmnt
- if [[ -e /btrfs_tmp/root ]]; then
- mkdir -p /btrfs_tmp/old_roots
- timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
- mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
- fi
+# sudo mount --ro /dev/nvme0n1p2 ./mnt --mkdir
+# ls mnt/old_roots
- delete_subvolume_recursively() {
- IFS=$'\n'
- for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
- delete_subvolume_recursively "/btrfs_tmp/$i"
- done
- btrfs subvolume delete "$1"
- }
+{ lib, config, ... }:
+let
+ cfg = config.oden.persist;
+in
+{
+ options.oden.persist = with lib; with types; {
+ directories = mkOption {
+ type = listOf str;
+ default = [];
+ description = "Directories that should be persisted";
+ };
+ };
+ config = {
+ boot.initrd.postResumeCommands = lib.mkAfter ''
+ mkdir /btrfs_tmp
+ mount /dev/disk/by-partlabel/disk-main-root /btrfs_tmp # CONFIRM THIS IS CORRECT FROM findmnt
+ if [[ -e /btrfs_tmp/root ]]; then
+ mkdir -p /btrfs_tmp/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+ mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ fi
- for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
- delete_subvolume_recursively "$i"
- done
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/btrfs_tmp/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+ delete_subvolume_recursively "$i"
+ done
- btrfs subvolume create /btrfs_tmp/root
- umount /btrfs_tmp
- '';
+ btrfs subvolume create /btrfs_tmp/root
+ umount /btrfs_tmp
+ '';
- environment.persistence."/nix/persist" = {
- hideMounts = true;
- directories = [
- "/var/log"
- "/var/lib/nixos"
- "/var/lib/systemd/coredump"
- ];
- files = [
- "/etc/machine-id"
- "/etc/ssh/ssh_host_ed25519_key"
- "/etc/ssh/ssh_host_ed25519_key.pub"
- ];
+ environment.persistence."/nix/persist" = {
+ hideMounts = true;
+ directories = cfg.directories ++ [
+ "/var/log"
+ "/var/lib/nixos"
+ "/var/lib/systemd"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ ];
+ };
};
}
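Review bot: The new recovery comment at the top names `/dev/nvme0n1p2` while the rollback script mounts `/dev/disk/by-partlabel/disk-main-root`; two spellings of the same device will drift, so write the comment as `# sudo mount --ro /dev/disk/by-partlabel/disk-main-root ./mnt --mkdir`. The mount line still carries `# CONFIRM THIS IS CORRECT FROM findmnt`, which reads as an unresolved TODO on a boot-critical path that now lives inside a reusable module; resolve it or reword it as a plain note. Widening `"/var/lib/systemd/coredump"` to `"/var/lib/systemd"` persists everything under that tree across the root wipe, which is presumably intended but deserves a short comment stating why, since it changes what survives a reboot. `with lib; with types;` stacked on the option set is the style nixpkgs discourages; `lib.mkOption { type = lib.types.listOf lib.types.str; ... }` keeps the origin of each name visible.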
diff --git a/router.nix b/router.nix
index 3c75169..2285c84 100644
--- a/router.nix
+++ b/router.nix
@@ -5,22 +5,44 @@ let
in
{
boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
- networking.nftables.enable = true;
- networking.firewall.filterForward = true;
- networking.nat = {
+
+ networking = {
+ nftables.enable = true;
+ firewall.filterForward = true;
+ nat = {
+ enable = true;
+ externalInterface = "enp8s0";
+ internalInterfaces = [ "br0" ];
+ # forwardPorts = [{ sourcePort = 1234; destination = "10.69.0.2:12345"; }];
+ };
+ bridges.br0.interfaces = [ lanInterface wifiInterface ];
+ interfaces.br0.ipv4.addresses = [{
+ address = "10.69.0.1";
+ prefixLength = 16;
+ }];
+ networkmanager = {
+ enable = true;
+ unmanaged = [ "interface-name:${lanInterface}" "interface-name:${wifiInterface}" ];
+ };
+ };
+ services.hostapd = {
enable = true;
- externalInterface = "enp8s0";
- internalInterfaces = [ "br0" ];
- # forwardPorts = [{
- # sourcePort = 1234;
- # destination = "10.69.0.2:12345";
- # }];
+ radios.${wifiInterface} = {
+ countryCode = "SE";
+ band = "2g";
+ channel = 12;
+ networks.${wifiInterface} = {
+ ssid = "Heidrun";
+ authentication = {
+ mode = "wpa3-sae";
+ saePasswords = [
+ { password = "REDACTED"; }
+ ];
+ };
+ };
+ };
};
- networking.bridges.br0.interfaces = [ lanInterface wifiInterface ];
- networking.interfaces.br0.ipv4.addresses = [{
- address = "10.69.0.1";
- prefixLength = 16;
- }];
+
services.kea.dhcp4 = {
enable = true;
settings = {
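Review bot: `saePasswords = [ { password = "REDACTED"; } ]` in the relocated hostapd block writes the Wi-Fi passphrase into the generated hostapd configuration, which ends up in the world-readable Nix store on the router; the hostapd module also accepts a file-based variant, so prefer `{ passwordFile = "<path to secret kept outside the store>"; }` and provision that file through whatever secret mechanism the host already uses. This was already the case before the move, but the restructure is a good moment to fix it. The `networking` attribute set opens and closes inside this hunk, while the file's outer attribute set and the `let` binding of `lanInterface`/`wifiInterface` begin before it.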
@@ -49,25 +71,5 @@ in
}];
};
};
- networking.networkmanager = {
- enable = true;
- unmanaged = [ "interface-name:${lanInterface}" "interface-name:${wifiInterface}" ];
- };
- services.hostapd = {
- enable = true;
- radios.${wifiInterface} = {
- countryCode = "SE";
- band = "2g";
- channel = 12;
- networks.${wifiInterface} = {
- ssid = "Heidrun";
- authentication = {
- mode = "wpa3-sae";
- saePasswords = [
- { password = "REDACTED"; }
- ];
- };
- };
- };
- };
+ oden.persist.directories = [ "/var/lib/private/kea" ];
}