From fd69ebbaad366cca94f13489723ce003bea69c36 Mon Sep 17 00:00:00 2001 From: Mathias Magnusson Date: Fri, 10 Oct 2025 18:42:56 +0200 Subject: Initial commit --- .editorconfig | 5 +++ configuration.nix | 88 ++++++++++++++++++++++++++++++++++++++++++++++ disko.nix | 49 ++++++++++++++++++++++++++ flake.lock | 65 ++++++++++++++++++++++++++++++++++ flake.nix | 17 +++++++++ hardware-configuration.nix | 26 ++++++++++++++ impermanence.nix | 40 +++++++++++++++++++++ router.nix | 50 ++++++++++++++++++++++++++ 8 files changed, 340 insertions(+) create mode 100644 .editorconfig create mode 100644 configuration.nix create mode 100644 disko.nix create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 hardware-configuration.nix create mode 100644 impermanence.nix create mode 100644 router.nix
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..a1b35eb
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,5 @@
+root = true
+
+[*]
+indent_size = 2
+indent_style = space
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..7eb5a30
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,88 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, inputs, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+ ./disko.nix
+ ./impermanence.nix
+ ./router.nix
+ ];
+
+ hardware.graphics.extraPackages = with pkgs; [ vpl-gpu-rt intel-media-driver ];
+ hardware.graphics.enable = true;
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "oden";
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+
+ # Set your time zone.
+ time.timeZone = "Europe/Stockholm";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "mod-dh-iso-us";
+ };
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.mathias = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" "wireshark" ];
+ shell = pkgs.fish;
+ hashedPassword = "REDACTED";
+ };
+
+ programs.fish.enable = true;
+
+ programs.wireshark.enable = true;
+
+ # List packages installed in system profile.
+ # You can use https://search.nixos.org/ to find more packages (and options).
+ environment.systemPackages = with pkgs; [
+ neovim
+ curl
+ git
+ (ffmpeg.override { withVpl = true; })
+ ];
+
+ services.openssh.enable = true;
+ services.openssh.settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ };
+
+ nix.registry.nixpkgs.flake = inputs.nixpkgs;
+ nix.extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "25.05"; # Did you read the comment?
+
+}
+
diff --git a/disko.nix b/disko.nix
new file mode 100644
index 0000000..1f89ffa
--- /dev/null
+++ b/disko.nix
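Review bot: `PasswordAuthentication = false` in the `services.openssh.settings` block does not by itself disable password logins on NixOS, because `services.openssh.settings.KbdInteractiveAuthentication` defaults to true and sshd will still accept a password through keyboard-interactive/PAM; add `KbdInteractiveAuthentication = false;` beside it. Separately, `services.openssh.enable = true` opens TCP 22 on every interface (`openFirewall` defaults to true), which on this host includes the WAN interface `enp8s0` that router.nix declares as `externalInterface`; if administration from the WAN side is not intended, set `services.openssh.openFirewall = false;` and `networking.firewall.interfaces.enp5s0f0u2.allowedTCPPorts = [ 22 ];` so key-only SSH is reachable from the LAN only. The user is also in `wheel` with a password hash committed to the repo; that is the usual NixOS trade-off (the hash lands in the world-readable store regardless), but a one-line comment saying so would keep a future reader from treating the file as secret-free.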
@@ -0,0 +1,49 @@
+{
+ disko.devices.disk.main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions.ESP = {
+ priority = 1;
+ name = "ESP";
+ start = "1M";
+ end = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ partitions.root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [ "subvol=root" "compress=zstd" "noatime" ];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [ "subvol=home" "compress=zstd" "noatime" ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [ "subvol=nix" "compress=zstd" "noatime" ];
+ };
+ "/nix/persist" = {
+ mountpoint = "/nix/persist";
+ mountOptions = [ "subvol=persist" "compress=zstd" "noatime" ];
+ };
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/nix/persist".neededForBoot = true;
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..5b0620f
--- /dev/null
+++ b/flake.lock
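Review bot: `partitions.root.content` is a plain btrfs filesystem with no LUKS layer, so everything the box keeps across reboots — the SSH host private key and machine-id that impermanence.nix persists under `/nix/persist`, plus `/home` — is stored in clear on `/dev/nvme0n1`. For an always-on router that may be an accepted trade-off, but if the hardware can be walked off with, wrapping the root partition in a `type = "luks"` content entry (unlocked by a keyfile or TPM if unattended boot is required) makes a removed disk useless; a short comment recording that the decision was deliberate would help either way. The `umask=0077` on the ESP is the right call given systemd-boot places readable kernels/initrds there.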
@@ -0,0 +1,65 @@
+{
+ "nodes": {
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1746728054,
+ "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "ff442f5d1425feb86344c028298548024f21256d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "latest",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
+ "impermanence": {
+ "locked": {
+ "lastModified": 1737831083,
+ "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1758791193,
+ "narHash": "sha256-F8WmEwFoHsnix7rt290R0rFXNJiMbClMZyIC/e+HYf0=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "25e53aa156d47bad5082ff7618f5feb1f5e02d01",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-25.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "disko": "disko",
+ "impermanence": "impermanence",
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..89a530a
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,17 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+ disko.url = "github:nix-community/disko/latest";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
+ impermanence.url = "github:nix-community/impermanence";
+ };
+ outputs = inputs@{ self, nixpkgs, disko, impermanence, ... }: {
+ nixosConfigurations.oden = nixpkgs.lib.nixosSystem {
+ modules = [ ./configuration.nix disko.nixosModules.disko impermanence.nixosModules.impermanence ];
+ specialArgs = {
+ inherit inputs;
+ };
+ };
+ };
+}
+
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..df42bc0
--- /dev/null
+++ b/hardware-configuration.nix
@@ -0,0 +1,26 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp8s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp9s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/impermanence.nix b/impermanence.nix
new file mode 100644
index 0000000..0592049
--- /dev/null
+++ b/impermanence.nix
@@ -0,0 +1,40 @@
+{ lib, ... }: {
+ boot.initrd.postResumeCommands = lib.mkAfter ''
+ mkdir /btrfs_tmp
+ mount /dev/disk/by-partlabel/disk-main-root /btrfs_tmp # CONFIRM THIS IS CORRECT FROM findmnt
+ if [[ -e /btrfs_tmp/root ]]; then
+ mkdir -p /btrfs_tmp/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+ mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ fi
+
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/btrfs_tmp/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /btrfs_tmp/root
+ umount /btrfs_tmp
+ '';
+
+ environment.persistence."/nix/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ ];
+ };
+}
diff --git a/router.nix b/router.nix
new file mode 100644
index 0000000..ad58ba8
--- /dev/null
+++ b/router.nix
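Review bot: `/var/lib/kea` is missing from the `directories` list of `environment.persistence."/nix/persist"`, so the memfile lease database that router.nix writes to `/var/lib/kea/dhcp4-leases.csv` is thrown away with `/` on every boot and Kea restarts with no record of which addresses are still held by clients; add `"/var/lib/kea"` to `directories`. The same goes for any NetworkManager profiles or secrets created interactively on the box (presumably under `/etc/NetworkManager/system-connections`), since configuration.nix enables NetworkManager but nothing of its state is persisted. In the initrd script the `mount /dev/disk/by-partlabel/disk-main-root /btrfs_tmp` result is never checked, so if the label is wrong the following `mv`/`btrfs subvolume create` operate on the initrd's own tmpfs; guard it with `|| fail` (the scripted stage-1 defines a `fail` helper that drops to an emergency shell) and, since the label matches disko's `disk-<disk>-<partition>` naming for `disk.main`/`partitions.root`, the `CONFIRM THIS IS CORRECT` comment can be resolved or removed.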
@@ -0,0 +1,50 @@
+{ ... }:
+let
+ lanInterface = "enp5s0f0u2";
+in
+{
+ boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
+ networking.nftables.enable = true;
+ networking.firewall.filterForward = true;
+ networking.nat = {
+ enable = true;
+ externalInterface = "enp8s0";
+ internalInterfaces = [ lanInterface ];
+ forwardPorts = [{
+ sourcePort = 1234;
+ destination = "10.69.0.2:12345";
+ }];
+ };
+ networking.interfaces.${lanInterface}.ipv4.addresses = [{
+ address = "10.69.0.1";
+ prefixLength = 16;
+ }];
+ services.kea.dhcp4 = {
+ enable = true;
+ settings = {
+ interfaces-config = {
+ interfaces = [ lanInterface ];
+ service-sockets-max-retries = 200000;
+ service-sockets-retry-wait-time = 5000;
+ };
+ lease-database = {
+ name = "/var/lib/kea/dhcp4-leases.csv";
+ type = "memfile";
+ };
+ valid-lifetime = 4000;
+ renew-timer = 2000;
+ rebind-timer = 3500;
+ subnet4 = [{
+ id = 1;
+ subnet = "10.69.0.0/16";
+ pools = [{
+ pool = "10.69.0.2 - 10.69.0.254";
+ }];
+ option-data = [
+ { name = "routers"; data = "10.69.0.1"; }
+ { name = "domain-name-servers"; data = "1.1.1.1, 1.0.0.1"; }
+ ];
+ }];
+ };
+ };
+}
-- cgit v1.2.3
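Review bot: The WAN port-forward in `networking.nat.forwardPorts` (`sourcePort = 1234` → `10.69.0.2:12345`) targets an address that lies inside the dynamic DHCP pool `10.69.0.2 - 10.69.0.254`, so whichever client happens to take the first lease after a restart becomes the host exposed to the Internet — and because the lease file is not persisted by impermanence.nix, that assignment can change on every reboot. Pin the target with a Kea reservation and move the pool above it, e.g. `pool = "10.69.0.10 - 10.69.0.254";` and `reservations = [{ hw-address = "<client-mac>"; ip-address = "10.69.0.2"; }];` inside the `subnet4` entry. `forwardPorts` entries default to TCP, so add `proto = "udp";` if the forwarded service is UDP. The explicit `net.ipv4.conf.all.forwarding` sysctl appears redundant with `networking.nat.enable`, which I believe already turns forwarding on; harmless, but a comment would explain why it is set twice.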