From 4c1dcec61beddedcf15e19fa1ce2b74b54e14556 Mon Sep 17 00:00:00 2001 
From: autumn Date: Mon, 27 Oct 2025 13:09:00 -0600 Subject: [PATCH] add hoardfrost --- flake.nix | 14 ++ home/autumn/sysconfs/hoardfrost.nix | 65 ++++++++ system/hoardfrost/configuration.nix | 134 ++++++++++++++++ system/hoardfrost/flake.lock | 48 ++++++ system/hoardfrost/flake.nix | 39 +++++ system/hoardfrost/hardware-configuration.nix | 38 +++++ system/packages/rust-motd/rust-motd.nix | 57 +++++++ system/packages/sddm/bincache.nix | 14 ++ system/packages/starship/starship.toml | 118 ++++++++++++++ system/services/containerization/docker.nix | 12 ++ system/services/containerization/mealie.nix | 38 +++++ .../services/containerization/stirlingpdf.nix | 19 +++ system/services/containerization/transtun.nix | 55 +++++++ .../endlessh => services}/endlessh.nix | 0 system/services/hickory-dns-bak.nix | 118 ++++++++++++++ system/services/hickory-dns.nix | 151 ++++++++++++++++++ system/services/openssh.nix | 8 + system/services/samba.nix | 44 +++++ system/services/tailscale.nix | 7 + 19 files changed, 979 insertions(+) create mode 100644 home/autumn/sysconfs/hoardfrost.nix create mode 100644 system/hoardfrost/configuration.nix create mode 100644 system/hoardfrost/flake.lock create mode 100644 system/hoardfrost/flake.nix create mode 100644 system/hoardfrost/hardware-configuration.nix create mode 100644 system/packages/rust-motd/rust-motd.nix create mode 100644 system/packages/sddm/bincache.nix create mode 100644 system/packages/starship/starship.toml create mode 100644 system/services/containerization/docker.nix create mode 100644 system/services/containerization/mealie.nix create mode 100644 system/services/containerization/stirlingpdf.nix create mode 100644 system/services/containerization/transtun.nix rename system/{packages/endlessh => services}/endlessh.nix (100%) create mode 100644 system/services/hickory-dns-bak.nix create mode 100644 system/services/hickory-dns.nix create mode 100644 system/services/openssh.nix create mode 100644 system/services/samba.nix create mode 
100644 system/services/tailscale.nix diff --git a/flake.nix b/flake.nix index 2876e20..6506f8a 100644 --- a/flake.nix +++ b/flake.nix @@ -69,6 +69,13 @@ ./home/autumn/sysconfs/wsl-hive.nix ]; }; + "autumn@hoardfrost" = home-manager.lib.homeManagerConfiguration{ + extraSpecialArgs = specialArgs; + pkgs = pkgs; + modules = [ + ./home/autumn/sysconfs/hoadfrost.nix + ]; + }; }; nixosConfigurations = { "yukigekko" = nixpkgs.lib.nixosSystem{ @@ -86,6 +93,13 @@ ./system/lesbos/configuration.nix ]; }; + "hoardfrost" = nixpkgs.lib.nixosSystem{ + system = system; + specialArgs = specialArgs; + modules = [ + ./system/hoardfrost/configuration.nix + ] + }; "wsl-hive" = nixpkgs.lib.nixosSystem{ specialArgs = specialArgs; system = system; diff --git a/home/autumn/sysconfs/hoardfrost.nix b/home/autumn/sysconfs/hoardfrost.nix new file mode 100644 index 0000000..2b0eadd --- /dev/null +++ b/home/autumn/sysconfs/hoardfrost.nix 
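Review bot: The new `autumn@hoardfrost` entry imports `./home/autumn/sysconfs/hoadfrost.nix`, but the file this commit creates is `home/autumn/sysconfs/hoardfrost.nix`, so that output fails to evaluate on a missing path; fix the spelling to `./home/autumn/sysconfs/hoardfrost.nix`. The enclosing `homeConfigurations` attribute set starts and ends outside the hunk.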
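Review bot: In the `hoardfrost` nixosSystem, `modules = [ ./system/hoardfrost/configuration.nix ]` is followed directly by `};` with no terminating `;`, which is a Nix parse error and breaks evaluation of the whole flake rather than just this host; write `];`. The enclosing `nixosConfigurations` set starts and ends outside the hunk.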
@@ -0,0 +1,65 @@ +{config, pkgs, ...}: + +{ + home = { + username = "autumn"; + homeDirectory = "/home/autumn"; + stateVersion = "25.11"; + packages = with pkgs; [ + htop + gnumake + neofetch + oh-my-zsh + ]; + }; + xdg.configFile."starship.toml".source = ./packages/starship/starship.toml; + # programs.bash.initExtra = [ + # "zsh" + # "starship init zsh" + # ]; + programs.starship.enable = true; + programs.starship.enableZshIntegration = true; + programs.git = { + enable = true; + userEmail = "autumnal.musing@gmail.com"; + userName = "autumn"; + }; + + programs.zsh = { + enable = true; + antidote = { + enable = true; + plugins = [ + "zsh-users/zsh-autosuggestions" + "zsh-users/zsh-syntax-highlighting" + ]; + useFriendlyNames = true; + }; + autosuggestion = { + enable = true; + }; + shellAliases = { + ".." = "cd .."; + "..." = "cd ../.."; + "...." = "cd ../../.."; + "pls" = "pls -d typ -d perm -d user -d group -d size -d mtime -d git"; + "z" = "zoxide"; + }; + sessionVariables ={ + SERVDIR = "/srv/samba/hoardfrost/mainstore"; + }; + oh-my-zsh = { + enable = true; + plugins = [ + "git" + "sudo" + "colored-man-pages" + "colorize" + "cp" + # "zoxide" + # "ssh-agent" + "command-not-found" + ]; + }; + }; +} diff --git a/system/hoardfrost/configuration.nix b/system/hoardfrost/configuration.nix new file mode 100644 index 0000000..340cf6b --- /dev/null +++ b/system/hoardfrost/configuration.nix 
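Review bot: `xdg.configFile."starship.toml".source = ./packages/starship/starship.toml;` resolves relative to `home/autumn/sysconfs/`, but the only starship.toml this commit adds is `system/packages/starship/starship.toml`, so the path almost certainly does not exist and home-manager activation will fail; point at the real file (`../../../system/packages/starship/starship.toml`) or move it under `home/`. The alias `"z" = "zoxide"` also looks wrong: if zoxide's shell init is used, `z` is a function it defines and the alias turns `z foo` into `zoxide foo`, which is not a zoxide subcommand — drop the alias and enable `programs.zoxide` instead (confirm against how zoxide is installed).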
@@ -0,0 +1,134 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + + ../packages/rust-motd/rust-motd.nix + + ../services/samba.nix + ../services/openssh.nix + ../services/endlessh.nix + # ./services/currents.nix + #. ./services/tailscale.nix. + + # ./services/containerization/currents.nix + ../services/containerization/docker.nix + ../services/containerization/mealie.nix + ../services/containerization/transtun.nix + ../services/containerization/stirlingpdf.nix + ]; + + # Bootloader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + nix.settings.experimental-features = ["nix-command" "flakes"]; + services.tailscale.enable = true; + + networking.hostName = "hoardfrost"; # Define your hostname. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Enable networking + networking.networkmanager.enable = true; + + # Set your time zone. + time.timeZone = "America/Denver"; + + # Select internationalisation properties. 
+ i18n.defaultLocale = "en_US.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "en_US.UTF-8"; + LC_IDENTIFICATION = "en_US.UTF-8"; + LC_MEASUREMENT = "en_US.UTF-8"; + LC_MONETARY = "en_US.UTF-8"; + LC_NAME = "en_US.UTF-8"; + LC_NUMERIC = "en_US.UTF-8"; + LC_PAPER = "en_US.UTF-8"; + LC_TELEPHONE = "en_US.UTF-8"; + LC_TIME = "en_US.UTF-8"; + }; + + # Configure keymap in X11 + services = { + xserver.xkb = { + layout = "us"; + variant = ""; + }; + }; + networking.firewall.enable = true; + networking.firewall.allowPing = true; + networking.firewall.allowedTCPPorts = [ 22 53 137 138 139 389 445 2022 8080 5657 41641]; + networking.firewall.allowedUDPPorts = [ 22 53 137 138 139 389 445 2022 41641]; + + # Define a user account. Don't forget to set a password with ‘passwd’. + programs.zsh.enable = true; + users = { + defaultUserShell = pkgs.zsh; + users.autumn = { + isNormalUser = true; + description = "autumn"; + extraGroups = [ "networkmanager" "wheel" ]; + }; + }; + + # Allow unfree packages + nixpkgs.config.allowUnfree = true; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + helix + git + nil + inetutils + nh + toybox + nodejs_24 + jdk17 + # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + # wget + ]; + virtualisation.podman = { + enable = true; + + }; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + # services.openssh.enable = true; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. 
+ # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "25.05"; # Did you read the comment? + +} diff --git a/system/hoardfrost/flake.lock b/system/hoardfrost/flake.lock new file mode 100644 index 0000000..1ea6611 --- /dev/null +++ b/system/hoardfrost/flake.lock @@ -0,0 +1,48 @@ +{ + "nodes": { + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1761191301, + "narHash": "sha256-xsRL2Oyb4YRZZ1Tu4WzR2uFg1n931bH+PfLdFcqtLg8=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "4958aafe7b237dc1e857fb0c916efff72075048f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1761114652, + "narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/system/hoardfrost/flake.nix b/system/hoardfrost/flake.nix new file mode 100644 index 0000000..d1d4f0c --- /dev/null +++ b/system/hoardfrost/flake.nix 
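Review bot: `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` open several ports nothing in this commit listens on (TCP 389, 5657 and 41641; UDP 22, 389, 445 and 2022), while TCP 8080 maps to the `torrent-browser` container's Firefox UI from transtun.nix with no authentication configured, and TCP 22 stays open although sshd moves to 2022 (presumably for endlessh — confirm against endlessh.nix, which this commit only renames). Samba and samba-wsdd already set `openFirewall = true`, so the 137–139/445 entries are duplicated here. Trim the list to what is actually served, e.g. `networking.firewall.allowedTCPPorts = [ 22 53 2022 ];` and `networking.firewall.allowedUDPPorts = [ 53 41641 ];`, and expose container web UIs only on the tailnet via `networking.firewall.interfaces.tailscale0.allowedTCPPorts`. Separately, `virtualisation.podman.enable = true` here plus `virtualisation.docker.enable` in docker.nix runs two container engines; the motd's `podman-*.service` names indicate podman is the one in use, so Docker can likely be dropped.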
@@ -0,0 +1,39 @@ +{ + description = "Hoardfrost multipurpose server"; + + inputs = { + nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; + home-manager.url = "github:nix-community/home-manager"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = {self, nixpkgs, home-manager, ...}@inputs: + let + system = "x86_64-linux"; + pkgs = nixpkgs.legacyPackages.${system}; + timezone = "America/Denver"; + locale = "en_US.UTF-8"; + specialArgs = { + inherit inputs; + inherit system; + inherit timezone; + inherit locale; + }; + in { + + homeConfigurations.autumn = home-manager.lib.homeManagerConfiguration{ + extraSpecialArgs = specialArgs; + pkgs = pkgs; + modules = [ + ./home.nix + ]; + }; + nixosConfigurations.hoardfrost = nixpkgs.lib.nixosSystem{ + system = system; + specialArgs = specialArgs; + modules = [ + ./configuration.nix + ]; + }; + }; +} diff --git a/system/hoardfrost/hardware-configuration.nix b/system/hoardfrost/hardware-configuration.nix new file mode 100644 index 0000000..9fd6338 --- /dev/null +++ b/system/hoardfrost/hardware-configuration.nix 
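Review bot: `homeConfigurations.autumn` imports `./home.nix`, but no `system/hoardfrost/home.nix` appears in this commit's file list, so building that output (or `nix flake check`) will fail on a missing path; either add the file or reference `../../home/autumn/sysconfs/hoardfrost.nix`. This per-host flake also duplicates the entries the same commit adds to the root flake.nix, with its own flake.lock, so the two nixpkgs revisions can silently drift; if it is only a bootstrap artifact, say so in `description` (e.g. `# bootstrap-only; the root flake is authoritative`) or remove it.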
@@ -0,0 +1,38 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/4f1eff7d-8a8c-4a7f-857b-f4e58b7a5f90"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/C802-4F6B"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/system/packages/rust-motd/rust-motd.nix b/system/packages/rust-motd/rust-motd.nix new file mode 100644 index 0000000..3b7b8f7 --- /dev/null +++ b/system/packages/rust-motd/rust-motd.nix 
@@ -0,0 +1,57 @@ +{config, pkgs, ...}: +{ + environment.systemPackages = with pkgs; [figlet]; + programs.rust-motd = { + enable = true; + order = [ + "global" + "banner" + "weather" + "uptime" + "last_login" + "memory" + "service_status" + "filesystems" + "load_avg" + ]; + settings = { + global = { + version = "1.0"; + }; + banner = { + color = "blue"; + command = "hostname | figlet -f sblood"; + }; + weather = { + loc = "Denver,Colorado"; + style = "full"; + }; + service_status = { + samba = "samba-wsdd.service"; + openssh = "sshd.service"; + mealie = "podman-postgres-mealie.service"; + stirling = "podman-stirling-pdf.service"; + tbrowser = "podman-torrent-browser.service"; + seas = "podman-transmission-openvpn.service"; + tailscale = "tailscaled.service"; + firewall = "firewall.service"; + endlessh = "endlessh.service"; + }; + uptime = { + prefix = "up"; + }; + memory = { + swap_pos = "beside"; + }; + last_login = { + autumn = 2; + }; + filesystems = { + root = "/"; + }; + load_avg = { + format = "Load (1, 5, 15 min.): {one:.02}, {five:.02}, {fifteen:.02}"; + }; + }; + }; +} diff --git a/system/packages/sddm/bincache.nix b/system/packages/sddm/bincache.nix new file mode 100644 index 0000000..c3d852e --- /dev/null +++ b/system/packages/sddm/bincache.nix @@ -0,0 +1,14 @@ + +{ config, pkgs, ... }: + +{ + # Configure systems to use Hydra as a binary cache substituter + nix.settings = { + substituters = [ + "http://rhiannon.coven.systems:3000" + ]; + trusted-public-keys = [ + "rhiannon.coven.systems:f8KiECrc7rY3vDMSy7sACyToxRLPECtQTcm6p8LFMPk=" + ]; + }; +} diff --git a/system/packages/starship/starship.toml b/system/packages/starship/starship.toml new file mode 100644 index 0000000..f9ee848 --- /dev/null +++ b/system/packages/starship/starship.toml 
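Review bot: `service_status.samba = "samba-wsdd.service"` monitors the WS-Discovery helper rather than the file server, so smbd being down still shows Samba as healthy on the motd; use `samba = "samba-smbd.service";` and, if wanted, a separate `wsdd = "samba-wsdd.service";`. The `weather` block makes rust-motd perform an outbound network fetch carrying the `loc` string on every refresh, which on a server is a recurring third-party call; if that is intended, note it with `# weather: outbound fetch to the weather provider on each refresh`, otherwise drop the module.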
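Review bot: The substituter `http://rhiannon.coven.systems:3000` is fetched over plaintext HTTP; the paired `trusted-public-keys` entry means Nix still verifies NAR signatures, so this is not a code-execution hole, but every store path requested is visible on the wire and an on-path attacker can withhold or replay older signed paths. Prefer `https://` (or an address only reachable over the tailnet) and record the trust assumption: `# integrity relies solely on the signing key below; the transport is unauthenticated`. This file also sits under `system/packages/sddm/` and is not imported by the new configuration.nix — confirm whether it is meant to be wired in.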
@@ -0,0 +1,118 @@ +add_newline = true + +[aws] +disabled = true + +[battery] +disabled = true + +[character] +success_symbol = "[](bold green)" +error_symbol = "[](bold red)" +vicmd_symbol = "[](bold green)" + +[cmd_duration] + +[conda] + +[directory] +truncation_length = 3 + +[dotnet] +disabled = true + +[env_var] +disabled = true + +[elixir] +symbol = " " + +[elm] +symbol = " " + +[git_branch] +symbol = " " + +[git_commit] +disabled = false +commit_hash_length = 4 + +[git_state] +disabled = true + +[git_status] +conflicted = "=${count}" +ahead = "⇡${count}" +behind = "⇣${count}" +diverged = "⇕⇡${ahead_count}⇣${behind_count}" +untracked = "?${count}" +stashed = "\\$${count}" +modified = "!${count}" +staged = "+${count}" +renamed = "»${count}" +deleted = "✘${count}" + +[gcloud] +disabled = true + +[golang] +symbol = " " + +[hostname] + +[jobs] + +[kubernetes] +symbol = " " +disabled = false + +[line_break] +disabled = false + +[lua] +symbol = " " +lua_binary = "luajit" + +[nix_shell] +disabled = true + +[memory_usage] +disabled = true + +[java] +symbol = " " + +[julia] + +[nim] + +[nodejs] +symbol = " " + +[package] +symbol = " " + +[php] +symbol = " " + +[python] +symbol = " " + +[ruby] +symbol = " " + +[rust] +symbol = " " + +[scala] +symbol = " " + +[terraform] +symbol = " " +format = "via [$symbol$version]($style)" + +[time] +disabled = true + +[username] +disabled = false diff --git a/system/services/containerization/docker.nix b/system/services/containerization/docker.nix new file mode 100644 index 0000000..c728388 --- /dev/null +++ b/system/services/containerization/docker.nix @@ -0,0 +1,12 @@ +{config, pkgs, ...}: +{ + environment.systemPackages = with pkgs;[ + podman + docker-compose + ]; + + virtualisation = { + docker.enable = true; + }; + users.users.autumn.extraGroups = ["docker"]; +} diff --git a/system/services/containerization/mealie.nix b/system/services/containerization/mealie.nix new file mode 100644 index 0000000..d7f62df 
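Review bot: `users.users.autumn.extraGroups = ["docker"];` grants access to the Docker socket, which is root-equivalent on the host (any container can bind-mount `/`), so it should be a deliberate decision rather than a convenience for a user who already has `wheel`. Since configuration.nix enables podman and the oci-containers in this commit are referenced as `podman-*.service`, the Docker daemon appears unused — drop `virtualisation.docker.enable` and the group, or if Docker is really needed use `virtualisation.docker.rootless = { enable = true; setSocketVariable = true; };`. Listing `podman` in `environment.systemPackages` is redundant with `virtualisation.podman.enable`.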
--- /dev/null
+++ b/system/services/containerization/mealie.nix
@@ -0,0 +1,38 @@
+{config, pkgs, ...}:
+{
+ virtualisation.oci-containers.containers = {
+ mealie = {
+ image = "ghcr.io/mealie-recipes/mealie:v3.3.2";
+ ports = [
+ "9000:9000"
+ ];
+ volumes = [
+ "/home/autumn/mealie/mealie-data:/app/data"
+ ];
+ environment = {
+ DB_ENGINE= "postgres";
+ POSTGRES_USER = "mealie";
+ POSTGRES_PASSWORD = "mealie";
+ POSTGRES_SERVER = "localhost:5432";
+ POSTGRES_PORT = "5432";
+ POSTGRES_DB = "mealie";
+ TZ = "America/Denver";
+ };
+ dependsOn = [
+ "postgres-mealie"
+ ];
+ };
+ postgres-mealie = {
+ image = "postgres:17";
+ environment = {
+ POSTGRES_USER = "mealie";
+ POSTGRES_PASSWORD = "mealie";
+ PGUSER = "mealie";
+ POSTGRES_DB = "mealie";
+ };
+ volumes = [
+ "/home/autumn/mealie/mealie-pgdata:/var/lib/postgresql/data"
+ ];
+ };
+ };
+}
diff --git a/system/services/containerization/stirlingpdf.nix b/system/services/containerization/stirlingpdf.nix
new file mode 100644
index 0000000..7766525
--- /dev/null
+++ b/system/services/containerization/stirlingpdf.nix
@@ -0,0 +1,19 @@
+{config, pkgs, ...}:
+{
+
+ virtualisation.oci-containers.containers.stirling-pdf = {
+ image = "stirlingtools/stirling-pdf:latest";
+ ports = ["8079:8080"];
+ volumes = [
+ "/home/autumn/StirlingPDF/trainingData:/usr/share/tessdata"
+ "/home/autumn/StirlingPDF/extraConfigs:/configs"
+ "/home/autumn/StirlingPDF/customFiles:/customFiles/"
+ "/home/autumn/StirlingPDF/logs:/logs/"
+ "/home/autumn/StirlingPDF/pipeline:/pipeline/"
+ ];
+ environment = {
+ DISABLE_ADDITIONAL_FEATURES="true";
+ LANGS="en_US";
+ };
+ };
+}
diff --git a/system/services/containerization/transtun.nix b/system/services/containerization/transtun.nix
new file mode 100644
index 0000000..49ea4b2
--- /dev/null
+++ b/system/services/containerization/transtun.nix
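Review bot: `POSTGRES_PASSWORD = "mealie"` (set on both containers) ends up in the Nix store and in the generated systemd unit, both world-readable on the host, and is now committed to the repository as well; move it to a root-only file via `environmentFiles = [ "/var/lib/mealie/postgres.env" ];` on both containers and rotate it. `POSTGRES_SERVER = "localhost:5432"` alongside `POSTGRES_PORT = "5432"` also looks doubtful: with the default podman backend each container has its own network namespace, so `localhost` inside the mealie container is not the postgres container — confirm they share a pod or network and otherwise use the container name `postgres-mealie` as the server. `postgres:17` pins only the major version; a digest pin would match the reproducibility the rest of the config aims for.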
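Review bot: `stirlingtools/stirling-pdf:latest` is a mutable tag, so every pull takes whatever the registry currently serves, and a broken or compromised upstream push lands on the next rebuild; the mealie container in the same commit pins `v3.3.2`, so be consistent and pin here too, e.g. `image = "stirlingtools/stirling-pdf:<version>@sha256:<digest>";`. Port 8079 is not in the configuration.nix firewall list, so the UI is host-local unless the container engine bypasses the firewall; a one-line comment stating that is intentional would help the next reader.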
@@ -0,0 +1,55 @@
+{config, pkgs, ...}:
+{
+ virtualisation.oci-containers.containers.transmission-openvpn = {
+ image = "haugene/transmission-openvpn:latest";
+
+ ports = [
+ "9091:9091"
+ ];
+
+ volumes = [
+ "/home/autumn/transtun/holding-cell:/data"
+ "/home/autumn/transtun/mullvad_userpass.txt:/config/openvpn-credentials.txt"
+ "/home/autumn/transtun/notify-download.sh:/etc/transmission/notify-download.sh:ro"
+ ];
+
+ environment = {
+ OPENVPN_PROVIDER = "MULLVAD";
+ OPENVPN_USERNAME = "9413153196446212";
+ OPENVPN_CONFIG = "ca_van";
+ LOCAL_NETWORK = "10.0.0.0/16";
+ OPENVPN_OPTS = "--dev tun0";
+ TRANSMISSION_RPC_BIND_ADDRESS = "0.0.0.0";
+ TRANSMISSION_RPC_WHITELIST = "*";
+ TRANSMISSION_RPC_WHITELIST_ENABLED = "false";
+ TRANSMISSION_SCRIPT_TORRENT_DONE_ENABLED = "true";
+ TRANSMISSION_SCRIPT_TORRENT_DONE_FILENAME = "/etc/transmission/notify-download.sh";
+ };
+
+ extraOptions = [
+ "--cap-add=NET_ADMIN"
+ "--cap-add=SYS_MODULE"
+ "--device=/dev/net/tun:/dev/net/tun"
+ "--privileged"
+ ];
+
+ autoStart = true;
+ };
+
+ # Firefox browser container (working version without VPN)
+ virtualisation.oci-containers.containers.torrent-browser = {
+ image = "jlesage/firefox:latest";
+
+ ports = [
+ "8080:5800" # Firefox web interface
+ ];
+
+ environment = {
+ DISPLAY = ":0";
+ APP_NAME = "Torrent Browser";
+ APP_ICON = "https://raw.githubusercontent.com/jlesage/docker-templates/master/jlesage/images/firefox-icon.png";
+ };
+
+ autoStart = true;
+ };
+}
\ No newline at end of file
diff --git a/system/packages/endlessh/endlessh.nix b/system/services/endlessh.nix
similarity index 100%
rename from system/packages/endlessh/endlessh.nix
rename to system/services/endlessh.nix
diff --git a/system/services/hickory-dns-bak.nix b/system/services/hickory-dns-bak.nix
new file mode 100644
index 0000000..0d8ee9f
--- /dev/null
+++ b/system/services/hickory-dns-bak.nix
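Review bot: `OPENVPN_USERNAME = "9413153196446212"` is a Mullvad account number, which is the sole credential for that account; it is now in git history and in the world-readable Nix store, so treat it as leaked — rotate it and supply it only through the mounted `openvpn-credentials.txt` or an `environmentFiles` entry. `--privileged` makes the `--cap-add` lines redundant and hands the container full host access (all capabilities, all devices, no seccomp filter), far beyond what OpenVPN needs; `NET_ADMIN` plus `--device=/dev/net/tun` is normally sufficient and `SYS_MODULE` should not be granted to any container. `TRANSMISSION_RPC_WHITELIST_ENABLED = "false"` with `TRANSMISSION_RPC_BIND_ADDRESS = "0.0.0.0"` and no `TRANSMISSION_RPC_USERNAME`/`TRANSMISSION_RPC_PASSWORD` means anyone who reaches 9091 controls the client, and `torrent-browser` publishes a desktop Firefox on 8080 — a port configuration.nix opens to every interface — with no `VNC_PASSWORD` set, so any LAN host appears to get an interactive browser session; restrict both to the tailnet or add credentials. Both images also use `:latest`; pin versions as mealie.nix does.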
@@ -0,0 +1,118 @@ +{ config, pkgs, lib, ... }: + +# Define your DNS records declaratively +let + dnsRecords = { + "lan." = { + ttl = 86400; # Time-to-live for records in this zone + ns = [ "hoardfrost.lan." ]; # Nameserver record + soa = { + nameServer = "hoardfrost.lan."; + adminEmail = "root.lan."; + serial = "2025091901"; # Update this serial number with each change + refresh = "3600"; + retry = "1800"; + expire = "604800"; + minimum = "86400"; + }; + + # Define your host records (A for IPv4, AAAA for IPv6) + records = { + # Your NixOS server acting as the DNS server + hoardfrost = [ + { type = "A"; content = "10.0.0.217"; } + { type = "AAAA"; content = "2601:282:180:630::803b"; } + ]; + + # Other devices on your local network + router = [ + { type = "A"; content = "10.0.0.1"; } + { type = "AAAA"; content = "fe80::1"; } + ]; + + yukigekko = [ + { type = "A"; content = "10.0.0.210"; } + { type = "AAAA"; content = "2601:282:180:630::e2e"; } + ]; + + wesbos = [ + { type = "A"; content = "10.0.0.110";} + # { type = "AAAA"; content = "";} + ]; + + wsl-hive = [ + {type = "A"; content = "172.18.84.193";} + {type = "AAAA"; content = "fe80::215:5dff:fec1:e4b5";} + ]; + }; + }; + }; + + # This function generates the zone file string from the Nix expression + generateZoneFile = zoneName: zoneConfig: + let + soaRecord = "${zoneName} ${toString zoneConfig.ttl} IN SOA ${zoneConfig.soa.nameServer} ${zoneConfig.soa.adminEmail} ( ${zoneConfig.soa.serial} ${zoneConfig.soa.refresh} ${zoneConfig.soa.retry} ${zoneConfig.soa.expire} ${zoneConfig.soa.minimum} )"; + nsRecords = lib.concatStringsSep "\n" (lib.map (ns: "${zoneName} ${toString zoneConfig.ttl} IN NS ${ns}") zoneConfig.ns); + hostRecords = lib.concatStringsSep "\n" (lib.flatten (lib.mapAttrsToList (hostname: records: + lib.map (record: "${hostname}.${zoneName} ${toString zoneConfig.ttl} IN ${record.type} ${record.content}") records + ) zoneConfig.records)); + in + '' + $ORIGIN ${zoneName} + ${soaRecord} + ${nsRecords} + 
${hostRecords} + ''; + + # Generate the zone file using the `generateZoneFile` function + lanZoneFile = pkgs.writeText "lan.zone" (generateZoneFile "lan." dnsRecords."lan."); + + # Configure hickory-dns with the generated zone file + hickoryConfig = pkgs.writeText "hickory-config.toml" '' + listen_addrs_ipv4 = ["127.0.0.1", "10.0.0.217"] # Change to your NixOS server's IPv4 + listen_addrs_ipv6 = ["::1", "fe80::215:5dff:fec1:e4b5"] # Change to your NixOS server's IPv6 + + # Configure as an authoritative server for the local zone + [[zones]] + zone = "lan." + zone_type = "Primary" + file = "${lanZoneFile}" + + # Configure as a recursive resolver for all other queries + [[recursor]] + # All queries *not* matching the "lan." zone will be forwarded here. + [[recursor.forwarders]] + name_servers = ["8.8.8.8:53", "[2001:4860:4860::8888]:53"] + # All other DNS queries will be handled recursively, starting from the root hints. + ''; + +in +{ + systemd.services.hickory-dns = { + enable = true; + description = "Hickory DNS with local zone"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "simple"; + User = "hickory"; + Group = "hickory"; + ExecStart = "${pkgs.hickory-dns}/bin/hickory-dns -c ${hickoryConfig}"; + Restart = "on-failure"; + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + DynamicUser = true; + StateDirectory = "hickory"; + }; + }; + + users.groups.hickory = {}; + users.users.hickory = { + isSystemUser = true; + group = "hickory"; + }; + + environment.systemPackages = [ pkgs.hickory-dns ]; + + # Configure your NixOS machine to use itself as the DNS resolver + services.resolved.enable = false; + networking.nameservers = [ "127.0.0.1" "fdaa:a00:0:1::100" ]; +} diff --git a/system/services/hickory-dns.nix b/system/services/hickory-dns.nix new file mode 100644 index 0000000..195cfd9 --- /dev/null +++ b/system/services/hickory-dns.nix 
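Review bot: This `-bak` copy is not imported by configuration.nix and diverges from hickory-dns.nix in ways that read as copy errors rather than intent: `listen_addrs_ipv6` uses `fe80::215:5dff:fec1:e4b5`, which the zone data assigns to wsl-hive, and `networking.nameservers` adds `fdaa:a00:0:1::100`, which appears nowhere else in the configuration. Dead configuration with network details in it tends to get re-imported later; remove it (git history keeps it) or head the file with `# UNUSED: superseded by hickory-dns.nix, kept for reference only`.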
@@ -0,0 +1,151 @@
+{ config, pkgs, lib, ... }:
+
+# Define your DNS records declaratively
+let
+ dnsRecords = {
+ "lan." = {
+ ttl = 86400; # Time-to-live for records in this zone
+ ns = [ "hoardfrost.lan." ]; # Nameserver record
+ soa = {
+ nameServer = "hoardfrost.lan.";
+ adminEmail = "root.lan.";
+ serial = "2025012001"; # Increment serial for changes
+ refresh = "3600";
+ retry = "1800";
+ expire = "604800";
+ minimum = "86400";
+ };
+
+ # Define your host records (A for IPv4, AAAA for IPv6)
+ records = {
+ # Your NixOS server acting as the DNS server
+ hoardfrost = [
+ { type = "A"; content = "10.0.0.217"; }
+ { type = "AAAA"; content = "2601:282:180:630::cc03"; }
+ ];
+
+ # Other devices on your local network
+ router = [
+ { type = "A"; content = "10.0.0.1"; }
+ { type = "AAAA"; content = "fe80::1"; }
+ ];
+
+ yukigekko = [
+ { type = "A"; content = "10.0.0.210"; }
+ { type = "AAAA"; content = "2601:282:180:630::e2e"; }
+ ];
+
+ wesbos = [
+ { type = "A"; content = "10.0.0.110";}
+ # { type = "AAAA"; content = "";}
+ ];
+
+ wsl-hive = [
+ {type = "A"; content = "172.18.84.193";}
+ {type = "AAAA"; content = "fe80::215:5dff:fec1:e813";}
+ ];
+ };
+ };
+ };
+
+ # This function generates the zone file string from the Nix expression
+ generateZoneFile = zoneName: zoneConfig:
+ let
+ soaRecord = "${zoneName} ${toString zoneConfig.ttl} IN SOA ${zoneConfig.soa.nameServer} ${zoneConfig.soa.adminEmail} ( ${zoneConfig.soa.serial} ${zoneConfig.soa.refresh} ${zoneConfig.soa.retry} ${zoneConfig.soa.expire} ${zoneConfig.soa.minimum} )";
+ nsRecords = lib.concatStringsSep "\n" (map (ns: "${zoneName} ${toString zoneConfig.ttl} IN NS ${ns}") zoneConfig.ns);
+ hostRecords = lib.concatStringsSep "\n" (lib.flatten (lib.mapAttrsToList (hostname: records:
+ map (record: "${hostname}.${zoneName} ${toString zoneConfig.ttl} IN ${record.type} ${record.content}") records
+ ) zoneConfig.records));
+ in
+ ''
+ $ORIGIN ${zoneName}
+ ${soaRecord}
+ ${nsRecords}
+ ${hostRecords}
+ '';
+
+ # Generate the zone file using the `generateZoneFile` function
+ lanZoneFile = pkgs.writeText "lan.zone" (generateZoneFile "lan." dnsRecords."lan.");
+
+ # Configure hickory-dns with the generated zone file
+ hickoryConfig = pkgs.writeText "hickory-config.toml" ''
+ listen_addrs_ipv4 = ["127.0.0.1", "10.0.0.217"] # Change to your NixOS server's IPv4
+ listen_addrs_ipv6 = ["::1", "2601:282:180:630::cc03"] # Change to your NixOS server's IPv6
+
+ # Configure as an authoritative server for the local zone
+ [[zones]]
+ zone = "lan."
+ zone_type = "Primary"
+ file = "${lanZoneFile}"
+
+ # Note: Recursive resolution is not supported in Hickory DNS 0.25.2
+ # This server will only serve the local zone
+ '';
+
+in
+{
+ systemd.services.hickory-dns = {
+ enable = true;
+ description = "Hickory DNS authoritative server for local zone";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "simple";
+ User = "hickory";
+ Group = "hickory";
+ ExecStart = "${pkgs.hickory-dns}/bin/hickory-dns -c ${hickoryConfig}";
+ Restart = "on-failure";
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ DynamicUser = true;
+ StateDirectory = "hickory";
+ };
+ };
+
+ users.groups.hickory = {};
+ users.users.hickory = {
+ isSystemUser = true;
+ group = "hickory";
+ };
+
+ environment.systemPackages = [ pkgs.hickory-dns ];
+
+ # Configure systemd-resolved to use Unbound
+ services.resolved.enable = true;
+ services.resolved.dnssec = "false";
+ services.resolved.extraConfig = ''
+ DNS=127.0.0.1@5353
+ '';
+
+ # Configure Unbound as recursive resolver for external queries
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ interface = [ "127.0.0.1" ];
+ port = 5353; # Use different port to avoid conflict with Hickory DNS
+ access-control = [ "127.0.0.1 allow" ];
+ hide-identity = true;
+ hide-version = true;
+ };
+ forward-zone = [
+ {
+ name = "lan.";
+ forward-addr = [ "127.0.0.1@53" ]; # Forward lan. queries to Hickory DNS
+ }
+ {
+ name = ".";
+ forward-addr = [
+ "8.8.8.8#dns.google"
+ "2001:4860:4860::8888#dns.google"
+ ];
+ }
+ ];
+ };
+ };
+
+ # Configure NetworkManager to use systemd-resolved and ignore DHCP DNS
+ networking.networkmanager.dns = "systemd-resolved";
+ networking.networkmanager.settings.main.dns = "none";
+
+ # Set the system to use local DNS
+ networking.nameservers = [ "127.0.0.1" ];
+}
diff --git a/system/services/openssh.nix b/system/services/openssh.nix
new file mode 100644
index 0000000..298813a
--- /dev/null
+++ b/system/services/openssh.nix
@@ -0,0 +1,8 @@
+{config, pkgs, ...}:
+{
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = true;
+ ports = [2022];
+ };
+}
diff --git a/system/services/samba.nix b/system/services/samba.nix
new file mode 100644
index 0000000..60802b7
--- /dev/null
+++ b/system/services/samba.nix
@@ -0,0 +1,44 @@
+{config, pkgs, ...}:
+{
+ services.samba = {
+ enable = true;
+ # securityType = "user";
+ openFirewall = true;
+ settings = {
+ global = {
+ "workgroup" = "WORKGROUP";
+ "server string" = "smbnix";
+ # "netbios name" = "smbnix";
+ "security" = "user";
+ };
+ "public" = {
+ "path" = "/srv/samba/hoardfrost/mainstore";
+ "browseable" = "yes";
+ public = "yes";
+ "read only" = "no";
+ "guest ok" = "yes";
+ "create mask" = "0644";
+ "directory mask" = "0755";
+ # "force user" = "autumn";
+ # "force group" = "groupname";
+ "valid users" = "autumn lia madeleine";
+ };
+ "private" = {
+ "path" = "/srv/samba/hoardfrost/private";
+ "browseable" = "yes";
+ "read only" = "no";
+ "guest ok" = "no";
+ "create mask" = "0644";
+ "directory mask" = "0755";
+ "force user" = "autumn";
+ # "force group" = "groupname";
+ "valid users" = "autumn";
+ };
+ };
+ };
+ services.samba-wsdd = {
+ enable = true;
+ openFirewall = true;
+ discovery = true;
+ };
+}
diff --git a/system/services/tailscale.nix b/system/services/tailscale.nix
new file mode 100644
index 0000000..acc75a2
--- /dev/null
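Review bot: `DNS=127.0.0.1@5353` in `services.resolved.extraConfig` uses Unbound's `@port` syntax, but systemd-resolved expects `address:port`, so it will reject the entry (check `journalctl -u systemd-resolved`) and fall back to whatever `networking.nameservers` gives it — write `DNS=127.0.0.1:5353`. The unit sets `DynamicUser = true` while also declaring a static `users.users.hickory` and `User = "hickory"`; systemd does not let a dynamic user collide with an existing static account, so expect the service to fail to start — keep one model (with `DynamicUser` the `users.*` block is unnecessary and `StateDirectory` ownership is handled for you). The forwarders `"8.8.8.8#dns.google"` carry a TLS auth-name suffix, but without `forward-tls-upstream = true` and `@853` they are plain UDP/53 and the suffix does nothing; either add `forward-tls-upstream = true;` with `"8.8.8.8@853#dns.google"` (and `tls-cert-bundle` in `server`), or drop the suffix so the config does not imply encryption it does not provide.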
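Review bot: `passwordAuthentication = true` enables password logins on a host whose only user, `autumn`, has `wheel` and no declared password or authorized keys, and whose firewall opens 2022 on every interface, so a weak or unset password is the only barrier; make it key-only: `settings.PasswordAuthentication = false; settings.KbdInteractiveAuthentication = false; settings.PermitRootLogin = "no";` and add `users.users.autumn.openssh.authorizedKeys.keys` in configuration.nix. Note also that `services.openssh.passwordAuthentication` is the pre-23.05 option name; on the `nixos-unstable` this flake tracks it may only work through a rename alias or fail to evaluate — `settings.PasswordAuthentication` is the current spelling.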
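Review bot: The `public` share sets `guest ok = yes` (and its synonym `public = yes`) together with `read only = no`, which would let any LAN host write to `/srv/samba/hoardfrost/mainstore` without credentials, while `valid users = autumn lia madeleine` on the same share contradicts that; the effective result depends on the guest-account mapping and should not be left to chance. Pick one model: for an authenticated share drop `public`/`guest ok`, or for a true public drop set `"read only" = "yes"`. The `global` section also lacks cheap hardening: `"server min protocol" = "SMB3"; "smb encrypt" = "desired"; "map to guest" = "Bad User";` and a `"hosts allow"` limited to the LAN (and the tailnet range, if it should reach the share). `lia` and `madeleine` have no `users.users` entries in this commit, so `valid users` does nothing for them until Unix accounts plus `smbpasswd` entries exist.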
+++ b/system/services/tailscale.nix
@@ -0,0 +1,7 @@
+{config, pkgs, ...}:
+{
+ services.tailscale = {
+ enable = true;
+
+ };
+}