From ee9830b87f44ecc05bd4751cb834517dc7c5383c Mon Sep 17 00:00:00 2001
From: Kevin Kandlbinder
Date: Wed, 4 Jan 2023 13:49:59 +0100
Subject: [PATCH] Reorganize project layout and add wg port option

---
 .gitignore | 1 +
 nixos/modules/default.nix | 151 +----------------------
 nixos/modules/{ => kevin}/audio.nix | 0
 nixos/modules/kevin/default.nix | 151 +++++++++++++++++++++++
 nixos/modules/{ => kevin}/desktop.nix | 0
 nixos/modules/{ => kevin}/networking.nix | 15 ++-
 nixos/modules/{ => kevin}/power.nix | 0
 nixos/modules/{ => kevin}/ssh.nix | 0
 nixos/modules/{ => kevin}/yubikey.nix | 0
 9 files changed, 165 insertions(+), 153 deletions(-)
 create mode 100644 .gitignore
 rename nixos/modules/{ => kevin}/audio.nix (100%)
 create mode 100644 nixos/modules/kevin/default.nix
 rename nixos/modules/{ => kevin}/desktop.nix (100%)
 rename nixos/modules/{ => kevin}/networking.nix (81%)
 rename nixos/modules/{ => kevin}/power.nix (100%)
 rename nixos/modules/{ => kevin}/ssh.nix (100%)
 rename nixos/modules/{ => kevin}/yubikey.nix (100%)

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..82e0cdf
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/result
\ No newline at end of file
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index 3533f89..b2596cd 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -1,151 +1,6 @@ -{ lib, config, pkgs, ... }: -with lib; -let cfg = config.kevin; -in { +{ ... }: +{ imports = [ - ./power.nix - ./networking.nix - ./audio.nix - ./desktop.nix - ./yubikey.nix - ./ssh.nix + ./kevin/default.nix ]; - - options.kevin = { - defaults = mkOption { - type = types.enum [ "none" "laptop" "desktop" ]; - default = "none"; - }; - }; - - config = mkIf (cfg.defaults != "none") (mkMerge [ - ({ - nixpkgs.config.allowUnfree = true; - i18n.defaultLocale = "en_US.UTF-8"; - kevin.ssh.server.enable = true; - - console = { - font = "Lat2-Terminus16"; - keyMap = "de"; - }; - - services.xserver.layout = "de"; - - environment.systemPackages = with pkgs; [ - vim - wget - curl - tmux - ]; - }) - (mkIf (cfg.defaults == "laptop" || cfg.defaults == "desktop") { - kevin.networking.enable = true; - kevin.networking.avahi.enable = true; - kevin.networking.firewall.wireguard = true; - kevin.networking.firewall.kdeConnect = true; - kevin.audio.enable = true; - kevin.desktop.enable = true; - kevin.desktop.type = "gnome"; - kevin.yubikey.enable = true; - - networking.networkmanager.enable = true; - - environment.systemPackages = with pkgs; [ - firefox - league-of-moveable-type - hunspell - hunspellDicts.de_DE - ]; - - programs.gnupg.agent = { - enable = true; - # enableSSHSupport = true; - }; - - kevin.networking.firewall.syncthing = true; - services.syncthing = { - enable = true; - user = "kevin"; - dataDir = "/home/kevin/Syncthing"; - configDir = "/home/kevin/Syncthing/.config/syncthing"; - }; - - services.fwupd.enable = true; - hardware.cpu.intel.updateMicrocode = true; - - boot.supportedFilesystems = [ "ntfs" ]; - - services.printing.enable = true; - - virtualisation.docker.enable = true; - - users.users.kevin = { - isNormalUser = true; - description = "Kevin Kandlbinder"; - extraGroups = [ "wheel" "docker" "dialout" "networkmanager" ]; - }; - kevin.ssh.authorized.kevin = true; - }) - (mkIf (cfg.defaults == "desktop") { - services.xserver.videoDrivers = [ "nvidia" 
]; - hardware.opengl.enable = true; - - services.clamav.daemon.enable = true; - services.clamav.updater.enable = true; - #services.opensnitch.enable = true; - networking.hostName = "kevin-PC"; - - hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest; - }) - (mkIf (cfg.defaults == "laptop") { - kevin.power.mode = "laptop"; - networking.hostName = "kevin-tp-l580"; - - services.xserver.libinput.enable = true; - - hardware.opengl.extraPackages = with pkgs; [ - vaapiIntel - libvdpau-va-gl - intel-media-driver - ]; - - boot.kernel.sysctl = { - "vm.swappiness" = 1; - "vm.vfs_cache_pressure" = 50; - "vm.dirty_background_ratio" = 20; - "vm.dirty_ratio" = 50; - # these are the zen-kernel tweaks to CFS defaults (mostly) - "kernel.sched_latency_ns" = 4000000; - # should be one-eighth of sched_latency (this ratio is not - # configurable, apparently -- so while zen changes that to - # one-tenth, we cannot): - "kernel.sched_min_granularity_ns" = 500000; - "kernel.sched_wakeup_granularity_ns" = 50000; - "kernel.sched_migration_cost_ns" = 250000; - "kernel.sched_cfs_bandwidth_slice_us" = 3000; - "kernel.sched_nr_migrate" = 128; - }; - - systemd = { - extraConfig = '' - DefaultCPUAccounting=yes - DefaultMemoryAccounting=yes - DefaultIOAccounting=yes - ''; - user.extraConfig = '' - DefaultCPUAccounting=yes - DefaultMemoryAccounting=yes - DefaultIOAccounting=yes - ''; - services."user@".serviceConfig.Delegate = true; - }; - - systemd.services.nix-daemon.serviceConfig = { - CPUWeight = 20; - IOWeight = 20; - }; - - boot.kernelParams = ["cgroup_no_v1=all" "systemd.unified_cgroup_hierarchy=yes"]; - }) - ]); } diff --git a/nixos/modules/audio.nix b/nixos/modules/kevin/audio.nix similarity index 100% rename from nixos/modules/audio.nix rename to nixos/modules/kevin/audio.nix diff --git a/nixos/modules/kevin/default.nix b/nixos/modules/kevin/default.nix new file mode 100644 index 0000000..3533f89 --- /dev/null +++ b/nixos/modules/kevin/default.nix 
@@ -0,0 +1,151 @@ +{ lib, config, pkgs, ... }: +with lib; +let cfg = config.kevin; +in { + imports = [ + ./power.nix + ./networking.nix + ./audio.nix + ./desktop.nix + ./yubikey.nix + ./ssh.nix + ]; + + options.kevin = { + defaults = mkOption { + type = types.enum [ "none" "laptop" "desktop" ]; + default = "none"; + }; + }; + + config = mkIf (cfg.defaults != "none") (mkMerge [ + ({ + nixpkgs.config.allowUnfree = true; + i18n.defaultLocale = "en_US.UTF-8"; + kevin.ssh.server.enable = true; + + console = { + font = "Lat2-Terminus16"; + keyMap = "de"; + }; + + services.xserver.layout = "de"; + + environment.systemPackages = with pkgs; [ + vim + wget + curl + tmux + ]; + }) + (mkIf (cfg.defaults == "laptop" || cfg.defaults == "desktop") { + kevin.networking.enable = true; + kevin.networking.avahi.enable = true; + kevin.networking.firewall.wireguard = true; + kevin.networking.firewall.kdeConnect = true; + kevin.audio.enable = true; + kevin.desktop.enable = true; + kevin.desktop.type = "gnome"; + kevin.yubikey.enable = true; + + networking.networkmanager.enable = true; + + environment.systemPackages = with pkgs; [ + firefox + league-of-moveable-type + hunspell + hunspellDicts.de_DE + ]; + + programs.gnupg.agent = { + enable = true; + # enableSSHSupport = true; + }; + + kevin.networking.firewall.syncthing = true; + services.syncthing = { + enable = true; + user = "kevin"; + dataDir = "/home/kevin/Syncthing"; + configDir = "/home/kevin/Syncthing/.config/syncthing"; + }; + + services.fwupd.enable = true; + hardware.cpu.intel.updateMicrocode = true; + + boot.supportedFilesystems = [ "ntfs" ]; + + services.printing.enable = true; + + virtualisation.docker.enable = true; + + users.users.kevin = { + isNormalUser = true; + description = "Kevin Kandlbinder"; + extraGroups = [ "wheel" "docker" "dialout" "networkmanager" ]; + }; + kevin.ssh.authorized.kevin = true; + }) + (mkIf (cfg.defaults == "desktop") { + services.xserver.videoDrivers = [ "nvidia" ]; + hardware.opengl.enable = 
true; + + services.clamav.daemon.enable = true; + services.clamav.updater.enable = true; + #services.opensnitch.enable = true; + networking.hostName = "kevin-PC"; + + hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest; + }) + (mkIf (cfg.defaults == "laptop") { + kevin.power.mode = "laptop"; + networking.hostName = "kevin-tp-l580"; + + services.xserver.libinput.enable = true; + + hardware.opengl.extraPackages = with pkgs; [ + vaapiIntel + libvdpau-va-gl + intel-media-driver + ]; + + boot.kernel.sysctl = { + "vm.swappiness" = 1; + "vm.vfs_cache_pressure" = 50; + "vm.dirty_background_ratio" = 20; + "vm.dirty_ratio" = 50; + # these are the zen-kernel tweaks to CFS defaults (mostly) + "kernel.sched_latency_ns" = 4000000; + # should be one-eighth of sched_latency (this ratio is not + # configurable, apparently -- so while zen changes that to + # one-tenth, we cannot): + "kernel.sched_min_granularity_ns" = 500000; + "kernel.sched_wakeup_granularity_ns" = 50000; + "kernel.sched_migration_cost_ns" = 250000; + "kernel.sched_cfs_bandwidth_slice_us" = 3000; + "kernel.sched_nr_migrate" = 128; + }; + + systemd = { + extraConfig = '' + DefaultCPUAccounting=yes + DefaultMemoryAccounting=yes + DefaultIOAccounting=yes + ''; + user.extraConfig = '' + DefaultCPUAccounting=yes + DefaultMemoryAccounting=yes + DefaultIOAccounting=yes + ''; + services."user@".serviceConfig.Delegate = true; + }; + + systemd.services.nix-daemon.serviceConfig = { + CPUWeight = 20; + IOWeight = 20; + }; + + boot.kernelParams = ["cgroup_no_v1=all" "systemd.unified_cgroup_hierarchy=yes"]; + }) + ]); +} diff --git a/nixos/modules/desktop.nix b/nixos/modules/kevin/desktop.nix similarity index 100% rename from nixos/modules/desktop.nix rename to nixos/modules/kevin/desktop.nix diff --git a/nixos/modules/networking.nix b/nixos/modules/kevin/networking.nix similarity index 81% rename from nixos/modules/networking.nix rename to nixos/modules/kevin/networking.nix index a515263..a569563 100644 
--- a/nixos/modules/networking.nix
+++ b/nixos/modules/kevin/networking.nix
@@ -8,6 +8,11 @@ in {
 avahi.enable = mkEnableOption "avahi";
 ssh.enable = mkEnableOption "ssh";
 firewall.wireguard = mkEnableOption "wireguard exceptions";
+ firewall.wireguardPort = mkOption {
+ type = types.int;
+ default = 51820;
+ description = "Port used by your Wireguard";
+ };
 firewall.syncthing = mkEnableOption "syncthing exceptions";
 firewall.kdeConnect = mkEnableOption "KDE Connect exceptions";
 };
@@ -42,17 +47,17 @@ in {
 # if packets are still dropped, they will show up in dmesg
 logReversePathDrops = true;
- allowedUDPPorts = [ 51820 ];
+ allowedUDPPorts = [ cfg.firewall.wireguardPort ];
 # wireguard trips rpfilter up
 extraCommands = ''
- ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
- ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.firewall.wireguardPort} -j RETURN
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.firewall.wireguardPort} -j RETURN
 '';
 extraStopCommands = ''
- ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
- ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.firewall.wireguardPort} -j RETURN || true
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.firewall.wireguardPort} -j RETURN || true
 '';
 };
 })
diff --git a/nixos/modules/power.nix b/nixos/modules/kevin/power.nix
similarity index 100%
rename from nixos/modules/power.nix
rename to nixos/modules/kevin/power.nix
diff --git a/nixos/modules/ssh.nix b/nixos/modules/kevin/ssh.nix
similarity index 100%
rename from nixos/modules/ssh.nix
rename to nixos/modules/kevin/ssh.nix
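Review bot: The new `firewall.wireguardPort` option in the first hunk is typed `types.int`, so a negative or above-65535 value passes module evaluation and only fails later, once the second hunk has interpolated it into the `allowedUDPPorts` list and the four `ip46tables` rules; `types.port` is the module-system type for exactly this (an unsigned 16-bit integer) and matches what `allowedUDPPorts` expects. I would change `type = types.int;` to `type = types.port;` and make the description say what the value is used for, e.g. `description = "UDP port WireGuard listens on; it is opened in the firewall and exempted from rpfilter checks";`. The option attrset these lines belong to starts before the hunk, as does the firewall block in the second hunk.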
diff --git a/nixos/modules/yubikey.nix b/nixos/modules/kevin/yubikey.nix
similarity index 100%
rename from nixos/modules/yubikey.nix
rename to nixos/modules/kevin/yubikey.nix