commit a8a672b36323e94e9ff549b4b8d5746b61f5aa90
parent a65b8d6dbf555cc27d0b944db8406d9ec858a6fc
Author: Vincent Demeester <vincent@sbr.pm>
Date: Thu, 5 Sep 2024 00:36:58 +0200
modules.profiles cleaned-up
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
12 files changed, 88 insertions(+), 1238 deletions(-)
diff --git a/flake.nix b/flake.nix
@@ -56,12 +56,6 @@
./systems/modules/virtualisation/default.nix
./systems/modules/virtualisation/buildkit.nix
./systems/modules/services/default.nix
- # FIXME: migrate this to elsewhere, or at least split it
- # Profiles probably need to go away
- ./systems/modules/profiles/base.nix
- ./systems/modules/profiles/builder.nix
- ./systems/modules/profiles/i18n.nix
- ./systems/modules/profiles/wireguard.server.nix
inputs.sops-nix.nixosModules.sops
# inputs.envfs.nixosModules.envfs
{
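Review bot: Dropping the direct `./systems/modules/profiles/builder.nix` import here makes the builder profile depend on `systems/modules/profiles/default.nix` (which this commit extends to import `./builder.nix`) being reachable from the host configurations; nothing in this diff shows where `profiles/default.nix` itself is imported, so confirm that path exists, otherwise `profiles.builder` silently stops being evaluated on every host. The i18n and wireguard.server moves are covered by the `core` and `services` default.nix imports in this commit, so only builder is at risk. A one-line comment next to `./systems/modules/services/default.nix` naming where the remaining profiles are wired in, e.g. `# profiles/{builder,home,work}.nix are imported via systems/modules/profiles/default.nix`, would make the dependency visible.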
diff --git a/systems/hosts/kerkouane.nix b/systems/hosts/kerkouane.nix
@@ -126,21 +126,19 @@ in
buildCores = 1;
};
- # FIXME: deprecated, move to modules
- profiles = {
+ modules.services = {
wireguard.server.enable = true;
- };
-
- modules.services.ssh = {
- enable = true;
- extraConfig = ''
- Match User nginx
+ ssh = {
+ enable = true;
+ extraConfig = ''
+ Match User nginx
ChrootDirectory /var/www
ForceCommand interfal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
- '';
+ '';
+ };
};
networking.firewall.allowPing = true;
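Review bot: `ForceCommand interfal-sftp` inside the nginx `Match User` block is a typo for `internal-sftp`; sshd will try to execute a non-existent command, so the chrooted SFTP access this block is meant to grant never works (it fails closed, but it is not doing what the config intends). The line is pre-existing context that this re-indent carries over into the new `modules.services.ssh` block, which is why it is easy to miss here. Proposed: `ForceCommand internal-sftp`. The enclosing host attribute set starts outside the hunk.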
diff --git a/systems/modules/core/default.nix b/systems/modules/core/default.nix
@@ -10,13 +10,27 @@ let
in
{
imports = [
+ ./binfmt.nix
./boot.nix
./config.nix
+ ./i18n.nix
./nix.nix
./users.nix
- ./binfmt.nix
];
+ environment.systemPackages = with pkgs; [
+ cachix
+ file
+ htop
+ iotop
+ lsof
+ netcat
+ psmisc
+ pv
+ tree
+ vim
+ wget
+ ];
# FIXME fix tmpOnTmpfs
# systemd.additionalUpstreamSystemUnits = [ "tmp.mount" ];
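Review bot: The `environment.systemPackages` list added here is a strict subset of what the deleted `profiles/base.nix` installed: direnv, tmux, gnumake and vrsync, the `environment.pathsToLink = [ "/share/nix-direnv" ]` entry and the `EDITOR = pkgs.lib.mkOverride 0 "vim"` variable do not reappear anywhere in this diff. Because base.nix defaulted to `enable = true`, every host loses those settings unless they are provided by a module not shown here, so it is worth confirming that is intentional. Note also that the list is now unconditional, whereas base.nix sat behind an enable option. A short comment above the list such as `# Baseline tools for every host (replaces profiles/base.nix; editors/dev tooling intentionally left to other modules)` would record the decision for the next reader.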
diff --git a/systems/modules/core/i18n.nix b/systems/modules/core/i18n.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.core.i18n;
+in
+{
+ options = {
+ core.i18n = {
+ enable = mkOption {
+ default = true;
+ description = "Enable i18n profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ console.keyMap = "fr-bepo";
+ console.font = "Lat2-Terminus16";
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ };
+ };
+}
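Review bot: The option description on the new `core.i18n.enable` still reads `"Enable i18n profile"` although the module has left the profiles tree, and the `pkgs` argument in the header is unused. Suggest `description = "Set the console keymap/font and the default locale";` so the generated option docs describe what the module actually configures rather than its old location.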
diff --git a/systems/modules/profiles/base.nix b/systems/modules/profiles/base.nix
@@ -1,45 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- cfg = config.profiles.base;
-in
-{
- options = {
- profiles.base = {
- enable = mkOption {
- default = true;
- description = "Enable base profile";
- type = types.bool;
- };
- };
- };
- config = mkIf cfg.enable {
- environment.pathsToLink = [
- "/share/nix-direnv"
- ];
- environment = {
- variables = {
- EDITOR = pkgs.lib.mkOverride 0 "vim";
- };
- systemPackages = with pkgs; [
- cachix
- direnv
- # exa # TODO: switch to eza in 2024
- file
- htop
- iotop
- lsof
- netcat
- psmisc
- pv
- tmux
- tree
- vim
- vrsync
- wget
- gnumake
- ];
- };
- };
-}
diff --git a/systems/modules/profiles/default.nix b/systems/modules/profiles/default.nix
@@ -1,6 +1,7 @@
{
imports = [
- ./work.nix
+ ./builder.nix
./home.nix
+ ./work.nix
];
}
diff --git a/systems/modules/profiles/docker.stable.nix b/systems/modules/profiles/docker.stable.nix
@@ -1,72 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- cfg = config.profiles.docker;
-in
-{
- options = {
- profiles.docker = {
- enable = mkEnableOption "Enable docker profile";
- package = mkOption {
- default = pkgs.docker-edge;
- description = "docker package to be used";
- type = types.package;
- };
- runcPackage = mkOption {
- default = pkgs.runc;
- description = "runc package to be used";
- type = types.package;
- };
-
- };
- };
- config = mkIf cfg.enable {
- virtualisation = {
- containerd = {
- enable = true;
- };
- buildkitd = {
- enable = true;
- settings = {
- grpc = {
- # FIXME(vdemeester) move TCP behind an option (and not 0.0.0.0)
- address = [ "unix:///run/buildkit/buildkitd.sock" "tcp://0.0.0.0:1234" ];
- };
- worker.oci = {
- enabled = false;
- };
- worker.containerd = {
- enabled = true;
- platforms = [ "linux/amd64" "linux/arm64" ];
- namespace = "buildkit";
- };
- registry = {
- "r.svc.home:5000" = {
- http = true;
- insecure = true;
- };
- "r.svc.home" = {
- http = true;
- insecure = true;
- };
- };
- };
- };
- docker = {
- enable = true;
- package = cfg.package;
- liveRestore = false;
- storageDriver = "overlay2";
- extraOptions = "--experimental --add-runtime docker-runc=${cfg.runcPackage}/bin/runc --default-runtime=docker-runc --containerd=/run/containerd/containerd.sock";
- };
- };
- environment.etc."docker/daemon.json".text = ''
- {"features":{"buildkit": true}, "insecure-registries": ["172.30.0.0/16", "192.168.12.0/16", "massimo.home:5000", "r.svc.home:5000", "r.svc.home" ]}
- '';
- environment.systemPackages = with pkgs; [
- docker-buildx
- ];
- networking.firewall.trustedInterfaces = [ "docker0" ];
- };
-}
diff --git a/systems/modules/profiles/docker/my-seccomp.json b/systems/modules/profiles/docker/my-seccomp.json
@@ -1,1041 +0,0 @@
-{
- "defaultAction": "SCMP_ACT_ERRNO",
- "defaultErrnoRet": 38,
- "defaultErrno": "ENOSYS",
- "archMap": [
- {
- "architecture": "SCMP_ARCH_X86_64",
- "subArchitectures": [
- "SCMP_ARCH_X86",
- "SCMP_ARCH_X32"
- ]
- },
- {
- "architecture": "SCMP_ARCH_AARCH64",
- "subArchitectures": [
- "SCMP_ARCH_ARM"
- ]
- },
- {
- "architecture": "SCMP_ARCH_MIPS64",
- "subArchitectures": [
- "SCMP_ARCH_MIPS",
- "SCMP_ARCH_MIPS64N32"
- ]
- },
- {
- "architecture": "SCMP_ARCH_MIPS64N32",
- "subArchitectures": [
- "SCMP_ARCH_MIPS",
- "SCMP_ARCH_MIPS64"
- ]
- },
- {
- "architecture": "SCMP_ARCH_MIPSEL64",
- "subArchitectures": [
- "SCMP_ARCH_MIPSEL",
- "SCMP_ARCH_MIPSEL64N32"
- ]
- },
- {
- "architecture": "SCMP_ARCH_MIPSEL64N32",
- "subArchitectures": [
- "SCMP_ARCH_MIPSEL",
- "SCMP_ARCH_MIPSEL64"
- ]
- },
- {
- "architecture": "SCMP_ARCH_S390X",
- "subArchitectures": [
- "SCMP_ARCH_S390"
- ]
- }
- ],
- "syscalls": [
- {
- "names": [
- "bdflush",
- "io_pgetevents",
- "kexec_file_load",
- "kexec_load",
- "migrate_pages",
- "move_pages",
- "nfsservctl",
- "nice",
- "oldfstat",
- "oldlstat",
- "oldolduname",
- "oldstat",
- "olduname",
- "pciconfig_iobase",
- "pciconfig_read",
- "pciconfig_write",
- "sgetmask",
- "ssetmask",
- "swapcontext",
- "swapoff",
- "swapon",
- "sysfs",
- "uselib",
- "userfaultfd",
- "ustat",
- "vm86",
- "vm86old",
- "vmsplice"
- ],
- "action": "SCMP_ACT_ERRNO",
- "args": [],
- "comment": "",
- "includes": {},
- "excludes": {},
- "errnoRet": 1,
- "errno": "EPERM"
- },
- {
- "names": [
- "_llseek",
- "_newselect",
- "accept",
- "accept4",
- "access",
- "adjtimex",
- "alarm",
- "bind",
- "brk",
- "capget",
- "capset",
- "chdir",
- "chmod",
- "chown",
- "chown32",
- "clock_adjtime",
- "clock_adjtime64",
- "clock_getres",
- "clock_getres_time64",
- "clock_gettime",
- "clock_gettime64",
- "clock_nanosleep",
- "clock_nanosleep_time64",
- "clone",
- "clone3",
- "close",
- "close_range",
- "connect",
- "copy_file_range",
- "creat",
- "dup",
- "dup2",
- "dup3",
- "epoll_create",
- "epoll_create1",
- "epoll_ctl",
- "epoll_ctl_old",
- "epoll_pwait",
- "epoll_pwait2",
- "epoll_wait",
- "epoll_wait_old",
- "eventfd",
- "eventfd2",
- "execve",
- "execveat",
- "exit",
- "exit_group",
- "faccessat",
- "faccessat2",
- "fadvise64",
- "fadvise64_64",
- "fallocate",
- "fanotify_mark",
- "fchdir",
- "fchmod",
- "fchmodat",
- "fchown",
- "fchown32",
- "fchownat",
- "fcntl",
- "fcntl64",
- "fdatasync",
- "fgetxattr",
- "flistxattr",
- "flock",
- "fork",
- "fremovexattr",
- "fsconfig",
- "fsetxattr",
- "fsmount",
- "fsopen",
- "fspick",
- "fstat",
- "fstat64",
- "fstatat64",
- "fstatfs",
- "fstatfs64",
- "fsync",
- "ftruncate",
- "ftruncate64",
- "futex",
- "futex_time64",
- "futimesat",
- "get_robust_list",
- "get_thread_area",
- "getcpu",
- "getcwd",
- "getdents",
- "getdents64",
- "getegid",
- "getegid32",
- "geteuid",
- "geteuid32",
- "getgid",
- "getgid32",
- "getgroups",
- "getgroups32",
- "getitimer",
- "get_mempolicy",
- "getpeername",
- "getpgid",
- "getpgrp",
- "getpid",
- "getppid",
- "getpriority",
- "getrandom",
- "getresgid",
- "getresgid32",
- "getresuid",
- "getresuid32",
- "getrlimit",
- "getrusage",
- "getsid",
- "getsockname",
- "getsockopt",
- "gettid",
- "gettimeofday",
- "getuid",
- "getuid32",
- "getxattr",
- "inotify_add_watch",
- "inotify_init",
- "inotify_init1",
- "inotify_rm_watch",
- "io_cancel",
- "io_destroy",
- "io_getevents",
- "io_setup",
- "io_submit",
- "ioctl",
- "ioprio_get",
- "ioprio_set",
- "ipc",
- "keyctl",
- "kill",
- "lchown",
- "lchown32",
- "lgetxattr",
- "link",
- "linkat",
- "listen",
- "listxattr",
- "llistxattr",
- "lremovexattr",
- "lseek",
- "lsetxattr",
- "lstat",
- "lstat64",
- "madvise",
- "mbind",
- "memfd_create",
- "memfd_secret",
- "mincore",
- "mkdir",
- "mkdirat",
- "mknod",
- "mknodat",
- "mlock",
- "mlock2",
- "mlockall",
- "mmap",
- "mmap2",
- "mount",
- "move_mount",
- "mprotect",
- "mq_getsetattr",
- "mq_notify",
- "mq_open",
- "mq_timedreceive",
- "mq_timedreceive_time64",
- "mq_timedsend",
- "mq_timedsend_time64",
- "mq_unlink",
- "mremap",
- "msgctl",
- "msgget",
- "msgrcv",
- "msgsnd",
- "msync",
- "munlock",
- "munlockall",
- "munmap",
- "name_to_handle_at",
- "nanosleep",
- "newfstatat",
- "open",
- "openat",
- "openat2",
- "open_tree",
- "pause",
- "pidfd_getfd",
- "pidfd_open",
- "pidfd_send_signal",
- "pipe",
- "pipe2",
- "pivot_root",
- "pkey_alloc",
- "pkey_free",
- "pkey_mprotect",
- "poll",
- "ppoll",
- "ppoll_time64",
- "prctl",
- "pread64",
- "preadv",
- "preadv2",
- "prlimit64",
- "pselect6",
- "pselect6_time64",
- "pwrite64",
- "pwritev",
- "pwritev2",
- "read",
- "readahead",
- "readdir",
- "readlink",
- "readlinkat",
- "readv",
- "reboot",
- "recv",
- "recvfrom",
- "recvmmsg",
- "recvmmsg_time64",
- "recvmsg",
- "remap_file_pages",
- "removexattr",
- "rename",
- "renameat",
- "renameat2",
- "restart_syscall",
- "rmdir",
- "rseq",
- "rt_sigaction",
- "rt_sigpending",
- "rt_sigprocmask",
- "rt_sigqueueinfo",
- "rt_sigreturn",
- "rt_sigsuspend",
- "rt_sigtimedwait",
- "rt_sigtimedwait_time64",
- "rt_tgsigqueueinfo",
- "sched_get_priority_max",
- "sched_get_priority_min",
- "sched_getaffinity",
- "sched_getattr",
- "sched_getparam",
- "sched_getscheduler",
- "sched_rr_get_interval",
- "sched_rr_get_interval_time64",
- "sched_setaffinity",
- "sched_setattr",
- "sched_setparam",
- "sched_setscheduler",
- "sched_yield",
- "seccomp",
- "select",
- "semctl",
- "semget",
- "semop",
- "semtimedop",
- "semtimedop_time64",
- "send",
- "sendfile",
- "sendfile64",
- "sendmmsg",
- "sendmsg",
- "sendto",
- "setns",
- "set_mempolicy",
- "set_robust_list",
- "set_thread_area",
- "set_tid_address",
- "setfsgid",
- "setfsgid32",
- "setfsuid",
- "setfsuid32",
- "setgid",
- "setgid32",
- "setgroups",
- "setgroups32",
- "setitimer",
- "setpgid",
- "setpriority",
- "setregid",
- "setregid32",
- "setresgid",
- "setresgid32",
- "setresuid",
- "setresuid32",
- "setreuid",
- "setreuid32",
- "setrlimit",
- "setsid",
- "setsockopt",
- "setuid",
- "setuid32",
- "setxattr",
- "shmat",
- "shmctl",
- "shmdt",
- "shmget",
- "shutdown",
- "sigaltstack",
- "signalfd",
- "signalfd4",
- "sigreturn",
- "socketcall",
- "socketpair",
- "splice",
- "stat",
- "stat64",
- "statfs",
- "statfs64",
- "statx",
- "symlink",
- "symlinkat",
- "sync",
- "sync_file_range",
- "syncfs",
- "sysinfo",
- "syslog",
- "tee",
- "tgkill",
- "time",
- "timer_create",
- "timer_delete",
- "timer_getoverrun",
- "timer_gettime",
- "timer_gettime64",
- "timer_settime",
- "timer_settime64",
- "timerfd_create",
- "timerfd_gettime",
- "timerfd_gettime64",
- "timerfd_settime",
- "timerfd_settime64",
- "times",
- "tkill",
- "truncate",
- "truncate64",
- "ugetrlimit",
- "umask",
- "umount",
- "umount2",
- "uname",
- "unlink",
- "unlinkat",
- "unshare",
- "utime",
- "utimensat",
- "utimensat_time64",
- "utimes",
- "vfork",
- "wait4",
- "waitid",
- "waitpid",
- "write",
- "writev"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {},
- "excludes": {}
- },
- {
- "names": [
- "personality"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [
- {
- "index": 0,
- "value": 0,
- "valueTwo": 0,
- "op": "SCMP_CMP_EQ"
- }
- ],
- "comment": "",
- "includes": {},
- "excludes": {}
- },
- {
- "names": [
- "personality"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [
- {
- "index": 0,
- "value": 8,
- "valueTwo": 0,
- "op": "SCMP_CMP_EQ"
- }
- ],
- "comment": "",
- "includes": {},
- "excludes": {}
- },
- {
- "names": [
- "personality"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [
- {
- "index": 0,
- "value": 131072,
- "valueTwo": 0,
- "op": "SCMP_CMP_EQ"
- }
- ],
- "comment": "",
- "includes": {},
- "excludes": {}
- },
- {
- "names": [
- "personality"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [
- {
- "index": 0,
- "value": 131080,
- "valueTwo": 0,
- "op": "SCMP_CMP_EQ"
- }
- ],
- "comment": "",
- "includes": {},
- "excludes": {}
- },
- {
- "names": [
- "personality"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [
- {
- "index": 0,
- "value": 4294967295,
- "valueTwo": 0,
- "op": "SCMP_CMP_EQ"
- }
- ],
- "comment": "",
- "includes": {},
- "excludes": {}
- },
- {
- "names": [
- "sync_file_range2"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "arches": [
- "ppc64le"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "arm_fadvise64_64",
- "arm_sync_file_range",
- "sync_file_range2",
- "breakpoint",
- "cacheflush",
- "set_tls"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "arches": [
- "arm",
- "arm64"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "arch_prctl"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "arches": [
- "amd64",
- "x32"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "modify_ldt"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "arches": [
- "amd64",
- "x32",
- "x86"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "s390_pci_mmio_read",
- "s390_pci_mmio_write",
- "s390_runtime_instr"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "arches": [
- "s390",
- "s390x"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "open_by_handle_at"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "caps": [
- "CAP_DAC_READ_SEARCH"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "open_by_handle_at"
- ],
- "action": "SCMP_ACT_ERRNO",
- "args": [],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_DAC_READ_SEARCH"
- ]
- },
- "errnoRet": 1,
- "errno": "EPERM"
- },
- {
- "names": [
- "bpf",
- "fanotify_init",
- "lookup_dcookie",
- "perf_event_open",
- "quotactl",
- "setdomainname",
- "sethostname",
- "setns"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "caps": [
- "CAP_SYS_ADMIN"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "bpf",
- "fanotify_init",
- "lookup_dcookie",
- "perf_event_open",
- "quotactl",
- "setdomainname",
- "sethostname",
- "setns"
- ],
- "action": "SCMP_ACT_ERRNO",
- "args": [],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_SYS_ADMIN"
- ]
- },
- "errnoRet": 1,
- "errno": "EPERM"
- },
- {
- "names": [
- "chroot"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "caps": [
- "CAP_SYS_CHROOT"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "chroot"
- ],
- "action": "SCMP_ACT_ERRNO",
- "args": [],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_SYS_CHROOT"
- ]
- },
- "errnoRet": 1,
- "errno": "EPERM"
- },
- {
- "names": [
- "delete_module",
- "init_module",
- "finit_module",
- "query_module"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "caps": [
- "CAP_SYS_MODULE"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "delete_module",
- "init_module",
- "finit_module",
- "query_module"
- ],
- "action": "SCMP_ACT_ERRNO",
- "args": [],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_SYS_MODULE"
- ]
- },
- "errnoRet": 1,
- "errno": "EPERM"
- },
- {
- "names": [
- "acct"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "caps": [
- "CAP_SYS_PACCT"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "acct"
- ],
- "action": "SCMP_ACT_ERRNO",
- "args": [],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_SYS_PACCT"
- ]
- },
- "errnoRet": 1,
- "errno": "EPERM"
- },
- {
- "names": [
- "kcmp",
- "process_madvise",
- "process_vm_readv",
- "process_vm_writev",
- "ptrace"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "caps": [
- "CAP_SYS_PTRACE"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "kcmp",
- "process_madvise",
- "process_vm_readv",
- "process_vm_writev",
- "ptrace"
- ],
- "action": "SCMP_ACT_ERRNO",
- "args": [],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_SYS_PTRACE"
- ]
- },
- "errnoRet": 1,
- "errno": "EPERM"
- },
- {
- "names": [
- "iopl",
- "ioperm"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "caps": [
- "CAP_SYS_RAWIO"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "iopl",
- "ioperm"
- ],
- "action": "SCMP_ACT_ERRNO",
- "args": [],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_SYS_RAWIO"
- ]
- },
- "errnoRet": 1,
- "errno": "EPERM"
- },
- {
- "names": [
- "settimeofday",
- "stime",
- "clock_settime",
- "clock_settime64"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "caps": [
- "CAP_SYS_TIME"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "settimeofday",
- "stime",
- "clock_settime",
- "clock_settime64"
- ],
- "action": "SCMP_ACT_ERRNO",
- "args": [],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_SYS_TIME"
- ]
- },
- "errnoRet": 1,
- "errno": "EPERM"
- },
- {
- "names": [
- "vhangup"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "caps": [
- "CAP_SYS_TTY_CONFIG"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
- "vhangup"
- ],
- "action": "SCMP_ACT_ERRNO",
- "args": [],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_SYS_TTY_CONFIG"
- ]
- },
- "errnoRet": 1,
- "errno": "EPERM"
- },
- {
- "names": [
- "socket"
- ],
- "action": "SCMP_ACT_ERRNO",
- "args": [
- {
- "index": 0,
- "value": 16,
- "valueTwo": 0,
- "op": "SCMP_CMP_EQ"
- },
- {
- "index": 2,
- "value": 9,
- "valueTwo": 0,
- "op": "SCMP_CMP_EQ"
- }
- ],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_AUDIT_WRITE"
- ]
- },
- "errnoRet": 22,
- "errno": "EINVAL"
- },
- {
- "names": [
- "socket"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [
- {
- "index": 2,
- "value": 9,
- "valueTwo": 0,
- "op": "SCMP_CMP_NE"
- }
- ],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_AUDIT_WRITE"
- ]
- }
- },
- {
- "names": [
- "socket"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [
- {
- "index": 0,
- "value": 16,
- "valueTwo": 0,
- "op": "SCMP_CMP_NE"
- }
- ],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_AUDIT_WRITE"
- ]
- }
- },
- {
- "names": [
- "socket"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [
- {
- "index": 2,
- "value": 9,
- "valueTwo": 0,
- "op": "SCMP_CMP_NE"
- }
- ],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_AUDIT_WRITE"
- ]
- }
- },
- {
- "names": [
- "socket"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": null,
- "comment": "",
- "includes": {
- "caps": [
- "CAP_AUDIT_WRITE"
- ]
- },
- "excludes": {}
- }
- ]
-}
diff --git a/systems/modules/profiles/i18n.nix b/systems/modules/profiles/i18n.nix
@@ -1,24 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- cfg = config.profiles.i18n;
-in
-{
- options = {
- profiles.i18n = {
- enable = mkOption {
- default = true;
- description = "Enable i18n profile";
- type = types.bool;
- };
- };
- };
- config = mkIf cfg.enable {
- console.keyMap = "fr-bepo";
- console.font = "Lat2-Terminus16";
- i18n = {
- defaultLocale = "en_US.UTF-8";
- };
- };
-}
diff --git a/systems/modules/profiles/wireguard.server.nix b/systems/modules/profiles/wireguard.server.nix
@@ -1,39 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- cfg = config.profiles.wireguard.server;
-
- secretPath = ../../../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
- allowedIPs = lists.optionals secretCondition (import secretPath).wireguard.kerkouane.allowedIPs;
- listenPort = if secretCondition then (import secretPath).wg.listenPort else 0;
- peers = lists.optionals secretCondition (import secretPath).wg.peers;
-in
-{
- options = {
- profiles.wireguard.server = {
- enable = mkEnableOption "Enable wireguard.server profile";
- };
- };
- config = mkIf cfg.enable {
- # boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
- environment.systemPackages = [ pkgs.wireguard-tools ];
- boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
- networking.firewall.extraCommands = ''
- iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
- iptables -A FORWARD -i wg+ -j ACCEPT
- '';
- networking.firewall.allowedUDPPorts = [ 51820 ];
- networking.firewall.trustedInterfaces = [ "wg0" ];
- networking.wireguard.enable = true;
- networking.wireguard.interfaces = {
- "wg0" = {
- ips = allowedIPs;
- listenPort = listenPort;
- privateKeyFile = "/etc/nixos/secrets/wireguard/private.key";
- peers = peers;
- };
- };
- };
-}
diff --git a/systems/modules/services/default.nix b/systems/modules/services/default.nix
@@ -9,5 +9,6 @@
./ssh.nix
./syncthing.nix
./wireguard.client.nix
+ ./wireguard.server.nix
];
}
diff --git a/systems/modules/services/wireguard.server.nix b/systems/modules/services/wireguard.server.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.modules.services.wireguard.server;
+
+ secretPath = ../../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+ allowedIPs = lists.optionals secretCondition (import secretPath).wireguard.kerkouane.allowedIPs;
+ listenPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ peers = lists.optionals secretCondition (import secretPath).wg.peers;
+in
+{
+ options = {
+ modules.services.wireguard.server = {
+ enable = mkEnableOption "Enable wireguard.server profile";
+ };
+ };
+ config = mkIf cfg.enable {
+ # boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+ environment.systemPackages = [ pkgs.wireguard-tools ];
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ networking.firewall.extraCommands = ''
+ iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
+ iptables -A FORWARD -i wg+ -j ACCEPT
+ '';
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces = {
+ "wg0" = {
+ ips = allowedIPs;
+ listenPort = listenPort;
+ privateKeyFile = "/etc/nixos/secrets/wireguard/private.key";
+ peers = peers;
+ };
+ };
+ };
+}
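Review bot: The `networking.firewall.extraCommands` block appends to the nat `POSTROUTING` and `FORWARD` chains with `-A`, and the NixOS firewall only flushes its own `nixos-fw*` chains on reload, so each `systemctl restart firewall` (every rebuild that touches the firewall) adds another copy of both rules; this file is a verbatim move from `profiles/wireguard.server.nix`, so the behaviour is inherited rather than new, but the move is a good moment to pair it with a matching `extraStopCommands`. The firewall also hard-codes `allowedUDPPorts = [ 51820 ]` while the interface's `listenPort` comes from the secrets file (or falls back to `0`), so the two can silently disagree; `networking.firewall.allowedUDPPorts = lib.optional secretCondition listenPort;` keeps them in step. Minor: `mkEnableOption "Enable wireguard.server profile"` renders as "Whether to enable Enable wireguard.server profile." and still says profile — `mkEnableOption "the WireGuard server (wg0) with NAT for its peers"` reads correctly.

```nix
    networking.firewall.extraCommands = ''
      iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
      iptables -A FORWARD -i wg+ -j ACCEPT
    '';
    # Undo the rules above on firewall stop/reload so they do not accumulate.
    networking.firewall.extraStopCommands = ''
      iptables -t nat -D POSTROUTING -s10.100.0.0/24 -j MASQUERADE 2>/dev/null || true
      iptables -D FORWARD -i wg+ -j ACCEPT 2>/dev/null || true
    '';
    # … unchanged: allowedUDPPorts, trustedInterfaces, networking.wireguard.* …
```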