home

My NixOS systems configurations.

commit a8a672b36323e94e9ff549b4b8d5746b61f5aa90
parent a65b8d6dbf555cc27d0b944db8406d9ec858a6fc
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Thu,  5 Sep 2024 00:36:58 +0200

modules.profiles cleaned-up

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
Mflake.nix | 6------
Msystems/hosts/kerkouane.nix | 16+++++++---------
Msystems/modules/core/default.nix | 16+++++++++++++++-
Asystems/modules/core/i18n.nix | 24++++++++++++++++++++++++
Dsystems/modules/profiles/base.nix | 45---------------------------------------------
Msystems/modules/profiles/default.nix | 3++-
Dsystems/modules/profiles/docker.stable.nix | 72------------------------------------------------------------------------
Dsystems/modules/profiles/docker/my-seccomp.json | 1041-------------------------------------------------------------------------------
Dsystems/modules/profiles/i18n.nix | 24------------------------
Dsystems/modules/profiles/wireguard.server.nix | 39---------------------------------------
Msystems/modules/services/default.nix | 1+
Asystems/modules/services/wireguard.server.nix | 39+++++++++++++++++++++++++++++++++++++++
12 files changed, 88 insertions(+), 1238 deletions(-)

diff --git a/flake.nix b/flake.nix
@@ -56,12 +56,6 @@
 ./systems/modules/virtualisation/default.nix
 ./systems/modules/virtualisation/buildkit.nix
 ./systems/modules/services/default.nix
- # FIXME: migrate this to elsewhere, or at least split it
- # Profiles probably need to go away
- ./systems/modules/profiles/base.nix
- ./systems/modules/profiles/builder.nix
- ./systems/modules/profiles/i18n.nix
- ./systems/modules/profiles/wireguard.server.nix
 inputs.sops-nix.nixosModules.sops
 # inputs.envfs.nixosModules.envfs
 {
diff --git a/systems/hosts/kerkouane.nix b/systems/hosts/kerkouane.nix
@@ -126,21 +126,19 @@ in
 buildCores = 1;
 };
- # FIXME: deprecated, move to modules
- profiles = {
+ modules.services = {
 wireguard.server.enable = true;
- };
-
- modules.services.ssh = {
- enable = true;
- extraConfig = ''
- Match User nginx
+ ssh = {
+ enable = true;
+ extraConfig = ''
+ Match User nginx
 ChrootDirectory /var/www
 ForceCommand interfal-sftp
 AllowTcpForwarding no
 PermitTunnel no
 X11Forwarding no
- '';
+ '';
+ };
 };
 networking.firewall.allowPing = true;
diff --git a/systems/modules/core/default.nix b/systems/modules/core/default.nix
@@ -10,13 +10,27 @@ let
 in
 {
 imports = [
+ ./binfmt.nix
 ./boot.nix
 ./config.nix
+ ./i18n.nix
 ./nix.nix
 ./users.nix
- ./binfmt.nix
 ];
+ environment.systemPackages = with pkgs; [
+ cachix
+ file
+ htop
+ iotop
+ lsof
+ netcat
+ psmisc
+ pv
+ tree
+ vim
+ wget
+ ];
 # FIXME fix tmpOnTmpfs
 # systemd.additionalUpstreamSystemUnits = [ "tmp.mount" ];
diff --git a/systems/modules/core/i18n.nix b/systems/modules/core/i18n.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.core.i18n;
+in
+{
+ options = {
+ core.i18n = {
+ enable = mkOption {
+ default = true;
+ description = "Enable i18n profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ console.keyMap = "fr-bepo";
+ console.font = "Lat2-Terminus16";
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ };
+ };
+}
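Review bot: The sshd `Match User nginx` block carried into the new `modules.services.ssh` attribute set still reads `ForceCommand interfal-sftp`; sshd only special-cases the spelling `internal-sftp`, so as written the name is handed to the user's shell inside the `/var/www` chroot and the session fails, meaning the SFTP-only access this block exists to provide never works (it fails closed rather than open, but it is still broken). The line should read `ForceCommand internal-sftp`. Since the block is being reshaped anyway, a one-line comment above `ChrootDirectory /var/www` noting that sshd refuses the chroot unless that directory and every parent are root-owned and not group- or world-writable would save the next person a debugging session, as `/var/www` doubles as the web root. The enclosing attribute set continues outside the hunk.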
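Review bot: The package list moved into core/default.nix is shorter than the one the deleted profiles/base.nix carried — `direnv`, `tmux`, `vrsync` and `gnumake` are gone, as are `environment.pathsToLink = [ "/share/nix-direnv" ]` and the `EDITOR` override — and neither the commit message nor a comment says whether that is deliberate. If those now come from somewhere else (home-manager, presumably), a one-line comment above `environment.systemPackages` pointing there would stop the next reader from re-adding them; if not, every host silently loses them in this commit. The enclosing attribute set starts and ends outside the hunk.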
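Review bot: The option description in the new core/i18n.nix still says `"Enable i18n profile"` although the option now lives at `core.i18n` and the commit is retiring the profiles naming; the same stale wording is carried into systems/modules/services/wireguard.server.nix (`"Enable wireguard.server profile"`). Suggest `description = "Enable the core i18n settings (console keymap and font, default locale)";` here and a matching rewording there. `pkgs` is bound in the argument pattern but never used in this file; dropping it is cosmetic but keeps the module honest about its inputs.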
diff --git a/systems/modules/profiles/base.nix b/systems/modules/profiles/base.nix
@@ -1,45 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- cfg = config.profiles.base;
-in
-{
- options = {
- profiles.base = {
- enable = mkOption {
- default = true;
- description = "Enable base profile";
- type = types.bool;
- };
- };
- };
- config = mkIf cfg.enable {
- environment.pathsToLink = [
- "/share/nix-direnv"
- ];
- environment = {
- variables = {
- EDITOR = pkgs.lib.mkOverride 0 "vim";
- };
- systemPackages = with pkgs; [
- cachix
- direnv
- # exa # TODO: switch to eza in 2024
- file
- htop
- iotop
- lsof
- netcat
- psmisc
- pv
- tmux
- tree
- vim
- vrsync
- wget
- gnumake
- ];
- };
- };
-}
diff --git a/systems/modules/profiles/default.nix b/systems/modules/profiles/default.nix
@@ -1,6 +1,7 @@
 {
 imports = [
- ./work.nix
+ ./builder.nix
 ./home.nix
+ ./work.nix
 ];
 }
diff --git a/systems/modules/profiles/docker.stable.nix b/systems/modules/profiles/docker.stable.nix
@@ -1,72 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- cfg = config.profiles.docker;
-in
-{
- options = {
- profiles.docker = {
- enable = mkEnableOption "Enable docker profile";
- package = mkOption {
- default = pkgs.docker-edge;
- description = "docker package to be used";
- type = types.package;
- };
- runcPackage = mkOption {
- default = pkgs.runc;
- description = "runc package to be used";
- type = types.package;
- };
-
- };
- };
- config = mkIf cfg.enable {
- virtualisation = {
- containerd = {
- enable = true;
- };
- buildkitd = {
- enable = true;
- settings = {
- grpc = {
- # FIXME(vdemeester) move TCP behind an option (and not 0.0.0.0)
- address = [ "unix:///run/buildkit/buildkitd.sock" "tcp://0.0.0.0:1234" ];
- };
- worker.oci = {
- enabled = false;
- };
- worker.containerd = {
- enabled = true;
- platforms = [ "linux/amd64" "linux/arm64" ];
- namespace = "buildkit";
- };
- registry = {
- "r.svc.home:5000" = {
- http = true;
- insecure = true;
- };
- "r.svc.home" = {
- http = true;
- insecure = true;
- };
- };
- };
- };
- docker = {
- enable = true;
- package = cfg.package;
- liveRestore = false;
- storageDriver = "overlay2";
- extraOptions = "--experimental --add-runtime docker-runc=${cfg.runcPackage}/bin/runc --default-runtime=docker-runc --containerd=/run/containerd/containerd.sock";
- };
- };
- environment.etc."docker/daemon.json".text = ''
- {"features":{"buildkit": true}, "insecure-registries": ["172.30.0.0/16", "192.168.12.0/16", "massimo.home:5000", "r.svc.home:5000", "r.svc.home" ]}
- '';
- environment.systemPackages = with pkgs; [
- docker-buildx
- ];
- networking.firewall.trustedInterfaces = [ "docker0" ];
- };
-}
diff --git a/systems/modules/profiles/docker/my-seccomp.json b/systems/modules/profiles/docker/my-seccomp.json
@@ -1,1041 +0,0 @@ -{ - "defaultAction": "SCMP_ACT_ERRNO", - "defaultErrnoRet": 38, - "defaultErrno": "ENOSYS", - "archMap": [ - { - "architecture": "SCMP_ARCH_X86_64", - "subArchitectures": [ - "SCMP_ARCH_X86", - "SCMP_ARCH_X32" - ] - }, - { - "architecture": "SCMP_ARCH_AARCH64", - "subArchitectures": [ - "SCMP_ARCH_ARM" - ] - }, - { - "architecture": "SCMP_ARCH_MIPS64", - "subArchitectures": [ - "SCMP_ARCH_MIPS", - "SCMP_ARCH_MIPS64N32" - ] - }, - { - "architecture": "SCMP_ARCH_MIPS64N32", - "subArchitectures": [ - "SCMP_ARCH_MIPS", - "SCMP_ARCH_MIPS64" - ] - }, - { - "architecture": "SCMP_ARCH_MIPSEL64", - "subArchitectures": [ - "SCMP_ARCH_MIPSEL", - "SCMP_ARCH_MIPSEL64N32" - ] - }, - { - "architecture": "SCMP_ARCH_MIPSEL64N32", - "subArchitectures": [ - "SCMP_ARCH_MIPSEL", - "SCMP_ARCH_MIPSEL64" - ] - }, - { - "architecture": "SCMP_ARCH_S390X", - "subArchitectures": [ - "SCMP_ARCH_S390" - ] - } - ], - "syscalls": [ - { - "names": [ - "bdflush", - "io_pgetevents", - "kexec_file_load", - "kexec_load", - "migrate_pages", - "move_pages", - "nfsservctl", - "nice", - "oldfstat", - "oldlstat", - "oldolduname", - "oldstat", - "olduname", - "pciconfig_iobase", - "pciconfig_read", - "pciconfig_write", - "sgetmask", - "ssetmask", - "swapcontext", - "swapoff", - "swapon", - "sysfs", - "uselib", - "userfaultfd", - "ustat", - "vm86", - "vm86old", - "vmsplice" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": {}, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "_llseek", - "_newselect", - "accept", - "accept4", - "access", - "adjtimex", - "alarm", - "bind", - "brk", - "capget", - "capset", - "chdir", - "chmod", - "chown", - "chown32", - "clock_adjtime", - "clock_adjtime64", - "clock_getres", - "clock_getres_time64", - "clock_gettime", - "clock_gettime64", - "clock_nanosleep", - "clock_nanosleep_time64", - "clone", - "clone3", - "close", - "close_range", - "connect", - "copy_file_range", - "creat", - "dup", - "dup2", 
- "dup3", - "epoll_create", - "epoll_create1", - "epoll_ctl", - "epoll_ctl_old", - "epoll_pwait", - "epoll_pwait2", - "epoll_wait", - "epoll_wait_old", - "eventfd", - "eventfd2", - "execve", - "execveat", - "exit", - "exit_group", - "faccessat", - "faccessat2", - "fadvise64", - "fadvise64_64", - "fallocate", - "fanotify_mark", - "fchdir", - "fchmod", - "fchmodat", - "fchown", - "fchown32", - "fchownat", - "fcntl", - "fcntl64", - "fdatasync", - "fgetxattr", - "flistxattr", - "flock", - "fork", - "fremovexattr", - "fsconfig", - "fsetxattr", - "fsmount", - "fsopen", - "fspick", - "fstat", - "fstat64", - "fstatat64", - "fstatfs", - "fstatfs64", - "fsync", - "ftruncate", - "ftruncate64", - "futex", - "futex_time64", - "futimesat", - "get_robust_list", - "get_thread_area", - "getcpu", - "getcwd", - "getdents", - "getdents64", - "getegid", - "getegid32", - "geteuid", - "geteuid32", - "getgid", - "getgid32", - "getgroups", - "getgroups32", - "getitimer", - "get_mempolicy", - "getpeername", - "getpgid", - "getpgrp", - "getpid", - "getppid", - "getpriority", - "getrandom", - "getresgid", - "getresgid32", - "getresuid", - "getresuid32", - "getrlimit", - "getrusage", - "getsid", - "getsockname", - "getsockopt", - "gettid", - "gettimeofday", - "getuid", - "getuid32", - "getxattr", - "inotify_add_watch", - "inotify_init", - "inotify_init1", - "inotify_rm_watch", - "io_cancel", - "io_destroy", - "io_getevents", - "io_setup", - "io_submit", - "ioctl", - "ioprio_get", - "ioprio_set", - "ipc", - "keyctl", - "kill", - "lchown", - "lchown32", - "lgetxattr", - "link", - "linkat", - "listen", - "listxattr", - "llistxattr", - "lremovexattr", - "lseek", - "lsetxattr", - "lstat", - "lstat64", - "madvise", - "mbind", - "memfd_create", - "memfd_secret", - "mincore", - "mkdir", - "mkdirat", - "mknod", - "mknodat", - "mlock", - "mlock2", - "mlockall", - "mmap", - "mmap2", - "mount", - "move_mount", - "mprotect", - "mq_getsetattr", - "mq_notify", - "mq_open", - "mq_timedreceive", - 
"mq_timedreceive_time64", - "mq_timedsend", - "mq_timedsend_time64", - "mq_unlink", - "mremap", - "msgctl", - "msgget", - "msgrcv", - "msgsnd", - "msync", - "munlock", - "munlockall", - "munmap", - "name_to_handle_at", - "nanosleep", - "newfstatat", - "open", - "openat", - "openat2", - "open_tree", - "pause", - "pidfd_getfd", - "pidfd_open", - "pidfd_send_signal", - "pipe", - "pipe2", - "pivot_root", - "pkey_alloc", - "pkey_free", - "pkey_mprotect", - "poll", - "ppoll", - "ppoll_time64", - "prctl", - "pread64", - "preadv", - "preadv2", - "prlimit64", - "pselect6", - "pselect6_time64", - "pwrite64", - "pwritev", - "pwritev2", - "read", - "readahead", - "readdir", - "readlink", - "readlinkat", - "readv", - "reboot", - "recv", - "recvfrom", - "recvmmsg", - "recvmmsg_time64", - "recvmsg", - "remap_file_pages", - "removexattr", - "rename", - "renameat", - "renameat2", - "restart_syscall", - "rmdir", - "rseq", - "rt_sigaction", - "rt_sigpending", - "rt_sigprocmask", - "rt_sigqueueinfo", - "rt_sigreturn", - "rt_sigsuspend", - "rt_sigtimedwait", - "rt_sigtimedwait_time64", - "rt_tgsigqueueinfo", - "sched_get_priority_max", - "sched_get_priority_min", - "sched_getaffinity", - "sched_getattr", - "sched_getparam", - "sched_getscheduler", - "sched_rr_get_interval", - "sched_rr_get_interval_time64", - "sched_setaffinity", - "sched_setattr", - "sched_setparam", - "sched_setscheduler", - "sched_yield", - "seccomp", - "select", - "semctl", - "semget", - "semop", - "semtimedop", - "semtimedop_time64", - "send", - "sendfile", - "sendfile64", - "sendmmsg", - "sendmsg", - "sendto", - "setns", - "set_mempolicy", - "set_robust_list", - "set_thread_area", - "set_tid_address", - "setfsgid", - "setfsgid32", - "setfsuid", - "setfsuid32", - "setgid", - "setgid32", - "setgroups", - "setgroups32", - "setitimer", - "setpgid", - "setpriority", - "setregid", - "setregid32", - "setresgid", - "setresgid32", - "setresuid", - "setresuid32", - "setreuid", - "setreuid32", - "setrlimit", - "setsid", - 
"setsockopt", - "setuid", - "setuid32", - "setxattr", - "shmat", - "shmctl", - "shmdt", - "shmget", - "shutdown", - "sigaltstack", - "signalfd", - "signalfd4", - "sigreturn", - "socketcall", - "socketpair", - "splice", - "stat", - "stat64", - "statfs", - "statfs64", - "statx", - "symlink", - "symlinkat", - "sync", - "sync_file_range", - "syncfs", - "sysinfo", - "syslog", - "tee", - "tgkill", - "time", - "timer_create", - "timer_delete", - "timer_getoverrun", - "timer_gettime", - "timer_gettime64", - "timer_settime", - "timer_settime64", - "timerfd_create", - "timerfd_gettime", - "timerfd_gettime64", - "timerfd_settime", - "timerfd_settime64", - "times", - "tkill", - "truncate", - "truncate64", - "ugetrlimit", - "umask", - "umount", - "umount2", - "uname", - "unlink", - "unlinkat", - "unshare", - "utime", - "utimensat", - "utimensat_time64", - "utimes", - "vfork", - "wait4", - "waitid", - "waitpid", - "write", - "writev" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": {}, - "excludes": {} - }, - { - "names": [ - "personality" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 0, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ], - "comment": "", - "includes": {}, - "excludes": {} - }, - { - "names": [ - "personality" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 8, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ], - "comment": "", - "includes": {}, - "excludes": {} - }, - { - "names": [ - "personality" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 131072, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ], - "comment": "", - "includes": {}, - "excludes": {} - }, - { - "names": [ - "personality" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 131080, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ], - "comment": "", - "includes": {}, - "excludes": {} - }, - { - "names": [ - "personality" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - 
{ - "index": 0, - "value": 4294967295, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ], - "comment": "", - "includes": {}, - "excludes": {} - }, - { - "names": [ - "sync_file_range2" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "arches": [ - "ppc64le" - ] - }, - "excludes": {} - }, - { - "names": [ - "arm_fadvise64_64", - "arm_sync_file_range", - "sync_file_range2", - "breakpoint", - "cacheflush", - "set_tls" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "arches": [ - "arm", - "arm64" - ] - }, - "excludes": {} - }, - { - "names": [ - "arch_prctl" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "arches": [ - "amd64", - "x32" - ] - }, - "excludes": {} - }, - { - "names": [ - "modify_ldt" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "arches": [ - "amd64", - "x32", - "x86" - ] - }, - "excludes": {} - }, - { - "names": [ - "s390_pci_mmio_read", - "s390_pci_mmio_write", - "s390_runtime_instr" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "arches": [ - "s390", - "s390x" - ] - }, - "excludes": {} - }, - { - "names": [ - "open_by_handle_at" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_DAC_READ_SEARCH" - ] - }, - "excludes": {} - }, - { - "names": [ - "open_by_handle_at" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_DAC_READ_SEARCH" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "bpf", - "fanotify_init", - "lookup_dcookie", - "perf_event_open", - "quotactl", - "setdomainname", - "sethostname", - "setns" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_ADMIN" - ] - }, - "excludes": {} - }, - { - "names": [ - "bpf", - "fanotify_init", - "lookup_dcookie", - "perf_event_open", - "quotactl", 
- "setdomainname", - "sethostname", - "setns" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_ADMIN" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "chroot" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_CHROOT" - ] - }, - "excludes": {} - }, - { - "names": [ - "chroot" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_CHROOT" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "delete_module", - "init_module", - "finit_module", - "query_module" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_MODULE" - ] - }, - "excludes": {} - }, - { - "names": [ - "delete_module", - "init_module", - "finit_module", - "query_module" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_MODULE" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "acct" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_PACCT" - ] - }, - "excludes": {} - }, - { - "names": [ - "acct" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_PACCT" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "kcmp", - "process_madvise", - "process_vm_readv", - "process_vm_writev", - "ptrace" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_PTRACE" - ] - }, - "excludes": {} - }, - { - "names": [ - "kcmp", - "process_madvise", - "process_vm_readv", - "process_vm_writev", - "ptrace" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_PTRACE" - ] - }, - "errnoRet": 1, - 
"errno": "EPERM" - }, - { - "names": [ - "iopl", - "ioperm" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_RAWIO" - ] - }, - "excludes": {} - }, - { - "names": [ - "iopl", - "ioperm" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_RAWIO" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "settimeofday", - "stime", - "clock_settime", - "clock_settime64" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_TIME" - ] - }, - "excludes": {} - }, - { - "names": [ - "settimeofday", - "stime", - "clock_settime", - "clock_settime64" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_TIME" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "vhangup" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_TTY_CONFIG" - ] - }, - "excludes": {} - }, - { - "names": [ - "vhangup" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_TTY_CONFIG" - ] - }, - "errnoRet": 1, - "errno": "EPERM" - }, - { - "names": [ - "socket" - ], - "action": "SCMP_ACT_ERRNO", - "args": [ - { - "index": 0, - "value": 16, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - }, - { - "index": 2, - "value": 9, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_AUDIT_WRITE" - ] - }, - "errnoRet": 22, - "errno": "EINVAL" - }, - { - "names": [ - "socket" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 2, - "value": 9, - "valueTwo": 0, - "op": "SCMP_CMP_NE" - } - ], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_AUDIT_WRITE" - ] - } - }, - { - "names": [ - "socket" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { 
- "index": 0, - "value": 16, - "valueTwo": 0, - "op": "SCMP_CMP_NE" - } - ], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_AUDIT_WRITE" - ] - } - }, - { - "names": [ - "socket" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 2, - "value": 9, - "valueTwo": 0, - "op": "SCMP_CMP_NE" - } - ], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_AUDIT_WRITE" - ] - } - }, - { - "names": [ - "socket" - ], - "action": "SCMP_ACT_ALLOW", - "args": null, - "comment": "", - "includes": { - "caps": [ - "CAP_AUDIT_WRITE" - ] - }, - "excludes": {} - } - ] -} diff --git a/systems/modules/profiles/i18n.nix b/systems/modules/profiles/i18n.nix @@ -1,24 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -let - cfg = config.profiles.i18n; -in -{ - options = { - profiles.i18n = { - enable = mkOption { - default = true; - description = "Enable i18n profile"; - type = types.bool; - }; - }; - }; - config = mkIf cfg.enable { - console.keyMap = "fr-bepo"; - console.font = "Lat2-Terminus16"; - i18n = { - defaultLocale = "en_US.UTF-8"; - }; - }; -} diff --git a/systems/modules/profiles/wireguard.server.nix b/systems/modules/profiles/wireguard.server.nix 
@@ -1,39 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- cfg = config.profiles.wireguard.server;
-
- secretPath = ../../../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
- allowedIPs = lists.optionals secretCondition (import secretPath).wireguard.kerkouane.allowedIPs;
- listenPort = if secretCondition then (import secretPath).wg.listenPort else 0;
- peers = lists.optionals secretCondition (import secretPath).wg.peers;
-in
-{
- options = {
- profiles.wireguard.server = {
- enable = mkEnableOption "Enable wireguard.server profile";
- };
- };
- config = mkIf cfg.enable {
- # boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
- environment.systemPackages = [ pkgs.wireguard-tools ];
- boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
- networking.firewall.extraCommands = ''
- iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
- iptables -A FORWARD -i wg+ -j ACCEPT
- '';
- networking.firewall.allowedUDPPorts = [ 51820 ];
- networking.firewall.trustedInterfaces = [ "wg0" ];
- networking.wireguard.enable = true;
- networking.wireguard.interfaces = {
- "wg0" = {
- ips = allowedIPs;
- listenPort = listenPort;
- privateKeyFile = "/etc/nixos/secrets/wireguard/private.key";
- peers = peers;
- };
- };
- };
-}
diff --git a/systems/modules/services/default.nix b/systems/modules/services/default.nix
@@ -9,5 +9,6 @@
 ./ssh.nix
 ./syncthing.nix
 ./wireguard.client.nix
+ ./wireguard.server.nix
 ];
 }
diff --git a/systems/modules/services/wireguard.server.nix b/systems/modules/services/wireguard.server.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.modules.services.wireguard.server;
+
+ secretPath = ../../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+ allowedIPs = lists.optionals secretCondition (import secretPath).wireguard.kerkouane.allowedIPs;
+ listenPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ peers = lists.optionals secretCondition (import secretPath).wg.peers;
+in
+{
+ options = {
+ modules.services.wireguard.server = {
+ enable = mkEnableOption "Enable wireguard.server profile";
+ };
+ };
+ config = mkIf cfg.enable {
+ # boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+ environment.systemPackages = [ pkgs.wireguard-tools ];
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ networking.firewall.extraCommands = ''
+ iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
+ iptables -A FORWARD -i wg+ -j ACCEPT
+ '';
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces = {
+ "wg0" = {
+ ips = allowedIPs;
+ listenPort = listenPort;
+ privateKeyFile = "/etc/nixos/secrets/wireguard/private.key";
+ peers = peers;
+ };
+ };
+ };
+}
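Review bot: `networking.firewall.allowedUDPPorts = [ 51820 ]` is hard-coded while the interface's `listenPort` is read from `secrets/machines.nix` (falling back to `0` when the file is absent), so the two can drift apart — the firewall may open a port WireGuard is not listening on, and when the secrets are missing it still opens 51820 for an interface that has no peers and no addresses; deriving the list from `listenPort` keeps them in step and leaves the port closed in the no-secrets case. The `extraCommands` rules are appended straight to the kernel's `nat/POSTROUTING` and `FORWARD` chains rather than to a NixOS-managed chain, so they are liable to accumulate as duplicates on every firewall restart unless matching `extraStopCommands` remove them (the `networking.nat` module with `internalInterfaces = [ "wg0" ]` would be the idiomatic alternative). The `allowedIPs` lookup is also keyed on `wireguard.kerkouane`, which ties this now-generic `modules.services` module to one host — presumably intended for now, but a comment or an option would make that explicit. The file is new, so all of this is on the new side.
```nix
# … unchanged: argument pattern, let-bindings, options …
      networking.firewall.extraCommands = ''
        iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
        iptables -A FORWARD -i wg+ -j ACCEPT
      '';
      # Remove the rules above on stop/reload so they do not pile up.
      networking.firewall.extraStopCommands = ''
        iptables -t nat -D POSTROUTING -s10.100.0.0/24 -j MASQUERADE 2>/dev/null || true
        iptables -D FORWARD -i wg+ -j ACCEPT 2>/dev/null || true
      '';
      # Open exactly the port the interface listens on, and nothing when the
      # secrets file (and therefore the real port and peers) is absent.
      networking.firewall.allowedUDPPorts = lists.optional secretCondition listenPort;
      # … unchanged: trustedInterfaces, networking.wireguard.* …
```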