{ config, pkgs, nixpkgs-unstable, lib, nixos-hardware, ... }:

# Host "sodium": a Raspberry Pi 5 with an impermanent root, a Tang server
# reachable on the wired LAN interface, and a tailscale node. The hardware
# modules come in through `imports`; all settings live under `config`.
{
  imports = [
    "${nixos-hardware}/raspberry-pi/5/default.nix"
    ./hardware-configuration.nix
  ];

  config = {
    system.stateVersion = "24.05";

    boot.loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    custom.defaults = true;

    ## Filesystems
    fileSystems = {
      # btrfs compression on the two data volumes.
      "/data".options = [ "compress=zstd" ];
      "/nix".options = [ "compress=zstd" ];

      # nix only supports build-dir from 2.22, so /tmp is bind mounted onto
      # persistent storage instead. /cache/tmp is wiped and recreated on
      # every boot by boot.initrd.postDeviceCommands below.
      "/tmp" = {
        device = "/cache/tmp";
        options = [ "bind" ];
      };
    };

    ## Impermanence
    custom.impermanence = {
      enable = true;
      cache.enable = true;
    };

    # Replace /cache/tmp with a fresh snapshot of the empty subvolume at
    # boot, then restore the sticky world-writable mode that /tmp needs
    # once the bind mount is in place.
    boot.initrd.postDeviceCommands = lib.mkAfter ''
      btrfs subvolume delete /cache/tmp
      btrfs subvolume snapshot /cache/empty_snapshot /cache/tmp
      chmod 1777 /cache/tmp
    '';

    ## CA server
    custom.ca.service.enable = true;

    # Preferred once nix >= 2.22 is in use, in place of the /tmp bind mount:
    # nix = {
    #   settings = {
    #     build-dir = "/cache/tmp/";
    #   };
    # };

    ## Custom Services
    custom.locations.autoServe = true;

    ## Networking
    networking = {
      hostName = "sodium";
      domain = "pop.ts.hillion.co.uk";

      # Only the wired port is configured. The Pi's end0 is renamed to eth0
      # so the firewall section below can refer to it by that name.
      useDHCP = false;
      interfaces.end0 = {
        name = "eth0";
        useDHCP = true;
      };

      # No static resolvers: the DHCP-supplied nameservers are used as-is,
      # so DNS is only as trustworthy as the LAN's DHCP server.
      nameservers = lib.mkForce [ ];

      firewall = {
        # Packets arriving over tailscale are accepted unconditionally.
        trustedInterfaces = [ "tailscale0" ];

        # mkForce empties the host-wide allow lists so that ports opened by
        # other modules do not become reachable from the LAN; the only port
        # opened on eth0 is Tang's.
        allowedTCPPorts = lib.mkForce [ ];
        allowedUDPPorts = lib.mkForce [ ];
        interfaces.eth0 = {
          allowedTCPPorts = lib.mkForce [
            7654 # Tang
          ];
          allowedUDPPorts = lib.mkForce [ ];
        };
      };
    };

    ## Tailscale
    # The auth key is an age-encrypted secret; only the decrypted file's
    # path is handed to the tailscale service.
    age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/sodium.pop.ts.hillion.co.uk.age;
    services.tailscale = {
      enable = true;
      authKeyFile = config.age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".path;
    };
  };
}