dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add outbound firewall to server & add helix and zellij

Browse source
This commit is contained in:
danny 2025-10-22 16:24:33 +08:00
parent d273765b99
commit 7fcf26263a
23 changed files with 769 additions and 145 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.prettierrc
View file

@ -1,3 +0,0 @@
{
"trailingComma": "none"
}

6
flake.lock generated
View file

@ -1907,11 +1907,11 @@
"systems": "systems_9"
},
"locked": {
"lastModified": 1760153667,
"narHash": "sha256-F7KmXT/Izse6Q6CkD5GCImoGPaDJxl03Kd7eD+eY/bU=",
"lastModified": 1761112426,
"narHash": "sha256-fa3fIyXP3xQhsPaZX4WsFwPM9g64EMOucfDEC4o8Nwc=",
"owner": "NotAShelf",
"repo": "nvf",
"rev": "9df9d51fd9fc8f9a8fc377f984ea3b7ae796172d",
"rev": "9b3e7bcf68ace2f07eb7478c40e45ce79332482b",
"type": "github"
},
"original": {

6
flake.nix
View file

@ -166,7 +166,8 @@
in
{
# ==== NixOS Configuration ==== #
nixosConfigurations = mapAttrs (
nixosConfigurations = (
mapAttrs (
hostname: conf:
let
inherit (conf) path system;
@ -224,7 +225,8 @@
(import path { inherit hostname; })
];
}
) hosts;
) hosts
);
# ==== MicroVM Packages ==== #
# packages."${system}" = {

7
helper/default.nix
View file

@ -9,6 +9,7 @@ let
optionalString
toUpper
substring
concatStringsSep
;
inherit (builtins) toJSON;
in
@ -98,4 +99,10 @@ in
};
capitalize = text: "${toUpper (substring 0 1 text)}${substring 1 (-1) text}";
nftables = {
mkElementsStatement =
elements:
optionalString (builtins.length elements > 0) "elements = { ${concatStringsSep "," elements} }";
};
}

40
home/user/nvf/default.nix
View file

@ -1,4 +1,5 @@
{
osConfig,
pkgs,
lib,
inputs,
@ -27,6 +28,7 @@ in
imports = [
./plugins/snacks-nvim
./plugins/lualine
./extra-lsp.nix
];
programs.nvf = {
@ -35,6 +37,7 @@ in
vim = {
enableLuaLoader = true;
vimAlias = true;
extraPackages = with pkgs; [ nixfmt ];
clipboard = {
enable = true;
@ -236,6 +239,7 @@ in
nowait = true;
desc = "Select terminal";
}
# Send current selection to Term
{
key = "<Leader>ts";
@ -316,9 +320,13 @@ in
lsp = {
enable = true;
formatOnSave = true;
otter-nvim.enable = true;
otter-nvim = {
enable = true;
setupOpts.handle_leading_whitespace = true;
};
nvim-docs-view.enable = true;
lspkind.enable = true;
null-ls.enable = false;
trouble = {
enable = true;
mappings = {
@ -334,6 +342,15 @@ in
};
};
formatter = {
conform-nvim = {
enable = true;
setupOpts.formatters_by_ft = {
nix = [ "nixfmt" ];
};
};
};
diagnostics = {
enable = true;
config = {
@ -358,6 +375,7 @@ in
bash.enable = true;
css.enable = true;
yaml.enable = true;
rust = {
enable = true;
lsp = {
@ -379,20 +397,17 @@ in
nix = {
enable = true;
extraDiagnostics.enable = false;
format.type = "nixfmt";
format.enable = false; # Manually configured in conform-nvim
lsp = {
server = "nil";
server = "nixd";
options = {
nix.flake.autoArchive = true;
nixos.expr =
# nix
''(builtins.getFlake "/etc/nixos").nixosConfigurations.${osConfig.networking.hostName}.options'';
home_manager.expr =
# nix
''(builtins.getFlake "/etc/nixos").nixosConfigurations.${osConfig.networking.hostName}.options.home-manager.users.type.getSubOptions []'';
};
# options = {
# nixos.expr =
# # nix
# ''(builtins.getFlake (builtins.toString ./.)).nixosConfigurations.${osConfig.networking.hostName}.options'';
# home_manager.expr =
# # nix
# ''(builtins.getFlake (builtins.toString ./.)).nixosConfigurations.${osConfig.networking.hostName}.options.home-manager.users.type.getSubOptions []'';
# };
};
};
sql.enable = true;
@ -513,6 +528,7 @@ in
yazi-nvim = {
enable = true;
mappings.openYaziDir = "<leader>e";
};
images = {

22
home/user/nvf/extra-lsp.nix Normal file
View file

@ -0,0 +1,22 @@
{ pkgs, ... }:
{
programs.nvf.settings.vim = {
diagnostics.nvim-lint.linters_by_ft = {
dockerfile = [ "hadolint" ];
};
treesitter.grammars = with pkgs.vimPlugins.nvim-treesitter-parsers; [
dockerfile
];
extraPackages = with pkgs; [
# docker
hadolint
dockerfile-language-server
docker-compose-language-service
];
lsp.servers = {
dockerls = { };
docker_compose_language_service = { };
};
};
}

16
home/user/nvf/plugins/lualine/default.nix
View file

@ -1,4 +1,4 @@
{ pkgs, lib, ... }:
{ lib, ... }:
{
programs.nvf.settings.vim.statusline = {
lualine = {
@ -48,6 +48,7 @@
''
];
c = lib.mkForce [
# lua
''
{
"diff",
@ -64,6 +65,7 @@
''
];
x = lib.mkForce [
# lua
''
{
-- Lsp server name
@ -93,6 +95,18 @@
separator = {left = ''},
}
''
# lua
''
{
-- Recording Status
function()
local reg = vim.fn.reg_recording()
if reg == "" then return "" end
return "@" .. reg
end,
}
''
# lua
''
{
"diagnostics",

2
home/user/nvf/plugins/snacks-nvim/default.nix
View file

@ -70,7 +70,7 @@ in
enabled = false;
};
explorer = {
enabled = true;
enabled = false;
};
indent = {
enabled = true;

5
home/user/nvf/plugins/snacks-nvim/keymaps.nix
View file

@ -1,10 +1,5 @@
let
keyList = [
{
key = "<leader>e";
action = "explorer()";
desc = "Toggle explorer";
}
{
key = "<leader><space>";
action = "picker.smart()";

1
home/user/shellAlias.nix
View file

@ -5,6 +5,7 @@
cat = "bat";
g = "git";
t = "tmux";
zl = "zellij";
# Nixos
rebuild = "sudo nixos-rebuild switch --flake /etc/nixos#${hostname}";

308
home/user/zellij.nix
View file

@ -1,6 +1,312 @@
{ ... }:
{
pkgs,
config,
...
}:
let
inherit (builtins) fetchurl;
inherit (config.lib.stylix) colors;
zjstatus = fetchurl {
url = "https://github.com/dj95/zjstatus/releases/download/v0.21.1/zjstatus.wasm";
sha256 = "sha256:06mfcijmsmvb2gdzsql6w8axpaxizdc190b93s3nczy212i846fw";
};
in
{
programs.zellij = {
enable = true;
attachExistingSession = true;
enableFishIntegration = true;
enableBashIntegration = true;
extraConfig = ''
keybinds clear-defaults=true {
normal {
bind "Ctrl n" { SwitchToMode "Resize"; }
bind "Ctrl p" { SwitchToMode "Pane"; }
bind "Ctrl m" { SwitchToMode "Move"; }
bind "Ctrl t" { SwitchToMode "Tab"; }
bind "Alt Shift h" { GoToPreviousTab; }
bind "Alt Shift l" { GoToNextTab; }
bind "Ctrl o" { SwitchToMode "Session"; }
bind "Ctrl /" { ToggleFloatingPanes; SwitchToMode "Normal"; }
bind "Ctrl Shift -" { Run "yazi" {
floating true
close_on_exit true
width "80%"
height "80%"
x "10%"
y "10%"
};}
}
locked {
bind "Ctrl g" { SwitchToMode "Normal"; }
}
resize {
bind "Ctrl n" "Ctrl c" "Esc" { SwitchToMode "Normal"; }
bind "h" "Left" { Resize "Increase Left"; }
bind "j" "Down" { Resize "Increase Down"; }
bind "k" "Up" { Resize "Increase Up"; }
bind "l" "Right" { Resize "Increase Right"; }
bind "H" { Resize "Decrease Left"; }
bind "J" { Resize "Decrease Down"; }
bind "K" { Resize "Decrease Up"; }
bind "L" { Resize "Decrease Right"; }
bind "=" "+" { Resize "Increase"; }
bind "-" { Resize "Decrease"; }
}
pane {
bind "Ctrl p" "Ctrl c" "Esc" { SwitchToMode "Normal"; }
bind "h" "Left" { MoveFocus "Left"; }
bind "l" "Right" { MoveFocus "Right"; }
bind "j" "Down" { MoveFocus "Down"; }
bind "k" "Up" { MoveFocus "Up"; }
bind "p" { SwitchFocus; }
bind "n" { NewPane; SwitchToMode "Normal"; }
bind "d" { NewPane "Down"; SwitchToMode "Normal"; }
bind "r" { NewPane "Right"; SwitchToMode "Normal"; }
bind "s" { NewPane "stacked"; SwitchToMode "Normal"; }
bind "x" { CloseFocus; SwitchToMode "Normal"; }
bind "F" { ToggleFocusFullscreen; SwitchToMode "Normal"; }
bind "f" { ToggleFloatingPanes; SwitchToMode "Normal"; }
bind "e" { TogglePaneEmbedOrFloating; SwitchToMode "Normal"; }
bind "R" { SwitchToMode "RenamePane"; PaneNameInput 0;}
bind "P" { TogglePanePinned; SwitchToMode "Normal"; }
bind "g" { Run "${pkgs.lazygit}/bin/lazygit" {
floating true
close_on_exit true
width "80%"
height "80%"
x "10%"
y "10%"
}; SwitchToMode "Normal"; }
}
move {
bind "Ctrl m" "Ctrl c" "Esc" { SwitchToMode "Normal"; }
bind "n" "Tab" { MovePane; }
bind "p" { MovePaneBackwards; }
bind "h" "Left" { MovePane "Left"; }
bind "j" "Down" { MovePane "Down"; }
bind "k" "Up" { MovePane "Up"; }
bind "l" "Right" { MovePane "Right"; }
}
tab {
bind "Ctrl t" "Ctrl c" "Esc" { SwitchToMode "Normal"; }
bind "r" { SwitchToMode "RenameTab"; TabNameInput 0; }
bind "h" "Left" "Up" "k" { GoToPreviousTab; }
bind "l" "Right" "Down" "j" { GoToNextTab; }
bind "n" { NewTab; SwitchToMode "Normal"; }
bind "x" { CloseTab; SwitchToMode "Normal"; }
bind "s" { ToggleActiveSyncTab; SwitchToMode "Normal"; }
bind "b" { BreakPane; SwitchToMode "Normal"; }
bind "]" { BreakPaneRight; SwitchToMode "Normal"; }
bind "[" { BreakPaneLeft; SwitchToMode "Normal"; }
bind "1" { GoToTab 1; SwitchToMode "Normal"; }
bind "2" { GoToTab 2; SwitchToMode "Normal"; }
bind "3" { GoToTab 3; SwitchToMode "Normal"; }
bind "4" { GoToTab 4; SwitchToMode "Normal"; }
bind "5" { GoToTab 5; SwitchToMode "Normal"; }
bind "6" { GoToTab 6; SwitchToMode "Normal"; }
bind "7" { GoToTab 7; SwitchToMode "Normal"; }
bind "8" { GoToTab 8; SwitchToMode "Normal"; }
bind "9" { GoToTab 9; SwitchToMode "Normal"; }
bind "Tab" { ToggleTab; }
}
scroll {
bind "Ctrl s" { SwitchToMode "Normal"; }
bind "e" { EditScrollback; SwitchToMode "Normal"; }
bind "s" { SwitchToMode "EnterSearch"; SearchInput 0; }
bind "Ctrl c" { ScrollToBottom; SwitchToMode "Normal"; }
bind "j" "Down" { ScrollDown; }
bind "k" "Up" { ScrollUp; }
bind "Ctrl f" "PageDown" "Right" "l" { PageScrollDown; }
bind "Ctrl b" "PageUp" "Left" "h" { PageScrollUp; }
bind "d" { HalfPageScrollDown; }
bind "u" { HalfPageScrollUp; }
}
search {
bind "Ctrl s" { SwitchToMode "Normal"; }
bind "Ctrl c" { ScrollToBottom; SwitchToMode "Normal"; }
bind "j" "Down" { ScrollDown; }
bind "k" "Up" { ScrollUp; }
bind "Ctrl f" "PageDown" "Right" "l" { PageScrollDown; }
bind "Ctrl b" "PageUp" "Left" "h" { PageScrollUp; }
bind "d" { HalfPageScrollDown; }
bind "u" { HalfPageScrollUp; }
bind "n" { Search "down"; }
bind "p" { Search "up"; }
bind "c" { SearchToggleOption "CaseSensitivity"; }
bind "w" { SearchToggleOption "Wrap"; }
bind "o" { SearchToggleOption "WholeWord"; }
}
entersearch {
bind "Ctrl c" "Esc" { SwitchToMode "Scroll"; }
bind "Enter" { SwitchToMode "Search"; }
}
renametab {
bind "Ctrl c" { SwitchToMode "Normal"; }
bind "Esc" { UndoRenameTab; SwitchToMode "Tab"; }
}
renamepane {
bind "Ctrl c" { SwitchToMode "Normal"; }
bind "Esc" { UndoRenamePane; SwitchToMode "Pane"; }
}
session {
bind "Ctrl o" "Ctrl c" { SwitchToMode "Normal"; }
bind "Ctrl s" { SwitchToMode "Scroll"; }
bind "d" { Detach; }
bind "w" {
LaunchOrFocusPlugin "session-manager" {
floating true
move_to_focused_tab true
};
SwitchToMode "Normal"
}
bind "c" {
LaunchOrFocusPlugin "configuration" {
floating true
move_to_focused_tab true
};
SwitchToMode "Normal"
}
bind "p" {
LaunchOrFocusPlugin "plugin-manager" {
floating true
move_to_focused_tab true
};
SwitchToMode "Normal"
}
bind "a" {
LaunchOrFocusPlugin "zellij:about" {
floating true
move_to_focused_tab true
};
SwitchToMode "Normal"
}
bind "s" {
LaunchOrFocusPlugin "zellij:share" {
floating true
move_to_focused_tab true
};
SwitchToMode "Normal"
}
}
}
plugins {
tab-bar location="zellij:tab-bar"
status-bar location="zellij:status-bar"
strider location="zellij:strider"
compact-bar location="zellij:compact-bar"
session-manager location="zellij:session-manager"
welcome-screen location="zellij:session-manager" {
welcome_screen true
}
filepicker location="zellij:strider" {
cwd "/"
}
configuration location="zellij:configuration"
plugin-manager location="zellij:plugin-manager"
about location="zellij:about"
}
web_client {
font "monospace"
}
'';
settings = {
pane_frames = false;
show_startup_tips = false;
default_layout = "compact-top-bar";
};
layouts = {
compact-top-bar = {
layout = {
_children = [
{
swap_floating_layout._children = [
{
floating_panes = {
_props = {
max_panes = 1;
};
_children = [
{
pane = {
x = "10%";
y = "10%";
height = "80%";
width = "80%";
};
}
];
};
}
];
}
{
default_tab_template._children = [
{
pane = {
size = 1;
borderless = true;
plugin = {
location = "file:${zjstatus}";
format_left = "{mode}#[bg=#${colors.base00}] {tabs}";
format_center = "";
format_right = "#[bg=#${colors.base00},fg=#${colors.base0D}]#[bg=#${colors.base0D},fg=#${colors.base01},bold] #[bg=#${colors.base02},fg=#${colors.base05},bold] {session} #[bg=#${colors.base03},fg=#${colors.base05},bold]";
format_space = "";
format_hide_on_overlength = "true";
format_precedence = "crl";
border_enabled = "false";
border_char = "";
border_format = "#[fg=#6C7086]{char}";
border_position = "top";
mode_normal = "#[bg=#${colors.base0B},fg=#${colors.base02},bold] NORMAL#[bg=#${colors.base03},fg=#${colors.base0B}]";
mode_locked = "#[bg=#${colors.base04},fg=#${colors.base02},bold] LOCKED #[bg=#${colors.base03},fg=#${colors.base04}]";
mode_resize = "#[bg=#${colors.base08},fg=#${colors.base02},bold] RESIZE#[bg=#${colors.base03},fg=#${colors.base08}]";
mode_pane = "#[bg=#${colors.base0D},fg=#${colors.base02},bold] PANE#[bg=#${colors.base03},fg=#${colors.base0D}]";
mode_tab = "#[bg=#${colors.base07},fg=#${colors.base02},bold] TAB#[bg=#${colors.base03},fg=#${colors.base07}]";
mode_scroll = "#[bg=#${colors.base0A},fg=#${colors.base02},bold] SCROLL#[bg=#${colors.base03},fg=#${colors.base0A}]";
mode_enter_search = "#[bg=#${colors.base0D},fg=#${colors.base02},bold] ENT-SEARCH#[bg=#${colors.base03},fg=#${colors.base0D}]";
mode_search = "#[bg=#${colors.base0D},fg=#${colors.base02},bold] SEARCHARCH#[bg=#${colors.base03},fg=#${colors.base0D}]";
mode_rename_tab = "#[bg=#${colors.base07},fg=#${colors.base02},bold] RENAME-TAB#[bg=#${colors.base03},fg=#${colors.base07}]";
mode_rename_pane = "#[bg=#${colors.base0D},fg=#${colors.base02},bold] RENAME-PANE#[bg=#${colors.base03},fg=#${colors.base0D}]";
mode_session = "#[bg=#${colors.base0E},fg=#${colors.base02},bold] SESSION#[bg=#${colors.base03},fg=#${colors.base0E}]";
mode_move = "#[bg=#${colors.base0F},fg=#${colors.base02},bold] MOVE#[bg=#${colors.base03},fg=#${colors.base0F}]";
mode_prompt = "#[bg=#${colors.base0D},fg=#${colors.base02},bold] PROMPT#[bg=#${colors.base03},fg=#${colors.base0D}]";
mode_tmux = "#[bg=#${colors.base09},fg=#${colors.base02},bold] TMUX#[bg=#${colors.base03},fg=#${colors.base09}]";
tab_normal = "#[bg=#${colors.base03},fg=#${colors.base0D}]#[bg=#${colors.base0D},fg=#${colors.base02},bold]{index} #[bg=#${colors.base02},fg=#${colors.base05},bold] {name}{floating_indicator}#[bg=#${colors.base03},fg=#${colors.base02},bold]";
tab_normal_fullscreen = "#[bg=#${colors.base03},fg=#${colors.base0D}]#[bg=#${colors.base0D},fg=#${colors.base02},bold]{index} #[bg=#${colors.base02},fg=#${colors.base05},bold] {name}{fullscreen_indicator}#[bg=#${colors.base03},fg=#${colors.base02},bold]";
tab_normal_sync = "#[bg=#${colors.base03},fg=#${colors.base0D}]#[bg=#${colors.base0D},fg=#${colors.base02},bold]{index} #[bg=#${colors.base02},fg=#${colors.base05},bold] {name}{sync_indicator}#[bg=#${colors.base03},fg=#${colors.base02},bold]";
tab_active = "#[bg=#${colors.base03},fg=#${colors.base09}]#[bg=#${colors.base09},fg=#${colors.base02},bold]{index} #[bg=#${colors.base02},fg=#${colors.base05},bold] {name}{floating_indicator}#[bg=#${colors.base03},fg=#${colors.base02},bold]";
tab_active_fullscreen = "#[bg=#${colors.base03},fg=#${colors.base09}]#[bg=#${colors.base09},fg=#${colors.base02},bold]{index} #[bg=#${colors.base02},fg=#${colors.base05},bold] {name}{fullscreen_indicator}#[bg=#${colors.base03},fg=#${colors.base02},bold]";
tab_active_sync = "#[bg=#${colors.base03},fg=#${colors.base09}]#[bg=#${colors.base09},fg=#${colors.base02},bold]{index} #[bg=#${colors.base02},fg=#${colors.base05},bold] {name}{sync_indicator}#[bg=#${colors.base03},fg=#${colors.base02},bold]";
tab_separator = "#[bg=#${colors.base00}] ";
tab_sync_indicator = " ";
tab_fullscreen_indicator = " 󰊓";
tab_floating_indicator = " 󰹙";
command_git_branch_command = "git rev-parse --abbrev-ref HEAD";
command_git_branch_format = "#[fg=blue] {stdout} ";
command_git_branch_interval = "10";
command_git_branch_rendermode = "static";
datetime = "#[fg=#6C7086,bold] {format} ";
datetime_format = "%A, %d %b %Y %H:%M";
datetime_timezone = "Taiwan/Taipei";
};
};
}
{ "children" = { }; }
];
}
];
};
};
};
};
}

1
system/dev/dn-pre7780/expr/netbird.nix
View file

@ -9,7 +9,6 @@ let
port = 51820;
in
{
services.netbird = {
server = {
enable = true;

1
system/dev/dn-pre7780/expr/vm-settings.nix
View file

@ -57,6 +57,7 @@ let
};
};
};
# Node
vm-2 = {
ip = "192.168.0.7";

1
system/dev/dn-pre7780/home/default.nix
View file

@ -8,6 +8,7 @@ in
home-manager.users."${username}" = {
imports = [
../../../../home/presets/basic.nix
./expr
./wm
# Bitwarden client

7
system/dev/dn-pre7780/home/expr/default.nix Normal file
View file

@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./helix.nix
../../../../../home/user/zellij.nix
];
}

82
system/dev/dn-pre7780/home/expr/helix.nix Normal file
View file

@ -0,0 +1,82 @@
{
osConfig,
lib,
pkgs,
...
}:
{
programs.helix = {
enable = true;
extraPackages = with pkgs; [
nixd
bash-language-server
docker-language-server
fish-lsp
typescript-language-server
superhtml
hyprls
jq-lsp
vscode-json-languageserver
texlab # Latex
lua-language-server
marksman # Markdown
clang-tools # Clangd
intelephense # Php
ruff # Python
rust-analyzer
vscode-css-languageserver
systemd-lsp
taplo
vue-language-server
yaml-language-server
zls
];
settings = {
editor.cursor-shape = {
normal = "block";
insert = "bar";
select = "underline";
};
keys.normal = {
space.space = "file_picker";
G = "goto_file_end";
D = "kill_to_line_end";
V = [ "extend_to_line_bounds" ];
"$" = "goto_line_end";
"^" = "goto_line_start";
x = "delete_selection";
esc = [
"collapse_selection"
"keep_primary_selection"
];
space.w = ":w";
space.q = ":q";
};
};
languages.language = [
{
name = "nix";
auto-format = true;
}
];
languages.language-server = {
nixd = {
command = "nixd";
args = [ "--semantic-tokens=true" ];
config.nixd =
let
myFlake = ''(builtins.getFlake "/etc/nixos")'';
nixosOpts = "${myFlake}.nixosConfigurations.${osConfig.networking.hostName}.options";
in
{
nixpkgs.expr = "import ${myFlake}.inputs.nixpkgs { }";
formatting.command = [ "${lib.getExe pkgs.nixfmt}" ];
options = {
nixos.expr = nixosOpts;
home-manager.expr = "${nixosOpts}.home-manager.users.type.getSubOptions []";
};
};
};
};
};
}

24
system/dev/dn-server/default.nix
View file

@ -15,6 +15,29 @@ in
inherit hostname username;
domain = "net.dn";
hyprland.enable = false;
security = {
allowedDomains = [
"github.com"
"cache.nixos.org"
"hyprland.cachix.org"
"maps.rspamd.com"
"cdn-hub.crowdsec.net"
"api.crowdsec.net"
];
allowedIPs = [
"10.0.0.0/24"
"127.0.0.1"
];
allowedIPv6 = [
"ff02::/16"
"fe80::/10"
"::1"
];
sourceIPs = [
"10.0.0.1"
"192.168.100.0/24"
];
};
};
imports = [
@ -25,6 +48,7 @@ in
./security
./services
./sops
./options
];
environment.systemPackages = with pkgs; [

68
system/dev/dn-server/network/services.nix
View file

@ -1,14 +1,17 @@
{
config,
lib,
helper,
...
}:
let
inherit (config.systemConf) username;
inherit (config.systemConf) username security;
inherit (lib) concatStringsSep;
inherit (helper.nftables) mkElementsStatement;
ethInterface = "enp0s31f6";
sshPorts = [ 30072 ];
sshPortsString = builtins.concatStringsSep ", " (builtins.map (p: builtins.toString p) sshPorts);
sshPortsString = concatStringsSep ", " (map (p: toString p) sshPorts);
personal = {
inherit (config.networking) domain;
@ -30,7 +33,7 @@ let
masterAPIServerPort = 6443;
};
allowedSSHIPs = builtins.concatStringsSep ", " [
allowedSSHIPs = concatStringsSep ", " [
"122.117.215.55"
"192.168.100.1/24"
personal.range
@ -189,8 +192,28 @@ in
nftables = {
enable = true;
ruleset = ''
table inet wg-filter {
tables = {
filter = {
family = "inet";
content = ''
set restrict_source_ips {
type ipv4_addr
flags interval
${mkElementsStatement security.sourceIPs}
}
set ${security.rules.setName} {
type ipv4_addr
flags interval
${mkElementsStatement security.allowedIPs}
}
set ${security.rules.setNameV6} {
type ipv6_addr
flags interval
${mkElementsStatement security.allowedIPv6}
}
chain input {
type filter hook input priority 0; policy drop;
@ -206,11 +229,31 @@ in
tcp dport { ${sshPortsString} } jump ssh-filter
iifname { ${ethInterface}, ${personal.interface}, ${kube.interface} } udp dport { ${builtins.toString personal.port}, ${builtins.toString kube.port} } accept
iifname { ${ethInterface}, ${personal.interface}, ${kube.interface} } udp dport { ${toString personal.port}, ${toString kube.port} } accept
iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet
iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter
counter reject
drop
}
chain output {
type filter hook output priority 0; policy drop;
iif lo accept
# Allow DNS qeury
udp dport 53 accept
tcp dport 53 accept
meta skuid ${toString config.users.users.systemd-timesync.uid} accept
ct state vmap { invalid : drop, established : accept, related : accept }
ip saddr != @restrict_source_ips accept
ip daddr @${security.rules.setName} accept
ip6 daddr @${security.rules.setNameV6} accept
counter log prefix "OUTPUT-DROP: " flags all drop
}
chain ssh-filter {
@ -244,9 +287,10 @@ in
type nat hook postrouting priority 100; policy accept;
oifname ${ethInterface} masquerade
}
}
'';
};
};
};
wireguard = {
enable = true;
@ -323,7 +367,11 @@ in
webserver-port=8081
local-port=5359
dnsupdate=yes
primary=yes
secondary=no
allow-dnsupdate-from=10.0.0.0/24
allow-axfr-ips=10.0.0.0/24
also-notify=10.0.0.148:53
'';
secretFile = config.sops.secrets.powerdns.path;
};
@ -333,6 +381,7 @@ in
forwardZones = {
"${config.networking.domain}." = "127.0.0.1:5359";
"pre7780.dn." = "127.0.0.1:5359";
"test.local." = "127.0.0.1:5359";
};
forwardZonesRecurse = {
"." = "8.8.8.8";
@ -342,9 +391,6 @@ in
"127.0.0.0/8"
"10.0.0.0/24"
"192.168.100.0/24"
"::1/128"
"fc00::/7"
"fe80::/10"
];
yaml-settings = {
webservice.webserver = true;

5
system/dev/dn-server/options/default.nix Normal file
View file

@ -0,0 +1,5 @@
{
imports = [
./network.nix
];
}

91
system/dev/dn-server/options/network.nix Normal file
View file

@ -0,0 +1,91 @@
{
lib,
pkgs,
config,
...
}:
let
inherit (lib) mkOption types concatStringsSep;
cfg = config.systemConf.security;
in
{
options.systemConf.security = {
allowedDomains = mkOption {
type = with types; listOf str;
description = "Domains that allowed to query dns.";
default = [ ];
};
rules = {
setName = mkOption {
type = with types; str;
default = "allowed_output_ips";
readOnly = true;
};
setNameV6 = mkOption {
type = with types; str;
default = "allowed_output_ipv6";
readOnly = true;
};
};
dnsIPs = mkOption {
type = with types; listOf str;
description = "External DNS server to use";
default = [ "8.8.8.8" ];
};
allowedIPs = mkOption {
type = with types; listOf str;
description = "IPv4 that allowed to request.";
default = [ ];
};
allowedIPv6 = mkOption {
type = with types; listOf str;
description = "IPv6 that allowed to request.";
default = [ ];
};
sourceIPs = mkOption {
type = with types; listOf str;
description = "Source IPs to restrict.";
default = [ ];
};
};
config = {
environment.systemPackages = with pkgs; [
ipset
];
systemd.timers.fetch-allowed-domains = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = 10;
OnUnitActiveSec = 60;
};
};
systemd.services.fetch-allowed-domains = {
path = with pkgs; [
nftables
dig.dnsutils
];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${pkgs.writeShellScript "fetch-allowed-domains" ''
DOMAINS=(${toString (map (x: ''"${x}"'') cfg.allowedDomains)})
SETNAME="inet filter ${cfg.rules.setName}"
nft flush set $SETNAME
nft add element $SETNAME { ${concatStringsSep "," cfg.allowedIPs} }
for domain in "''${DOMAINS[@]}"; do
ips=$(dig +short A $domain | grep -E '^[0-9.]+$')
for ip in $ips; do
nft add element $SETNAME { $ip }
echo "Added $ip for $domain"
done
done
''}";
Type = "oneshot";
};
};
};
}

2
system/dev/dn-server/services/mail-server.nix
View file

@ -36,7 +36,7 @@ in
adminAccountFile = config.sops.secrets."oauth/adminEnv".path;
};
ldap = {
filter = "(&(objectClass=inetOrgPerson)(objectClass=mailRoutingObject)(uid=%{user | username}))";
filter = "(&(objectClass=inetOrgPerson)(objectClass=inetMailRoutingObject)(uid=%{user | username}))";
extraAuthConf = ''
auth_username_format = %{user | lower}
fields {

6
system/modules/stylix.nix
View file

@ -1,10 +1,12 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.systemConf) username;
inherit (lib) mkForce;
caskaydia = {
name = "CaskaydiaCove Nerd Font Mono";
@ -71,6 +73,10 @@ in
enable = true;
transparentBackground = true;
};
helix = {
enable = true;
transparent = mkForce true;
};
};
};
}

2
system/modules/virtualization.nix
View file

@ -4,6 +4,8 @@
{
virtualisation = {
docker.enable = true;
docker.daemon.settings = {
};
spiceUSBRedirection.enable = true;
};
}