restructure hosts

2025-10-17 16:03:44 -05:00
parent d4f55ea042
commit 25122a4c9c
7 changed files with 54 additions and 12 deletions
--- a/hosts/nixos/default.nix
+++ b/hosts/nixos/default.nix
@@ -0,0 +1,69 @@
+{
+  pkgs,
+  config,
+  lib,
+  inputs,
+  ...
+}: {
+
+  imports = [
+    inputs.autoaspm.nixosModules.default
+  ];
+
+  # base system package install list
+  environment.systemPackages = with pkgs; [
+    wget
+    curl
+    rsync
+    git
+    age
+    fzf
+    neofetch
+    usbutils
+    pciutils
+    python3
+    vim
+    lf
+    btop
+    powertop
+  ];
+
+  # set timezone
+  time.timeZone = "America/Chicago";
+
+  # allow proprietary packages
+  nixpkgs.config.allowUnfree = true;
+
+  # power management
+  services.autoaspm.enable = true;
+  powerManagement.powertop.enable = true;
+
+  # enable flakes
+  nix.settings.experimental-features = ["nix-command" "flakes"];
+  users.defaultUserShell = pkgs.zsh;
+
+  # passwordless rebuild
+  security.sudo.extraRules = [
+    {
+      users = ["blake"];
+      commands = [
+        {
+          command = "/run/current-system/sw/bin/nixos-rebuild";
+          options = ["NOPASSWD"];
+        }
+        {
+          command = "/run/current-system/sw/bin/systemctl";
+          options = ["NOPASSWD"];
+        }
+        {
+          command = "/run/current-system/sw/bin/journalctl";
+          options = ["NOPASSWD"];
+        }
+        {
+          command = "/run/current-system/sw/bin/tailscale";
+          options = ["NOPASSWD"];
+        }
+      ];
+    }
+  ];
+}
--- a/hosts/nixos/snowbelle/configuration.nix
+++ b/hosts/nixos/snowbelle/configuration.nix
@@ -0,0 +1,145 @@
+{ config, lib, stable_pkgs, unstable_pkgs, ... }:
+
+let
+  pkgs = stable_pkgs.x86_64;
+  unstable = unstable_pkgs.x86_64;
+in
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../../hosts
+      ../../../users/blake
+      ../../../modules/system
+      ../../../modules/holocron
+      ../../../modules/homelab
+      ../../../modules/homelab/minecraft_recpro
+    ];
+
+  system = {
+    ssh.enable = true;
+    backups.enable = true;
+    backups.repo = "/holocron/archives/servers/snowbelle";
+    sops.enable = true;
+    podman.enable = true;
+    yubikey.enable = true;
+    syncthing.enable = true;
+    tailscale.enable = true;
+    nvidia.enable = true;
+  };
+  holocron = {
+    copyparty.enable = true;
+    ensure_perms.enable = true;
+    zfs.enable = true;
+    smb.enable = true;
+    nfs.enable = true;
+  };
+  homelab = {
+    enable = true;
+    motd.enable = true;
+    gitea.enable = true;
+    glance.enable = true;
+    immich.enable = true;
+    hass.enable = true;
+    jellyfin.enable = true;
+    audiobookshelf.enable = true;
+    yacreader.enable = true;
+    qbittorrent.enable = true;
+    sonarr.enable = true;
+    radarr.enable = true;
+    bazarr.enable = true;
+    prowlarr.enable = true;
+    flaresolverr.enable = true;
+    zigbee2mqtt.enable = true;
+    mosquitto.enable = true;
+    caddy.enable = true;
+    uptime-kuma.enable = true;
+    vaultwarden.enable = true;
+  };
+  gameservers = {
+    minecraft_recpro.enable = true;
+  };
+
+  # boot (systemd is going on me)
+  boot.loader.systemd-boot.enable = true;   # systemd your pretty cool ya know
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.initrd.systemd.enable = true;  # better logging
+
+  # setup hostname and networking stack
+  services.resolved = {
+    enable = true;
+    fallbackDns = [ "1.1.1.1" "9.9.9.9" ];
+    dnsovertls = "opportunistic";
+  };
+  networking = {
+    hostName = "snowbelle"; # hostname
+    hostId = "3e6e7055";    # zfs wants this
+    networkmanager = {
+      enable = true;  # the goat
+      dns = "systemd-resolved"; # the backup dancer!
+      ensureProfiles.profiles = {
+        vpn = {
+          ethernet.mac-address = "7a:e4:07:8d:22:76";
+          connection.type = "vlan";
+          connection.id = "vpn";
+          connection.interface-name = "enp89s0.69";   # or just "vpn-vlan"
+          vlan.interface-name = "enp89s0.69";   # or just "vpn-vlan"
+          vlan.parent = "enp89s0";
+          vlan.id = 69;
+          #ipv4.dns = "9.9.9.9";
+        };
+      };
+    };
+  };
+
+  
+
+  hardware.bluetooth.enable = true;
+
+
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [
+    80      # set - http
+    111     # set - portmapper for nfs
+    139     # set - smb
+    443     # set - https
+    445     # set - cifs
+    1198
+    1883    # set - mqtt
+    2049    # set - nfs
+    2222    # srv - syncthing
+    7100    # srv - jellyfin
+    7101    # srv - audiobookshelf
+    7102    # srv - yacreader
+    7103    # srv - qbittorrent
+    7104    # srv - prowlarr
+    7105    # srv - bazarr
+    7106    # srv - sonarr
+    7107    # srv - radarr
+    7120    # srv - flaresolverr
+    5701    # srv - archivebox
+    7502    # srv - kiwix
+    7567    # srv - gitea ssh
+    7700    # srv - glance
+    7701    # srv - vaultwarden
+    7702    # srv - immich
+    7703    # srv - gitea
+    7704    # srv - hass
+    7705    # srv - zigbee2mqtt
+    7901    # srv - uptime kuma
+    7902    # srv - copyparty
+    25777   # srv - minecraft
+    25565   #        ^  ^  ^
+    25566   #        |  |  |
+    25567   #        |  |  |
+  ];
+
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = true;
+
+  system.stateVersion = "25.05"; # Did you read the comment?
+
+}
+
--- a/hosts/nixos/snowbelle/hardware-configuration.nix
+++ b/hosts/nixos/snowbelle/hardware-configuration.nix
@@ -0,0 +1,52 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "uas" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/8bc3b53e-804f-44d5-8da3-9913dda0e5c2";
+      fsType = "btrfs";
+      options = [ "subvol=@root" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/8bc3b53e-804f-44d5-8da3-9913dda0e5c2";
+      fsType = "btrfs";
+      options = [ "subvol=@nix" ];
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/8bc3b53e-804f-44d5-8da3-9913dda0e5c2";
+      fsType = "btrfs";
+      options = [ "subvol=@home" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/4CD7-D44A";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp89s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/nixos/vaniville/configuration.nix
+++ b/hosts/nixos/vaniville/configuration.nix
@@ -0,0 +1,154 @@
+{ config, lib, stable_pkgs, unstable_pkgs, ... }:
+
+let
+  pkgs = stable_pkgs.x86_64;
+  unstable = unstable_pkgs.x86_64;
+in
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../users/users.nix
+      ../../modules/system
+    ];
+
+  modules = {
+    system = {
+      tailscale.enable = true;
+    };
+  };
+
+
+  # use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # setup hostname and networking stack
+  networking.hostName = "vaniville"; # Define your hostname.
+  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
+
+  # set timezone
+  time.timeZone = "America/Chicago";
+
+  # define shell
+  programs.zsh.enable = true;
+  users.defaultUserShell = pkgs.zsh;
+
+  # package install list
+  environment.systemPackages = with pkgs; [
+    vim 
+    rsync
+    wget
+    git
+    iptables
+    nettools
+    neofetch
+    btop
+  ];
+
+  # allow proprietary packages
+  nixpkgs.config.allowUnfree = true;
+
+  # enable flakes
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # Open ports in the firewall.
+  networking.firewall.enable = true;
+  networking.firewall.extraCommands = ''
+    HOMELAB_IP="10.10.0.10"         # destination address
+    PUBLIC_IF="eth0"                # vps public interface
+    TAILSCALE_IF="tailscale0"       # tailscale interface
+    
+    # flush rules (avoid dupes)
+    iptables -F
+    iptables -t nat -F
+    iptables -t mangle -F
+    iptables -X
+    
+    # set defualt policies
+    iptables -P INPUT DROP
+    iptables -P FORWARD DROP
+    iptables -P OUTPUT ACCEPT
+    
+    # allow loopback
+    iptables -A INPUT -i lo -j ACCEPT
+    iptables -A OUTPUT -o lo -j ACCEPT
+    
+    # allow replys
+    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+    
+    # allow vps outbound
+    iptables -A OUTPUT -o eth0 -j ACCEPT
+    
+    # general settings
+    sysctl -w net.ipv4.ip_forward=1                                 # enable ip forwarding
+    iptables -t nat -A POSTROUTING -o $TAILSCALE_IF -j MASQUERADE   # postrouting masquerade (outgoing packets appear to come from vps tailscale ip)
+    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT    # allows pings
+    iptables -A INPUT -p tcp --dport 22 -j ACCEPT                   # allows ssh
+    
+    
+    # --- minecraft ---
+    # port: 25777 tcp & udp
+    # prerouting:
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 25777 -j DNAT --to-destination $HOMELAB_IP:25777     # tcp packets on port 25777
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p udp --dport 25777 -j DNAT --to-destination $HOMELAB_IP:25777     # udp packets on port 25777
+    # forwards:
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 25777 -j ACCEPT       # vps -> homelab: tcp on port 25777
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p udp --dport 25777 -j ACCEPT       # vps -> homelab: udp on port 25777
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 25777 -j ACCEPT       # homelab -> vps: tcp on port 25777
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p udp --sport 25777 -j ACCEPT       # homelab -> vps: udp on port 25777
+    
+    # --- reverse proxy ---
+    # ports: 80 & 443 tcp
+    # prerouting:
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 80  -j DNAT --to-destination $HOMELAB_IP:80          # tcp packets on port 80
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 443 -j DNAT --to-destination $HOMELAB_IP:443         # tcp packets on port 443
+    # forwards:
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 80 -j ACCEPT          # vps -> homelab: tcp on port 80
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 80 -j ACCEPT          # homelab -> vps: tcp on port 80
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 443 -j ACCEPT         # vps -> homelab: tcp on port 443
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 443 -j ACCEPT         # homelab -> vps: tcp on port 443
+    
+    # --- gitea ssh ---
+    # port: 7567 tcp
+    # prerouting:
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 7567 -j DNAT --to-destination $HOMELAB_IP:7567       # tcp packets on port 7567
+    # forwards:
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 7567 -j ACCEPT        # vps -> homelab: tcp on port 7567
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 7567 -j ACCEPT        # homelab -> vps: tcp on port 7567
+    
+    # --- rustdesk ---
+    # ports 2114-2119
+    # hbbs ports
+    # 21115 tcp (nat type test)
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 21115 -j DNAT --to-destination $HOMELAB_IP:21115     # tcp packets on port 21115
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 21115 -j ACCEPT                               # vps -> homelab: tcp on port 21115
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 21115 -j ACCEPT                               # homelab -> vps: tcp on port 21115
+    # 21116 tcp&udp (id registration, heartbeat, TCP hole punching)
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 21116 -j DNAT --to-destination $HOMELAB_IP:21116     # tcp packets on port 21116
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 21116 -j ACCEPT                               # vps -> homelab: tcp on port 21116
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 21116 -j ACCEPT                               # homelab -> vps: tcp on port 21116
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p udp --dport 21116 -j DNAT --to-destination $HOMELAB_IP:21116     # udp packets on port 21116
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p udp --dport 21116 -j ACCEPT                               # vps -> homelab: tcp on port 21116
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p udp --sport 21116 -j ACCEPT                               # homelab -> vps: tcp on port 21116
+    # 21118 tcp (web client support)
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 21118 -j DNAT --to-destination $HOMELAB_IP:21118     # tcp packets on port 21118
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 21118 -j ACCEPT                               # vps -> homelab: tcp on port 21118
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 21118 -j ACCEPT                               # homelab -> vps: tcp on port 21118
+    # hbbr ports
+    # 21117 tcp (relay services)
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 21117 -j DNAT --to-destination $HOMELAB_IP:21117     # tcp packets on port 21117
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 21117 -j ACCEPT                               # vps -> homelab: tcp on port 21117
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 21117 -j ACCEPT                               # homelab -> vps: tcp on port 21117
+    # 21119 tcp (web client support)
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 21119 -j DNAT --to-destination $HOMELAB_IP:21119     # tcp packets on port 21119
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 21119 -j ACCEPT                               # vps -> homelab: tcp on port 21119
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 21119 -j ACCEPT
+  '';
+
+
+  system.stateVersion = "25.05"; # Did you read the comment?
+
+}
+