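# NixOS host "orangepihole": the LAN resolver (unbound plus a daily-refreshed
# blocklist), DHCPv4 server and IPv6 RA sender on end0. All Nix builds are
# offloaded to the remote builder "zeus" over SSH.
{ config, lib, pkgs, sops, ... }:
{
  imports = [
    ./hardware-configuration.nix # results of the hardware scan
    ../../modules/common.nix
    ../../modules/networkd-base.nix
  ];

  # SBC boot: extlinux-compatible loader instead of GRUB, short menu timeout.
  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.loader.timeout = 1;
  # /tmp is also listed under persistence below; cleanOnBoot still empties it
  # at every boot, so nothing left there by the adblock job survives a reboot.
  boot.tmp.cleanOnBoot = true;

  networking = {
    hostName = "orangepihole";

    # The firewall rules apply to every interface. unbound itself only binds
    # end0 (see services.unbound below); if more interfaces ever come up,
    # scope these with networking.firewall.interfaces.end0.* instead.
    firewall = {
      allowedUDPPorts = [ 53 67 68 ]; # DNS, DHCPv4 server/client
      allowedTCPPorts = [ 53 ];
    };
  };

  # Static LAN addressing on end0. DNS points at this host's own addresses.
  systemd.network.networks."40-end0" = {
    matchConfig.Name = "end0";
    address = [ "10.42.69.2/24" "fd72:3dd5:21ae:3c97::2/64" ];
    dns = [ "10.42.69.2" "fd72:3dd5:21ae:3c97::2" ];
    domains = [ "icanttype.org" ];
    gateway = [ "10.42.69.1" ];

    # DHCPv4 for the LAN: leases start at offset 150, clients are told to use
    # this host for DNS and 10.42.69.1 as their router.
    networkConfig.DHCPServer = true;
    dhcpServerConfig = {
      PoolOffset = 150;
      EmitDNS = true;
      DNS = "10.42.69.2";
      EmitRouter = true;
      Router = "10.42.69.1";
      # Option 15 = domain name, option 119 = domain search list.
      SendOption = [ "15:string:icanttype.org" "119:string:icanttype.org" ];
    };

    # IPv6: announce the ULA prefix only. RouterLifetimeSec = 0 means this
    # host does not offer itself as a default router, and EmitDNS = false
    # means no RDNSS — IPv6 clients learn their resolver via DHCPv4 only.
    networkConfig.IPv6SendRA = true;
    ipv6SendRAConfig.RouterLifetimeSec = 0;
    ipv6SendRAConfig.EmitDNS = false;
    ipv6Prefixes = [{ ipv6PrefixConfig.Prefix = "fd72:3dd5:21ae:3c97::/64"; }];
  };

  zramSwap.enable = true;
  swapDevices = [{
    device = "/persist/swapfile";
    size = 1024;
  }];

  services = {
    unbound = {
      enable = true;
      # Control socket used by unbound-control; the adblock job's reload
      # (postStop below) presumably goes through it.
      localControlSocketPath = "/var/lib/unbound/control.sock";
      settings = {
        server = {
          qname-minimisation = "yes";
          # Listen on the LAN interface only.
          interface = [ "end0" ];
          # Recursion only for RFC 1918 10/8 and ULA fc00::/7 (RFC 4193).
          # Note the ULA block must be written "fc00::/7": "fc::/7" parses as
          # 00fc::/7, which does not cover fd72:3dd5:21ae:3c97::/64 at all.
          access-control = [ "10.0.0.0/8 allow" "fc00::/7 allow" ];
        };
        # ads.conf is regenerated by systemd.services.adblock below.
        # unbound-local.conf is copied into the Nix store by the path
        # interpolation, and the store is world-readable — keep it free of
        # anything sensitive.
        include = [ "/etc/unbound/ads.conf" "${./unbound-local.conf}" ];
      };
    };
    # Journal lives in RAM only: no log history survives a reboot.
    journald.storage = "volatile";
  };

  systemd = {
    # Daily blocklist refresh. postStop runs whether or not the script
    # succeeded, so the script must never leave a half-written ads.conf
    # behind for that reload to pick up.
    services.adblock = {
      startAt = "daily";
      postStop = "systemctl try-reload-or-restart unbound";
      path = with pkgs; [ coreutils gawk wget ];
      # Build the new list in a private temp dir, and only write it into the
      # live include once the download succeeded and the result is non-empty.
      # /etc/unbound/ads.conf is a persisted file (see environment.persistence),
      # so it is written through in place rather than renamed over.
      script = ''
        set -euo pipefail
        work=$(mktemp -d)
        trap 'rm -rf "$work"' EXIT

        wget -nv -O "$work/upstream.conf" https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/tif.blacklist.conf
        echo 'local-zone: "iogames.space." always_nxdomain' >> "$work/upstream.conf"
        echo 'local-zone: "taming.io." always_nxdomain' >> "$work/upstream.conf"

        # drop duplicate lines, then refuse to install an empty list
        awk '!seen[$0]++' "$work/upstream.conf" > "$work/ads.conf"
        [ -s "$work/ads.conf" ]

        cat "$work/ads.conf" > /etc/unbound/ads.conf
      '';
    };
  };

  environment = {
    systemPackages = with pkgs; [
      vim # an editor for configuration.nix; nano is installed by default as well
      wget
    ];

    # Impermanence-style root: only the listed paths survive a reboot.
    # The SSH host keys are kept so the host identity stays stable; ads.conf
    # is kept so unbound has a blocklist before the first daily refresh.
    persistence."/persist" = {
      hideMounts = true;
      directories = [ "/var/lib/nixos" "/var/lib/systemd" "/tmp" ];
      files = [
        "/etc/machine-id"
        "/etc/adjtime"
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/etc/unbound/ads.conf"
      ];
    };
  };

  system.stateVersion = "23.11"; # do not bump without reading the option's documentation

  # Remote building on "zeus". The SSH key comes from sops at activation
  # time, so it never lands in the world-readable Nix store.
  sops.secrets."nixremote/sshkey" = { };
  nix.buildMachines = [{
    hostName = "zeus";
    systems = [ "x86_64-linux" "aarch64-linux" ];
    protocol = "ssh-ng";
    sshKey = config.sops.secrets."nixremote/sshkey".path;
    sshUser = "nixremote";
    supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
  }];
  # accept-new is trust-on-first-use for the builder's host key; pinning it
  # via programs.ssh.knownHosts would remove that first-contact window.
  programs.ssh.extraConfig = ''
    Host zeus
      User nixremote
      StrictHostKeyChecking accept-new
      IdentitiesOnly yes
      IdentityFile ${config.sops.secrets."nixremote/sshkey".path}
  '';
  nix.distributedBuilds = true;
  # max-jobs = 0: never build locally, everything goes to the builder.
  nix.settings.max-jobs = 0;
}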