repo: ./nixos -> ./os

author: sinanmohd <sinan@sinanmohd.com> 2024-06-01 19:25:59 +0530
committer: sinanmohd <sinan@sinanmohd.com> 2024-06-01 19:26:13 +0530
commit: 8febb2fad131dc1ff42a2c667b26b013d64c17b8 (patch)
tree: cf33b3a20def6ab7836a037b5195cc617647fa9c /os/lia
parent: 5c48d5ad41221dbfa186701ba40404bd2571c242 (diff)
8 files changed, 253 insertions, 0 deletions
diff --git a/os/lia/configuration.nix b/os/lia/configuration.nix
new file mode 100644
index 0000000..ab4c46b
--- /dev/null
+++ b/os/lia/configuration.nix
@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+  imports = [
+    ../common/configuration.nix
+    ./hardware-configuration.nix
+
+    ./modules/network
+    ./modules/users.nix
+    ./modules/lxc.nix
+    ./modules/sshfwd.nix
+  ];
+}
+
diff --git a/os/lia/hardware-configuration.nix b/os/lia/hardware-configuration.nix
new file mode 100644
index 0000000..8417070
--- /dev/null
+++ b/os/lia/hardware-configuration.nix
@@ -0,0 +1,29 @@
+{ modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    loader.systemd-boot.enable = true;
+    kernelModules = [ "kvm-amd" ];
+
+    initrd.availableKernelModules = [
+      "xhci_pci"
+      "ahci"
+      "usb_storage"
+      "usbhid"
+      "sd_mod"
+    ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/9ad3550b-8c9a-4541-8fac-7af185599446";
+      fsType = "ext4";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/6111-05EC";
+      fsType = "vfat";
+    };
+  };
+}
diff --git a/os/lia/modules/lxc.nix b/os/lia/modules/lxc.nix
new file mode 100644
index 0000000..259c316
--- /dev/null
+++ b/os/lia/modules/lxc.nix
@@ -0,0 +1,41 @@
+{ pkgs, ... }: let
+  container = {
+    name = "ubu";
+    distro = "ubuntu";
+    release = "jammy";
+  };
+
+  bridge = "lan";
+in {
+  virtualisation.lxc.enable = true;
+
+  environment.systemPackages = with pkgs; [ wget ];
+  systemd.services."lxc-${container.name}-provision" = {
+    description = "auto provision ${container.name} lxc container";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    stopIfChanged = false;
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+
+    path = with pkgs; [ wget lxc util-linux gnutar xz gawk ];
+    script = ''
+      if ! lxc-ls | grep -q ${container.name}; then
+          lxc-create -n ${container.name} -t download  -- \
+              --arch amd64 \
+              --release ${container.release} \
+              --dist ${container.distro}
+
+          sed 's/lxcbr0/${bridge}/g' -i /var/lib/lxc/${container.name}/config
+      fi
+
+      lxc-start -n ${container.name}
+    '';
+
+    preStop = "lxc-stop  --name ${container.name}";
+  };
+}
diff --git a/os/lia/modules/network/default.nix b/os/lia/modules/network/default.nix
new file mode 100644
index 0000000..c8d9059
--- /dev/null
+++ b/os/lia/modules/network/default.nix
@@ -0,0 +1,19 @@
+{ ... }: let
+  wan = "enp9s0";
+in
+{
+  imports = [
+    ./router.nix
+  ];
+
+  networking = {
+    interfaces.${wan}.ipv4.addresses = [{
+      address = "172.16.148.20";
+      prefixLength = 22;
+    }];
+    defaultGateway = {
+      address = "172.16.148.1";
+      interface = wan;
+    };
+  };
+}
diff --git a/os/lia/modules/network/router.nix b/os/lia/modules/network/router.nix
new file mode 100644
index 0000000..b8cac8c
--- /dev/null
+++ b/os/lia/modules/network/router.nix
@@ -0,0 +1,47 @@
+{ ... }: let
+  wanInterface = "enp9s0";
+  lanInterfaces = [ "enp1s0f0" "enp1s0f1" ];
+
+  prefix = 24;
+  subnet = "192.168.1.0";
+  host = "192.168.1.1";
+
+  leaseRangeStart = "192.168.1.100";
+  leaseRangeEnd = "192.168.1.254";
+  nameServer = [ "10.0.0.2" "10.0.0.3" ];
+in
+{
+  networking = {
+    bridges."lan".interfaces = lanInterfaces;
+
+    nat = {
+      enable = true;
+      externalInterface = wanInterface;
+      internalInterfaces = [ "lan" ];
+    };
+
+    interfaces.lan = {
+      ipv4.addresses = [{ 
+        address = host;
+        prefixLength  = prefix;
+      }];
+    };
+
+    firewall = {
+      allowedUDPPorts = [ 53 67 ];
+      allowedTCPPorts = [ 53 ];
+      extraCommands = 
+        "iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE";
+    };
+  };
+
+  services.dnsmasq = {
+    enable = true;
+
+    settings = {
+      server = nameServer;
+      dhcp-range = [ "${leaseRangeStart},${leaseRangeEnd}" ];
+      interface = [ "lan" ];
+    };
+  };
+}
diff --git a/os/lia/modules/sshfwd.nix b/os/lia/modules/sshfwd.nix
new file mode 100644
index 0000000..3c7c006
--- /dev/null
+++ b/os/lia/modules/sshfwd.nix
@@ -0,0 +1,53 @@
+{ pkgs, config, ... }: let
+  mkFwdSrv = {
+    local_port,
+    remote_port,
+    remote_user,
+    remote ? "sinanmohd.com",
+    ssh_port ? 22,
+    key ? config.sops.secrets."sshfwd/${remote}".path,
+  }: {
+    "sshfwd-${toString local_port}-${remote}:${toString remote_port}" = {
+      description = "Forwarding port ${toString local_port} to ${remote}";
+
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      # restart rather than stop+start this unit to prevent
+      # the ssh from dying during switch-to-configuration.
+      stopIfChanged = false;
+
+      serviceConfig = {
+        ExecStart = ''
+          ${pkgs.openssh}/bin/ssh -N ${remote_user}@${remote} -p ${toString ssh_port} \
+              -R '[::]:${toString remote_port}:127.0.0.1:${toString local_port}' \
+              -o ServerAliveInterval=15 \
+              -o ExitOnForwardFailure=yes \
+              -i ${key}
+        '';
+
+        RestartSec = 3;
+        Restart = "always";
+      };
+
+    };
+  };
+in {
+  sops.secrets."sshfwd/sinanmohd.com" = {};
+  sops.secrets."sshfwd/lia.sinanmohd.com" = {};
+
+  environment.systemPackages = with pkgs; [ openssh ];
+  systemd.services
+    = (mkFwdSrv {
+        local_port = 22;
+        remote_user = "lia";
+        remote_port = 2222;
+      }) //
+      (mkFwdSrv {
+        local_port = 22;
+        remote_port = 22;
+        ssh_port = 23;
+        remote_user = "root";
+        remote = "lia.sinanmohd.com";
+      });
+}
diff --git a/os/lia/modules/users.nix b/os/lia/modules/users.nix
new file mode 100644
index 0000000..26f5dc8
--- /dev/null
+++ b/os/lia/modules/users.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }: {
+  users.users = {
+    "rohit" = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+
+      packages = with pkgs; [ git htop ];
+      openssh.authorizedKeys.keys =
+        [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZcWF1zVyxsCdZ/j+h+RlHZlyhgY2Bky03847bxFNSH rohit@victus" ];
+    };
+
+    "sharu" = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys =
+        [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAAaAUTiM3YY7E/7lq44aX+2U0IYhp2Qntu7hINcTjF sharu@lappie" ];
+    };
+  };
+}
diff --git a/os/lia/secrets.yaml b/os/lia/secrets.yaml
new file mode 100644
index 0000000..b2b5218
--- /dev/null
+++ b/os/lia/secrets.yaml
@@ -0,0 +1,32 @@
+sshfwd:
+    sinanmohd.com: ENC[AES256_GCM,data:ZB2qbUA4+AcYlIY6IaPf9aUdMV0ltdKveqVSNS2Nhq8h6kWheqWiaXgIK6vuN7oDHKomgVXWaVdxTf6OFvFQHCHMMqtm0KfvSJW+cdORpfZkEZuji5Ob/yQiNllyS8oAw9iT5YdyifLi7XkfD+dHbt+XWLQCMFPirJ8Lz6ynTYxV+N7Pu7yOhfCzPDYfqexW7Ymrjk0PI32OVgo+sE0obnASGW645dP4ydKOZM5xx9NGr/Oao2W5C61qdr2gUCoYQKZXkfItGRfCuWuCeh0ZmbxumS6Q1WeWUW09SY5NN24025TBoZgE+UdJIXuczAQy5wzpXYsDWwBXNod4gAhe76YgLydlYBpBHe6xN6OBgCewHkjCGkirHawmbYxkmJ40L6/lMFPjRmMV7yhj94Vsyx7NAW1H8yKVE/9typXUrIyxbxAOGrwy0TjlGYogAcZ7YYZ+ipmkqNlQ1pliA2Kha+2ZzPG0hV8NKhydNr0cz5ylfL4cQaAXxxg6YHOUYL0DGbfMXMpZKTt47TJcY72RWDaUr2RsmhJ+k2vNBDY3I01n9syWnlk80h2bs1ILJ5Ad3PP8Em8yGaXJLM+3,iv:VoDyy+h3UHL0YJPJ7rbgLTZZzIPCJTD8yBPXNxWjHqo=,tag:zGQXrE066SDMCwgZpC9/Pg==,type:str]
+    lia.sinanmohd.com: ENC[AES256_GCM,data:d2lDCckpWwMtGu8Ra249NnUVt4OtP7JqtVZG8YD9oLtLmAbTi4kLZnYU+0EN7Fs/Z6dxNaSkYLnvJQO08Hr1AlVT12z2TXoWKHokzgMXYKPIBhioHLXg31BAwC9T/qPraxxzY+Jo6zSuv2RK1Xi6+74w6llE9t/eY1U2nJb9VnmtsB+ae9O5BgkxSkdGL/rhnXZNk9p8OhOcmtOnm6kPHVXG0DzszpvWmalsJE3nPmyxe5zB+7+UFj8rFgcktKRoY0bhN5SOMZfFSly7nRkr3WL2mbaVZgZD2g+kvzanYU64NKF0+rbVdKf9lCgVRMSS5z22QSuKOLuZjLlCRml9y254iIVxfV+BC2Y35QMk+Aa14jlHcRowFN5KxZ3dAeuH8TfVuSg/8gfSXwTMAHTBbEDeVvomD09vmuZoVCckrAZzSEiA8alcxKyaHGw4ZiAb1e+DWRSxDDeS9iibHsKrZgZ/RstRdT2qyqF0prbY+wFbajblGrUZhbIhfkPNe67iiTD7HI0Trg3PcC8Z1m+k/gWlhERpi+74TRzHrN1/dAokLBI/j+9I3YRTWR1qNScEr5RJNZP4UQh2TlH4G//3+0J3PM8Nv0DF7cfuOFpOLrob6SAaSRv3Ctn5ZmQM4Ib8uMluFB3MFkwqD/j67EINR+OD3VShdy6ydrIuaWREejhCR3SHnoZp1OhXTNdVzXwKYwFIkjHNGs3uj4jhW37xA+8zvuuqVZUGaXbbETsgIwPrwpFaPsxORkDREVhLxTtXsuHtzASzV7GfQvtArlM1bk5Ne3S75IeSc3ZnJUuAk5fPWjuHHuMDv7FxddNHctgE/V1gmzA/w3FtfYeaG8K2ZUeh1cCxGmou6aRv7aacAB9AdKeLtzr899VYC4bnPCpWBEMgN3Nqhdo/YR3bW+3pLbV3S1M4O2FxrZHjlgS4sffHMe+kNuzVV1GEpc8xybPIS5AAeWuOankmflf+CWg6fVSinHvlwILjRrK7cMCroypPv2p4dtn4IMaJ6MGQsNzDMF7CN6H3XOmOONsnJ8h/dUL6EwJCW87gp5lC8BXcuE93LgUHAVx9SttygpaAmTIWN48BsJosWbvK5Zw7nCaCce7WtxeUuAKtHdhLsLH7WhfQL5aj3aF8xgDDM3b2qOp6gkNI0q/8L0yEGRRg70c3jAu6ojZVD4iq9hS8ct06jVzLdi4U4jTk53NAGEiMbGiSaHTlmPvjwcV1+RYUut7G/a9YVvAgbtw2TKK00EaCUNHefuzd4oWc0jiMUK8OSH9l9gT5usWXOPeexyNNLWHniMympqVoudQXSj1PEvEixXYZYZ6Vp4LuHsdTtLCsTu17J0/7Ob/PdSGXU+BtJGS+EnLbxMgMHHiWk4hd2z5h64DgC9vrSVHqFvd68gGL91bsKw6rnmtEOcuTdY4DLzP2HSGtN6Erxb52XZrVS+fm4zJO0ZR45bN29NBB1rvhUe//ln+ny6tbgJ/mQ1wJIpXtLMOeBsKZqN2x5eaCw2bFqJE+yOwFFcbwTvuyDSsCeJh40LL0Dypfc5FvYmta8rChNw+MpwC2++T/t2xgGcHpvh0o5WcdbtlUm+7H8PAqsK18DhF9GSLxEpCTS14FT5M3GFNKOYGub+Vt+jCWSPrvnZXCITNdBXR6PD47iyqY1Ot00+f213ZEfVNZayfoxr4I3JzwNLJOvdHdxIza2qAyKW+tm+2N9tp0TtGoHUE2vUc9Cm0rxw84rllywqrehwi9039bS5mn72pRtN06ZnFKQrVrx355PsAyYlQ3VkZ2wpuxVOB2i8ko0ujebgO411XjgOQBeV8lNy02AcduavRNQ5z41rBnbhuj+sI5u8xli4kPrpfqeuLACaT+eWeYSZtCy7qY75BYaguhcqKAvRUfUTMxDUyGBkUySKydcNL3ErVU47jLB8uMm8RFjzkRAEKjraR+1PH8GQ+qhTA3e6ZtzNTZ0i9c2hFT+6vrLZ7gNrpC53s3wrkK43yU5MC8JaSe3mRx9v00EqUaUYOnrJZWs5H6LXj6T2OIhQgaTs6ikvGpY4rRE7lkn2jqQAXf/9aCDuMj9fiWanCXgJ7LFSwuAESLe7CmwdNqOl2cyEns8DuChrAq7zdykBv9VbLYfijlzrD6ezcmHGImNTTG+uX2PifuvK4JphOFbmK0YWGPK6//7gJfNtUMReKuINvPZg1X8U8ayQ8btYjmzIpxJeJ2/NvZ+WoKYewttAZhSHbo75I8K1cBEjUvrevwXmPeYvG+iWYyZkYENx7gGCNGyHpdSEEYBL4QdsgkbQWJDRQ=,iv:t825d9WWByfMZXwrtKs2JBFVoEAoAXfYOBmlhWN45hU=,tag:ZVPiwtKwhdYzh4IQyzeb9Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZzlrOEpXQmdLVyt1MFRS
+            Q2JUU0N1MVNzLzVLcWhMb25uL3VsLzJrdFRNCnI1OWZFTnpqc056M0RYd3gvS1Nr
+            N2VEU1kyU3JuYjhhaUtuajg2cjQ4LzQKLS0tIE5qZmlqVGN1WXhZWkw3dGwyNTdF
+            QTd0V2V3QVVHbnhRUUt6MkRzYm5zeEEKFkqGe6Eg1BEPLqMkxUg56hc+sn0p4KZV
+            kThyib3g0KsrHpQM05v4CK0h6qlf8HXwvwJVx9tis8Nck1IW3zS8Pw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1l9kd320xj89vdr06u7ej8fhjrxl470t04trgwd3jwzczknf05aesv2pp8x
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6QzhPYXcxQ0lRS2VwaXQ4
+            V3JUVDJyenowSzhFenBKYlBEbGNXTFIxUjFNCjhmWm5aQ1lTcTJidzFiT2J4R2Ux
+            b2ZjTWQ5WWtOY1BpZHVJYzN4clNlU0kKLS0tIHpBWU5zQWNVTWZ0TTdSNFZodkVq
+            RG9hL2hlYjdaYTVJWVFlSE4xN1poUHcKe4BPaVEyc3W1hyu0jOQcEdZ1kl2aQLgZ
+            fHDs4kDeCcfJI/s5Cb/YD3cIp7HB6FBoe7LHiNiJbyJGR0wJecLqxg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-02-11T16:35:02Z"
+    mac: ENC[AES256_GCM,data:nsLGZ5wvmj25COI4G3BsS8dzwpa59zs85Ztm4eZaXITAdMjEgfmHR8eHItzchSijH+PRaJH+pZZNN3kpkDeujGYTiOzfc1t2dGA3Vx6XACCNaZs35vmvbB45VV07a5mjw/Wy3k0ZDOcRCHXQOQccaPshUMzU7FkXudm7PkvoyTM=,iv:Rgfaab+egy2/AwlM6ZMVA+7E5cqb/r9mI4ptMit/SKo=,tag:LVSYkTzTxBRAIFxDkB1asA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
author	sinanmohd <sinan@sinanmohd.com>	2024-06-01 19:25:59 +0530
committer	sinanmohd <sinan@sinanmohd.com>	2024-06-01 19:26:13 +0530
commit	8febb2fad131dc1ff42a2c667b26b013d64c17b8 (patch)
tree	cf33b3a20def6ab7836a037b5195cc617647fa9c /os/lia
parent	5c48d5ad41221dbfa186701ba40404bd2571c242 (diff)