nixos-conf/machine-confs/helium.nix

{ pkgs, config, ... }:
{
  networking = {
    hostName = "helium";

    wg-quick.interfaces = {
      wg0 = {
        autostart = true;
        address = [ "${config.custom.gua_pref}ff::2/64" ];
        dns = [
          "${config.custom.gua_pref}ff::1"
          "vsinerva.fi"
        ];
        privateKeyFile = "/root/wireguard-keys/privatekey-home";
        listenPort = 51820;

        peers = [
          {
            publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
            presharedKeyFile = "/root/wireguard-keys/psk-home";
            allowedIPs = [ "::/0" ];
            endpoint = "wg.vsinerva.fi:51820";
          }
        ];
      };
      wg1 = {
        autostart = false;
        address = [ "10.100.0.7/24" ];
        dns = [ "1.1.1.1" ];
        privateKeyFile = "/root/wireguard-keys/privatekey-netflix";
        listenPort = 51820;

        peers = [
          {
            publicKey = "XSYHg0utIR1j7kRsWFwuWNo4RPD47KP53cVa6qDPtRE=";
            allowedIPs = [
              "0.0.0.0/0"
              "192.168.0.0/24"
            ];
            endpoint = "netflix.vsinerva.fi:51821";
          }
        ];
      };
    };
  };
  # Dirty hack to fix autostart failing due to DNS lookups
  systemd.services."wg-quick-wg0".serviceConfig = {
    Restart = "on-failure";
    RestartSec = "1s";
  };
  services.clatd = {
    enable = true;
    settings.clat-v6-addr = "${config.custom.gua_pref}ff::c2";
  };
  systemd.services.clatd.wants = [ "wg-quick-wg0.service" ];

  services.openssh.enable = pkgs.lib.mkForce false;
  services.fail2ban.enable = pkgs.lib.mkForce false;

  imports = [
    ../base.nix
    ../users/vili.nix
    ../desktop.nix
    ../development.nix
    ../services/syncthing.nix
    ../services/redshift.nix
    ../services/moonlight.nix
    ../hardware-specific/onlykey.nix
    ../hardware-specific/keychron-q11.nix
    ../hardware-specific/trackball.nix
    ../hardware-specific/amd-laptop.nix
    ../hardware-specific/usb-automount.nix
  ];

  services.xserver.displayManager.setupCommands = ''
    ${pkgs.xorg.xrandr}/bin/xrandr --output DisplayPort-0 --auto --pos 0x0 --primary --output eDP --auto --pos 3840x360
  '';

  system.autoUpgrade.allowReboot = pkgs.lib.mkForce false;

  swapDevices = pkgs.lib.mkForce [
    {
      device = "/var/lib/swapfile";
      size = 16 * 1024;
    }
  ];

  boot = {
    loader.timeout = 3;
    initrd.luks = {
      fido2Support = true;
      devices."luks-f6e1979b-0dee-4ee9-8170-10490019854b".fido2 = {
        passwordLess = true;
        credential = "df9233221fa09173fea61d8b8516d184f8ede475024a88201b34d838ecf306ee070052dae2262619c1da2be7562ec9dd94888c71a9326fea70dfe16214b5ea8ec014d86afa01";
      };
    };
    resumeDevice = "/dev/mapper/luks-f6e1979b-0dee-4ee9-8170-10490019854b";
    kernelParams = [ "resume_offset=44537856" ];
  };
}
Centralize IPv6 GUA prefix configuration 2025-02-21 12:36:07 +02:00			`{ pkgs, config, ... }:`
Init 2024-05-23 13:39:48 +03:00			`{`
Auto-indent every file 2024-06-02 05:53:39 +03:00			`networking = {`
			`hostName = "helium";`
Split generic parts out of machine-confs/helium.nix 2024-06-06 21:12:13 +03:00
Auto-indent every file 2024-06-02 05:53:39 +03:00			`wg-quick.interfaces = {`
			`wg0 = {`
Finalize IPv6 conf for now 2024-09-25 13:38:25 +03:00			`autostart = true;`
Centralize IPv6 GUA prefix configuration 2025-02-21 12:36:07 +02:00			`address = [ "${config.custom.gua_pref}ff::2/64" ];`
Format every file 2024-06-02 16:18:19 +03:00			`dns = [`
Centralize IPv6 GUA prefix configuration 2025-02-21 12:36:07 +02:00			`"${config.custom.gua_pref}ff::1"`
Format every file 2024-06-02 16:18:19 +03:00			`"vsinerva.fi"`
			`];`
Auto-indent every file 2024-06-02 05:53:39 +03:00			`privateKeyFile = "/root/wireguard-keys/privatekey-home";`
			`listenPort = 51820;`
Init 2024-05-23 13:39:48 +03:00
Auto-indent every file 2024-06-02 05:53:39 +03:00			`peers = [`
			`{`
			`publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";`
Add PSK file to home WG conf 2024-10-03 17:46:45 +03:00			`presharedKeyFile = "/root/wireguard-keys/psk-home";`
Transition to new opnsense setup 2025-02-19 03:40:26 +02:00			`allowedIPs = [ "::/0" ];`
Change WG port number 2024-09-25 15:18:04 +03:00			`endpoint = "wg.vsinerva.fi:51820";`
Auto-indent every file 2024-06-02 05:53:39 +03:00			`}`
			`];`
			`};`
			`wg1 = {`
			`autostart = false;`
			`address = [ "10.100.0.7/24" ];`
			`dns = [ "1.1.1.1" ];`
			`privateKeyFile = "/root/wireguard-keys/privatekey-netflix";`
Initial wireguard IPv6 test 2024-09-24 20:01:29 +03:00			`listenPort = 51820;`
Init 2024-05-23 13:39:48 +03:00
Auto-indent every file 2024-06-02 05:53:39 +03:00			`peers = [`
			`{`
			`publicKey = "XSYHg0utIR1j7kRsWFwuWNo4RPD47KP53cVa6qDPtRE=";`
Format every file 2024-06-02 16:18:19 +03:00			`allowedIPs = [`
			`"0.0.0.0/0"`
			`"192.168.0.0/24"`
			`];`
Auto-indent every file 2024-06-02 05:53:39 +03:00			`endpoint = "netflix.vsinerva.fi:51821";`
			`}`
			`];`
			`};`
			`};`
			`};`
'Fix' wireguard autostart 2024-08-01 22:12:02 +03:00			`# Dirty hack to fix autostart failing due to DNS lookups`
Finalize IPv6 conf for now 2024-09-25 13:38:25 +03:00			`systemd.services."wg-quick-wg0".serviceConfig = {`
'Fix' wireguard autostart 2024-08-01 22:12:02 +03:00			`Restart = "on-failure";`
			`RestartSec = "1s";`
			`};`
New clatd test 2024-09-28 23:31:40 +03:00			`services.clatd = {`
			`enable = true;`
Centralize IPv6 GUA prefix configuration 2025-02-21 12:36:07 +02:00			`settings.clat-v6-addr = "${config.custom.gua_pref}ff::c2";`
New clatd test 2024-09-28 23:31:40 +03:00			`};`
			`systemd.services.clatd.wants = [ "wg-quick-wg0.service" ];`
Init 2024-05-23 13:39:48 +03:00
Disable ssh and fail2ban from helium, as they are not needed 2024-07-31 00:54:56 +03:00			`services.openssh.enable = pkgs.lib.mkForce false;`
			`services.fail2ban.enable = pkgs.lib.mkForce false;`

Auto-indent every file 2024-06-02 05:53:39 +03:00			`imports = [`
			`../base.nix`
Reorganize files into folders 2024-06-06 16:53:15 +03:00			`../users/vili.nix`
Auto-indent every file 2024-06-02 05:53:39 +03:00			`../desktop.nix`
			`../development.nix`
Split generic parts out of machine-confs/helium.nix 2024-06-06 21:12:13 +03:00			`../services/syncthing.nix`
			`../services/redshift.nix`
Add basic conf for sunshine game streaming on NixOS 2025-01-11 14:27:15 +02:00			`../services/moonlight.nix`
Move onlykey conf 2025-02-20 20:53:22 +02:00			`../hardware-specific/onlykey.nix`
Split generic parts out of machine-confs/helium.nix 2024-06-06 21:12:13 +03:00			`../hardware-specific/keychron-q11.nix`
			`../hardware-specific/trackball.nix`
			`../hardware-specific/amd-laptop.nix`
			`../hardware-specific/usb-automount.nix`
Auto-indent every file 2024-06-02 05:53:39 +03:00			`];`
Init 2024-05-23 13:39:48 +03:00
Split generic parts out of machine-confs/helium.nix 2024-06-06 21:12:13 +03:00			`services.xserver.displayManager.setupCommands = ''`
Partially revert laptop conf 2024-12-06 19:25:57 +02:00			`${pkgs.xorg.xrandr}/bin/xrandr --output DisplayPort-0 --auto --pos 0x0 --primary --output eDP --auto --pos 3840x360`
Split generic parts out of machine-confs/helium.nix 2024-06-06 21:12:13 +03:00			`'';`
Init 2024-05-23 13:39:48 +03:00
Disable reboot for helium and lithium, since they are regularly rebooted anyway 2024-09-09 15:52:21 +03:00			`system.autoUpgrade.allowReboot = pkgs.lib.mkForce false;`

Adjust default swap size 2024-08-28 11:52:00 +03:00			`swapDevices = pkgs.lib.mkForce [`
			`{`
			`device = "/var/lib/swapfile";`
			`size = 16 * 1024;`
			`}`
			`];`

Split generic parts out of machine-confs/helium.nix 2024-06-06 21:12:13 +03:00			`boot = {`
Reduce bootloader timeout on helium 2024-10-18 12:40:23 +03:00			`loader.timeout = 3;`
FIDO2 LUKS 2024-10-16 18:05:15 +03:00			`initrd.luks = {`
			`fido2Support = true;`
			`devices."luks-f6e1979b-0dee-4ee9-8170-10490019854b".fido2 = {`
			`passwordLess = true;`
			`credential = "df9233221fa09173fea61d8b8516d184f8ede475024a88201b34d838ecf306ee070052dae2262619c1da2be7562ec9dd94888c71a9326fea70dfe16214b5ea8ec014d86afa01";`
			`};`
			`};`
Split generic parts out of machine-confs/helium.nix 2024-06-06 21:12:13 +03:00			`resumeDevice = "/dev/mapper/luks-f6e1979b-0dee-4ee9-8170-10490019854b";`
			`kernelParams = [ "resume_offset=44537856" ];`
Format every file 2024-06-02 16:18:19 +03:00			`};`
Init 2024-05-23 13:39:48 +03:00			`}`