authorKenny Ballou <kb@devnulllabs.io>2022-05-02 12:02:22 -0600
committerKenny Ballou <kb@devnulllabs.io>2022-05-02 12:02:22 -0600
commit0c430822cedee96a23fe8a12cc8e0719f8517916 (patch)
tree638fa989f241bb081a1b87045b3ab9370eabe4c4 /systems
parent47a9a452e34408d6661b5d4a6fe5b1de0e3e22ed (diff)
downloaddotfiles-0c430822cedee96a23fe8a12cc8e0719f8517916.tar.gz
dotfiles-0c430822cedee96a23fe8a12cc8e0719f8517916.tar.xz
machines: add koi
Signed-off-by: Kenny Ballou <kb@devnulllabs.io>
Diffstat (limited to 'systems')
-rw-r--r--systems/koi.scm198
-rw-r--r--systems/koi/nftables-rules.nft75
2 files changed, 273 insertions, 0 deletions
diff --git a/systems/koi.scm b/systems/koi.scm
new file mode 100644
index 00000000..992c3e6e
--- /dev/null
+++ b/systems/koi.scm
@@ -0,0 +1,198 @@
+(define-module (systems koi)
+ #:use-module (guix)
+ #:use-module (guix records)
+ #:use-module (guix utils)
+ #:use-module (gnu)
+ #:use-module (gnu packages)
+ #:use-module (gnu services avahi)
+ #:use-module (gnu services base)
+ #:use-module (gnu services cups)
+ #:use-module (gnu services dbus)
+ #:use-module (gnu services desktop)
+ #:use-module (gnu services linux)
+ #:use-module (gnu services mcron)
+ #:use-module (gnu services networking)
+ #:use-module (gnu services nix)
+ #:use-module (gnu services pm)
+ #:use-module (gnu services security-token)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu services xorg)
+ #:use-module (gnu system file-systems)
+ #:use-module (gnu system nss)
+ #:use-module (gnu packages gnome)
+ #:use-module (nongnu packages linux)
+ #:use-module (nongnu packages mozilla)
+ #:use-module (nongnu packages printers)
+ #:use-module (nongnu system linux-initrd)
+ #:use-module (kbg)
+ #:use-module (kbg packages profiles base)
+ #:use-module (kbg packages profiles desktop)
+ #:use-module (kbg packages gnome)
+ #:use-module (kbg services desktop)
+ #:use-module (kbg services nftables)
+ #:use-module ((kbg system mcron) :prefix mcron:)
+ #:use-module (kbg system xorg))
+
+(define nfs-mount-options
+ (alist->file-system-options
+ '("rw"
+ "_netdev"
+ "noauto"
+ "exec"
+ ("rsize" . "1048576")
+ ("wsize" . "1048756")
+ ("timeo" . "600"))))
+
+(define koi-system
+ (operating-system
+ (kernel linux-lts)
+ (firmware (list linux-firmware))
+ (initrd microcode-initrd)
+ (host-name "koi")
+ (timezone "America/Boise")
+ (locale "en_US.utf8")
+
+ (initrd-modules (append (list "dm-raid" "raid1")
+ %base-initrd-modules))
+
+ (keyboard-layout (keyboard-layout "us" #:options '("ctrl:nocaps")))
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ (keyboard-layout keyboard-layout)))
+
+ (mapped-devices
+ (list (mapped-device
+ (source (list "/dev/sda1" "/dev/sdb1"))
+ (target "/dev/md1")
+ (type raid-device-mapping))
+ (mapped-device
+ ;; (source "/dev/md1")
+ (source (uuid "4808204d-0116-4234-b931-6cc6161d5f3b"))
+ (target "luks-4808204d-0116-4234-b931-6cc6161d5f3b")
+ (type luks-device-mapping))
+ (mapped-device
+ (source (uuid "ddb3da26-ac44-4f4a-b01a-6b21967df63d"))
+ ;; (source "/dev/nvme0n1p2")
+ (target "luks-ddb3da26-ac44-4f4a-b01a-6b21967df63d")
+ (type luks-device-mapping))))
+
+ (file-systems (append
+ (list (file-system
+ (device "/dev/mapper/luks-ddb3da26-ac44-4f4a-b01a-6b21967df63d")
+ (mount-point "/")
+ (type "ext4")
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/luks-4808204d-0116-4234-b931-6cc6161d5f3b")
+ (mount-point "/home")
+ (type "xfs")
+ (dependencies mapped-devices))
+ (file-system
+ (mount-point "/media/kb/documents")
+ (device "baal:/srv/documents")
+ (type "nfs4")
+ (mount-may-fail? #t)
+ (mount? #t)
+ (create-mount-point? #t)
+ (options nfs-mount-options)
+ (dependencies mapped-devices))
+ (file-system
+ (mount-point "/media/kb/downloads")
+ (device "baal:/srv/downloads")
+ (type "nfs4")
+ (mount-may-fail? #t)
+ (mount? #t)
+ (create-mount-point? #t)
+ (options nfs-mount-options)
+ (dependencies mapped-devices))
+ (file-system
+ (mount-point "/media/kb/music")
+ (device "baal:/srv/music")
+ (type "nfs4")
+ (mount-may-fail? #t)
+ (mount? #t)
+ (create-mount-point? #t)
+ (options nfs-mount-options)
+ (dependencies mapped-devices))
+ (file-system
+ (mount-point "/media/kb/pictures")
+ (device "baal:/srv/pictures")
+ (type "nfs4")
+ (mount-may-fail? #t)
+ (mount? #t)
+ (create-mount-point? #t)
+ (options nfs-mount-options)
+ (dependencies mapped-devices))
+ (file-system
+ (mount-point "/media/kb/videos")
+ (device "baal:/srv/videos")
+ (type "nfs4")
+ (mount-may-fail? #t)
+ (mount? #t)
+ (create-mount-point? #t)
+ (options nfs-mount-options)
+ (dependencies mapped-devices))
+ (file-system
+ (device (uuid "C08E-E6C4" 'fat32))
+ (mount-point "/boot/efi")
+ (type "vfat")))
+ %base-file-systems))
+
+ (swap-devices (list (swap-space (target "/swapfile")
+ (dependencies mapped-devices))))
+
+ (users (cons (user-account
+ (name "kb")
+ (group "users")
+ (supplementary-groups '("audio"
+ "input"
+ "kvm"
+ "lp"
+ "netdev"
+ "tty"
+ "video"
+ "wheel")))
+ %base-user-accounts))
+
+ ;; This is where we specify system-wide packages.
+ (packages (append %kbg-base-packages
+ %kbg-bare-desktop-packages
+ %base-packages))
+
+ (services (append (list (service gnome-desktop-service-type
+ (gnome-desktop-configuration
+ (gnome gnome-sans-ssh-agent)))
+ (service cups-service-type
+ (cups-configuration
+ (web-interface? #t)))
+ (set-xorg-configuration
+ (xorg-configuration
+ (keyboard-layout keyboard-layout)
+ (extra-config (list %xorg-libinput-config))))
+ (service nix-service-type)
+ (service pcscd-service-type)
+ (service tlp-service-type
+ (tlp-configuration
+ (cpu-scaling-governor-on-ac (list "performance"))
+ (cpu-scaling-min-freq-on-ac 3200000)
+ (cpu-boost-on-ac? #t)
+ (energy-perf-policy-on-ac "performance")
+ (pcie-aspm-on-ac "performance")))
+ (service openssh-service-type
+ (openssh-configuration
+ (x11-forwarding? #f)
+ (password-authentication? #f)
+ (permit-root-login 'prohibit-password)))
+ (nftables-service "koi")
+ (simple-service 'my-cron-jobs
+ mcron-service-type
+ (list mcron:guix-gc-repair-job
+ mcron:updatedb-job)))
+ %kbg-desktop-services))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss)))
+
+koi-system
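Review bot: The `wsize` entry in `nfs-mount-options`, `("wsize" . "1048756")`, does not match the `rsize` of 1048576 (1 MiB) and reads like a digit transposition; the Linux NFS client rounds a non-multiple of 1024 down to the nearest multiple, so the mount still works but with an odd write size, and the line should be `("wsize" . "1048576")`. The same option list explicitly adds `"exec"` and omits `nosuid`/`nodev` for five `nfs4` shares from `baal` that are mounted at boot (`mount? #t`); a setuid binary or device node placed on the server side would then be honoured on this client, so unless that share is trusted to the same degree as the local LUKS volumes I would add `"nosuid" "nodev"` next to `"_netdev"`. Both changes are confined to the alist at the top of the file.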
diff --git a/systems/koi/nftables-rules.nft b/systems/koi/nftables-rules.nft
new file mode 100644
index 00000000..2e68f351
--- /dev/null
+++ b/systems/koi/nftables-rules.nft
@@ -0,0 +1,75 @@
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ ct state invalid counter drop comment "drop invalid packets"
+ ct state established,related counter accept comment "accept related connections"
+ iif lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter drop
+ iif != lo ip6 daddr ::1/128 counter drop
+ ip protocol icmp counter accept
+ ip6 nexthdr ipv6-icmp counter accept
+ udp dport domain ip saddr 172.16.0.0/12 counter accept
+ tcp dport ssh ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ tcp dport 3000 ip saddr 127.0.0.1/8 counter accept
+ tcp dport 8000 ip saddr 127.0.0.1/8 counter accept
+ tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ tcp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
+ udp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
+ tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ counter
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state established,related counter accept
+ counter
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop;
+ ct state established,related counter accept
+ icmp type echo-request counter accept
+ icmp type echo-reply counter accept
+ ip daddr 127.0.0.0/8 counter accept
+ ip6 daddr ::1 counter accept
+ udp dport domain counter accept
+ tcp dport 853 counter accept comment "DNS over TLS"
+ udp dport 853 counter accept comment "DNS over TLS"
+ tcp dport http counter accept
+ tcp dport https counter accept
+ udp dport https counter accept
+ tcp dport ssh counter accept
+ tcp dport bootps counter accept
+ udp dport bootps counter accept
+ tcp dport ntp counter accept
+ udp dport ntp counter accept
+ tcp dport nntps counter accept
+ udp dport nntps counter accept
+ tcp dport submission counter accept
+ tcp dport imaps counter accept
+ tcp dport 2222 counter accept
+ tcp dport hkp counter accept
+ udp dport hkp counter accept
+ tcp dport 9100 counter accept
+ tcp dport git counter accept
+ udp dport git counter accept
+ tcp dport rsync counter accept
+ udp dport rsync counter accept
+ tcp dport 8000 counter accept
+ tcp dport http-alt counter accept
+ udp dport openvpn counter accept
+ tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ tcp dport 5222 counter accept comment "XMPP"
+ tcp dport 6697 counter accept comment "IRC"
+ tcp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ udp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ tcp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ udp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ udp dport 19302-19309 counter accept comment "Google Meet Ports"
+ tcp dport 1714-1764 counter accept comment "KDEConnect"
+ udp dport 1714-1764 counter accept comment "KDEConnect"
+ udp dport 51820 counter accept comment "WireGuard"
+ tcp dport 9876 counter accept comment "yggdrasil"
+ counter
+ }
+}