From 64b3a072e7a66c792edc9f5e2fdd836ecda4d5e3 Mon Sep 17 00:00:00 2001 From: randomizedcoder Date: Thu, 30 May 2024 10:51:53 -0700 Subject: [PATCH 1/3] nftables --- Makefile | 8 ++++++++ hp0/configuration.nix | 20 +++++++++++++++++++- hp3/configuration.nix | 20 +++++++++++++++++++- 3 files changed, 46 insertions(+), 2 deletions(-) create mode 100644 Makefile diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..31a2a9d --- /dev/null +++ b/Makefile @@ -0,0 +1,8 @@ +# +# Makefile +# +hp0: + scp ./hp0/configuration.nix hp0: + +hp3: + scp ./hp3/configuration.nix hp3: \ No newline at end of file diff --git a/hp0/configuration.nix b/hp0/configuration.nix index be22a74..2e0a404 100644 --- a/hp0/configuration.nix +++ b/hp0/configuration.nix @@ -169,6 +169,8 @@ wget tcpdump iproute2 + nftables + iptables pciutils usbutils iw @@ -194,13 +196,29 @@ # services.openssh.enable = true; services.openssh.enable = true; - # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. # networking.firewall.enable = false; + # https://nixos.wiki/wiki/Firewall + # https://scvalex.net/posts/54/ + # nft --stateless list table filter + networking.firewall = { + enable = true; + allowedTCPPorts = [ + 22 # ssh + 5001 # iperf2 + ]; + # allowedTCPPorts = [ 22 5001 ]; + # #allowedUDPPortRanges = [ + # # { from = 4000; to = 4007; } + # # { from = 8000; to = 8010; } + # #]; + }; + # networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ]; + # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/hp3/configuration.nix b/hp3/configuration.nix index 74299ce..0d279ce 100644 --- a/hp3/configuration.nix +++ b/hp3/configuration.nix 
@@ -169,6 +169,8 @@ wget tcpdump iproute2 + nftables + iptables pciutils usbutils iw @@ -194,13 +196,29 @@ # services.openssh.enable = true; services.openssh.enable = true; - # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. # networking.firewall.enable = false; + # https://nixos.wiki/wiki/Firewall + # https://scvalex.net/posts/54/ + # nft --stateless list table filter + networking.firewall = { + enable = true; + allowedTCPPorts = [ + 22 # ssh + 5001 # iperf2 + ]; + # allowedTCPPorts = [ 22 5001 ]; + # #allowedUDPPortRanges = [ + # # { from = 4000; to = 4007; } + # # { from = 8000; to = 8010; } + # #]; + }; + # networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ]; + # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave From 6d2fa3c89c7ef2dd26793a68063918b85da21cf4 Mon Sep 17 00:00:00 2001 From: randomizedcoder Date: Sat, 1 Jun 2024 09:55:42 -0700 Subject: [PATCH 2/3] sysctls --- Makefile | 8 +++- hp0/configuration.nix | 88 ++++++++++++++++++++++++++++++++++--------- hp3/configuration.nix | 88 ++++++++++++++++++++++++++++++++++--------- 3 files changed, 148 insertions(+), 36 deletions(-) diff --git a/Makefile b/Makefile index 31a2a9d..a14c0df 100644 --- a/Makefile +++ b/Makefile @@ -1,8 +1,12 @@ # # Makefile # +.PHONY: all + +all: hp0 hp3 + hp0: - scp ./hp0/configuration.nix hp0: + scp ./hp0/configuration.nix hp0: hp3: - scp ./hp3/configuration.nix hp3: \ No newline at end of file + scp ./hp3/configuration.nix hp3: \ No newline at end of file diff --git a/hp0/configuration.nix b/hp0/configuration.nix index 2e0a404..5fb971e 100644 --- a/hp0/configuration.nix +++ b/hp0/configuration.nix 
@@ -3,6 +3,7 @@ # and in the NixOS manual (accessible by running ‘nixos-help’). # sudo nixos-rebuild switch +# sudo nix-channel --update # nix-shell -p vim # nmcli device wifi connect MYSSID password PWORD # systemctl restart display-manager.service @@ -10,6 +11,7 @@ { config, pkgs, ... }: # https://nixos.wiki/wiki/FAQ#How_can_I_install_a_package_from_unstable_while_remaining_on_the_stable_channel.3F +# https://discourse.nixos.org/t/differences-between-nix-channels/13998 { imports = 
@@ -24,8 +26,46 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + # https://nixos.wiki/wiki/Linux_kernel + boot.kernelPackages = pkgs.linuxPackages_latest; + #boot.kernelPackages = pkgs.linuxPackages_rpi4 + + # https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html + boot.kernel.sysctl = { + # detect dead connections more quickly + "net.ipv4.tcp_keepalive_intvl" = 30; + #net.ipv4.tcp_keepalive_intvl = 75 + "net.ipv4.tcp_keepalive_probes" = 4; + #net.ipv4.tcp_keepalive_probes = 9 + "net.ipv4.tcp_keepalive_time" = 120; + #net.ipv4.tcp_keepalive_time = 7200 + # 30 * 4 = 120 seconds. / 60 = 2 minutes + # default: 75 seconds * 9 = 675 seconds. /60 = 11.25 minutes + "net.ipv4.tcp_rmem" = "4096 1000000 16000000"; + "net.ipv4.tcp_wmem" = "4096 1000000 16000000"; + #net.ipv4.tcp_rmem = 4096 131072 6291456 + #net.ipv4.tcp_wmem = 4096 16384 4194304 + # enable Enable reuse of TIME-WAIT sockets globally + "net.ipv4.tcp_tw_reuse" = 1; + #net.ipv4.tcp_tw_reuse=2 + "net.ipv4.tcp_timestamps" = 1; + "net.ipv4.tcp_ecn" = 1; + "net.core.rmem_default" = 26214400; + "net.core.rmem_max" = 26214400; + "net.core.wmem_default" = 26214400; + "net.core.wmem_max" = 26214400; + #net.core.optmem_max = 20480 + #net.core.rmem_default = 212992 + #net.core.rmem_max = 212992 + #net.core.wmem_default = 212992 + #net.core.wmem_max = 212992 + "net.ipv4.ip_local_port_range" = "1025 65535"; + #net.ipv4.ip_local_port_range ="32768 60999" + }; + # https://nixos.wiki/wiki/Networking - networking.hostName = "hp0"; # Define your hostname. + # https://nlewo.github.io/nixos-manual-sphinx/configuration/ipv4-config.xml.html + networking.hostName = "hp0"; # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. networking.wireless = { enable = true; # Enables wireless support via wpa_supplicant. 
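Review bot: `"net.ipv4.ip_local_port_range" = "1025 65535";` makes the ephemeral port range overlap the listening ports this configuration relies on (5001 for iperf2 in the firewall block further down, and any other service above 1024), so an outbound connection can occupy a port that a server later fails to bind; reserve them with `"net.ipv4.ip_local_reserved_ports" = "5001";` or start the range higher. `"net.ipv4.tcp_tw_reuse" = 1;` also widens TIME-WAIT reuse from the value 2 recorded in the adjacent comment (which I read as the loopback-only default) to all connections, which deserves a one-line comment saying it is deliberate for these benchmark hosts. The comment `# enable Enable reuse of TIME-WAIT sockets globally` has a doubled word. The identical block appears for hp3/configuration.nix in the next file and again in modules/sysctl.nix in the third patch.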
@@ -49,10 +89,10 @@ #networking.networkmanager.enable = true; networking.hosts = { - "172.16.40.198" = ["hp0"]; - # "172.16.40.35" = ["hp1"]; - # "172.16.40.71" = ["hp2"]; - "172.16.40.146" = ["hp3"]; + "172.16.40.198" = ["hp0eth"]; + "172.16.40.152" = ["hp0wifi"]; + "172.16.40.146" = ["hp3eth"]; + "172.16.40.130" = ["hp3wifi"]; }; # Set your time zone. @@ -97,6 +137,14 @@ tmux screen # + libgcc + # https://nixos.wiki/wiki/C + # https://search.nixos.org/packages?channel=24.05&show=gcc&from=0&size=50&sort=relevance&type=packages&query=gcc + gcc + automake + gnumake + pkg-config + # perl python3 # @@ -106,16 +154,20 @@ htop minicom # + ethtool iproute2 vlan tcpdump wireshark - flent iperf2 + netperf + flent bpftools iw wirelesstools wpa_supplicant_ro_ssids + # + hwloc # go # https://nixos.wiki/wiki/Go # https://nixos.org/manual/nixpkgs/stable/#sec-language-go @@ -190,10 +242,6 @@ enableSSHSupport = true; }; - # List services that you want to enable: - - # Enable the OpenSSH daemon. - # services.openssh.enable = true; services.openssh.enable = true; # Open ports in the firewall. @@ -204,18 +252,24 @@ # https://nixos.wiki/wiki/Firewall # https://scvalex.net/posts/54/ - # nft --stateless list table filter + # sudo nft --stateless list table filter + # sudo sudo iptables-save networking.firewall = { - enable = true; + enable = false; allowedTCPPorts = [ 22 # ssh 5001 # iperf2 ]; - # allowedTCPPorts = [ 22 5001 ]; - # #allowedUDPPortRanges = [ - # # { from = 4000; to = 4007; } - # # { from = 8000; to = 8010; } - # #]; + # allowedTCPPorts = [ 22 5001 ]; + # #allowedUDPPortRanges = [ + # # { from = 4000; to = 4007; } + # # { from = 8000; to = 8010; } + # #]; + # NixOS automagically creates stateful connection tracking, which we don't want + # for performance reasons + # extraCommands = '' + # iptables --delete nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept || true + # ''; }; # networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ]; 
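Review bot: `enable = false;` in the last hunk switches the NixOS firewall off entirely, so the `allowedTCPPorts` list that stays below it is dead configuration and sshd, iperf2 and anything else listening become reachable on every interface, including the wifi addresses this patch adds to networking.hosts. The reason (connection-tracking overhead) is only stated next to the commented-out `extraCommands`, so move it next to `enable = false;` or, better, keep `enable = true;` and use the per-interface form already sketched in the trailing `networking.firewall.interfaces."eth0".allowedTCPPorts` comment. `# sudo sudo iptables-save` has a doubled sudo. The same change is made to hp3/configuration.nix in the next file and carried into modules/firewall.nix in the third patch.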
diff --git a/hp3/configuration.nix b/hp3/configuration.nix index 0d279ce..3eb9519 100644 --- a/hp3/configuration.nix +++ b/hp3/configuration.nix @@ -3,6 +3,7 @@ # and in the NixOS manual (accessible by running ‘nixos-help’). # sudo nixos-rebuild switch +# sudo nix-channel --update # nix-shell -p vim # nmcli device wifi connect MYSSID password PWORD # systemctl restart display-manager.service @@ -10,6 +11,7 @@ { config, pkgs, ... }: # https://nixos.wiki/wiki/FAQ#How_can_I_install_a_package_from_unstable_while_remaining_on_the_stable_channel.3F +# https://discourse.nixos.org/t/differences-between-nix-channels/13998 { imports = 
@@ -24,8 +26,46 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + # https://nixos.wiki/wiki/Linux_kernel + boot.kernelPackages = pkgs.linuxPackages_latest; + #boot.kernelPackages = pkgs.linuxPackages_rpi4 + + # https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html + boot.kernel.sysctl = { + # detect dead connections more quickly + "net.ipv4.tcp_keepalive_intvl" = 30; + #net.ipv4.tcp_keepalive_intvl = 75 + "net.ipv4.tcp_keepalive_probes" = 4; + #net.ipv4.tcp_keepalive_probes = 9 + "net.ipv4.tcp_keepalive_time" = 120; + #net.ipv4.tcp_keepalive_time = 7200 + # 30 * 4 = 120 seconds. / 60 = 2 minutes + # default: 75 seconds * 9 = 675 seconds. /60 = 11.25 minutes + "net.ipv4.tcp_rmem" = "4096 1000000 16000000"; + "net.ipv4.tcp_wmem" = "4096 1000000 16000000"; + #net.ipv4.tcp_rmem = 4096 131072 6291456 + #net.ipv4.tcp_wmem = 4096 16384 4194304 + # enable Enable reuse of TIME-WAIT sockets globally + "net.ipv4.tcp_tw_reuse" = 1; + #net.ipv4.tcp_tw_reuse=2 + "net.ipv4.tcp_timestamps" = 1; + "net.ipv4.tcp_ecn" = 1; + "net.core.rmem_default" = 26214400; + "net.core.rmem_max" = 26214400; + "net.core.wmem_default" = 26214400; + "net.core.wmem_max" = 26214400; + #net.core.optmem_max = 20480 + #net.core.rmem_default = 212992 + #net.core.rmem_max = 212992 + #net.core.wmem_default = 212992 + #net.core.wmem_max = 212992 + "net.ipv4.ip_local_port_range" = "1025 65535"; + #net.ipv4.ip_local_port_range ="32768 60999" + }; + # https://nixos.wiki/wiki/Networking - networking.hostName = "hp3"; # Define your hostname. + # https://nlewo.github.io/nixos-manual-sphinx/configuration/ipv4-config.xml.html + networking.hostName = "hp3"; # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. networking.wireless = { enable = true; # Enables wireless support via wpa_supplicant. 
@@ -49,10 +89,10 @@ #networking.networkmanager.enable = true; networking.hosts = { - "172.16.40.198" = ["hp0"]; - # "172.16.40.35" = ["hp1"]; - # "172.16.40.71" = ["hp2"]; - "172.16.40.146" = ["hp3"]; + "172.16.40.198" = ["hp0eth"]; + "172.16.40.152" = ["hp0wifi"]; + "172.16.40.146" = ["hp3eth"]; + "172.16.40.130" = ["hp3wifi"]; }; # Set your time zone. @@ -97,6 +137,14 @@ tmux screen # + libgcc + # https://nixos.wiki/wiki/C + # https://search.nixos.org/packages?channel=24.05&show=gcc&from=0&size=50&sort=relevance&type=packages&query=gcc + gcc + automake + gnumake + pkg-config + # perl python3 # @@ -106,16 +154,20 @@ htop minicom # + ethtool iproute2 vlan tcpdump wireshark - flent iperf2 + netperf + flent bpftools iw wirelesstools wpa_supplicant_ro_ssids + # + hwloc # go # https://nixos.wiki/wiki/Go # https://nixos.org/manual/nixpkgs/stable/#sec-language-go @@ -190,10 +242,6 @@ enableSSHSupport = true; }; - # List services that you want to enable: - - # Enable the OpenSSH daemon. - # services.openssh.enable = true; services.openssh.enable = true; # Open ports in the firewall. @@ -204,18 +252,24 @@ # https://nixos.wiki/wiki/Firewall # https://scvalex.net/posts/54/ - # nft --stateless list table filter + # sudo nft --stateless list table filter + # sudo sudo iptables-save networking.firewall = { - enable = true; + enable = false; allowedTCPPorts = [ 22 # ssh 5001 # iperf2 ]; - # allowedTCPPorts = [ 22 5001 ]; - # #allowedUDPPortRanges = [ - # # { from = 4000; to = 4007; } - # # { from = 8000; to = 8010; } - # #]; + # allowedTCPPorts = [ 22 5001 ]; + # #allowedUDPPortRanges = [ + # # { from = 4000; to = 4007; } + # # { from = 8000; to = 8010; } + # #]; + # NixOS automagically creates stateful connection tracking, which we don't want + # for performance reasons + # extraCommands = '' + # iptables --delete nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept || true + # ''; }; # networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ]; 
From f6ca2f3165b4aa869362dbedcac79ea4958cdb61 Mon Sep 17 00:00:00 2001 From: randomizedcoder Date: Sat, 1 Jun 2024 12:09:59 -0700 Subject: [PATCH 3/3] modules --- Makefile | 11 +- hp0/configuration.nix | 210 ++----------------------------------- hp3/configuration.nix | 210 ++----------------------------------- modules/firewall.nix | 32 ++++++ modules/home-manager.nix | 78 ++++++++++++++ modules/hosts.nix | 10 ++ modules/il8n.nix | 18 ++++ modules/sysctl.nix | 36 +++++++ modules/systemPackages.nix | 23 ++++ modules/wireless.nix | 16 +++ nix_switch.bash | 4 + 11 files changed, 244 insertions(+), 404 deletions(-) create mode 100644 modules/firewall.nix create mode 100644 modules/home-manager.nix create mode 100644 modules/hosts.nix create mode 100644 modules/il8n.nix create mode 100644 modules/sysctl.nix create mode 100644 modules/systemPackages.nix create mode 100644 modules/wireless.nix create mode 100644 nix_switch.bash diff --git a/Makefile b/Makefile index a14c0df..c643d46 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,14 @@ all: hp0 hp3 hp0: - scp ./hp0/configuration.nix hp0: + scp -C ./hp0/* hp0: + scp -C ./modules/* hp0: + scp -C ./nix_switch.bash hp0: hp3: - scp ./hp3/configuration.nix hp3: \ No newline at end of file + scp -C ./hp3/* hp3: + scp -C ./modules/* hp3: + scp -C ./nix_switch.bash hp3: + +# +# end \ No newline at end of file diff --git a/hp0/configuration.nix b/hp0/configuration.nix index 5fb971e..e25f509 100644 --- a/hp0/configuration.nix +++ b/hp0/configuration.nix 
@@ -14,12 +14,21 @@ # https://discourse.nixos.org/t/differences-between-nix-channels/13998 { + # https://nixos.wiki/wiki/NixOS_modules imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix # sudo nix-channel --add https://github.com/nix-community/home-manager/archive/release-23.11.tar.gz home-manager # sudo nix-channel --update + # + ./sysctl.nix + ./wireless.nix + ./hosts.nix + ./firewall.nix + ./il8n.nix + ./systemPackages.nix + ./home-manager.nix ]; # Bootloader. 
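Review bot: The new imports `./sysctl.nix` through `./home-manager.nix` name the files as siblings of configuration.nix, but the repository keeps them under modules/; this only resolves because the Makefile copies `./modules/*` into the host's home directory and nix_switch.bash then copies `./*.nix` flat into /etc/nixos, which a reader of this file cannot see. Add a comment above the list such as `# modules/*.nix are copied flat into /etc/nixos by nix_switch.bash`. `./il8n.nix` spells the usual abbreviation i18n with a lowercase L; it matches the new file's name so it works, but renaming both to i18n.nix would avoid confusion. hp3/configuration.nix receives the identical hunk.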
@@ -30,89 +39,19 @@ boot.kernelPackages = pkgs.linuxPackages_latest; #boot.kernelPackages = pkgs.linuxPackages_rpi4 - # https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html - boot.kernel.sysctl = { - # detect dead connections more quickly - "net.ipv4.tcp_keepalive_intvl" = 30; - #net.ipv4.tcp_keepalive_intvl = 75 - "net.ipv4.tcp_keepalive_probes" = 4; - #net.ipv4.tcp_keepalive_probes = 9 - "net.ipv4.tcp_keepalive_time" = 120; - #net.ipv4.tcp_keepalive_time = 7200 - # 30 * 4 = 120 seconds. / 60 = 2 minutes - # default: 75 seconds * 9 = 675 seconds. /60 = 11.25 minutes - "net.ipv4.tcp_rmem" = "4096 1000000 16000000"; - "net.ipv4.tcp_wmem" = "4096 1000000 16000000"; - #net.ipv4.tcp_rmem = 4096 131072 6291456 - #net.ipv4.tcp_wmem = 4096 16384 4194304 - # enable Enable reuse of TIME-WAIT sockets globally - "net.ipv4.tcp_tw_reuse" = 1; - #net.ipv4.tcp_tw_reuse=2 - "net.ipv4.tcp_timestamps" = 1; - "net.ipv4.tcp_ecn" = 1; - "net.core.rmem_default" = 26214400; - "net.core.rmem_max" = 26214400; - "net.core.wmem_default" = 26214400; - "net.core.wmem_max" = 26214400; - #net.core.optmem_max = 20480 - #net.core.rmem_default = 212992 - #net.core.rmem_max = 212992 - #net.core.wmem_default = 212992 - #net.core.wmem_max = 212992 - "net.ipv4.ip_local_port_range" = "1025 65535"; - #net.ipv4.ip_local_port_range ="32768 60999" - }; - # https://nixos.wiki/wiki/Networking # https://nlewo.github.io/nixos-manual-sphinx/configuration/ipv4-config.xml.html networking.hostName = "hp0"; - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - networking.wireless = { - enable = true; # Enables wireless support via wpa_supplicant. 
- environmentFile = "/home/das/wireless.env"; - networks."devices".psk = "performance"; - #networks."devices".psk = "@PSK_DEVICES@"; - extraConfig = "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel"; - # output ends up in /run/wpa_supplicant/wpa_supplicant.conf - }; - # https://linux.die.net/man/5/wpa_supplicant.conf - # https://nixos.wiki/wiki/Wpa_supplicant - # https://nixos.org/manual/nixos/stable/options#opt-networking.wireless.environmentFile - # https://blog.stigok.com/2021/05/04/getting-wpa-cli-to-work-in-nixos.html # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - # Enable networking networking.networkmanager.enable = false; - #networking.networkmanager.enable = true; - - networking.hosts = { - "172.16.40.198" = ["hp0eth"]; - "172.16.40.152" = ["hp0wifi"]; - "172.16.40.146" = ["hp3eth"]; - "172.16.40.130" = ["hp3wifi"]; - }; # Set your time zone. time.timeZone = "America/Los_Angeles"; - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "en_US.UTF-8"; - LC_IDENTIFICATION = "en_US.UTF-8"; - LC_MEASUREMENT = "en_US.UTF-8"; - LC_MONETARY = "en_US.UTF-8"; - LC_NAME = "en_US.UTF-8"; - LC_NUMERIC = "en_US.UTF-8"; - LC_PAPER = "en_US.UTF-8"; - LC_TELEPHONE = "en_US.UTF-8"; - LC_TIME = "en_US.UTF-8"; - }; - # Enable touchpad support (enabled default in most desktopManager). # services.xserver.libinput.enable = true; 
@@ -129,107 +68,6 @@ ]; }; - # https://nix-community.github.io/home-manager/index.xhtml#ch-installation - users.users.eve.isNormalUser = true; - home-manager.users.das = { pkgs, ... }: { - home.packages = with pkgs; [ - # - tmux - screen - # - libgcc - # https://nixos.wiki/wiki/C - # https://search.nixos.org/packages?channel=24.05&show=gcc&from=0&size=50&sort=relevance&type=packages&query=gcc - gcc - automake - gnumake - pkg-config - # - perl - python3 - # - gawk - jq - git - htop - minicom - # - ethtool - iproute2 - vlan - tcpdump - wireshark - iperf2 - netperf - flent - bpftools - iw - wirelesstools - wpa_supplicant_ro_ssids - # - hwloc - # go - # https://nixos.wiki/wiki/Go - # https://nixos.org/manual/nixpkgs/stable/#sec-language-go - # https://nixos.wiki/wiki/FAQ#How_can_I_install_a_package_from_unstable_while_remaining_on_the_stable_channel.3F - libcap - gcc - # thunderbird - go - # rust - # https://nixos.wiki/wiki/Rust - pkgs.cargo - pkgs.rustc - ]; - - programs.bash.enable = true; - home.stateVersion = "23.11"; - - programs.vim = { - enable = true; - plugins = with pkgs.vimPlugins; [ vim-airline ]; - settings = { ignorecase = true; }; - extraConfig = '' - set mouse=a - ''; - }; - #ldflags = [ - # "-X main.Version=${version}" - # "-X main.Commit=${version}" - #]; - - programs.git = { - enable = true; - userEmail = "dave.seddon.ca@gmail.com"; - userName = "randomizedcoder "; - #signing.key = "GPG-KEY-ID"; - #signing.signByDefault = true; - }; - nixpkgs.config.allowUnfree = true; - }; - - # Allow unfree packages - nixpkgs.config.allowUnfree = true; - - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. 
- # wget - vim - curl - wget - tcpdump - iproute2 - nftables - iptables - pciutils - usbutils - iw - wirelesstools - wpa_supplicant_ro_ssids - ]; - # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; @@ -244,35 +82,6 @@ services.openssh.enable = true; - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # https://nixos.wiki/wiki/Firewall - # https://scvalex.net/posts/54/ - # sudo nft --stateless list table filter - # sudo sudo iptables-save - networking.firewall = { - enable = false; - allowedTCPPorts = [ - 22 # ssh - 5001 # iperf2 - ]; - # allowedTCPPorts = [ 22 5001 ]; - # #allowedUDPPortRanges = [ - # # { from = 4000; to = 4007; } - # # { from = 8000; to = 8010; } - # #]; - # NixOS automagically creates stateful connection tracking, which we don't want - # for performance reasons - # extraCommands = '' - # iptables --delete nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept || true - # ''; - }; - # networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ]; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave @@ -286,5 +95,4 @@ # services.qemuGuest.enable = true; # https://wiki.nixos.org/wiki/Laptop - } diff --git a/hp3/configuration.nix b/hp3/configuration.nix index 3eb9519..133d046 100644 --- a/hp3/configuration.nix +++ b/hp3/configuration.nix 
@@ -14,12 +14,21 @@ # https://discourse.nixos.org/t/differences-between-nix-channels/13998 { + # https://nixos.wiki/wiki/NixOS_modules imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix # sudo nix-channel --add https://github.com/nix-community/home-manager/archive/release-23.11.tar.gz home-manager # sudo nix-channel --update + # + ./sysctl.nix + ./wireless.nix + ./hosts.nix + ./firewall.nix + ./il8n.nix + ./systemPackages.nix + ./home-manager.nix ]; # Bootloader. 
@@ -30,89 +39,19 @@ boot.kernelPackages = pkgs.linuxPackages_latest; #boot.kernelPackages = pkgs.linuxPackages_rpi4 - # https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html - boot.kernel.sysctl = { - # detect dead connections more quickly - "net.ipv4.tcp_keepalive_intvl" = 30; - #net.ipv4.tcp_keepalive_intvl = 75 - "net.ipv4.tcp_keepalive_probes" = 4; - #net.ipv4.tcp_keepalive_probes = 9 - "net.ipv4.tcp_keepalive_time" = 120; - #net.ipv4.tcp_keepalive_time = 7200 - # 30 * 4 = 120 seconds. / 60 = 2 minutes - # default: 75 seconds * 9 = 675 seconds. /60 = 11.25 minutes - "net.ipv4.tcp_rmem" = "4096 1000000 16000000"; - "net.ipv4.tcp_wmem" = "4096 1000000 16000000"; - #net.ipv4.tcp_rmem = 4096 131072 6291456 - #net.ipv4.tcp_wmem = 4096 16384 4194304 - # enable Enable reuse of TIME-WAIT sockets globally - "net.ipv4.tcp_tw_reuse" = 1; - #net.ipv4.tcp_tw_reuse=2 - "net.ipv4.tcp_timestamps" = 1; - "net.ipv4.tcp_ecn" = 1; - "net.core.rmem_default" = 26214400; - "net.core.rmem_max" = 26214400; - "net.core.wmem_default" = 26214400; - "net.core.wmem_max" = 26214400; - #net.core.optmem_max = 20480 - #net.core.rmem_default = 212992 - #net.core.rmem_max = 212992 - #net.core.wmem_default = 212992 - #net.core.wmem_max = 212992 - "net.ipv4.ip_local_port_range" = "1025 65535"; - #net.ipv4.ip_local_port_range ="32768 60999" - }; - # https://nixos.wiki/wiki/Networking # https://nlewo.github.io/nixos-manual-sphinx/configuration/ipv4-config.xml.html networking.hostName = "hp3"; - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - networking.wireless = { - enable = true; # Enables wireless support via wpa_supplicant. 
- environmentFile = "/home/das/wireless.env"; - networks."devices".psk = "performance"; - #networks."devices".psk = "@PSK_DEVICES@"; - extraConfig = "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel"; - # output ends up in /run/wpa_supplicant/wpa_supplicant.conf - }; - # https://linux.die.net/man/5/wpa_supplicant.conf - # https://nixos.wiki/wiki/Wpa_supplicant - # https://nixos.org/manual/nixos/stable/options#opt-networking.wireless.environmentFile - # https://blog.stigok.com/2021/05/04/getting-wpa-cli-to-work-in-nixos.html # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - # Enable networking networking.networkmanager.enable = false; - #networking.networkmanager.enable = true; - - networking.hosts = { - "172.16.40.198" = ["hp0eth"]; - "172.16.40.152" = ["hp0wifi"]; - "172.16.40.146" = ["hp3eth"]; - "172.16.40.130" = ["hp3wifi"]; - }; # Set your time zone. time.timeZone = "America/Los_Angeles"; - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "en_US.UTF-8"; - LC_IDENTIFICATION = "en_US.UTF-8"; - LC_MEASUREMENT = "en_US.UTF-8"; - LC_MONETARY = "en_US.UTF-8"; - LC_NAME = "en_US.UTF-8"; - LC_NUMERIC = "en_US.UTF-8"; - LC_PAPER = "en_US.UTF-8"; - LC_TELEPHONE = "en_US.UTF-8"; - LC_TIME = "en_US.UTF-8"; - }; - # Enable touchpad support (enabled default in most desktopManager). # services.xserver.libinput.enable = true; 
@@ -129,107 +68,6 @@ ]; }; - # https://nix-community.github.io/home-manager/index.xhtml#ch-installation - users.users.eve.isNormalUser = true; - home-manager.users.das = { pkgs, ... }: { - home.packages = with pkgs; [ - # - tmux - screen - # - libgcc - # https://nixos.wiki/wiki/C - # https://search.nixos.org/packages?channel=24.05&show=gcc&from=0&size=50&sort=relevance&type=packages&query=gcc - gcc - automake - gnumake - pkg-config - # - perl - python3 - # - gawk - jq - git - htop - minicom - # - ethtool - iproute2 - vlan - tcpdump - wireshark - iperf2 - netperf - flent - bpftools - iw - wirelesstools - wpa_supplicant_ro_ssids - # - hwloc - # go - # https://nixos.wiki/wiki/Go - # https://nixos.org/manual/nixpkgs/stable/#sec-language-go - # https://nixos.wiki/wiki/FAQ#How_can_I_install_a_package_from_unstable_while_remaining_on_the_stable_channel.3F - libcap - gcc - # thunderbird - go - # rust - # https://nixos.wiki/wiki/Rust - pkgs.cargo - pkgs.rustc - ]; - - programs.bash.enable = true; - home.stateVersion = "23.11"; - - programs.vim = { - enable = true; - plugins = with pkgs.vimPlugins; [ vim-airline ]; - settings = { ignorecase = true; }; - extraConfig = '' - set mouse=a - ''; - }; - #ldflags = [ - # "-X main.Version=${version}" - # "-X main.Commit=${version}" - #]; - - programs.git = { - enable = true; - userEmail = "dave.seddon.ca@gmail.com"; - userName = "randomizedcoder "; - #signing.key = "GPG-KEY-ID"; - #signing.signByDefault = true; - }; - nixpkgs.config.allowUnfree = true; - }; - - # Allow unfree packages - nixpkgs.config.allowUnfree = true; - - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. 
- # wget - vim - curl - wget - tcpdump - iproute2 - nftables - iptables - pciutils - usbutils - iw - wirelesstools - wpa_supplicant_ro_ssids - ]; - # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; @@ -244,35 +82,6 @@ services.openssh.enable = true; - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # https://nixos.wiki/wiki/Firewall - # https://scvalex.net/posts/54/ - # sudo nft --stateless list table filter - # sudo sudo iptables-save - networking.firewall = { - enable = false; - allowedTCPPorts = [ - 22 # ssh - 5001 # iperf2 - ]; - # allowedTCPPorts = [ 22 5001 ]; - # #allowedUDPPortRanges = [ - # # { from = 4000; to = 4007; } - # # { from = 8000; to = 8010; } - # #]; - # NixOS automagically creates stateful connection tracking, which we don't want - # for performance reasons - # extraCommands = '' - # iptables --delete nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept || true - # ''; - }; - # networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ]; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave @@ -286,5 +95,4 @@ # services.qemuGuest.enable = true; # https://wiki.nixos.org/wiki/Laptop - } diff --git a/modules/firewall.nix b/modules/firewall.nix new file mode 100644 index 0000000..449b44f --- /dev/null +++ b/modules/firewall.nix 
@@ -0,0 +1,32 @@ +{ config, pkgs, ... }: + +{ + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # https://nixos.wiki/wiki/Firewall + # https://scvalex.net/posts/54/ + # sudo nft --stateless list table filter + # sudo sudo iptables-save + networking.firewall = { + enable = false; + allowedTCPPorts = [ + 22 # ssh + 5001 # iperf2 + ]; + # allowedTCPPorts = [ 22 5001 ]; + # #allowedUDPPortRanges = [ + # # { from = 4000; to = 4007; } + # # { from = 8000; to = 8010; } + # #]; + # NixOS automagically creates stateful connection tracking, which we don't want + # for performance reasons + # extraCommands = '' + # iptables --delete nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept || true + # ''; + }; + # networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ]; +} \ No newline at end of file diff --git a/modules/home-manager.nix b/modules/home-manager.nix new file mode 100644 index 0000000..dacccc2 --- /dev/null +++ b/modules/home-manager.nix 
@@ -0,0 +1,78 @@ +{ config, pkgs, ... }: + +{ + # https://nix-community.github.io/home-manager/index.xhtml#ch-installation + home-manager.users.das = { pkgs, ... }: { + home.packages = with pkgs; [ + # + tmux + screen + # + libgcc + # https://nixos.wiki/wiki/C + # https://search.nixos.org/packages?channel=24.05&show=gcc&from=0&size=50&sort=relevance&type=packages&query=gcc + gcc + automake + gnumake + pkg-config + # + perl + python3 + # + gawk + jq + git + htop + minicom + # + ethtool + iproute2 + vlan + tcpdump + wireshark + iperf2 + netperf + flent + bpftools + # + hwloc + # go + # https://nixos.wiki/wiki/Go + # https://nixos.org/manual/nixpkgs/stable/#sec-language-go + # https://nixos.wiki/wiki/FAQ#How_can_I_install_a_package_from_unstable_while_remaining_on_the_stable_channel.3F + libcap + gcc + # thunderbird + go + # rust + # https://nixos.wiki/wiki/Rust + pkgs.cargo + pkgs.rustc + ]; + + programs.bash.enable = true; + home.stateVersion = "23.11"; + + programs.vim = { + enable = true; + plugins = with pkgs.vimPlugins; [ vim-airline ]; + settings = { ignorecase = true; }; + extraConfig = '' + set mouse=a + ''; + }; + #ldflags = [ + # "-X main.Version=${version}" + # "-X main.Commit=${version}" + #]; + + programs.git = { + enable = true; + userEmail = "dave.seddon.ca@gmail.com"; + userName = "randomizedcoder "; + #signing.key = "GPG-KEY-ID"; + #signing.signByDefault = true; + }; + nixpkgs.config.allowUnfree = true; + }; +} \ No newline at end of file diff --git a/modules/hosts.nix b/modules/hosts.nix new file mode 100644 index 0000000..f1a6785 --- /dev/null +++ b/modules/hosts.nix @@ -0,0 +1,10 @@ +{ config, pkgs, ... }: + +{ + networking.hosts = { + "172.16.40.198" = ["hp0eth"]; + "172.16.40.152" = ["hp0wifi"]; + "172.16.40.146" = ["hp3eth"]; + "172.16.40.130" = ["hp3wifi"]; + }; +} \ No newline at end of file diff --git a/modules/il8n.nix b/modules/il8n.nix new file mode 100644 index 0000000..6a67b6f --- /dev/null +++ b/modules/il8n.nix 
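Review bot: `gcc` appears twice in home.packages (once after `libgcc`, once after `libcap`); drop one of them. Compared with the block removed from hp0/configuration.nix earlier in this patch, the moved list no longer contains `iw`, `wirelesstools` and `wpa_supplicant_ro_ssids`; they remain in modules/systemPackages.nix, so if the drop is deliberate a short comment at that spot would stop someone re-adding them. The outer `{ config, pkgs, ... }:` binds a `pkgs` that is shadowed by the inner `{ pkgs, ... }:` and never used; harmless, but worth noting as style.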
@@ -0,0 +1,18 @@ +{ config, pkgs, ... }: + +{ + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "en_US.UTF-8"; + LC_IDENTIFICATION = "en_US.UTF-8"; + LC_MEASUREMENT = "en_US.UTF-8"; + LC_MONETARY = "en_US.UTF-8"; + LC_NAME = "en_US.UTF-8"; + LC_NUMERIC = "en_US.UTF-8"; + LC_PAPER = "en_US.UTF-8"; + LC_TELEPHONE = "en_US.UTF-8"; + LC_TIME = "en_US.UTF-8"; + }; +} \ No newline at end of file diff --git a/modules/sysctl.nix b/modules/sysctl.nix new file mode 100644 index 0000000..c7cbf61 --- /dev/null +++ b/modules/sysctl.nix @@ -0,0 +1,36 @@ +{ config, pkgs, ... }: + +{ + # https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html + boot.kernel.sysctl = { + # detect dead connections more quickly + "net.ipv4.tcp_keepalive_intvl" = 30; + #net.ipv4.tcp_keepalive_intvl = 75 + "net.ipv4.tcp_keepalive_probes" = 4; + #net.ipv4.tcp_keepalive_probes = 9 + "net.ipv4.tcp_keepalive_time" = 120; + #net.ipv4.tcp_keepalive_time = 7200 + # 30 * 4 = 120 seconds. / 60 = 2 minutes + # default: 75 seconds * 9 = 675 seconds. /60 = 11.25 minutes + "net.ipv4.tcp_rmem" = "4096 1000000 16000000"; + "net.ipv4.tcp_wmem" = "4096 1000000 16000000"; + #net.ipv4.tcp_rmem = 4096 131072 6291456 + #net.ipv4.tcp_wmem = 4096 16384 4194304 + # enable Enable reuse of TIME-WAIT sockets globally + "net.ipv4.tcp_tw_reuse" = 1; + #net.ipv4.tcp_tw_reuse=2 + "net.ipv4.tcp_timestamps" = 1; + "net.ipv4.tcp_ecn" = 1; + "net.core.rmem_default" = 26214400; + "net.core.rmem_max" = 26214400; + "net.core.wmem_default" = 26214400; + "net.core.wmem_max" = 26214400; + #net.core.optmem_max = 20480 + #net.core.rmem_default = 212992 + #net.core.rmem_max = 212992 + #net.core.wmem_default = 212992 + #net.core.wmem_max = 212992 + "net.ipv4.ip_local_port_range" = "1025 65535"; + #net.ipv4.ip_local_port_range ="32768 60999" + }; +} \ No newline at end of file 
diff --git a/modules/systemPackages.nix b/modules/systemPackages.nix new file mode 100644 index 0000000..213e4dd --- /dev/null +++ b/modules/systemPackages.nix @@ -0,0 +1,23 @@ +{ config, pkgs, ... }: + +{ + # Allow unfree packages + nixpkgs.config.allowUnfree = true; + # $ nix search wget + environment.systemPackages = with pkgs; [ + # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + # wget + vim + curl + wget + tcpdump + iproute2 + nftables + iptables + pciutils + usbutils + iw + wirelesstools + wpa_supplicant_ro_ssids + ]; +} \ No newline at end of file diff --git a/modules/wireless.nix b/modules/wireless.nix new file mode 100644 index 0000000..b03aa69 --- /dev/null +++ b/modules/wireless.nix @@ -0,0 +1,16 @@ +{ config, pkgs, ... }: + +{ + networking.wireless = { + enable = true; # Enables wireless support via wpa_supplicant. + environmentFile = "/home/das/wireless.env"; + networks."devices".psk = "performance"; + #networks."devices".psk = "@PSK_DEVICES@"; + extraConfig = "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel"; + # output ends up in /run/wpa_supplicant/wpa_supplicant.conf + }; + # https://linux.die.net/man/5/wpa_supplicant.conf + # https://nixos.wiki/wiki/Wpa_supplicant + # https://nixos.org/manual/nixos/stable/options#opt-networking.wireless.environmentFile + # https://blog.stigok.com/2021/05/04/getting-wpa-cli-to-work-in-nixos.html +} \ No newline at end of file diff --git a/nix_switch.bash b/nix_switch.bash new file mode 100644 index 0000000..76ebabb --- /dev/null +++ b/nix_switch.bash @@ -0,0 +1,4 @@ +#!/run/current-system/sw/bin/bash +# +sudo cp ./*.nix /etc/nixos/ +sudo nixos-rebuild switch
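Review bot: In modules/wireless.nix, `networks."devices".psk = "performance";` commits the Wi-Fi passphrase to the repository in clear text, and a psk given this way is also written into the Nix store in plaintext (the option's own documentation warns about this); the commented `#networks."devices".psk = "@PSK_DEVICES@";` together with the `environmentFile` already set on the line above is the intended way to keep it out of both. Switch to the `@PSK_DEVICES@` placeholder, define `PSK_DEVICES=<passphrase>` in /home/das/wireless.env, and treat the value now in git history as exposed. Since the file is new, a header comment stating that wireless.env must exist on the host before `nixos-rebuild switch` would also help.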