Diffstat (limited to 'hosts/poweredge')
-rw-r--r--hosts/poweredge/configuration.nix35
-rw-r--r--hosts/poweredge/ddns-updater.nix19
-rw-r--r--hosts/poweredge/fileshares.nix44
-rw-r--r--hosts/poweredge/hardware-configuration.nix50
-rw-r--r--hosts/poweredge/networking.nix87
-rw-r--r--hosts/poweredge/notification-mailer.nix27
-rw-r--r--hosts/poweredge/resources/secrets/ddns-updater-config.yaml16
-rw-r--r--hosts/poweredge/resources/secrets/mailer-pass.yaml16
-rw-r--r--hosts/poweredge/resources/secrets/wg1.yaml16
-rw-r--r--hosts/poweredge/wg1.nix7
10 files changed, 317 insertions, 0 deletions
diff --git a/hosts/poweredge/configuration.nix b/hosts/poweredge/configuration.nix
new file mode 100644
index 0000000..16a2686
--- /dev/null
+++ b/hosts/poweredge/configuration.nix
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }: let
+ serverEmail = "poweredge@tjkeller.xyz";
+in {
+ imports = [
+ ./ddns-updater.nix
+ ./fileshares.nix
+ ./networking.nix
+ #./notification-mailer.nix # TODO move some of this stuff to archetype
+ ./wg1.nix
+ ];
+
+ # Setup bootloader
+ boot._loader.enable = true;
+
+ # Enable common options
+ _archetypes = {
+ profiles.headless = {
+ enable = true;
+ home.users.timmy.enable = true;
+ };
+ profiles.zfs.enable = true;
+ profiles.router.enable = true;
+ };
+
+ # Enable smartd
+ services.smartd.enable = true; # TODO move to archetype
+
+ # Enable user timmy
+ _users.timmy.enable = true;
+
+ # Without this, "ZFS requires networking.hostId to be set" will be raised
+ networking.hostId = "4d9e002f";
+
+ system.stateVersion = "25.11";
+}
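Review bot: `serverEmail` on the `let` line at the top of the hunk is bound but never referenced in this file; it only matters to `notification-mailer.nix`, whose entry in `imports` is commented out, and that file defines its own copy with a different address. Drop the binding (`{ config, lib, pkgs, ... }: {`) or, if it is meant to be shared, pass it to the mailer module instead of keeping two diverging copies. `lib` and `pkgs` are unused here as well, though leaving them in a NixOS module argument set is harmless.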
diff --git a/hosts/poweredge/ddns-updater.nix b/hosts/poweredge/ddns-updater.nix
new file mode 100644
index 0000000..103c23b
--- /dev/null
+++ b/hosts/poweredge/ddns-updater.nix
@@ -0,0 +1,19 @@
+{ config, lib, ... }: {
+ # Password file for mail application password
+ sops.secrets.ddns-updater-config.sopsFile = ./resources/secrets/ddns-updater-config.yaml;
+
+ # Enable ddns updater
+ services.ddns-updater = {
+ enable = true;
+ environment = {
+ SERVER_ENABLED="no";
+ CONFIG_FILEPATH = config.sops.secrets.ddns-updater-config.path;
+ PERIOD = "5m";
+ };
+ };
+
+ # FIXME Required root permissions to open secret
+ systemd.services.ddns-updater = {
+ serviceConfig.DynamicUser = lib.mkForce false;
+ };
+}
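Review bot: Forcing `DynamicUser = false` (the FIXME near the end of the hunk) runs ddns-updater as root with a persistent identity purely so it can open the sops secret; the secret's permissions are the thing to change, not the service's privilege. sops-nix can assign the file to a specific owner via the secret's `owner`/`group`/`mode` options, but since the service wants a dynamic user the cleaner path is systemd credentials: `systemd.services.ddns-updater.serviceConfig.LoadCredential = [ "config:${config.sops.secrets.ddns-updater-config.path}" ];` together with `CONFIG_FILEPATH = "%d/config";` — this presumably works only if the module's `environment` option becomes plain `Environment=` lines where `%d` is expanded, so confirm against the module before relying on it. The `SERVER_ENABLED="no"` line also lacks the spaces around `=` that the neighbouring lines use.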
diff --git a/hosts/poweredge/fileshares.nix b/hosts/poweredge/fileshares.nix
new file mode 100644
index 0000000..4593ef8
--- /dev/null
+++ b/hosts/poweredge/fileshares.nix
@@ -0,0 +1,44 @@
+{
+ # TODO make user for ps2
+ services._fileShares.enable = true;
+ services._fileShares.shares = {
+ PS2 = {
+ path = "/media/storage/games/ps2";
+ smb = {
+ enable = true;
+ allowUser = "ps2";
+ extraOptions = {
+ "min protocol" = "NT1";
+ "max protocol" = "NT1";
+ };
+ };
+ };
+ WinBackups = {
+ path = "/media/storage/backups/windows";
+ smb.enable = true;
+ };
+ pictures = {
+ path = "/media/storage/pictures";
+ nfs.enable = true;
+ };
+ tapes = {
+ path = "/media/storage/tapes";
+ nfs.enable = true;
+ };
+ backups = {
+ path = "/media/storage/backups";
+ nfs.enable = true;
+ };
+ };
+
+ users.users = {
+ ps2 = {
+ isSystemUser = true;
+ password = "ps2";
+ group = "ps2";
+ };
+ };
+ users.groups = {
+ ps2 = {};
+ };
+}
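Review bot: `password = "ps2"` for the `ps2` system user is a plaintext credential that ends up in the world-readable Nix store; the other credentials in this commit go through sops, so this one should too, e.g. `hashedPasswordFile = config.sops.secrets.<secret-name>.path;` (the file would then need `{ config, ... }:` at the top). Whether the Samba share authenticates against that Unix password or against a separate smbpasswd entry depends on the `_fileShares` module, which is outside this hunk. Separately, `min protocol`/`max protocol` are global smb.conf parameters, not share-level ones: if `extraOptions` is rendered into the `[PS2]` section Samba warns and ignores them, and if the module hoists them to `[global]` the whole server, including `WinBackups`, is pinned to SMB1 — worth checking which of the two happens, since only the PS2 share needs NT1.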
diff --git a/hosts/poweredge/hardware-configuration.nix b/hosts/poweredge/hardware-configuration.nix
new file mode 100644
index 0000000..0fcc098
--- /dev/null
+++ b/hosts/poweredge/hardware-configuration.nix
@@ -0,0 +1,50 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "megaraid_sas" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "zpool/root";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/nix" =
+ { device = "zpool/nix";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/var" =
+ { device = "zpool/var";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/home" =
+ { device = "zpool/home";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/D083-98C0";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/poweredge/networking.nix b/hosts/poweredge/networking.nix
new file mode 100644
index 0000000..7632a86
--- /dev/null
+++ b/hosts/poweredge/networking.nix
@@ -0,0 +1,87 @@
+{
+ networking = {
+ enableIPv6 = false;
+ # Label lan and wan interfaces
+ _interfaceLabels = {
+ enable = true;
+ interfaces = {
+ lan0 = "50:9a:4c:5d:c3:7a";
+ wan0 = "50:9a:4c:5d:c3:7b";
+ };
+ };
+ # Set ip addresses
+ interfaces = {
+ lan0.ipv4.addresses = [{
+ address = "192.168.1.1";
+ prefixLength = 24;
+ }];
+ wan0.useDHCP = true;
+ };
+ # Firewall rules
+ firewall = {
+ interfaces.wan0 = {
+ allowedUDPPorts = [ 51820 ];
+ };
+ };
+ # Additional advanced rules
+ # TODO add multi NAT feature to router service
+ nftables = {
+ enable = true;
+ tables = {
+ # NAT/masquerade wg1 allowing lan0 clients to access wg1
+ wg-nat = {
+ family = "ip";
+ content = ''
+ chain post {
+ type nat hook postrouting priority srcnat; policy accept;
+ iifname "lan0" oifname "wg1" masquerade comment "lan0 => wg1"
+ }
+ '';
+ };
+ };
+ };
+ };
+
+ services._router = {
+ dnsDhcpConfig = {
+ localDomain = "home.lan";
+ dhcp = {
+ defaultGateway = "192.168.1.1";
+ localhostIp = "192.168.1.1";
+ rangeStart = "192.168.1.50";
+ rangeEnd = "192.168.1.250";
+ # TODO think about moving leases to another file
+ staticLeases = {
+ idrac-7N94GK2 = {
+ macAddress = "50:9a:4c:5d:c3:7c";
+ staticIp = "192.168.1.3";
+ };
+ OpenWrt-Attic = {
+ macAddress = "34:98:b5:60:5e:be";
+ staticIp = "192.168.1.4";
+ };
+ OpenWrt-Basement = {
+ macAddress = "8c:3b:ad:35:c7:8c";
+ staticIp = "192.168.1.5";
+ };
+ ArcherC54 = {
+ macAddress = "12:eb:b6:13:f9:e2";
+ staticIp = "192.168.1.6";
+ };
+ T495 = {
+ macAddress = "04:33:c2:9d:34:74";
+ staticIp = "192.168.1.11";
+ };
+ optiplex = {
+ macAddress = "e4:54:e8:bc:ba:05";
+ staticIp = "192.168.1.12";
+ };
+ X230 = {
+ macAddress = "84:3a:4b:60:34:c4";
+ staticIp = "192.168.1.13";
+ };
+ };
+ };
+ };
+ };
+}
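Review bot: The firewall block opens UDP 51820 inbound on `wan0`, yet `wg1` is brought up by wg-quick from an encrypted config file, so whether this host is a WireGuard responder on that port or only a client to a remote peer (which the `lan0 => wg1` masquerade comment suggests) cannot be seen here; if it is only a client the port should not be opened. A comment tying the two together, e.g. `# wg1 listens on 51820 (see wg1.nix)`, would make the intent checkable at a glance. The `wg-nat` table only adds a postrouting masquerade; the forward-chain policy deciding which lan0 traffic may enter wg1 presumably comes from `profiles.router`, which is outside this hunk.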
diff --git a/hosts/poweredge/notification-mailer.nix b/hosts/poweredge/notification-mailer.nix
new file mode 100644
index 0000000..d8fddc7
--- /dev/null
+++ b/hosts/poweredge/notification-mailer.nix
@@ -0,0 +1,27 @@
+{ config, ... }: let
+ serverEmail = "server-notifications@tjkeller.xyz";
+in {
+ # Mailer password secret for mail application password
+ sops.secrets.mailerPassword.sopsFile = ./resources/secrets/mailer-pass.yaml;
+
+ # Enable mta for system event notifications
+ services.mail._mailer = {
+ sender = {
+ host = "mail.tjkeller.xyz";
+ user = serverEmail;
+ from = serverEmail;
+ passwordFile = config.sops.secrets.mailerPassword.path;
+ };
+ recipient = serverEmail;
+ };
+
+ # Enable zed mailer module
+ services.zfs._zedMailer.enable = true;
+
+ # Enable smartd notifications
+ services.smartd.notifications.mail = {
+ enable = true;
+ sender = serverEmail;
+ recipient = serverEmail;
+ };
+}
diff --git a/hosts/poweredge/resources/secrets/ddns-updater-config.yaml b/hosts/poweredge/resources/secrets/ddns-updater-config.yaml
new file mode 100644
index 0000000..3be017b
--- /dev/null
+++ b/hosts/poweredge/resources/secrets/ddns-updater-config.yaml
@@ -0,0 +1,16 @@
+ddns-updater-config: ENC[AES256_GCM,data:vJ3z4R6P1gHKfkm6L2mQl68MKDJwpMNmrAOQo+4GkO2NC6EjKTLoSKhFiaGWVjMm7nrVfYRV+U/6b4VJXV4qURWhsm41t3x8zXAtt0viLC6pv+uMtuxadhU2Zxij4U2bSiMn6sSbfHd3uGIym7FnfOIL3LPEanVMuRUk20a0ZgHBdq1BPk6r5V8AoGfsu1XWHTvnO4ggg9oQPtGhurKTXixTD0Rb1Iv43JXLXqK/O3JGD5h4XbDmXB9eTqiBHUgZ0E4F5SE23L5mO0kI0TNNph2lTHXdfB+5,iv:xFry3gzdvvYh127yhYySvp5UHDa8Y+t/bg2+mwJ/HXo=,tag:pH2CE2l2UpNJiLJ+tjVvqQ==,type:str]
+sops:
+ age:
+ - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWitQcVlaTmFVaHIraHlT
+ VFBDVEtlQUlqckN4eFF3YU95N3ZNU3JQcFNzCnkrR2xmTEtyUHRWQlRnTWZSaGVT
+ U0wvcGt6R0w4L3dSakVDVWVpTUhWbWMKLS0tIGVKSXVTL1B2L2FlSkQwSDVYd3Fk
+ WE8rLy81UEU5ZG9SaHRLOHNqOWUzWnMKBFtzJ9frroYk6hoW+1ww/3LpxCEa1Vtr
+ KNNnHKry8lQQDmalN5ZVYMTVAlTnQQ6QE7DxBukUwWYmizQ+BY8HDg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-31T01:47:37Z"
+ mac: ENC[AES256_GCM,data:8ozC5JWR/s3nNK+njc7zO32/7ptd//wuWGWZPHXrPV1iVyYndczGgu0ekEyKeRCn/WwGE5pyt32gy0l2Y+k7j7mV6GJguy6qhltani6Mz2Gfy5sRohn5s2rBDTiSYEVAgGTRt56DLxGD36P6xFPm+wHGspjCzNALrPretuN5xFg=,iv:+/mlXEMEO80pDVpFwZmnyywvHR/V9zHkbloF/e/dJ6Q=,tag:O+Ox0xUzERjeB+VftiUNEg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/hosts/poweredge/resources/secrets/mailer-pass.yaml b/hosts/poweredge/resources/secrets/mailer-pass.yaml
new file mode 100644
index 0000000..331bd66
--- /dev/null
+++ b/hosts/poweredge/resources/secrets/mailer-pass.yaml
@@ -0,0 +1,16 @@
+pass: ENC[AES256_GCM,data:RHOvLwbDIb8FZ+dG66e5U43qR0aXlLLZGAnlbRjSl8hxCMEtJ4940nggiaIV75jCaiWyLutay7MrKPKZBHDZwBIqcJYQRWm1zWGkoZi0/bX38vUFWOpI4qku9fIB2qll,iv:bqEnTagxlRqlAmMgFCtXXCSSlODE598yoV4fU0jSYL8=,tag:c/ZiGCDSb8quDoYiIKbMeQ==,type:str]
+sops:
+ age:
+ - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUXlZaUhSUkNGK2xpVzRp
+ OEhYMTV6bnpPZC9tdHZWbnZxcUp6WWVLMnhFCmZmckVBckdRS1g0MjJQdE80S2Js
+ aGlNek1nSmU2aGI4cWVXR0NmbjJwa00KLS0tIDJ3N3BoenQ5ZW02K3BLNWxkWU5y
+ Ym56YzI5Zk9KeFhzZXJXR3NoOUl0ckEKOLweZrk/Pe6BG48+RrwOxyOy0Zb768aZ
+ YIxTBv/qSzZei6VqZHiIwTUEMyE7z3CS0dBFws6q4fB4LfIpv6fiYg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-31T01:37:29Z"
+ mac: ENC[AES256_GCM,data:WIGXvuwB4bcBDfMRrrMQ7faUkxFdreyYiuy6bNPI2pzvvUFTSo/lJTv/DjisSARdYmFHFvdResIXUjg75Sc2I5IrvRxZxnYqx/3z5k/WOFWb8HSKH2H+OUHtLkqWJSCQ9YBuX2tys93mEXgwchPpn4nzVaYBgxZl54F3icX7tsE=,iv:BS9KPGkVaH0G0bAZz6+LR0NDcmqw6khOkih5DyvGyug=,tag:dA9YVL1xEqUqe6hDzOH7XQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/hosts/poweredge/resources/secrets/wg1.yaml b/hosts/poweredge/resources/secrets/wg1.yaml
new file mode 100644
index 0000000..6610514
--- /dev/null
+++ b/hosts/poweredge/resources/secrets/wg1.yaml
@@ -0,0 +1,16 @@
+wg1: ENC[AES256_GCM,data:1IySjV57HcywgiCZ/ZYbcr4Y9EbLrb6bE4kpG1DmDsLiRVFSfZA1UOoMGosot+7YiuE4xfZNHGSnzDrpE73gi5E9qYlvjhOfyLq06a1lK7Q0Wo/QrH9eSH05h6SA4E8sE0w2aKY/6cWfLaXTP1d7xLJA1OOCy7y+wIXrHQcA/TI5XIxikFSe+tT7rhKz128u6MIGl8VWzCp4RmoN94MAgWp0RoVt0VSHlvNPTbMuTZI0YPN1NgHjcf7KWnit33GXydmAWr+wym/oxxdT77O6wMPcGIsxmMLOPNy3K1sTezGTPSS1CSVniKIIW2HYZepGfaTlKwBFIn7ctmMrBvqmMcHiW+QIPwWbOC8UWHJAGklv3vCa7Q8XDUKlOPNdS0o73jb+BVUJWerwR4ik6NPu/H/lWgIETg1pd/Qv//nGsPeGRIUFKyKxoL/5E67+pA==,iv:d+T6wKhV1i/2kae03VPLMaTFB2yleeDFPm1lrfjvkx8=,tag:h/41zAlfz6oBo8jqz9NW7A==,type:str]
+sops:
+ age:
+ - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxOFFVRFl2MDhiUVRPdnZJ
+ b3BSZ0pSaG8vR3o3SGlmVENvN3ZObHU3eUc4CmJrdk8rbXpBMWhTZ2hvdlk0VWo1
+ ejdnTDR4bFlUUXc4Smd0NEp6b3crZFUKLS0tIFBsQUdRWjZLSDY1ZlFaRDdLOVhs
+ MFFGY0NSU3NaK2U0U1NndUIyYm54ZWsKZ6q9j1fNaNSzBA0rbZYyUWt3U2V/7/9/
+ FZTKd8mH/uCoxvK8unlVZ9uYNADRh2smp7LwK1AWie/6khAIFqVBeg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-31T02:00:52Z"
+ mac: ENC[AES256_GCM,data:VXBQSegpiLmT5pF0XVB8NTVzhn4QDE2WfVznANVdrXC4BqFYoQXscW+4BcMmwkUqz5MjeKNF4KgRwtpKWVyRXG7EXVEGeA/NdysAxM9eSD4YrQZLqWzG8UKStyFG7jgHw/YA3H94hJ3rYnhsA9Kb3DHEmnQSZskTOmn2ppyUunQ=,iv:/rVWmaXl149Prhv35wBDZN6c+HgQ6PYSb8RIE30t7MI=,tag:SZ7mI9XDsIjhliFyWO14ug==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/hosts/poweredge/wg1.nix b/hosts/poweredge/wg1.nix
new file mode 100644
index 0000000..d94efb6
--- /dev/null
+++ b/hosts/poweredge/wg1.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, inputs, ... }: {
+ sops.secrets.wg1.sopsFile = ./resources/secrets/wg1.yaml;
+
+ networking.wg-quick.interfaces = {
+ wg1.configFile = config.sops.secrets.wg1.path;
+ };
+}
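Review bot: `pkgs` and `inputs` in the module's argument set are unused; `{ config, ... }: {` is enough. The secret is left at sops-nix's defaults (root-owned), which is appropriate here because wg-quick runs as root, so unlike `ddns-updater.nix` no permission override is needed — a one-line comment saying so, `# default root-owned secret is fine: wg-quick runs as root`, would save the next reader from repeating that investigation.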