@eljojo
Created January 9, 2022 01:12
nixos raspberry pi
{ config, lib, pkgs, modulesPath, ... }:
let
  # nixos-hardware pinned by commit.  fetchTarball is called without a
  # sha256, so the archive is fetched and trusted as-is at evaluation time;
  # adding the hash would make the import reproducible and integrity-checked.
  nixosHardware = fetchTarball
    "https://github.com/NixOS/nixos-hardware/archive/2a7063461c3751d83869a2a0a8ebc59e34bec5b2.tar.gz";
in
{
  # Raspberry Pi 4 hardware profile from nixos-hardware.
  imports = [ "${nixosHardware}/raspberry-pi/4" ];

  boot = {
    kernelPackages = pkgs.linuxPackages_rpi4;
    # Never swap to the SD card; no swap device is declared in this module.
    kernel.sysctl."vm.swappiness" = 0;
    # /tmp is a RAM-backed filesystem, emptied on every boot.
    tmpOnTmpfs = true;
    initrd.availableKernelModules = [
      "reset-raspberrypi" # https://github.com/NixOS/nixpkgs/pull/143885
      "xhci_pci" # from hardware configuration
    ];
  };

  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
      options = [ "noatime" ];
    };
    # The firmware partition is only mounted on demand (noauto) and a
    # missing partition does not block boot (nofail).
    "/boot/firmware" = {
      device = "/dev/disk/by-label/FIRMWARE";
      fsType = "vfat";
      options = [ "nofail" "noauto" ];
    };
    # Logs live in RAM: they do not survive a reboot, so anything needed for
    # post-incident review has to be shipped off-host while the box is up.
    "/var/log" = {
      device = "none";
      fsType = "tmpfs";
      options = [ "defaults" "size=256M" "mode=755" ];
    };
  };

  # Hosts importing this module may override the governor (mkDefault).
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}
{ config, pkgs, lib, ... }:
let
  # Builder for the music-station unit; lives in the nara app module.
  nara = import ../apps/nara-arm.nix { inherit pkgs; };
  # Static LAN identity of this host.
  lanAddress = "192.168.90.56";
  gateway = "192.168.90.1";
in {
  imports = [
    ../hardware/raspberry-pi.nix
    ../profiles/common.nix
    ../profiles/edge.nix
    ../profiles/dns-server.nix
  ];

  networking.hostName = "bb8";
  time.timeZone = "America/Toronto";

  systemd.services.nara-music-station = nara.mkNara "bb8";

  # Journal is kept in memory only.  If ../hardware/raspberry-pi.nix is the
  # module that mounts /var/log on tmpfs, no log data at all persists across
  # a reboot of this host.
  services.journald.extraConfig = "Storage=volatile";

  # Publish the traefik container only on the LAN address, not on every
  # interface.  The container itself is presumably defined in an imported
  # profile (edge.nix?) — only its port mapping is set here.
  virtualisation.oci-containers.containers.traefik.ports = [
    "${lanAddress}:80:80"
    "${lanAddress}:443:443"
  ];

  # Port lists merge with whatever the imported profiles open (presumably 22
  # from common.nix and the DNS ports from dns-server.nix); only the web
  # ports are added here.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [ ];

  # Static addressing: DHCP off, interface name forced to eth0 so the
  # interfaces.eth0 entry below applies.
  networking.useDHCP = false;
  networking.dhcpcd.enable = false;
  networking.usePredictableInterfaceNames = lib.mkForce false;
  networking.defaultGateway = gateway;
  # This host resolves through the router, not through its own resolver.
  networking.nameservers = [ gateway ];
  networking.interfaces.eth0.ipv4.addresses = [
    { address = lanAddress; prefixLength = 24; }
  ];
}
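{ config, lib, pkgs, modulesPath, ... }:
let
  # Unpinned: resolves <nixos-unstable> through NIX_PATH at evaluation time,
  # so the tailscale/go/vault builds below change whenever that channel moves.
  unstable = import <nixos-unstable> { config = { allowUnfree = true; }; };

  # Public keys for both accounts are pulled from GitHub.  The sha256 pins the
  # exact content, so rotating a key on GitHub requires updating this hash
  # (the "?1" suffix is only a cache-buster).
  sshKeysUrl = pkgs.fetchurl {
    url = "https://github.com/eljojo.keys?1";
    sha256 = "10mx82w2wrkk17li83gpp2ln1qna91d43sgj13qywayc2msymclf";
  };

  # One key per line.  splitString leaves an empty element for the trailing
  # newline (and for any blank line), which would otherwise become an empty
  # entry in authorized_keys; keep only non-empty lines.
  sshKeys = lib.filter (k: k != "")
    (lib.splitString "\n" (builtins.readFile sshKeysUrl));
in {
  imports = [
    (modulesPath + "/profiles/base.nix")
    ./security.nix
    ./docker.nix
  ];

  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  hardware.enableRedistributableFirmware = true;

  boot = {
    # /tmp is emptied on every boot (the cron log below lives there).
    cleanTmpDir = true;
    # safety glasses ON — hardened kernel; hosts can still override (mkDefault).
    kernelPackages = lib.mkDefault pkgs.linuxPackages_5_15_hardened;
    # mkForce replaces, rather than extends, whatever other modules add here.
    supportedFilesystems = lib.mkForce [
      "btrfs" "vfat" "xfs" "cifs" "ext4" "nfs" "rpc_pipefs" "nfsd"
    ];
  };

  # SMT stays on even with the hardened kernel: throughput over isolation of
  # sibling hyperthreads.  NOTE(review): if ./security.nix pulls in the
  # hardened profile this overrides its default — confirm that is intended.
  security.allowSimultaneousMultithreading = true;

  # wheel members escalate without any credential; together with key-only SSH
  # below, possession of a listed key is equivalent to root on every host.
  security.sudo.wheelNeedsPassword = false;

  services.tailscale = {
    enable = true;
    package = unstable.tailscale;
  };
  # Pulled in early by several targets; "sshd.service" as a wantedBy entry is
  # unusual — presumably meant to bring the tailnet up alongside sshd.
  systemd.services.tailscaled.wantedBy = [
    "network-online.target" "multi-user.target" "network.target" "sshd.service"
  ];

  networking.firewall = {
    enable = true;
    allowPing = true;
    allowedTCPPorts = [ 22 ];
    allowedUDPPorts = [ config.services.tailscale.port ];
    # Everything arriving over the tailnet bypasses the firewall entirely.
    trustedInterfaces = [ "tailscale0" ];
  };

  nixpkgs.config.allowUnfree = true;

  services.chrony.enable = true;
  programs.mtr.enable = true;
  programs.mosh.enable = true;
  programs.vim.defaultEditor = true;

  services.openssh = {
    enable = true;
    # Key-only authentication.
    passwordAuthentication = false;
    challengeResponseAuthentication = false;
    # Made explicit because root carries authorized keys below: root may log
    # in, but only with a key, never with a password.
    permitRootLogin = "prohibit-password";
  };

  services.fail2ban = {
    enable = true;
    maxretry = 5;
    ignoreIP = [
      "127.0.0.0/8"
      "192.168.90.0/24"
      # NOTE(review): single address without a prefix — confirm a /24 was
      # not intended.
      "174.115.97.0"
    ];
  };

  environment.systemPackages = with pkgs; [
    service-wrapper coreutils-prefixed # unsure what i need this for
    wget htop tmux silver-searcher git unstable.go curl
    traceroute iftop iotop bind unstable.tailscale whois
    vim
    jq # nara
    tree
    openssl # many things work better with this
    inetutils # telnet
    unstable.vault
  ];

  # Both accounts accept the same GitHub-published keys.
  users.users.root.openssh.authorizedKeys.keys = sshKeys;
  users.users.jojo = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = sshKeys;
  };

  # Weekly channel upgrade; a new kernel only takes effect after a manual
  # reboot since allowReboot is off.
  system.autoUpgrade = {
    enable = true;
    allowReboot = false;
    dates = "Saturday *-*-* 8:00";
  };

  nix.gc = {
    automatic = true;
    dates = "Saturday *-*-* 10:00";
    options = "--delete-older-than 60d";
  };
  nix.autoOptimiseStore = true;

  # The weekly job overlaps with nix.gc above.  Output is appended as root to
  # a fixed path in world-writable /tmp, which cleanTmpDir wipes at boot;
  # nothing in this module ever reads that log.
  services.cron = {
    enable = true;
    systemCronJobs = [
      # min hour day-of-month month day-of-week
      "@weekly root nix-collect-garbage >> /tmp/cron.log"
      "@monthly root nix-collect-garbage -d >> /tmp/cron.log" # delete all old system version
    ];
  };

  programs.zsh = {
    enable = true;
    enableCompletion = true;
    autosuggestions.enable = true;
    syntaxHighlighting.enable = true;
    shellAliases = {
      st = "git status";
      gd = "git diff";
      ga = "git add";
      gc = "git commit";
      push = "git push";
      pull = "git pull origin --ff-only";
    };
  };
  programs.bash.shellAliases = config.programs.zsh.shellAliases;

  # Provide /bin/bash for scripts with a hard-coded shebang; the symlink is
  # staged and renamed so the path is never briefly missing.
  system.activationScripts.binbash = ''
    mkdir -m 0755 -p /bin
    ln -sfn "${pkgs.bashInteractive}/bin/bash" /bin/.bash.tmp
    mv /bin/.bash.tmp /bin/bash # atomically replace /bin/bash
  '';
}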
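{ config, lib, pkgs, ... }:
let
  # Root hints refreshed by the monthly cron job below; unbound reads the file
  # at start, so a new copy only takes effect on the next restart/reload.
  hintsFile = "/var/lib/unbound/root.hints";
in {
  imports = [ ];

  # AdGuard Home in front (presumably on 53 and the UI port opened below),
  # unbound behind it as the recursive resolver on 5353.
  config.services.adguardhome.enable = true;

  config.services.unbound = {
    enable = true;
    resolveLocalQueries = false;
    settings.server = {
      # Listens on every IPv4 address; reachability is narrowed by
      # access-control, which admits only RFC 1918 ranges and loopback.
      # NOTE(review): tailnet peers (100.64.0.0/10) are not in that list even
      # though the common profile trusts tailscale0 at the firewall — confirm
      # whether they are meant to be refused.
      interface = [ "0.0.0.0" ];
      port = 5353;
      do-ip4 = "yes";
      do-ip6 = "yes";
      do-udp = "yes";
      do-tcp = "yes";
      # Answers pointing into these ranges are stripped (DNS-rebinding guard)
      # unless the name falls under private-domain.
      private-address = [
        "192.168.0.0/16"
        "10.0.0.0/8"
        "fd00::/8"
        "fe80::/10"
      ];
      access-control = [
        "192.168.0.0/16 allow"
        "10.0.0.0/8 allow"
        "127.0.0.0/8 allow"
      ];
      unblock-lan-zones = "yes";
      insecure-lan-zones = "yes";
      # Local zones allowed to resolve to private addresses.
      private-domain = [
        "eljojo.casa"
        "eljojo.net"
      ];
      # DNSSEC validation is skipped for this zone.
      domain-insecure = [
        "eljojo.casa"
      ];
      # cache size
      rrset-cache-size = "256m";
      msg-cache-size = "128m";
      # TTL bounds for cache.  The 1h floor overrides shorter upstream TTLs,
      # so a rotated or revoked record can keep being served for up to an hour.
      cache-min-ttl = 3600;
      cache-max-ttl = 86400;
      # One thread should be sufficient, probably increases cache hits
      num-threads = 1;
      # NOTE(review): this file does not exist until the first @monthly cron
      # run; unbound is expected to refuse to start while it is missing.
      root-hints = hintsFile;
      # https://calomel.org/unbound_dns.html
      rrset-roundrobin = "yes";
      so-reuseport = "yes";
      aggressive-nsec = "yes";
      # Ensure the kernel buffer is large enough to not lose messages in
      # traffic spikes (paired with the rmem_max sysctl below).
      so-rcvbuf = "1m";
      # Require DNSSEC data for trust-anchored zones; if such data is absent
      # the zone becomes BOGUS.
      harden-dnssec-stripped = "yes";
      # Reduce EDNS reassembly buffer size.
      # Suggested by the unbound man page to reduce fragmentation reassembly problems
      edns-buffer-size = 1472;
      # Perform prefetching of close to expired message cache entries
      # This only applies to domains that have been frequently queried
      prefetch = "yes";
      prefetch-key = "yes";
      # Trust glue only if it is within the servers authority
      harden-glue = "yes";
      # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
      # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
      use-caps-for-id = "no";
      # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for details
      qname-minimisation = "yes";
    };
  };

  config.boot.kernel.sysctl."net.core.rmem_max" = 1048576;

  # NOTE(review): nothing in this module binds 3000/4433/853/784; presumably
  # AdGuard Home's UI, DoT and DoQ listeners configured elsewhere.
  config.networking.firewall = {
    allowedTCPPorts = [ 3000 4433 853 784 ];
    allowedUDPPorts = [ 53 5353 853 784 ];
  };

  # Download into a staging file and rename into place: wget -O opens the
  # output before the transfer succeeds, so writing straight to hintsFile
  # left it truncated on a failed fetch.  The staging file is removed on any
  # failure and hintsFile is only ever replaced atomically.
  config.services.cron.systemCronJobs = [
    "@monthly root ${pkgs.wget}/bin/wget -q https://www.internic.net/domain/named.root -O ${hintsFile}.tmp && chown unbound:unbound ${hintsFile}.tmp && mv -f ${hintsFile}.tmp ${hintsFile} || rm -f ${hintsFile}.tmp"
  ];
}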
#!/usr/bin/env bash
# based on https://github.com/lucernae/nixos-pi
# and https://nix.dev/tutorials/installing-nixos-on-a-raspberry-pi
#
# Builds the aarch64 SD-card image described by ./configuration.sdImage.nix.
# <nixpkgs> is resolved from NIX_PATH; only nixos-config is pinned here.
# NOTE: --option sandbox false turns off build isolation for this run
# (presumably needed for the emulated aarch64 build), so every builder runs
# with the invoking user's view of the filesystem and network.
nix-build '<nixpkgs/nixos>' \
  -A config.system.build.sdImage \
  -I nixos-config=./configuration.sdImage.nix \
  --argstr system aarch64-linux \
  --option sandbox false \
  --show-trace
{ config, pkgs, lib, ... }:
{
  # Both <nixpkgs/...> entries are resolved through NIX_PATH by the build
  # script, so the image follows whatever nixpkgs that environment provides.
  imports = [
    <nixpkgs/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix>
    # For nixpkgs cache
    <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
    # The image is a provisioned host rather than a bare installer: if this is
    # the common.nix shown above, it carries that profile's authorized keys,
    # sudo policy and firewall rules.
    ../profiles/common.nix
    ../hardware/raspberry-pi.nix
  ];

  sdImage = {
    compressImage = false;
    firmwareSize = 256; # larger default for future needs
  };

  boot.loader = {
    # NixOS wants to enable GRUB by default
    grub.enable = false;
    # Enables the generation of /boot/extlinux/extlinux.conf
    generic-extlinux-compatible.enable = true;
  };

  # Networking: DHCP on the wired interface only.
  # I used DHCP because sometimes I disconnect the LAN cable.
  # A static address was tried and left disabled:
  #   networking.interfaces.eth0.ipv4.addresses = [
  #     { address = "192.168.100.3"; prefixLength = 24; }
  #   ];
  networking.interfaces.eth0.useDHCP = true;
}