nixos/metis: move to qemu VM

inclyc · Jan 4, 2024 · b48cd45 · b48cd45
1 parent 5f5b9d8
commit b48cd45
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 20 deletions.
diff --git a/nixos/configurations/metis/default.nix b/nixos/configurations/metis/default.nix
@@ -8,8 +8,12 @@
   imports = [
     ./wireguard.nix
     ./minecraft
+    ./hardware-configuration.nix
   ];
-  nixpkgs.hostPlatform = "x86_64-linux";
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
   nix.registry.sys = {
     from = { type = "indirect"; id = "sys"; };
     flake = inputs.nixpkgs-stable;
@@ -20,15 +24,13 @@
   services.clash = {
     enable = true;
     rule.enable = true;
-    rule.enableTUN = true;
   };
 
+  services.dae.enable = true;
+
   inclyc.user.enable = true;
   inclyc.user.zsh = true;
 
-  # Proxmox-VE container, running LXC
-  boot.isContainer = true;
-
   networking.hostName = "metis";
 
   networking.dhcpcd.enable = false;
@@ -38,13 +40,13 @@
   systemd.network.enable = true;
 
   systemd.network.networks = {
-    "20-eth0@if72" = {
-      matchConfig.Name = "eth0@if72";
+    "enp6s18" = {
+      matchConfig.Name = "enp6s18";
       networkConfig = {
         DHCP = "no";
         Address = "192.168.31.6/24";
         Gateway = "192.168.31.1";
-        DNS = "159.226.39.1";
+        DNS = "223.5.5.5";
       };
     };
   };

diff --git a/nixos/configurations/metis/hardware-configuration.nix b/nixos/configurations/metis/hardware-configuration.nix
@@ -0,0 +1,51 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  zramSwap.enable = true;
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/30f213a7-0d61-4053-9e50-e02f43c16d38";
+      fsType = "btrfs";
+      options = [ "subvol=root" "compress=zstd" ];
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/30f213a7-0d61-4053-9e50-e02f43c16d38";
+      fsType = "btrfs";
+      options = [ "subvol=home" "compress=zstd" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/30f213a7-0d61-4053-9e50-e02f43c16d38";
+      fsType = "btrfs";
+      options = [ "subvol=nix" "compress=zstd" "noatime" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/B094-B461";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nixos/modules/clash/default.nix b/nixos/modules/clash/default.nix
@@ -27,7 +27,6 @@ in
     };
     rule = {
       enable = mkEnableOption "clash rule generation";
-      enableTUN = mkEnableOption "TUN interface";
     };
   };
   config = lib.mkMerge [
@@ -46,9 +45,11 @@ in
             + " -d ${cfg.configDirectory}"
             + " -f %d/config.yaml";
           Restart = "on-failure";
-          CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];
-          AmbientCapabilities = CapabilityBoundingSet;
-          DeviceAllowed = [ "/dev/net/tun" ];
+          CapabilityBoundingSet = [ "" ];
+          DeviceAllow = [ "" ];
+          PrivateDevices = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
           ProtectSystem = "strict";
           ProtectHome = "yes";
           ProtectHostname = "yes";
@@ -57,8 +58,13 @@ in
           ProtectKernelModules = "yes";
           ProtectKernelLogs = "yes";
           ProtectControlGroups = "yes";
-          ProtectProc = "yes";
+          ProtectProc = "invisible";
           LockPersonality = "yes";
+          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
         };
       };
     })
@@ -107,13 +113,7 @@ in
         sops.templates."clash-config.yaml".content = builtins.readFile ./rule.yaml + ''
           proxy-groups: ${builtins.toJSON proxyGroups}
           proxy-providers: ${builtins.toJSON proxyProviders}
-        '' + (lib.optionalString cfg.rule.enableTUN ''
-          tun:
-              enable: true
-              stack: system
-              auto-route: true
-              auto-detect-interface: true
-        '');
+        '';
       }
     ))
   ];