nix-config/modules/system.nix
Donovan Glover d7f4e3fccc
containers: fix internet not working inside container
The wg-mullvad interface was at some point renamed to wg0-mullvad.

Note that in the future this method can be used to prevent certain
containers from accessing the internet in a similar way.
2024-10-11 16:55:44 -04:00


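{
  nix-config,
  pkgs,
  lib,
  config,
  ...
}:
# Base system configuration shared by every host built from this flake.
# Hosts that are systemd-nspawn containers are told apart through
# config.boot.isContainer and get a reduced user/network setup below.
let
  inherit (lib.types) nullOr str listOf;
  inherit (config.boot) isContainer;
  inherit (lib)
    mkOption
    mkEnableOption
    mkIf
    singleton
    optional
    ;
  inherit (cfg)
    username
    iHaveLotsOfRam
    hashedPassword
    mullvad
    allowSRB2Port
    allowDevPort
    postgres
    ;
  # Phone hosts are recognised by the GNOME Calls program being enabled.
  isPhone = config.programs.calls.enable;
  cfg = config.modules.system;
in
{
  imports = with nix-config.inputs.home-manager.nixosModules; [ home-manager ];

  options.modules.system = {
    # Login name of the single interactive user created in users.users below.
    username = mkOption {
      type = str;
      default = "user";
    };
    # Password hash for that user. When left at null a plaintext fallback
    # password is set instead (see users.users.${username}.password).
    hashedPassword = mkOption {
      type = nullOr str;
      default = null;
    };
    timeZone = mkOption {
      type = str;
      default = "America/New_York";
    };
    defaultLocale = mkOption {
      type = str;
      default = "ja_JP.UTF-8";
    };
    supportedLocales = mkOption {
      type = listOf str;
      default = [
        "ja_JP.UTF-8/UTF-8"
        "en_US.UTF-8/UTF-8"
        "fr_FR.UTF-8/UTF-8"
      ];
    };
    # Applied to both system.stateVersion and home.stateVersion.
    stateVersion = mkOption {
      type = str;
      default = "22.11";
    };
    hostName = mkOption {
      type = str;
      default = "nixos";
    };
    iHaveLotsOfRam = mkEnableOption "tmpfs on /tmp";
    mullvad = mkEnableOption "mullvad vpn";
    postgres = mkEnableOption "postgres database for containers";
    allowSRB2Port = mkEnableOption "port for srb2";
    allowDevPort = mkEnableOption "port for development server";
  };

  config = {
    boot = {
      # Either keep /tmp in RAM or wipe it on every boot; never persist it.
      tmp = if iHaveLotsOfRam then { useTmpfs = true; } else { cleanOnBoot = true; };
      binfmt.emulatedSystems = mkIf (pkgs.system == "x86_64-linux") [ "aarch64-linux" ];
      loader = {
        systemd-boot = mkIf (pkgs.system != "aarch64-linux") {
          enable = true;
          # The boot-menu editor is disabled so the kernel command line
          # cannot be altered from the boot menu before the system starts.
          editor = false;
          configurationLimit = 10;
        };
        timeout = 0;
        efi.canTouchEfiVariables = true;
      };
      blacklistedKernelModules = [ "floppy" ];
    };

    systemd = {
      extraConfig = "DefaultTimeoutStopSec=10s";
      services.NetworkManager-wait-online.enable = false;
    };

    nix = {
      package = pkgs.nixVersions.latest;
      settings = {
        auto-optimise-store = true;
        warn-dirty = false;
        # Evaluation never builds derivations just to import their output.
        allow-import-from-derivation = false;
        keep-going = true;
        experimental-features = [
          "nix-command"
          "flakes"
        ];
        # NOTE(review): every member of wheel becomes a Nix trusted user, which
        # grants daemon privileges (extra substituters, sandbox overrides) that
        # are root-equivalent; keep wheel membership to administrators only.
        trusted-users = [
          "root"
          "@wheel"
        ];
      };
    };

    zramSwap = {
      enable = true;
      memoryPercent = 100;
    };

    time = {
      inherit (cfg) timeZone;
    };

    i18n = {
      inherit (cfg) defaultLocale supportedLocales;
    };

    system = {
      inherit (cfg) stateVersion;
    };

    users = {
      # Accounts and passwords are declared here exclusively; changes made at
      # runtime (passwd, useradd) do not survive a rebuild.
      mutableUsers = false;
      # Inside a container the user is created without any password at all.
      allowNoPasswordLogin = mkIf isContainer true;
      users.${username} = {
        inherit hashedPassword;
        isNormalUser = true;
        uid = 1000;
        # Fallback when no hash is configured on a non-container host: the
        # plaintext password is the username itself, or "1234" on phones.
        # NOTE(review): this is a well-known default; set hashedPassword on
        # any host that other people can reach over the network or console.
        password = mkIf (hashedPassword == null && !isContainer) (if isPhone then "1234" else username);
        # Container users get no extra groups, in particular no wheel.
        extraGroups =
          if isContainer then
            [ ]
          else
            [
              "wheel"
              "networkmanager"
              "dialout"
              "feedbackd"
              "video"
            ];
      };
    };

    home-manager = {
      useGlobalPkgs = true;
      useUserPackages = true;
      sharedModules = singleton {
        home = {
          inherit (cfg) stateVersion;
        };
        programs.man.generateCaches = mkIf (!isPhone) true;
      };
      users.${username}.home = {
        inherit username;
        homeDirectory = "/home/${username}";
      };
    };

    # Settings that only apply when the host is built as a QEMU VM
    # (nixos-rebuild build-vm); they override the real-hardware values.
    virtualisation.vmVariant = {
      virtualisation = {
        memorySize = 4096;
        cores = 4;
        # The host's /tmp is shared into the VM at /mnt.
        sharedDirectories = {
          tmp = {
            source = "/tmp";
            target = "/mnt";
          };
        };
        qemu.options = [
          "-device virtio-vga-gl"
          "-display sdl,gl=on,show-cursor=off"
          "-audio pa,model=hda"
          "-full-screen"
        ];
      };
      services.interception-tools.enable = lib.mkForce false;
      networking.resolvconf.enable = lib.mkForce true;
      zramSwap.enable = lib.mkForce false;
      boot.enableContainers = false;
    };

    networking = {
      inherit (cfg) hostName;
      networkmanager = {
        enable = true;
        # Randomised MAC addresses on both wifi and ethernet.
        wifi.macAddress = "random";
        ethernet.macAddress = "random";
        # Leave the container-side veth interfaces (ve-*) to the NAT setup below.
        unmanaged = [ "interface-name:ve-*" ];
      };
      useHostResolvConf = true;
      # With Mullvad enabled, DNS is handled by the VPN daemon rather than resolvconf.
      resolvconf.enable = mkIf mullvad false;
      # Container traffic (ve-+) is NATed out through the Mullvad WireGuard
      # interface. The interface name must match the one the mullvad daemon
      # creates; it was renamed from wg-mullvad to wg0-mullvad, which silently
      # cut containers off from the internet until this was updated.
      nat = mkIf mullvad {
        enable = true;
        internalInterfaces = [ "ve-+" ];
        externalInterface = "wg0-mullvad";
      };
      firewall = {
        # 67/68 are DHCP; 5029 is the SRB2 game port when enabled.
        # `optional` wraps its argument in a list itself, so it takes the bare
        # port (the previous `optional allowSRB2Port [ 5029 ]` produced a
        # nested list and failed the option's type check once enabled).
        allowedUDPPorts = [
          67
          68
        ] ++ optional allowSRB2Port 5029;
        # Exposes the development server on the LAN, not just localhost.
        allowedTCPPorts = mkIf allowDevPort [ 3000 ];
      };
    };

    services = {
      # LLMNR name resolution is turned off.
      resolved.llmnr = "false";
      mullvad-vpn = mkIf mullvad {
        enable = true;
        enableExcludeWrapper = false;
      };
      # One database and one role, both named after the user, for containers.
      postgresql = mkIf postgres {
        enable = true;
        ensureUsers = singleton {
          name = username;
        };
        ensureDatabases = [
          username
        ];
      };
      # sshd runs on every host with password-based logins disabled, so only
      # key-based authentication is accepted. No authorized keys are declared
      # in this module; presumably they come from a host-specific module.
      openssh = {
        enable = true;
        settings = {
          PasswordAuthentication = false;
          KbdInteractiveAuthentication = false;
        };
      };
    };

    environment = {
      systemPackages = with pkgs; [ (pass.withExtensions (ext: with ext; [ pass-otp ])) ];
      # No implicit default packages; everything installed is listed explicitly.
      defaultPackages = [ ];
      gnome.excludePackages = with pkgs; [ gnome-tour ];
    };

    programs.command-not-found.enable = false;
  };
}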