authorTrumeet <yuuta@yuuta.moe>2023-04-15 23:56:01 -0700
committerTrumeet <yuuta@yuuta.moe>2023-04-15 23:56:01 -0700
commit9dc3070a1aba6a29bbf0602f9f70d5f6db66469c (patch)
tree3f158b719c3c6ef46367524ff8f5d64748b35c16
First CommitHEADmaster
-rw-r--r--configuration.nix64
-rw-r--r--desktop.nix47
-rw-r--r--domain.nix197
-rw-r--r--local.nix9
4 files changed, 317 insertions, 0 deletions
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..c70a6ec
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,64 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+ ./local.nix
+ ./domain.nix
+ ./desktop.nix
+ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ nixpkgs.config.allowUnfree = true;
+
+ services.btrfs.autoScrub.enable = true;
+ services.btrfs.autoScrub.fileSystems = [ "/" ];
+
+ boot.loader.efi.canTouchEfiVariables = false;
+ boot.loader.efi.efiSysMountPoint = "/efi";
+ boot.loader.grub.efiInstallAsRemovable = true;
+ boot.loader.grub.device = "nodev";
+ boot.loader.grub.efiSupport = true;
+
+ # powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = true;
+ hardware.cpu.amd.updateMicrocode = true;
+
+ time.timeZone = "America/Vancouver";
+
+ systemd.oomd.enable = false;
+ security.polkit.enable = lib.mkForce false;
+
+ environment.systemPackages = with pkgs; [
+ vim
+ llvm
+ file
+ tmux
+ gnumake
+ bmake
+ git
+ gcc12
+ binutils
+ wine
+ vmware-workstation
+ ];
+
+ services.cron.enable = true;
+
+ services.openssh.enable = true;
+ services.openssh.permitRootLogin = "yes";
+
+ services.vnstat.enable = true;
+
+ system.copySystemConfiguration = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
+
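Review bot: `services.openssh.permitRootLogin = "yes";` in the new openssh lines permits interactive password logins as root, and nothing in this file turns password authentication off, so sshd will accept root password guesses on every interface the host has. Since domain.nix in the same commit enables GSSAPI/Kerberos authentication and sssd, ticket- or key-based access already looks like the intended path; `services.openssh.permitRootLogin = "prohibit-password";` keeps emergency root access by key while closing the password path, and `services.openssh.passwordAuthentication = false;` would do the same for ordinary users if no local password accounts need SSH. `security.polkit.enable = lib.mkForce false;` deserves a one-line comment saying why it is forced off, because desktop.nix enables NetworkManager and pipewire, which typically consult polkit for unprivileged control.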
diff --git a/desktop.nix b/desktop.nix
new file mode 100644
index 0000000..cb4a198
--- /dev/null
+++ b/desktop.nix
@@ -0,0 +1,47 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking.networkmanager.enable = true;
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ services.xserver.displayManager.lightdm.enable = false;
+ services.xserver.enable = true;
+ services.xserver.layout = "us";
+ services.printing.enable = true;
+ sound.enable = true;
+ services.pipewire.enable = true;
+ services.pipewire.pulse.enable = true;
+ # services.xserver.libinput.enable = true;
+ services.tlp.enable = true;
+ services.tlp.settings = {
+ START_CHARGE_THRESH_BAT0 = 70;
+ STOP_CHARGE_THRESH_BAT0 = 75;
+ };
+
+ services.dnscrypt-proxy2.enable = true;
+ services.dnscrypt-proxy2.settings = {
+ listen_addresses = [ "127.0.0.1:5533" ];
+ timeout = 5000;
+ keepalive = 30;
+ use_syslog = true;
+ bootstrap_resolvers = [ "127.0.0.1:9052" ];
+ ignore_system_dns = true;
+ };
+ environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
+ networking.networkmanager.dns = "dnsmasq";
+ environment.etc."NetworkManager/dnsmasq.d/dns.conf".text = ''
+interface=lo
+listen-address=127.0.0.1
+no-resolv
+port=9052
+'';
+
+ services.dnsmasq.enable = true;
+ services.dnsmasq.servers = [
+ "127.0.0.1#5533"
+ ];
+ services.dnsmasq.extraConfig = ''
+no-resolv
+ '';
+}
+
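Review bot: The system-wide forwarder turned on by `services.dnsmasq.enable = true;` is only given `no-resolv` in extraConfig, so by dnsmasq's default it answers on every interface, and on a NetworkManager/tlp laptop that means any network the machine joins can use it as an open resolver unless the NixOS module restricts the bind (it does not appear to here). The NetworkManager instance a few lines above already shows the intended shape, so extraConfig can become `no-resolv`, `listen-address=127.0.0.1`, `bind-interfaces` to keep the 127.0.0.1#5533 forwarder loopback-only. The dnscrypt-proxy2 settings also set no `server_names` or `require_dnssec` constraint, so which upstream resolvers it selects is presumably whatever the module's base config allows; a comment naming the intended upstream set would make that reviewable.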
diff --git a/domain.nix b/domain.nix
new file mode 100644
index 0000000..89c4399
--- /dev/null
+++ b/domain.nix
@@ -0,0 +1,197 @@
+{ config, lib, pkgs, ... }:
+
+{
+ nixpkgs.overlays = [ (self: super:
+ {
+ samba = super.samba.override { enableLDAP = true; };
+ sudo = super.sudo.override { withSssd = true; };
+ }) ];
+
+ networking.timeServers = [
+ "dc1.ad.yuuta.moe"
+ ];
+
+ networking.search = "ad.yuuta.moe";
+ networking.domain = "ad.yuuta.moe";
+
+ services.ntp.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ python39Packages.dnspython
+ python310Packages.dnspython
+ dig # nsupdate(1)
+ ];
+
+ networking.wireguard.interfaces.internal = {
+ mtu = 1340;
+ peers = [
+ {
+ publicKey = "DLhfohNTrZh45K/IRaJscUfUh3igTv2XAFkDmKrN2kQ=";
+ allowedIPs = [ "10.0.2.0/24" "10.0.1.0/24" ];
+ endpoint = "23.154.81.12:60011";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+
+ krb5.enable = true;
+ krb5.libdefaults = {
+ default_realm = "AD.YUUTA.MOE";
+ dns_lookup_realm = true;
+ dns_lookup_kdc = true;
+ ticket_lifetime = "24h";
+ renew_lifetime = "7d";
+ forwardable = true;
+ rdns = false;
+ default_ccache_name = "KEYRING:persistent:%{uid}";
+ };
+ krb5.domain_realm = {
+ ".ad.yuuta.moe" = "AD.YUUTA.MOE";
+ };
+
+ services.sssd.enable = true;
+ # Cherry pick from 48b0aa71646b3600f37dfa258c9fe16d7bb6747f
+ # Fix sssctl
+ environment.etc."sssd/sssd.conf".source = "/var/lib/sssd/sssd.conf";
+ services.sssd.config = ''
+[sssd]
+config_file_version = 2
+domains = ad.yuuta.moe
+services = nss, pam, sudo, autofs
+
+[domain/ad.yuuta.moe]
+cache_credentials = true
+
+id_provider = ad
+auth_provider = ad
+access_provider = ad
+sudo_provider = ad
+
+default_shell = /run/current-system/sw/bin/bash
+# override_shell = /usr/bin/fish
+fallback_homedir = /home/%u
+
+ldap_sudo_search_base = ou=sudoers,dc=ad,dc=yuuta,dc=moe
+
+krb5_renew_interval = 10h
+krb5_ccname_template = KEYRING:persistent:%U
+krb5_store_password_if_offline = true
+
+[autofs]
+ldap_autofs_search_base = ou=AutoFS,ou=Domain Computers,dc=ad,dc=yuuta,dc=moe
+'';
+ services.openssh.extraConfig = ''
+GSSAPIAuthentication yes
+'';
+
+ # services.nscd.enable = false;
+ environment.etc."nsswitch.conf".text = ''
+# sssd
+sudoers: files sss
+automount: files sss
+'';
+
+ services.autofs.enable = true;
+ services.autofs.debug = true;
+ services.autofs.autoMaster = "# Use LDAP";
+
+ boot.supportedFilesystems = [ "nfs" ];
+ # Domain is handled automatically.
+ # services.nfs.idmapd.settings = {
+ # General = {
+ # Domain = "ad.yuuta.moe";
+ # };
+ # };
+
+ boot.extraModprobeConfig = ''
+options nfs nfs4_disable_idmapping=0
+options nfsd nfs4_disable_idmapping=0
+'';
+
+ services.samba.enable = true;
+ # services.samba.package = pkgs.samba4Full;
+ services.samba.configText = ''
+[global]
+ security = ads
+ realm = AD.YUUTA.MOE
+ workgroup = YUUTA
+
+ log file = /var/log/samba/%m.log
+
+ kerberos method = secrets and keytab
+
+ client signing = yes
+ client use spnego = yes
+'';
+
+ services.dnsmasq.enable = true;
+ services.dnsmasq.servers = [
+ "/ad.yuuta.moe/10.0.1.2"
+ "/in-addr.arpa/10.0.1.2"
+ ];
+ programs.ssh.extraConfig = ''
+ Host *.ad.yuuta.moe
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials yes
+ '';
+
+ security.pam.services.sshd.makeHomeDir = true;
+ security.pam.services.login.makeHomeDir = true;
+
+ security.pki.certificates = [ ''
+Yuuta
+=========
+-----BEGIN CERTIFICATE-----
+MIIJGDCCBwCgAwIBAgIQUO5CWfFhBolDqnnAFe61MzANBgkqhkiG9w0BAQ0FADAR
+MQ8wDQYDVQQDDAZST09UQ0EwHhcNMjIwNDA0MTk0NjAwWhcNNDIwNDA0MTk1NTU5
+WjARMQ8wDQYDVQQDDAZST09UQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQC67MLXzJ5Xer6PsCuzjoNR+6wdEOIdczlH3RRxtGpjQ4cw0gVhyDpK2Mkd
+eewY2Sp5KicKiGPtwBiu72K6fVqfwbsvqVDPfPvIRfaEe+gCqmvybXn10jpdiIMV
+UhmW2/Mon8tVDn2MC78QZP4yqkIff0p8sTlgELhH/NK5nC6ffFdO60HWML7RhqOw
+GDZyKJbHunHs5X5R+rY/D9Vu1Bwo2hWSzHDjbRDErxARqrf75KE6KpsqqvNdNWnx
+cBLEgdvkJPO9aZ1wk52hMPQgv1/INJUpR4ndPHOUU2gX1+mlveWeIvyLt2/KOsdF
+ILBvJFqtATFgnNJU+nZxHqHyA3MadGRvYKYkgoif0vVYsTbkYQCxrFNr1QT7H7nP
+DqNsF+IBPKmDxnnCL+udVJnXJy/YrUw9jeur+QZCHl42JB1Ft+1u11dUREunMbJZ
+A2b9CUEcZLn7HMEDcUe9hvqLp60a1wIFJ3GDagHt/eH7PNaiBejoxAqSsjfVPqBX
+8lz+yJ8tzue2O4ietYLdtLElVJN+opjth0By9oyYzNZvAv5hNtjOAaa1FjALXXWP
+nLAOl5fAQaTLq1FxYw0dLoVyfGzazIKMVnihWoljzzrQ1HKLyqX0hHF3nSZkl3t9
+xeL8LHZwHXAj7susg5TPnlLPm0VJMgk+MJAYzQQNpBWWf2Oa3QIDAQABo4IEajCC
+BGYwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFA9a2yPE
+TwIF+bXh5afzREa7LvazMDUGA1UdHwQuMCwwKqAooCaGJGh0dHA6Ly9ob21lLnl1
+dXRhLm1vZS9jZHAvUm9vdENBLmNybDAQBgkrBgEEAYI3FQEEAwIBADCCA5cGA1Ud
+IASCA44wggOKMIIBKgYLKwYBBAGG/lIFAQEwggEZMIHuBggrBgEFBQcCAjCB4R6B
+3gBUAGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABpAG8AbgAgAEEAdQB0AGgA
+bwByAGkAdAB5ACAAaQBzACAAYQBuACAAaQBuAHQAZQByAG4AYQBsACAAcgBlAHMA
+bwB1AHIAYwBlAC4AIABDAGUAcgB0AGkAZgBpAGMAYQB0AGUAcwAgAGkAcwBzAHUA
+ZQBkACAAYgB5ACAAdABoAGkAcwAgAEMAQQAgAGEAcgBlACAAZgBvAHIAIABpAG4A
+dABlAHIAbgBhAGwAIAB1AHMAZQAgAG8AbgBsAHkALjAmBggrBgEFBQcCARYaaHR0
+cHM6Ly9ob21lLnl1dXRhLm1vZS9jcHMwggEqBgsrBgEEAYb+UgUBAjCCARkwge4G
+CCsGAQUFBwICMIHhHoHeAFQAaABpAHMAIABDAGUAcgB0AGkAZgBpAGMAYQB0AGkA
+bwBuACAAQQB1AHQAaABvAHIAaQB0AHkAIABpAHMAIABhAG4AIABpAG4AdABlAHIA
+bgBhAGwAIAByAGUAcwBvAHUAcgBjAGUALgAgAEMAZQByAHQAaQBmAGkAYwBhAHQA
+ZQBzACAAaQBzAHMAdQBlAGQAIABiAHkAIAB0AGgAaQBzACAAQwBBACAAYQByAGUA
+IABmAG8AcgAgAGkAbgB0AGUAcgBuAGEAbAAgAHUAcwBlACAAbwBuAGwAeQAuMCYG
+CCsGAQUFBwIBFhpodHRwczovL2hvbWUueXV1dGEubW9lL2NwczCCASoGCysGAQQB
+hv5SBQEDMIIBGTCB7gYIKwYBBQUHAgIwgeEegd4AVABoAGkAcwAgAEMAZQByAHQA
+aQBmAGkAYwBhAHQAaQBvAG4AIABBAHUAdABoAG8AcgBpAHQAeQAgAGkAcwAgAGEA
+bgAgAGkAbgB0AGUAcgBuAGEAbAAgAHIAZQBzAG8AdQByAGMAZQAuACAAQwBlAHIA
+dABpAGYAaQBjAGEAdABlAHMAIABpAHMAcwB1AGUAZAAgAGIAeQAgAHQAaABpAHMA
+IABDAEEAIABhAHIAZQAgAGYAbwByACAAaQBuAHQAZQByAG4AYQBsACAAdQBzAGUA
+IABvAG4AbAB5AC4wJgYIKwYBBQUHAgEWGmh0dHBzOi8vaG9tZS55dXV0YS5tb2Uv
+Y3BzMEMGCCsGAQUFBwEBBDcwNTAzBggrBgEFBQcwAoYnaHR0cDovL2hvbWUueXV1
+dGEubW9lL1B1YmxpYy9Sb290Q0EuY3J0MA0GCSqGSIb3DQEBDQUAA4ICAQBpep0v
+TUIgb5gQ58gVM1zsPKgXlp2qLsTsbKkhSopsPmkrM8iCIVmZSthmJ9netyhb5pLG
+RYX2wQLnk/6CxI0Ky0ja1Ljk8OmxlZ37pVSCb0A9+sxNdOb6rOjsuBJhxrG4gWoQ
+LWTw52axvAspwkMfy3WK/AiU8KfnTI/PnlxevZPk4DqA3r+Cl8EeuRAVjm8vfNjF
+41kChxjlzkkNdKi1+e0Ne9V+KBhlkGA7RRe7IZfGiCqZ3qF1gs3JlnupZvUibFVJ
+E1i3GJrFglMoG5MPF2Ta3EGwqhJG5cp72IQ6+V3fTVKMu4gS+Xr3EK1y2P4ti8UN
+btWp0VRk0n8hH2lJtaWPW0pzYyaCb0TLxsy6b1N2Ky0Md1gGkJizKCxqok+D92un
+wOrPStBc/v2/B7RksJCr1QdVVWJNkrDbacgGBAJbrnEfiwvggOuLoW/VmGC9HG05
+UQhG2AyTL/ZG52JFr1HvpPKmoR37Ovh6AUA3InI3fFQ4aITojai/PLeFwKPdAO6B
+BqTIRcc3pekpcFTxyV1/aJixdXXeuPK2PGdHjvaeb2oR6R3xW89K1enn71MQ/4gw
+vrUSgPWrir+zgQWs0SELJe48QqLez1Gzg5ToWF67YGUMMp03w5FEG00+qsWUBgbV
+AN+3FUEMFG+GcubnaIQlcx2rC5r/cJWTaeDZZw==
+-----END CERTIFICATE-----
+'' ];
+}
+
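Review bot: `GSSAPIDelegateCredentials yes` under `Host *.ad.yuuta.moe` in programs.ssh.extraConfig forwards the user's Kerberos credentials to every host in the domain, so any compromised domain member the user logs into can act as that user against other services for the ticket lifetime (24h here, renewable for 7d). Unless delegation is needed on every host, narrow the Host pattern to the few machines that must chain authentication, or drop the line and rely on the GSSAPI-authenticated login alone. The sssd block's `cache_credentials = true` and `krb5_store_password_if_offline = true` deliberately retain credentials locally so offline login works; a one-line comment next to them saying so would stop the next reader from flipping them without understanding the trade-off. `services.autofs.debug = true;` also reads like a leftover from initial setup rather than an intended production setting.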
diff --git a/local.nix b/local.nix
new file mode 100644
index 0000000..6cdabdf
--- /dev/null
+++ b/local.nix
@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking.hostName = "xyz";
+ networking.wireguard.interfaces.internal = {
+ ips = [ "10.0.3.x/24" ];
+ privateKey = "xxx";
+ };
+}
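Review bot: `privateKey = "xxx";` in local.nix is a placeholder now, but once a real key is filled in, the inline `privateKey` option of `networking.wireguard.interfaces.<name>` writes that key into the world-readable Nix store along with the rest of the evaluated configuration. The module's `privateKeyFile` option reads the key at activation time from a root-only path instead, e.g. `privateKeyFile = "/path/to/wg-internal.key"; # placeholder path` with the file created out of band with mode 0400. The `ips = [ "10.0.3.x/24" ]` placeholder should likewise be marked with a comment, since the string evaluates fine and would presumably only fail when the interface is brought up rather than at build time.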