diff --git a/hosts/pennsardin/configuration.nix b/hosts/pennsardin/configuration.nix
index 4d26e18..8acbd41 100644
--- a/hosts/pennsardin/configuration.nix
+++ b/hosts/pennsardin/configuration.nix
@@ -2,7 +2,6 @@
 imports = [
 ../../profiles/workstation-bspwm.nix
 ../../modules/hardware/bepovim.nix
-# ../../modules/dev/qemu.nix
 ../../modules/common/nix.nix
 ];
@@ -49,6 +48,11 @@
 users.lomig = import ../../hm/users/lomig-desktop.nix;
 };
+ networking = {
+ firewall.allowedTCPPorts = [5900 5901 5902];
+ bridges.br0.interfaces = ["enp11s0"];
+ };
+
 system.stateVersion = "25.05"; # pour éviter les hurlements inutiles
 }
diff --git a/hosts/terre-neuvas/configuration.nix b/hosts/terre-neuvas/configuration.nix
index d7dc8f4..86b0267 100644
--- a/hosts/terre-neuvas/configuration.nix
+++ b/hosts/terre-neuvas/configuration.nix
@@ -20,7 +20,6 @@
 boot.loader.efi.canTouchEfiVariables = true;
 networking.hostName = "terre-neuvas"; # Define your hostname.
- networking.networkmanager.enable = true;
 # Configure keymap in X11
 services.xserver.xkb = {
@@ -33,7 +32,7 @@
 users.users.lomig = {
 isNormalUser = true;
- extraGroups = ["networkmanager" "lp" "wheel" "docker" ];
+ extraGroups = [ "lp" "wheel" "docker" ];
 shell = pkgs.zsh;
 };
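Review bot: Opening TCP 5900–5902 in `firewall.allowedTCPPorts` exposes the guests' VNC consoles on every interface, including the new br0 LAN bridge, and libvirt's VNC listener has no authentication by default unless a VNC password, SASL or TLS is configured in qemu.conf — nothing in this commit sets any of them. If the consoles are only used from this machine they need no firewall rule at all (libvirt binds loopback unless the domain XML says otherwise, and `ssh -L` reaches that remotely); if remote access is wanted, scope the rule with `networking.firewall.interfaces.<iface>.allowedTCPPorts` and add authentication on the libvirt side. The same three ports are opened in the hosts/terre-neuvas/configuration.nix hunk `@@ -49,6 +48,41 @@`. Separately, this host no longer carries the `useDHCP = false` and the `10-br0` networkd network (`DHCP = "yes"`) from the deleted modules/dev/qemu.nix, and NetworkManager is dropped in modules/common/networking.nix, so br0 presumably now depends on the global `networking.useDHCP` default and on dhcpcd choosing the bridge rather than enp11s0 — worth verifying on the first rebuild.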
@@ -49,6 +48,41 @@
 git
 hugo
 ];
- networking.firewall.allowedTCPPorts = [ 80 ];
+ networking = {
+ useNetworkd = true ;
+ firewall.allowedTCPPorts = [ 22 80 5900 5901 5902 ];
+ interfaces.eno1.useDHCP = false ;
+ interfaces.br0 = {
+ useDHCP = false ;
+ ipv4.addresses = [
+ {
+ address = "192.168.0.3";
+ prefixLength = 24 ;
+ }
+ ];
+ };
+ defaultGateway = {
+ interface = "br0" ;
+ address = "192.168.0.254" ;
+ };
+ nameservers = [ "192.168.0.254" "1.1.1.1" ];
+ bridges.br0.interfaces = [ "eno1" ];
+ };
+ systemd.network = {
+ enable = true ;
+ netdevs."br0" = {
+ netdevConfig = {
+ Name = "br0";
+ Kind = "bridge";
+ };
+ };
+ networks."br0" = {
+ matchConfig.Name = "br0" ;
+ };
+ networks."eno1" = {
+ matchConfig.Name = "eno1";
+ networkConfig.Bridge = "br0";
+ };
+ };
 system.stateVersion = "25.05"; # Did you read the comment?
 }
diff --git a/hosts/terre-neuvas/hardware.nix b/hosts/terre-neuvas/hardware.nix
index 9bb56d2..8c1dc15 100644
--- a/hosts/terre-neuvas/hardware.nix
+++ b/hosts/terre-neuvas/hardware.nix
@@ -10,7 +10,7 @@
 boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
 boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-intel" ];
+ boot.kernelModules = lib.mkAfter [ "kvm-intel" "tun" ];
 boot.extraModulePackages = [ ];
 fileSystems."/" =
@@ -37,7 +37,7 @@
 # (the default) this is the recommended approach. When using systemd-networkd it's
 # still possible to use this option, but it's recommended to use it in conjunction
 # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
+ # networking.useDHCP = lib.mkDefault true;
 # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
 # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
diff --git a/modules/common/networking.nix b/modules/common/networking.nix
index 20186a4..17e8015 100644
--- a/modules/common/networking.nix
+++ b/modules/common/networking.nix
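Review bot: With `useNetworkd = true`, NixOS already generates networkd netdev/network units from `bridges.br0.interfaces`, `interfaces.br0` and `interfaces.eno1`, so the explicit `systemd.network.netdevs."br0"` and `networks."br0"`/`networks."eno1"` entries duplicate them; networkd applies only the first `.network` file in lexical order that matches an interface, so one of the two sets is silently ignored (presumably the hand-written ones, whose names sort after the generated `40-…` units), and the setup works by accident rather than by design. Keep one mechanism: either delete the whole `systemd.network` block (its `enable = true` is implied by `useNetworkd` anyway), or drop `bridges`/`interfaces`/`defaultGateway` and put `Address=`, `Gateway=` and `DNS=` on `networks."br0"`. Port 22 is now opened by hand; if `services.openssh.enable` is set elsewhere for this host, its `openFirewall` default already does that, so the entry is redundant but harmless. Style: the spacing is inconsistent within the block (`true ;`, `false ;`, `24 ;`, `"br0" ;` next to `"192.168.0.3";`), which one pass of alejandra or nixfmt would settle.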
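Review bot: hosts/terre-neuvas/hardware.nix has the shape of `nixos-generate-config` output (the networkd comment block, `lib.mkDefault`, commented per-interface `useDHCP` lines), so the hand edits in both hunks of this file — `lib.mkAfter [ "kvm-intel" "tun" ]` here and the commented-out `networking.useDHCP = lib.mkDefault true;` in `@@ -37,7 +37,7 @@` — will be lost the next time the file is regenerated. `"tun"` is also added by the new modules/common/qemu.nix (`boot.kernelModules = lib.mkAfter ["tun"];`), so it is presumably redundant here once that module is imported for this host, and DHCP is already turned off per interface in configuration.nix (`interfaces.eno1.useDHCP = false`, `interfaces.br0.useDHCP = false`), which takes precedence over the `mkDefault`. I would restore `boot.kernelModules = [ "kvm-intel" ];` and the original `networking.useDHCP = lib.mkDefault true;` and keep every intentional override in configuration.nix, where it survives regeneration.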
@@ -1,8 +1,7 @@
 _: {
 networking = {
- networkmanager.enable = true;
 nameservers = ["1.1.1.1" "8.8.8.8"];
- dhcpcd.extraConfig = "nohook resolv.conf";
+# dhcpcd.extraConfig = "nohook resolv.conf";
 firewall.enable = true;
 interfaces.enp11s0.wakeOnLan.enable = true ;
 };
diff --git a/modules/common/qemu.nix b/modules/common/qemu.nix
new file mode 100644
index 0000000..a701233
--- /dev/null
+++ b/modules/common/qemu.nix
@@ -0,0 +1,37 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ boot.kernelModules = lib.mkAfter ["tun"];
+ environment.systemPackages = with pkgs; [
+ qemu_kvm
+ virtiofsd
+ ];
+
+ services = {
+ udev.extraRules = ''
+ SUBSYSTEM=="vfio", GROUP="kvm", MODE="0660"
+ '';
+ spice-vdagentd.enable = true;
+ resolved.enable = true;
+ };
+
+ virtualisation.libvirtd = {
+ enable = true;
+ qemu = {
+ swtpm.enable = true;
+ ovmf.enable = true;
+ ovmf.packages = [pkgs.OVMFFull.fd];
+ runAsRoot = false;
+ };
+ };
+
+ users.users.lomig.extraGroups = ["libvirtd" "kvm" "input"];
+
+ environment.etc."qemu/bridge.conf".text = ''
+ allow br0
+ '';
+}
+# vim: set ts=2 sw=2 sts=2 et :
+
diff --git a/modules/dev/qemu.nix b/modules/dev/qemu.nix
deleted file mode 100644
index e70e4ab..0000000
--- a/modules/dev/qemu.nix
+++ /dev/null
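Review bot: Commenting out `dhcpcd.extraConfig = "nohook resolv.conf"` at the same time as removing `networkmanager.enable` means hosts that still import this module fall back to scripted networking with dhcpcd, and dhcpcd will now feed the lease's DNS servers into resolv.conf ahead of the static `nameservers = ["1.1.1.1" "8.8.8.8"]` two lines above, unless `services.resolved` is enabled on that host (the new modules/common/qemu.nix enables it, but only where it is imported). If DHCP-supplied resolvers are the intent, drop the `nameservers` line as well; if not, restore the `nohook` line or enable resolved here. Dead, commented-out options — this one, `# networking.useDHCP` in hardware.nix and the `# networking.firewall.allowedTCPPorts` block in levr.porzh.me.nix — are better deleted outright, since git keeps the history. `interfaces.enp11s0.wakeOnLan.enable` is host-specific (enp11s0 is pennsardin's NIC, judging by its bridge definition) and does not belong in a `common` module.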
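Review bot: `users.users.lomig.extraGroups = ["libvirtd" "kvm" "input"]` grants more than libvirt needs: with `runAsRoot = false` guests run under libvirt's unprivileged qemu user, so `kvm` is only required if `qemu_kvm` from `systemPackages` is run directly rather than through libvirtd, and `input` gives that user's processes read access to every /dev/input device, i.e. all keyboard and pointer events on the host — if it exists for evdev passthrough, keep it on the one host that does that. A per-user group line and `services.resolved.enable = true` are unrelated to virtualisation and sit oddly in a `common` module that both profiles now import; the group grant belongs next to the rest of `users.users.lomig` in the host configuration. `environment.etc."qemu/bridge.conf".text = "allow br0"` lets anyone who can run the setuid qemu-bridge-helper attach a tap to the LAN bridge, so confirm which group the wrapper is restricted to on this system and note in a comment whether user-session qemu or libvirtd is the consumer. The `SUBSYSTEM=="vfio"` udev rule only matters for PCI passthrough; a one-line comment such as `# vfio: let the kvm group open /dev/vfio/* for PCI passthrough` would save the next reader a guess.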
@@ -1,54 +0,0 @@
-{
- lib,
- pkgs,
- ...
-}: {
- imports = [
-# ../virtual/truenas.nix
- ];
- boot.kernelModules = lib.mkAfter ["tun"];
- environment.systemPackages = with pkgs; [
- qemu_kvm
- virtiofsd
- ];
-
- services = {
- udev.extraRules = ''
- # SUBSYSTEM=="block", ENV{ID_SERIAL}=="wwn-0x50000c500b0179482", GROUP="disk", MODE="0660"
- # SUBSYSTEM=="block", ENV{ID_SERIAL}=="wwn-0x50000c500cc529430", GROUP="disk", MODE="0660"
- # SUBSYSTEM=="block", ENV{ID_SERIAL}=="wwn-0x50000c500cc53994a", GROUP="disk", MODE="0660"
- # SUBSYSTEM=="block", ENV{ID_SERIAL}=="wwn-0x50000c500cc5551d4", GROUP="disk", MODE="0660"
- SUBSYSTEM=="vfio", GROUP="kvm", MODE="0660"
- '';
- spice-vdagentd.enable = true;
- resolved.enable = true;
- };
-
- virtualisation.libvirtd = {
- enable = true;
- qemu = {
- swtpm.enable = true;
- ovmf.enable = true;
- ovmf.packages = [pkgs.OVMFFull.fd];
- runAsRoot = false;
- };
- };
-
- users.users.lomig.extraGroups = ["libvirtd" "kvm" "input"];
- networking = {
- firewall.allowedTCPPorts = [5900 5901 5902];
- useDHCP = false;
- bridges.br0.interfaces = ["enp11s0"];
- };
-
- systemd.network.networks."10-br0" = {
- matchConfig.Name = "br0";
- networkConfig.DHCP = "yes";
- };
-
- environment.etc."qemu/bridge.conf".text = ''
- allow br0
- '';
-}
-# vim: set ts=2 sw=2 sts=2 et :
-
diff --git a/modules/sites/levr.porzh.me.nix b/modules/sites/levr.porzh.me.nix
index c5c5ee2..bd556c7 100644
--- a/modules/sites/levr.porzh.me.nix
+++ b/modules/sites/levr.porzh.me.nix
@@ -42,8 +42,8 @@
 # -----------------------------------------------------------------
 # 3️⃣ Ouverture du firewall (ports 80 et 443)
 # -----------------------------------------------------------------
- networking.firewall.allowedTCPPorts = [
- 80 # HTTP (pour la redirection ACME)
- 443 # HTTPS (site final)
- ];
+# networking.firewall.allowedTCPPorts = [
+# 80 # HTTP (pour la redirection ACME)
+# 443 # HTTPS (site final)
+# ];
 }
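Review bot: Commenting out the `80`/`443` entries removes the only place in this diff that opens 443, so HTTPS for levr.porzh.me — and the ACME flow that depends on it, depending on how the certificate is obtained — is blocked unless some module outside this diff opens it; the replacement list in hosts/terre-neuvas/configuration.nix (`[ 22 80 5900 5901 5902 ]`) has no 443, and that host looks like the one serving the sites (profiles/server-selfhosted.nix imports modules/sites/porzh.me.nix), though the diff does not show which profile terre-neuvas uses. Either keep `443 # HTTPS (site final)` here or add 443 to the host's list, and say in the commit message which file owns the web ports from now on. If the block really is obsolete, delete it rather than leaving it commented out; as written, the `# 3️⃣ Ouverture du firewall (ports 80 et 443)` heading above now describes nothing.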
diff --git a/profiles/server-selfhosted.nix b/profiles/server-selfhosted.nix
index 23492a2..c5a3bed 100644
--- a/profiles/server-selfhosted.nix
+++ b/profiles/server-selfhosted.nix
@@ -2,7 +2,7 @@
 imports = [
 ../modules/roles/server.nix
 ../modules/common/base.nix
- ../modules/common/networking.nix
+ ../modules/common/qemu.nix
 ../modules/services/printing.nix
 # ../modules/services/goaccess.nix
 ../modules/sites/porzh.me.nix
diff --git a/profiles/workstation-bspwm.nix b/profiles/workstation-bspwm.nix
index 9db2891..44f789a 100644
--- a/profiles/workstation-bspwm.nix
+++ b/profiles/workstation-bspwm.nix
@@ -14,6 +14,7 @@
 ../modules/services/printing.nix
 ../modules/common/lockscreen.nix
 ../modules/common/energy.nix
+ ../modules/common/qemu.nix
 ];
 services.openssh = {
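Review bot: `../modules/common/networking.nix` is replaced by `../modules/common/qemu.nix` instead of being kept alongside it, so the self-hosted server profile silently loses what that module still provides (`nameservers`, `firewall.enable = true`, the wake-on-LAN setting); terre-neuvas sets its own nameservers and the NixOS firewall is on by default, so this may be intentional, but a one-line import swap inside a diff this size reads like an accident. If the drop is deliberate, say so in the commit message; otherwise keep both lines, `../modules/common/networking.nix` followed by `../modules/common/qemu.nix`. The workstation profile in the next hunk adds the qemu import without removing anything, which is the shape I would expect here too.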