nixos raspberry pi

hardware-raspberry-pi.nix

{ config, lib, pkgs, modulesPath, ... }:

{
  imports =
    [
    "${fetchTarball "https://github.com/NixOS/nixos-hardware/archive/2a7063461c3751d83869a2a0a8ebc59e34bec5b2.tar.gz" }/raspberry-pi/4"
    ];

  boot.kernelPackages = pkgs.linuxPackages_rpi4;
  boot.kernel.sysctl."vm.swappiness" = 0;
  boot.tmpOnTmpfs = true;

  fileSystems = {
    "/boot/firmware" = {
      device = "/dev/disk/by-label/FIRMWARE";
      fsType = "vfat";
      options = [ "nofail" "noauto" ];
    };
    "/var/log" = {
      device = "none";
      fsType = "tmpfs";
      options = [ "defaults" "size=256M" "mode=755" ];
    };
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
      options = [ "noatime" ];
    };
  };


  boot.initrd.availableKernelModules = [
	  "reset-raspberrypi" # https://github.com/NixOS/nixpkgs/pull/143885
		  "xhci_pci" # from hardware configuration
  ];

  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

host-bb8.nix

{ config, pkgs, lib, ... }:

let
  nara = import ../apps/nara-arm.nix { inherit pkgs; };

in {
  imports = [
    ../hardware/raspberry-pi.nix
    ../profiles/common.nix
    ../profiles/edge.nix
    ../profiles/dns-server.nix
  ];

  networking.hostName = "bb8";
  time.timeZone = "America/Toronto";

  systemd.services.nara-music-station = (nara.mkNara "bb8");

  services.journald.extraConfig = "Storage=volatile";

  virtualisation.oci-containers.containers = {
    traefik.ports = [ "192.168.90.56:80:80" "192.168.90.56:443:443" ];
  };

  networking = {
	  firewall = {
		  allowedTCPPorts = [ 80 443 ];
		  allowedUDPPorts = [ ];
	  };

    useDHCP = false;
    dhcpcd.enable = false;
    usePredictableInterfaceNames = lib.mkForce false;

    defaultGateway = "192.168.90.1";
    nameservers = [ "192.168.90.1" ];

    interfaces.eth0 = {
      ipv4.addresses = [
        { address = "192.168.90.56"; prefixLength = 24; }
      ];
    };
  };
}

profiles-common.nix

{ config, lib, pkgs, modulesPath, ... }:

let
  unstable = import <nixos-unstable> { config = { allowUnfree = true; }; };

  sshKeysUrl = pkgs.fetchurl {
	  url = "https://github.com/eljojo.keys?1";
	  sha256 = "10mx82w2wrkk17li83gpp2ln1qna91d43sgj13qywayc2msymclf";
  };
  sshKeys = (lib.splitString "\n" (builtins.readFile sshKeysUrl));

in {
  imports =
    [
      (modulesPath + "/profiles/base.nix")
      ./security.nix
      ./docker.nix
    ];

  i18n = {
    defaultLocale = "en_US.UTF-8";
  };

  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  hardware.enableRedistributableFirmware = true;

  boot.cleanTmpDir = true;

  # safety glasses ON
  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_5_15_hardened;
  security.allowSimultaneousMultithreading = true;
  boot.supportedFilesystems = lib.mkForce [ "btrfs" "vfat" "xfs" "cifs" "ext4" "nfs" "rpc_pipefs" "nfsd" ];

  services.tailscale = { enable = true ; package = unstable.tailscale; } ;
  systemd.services.tailscaled.wantedBy = [ "network-online.target" "multi-user.target" "network.target" "sshd.service" ];
  security.sudo.wheelNeedsPassword = false;

  networking = {
	  firewall.enable = true;
	  firewall.allowPing = true;
	  firewall.allowedTCPPorts = [ 22 ];
	  firewall.allowedUDPPorts = [ config.services.tailscale.port  ];
	  firewall.trustedInterfaces = ["tailscale0"];
  };

  nixpkgs.config = {
	  allowUnfree = true;
  };

  services.chrony.enable = true;
  programs.mtr.enable = true;
  programs.mosh.enable = true;
  programs.vim.defaultEditor = true;

  services.openssh.enable = true;
  services.openssh.passwordAuthentication = false;
  services.openssh.challengeResponseAuthentication = false;
  services.fail2ban = {
	  enable = true;
	  maxretry = 5;
	  ignoreIP = [
		  "127.0.0.0/8"
		  "192.168.90.0/24"
		  "174.115.97.0"
	  ];
  };


  environment.systemPackages = with pkgs; [
	  service-wrapper coreutils-prefixed # unsure what i need this for
	  wget htop tmux silver-searcher git unstable.go curl
	  traceroute iftop iotop bind unstable.tailscale whois
	  vim
    jq # nara
    tree
    openssl # many things work better with this
    inetutils # telnet
    unstable.vault
  ];

  users.users.root = {
    openssh.authorizedKeys.keys = sshKeys;
  };
  users.users.jojo = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = sshKeys;
  };

  system.autoUpgrade.enable = true;
  system.autoUpgrade.allowReboot = false;
  system.autoUpgrade.dates = "Saturday *-*-* 8:00";
  nix.gc.automatic = true;
  nix.gc.dates = "Saturday *-*-* 10:00";
  nix.gc.options = "--delete-older-than 60d";
  nix.autoOptimiseStore = true;

  services.cron = {
	  enable = true;
	  systemCronJobs = [
		# min hour day-of-month month day-of-week
		"@weekly   root    nix-collect-garbage >> /tmp/cron.log"
		"@monthly  root    nix-collect-garbage -d >> /tmp/cron.log" # delete all old system version
	  ];
  };

  programs.zsh = {
	  enable = true;
	  enableCompletion = true;
	  autosuggestions.enable = true;
	  syntaxHighlighting.enable = true;
	  shellAliases = {
		  st = "git status";
		  gd = "git diff";
		  ga = "git add";
		  gc = "git commit";
		  push = "git push";
		  pull = "git pull origin --ff-only";
	  };

  };
  programs.bash.shellAliases = config.programs.zsh.shellAliases;

  system.activationScripts.binbash =
      ''
        mkdir -m 0755 -p /bin
	ln -sfn "${pkgs.bashInteractive}/bin/bash" /bin/.bash.tmp
	mv /bin/.bash.tmp /bin/bash # atomically replace /bin/bash
      '';

}

profiles-dns-server.nix

{ config, lib, pkgs, ... }:

let

hintsFile = "/var/lib/unbound/root.hints";

in {
  imports =
    [
    ];

  config.services.adguardhome.enable = true;

  config.services.unbound = {
    enable = true;
    resolveLocalQueries = false;

    settings = {
	    server = {
		    interface = [ "0.0.0.0" ];
		    port = 5353;
		    do-ip4 = "yes";
		    do-ip6 = "yes";
		    do-udp = "yes";
		    do-tcp = "yes";

		    private-address = [
			    "192.168.0.0/16"
			    "10.0.0.0/8"
			    "fd00::/8"
			    "fe80::/10"
		    ];

		    access-control = [
			    "192.168.0.0/16 allow"
			    "10.0.0.0/8 allow"
			    "127.0.0.0/8 allow"
		    ];

		    unblock-lan-zones = "yes";
		    insecure-lan-zones = "yes";
		    private-domain = [
			    "eljojo.casa"
			    "eljojo.net"
		    ];
		    domain-insecure = [
			    "eljojo.casa"
		    ];

		# cache size
		    rrset-cache-size = "256m";
		    msg-cache-size = "128m";

		# TTL bounds for cache
		    cache-min-ttl = 3600;
		    cache-max-ttl = 86400;

		# One thread should be sufficient, probably increases cache hits
		    num-threads = 1;

		    root-hints = hintsFile;

		# https://calomel.org/unbound_dns.html
		    rrset-roundrobin = "yes";
		    so-reuseport = "yes";
		    aggressive-nsec = "yes";

		# Ensure kernel buffer is large enough to not loose messages in traffic spikes
		    so-rcvbuf = "1m";

		# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
		    harden-dnssec-stripped = "yes";

		# Reduce EDNS reassembly buffer size.
		# Suggested by the unbound man page to reduce fragmentation reassembly problems
		    edns-buffer-size = 1472;

		# Perform prefetching of close to expired message cache entries
		# This only applies to domains that have been frequently queried
		    prefetch = "yes";
		    prefetch-key = "yes";

		# Trust glue only if it is within the servers authority
		    harden-glue = "yes";

		# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
		# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
		    use-caps-for-id = "no";

		# See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for details
		    qname-minimisation = "yes";
	    };
    };

  };

  config.boot.kernel.sysctl."net.core.rmem_max" = 1048576;

  config.networking.firewall = {
	  allowedTCPPorts = [ 3000 4433 853 784 ];
	  allowedUDPPorts = [ 53 5353 853 784];
  };

  config.services.cron = {
	  systemCronJobs = [
	  "@monthly   root   ${pkgs.wget}/bin/wget https://www.internic.net/domain/named.root -qO ${hintsFile} && chown unbound:unbound ${hintsFile}"
	  ];
  };
}

sd-card-build.sh

#!/usr/bin/env bash
# based on https://github.com/lucernae/nixos-pi
# and https://nix.dev/tutorials/installing-nixos-on-a-raspberry-pi
nix-build '<nixpkgs/nixos>' -A config.system.build.sdImage -I nixos-config=./configuration.sdImage.nix   --argstr system aarch64-linux   --option sandbox false --show-trace

sd-card-configuration.sdImage.nix

{ config, pkgs, lib, ... }:
{

  imports = [
    <nixpkgs/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix>

    # For nixpkgs cache
    <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>

    ../profiles/common.nix
    ../hardware/raspberry-pi.nix
  ];

  sdImage.compressImage = false;
  sdImage.firmwareSize = 256; # larger default for future needs

  # NixOS wants to enable GRUB by default
  boot.loader.grub.enable = false;
  # Enables the generation of /boot/extlinux/extlinux.conf
  boot.loader.generic-extlinux-compatible.enable = true;

  # Networking
  networking = {
    # useDHCP = true;
    interfaces.eth0 = {
      useDHCP = true;
      # I used DHCP because sometimes I disconnect the LAN cable
      #ipv4.addresses = [{
      #  address = "192.168.100.3";
      #  prefixLength = 24;
      #}];
    };
  };
}