initial commit
parent
47c8bd6fb0
commit
4751d60fe4
65
conf
65
conf
|
@ -1,63 +1,54 @@
|
|||
#!/usr/bin/env bash
|
||||
if ! [ -e deploy_key ] || ! [ -e secrets.nix ]
|
||||
set -xeuo pipefail
|
||||
if ! [ -e secrets.nix ]
|
||||
then
|
||||
git crypt unlock
|
||||
sudo chgrp nixbld deploy_key
|
||||
chmod 640 deploy_key
|
||||
fi
|
||||
export NIX_PATH="ssh-id-file=$PWD/deploy_key":secrets=$PWD/secrets.nix:yori-nix=$PWD
|
||||
function get_channel {
|
||||
case $1 in
|
||||
git)
|
||||
echo "nixpkgs=https://github.com/NixOS/nixpkgs/archive/master.tar.gz"
|
||||
;;
|
||||
stable)
|
||||
echo "nixpkgs=https://nixos.org/channels/nixos-18.03/nixexprs.tar.xz"
|
||||
;;
|
||||
checkout)
|
||||
echo "nixpkgs=$PWD/../projects/nixpkgs"
|
||||
;;
|
||||
channel)
|
||||
echo "/nix/var/nix/profiles/per-user/root/channels/nixos"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
case $1 in
|
||||
cloc)
|
||||
exec cloc --read-lang-def=deploy/nix_cloc .
|
||||
;;
|
||||
# TODO: remove nixpkgs dependency
|
||||
export NIX_PATH=yori-nix=$PWD:nixpkgs=channel:nixos-unstable
|
||||
host=$1
|
||||
TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)
|
||||
#TARGET_HOST=192.168.178.1
|
||||
case $2 in
|
||||
copy-keys)
|
||||
$0 exec "$2" nix build -f "\\<nixpkgs/nixos\\>" config.deployment.keys-copy --out-link copy-keys
|
||||
TARGET_HOST=$(jq -r ".$2.host"<servers.json)
|
||||
$0 exec "$2" nix build -f "<nixpkgs/nixos>" config.deployment.keys-copy --out-link copy-keys
|
||||
./copy-keys/bin/copy-keys "$TARGET_HOST"
|
||||
# rm ./copy-keys
|
||||
;;
|
||||
exec)
|
||||
CHANNEL=$(jq -r ".$2.pkgs"<servers.json)
|
||||
export NIX_PATH="$(get_channel "$CHANNEL"):nixos-config=$PWD/logical/$2.nix:$NIX_PATH"
|
||||
eval "${@:3}"
|
||||
channel_url=$(get_channel "$CHANNEL")
|
||||
export NIX_PATH="$channel_url:nixos-config=$PWD/logical/$2.nix:$NIX_PATH"
|
||||
"${@:3}"
|
||||
;;
|
||||
ssh)
|
||||
TARGET_HOST=$(jq -r ".$2.host"<servers.json)
|
||||
ssh root@"$TARGET_HOST"
|
||||
;;
|
||||
repl)
|
||||
exec "$0" exec "$2" nix repl "\\<nixpkgs\\>" "\\<nixpkgs/nixos\\>"
|
||||
exec "$0" exec "$2" nix repl '<nixpkgs>' '<nixpkgs/nixos>'
|
||||
;;
|
||||
build)
|
||||
exec "$0" exec "$2" nixos-rebuild build
|
||||
nix build -f servers.nix "$host" --show-trace
|
||||
;;
|
||||
copy)
|
||||
TARGET_HOST=$(jq -r ".$2.host"<servers.json)
|
||||
exec "$0" exec "$2" nixos-rebuild build --build-host localhost --target-host root@"$TARGET_HOST"
|
||||
nix copy -f servers.nix "$host" --show-trace --to "ssh://$TARGET_HOST"
|
||||
;;
|
||||
test)
|
||||
outPath=$(nix-build servers.nix -A "$host")
|
||||
nix copy -f servers.nix "$host" --show-trace --to "ssh://$TARGET_HOST"
|
||||
ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration test
|
||||
;;
|
||||
boot)
|
||||
TARGET_HOST=$(jq -r ".$2.host"<servers.json)
|
||||
exec "$0" exec "$2" nixos-rebuild --build-host localhost --target-host root@"$TARGET_HOST" boot
|
||||
outPath=$(nix-build servers.nix -A "$host")
|
||||
nix copy "$outPath" --show-trace --to "ssh://$TARGET_HOST"
|
||||
ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
|
||||
ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration boot
|
||||
;;
|
||||
switch)
|
||||
TARGET_HOST=$(jq -r ".$2.host"<servers.json)
|
||||
exec "$0" exec "$2" nixos-rebuild --build-host localhost --target-host root@"$TARGET_HOST" switch
|
||||
outPath=$(nix-build servers.nix -A "$host")
|
||||
nix copy "$outPath" --show-trace --to "ssh://$TARGET_HOST"
|
||||
ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
|
||||
ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration switch
|
||||
;;
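Review bot: `$outPath` is left unquoted in the three remote activation calls (`ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration test`, and the same shape in the `boot` and `switch` arms) while the neighbouring `nix-env ... --set "$outPath"` quotes it; quote it consistently, `ssh root@"$TARGET_HOST" "$outPath/bin/switch-to-configuration" test`, so the script's new `set -euo pipefail` discipline is not undermined by word splitting. The `test` arm also copies with `nix copy -f servers.nix "$host"`, re-evaluating the configuration that `nix-build servers.nix -A "$host"` just built, whereas `boot` and `switch` copy `"$outPath"`; copying the built path guarantees the closure on the remote is exactly the one that is then activated. If the `copy-keys` and `exec` arms survive on the new side, they still pass `"$2"` as the host to `$0 exec`, although `host=$1` now holds the host and `$2` selects the action — worth checking, since the sides of those lines are not recoverable here. The script drops every reference to `deploy_key` and the commit lists the binary `deploy_key` itself; if that key is being removed from the repository it stays recoverable from history, git-crypt or not, so the matching SSH key should be revoked on the hosts that accept it.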
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +0,0 @@
|
|||
Nix
|
||||
filter remove_matches ^\s*#
|
||||
filter remove_inline #.*$
|
||||
extension nix
|
||||
3rd_gen_scale 3.9
|
BIN
deploy_key
BIN
deploy_key
|
@ -13,6 +13,7 @@
|
|||
"https://cache.nixos.org"
|
||||
"https://disciplina.cachix.org"
|
||||
];
|
||||
trustedUsers = [ "root" "lars" ];
|
||||
};
|
||||
users.users.lars = {
|
||||
isNormalUser = true;
|
||||
|
@ -20,4 +21,5 @@
|
|||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBze0fBV/Fpz9bz1WKkbPlj8h526ZfduOcQVlA+7j0+yzlT+jX6nLNjXNmIi6JZoERj8lG4/avkagldj+wwqWrKM2xOMgIUx34i+br5+U4Y7DedljfPV9k8eE55SI4BjfO697V7BhHP4eooRUjNVmqSmRAld06hJzMj7irGWHK+RPrK0M1BvGgSV5pL50jzQGd2unxvNuxSk1rWBNfNEGt6ok0G8/ud0Gw5QbcYWzbbnKBB8JsgBct22txtcgVbRyqftD+vpFl0Oyq4tiQbSHqa8qpFyV/wTf4Cs1Zz7WrqH+2xfx+oUsCOfMKuvCI8FKtriAWEmfOM42bBi50v2kj"
|
||||
];
|
||||
};
|
||||
boot.kernelPackages = pkgs.linuxPackages_4_19;
|
||||
}
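Review bot: `trustedUsers = [ "root" "lars" ];` makes `lars` a Nix trusted user, which lets that account pass any daemon setting on the command line (`substituters`, `trusted-public-keys`, `sandbox`, signature checking) — on a NixOS host that is effectively root-equivalent, well beyond what the plain `isNormalUser = true;` account declared just below suggests. If the purpose is only to consume the two substituters listed above, they and their keys can stay in the system-wide `nix` settings and `lars` can remain an ordinary user; if the grant is intended, record why, e.g. `# trusted: may override substituters/sandbox — equivalent to root`. The `boot.kernelPackages = pkgs.linuxPackages_4_19;` pin in the second hunk also deserves a one-line comment naming the reason, so it is revisited rather than silently kept once that LTS series stops receiving updates in the channel.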
|
||||
|
|
|
@ -0,0 +1,42 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
imports =
|
||||
[ ../physical/3950x.nix
|
||||
../roles/workstation.nix
|
||||
];
|
||||
|
||||
nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ];
|
||||
system.stateVersion = "19.09";
|
||||
|
||||
networking.wireguard.interfaces = {
|
||||
wg-lumi = {
|
||||
privateKeyFile = "/home/yorick/engineering/lumi/secrets/devel/vpn/wg/workstations.yorick-homepc.key";
|
||||
ips = [ "10.109.0.18" ];
|
||||
peers = [ {
|
||||
publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI=";
|
||||
endpoint = "wg.lumi.guide:31727";
|
||||
allowedIPs = [ "10.96.0.0/12" "10.0.12.0/22" "10.0.1.0/26" ];
|
||||
}];
|
||||
postSetup = "ip link set dev wg-lumi mtu 1408";
|
||||
};
|
||||
};
|
||||
|
||||
# development
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
enableTCPIP = true;
|
||||
package = pkgs.postgresql_10;
|
||||
};
|
||||
# users.users.pie = {
|
||||
# isNormalUser = true;
|
||||
# openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDpj2GrPpXtAp9Is0wDyQNl8EQnBiITkSAjhf7EjIqX" ];
|
||||
# };
|
||||
# services.nfs.server = {
|
||||
# enable = true;
|
||||
# exports = ''
|
||||
# /export 10.40.0.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash)
|
||||
# /export/nfs/client1 10.40.0.0/24(insecure,rw,sync,no_subtree_check,crossmnt,all_squash,anonuid=0,anongid=0,no_root_squash)
|
||||
# /export/nfs/client1/nix 10.40.0.0/24(insecure,ro,sync,no_subtree_check,crossmnt)
|
||||
# '';
|
||||
# };
|
||||
}
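Review bot: `nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ];` fetches an unpinned `master` tarball with no `sha256`, so every evaluation pulls whatever that branch currently holds — the overlay, and every package built through it, is controlled by a third party at evaluation time and two deploys are not reproducible. Pin it the way the kassala section pins nixos-mailserver (`url` plus `sha256`), or add it as a niv source next to `nixpkgs` in `nix/sources.json`; the identical line appears in the xps9360 section, and the commented-out copy in the nuc section would carry the same issue if revived. `privateKeyFile = "/home/yorick/..."` ties a system-level WireGuard interface to a path inside a user's home; confirm the file is root-owned and not writable by that user, and note it, e.g. `# key lives in the user's checkout; must stay root:root 0600 — TODO confirm`.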
|
|
@ -1,19 +1,74 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
imports = [
|
||||
<yori-nix/physical/fractal.nix>
|
||||
<yori-nix/roles/server.nix>
|
||||
../physical/fractal.nix
|
||||
../roles/server.nix
|
||||
../roles/homeserver.nix
|
||||
../services/torrent-wg.nix
|
||||
];
|
||||
|
||||
|
||||
system.stateVersion = "15.09";
|
||||
networking.hostId = "0702dbe9";
|
||||
|
||||
services.nginx.enable = true;
|
||||
services.yorick = {
|
||||
public = { enable = true; vhost = "pub.yori.cc"; };
|
||||
gogs = { enable = true; vhost = "git.yori.cc"; };
|
||||
quassel.enable = true;
|
||||
services.nginx.virtualHosts."${config.networking.hostName}" = {
|
||||
enableACME = lib.mkForce false;
|
||||
forceSSL = lib.mkForce false;
|
||||
default = true;
|
||||
};
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
services.yorick.torrent-vpn = {
|
||||
enable = true; name = "mullvad-nl3"; namespace = "torrent";
|
||||
};
|
||||
services.plex = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
};
|
||||
services.victoriametrics = {
|
||||
enable = true;
|
||||
retentionPeriod = 12;
|
||||
};
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
extraFlags = [
|
||||
"--web.enable-admin-api"
|
||||
];
|
||||
# victoriametrics
|
||||
extraConfig.remote_write = [ { url = "http://127.0.0.1:8428/api/v1/write"; } ];
|
||||
scrapeConfigs = [ {
|
||||
job_name = "smartmeter";
|
||||
# prometheus doesn't support mdns :thinking_face:
|
||||
static_configs = [ { targets = [ "192.168.178.30" ]; } ];
|
||||
scrape_interval = "10s";
|
||||
} {
|
||||
job_name = "node";
|
||||
static_configs = [ { targets = [ "localhost:9100" ]; } ];
|
||||
# } {
|
||||
# job_name = "unifi";
|
||||
# static_configs = [ { targets = [ "localhost:9130" ]; } ];
|
||||
} {
|
||||
job_name = "thermometer";
|
||||
static_configs = [ { targets = [ "192.168.178.21:8000" ]; } ];
|
||||
}];
|
||||
exporters.node.enable = true;
|
||||
# exporters.unifi = {
|
||||
# enable = true;
|
||||
# unifiAddress = "https://woodhouse.home.yori.cc:8443";
|
||||
# unifiInsecure = true;
|
||||
# unifiUsername = "ReadOnlyUser";
|
||||
# unifiPassword = "ReadOnlyPassword";
|
||||
# };
|
||||
};
|
||||
networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 3000 9090 ];
|
||||
networking.firewall.allowedTCPPorts = [ 1883 ];
|
||||
networking.firewall.allowedUDPPorts = [ 1883 ];
|
||||
services.rabbitmq = {
|
||||
enable = true;
|
||||
plugins = [ "rabbitmq_mqtt" "rabbitmq_management" ];
|
||||
};
|
||||
services.grafana = {
|
||||
enable = true;
|
||||
addr = "0.0.0.0";
|
||||
domain = "grafana.yori.cc";
|
||||
};
|
||||
|
||||
|
||||
}
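Review bot: `"--web.enable-admin-api"` turns on Prometheus' TSDB admin endpoints (series deletion, snapshots, tombstone cleanup), which carry no authentication of their own, and the same section opens port 9090 to the whole `wg-y` interface with `networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 3000 9090 ];`; unless every VPN peer is meant to be able to delete metrics, drop the flag or restrict 9090 to the one consumer visible in this commit (the kassala section's `prometheus.yori.cc` vhost proxying from `10.209.0.1`). `networking.firewall.allowedTCPPorts = [ 1883 ];` and the matching UDP rule open the RabbitMQ MQTT listener on every interface while nothing in this hunk configures its authentication — confirm anonymous MQTT logins are disabled before exposing it beyond loopback, and note that MQTT over UDP 1883 is unlikely to be used at all. A comment on the firewall lines naming each port's consumer, e.g. `# 9090: prometheus, reverse-proxied by kassala over wg-y`, would keep these rules from outliving the services they serve.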
|
||||
|
|
|
@ -1,15 +1,30 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ <yori-nix/physical/xps9360.nix>
|
||||
<yori-nix/roles/workstation.nix>
|
||||
[ ../physical/xps9360.nix
|
||||
../roles/workstation.nix
|
||||
];
|
||||
|
||||
|
||||
nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ];
|
||||
system.stateVersion = "17.09";
|
||||
|
||||
services.xserver.displayManager.sessionCommands = ''
|
||||
${pkgs.xorg.xrandr}/bin/xrandr --dpi 192
|
||||
'';
|
||||
networking.wireguard.interfaces = {
|
||||
wg-lumi = {
|
||||
privateKeyFile = "/home/yorick/engineering/lumi/secrets/devel/vpn/wg/workstations.yorick.key";
|
||||
ips = [ "10.109.0.10" ];
|
||||
peers = [ {
|
||||
publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI=";
|
||||
endpoint = "wg.lumi.guide:31727";
|
||||
allowedIPs = [ "10.96.0.0/12" "10.0.12.0/22" "10.0.1.0/26" ];
|
||||
}];
|
||||
postSetup = "ip link set dev wg-lumi mtu 1371";
|
||||
};
|
||||
};
|
||||
|
||||
# development
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
enableTCPIP = true;
|
||||
package = pkgs.postgresql_10;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -3,42 +3,51 @@
|
|||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
sslforward = proxyPass: {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
inherit proxyPass;
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
vpn = import ../vpn.nix;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
<yori-nix/physical/kassala.nix>
|
||||
<yori-nix/roles/server.nix>
|
||||
../modules/muflax-blog.nix
|
||||
../physical/hetznercloud.nix
|
||||
../roles/server.nix
|
||||
(builtins.fetchTarball {
|
||||
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.1/nixos-mailserver-v2.2.1.tar.gz";
|
||||
sha256 = "03d49v8qnid9g9rha0wg2z6vic06mhp0b049s3whccn1axvs2zzx";
|
||||
})
|
||||
../modules/muflax-blog.nix
|
||||
];
|
||||
|
||||
system.stateVersion = "16.03";
|
||||
system.stateVersion = "19.03";
|
||||
|
||||
services.nginx.enable = true;
|
||||
services.yorick = {
|
||||
public = { enable = true; vhost = "pub.yori.cc"; };
|
||||
website = { enable = true; vhost = "yorickvanpelt.nl"; };
|
||||
mail = {
|
||||
enable = true;
|
||||
mainUser = "yorick";
|
||||
users.yorick = {
|
||||
password = (import <yori-nix/secrets.nix>).yorick_mailPassword;
|
||||
domains = ["yori.cc" "yorickvanpelt.nl"];
|
||||
git = { enable = true; vhost = "git.yori.cc"; };
|
||||
muflax-church = { enable = true; vhost = "muflax.church"; };
|
||||
};
|
||||
mailserver = rec {
|
||||
enable = true;
|
||||
fqdn = "pennyworth.yori.cc";
|
||||
domains = [ "yori.cc" "yorickvanpelt.nl" ];
|
||||
loginAccounts = {
|
||||
"yorick@yori.cc" = {
|
||||
hashedPassword = (import ../secrets.nix).yorick_mailPassword;
|
||||
catchAll = domains;
|
||||
aliases = [ "@yori.cc" "@yorickvanpelt.nl" ];
|
||||
};
|
||||
};
|
||||
xmpp = {
|
||||
enable = false;
|
||||
vhost = "yori.cc";
|
||||
admins = [ "yorick@yori.cc" ];
|
||||
};
|
||||
certificateScheme = 3;
|
||||
enableImapSsl = true;
|
||||
};
|
||||
services.nginx.virtualHosts."yori.cc" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
globalRedirect = "yorickvanpelt.nl";
|
||||
};
|
||||
|
||||
|
||||
|
||||
|
||||
services.muflax-blog = {
|
||||
enable = true;
|
||||
|
@ -50,41 +59,36 @@
|
|||
private_key = "/root/keys/http.muflax.key";
|
||||
};
|
||||
};
|
||||
users.extraUsers.git = {
|
||||
createHome = true;
|
||||
home = config.services.gitea.stateDir; extraGroups = [ "git" ]; useDefaultShell = true;};
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
user = "git";
|
||||
database.user = "root";
|
||||
database.name = "gogs";
|
||||
#dump.enable = true; TODO: backups
|
||||
domain = "git.yori.cc";
|
||||
rootUrl = "https://git.yori.cc/";
|
||||
httpAddress = "localhost";
|
||||
cookieSecure = true;
|
||||
extraConfig = ''
|
||||
[service]
|
||||
REGISTER_EMAIL_CONFIRM = false
|
||||
ENABLE_NOTIFY_MAIL = false
|
||||
DISABLE_REGISTRATION = true
|
||||
REQUIRE_SIGNIN_VIEW = false
|
||||
[picture]
|
||||
DISABLE_GRAVATAR = false
|
||||
[mailer]
|
||||
ENABLED = false
|
||||
AVATAR_UPLOAD_PATH = ${config.services.gitea.stateDir}/data/avatars
|
||||
services.nginx.commonHttpConfig = ''
|
||||
access_log off;
|
||||
'';
|
||||
services.nginx.virtualHosts = {
|
||||
"yori.cc" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
globalRedirect = "yorickvanpelt.nl";
|
||||
};
|
||||
"grafana.yori.cc" = sslforward "http://${vpn.ips.frumar}:3000";
|
||||
"ubiquiti.yori.cc" = sslforward "https://${vpn.ips.woodhouse}:8443";
|
||||
"prometheus.yori.cc" = {
|
||||
# only over vpn
|
||||
listen = [ { addr = "10.209.0.1"; port = 80; } ];
|
||||
locations."/".proxyPass = "http://10.209.0.3:9090";
|
||||
};
|
||||
"pub.yori.cc".locations."/muflax/".extraConfig = ''
|
||||
rewrite ^/muflax/(.*)$ https://alt.muflax.church/$1 permanent;
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."git.yori.cc" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString config.services.gitea.httpPort}";
|
||||
extraConfig = ''
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
deployment.keyys = [ <yori-nix/keys/http.muflax.key> ];
|
||||
networking.firewall.allowedUDPPorts = [ 31790 ]; # wg
|
||||
networking.wireguard.interfaces.wg-y.peers =
|
||||
lib.mkForce (lib.mapAttrsToList (machine: publicKey: {
|
||||
inherit publicKey;
|
||||
allowedIPs = [ "${vpn.ips.${machine}}/32" ];
|
||||
}) vpn.keys);
|
||||
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
|
||||
environment.noXlibs = true;
|
||||
users.users.yorick.packages = with pkgs; [
|
||||
python2 sshfs-fuse weechat
|
||||
];
|
||||
}
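Review bot: `hashedPassword = (import ../secrets.nix).yorick_mailPassword;` feeds the password hash into an option value, and option values of this kind are very likely rendered into a world-readable Nix store path on the host (and on every machine the closure is copied to), where the hash is exposed to offline cracking; if the pinned nixos-mailserver v2.2.1 offers `hashedPasswordFile`, prefer it and point it at a root-only deployed file, as is already done for `private_key = "/root/keys/http.muflax.key"`. git-crypt protecting `secrets.nix` in the repository does not change this — the hash leaves the repo at evaluation time. If `deployment.keyys = [ <yori-nix/keys/http.muflax.key> ];` is on the new side of this hunk, it is a typo for `keys` and it still uses the `<yori-nix/...>` search-path form that the rest of the commit replaces with relative paths; the first hunk's attribute set continues past its end, so the intended declaration may sit outside what is shown.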
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
secrets = import <secrets>;
|
||||
#secrets = import <secrets>;
|
||||
mkFuseMount = device: opts: {
|
||||
# todo: "ServerAliveCountMax=3" "ServerAliveInterval=30"
|
||||
|
||||
|
@ -16,24 +16,47 @@ in
|
|||
imports = [
|
||||
<yori-nix/physical/nuc.nix>
|
||||
<yori-nix/roles/graphical.nix>
|
||||
#<yori-nix/roles/homeserver.nix>
|
||||
];
|
||||
|
||||
system.stateVersion = "17.09";
|
||||
# nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ];
|
||||
# system.stateVersion = "17.09";
|
||||
|
||||
# fuse mounts
|
||||
system.fsPackages = [ pkgs.sshfsFuse ];
|
||||
|
||||
|
||||
# programs.sway = {
|
||||
# enable = true;
|
||||
# extraSessionCommands = ''
|
||||
# export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])}
|
||||
# '';
|
||||
# };
|
||||
#fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" [];
|
||||
#fileSystems."/mnt/oxygen" = mkFuseMount "yorick@oxygen.obfusk.ch:" [];
|
||||
#fileSystems."/mnt/nyamsas" = mkFuseMount "yorick@nyamsas.quezacotl.nl:" ["port=1337"];
|
||||
hardware.bluetooth.enable = true;
|
||||
|
||||
# kodi ports
|
||||
networking.firewall.allowedTCPPorts = [7 8080 9090 9777];
|
||||
networking.firewall.allowedTCPPorts = [7 8080 8443 9090 9777];
|
||||
users.users.tv = {
|
||||
isNormalUser = true;
|
||||
uid = 1043;
|
||||
extraGroups = [ "wheel" ];
|
||||
hashedPassword = "$6$hD4ESAGS8O1d$yctx6spOPZ0nt/6cgYpsWZ86UoXw3ISRpf2gbdhbl8JgDz6Psjx6JCqJ9NsMi5BHnXlgRRK/z2SVrTjHEsqQR.";
|
||||
packages = with pkgs; [ plex-media-player ];
|
||||
};
|
||||
services.xserver.windowManager.i3.enable = true;
|
||||
networking.useNetworkd = true;
|
||||
networking.dhcpcd.enable = false;
|
||||
services.resolved.enable = true;
|
||||
services.nscd.enable = false;
|
||||
networking.interfaces.eno1.useDHCP = true;
|
||||
networking.useDHCP = false;
|
||||
#services.xserver.enable = lib.mkForce false;
|
||||
# services.unifi = {
|
||||
# enable = true;
|
||||
# unifiPackage = pkgs.unifiStable;
|
||||
# };
|
||||
# todo: debug:
|
||||
services.resolved.extraConfig = "MulticastDNS=true";
|
||||
systemd.network.networks."40-eno1".networkConfig.MulticastDNS="yes";
|
||||
services.fstrim.enable = true;
|
||||
}
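Review bot: `hashedPassword = "$6$…"` for `users.users.tv` is committed in clear in this file rather than behind the git-crypt-protected secrets that the top of the hunk just disabled (`#secrets = import <secrets>;`), so the hash is exposed to offline cracking by anyone with read access to the repository; move it back behind `secrets`, or use `passwordFile` pointing at a deployed root-only file. The same account is added to `wheel`, which on a shared media box turns the TV login into an administrative one — confirm that is intended and say so in a comment, e.g. `# wheel: needed for … — TODO confirm`. Port 8443 is added to `networking.firewall.allowedTCPPorts` while the only consumer visible, `services.unifi`, stays commented out; leave the port closed until the service is enabled.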
|
||||
|
|
|
@ -1,59 +0,0 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.services.backup;
|
||||
inherit (lib) mkEnableOption mkOption types mkIf
|
||||
flip mapAttrs' nameValuePair;
|
||||
in
|
||||
{
|
||||
|
||||
options.services.backup = {
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
backups = mkOption {
|
||||
type = types.loaOf types.optionSet;
|
||||
options = {
|
||||
dir = mkOption { type = types.str; };
|
||||
remote = mkOption { type = types.str; };
|
||||
keyfile = mkOption { type = types.str; };
|
||||
keyid = mkOption { type = types.str; default = "root"; };
|
||||
exclude = mkOption { type = types.str; default = ""; };
|
||||
interval = mkOption { type = types.str; default = "weekly"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
config = mkIf cfg.enable {
|
||||
# TODO: generate key in pre-start?
|
||||
systemd.services = let
|
||||
sectionToService = name: data: with data; {
|
||||
description = "Back up ${name}";
|
||||
serviceConfig = {
|
||||
IOSchedulingClass="idle";
|
||||
#Type = "oneshot";
|
||||
};
|
||||
script = ''
|
||||
source ${keyfile}
|
||||
${pkgs.duplicity}/bin/duplicity ${dir} ${remote} \
|
||||
--ssl-cacert-file /etc/ssl/certs/ca-bundle.crt \
|
||||
--encrypt-key ${keyid} \
|
||||
--exclude-filelist ${pkgs.writeText "dupignore" exclude} \
|
||||
--asynchronous-upload \
|
||||
--volsize 100 \
|
||||
--allow-source-mismatch
|
||||
'';
|
||||
after = ["network.target" "network-online.target"];
|
||||
wants = ["network-online.target"];
|
||||
};
|
||||
in flip mapAttrs' cfg.backups (name: data: nameValuePair
|
||||
("backup-${name}")
|
||||
(sectionToService name data));
|
||||
systemd.timers = flip mapAttrs' cfg.backups (name: data: nameValuePair
|
||||
("backup-${name}")
|
||||
({
|
||||
description = "Periodically backups ${name}";
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnCalendar = data.interval;
|
||||
Unit = "backup-${name}.service";
|
||||
};
|
||||
}));
|
||||
};
|
||||
}
|
|
@ -1,287 +0,0 @@
|
|||
# https://github.com/valeriangalliat/nixos-mailz
|
||||
# manual actions:
|
||||
# run sa-update
|
||||
# configure DNS (dkim at /var/lib/dkim/*/default.txt)
|
||||
# mkdir /var/empty/.spamassassin
|
||||
# chown -R spamd /var/empty/.spamassassin
|
||||
# possibly unneeded:
|
||||
# chgrp -R vmail /var/spool/mail
|
||||
# chmod g+rwx /var/spool/mail
|
||||
# TODO: rspamd?
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.mailz;
|
||||
|
||||
alldomains = lib.concatLists (mapAttrsToList (n: usr: usr.domains) cfg.users);
|
||||
|
||||
files = {
|
||||
credentials = pkgs.writeText "credentials"
|
||||
(concatStringsSep "\n"
|
||||
(flip mapAttrsToList cfg.users
|
||||
(user: options: "${user} ${options.password}")));
|
||||
|
||||
# dovecot2
|
||||
users = pkgs.writeText "users"
|
||||
(concatStringsSep "\n"
|
||||
(flip mapAttrsToList cfg.users
|
||||
(user: options: "${user}:${options.password}:::::")));
|
||||
|
||||
domains = pkgs.writeText "domains"
|
||||
(concatStringsSep "\n" alldomains);
|
||||
|
||||
spamassassinSieve = pkgs.writeText "spamassassin.sieve" ''
|
||||
require "fileinto";
|
||||
if header :contains "X-Spam-Flag" "YES" {
|
||||
fileinto "Spam";
|
||||
}
|
||||
'';
|
||||
|
||||
};
|
||||
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
options = {
|
||||
services.mailz = {
|
||||
domain = mkOption {
|
||||
default = cfg.networking.hostName;
|
||||
type = types.str;
|
||||
description = "Domain for this mail server.";
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
default = "vmail";
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
default = "vmail";
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
uid = mkOption {
|
||||
default = 2000;
|
||||
type = types.int;
|
||||
};
|
||||
|
||||
gid = mkOption {
|
||||
default = 2000;
|
||||
type = types.int;
|
||||
};
|
||||
|
||||
dkimDirectory = mkOption {
|
||||
default = "/var/lib/dkim";
|
||||
type = types.str;
|
||||
description = "Where to store DKIM keys.";
|
||||
};
|
||||
|
||||
dkimBits = mkOption {
|
||||
type = types.int;
|
||||
default = 2048;
|
||||
description = "Size of the generated DKIM key.";
|
||||
};
|
||||
|
||||
mainUser = mkOption {
|
||||
example = "root";
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
keydir = mkOption {
|
||||
type = types.str;
|
||||
description = "The place to look for the ssl key";
|
||||
default = "${config.security.acme.directory}/${cfg.domain}";
|
||||
};
|
||||
|
||||
users = mkOption {
|
||||
default = { };
|
||||
type = types.loaOf types.optionSet;
|
||||
description = ''
|
||||
Attribute set of users.
|
||||
'';
|
||||
|
||||
options = {
|
||||
password = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
The user password, generated with
|
||||
<literal>smtpctl encrypt</literal>.
|
||||
'';
|
||||
};
|
||||
domains = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = ["example.com"];
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
example = {
|
||||
"foo" = {
|
||||
password = "encrypted";
|
||||
};
|
||||
"bar" = {
|
||||
password = "encrypted";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf (cfg.users != { }) {
|
||||
system.activationScripts.mailz = ''
|
||||
# Make sure SpamAssassin database is present
|
||||
#if ! [ -d /etc/spamassassin ]; then
|
||||
# cp -r ${pkgs.spamassassin}/share/spamassassin /etc
|
||||
#fi
|
||||
|
||||
# Make sure a DKIM private key exist
|
||||
if ! [ -d ${cfg.dkimDirectory} ]; then
|
||||
mkdir -p ${cfg.dkimDirectory}
|
||||
chmod 700 ${cfg.dkimDirectory}
|
||||
chown ${config.services.rmilter.user} ${cfg.dkimDirectory}
|
||||
fi
|
||||
# Generate missing keys
|
||||
'' +
|
||||
(lib.concatMapStringsSep "\n" (domain: ''
|
||||
if ! [ -e ${cfg.dkimDirectory}/${domain}.default.key ]; then
|
||||
${pkgs.opendkim}/bin/opendkim-genkey --bits ${toString cfg.dkimBits} --domain ${domain} --directory ${cfg.dkimDirectory} --selector default
|
||||
mv ${cfg.dkimDirectory}/default.private ${cfg.dkimDirectory}/${domain}.default.key
|
||||
mv ${cfg.dkimDirectory}/default.txt ${cfg.dkimDirectory}/${domain}.default.txt
|
||||
chown ${config.services.rmilter.user} ${cfg.dkimDirectory}/${domain}.default.*
|
||||
fi
|
||||
'') alldomains);
|
||||
services.rspamd.enable = true;
|
||||
services.rmilter = {
|
||||
enable = true;
|
||||
socketActivation = false;
|
||||
#debug = true;
|
||||
rspamd.enable = true;
|
||||
postfix.enable = true;
|
||||
extraConfig = ''
|
||||
dkim {
|
||||
domain {
|
||||
key = ${cfg.dkimDirectory};
|
||||
domain = "*";
|
||||
selector = "default";
|
||||
};
|
||||
header_canon = relaxed;
|
||||
body_canon = relaxed;
|
||||
sign_alg = sha256;
|
||||
};
|
||||
'';
|
||||
};
|
||||
|
||||
services.postfix = {
|
||||
enable = true;
|
||||
destination = alldomains ++ ["$myhostname" "localhost.$mydomain" "$mydomain" "localhost"];
|
||||
sslCert = "${cfg.keydir}/fullchain.pem";
|
||||
sslKey = "${cfg.keydir}/key.pem";
|
||||
postmasterAlias = cfg.mainUser;
|
||||
enableSubmission = true;
|
||||
virtual = lib.concatStringsSep "\n" (lib.mapAttrsToList (name: usr:
|
||||
lib.concatMapStringsSep "\n" (dom: "@${dom} ${name}") usr.domains) cfg.users);
|
||||
extraConfig = ''
|
||||
mailbox_transport = lmtp:unix:dovecot-lmtp
|
||||
'';
|
||||
submissionOptions = {
|
||||
"smtpd_tls_security_level" = "encrypt";
|
||||
"smtpd_sasl_auth_enable" = "yes";
|
||||
"smtpd_sasl_type" = "dovecot";
|
||||
"smtpd_sasl_path" = "/var/lib/postfix/auth";
|
||||
"smtpd_client_restrictions" = "permit_sasl_authenticated,reject";
|
||||
#"milter_macro_daemon_name" = "ORIGINATING";
|
||||
};
|
||||
};
|
||||
|
||||
services.dovecot2 = {
|
||||
enable = true;
|
||||
enablePop3 = false;
|
||||
enableLmtp = true;
|
||||
mailLocation = "maildir:/var/spool/mail/%n";
|
||||
mailUser = cfg.user;
|
||||
mailGroup = cfg.group;
|
||||
modules = [ pkgs.dovecot_pigeonhole ];
|
||||
sslServerCert = "${cfg.keydir}/fullchain.pem";
|
||||
sslServerKey = "${cfg.keydir}/key.pem";
|
||||
enablePAM = false;
|
||||
sieveScripts = { before = files.spamassassinSieve; };
|
||||
extraConfig = ''
|
||||
postmaster_address = postmaster@${head alldomains}
|
||||
|
||||
service lmtp {
|
||||
unix_listener /var/lib/postfix/queue/dovecot-lmtp {
|
||||
mode = 0660
|
||||
user = postfix
|
||||
group = postfix
|
||||
}
|
||||
}
|
||||
service auth {
|
||||
unix_listener /var/lib/postfix/auth {
|
||||
mode = 0660
|
||||
# Assuming the default Postfix user and group
|
||||
user = postfix
|
||||
group = postfix
|
||||
}
|
||||
}
|
||||
|
||||
userdb {
|
||||
driver = passwd-file
|
||||
args = username_format=%n ${files.users}
|
||||
default_fields = uid=${cfg.user} gid=${cfg.user} home=/var/spool/mail/%n
|
||||
}
|
||||
|
||||
passdb {
|
||||
driver = passwd-file
|
||||
args = username_format=%n ${files.users}
|
||||
}
|
||||
|
||||
namespace inbox {
|
||||
inbox = yes
|
||||
|
||||
mailbox Sent {
|
||||
auto = subscribe
|
||||
special_use = \Sent
|
||||
}
|
||||
|
||||
mailbox Drafts {
|
||||
auto = subscribe
|
||||
special_use = \Drafts
|
||||
}
|
||||
|
||||
mailbox Spam {
|
||||
auto = create
|
||||
special_use = \Junk
|
||||
}
|
||||
|
||||
mailbox Trash {
|
||||
auto = subscribe
|
||||
special_use = \Trash
|
||||
}
|
||||
|
||||
mailbox Archive {
|
||||
auto = subscribe
|
||||
special_use = \Archive
|
||||
}
|
||||
}
|
||||
|
||||
protocol lmtp {
|
||||
mail_plugins = $mail_plugins sieve
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
users.extraUsers = optional (cfg.user == "vmail") {
|
||||
uid = cfg.uid;
|
||||
group = cfg.group;
|
||||
};
|
||||
|
||||
users.extraGroups = optional (cfg.group == "vmail") {
|
||||
gid = cfg.gid;
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 25 587 993 ];
|
||||
};
|
||||
}
|
|
@ -8,11 +8,11 @@ in
|
|||
options."nixos-in-place" = {
|
||||
enable = mkEnableOption "enable nixos-in-place FS";
|
||||
rootfs = mkOption {
|
||||
type = types.string;
|
||||
type = types.str;
|
||||
description = "device name for root fs";
|
||||
};
|
||||
swapfs = mkOption {
|
||||
type = types.string;
|
||||
type = types.str;
|
||||
description = "device name for root fs";
|
||||
};
|
||||
};
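Review bot: The `description` of `swapfs` still reads `"device name for root fs"`, a copy of the `rootfs` description one option above; since the option is being touched anyway, fix the text too: `description = "device name for swap fs";`. Both descriptions are context lines here, so this is a documentation-only follow-up.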
|
||||
|
|
|
@ -8,7 +8,7 @@ let
|
|||
in {
|
||||
options.services.tor.service-keys = mkOption {
|
||||
default = {};
|
||||
type = with types; loaOf string;
|
||||
type = with types; loaOf str;
|
||||
};
|
||||
|
||||
config = mkIf (service-keys != {}) {
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let cfg = config.services.victoriametrics; in
|
||||
{
|
||||
options.services.victoriametrics = with lib; {
|
||||
enable = mkEnableOption "victoriametrics";
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.victoriametrics;
|
||||
defaultText = "pkgs.victoriametrics";
|
||||
description = ''
|
||||
The VictoriaMetrics distribution to use.
|
||||
'';
|
||||
};
|
||||
http = mkOption {
|
||||
default = ":8428";
|
||||
type = types.str;
|
||||
description = ''
|
||||
The listen address for the http interface.
|
||||
'';
|
||||
};
|
||||
retentionPeriod = mkOption {
|
||||
type = types.int;
|
||||
default = 1;
|
||||
description = ''
|
||||
Retention period in months.
|
||||
'';
|
||||
};
|
||||
extraOptions = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
Extra options to pass to VictoriaMetrics. See
|
||||
the README or victoriametrics -help for more
|
||||
information.
|
||||
'';
|
||||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
systemd.services.victoriametrics = {
|
||||
description = "VictoriaMetrics time series database";
|
||||
serviceConfig = {
|
||||
StateDirectory = "victoriametrics";
|
||||
DynamicUser = true;
|
||||
ExecStart = "${cfg.package}/bin/victoria-metrics -storageDataPath=/var/lib/victoriametrics -httpListenAddr ${cfg.http} -retentionPeriod ${toString cfg.retentionPeriod} ${lib.concatStringsSep " " cfg.extraOptions}";
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
};
|
||||
};
|
||||
}
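Review bot: `ExecStart` splices `cfg.extraOptions` in with `lib.concatStringsSep " "`, so an option containing whitespace or quotes is split or misparsed by systemd's command-line handling; use `${lib.escapeShellArgs cfg.extraOptions}`, and the same helper around `cfg.http` keeps the listen address safe as well. The `http` default `":8428"` binds every interface while the only consumer in this commit (the server's Prometheus `remote_write` to `http://127.0.0.1:8428`) is local, and the single-node VictoriaMetrics HTTP API performs no authentication, so a loopback default (`"127.0.0.1:8428"`) plus a sentence in the option description stating that the API is unauthenticated is the safer shape. `-storageDataPath=/var/lib/victoriametrics` and `StateDirectory = "victoriametrics"` are two spellings of the same path; derive one from the other or comment that they must stay in sync.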
|
|
@ -0,0 +1,38 @@
|
|||
{
|
||||
"niv": {
|
||||
"branch": "master",
|
||||
"description": "Easy dependency management for Nix projects",
|
||||
"homepage": "https://github.com/nmattia/niv",
|
||||
"owner": "nmattia",
|
||||
"repo": "niv",
|
||||
"rev": "c8f74f44b5f5df2c8f20a1834460d012e74d78f9",
|
||||
"sha256": "0zmhxgl37f1p2aiqjmiccflpgga6phj6vmqs3jd33z0frj6hsy5c",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/nmattia/niv/archive/c8f74f44b5f5df2c8f20a1834460d012e74d78f9.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixos-hardware": {
|
||||
"branch": "master",
|
||||
"description": "A collection of NixOS modules covering hardware quirks.",
|
||||
"homepage": "",
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "89c4ddb0e60e5a643ab15f68b2f4ded43134f492",
|
||||
"sha256": "1a0mplnj0zx33f4lm7kwg6z6iwgdkg2pxy58plkj6w59ibfl2l27",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/nixos/nixos-hardware/archive/89c4ddb0e60e5a643ab15f68b2f4ded43134f492.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixpkgs": {
|
||||
"branch": "nixos-19.03",
|
||||
"description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
|
||||
"homepage": "https://github.com/NixOS/nixpkgs",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs-channels",
|
||||
"rev": "c8db7a8a16ee9d54103cade6e766509e1d1c8d7b",
|
||||
"sha256": "1b3h4mwpi10blzpvgsc0191k4shaw3nw0qd2p82hygbr8vv4g9dv",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/NixOS/nixpkgs-channels/archive/c8db7a8a16ee9d54103cade6e766509e1d1c8d7b.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,136 @@
|
|||
# This file has been generated by Niv.
|
||||
|
||||
let
|
||||
|
||||
#
|
||||
# The fetchers. fetch_<type> fetches specs of type <type>.
|
||||
#
|
||||
|
||||
fetch_file = pkgs: spec:
|
||||
if spec.builtin or true then
|
||||
builtins_fetchurl { inherit (spec) url sha256; }
|
||||
else
|
||||
pkgs.fetchurl { inherit (spec) url sha256; };
|
||||
|
||||
fetch_tarball = pkgs: spec:
|
||||
if spec.builtin or true then
|
||||
builtins_fetchTarball { inherit (spec) url sha256; }
|
||||
else
|
||||
pkgs.fetchzip { inherit (spec) url sha256; };
|
||||
|
||||
fetch_git = spec:
|
||||
builtins.fetchGit { url = spec.repo; inherit (spec) rev ref; };
|
||||
|
||||
fetch_builtin-tarball = spec:
|
||||
builtins.trace
|
||||
''
|
||||
WARNING:
|
||||
The niv type "builtin-tarball" will soon be deprecated. You should
|
||||
instead use `builtin = true`.
|
||||
|
||||
$ niv modify <package> -a type=tarball -a builtin=true
|
||||
''
|
||||
builtins_fetchTarball { inherit (spec) url sha256; };
|
||||
|
||||
fetch_builtin-url = spec:
|
||||
builtins.trace
|
||||
''
|
||||
WARNING:
|
||||
The niv type "builtin-url" will soon be deprecated. You should
|
||||
instead use `builtin = true`.
|
||||
|
||||
$ niv modify <package> -a type=file -a builtin=true
|
||||
''
|
||||
(builtins_fetchurl { inherit (spec) url sha256; });
|
||||
|
||||
#
|
||||
# Various helpers
|
||||
#
|
||||
|
||||
# The set of packages used when specs are fetched using non-builtins.
|
||||
mkPkgs = sources:
|
||||
if hasNixpkgsPath
|
||||
then
|
||||
if hasThisAsNixpkgsPath
|
||||
then import (builtins_fetchTarball { inherit (mkNixpkgs sources) url sha256; }) {}
|
||||
else import <nixpkgs> {}
|
||||
else
|
||||
import (builtins_fetchTarball { inherit (mkNixpkgs sources) url sha256; }) {};
|
||||
|
||||
mkNixpkgs = sources:
|
||||
if builtins.hasAttr "nixpkgs" sources
|
||||
then sources.nixpkgs
|
||||
else abort
|
||||
''
|
||||
Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
|
||||
add a package called "nixpkgs" to your sources.json.
|
||||
'';
|
||||
|
||||
hasNixpkgsPath = (builtins.tryEval <nixpkgs>).success;
|
||||
hasThisAsNixpkgsPath =
|
||||
(builtins.tryEval <nixpkgs>).success && <nixpkgs> == ./.;
|
||||
|
||||
# The actual fetching function.
|
||||
fetch = pkgs: name: spec:
|
||||
|
||||
if ! builtins.hasAttr "type" spec then
|
||||
abort "ERROR: niv spec ${name} does not have a 'type' attribute"
|
||||
else if spec.type == "file" then fetch_file pkgs spec
|
||||
else if spec.type == "tarball" then fetch_tarball pkgs spec
|
||||
else if spec.type == "git" then fetch_git spec
|
||||
else if spec.type == "builtin-tarball" then fetch_builtin-tarball spec
|
||||
else if spec.type == "builtin-url" then fetch_builtin-url spec
|
||||
else
|
||||
abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
|
||||
|
||||
# Ports of functions for older nix versions
|
||||
|
||||
# a Nix version of mapAttrs if the built-in doesn't exist
|
||||
mapAttrs = builtins.mapAttrs or (
|
||||
f: set: with builtins;
|
||||
listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
|
||||
);
|
||||
|
||||
# fetchTarball version that is compatible between all the versions of Nix
|
||||
builtins_fetchTarball = { url, sha256 }@attrs:
|
||||
let
|
||||
inherit (builtins) lessThan nixVersion fetchTarball;
|
||||
in
|
||||
if lessThan nixVersion "1.12" then
|
||||
fetchTarball { inherit url; }
|
||||
else
|
||||
fetchTarball attrs;
|
||||
|
||||
# fetchurl version that is compatible between all the versions of Nix
|
||||
builtins_fetchurl = { url, sha256 }@attrs:
|
||||
let
|
||||
inherit (builtins) lessThan nixVersion fetchurl;
|
||||
in
|
||||
if lessThan nixVersion "1.12" then
|
||||
fetchurl { inherit url; }
|
||||
else
|
||||
fetchurl attrs;
|
||||
|
||||
# Create the final "sources" from the config
|
||||
mkSources = config:
|
||||
mapAttrs (
|
||||
name: spec:
|
||||
if builtins.hasAttr "outPath" spec
|
||||
then abort
|
||||
"The values in sources.json should not have an 'outPath' attribute"
|
||||
else
|
||||
spec // { outPath = fetch config.pkgs name spec; }
|
||||
) config.sources;
|
||||
|
||||
# The "config" used by the fetchers
|
||||
mkConfig =
|
||||
{ sourcesFile ? ./sources.json
|
||||
}: rec {
|
||||
# The sources, i.e. the attribute set of spec name to spec
|
||||
sources = builtins.fromJSON (builtins.readFile sourcesFile);
|
||||
# The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
|
||||
pkgs = mkPkgs sources;
|
||||
};
|
||||
in
|
||||
mkSources (mkConfig {}) //
|
||||
{ __functor = _: settings: mkSources (mkConfig settings); }
|
|
@ -1,16 +1,3 @@
|
|||
[ (self: super: {
|
||||
gogitget = super.callPackage ./gogitget.nix {};
|
||||
shallot = super.callPackage ./shallot.nix {};
|
||||
yori-cc = super.callPackage ./yori-cc.nix {};
|
||||
gitea =
|
||||
super.gitea.overrideDerivation (o: rec {
|
||||
version = "1.4.1";
|
||||
name = "gitea-${version}";
|
||||
src = self.fetchFromGitHub {
|
||||
owner = "go-gitea";
|
||||
repo = "gitea";
|
||||
rev = "v${version}";
|
||||
sha256 = "1mid67c4021m7mi4ablx1w5v43831gzn8xpg8n30a4zmr70781wm";
|
||||
};
|
||||
});
|
||||
})]
|
||||
|
|
|
@ -1,14 +0,0 @@
|
|||
{ stdenv, fetchurl }:
|
||||
stdenv.mkDerivation rec {
|
||||
target = "QCA6174";
|
||||
branch = "4.4.1.c1";
|
||||
version = "${branch}-00042";
|
||||
name = "${target}-firmware-${version}";
|
||||
src = fetchurl {
|
||||
url = "https://github.com/kvalo/ath10k-firmware/raw/master/${target}/hw3.0/${branch}/firmware-6.bin_RM.${version}-QCARMSWP-1";
|
||||
sha256 = "01vvz3qhqw5l3yilcqgk1spk4y9k4qy7na7a57cbl037r231szdh";
|
||||
};
|
||||
buildCommand = ''
|
||||
install -D $src $out/lib/firmware/ath10k/${target}/hw3.0/firmware-6.bin
|
||||
'';
|
||||
}
|
|
@ -1,20 +0,0 @@
|
|||
# this is the secure fetchgit, but it actually works
|
||||
{ fetchgit, writeScript, openssh, stdenv }: args: derivation ((fetchgit args).drvAttrs // {
|
||||
SSH_AUTH_SOCK = if (builtins.tryEval <ssh-auth-sock>).success
|
||||
then builtins.toString <ssh-auth-sock>
|
||||
else null;
|
||||
GIT_SSH = writeScript "fetchgit-ssh" ''
|
||||
#! ${stdenv.shell}
|
||||
TEMP_ID=$(mktemp)
|
||||
cp ${let
|
||||
sshIdFile = if (builtins.tryEval <ssh-id-file>).success
|
||||
then <ssh-id-file>
|
||||
else builtins.trace ''
|
||||
That didn't work.
|
||||
'' "/var/lib/empty/config";
|
||||
in builtins.toString sshIdFile} $TEMP_ID
|
||||
chown `whoami` $TEMP_ID
|
||||
chmod 400 $TEMP_ID
|
||||
exec -a ssh ${openssh}/bin/ssh -F /dev/null -i $TEMP_ID -o StrictHostKeyChecking=no "$@"
|
||||
'';
|
||||
})
|
|
@ -1,24 +0,0 @@
|
|||
with import <nixpkgs> {};
|
||||
|
||||
stdenv.mkDerivation {
|
||||
name = "shallot-0.0.3-alpha";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
rev = "831de01b13b309933d32efe8388444ef6a831cfb";
|
||||
owner = "katmagic";
|
||||
repo = "Shallot";
|
||||
sha256 = "0zlgl13vmv6zj1jk5cfjqg66n3qq9yp2202llpgvfl16rzxrlv5r";
|
||||
};
|
||||
|
||||
buildInputs = [openssl];
|
||||
|
||||
buildPhase = ''
|
||||
./configure
|
||||
make
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out/bin
|
||||
mv shallot $out/bin
|
||||
'';
|
||||
}
|
|
@ -1,14 +1,11 @@
|
|||
{ stdenv, callPackage }:
|
||||
|
||||
let gogitget = callPackage ./gogitget.nix {}; in
|
||||
|
||||
stdenv.mkDerivation {
|
||||
name = "yori-cc-1.3.5";
|
||||
name = "yori-cc-1.5";
|
||||
|
||||
src = gogitget {
|
||||
"url" = "git@git.yori.cc:yorick/yori-cc.git";
|
||||
"rev" = "f049e4330dfb64bbbaf700897269c003fce8b5c4";
|
||||
"sha256" = "1x8knlsp7cx52sr15gr0yhj1vl8ncznrqn4nvaycgwmhr1kysffr";
|
||||
src = builtins.fetchGit {
|
||||
url = "git@git.yori.cc:yorick/yori-cc.git";
|
||||
rev = "68c75ab84cceaf98dd8fd0646b97d73f966b8962";
|
||||
};
|
||||
|
||||
buildInputs = [ ];
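Review bot: `src = builtins.fetchGit { url = ...; rev = "68c75ab..."; }` pins a commit but gives no `ref`, and fetchGit only resolves revs reachable from the repository's default branch unless a `ref` is supplied, so a commit that lives on another branch fails at evaluation; add `ref = "<branch containing the rev>";` to the set. Unlike the removed gogitget fixed-output derivation, this fetch runs at evaluation time with the evaluating user's ssh setup rather than inside the build sandbox, which is worth a comment above `src` since the `sha256` pin is gone and the rev alone now guarantees content. Judging by the line counts, the `let gogitget = callPackage ./gogitget.nix {}; in` line is removed on the new side, which leaves `callPackage` unused in `{ stdenv, callPackage }:`. The mkDerivation opened at the top of the hunk closes outside it.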
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "rpool/root/nixos";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/home" =
|
||||
{ device = "rpool/home";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/5D0A-7902";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[ { device = "/dev/disk/by-uuid/61a23e27-2cd4-4456-bcde-aec68be04239"; }
|
||||
];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 32;
|
||||
# High-DPI console
|
||||
#i18n.consoleFont = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
|
||||
}
|
|
@ -0,0 +1,22 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let sources = import ../nix/sources.nix;
|
||||
in
|
||||
{
|
||||
imports =
|
||||
[ ./.
|
||||
./3950x-hardware-config.nix
|
||||
"${sources.nixos-hardware}/common/cpu/amd"
|
||||
];
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
boot.kernelModules = [ "nct6775" ];
|
||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
networking.hostId = "c7736638";
|
||||
services.zfs.autoScrub.enable = true;
|
||||
services.zfs.trim.enable = true;
|
||||
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.enp9s0.useDHCP = true;
|
||||
}
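Review bot: `boot.kernelPackages = pkgs.linuxPackages_latest;` next to `boot.supportedFilesystems = [ "zfs" ];` on a host whose root is a ZFS dataset (per the hardware config added in this commit) is fragile: the out-of-tree zfs module regularly lags the newest kernel, so a nixpkgs bump can leave this host without a buildable kernel. Pinning to a kernel the pinned zfs is known to support (nixpkgs exposes `pkgs.zfs.latestCompatibleLinuxPackages` in releases that have that attribute) or to the default LTS kernel is safer; at minimum a comment on that line saying why the latest kernel is needed on a ZFS root would help the next reader.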
|
|
@ -0,0 +1,22 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/1396f814-6cc2-4988-992a-3558fa1ac5a2";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[ { device = "/dev/disk/by-uuid/5f8f358d-f63c-48ad-a322-d1aeb403e4ff"; }
|
||||
];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 4;
|
||||
}
|
|
@ -1,44 +1,3 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let cfg = config.hardware.yorick; in
|
||||
with lib;
|
||||
{
|
||||
options.hardware.yorick = {
|
||||
cpu = mkOption {
|
||||
type = types.nullOr (types.enum ["intel" "virtual"]);
|
||||
};
|
||||
gpu = mkOption {
|
||||
type = types.nullOr (types.enum ["intel" "nvidia"]);
|
||||
default = null;
|
||||
};
|
||||
laptop = mkEnableOption "laptop settings";
|
||||
};
|
||||
config = mkMerge [
|
||||
(mkIf (cfg.gpu == "intel") {
|
||||
# https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options
|
||||
boot.kernelParams = ["i915.enable_fbc=1" "i915.enable_guc_loading=1" "i915.enable_guc_submission=1" "i915.enable_huc=1" "i915.enable_psr=2"];
|
||||
# now we wait until enable_psr=1 is fixed
|
||||
services.xserver.videoDrivers = ["modesetting"];
|
||||
hardware.opengl.extraPackages = [ pkgs.vaapiIntel ];
|
||||
})
|
||||
(mkIf (cfg.gpu == "nvidia") {
|
||||
boot.kernelModules = ["nvidiabl"];
|
||||
services.xserver.videoDrivers = ["nvidia"];
|
||||
boot.extraModulePackages = [config.boot.kernelPackages.nvidiabl];
|
||||
})
|
||||
(mkIf (cfg.cpu == "intel") {
|
||||
hardware.cpu.intel.updateMicrocode = true;
|
||||
boot.kernelModules = ["kvm-intel"];
|
||||
})
|
||||
(mkIf (cfg.laptop) {
|
||||
services.xserver.libinput.enable = true;
|
||||
|
||||
networking.wireless.enable = true;
|
||||
hardware.bluetooth.enable = true;
|
||||
# gotta go faster
|
||||
networking.dhcpcd.extraConfig = ''
|
||||
noarp
|
||||
'';
|
||||
services.thermald.enable = true;
|
||||
})
|
||||
];
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
}
|
||||
|
|
|
@ -1,22 +1,21 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let sources = import ../nix/sources.nix;
|
||||
in
|
||||
{
|
||||
imports =
|
||||
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||
<yori-nix/physical>
|
||||
[ ./.
|
||||
"${sources.nixos-hardware}/common/cpu/intel"
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
|
||||
hardware.yorick.cpu = "intel";
|
||||
|
||||
# Use the GRUB 2 boot loader.
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
# Define on which hard drive you want to install Grub.
|
||||
boot.loader.grub.device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S21PNXAG441016B";
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
version = 2;
|
||||
# Define on which hard drive you want to install Grub.
|
||||
device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S21PNXAG441016B";
|
||||
};
|
||||
|
||||
|
||||
fileSystems."/" =
|
||||
|
@ -28,6 +27,16 @@
|
|||
swapDevices =
|
||||
[ { device = "/dev/disk/by-label/nixos-swap"; }
|
||||
];
|
||||
fileSystems."/data" =
|
||||
{ device = "frumar-new";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/data/plexmedia" =
|
||||
{ device = "frumar-new/plexmedia";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
nix.maxJobs = 4;
|
||||
services.avahi.interfaces = [ "enp2s0" ];
|
||||
}
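Review bot: the `# Do not modify this file! It was generated by ‘nixos-generate-config’` header still tops this file although it now hand-imports `./.` and `../nix/sources.nix` and carries host-specific ZFS datasets and `services.avahi.interfaces`, so a future `nixos-generate-config` run would overwrite that work; either drop the header or move the hand-written parts into the host's main module. The new `fileSystems."/data"` and `"/data/plexmedia"` ZFS entries need zfs support enabled and `networking.hostId` set for the pool to import at boot; neither is visible in these hunks, so confirm they are set elsewhere for this host. The same stale header applies to the other nixos-generate-config file in this commit that gained a `sources` import and the `vaapiIntel` override.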
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
ipconf = (import ../secrets.nix).ipconf.${config.networking.hostName};
|
||||
in
|
||||
{
|
||||
imports =
|
||||
# todo: impure:
|
||||
[ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
|
||||
];
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
version = 2;
|
||||
device = "/dev/sda";
|
||||
};
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/sda1";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 1;
|
||||
#services.nscd.enable = false;
|
||||
networking.dhcpcd.enable = false;
|
||||
systemd.network.enable = true;
|
||||
systemd.network.networks."40-hetzner" = {
|
||||
DHCP = "ipv4";
|
||||
address = [ ipconf.mainIPv6 ];
|
||||
gateway = [ "fe80::1" ];
|
||||
matchConfig.Name = "ens3";
|
||||
};
|
||||
services.fstrim.enable = true;
|
||||
}
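Review bot: the `# todo: impure:` above `<nixpkgs/nixos/modules/profiles/qemu-guest.nix>` can be resolved now rather than later by using the `modulesPath` module argument instead of a NIX_PATH lookup: change the header to `{ config, lib, pkgs, modulesPath, ... }:` and the import to `[ "${modulesPath}/profiles/qemu-guest.nix"`, which keeps this host evaluable with whatever nixpkgs the evaluator was given. `ipconf` is looked up by `config.networking.hostName`, so this module only evaluates for hosts that have an `ipconf` entry in secrets.nix; a one-line comment above the `let` stating that dependency would save the next person a confusing attribute-missing error.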
|
|
@ -7,7 +7,7 @@
|
|||
./hp8570w/powerdown.nix
|
||||
];
|
||||
|
||||
hardware.yorick = { cpu = "intel"; gpu = "nvidia"; laptop = true; };
|
||||
hardware.yorick = { cpu = "intel"; gpu = "nvidia"; };
|
||||
|
||||
boot = {
|
||||
loader.grub = {
|
||||
|
@ -48,4 +48,16 @@
|
|||
|
||||
#services.tcsd.enable = true; # it has a TPM. maybe use this?
|
||||
#environment.systemPackages = with pkgs; [tpm-tools];
|
||||
services.xserver.libinput.enable = true;
|
||||
|
||||
networking.wireless.enable = true;
|
||||
hardware.bluetooth.enable = true;
|
||||
# gotta go faster
|
||||
networking.dhcpcd.extraConfig = ''
|
||||
noarp
|
||||
'';
|
||||
services.thermald.enable = true;
|
||||
boot.kernelModules = ["nvidiabl"];
|
||||
services.xserver.videoDrivers = ["nvidia"];
|
||||
boot.extraModulePackages = [config.boot.kernelPackages.nvidiabl];
|
||||
}
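Review bot: `hardware.yorick = { cpu = "intel"; gpu = "nvidia"; };` survives on the new side of the first hunk, but the module that declared `options.hardware.yorick` is reduced to three lines in this commit and no longer appears to define it, so evaluating this host should fail with an undefined-option error unless the option is re-declared somewhere not shown; the other hosts in this commit drop their `hardware.yorick` lines and this one should too. The second hunk inlines the former `laptop` and `gpu == "nvidia"` branches of that module (`services.thermald.enable`, `nvidiabl`, `services.xserver.videoDrivers = ["nvidia"]`) but not the `cpu == "intel"` branch (`hardware.cpu.intel.updateMicrocode`, `kvm-intel`), and no nixos-hardware cpu import is visible in the imports hunk; confirm that is intended.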
|
||||
|
|
|
@ -1,50 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
ipconf = (import <secrets>).ipconf.${config.networking.hostName};
|
||||
in
|
||||
{
|
||||
imports = [ ../modules/nixos-in-place.nix <yori-nix/physical> ];
|
||||
"nixos-in-place" = {
|
||||
enable = true;
|
||||
rootfs = "/dev/disk/by-uuid/7165e542-0995-474c-a228-9592339e0604";
|
||||
swapfs = "/dev/disk/by-uuid/baaf824a-bee0-4037-a237-3a69f1db7985";
|
||||
};
|
||||
# fs layout:
|
||||
# before: /nixos/nix/* /boot/grub/menu.lst
|
||||
# after: /nix/* /old-root/boot/grub/menu.lst
|
||||
boot = {
|
||||
kernelPackages = pkgs.linuxPackages_latest;
|
||||
blacklistedKernelModules = ["coretemp"];
|
||||
# use grub 1, don't install
|
||||
loader.grub = {
|
||||
version = 1;
|
||||
extraPerEntryConfig = "root (hd0,0)"; # do we need this?
|
||||
mirroredBoots = [{
|
||||
path = "/old-root/boot";
|
||||
devices = ["nodev"];
|
||||
}];
|
||||
splashImage = null;
|
||||
};
|
||||
initrd.availableKernelModules = [ "xen_blkfront" ];
|
||||
};
|
||||
sound.enable = false;
|
||||
networking = {
|
||||
usePredictableInterfaceNames = false; # only eth0
|
||||
interfaces.eth0 = {
|
||||
useDHCP = false;
|
||||
inherit (ipconf) ipv4 ipv6;
|
||||
};
|
||||
inherit (ipconf) nameservers;
|
||||
# ideally, it should add a route for this automatically
|
||||
#defaultGateway = ipconf.gateway4;
|
||||
#defaultGateway6 = ipconf.gateway6;
|
||||
};
|
||||
systemd.services."network-setup".postStart = with ipconf; ''
|
||||
ip route add ${gateway4} dev eth0 || true
|
||||
ip route add default via ${gateway4} || true
|
||||
ip -6 route add ${gateway6} dev eth0 || true
|
||||
ip -6 route add default via ${gateway6} || true
|
||||
'';
|
||||
nix.maxJobs = lib.mkDefault 2;
|
||||
hardware.yorick.cpu = "virtual";
|
||||
}
|
|
@ -1,4 +0,0 @@
|
|||
builtins.fetchTarball {
|
||||
url = "https://github.com/NixOS/nixos-hardware/archive/d534770be7f699b3332ef09bd043745a38d115ad.tar.gz";
|
||||
sha256 = "0h4xzs0bp0v01rzqm023ia2rgmcxv32jdiinp7ylxxh384vf5h0h";
|
||||
}
|
|
@ -1,40 +1,41 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let sources = import ../nix/sources.nix;
|
||||
in
|
||||
{
|
||||
|
||||
imports =
|
||||
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||
<yori-nix/physical>
|
||||
"${sources.nixos-hardware}/common/cpu/intel"
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
|
||||
hardware.yorick = { cpu = "intel"; gpu = "intel"; };
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/fa5026b1-0f73-4233-a417-780c65f3f038";
|
||||
fsType = "btrfs";
|
||||
options = ["defaults" "relatime" "discard"];
|
||||
{ device = "/dev/disk/by-uuid/3e148654-0ed8-4354-8159-e3499c6fa299";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/729B-0F6C";
|
||||
{ device = "/dev/disk/by-uuid/439E-26EA";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[ { device = "/dev/disk/by-uuid/086b6aaa-a737-4747-91d6-b4923bf14858"; }
|
||||
];
|
||||
swapDevices = [ ];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 4;
|
||||
services.xserver.videoDrivers = ["intel"];
|
||||
networking.wireless.enable = true;
|
||||
environment.systemPackages = with pkgs; [
|
||||
btrfs-progs
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
|
||||
nixpkgs.config.packageOverrides = pkgs: {
|
||||
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
|
||||
};
|
||||
hardware.opengl.extraPackages = with pkgs; [
|
||||
intel-media-driver # only available starting nixos-19.03 or the current nixos-unstable
|
||||
];
|
||||
}
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
};
|
||||
|
||||
swapDevices =
|
||||
[ { device = "/dev/disk/by-uuid/d9c4c15b-0e9c-47f6-8675-93b1b8de5f9d"; }
|
||||
[ { device = "/dev/disk/by-uuid/198ddaba-a849-41de-993d-862c2d37937a"; }
|
||||
];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 4;
|
||||
|
|
|
@ -1,26 +1,43 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let sources = import ../nix/sources.nix;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
"${import ./nixos-hardware.nix}/dell/xps/13-9360"
|
||||
"${sources.nixos-hardware}/dell/xps/13-9360"
|
||||
./xps9360-hardware-config.nix
|
||||
];
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
boot.kernelParams = [ "i915.enable_psr=0" ];
|
||||
boot.kernelModules = [ "i8k" ];
|
||||
boot.extraModprobeConfig = ''
|
||||
options i8k ignore_dmi=1
|
||||
'';
|
||||
fileSystems."/".options = ["defaults" "relatime" "discard"];
|
||||
|
||||
boot.initrd.luks.devices."nix-crypt".allowDiscards = true;
|
||||
|
||||
# intel huc, guc. qca6174 (older firmware)
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
|
||||
# hardware is thermal-limited
|
||||
services.thermald.enable = lib.mkDefault true;
|
||||
services.undervolt = rec {
|
||||
enable = true;
|
||||
coreOffset = "-50";
|
||||
gpuOffset = "-50";
|
||||
uncoreOffset = "-50";
|
||||
analogioOffset = "-50";
|
||||
};
|
||||
services.tlp.extraConfig = ''
|
||||
CPU_SCALING_GOVERNOR_ON_AC=performance
|
||||
CPU_SCALING_GOVERNOR_ON_BAT=powersave
|
||||
'';
|
||||
|
||||
services.xserver.libinput.enable = true;
|
||||
|
||||
networking.wireless.enable = true;
|
||||
networking.wireless = {
|
||||
enable = false;
|
||||
iwd.enable = true;
|
||||
};
|
||||
hardware.bluetooth.enable = true;
|
||||
|
||||
services.udev.packages = [ pkgs.crda ];
|
||||
hardware.firmware = [ pkgs.wireless-regdb ];
|
||||
# gotta go faster
|
||||
networking.dhcpcd.extraConfig = ''
|
||||
noarp
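Review bot: `boot.initrd.luks.devices."nix-crypt".allowDiscards = true;` trades some confidentiality for SSD performance: with discards passed through LUKS, the pattern of used and free blocks on the encrypted volume becomes visible on the raw device; that is a common, usually acceptable trade-off, but it deserves a one-line comment recording the decision, e.g. `# TRIM through LUKS: exposes free-block layout, accepted for SSD lifetime`. `services.undervolt = rec { ... }` uses `rec` although no attribute refers to another, so the keyword can go, and the four `-50` offsets are per-unit silicon-lottery values, so a comment stating they were stability-tested on this machine would help anyone copying the file. The hunk ends inside the `networking.dhcpcd.extraConfig` string.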
|
||||
|
|
|
@ -1,39 +1,41 @@
|
|||
let secrets = import <secrets>;
|
||||
let secrets = import ../secrets.nix;
|
||||
in
|
||||
{ config, pkgs, lib, ...}:
|
||||
{ config, pkgs, lib, name, ...}:
|
||||
let
|
||||
machine = lib.removeSuffix ".nix" (builtins.baseNameOf <nixos-config>);
|
||||
machine = name;
|
||||
vpn = import ../vpn.nix;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
../modules/tor-hidden-service.nix
|
||||
../modules/nginx.nix
|
||||
<yori-nix/deploy/keys.nix>
|
||||
<yori-nix/services>
|
||||
../deploy/keys.nix
|
||||
../services
|
||||
];
|
||||
networking.hostName = secrets.hostnames.${machine};
|
||||
time.timeZone = "Europe/Amsterdam";
|
||||
users.mutableUsers = false;
|
||||
users.extraUsers.root = {
|
||||
openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys;
|
||||
users.users.root = {
|
||||
openssh.authorizedKeys.keys = config.users.users.yorick.openssh.authorizedKeys.keys;
|
||||
# root password is useful from console, ssh has password logins disabled
|
||||
hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
|
||||
|
||||
};
|
||||
services.timesyncd.enable = true;
|
||||
users.extraUsers.yorick = {
|
||||
users.users.yorick = {
|
||||
isNormalUser = true;
|
||||
uid = 1000;
|
||||
extraGroups = ["wheel"];
|
||||
group = "users";
|
||||
openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [yorick];
|
||||
openssh.authorizedKeys.keys = with (import ../sshkeys.nix); yorick;
|
||||
hashedPassword = secrets.yorick_hashedPassword;
|
||||
};
|
||||
|
||||
# Nix
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
nixpkgs.overlays = import ../packages;
|
||||
|
||||
nix.buildCores = config.nix.maxJobs;
|
||||
#nix.buildCores = config.nix.maxJobs;
|
||||
|
||||
# Networking
|
||||
networking.enableIPv6 = true;
|
||||
|
@ -47,17 +49,17 @@ in
|
|||
|
||||
environment.systemPackages = with pkgs; [
|
||||
# v important.
|
||||
cowsay ponysay
|
||||
cowsay #ponysay
|
||||
ed # ed, man!
|
||||
sl
|
||||
rlwrap
|
||||
|
||||
vim
|
||||
#vim
|
||||
|
||||
# system stuff
|
||||
ethtool inetutils
|
||||
pciutils usbutils
|
||||
iotop powertop htop
|
||||
/*iotop*/ powertop htop
|
||||
psmisc lsof
|
||||
smartmontools hdparm
|
||||
lm_sensors
|
||||
|
@ -73,19 +75,40 @@ in
|
|||
|
||||
# archiving
|
||||
xdelta
|
||||
libarchive
|
||||
atool
|
||||
unrar p7zip
|
||||
unzip zip
|
||||
|
||||
# network
|
||||
nmap mtr bind
|
||||
socat netcat-openbsd
|
||||
lftp wget rsync
|
||||
|
||||
git
|
||||
rxvt_unicode.terminfo
|
||||
#gitMinimal
|
||||
#rxvt_unicode.terminfo
|
||||
];
|
||||
nix.gc.automatic = true;
|
||||
|
||||
}
|
||||
services.avahi = {
|
||||
ipv6 = true;
|
||||
hostName = machine;
|
||||
};
|
||||
deployment.keyys = [ (<yori-nix/keys>+"/wg.${machine}.key") ];
|
||||
networking.wireguard.interfaces.wg-y = {
|
||||
privateKeyFile = "/root/keys/wg.${machine}.key";
|
||||
ips = [ vpn.ips.${machine} ];
|
||||
listenPort = 31790;
|
||||
peers = [ {
|
||||
publicKey = vpn.keys.pennyworth;
|
||||
endpoint = "pennyworth.yori.cc:31790";
|
||||
allowedIPs = [ "10.209.0.0/24" ];
|
||||
persistentKeepalive = 30;
|
||||
}];
|
||||
postSetup = "ip link set dev wg-y mtu 1371";
|
||||
};
|
||||
security.acme.email = "acme@yori.cc";
|
||||
security.acme.acceptTerms = true;
|
||||
nix.binaryCachePublicKeys =
|
||||
[ "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0=" ];
|
||||
|
||||
nix.trustedUsers = ["@wheel"];
|
||||
}
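Review bot: `nix.binaryCachePublicKeys = [ "yorick:..." ];` replaces the option's default list rather than extending it, and that default is what carries the cache.nixos.org-1 key, so on any host where no other module adds that key back, every substitute from cache.nixos.org will be rejected as unsigned; re-add it alongside the yorick key, `[ "cache.nixos.org-1:<its public key>" "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0=" ]`. `deployment.keyys = [ (<yori-nix/keys>+"/wg.${machine}.key") ];` still resolves `<yori-nix/keys>` through NIX_PATH while the same file now replaces `<yori-nix/deploy/keys.nix>` and `<yori-nix/services>` with relative paths; `../keys + "/wg.${machine}.key"` would be consistent and work without the search path. If `keyys` is not the option name declared in ../deploy/keys.nix, it is a typo for `keys`.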
|
||||
|
|
|
@ -1,27 +1,12 @@
|
|||
let secrets = import <secrets>;
|
||||
in
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
imports = [ <yori-nix/roles> ];
|
||||
in { config, lib, pkgs, ... }: {
|
||||
imports = [ ./. ];
|
||||
options.yorick.support32bit = with lib;
|
||||
mkOption { type = types.bool; default = false; };
|
||||
mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
config = {
|
||||
# Enable the X11 windowing system.
|
||||
services.xserver = {
|
||||
enable = true;
|
||||
libinput = {
|
||||
naturalScrolling = true;
|
||||
tappingDragLock = false;
|
||||
};
|
||||
layout = "us";
|
||||
xkbOptions = "caps:escape";
|
||||
displayManager.slim.defaultUser = "yorick";
|
||||
# xkbOptions = "eurosign:e";
|
||||
windowManager.i3 = {
|
||||
enable = true;
|
||||
package = pkgs.i3-gaps;
|
||||
};
|
||||
};
|
||||
hardware.opengl = {
|
||||
enable = true;
|
||||
driSupport32Bit = config.yorick.support32bit;
|
||||
|
@ -31,30 +16,37 @@ in
|
|||
enable = true;
|
||||
support32Bit = config.yorick.support32bit;
|
||||
};
|
||||
users.extraUsers.yorick.extraGroups = ["video"];
|
||||
users.users.yorick.extraGroups = [ "video" ];
|
||||
# fix backlight permissions
|
||||
services.udev.extraRules = ''
|
||||
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness"
|
||||
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"
|
||||
'';
|
||||
services.udev.extraRules = ''
|
||||
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness"
|
||||
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"
|
||||
'';
|
||||
|
||||
fonts = {
|
||||
enableFontDir = true;
|
||||
enableGhostscriptFonts = true;
|
||||
fonts = with pkgs; [
|
||||
corefonts # Micrsoft free fonts
|
||||
inconsolata # monospaced
|
||||
source-code-pro
|
||||
ubuntu_font_family # Ubuntu fonts
|
||||
source-han-sans-japanese
|
||||
iosevka
|
||||
];
|
||||
fonts = {
|
||||
enableFontDir = true;
|
||||
enableGhostscriptFonts = true;
|
||||
fonts = with pkgs; [
|
||||
corefonts # Micrsoft free fonts
|
||||
inconsolata # monospaced
|
||||
source-code-pro
|
||||
ubuntu_font_family # Ubuntu fonts
|
||||
source-han-sans-japanese
|
||||
iosevka
|
||||
font-awesome
|
||||
];
|
||||
};
|
||||
# spotify
|
||||
networking.firewall.allowedTCPPorts = [ 55025 57621 ];
|
||||
networking.firewall.allowedUDPPorts = [ 55025 57621 ];
|
||||
|
||||
services.openssh.forwardX11 = true;
|
||||
|
||||
programs.sway = {
|
||||
enable = true;
|
||||
extraSessionCommands = ''
|
||||
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])}
|
||||
'';
|
||||
};
|
||||
};
|
||||
# spotify
|
||||
networking.firewall.allowedTCPPorts = [55025 57621];
|
||||
networking.firewall.allowedUDPPorts = [55025 57621];
|
||||
|
||||
users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword;
|
||||
services.openssh.forwardX11 = true;
|
||||
};
|
||||
}
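Review bot: `export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath ...}` in `programs.sway.extraSessionCommands` produces a leading empty component when `LD_LIBRARY_PATH` is unset, and the dynamic loader treats an empty entry as the current working directory, so every process in the sway session would look for shared libraries in whatever directory it happens to run from. Guard the existing value instead: `export LD_LIBRARY_PATH=${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])}''${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` (the `''$` escape keeps the shell expansion literal inside the Nix indented string).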
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
{lib, ...}: {
|
||||
users.users.lars = {
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa 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"
|
||||
];
|
||||
};
|
||||
services.avahi = {
|
||||
enable = true;
|
||||
nssmdns = true;
|
||||
publish = {
|
||||
enable = true;
|
||||
addresses = true;
|
||||
};
|
||||
};
|
||||
networking.firewall.logRefusedConnections = lib.mkForce true;
|
||||
}
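Review bot: `networking.firewall.logRefusedConnections = lib.mkForce true;` silently wins over the `false` that the headless role in this commit sets with the comment about scanners and knockers, so a host importing both gets the noisy behaviour with no trace of why; a comment on this line naming the override, e.g. `# overrides headless.nix: keep refused-connection logging on this host`, would make the intent visible. The avahi block publishes this host's addresses on mDNS, which is fine on a trusted LAN but worth a comment if the module is meant for internet-facing hosts as well.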
|
|
@ -1,10 +1,11 @@
|
|||
{
|
||||
imports = [ <yori-nix/roles> ];
|
||||
imports = [ ./. ];
|
||||
|
||||
services.nixosManual.enable = false;
|
||||
documentation.nixos.enable = false;
|
||||
services.sshguard.enable = true;
|
||||
programs.mosh.enable = true;
|
||||
|
||||
environment.noXlibs = true;
|
||||
networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers
|
||||
networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers
|
||||
|
||||
}
|
||||
|
|
|
@ -1,39 +1,45 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
nixNetrcFile = pkgs.runCommand "nix-netrc-file"
|
||||
{ hostname = "cache.lumi.guide";
|
||||
username = "lumi";
|
||||
} ''
|
||||
cat > $out <<EOI
|
||||
machine $hostname
|
||||
login $username
|
||||
password ${builtins.readFile /home/yorick/engineering/lumi/secrets/shared/passwords/nix-serve-password}
|
||||
EOI
|
||||
'';
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
<yori-nix/roles/graphical.nix>
|
||||
./graphical.nix
|
||||
];
|
||||
users.extraUsers.yorick.extraGroups = [ "input" "wireshark" ];
|
||||
users.extraUsers.yorick.extraGroups = [ "input" "wireshark" "dialout" ];
|
||||
services.printing = {
|
||||
enable = true;
|
||||
drivers = [ pkgs.gutenprint ];
|
||||
};
|
||||
environment.systemPackages = [pkgs.ghostscript pkgs.yubikey-manager];
|
||||
#services.xserver.displayManager.sessionCommands = ''
|
||||
# gpg-connect-agent /bye
|
||||
# unset SSH_AGENT_PID
|
||||
# export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"
|
||||
#'';
|
||||
virtualisation.virtualbox.host.enable = true;
|
||||
environment.systemPackages = with pkgs; [
|
||||
pkgs.ghostscript pkgs.yubikey-manager
|
||||
];
|
||||
virtualisation.virtualbox.host.enable = false;
|
||||
yorick.support32bit = true;
|
||||
# yubikey
|
||||
hardware.u2f.enable = true;
|
||||
services.pcscd.enable = true;
|
||||
sound.enable = true;
|
||||
#environment.systemPackages = [pkgs.yubikey-manager];
|
||||
fonts.fonts = [ pkgs.emojione ];
|
||||
# bluetooth headphones
|
||||
hardware.pulseaudio.package = pkgs.pulseaudioFull;
|
||||
# japanese typing
|
||||
i18n.inputMethod = {
|
||||
enabled = "fcitx";
|
||||
fcitx.engines = with pkgs.fcitx-engines; [ mozc ];
|
||||
};
|
||||
programs.wireshark.enable = true;
|
||||
nix = {
|
||||
gc.automatic = pkgs.lib.mkOverride 30 false;
|
||||
binaryCaches = [
|
||||
"https://cache.nixos.org"
|
||||
"https://cache.lumi.guide/"
|
||||
"s3://yorick-cache?endpoint=s3.eu-central-1.wasabisys.com&profile=wasabi-private"
|
||||
#"https://nixpkgs-wayland.cachix.org"
|
||||
];
|
||||
trustedBinaryCaches = config.nix.binaryCaches ++ [
|
||||
"ssh://yorick@jupiter.serokell.io"
|
||||
|
@ -45,7 +51,20 @@
|
|||
"serokell-1:aIojg2Vxgv7MkzPJoftOO/I8HKX622sT+c0fjnZBLj0="
|
||||
"cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE="
|
||||
"serokell.cachix.org-1:5DscEJD6c1dD1Mc/phTIbs13+iW22AVbx0HqiSb+Lq8="
|
||||
"disciplina.cachix.org-1:zDeIFV5cu22v04EUuRITz/rYxpBCGKY82x0mIyEYjxE="
|
||||
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
|
||||
];
|
||||
extraOptions = ''
|
||||
netrc-file = ${nixNetrcFile}
|
||||
'';
|
||||
};
|
||||
services.avahi = {
|
||||
enable = true;
|
||||
nssmdns = true;
|
||||
};
|
||||
virtualisation.libvirtd.enable = true;
|
||||
users.users.yorick.extraGroups = [ "libvirtd" ];
|
||||
users.users.yorick.shell = pkgs.fish;
|
||||
services.udev.extraRules = ''
|
||||
SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5bf0", MODE="0664", GROUP="dialout"
|
||||
'';
|
||||
}
|
||||
|
|
BIN
secrets.nix
BIN
secrets.nix
Binary file not shown.
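--- a/servers.json
+++ b/servers.json
@@ -1,22 +0,0 @@
-{
-"pennyworth": {
-"pkgs": "stable",
-"host": "pennyworth.yori.cc"
-},
-"jarvis": {
-"pkgs": "channel",
-"host": "jarvis.home.yori.cc"
-},
-"ascanius": {
-"pkgs": "channel",
-"host": "ascanius.home.yori.cc"
-},
-"woodhouse": {
-"pkgs": "channel",
-"host": "woodhouse.home.yori.cc"
-},
-"frumar": {
-"pkgs": "channel",
-"host": "frumar.yori.cc"
-}
-}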
@ -0,0 +1,24 @@
|
|||
let
|
||||
lib = import <nixpkgs/lib>;
|
||||
n = url: conf: let
|
||||
c = import "${url}/nixos/lib/eval-config.nix" {
|
||||
modules = [ ./roles conf ];
|
||||
extraArgs.name = lib.removeSuffix ".nix" (builtins.baseNameOf conf);
|
||||
extraArgs.nixpkgs = url;
|
||||
};
|
||||
in c.config.system.build // c;
|
||||
git = n "https://github.com/NixOS/nixpkgs/archive/master.tar.gz";
|
||||
stable = n (builtins.fetchTarball "channel:nixos-20.03");
|
||||
unstable = n (builtins.fetchTarball "channel:nixos-unstable-small");
|
||||
checkout = n ../projects/nixpkgs;
|
||||
channel = n "/nix/var/nix/profiles/per-user/root/channels/nixos";
|
||||
in
|
||||
{
|
||||
pennyworth = (unstable ./logical/pennyworth.nix).toplevel;
|
||||
jarvis = (channel ./logical/jarvis.nix).toplevel;
|
||||
blackadder = (channel ./logical/blackadder.nix).toplevel;
|
||||
ascanius = (channel ./logical/ascanius.nix).toplevel;
|
||||
woodhouse = (channel ./logical/woodhouse.nix).toplevel; # 192.168.178.39
|
||||
frumar = (channel ./logical/frumar.nix).toplevel; # frumar.local
|
||||
zazu = (stable ./logical/zazu.nix).toplevel;
|
||||
}
|
|
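Review bot: `stable` and `unstable` call `builtins.fetchTarball` on a channel URL with no `sha256`, and `git` points at the `master` tarball, so every evaluation pulls whatever those endpoints serve at that moment and the resulting system closures are neither reproducible nor checkable against a known nixpkgs tree. Pinning closes that supply-chain gap, e.g. `stable = n (builtins.fetchTarball { url = "https://github.com/NixOS/nixpkgs/archive/<REV-PLACEHOLDER>.tar.gz"; sha256 = "<SHA256-PLACEHOLDER>"; });` with the same shape for `unstable`, updated deliberately rather than on each build. The `git` entry also hands an `https://` string straight to `import "${url}/nixos/lib/eval-config.nix"`, which I would expect to fail rather than fetch — worth confirming it is exercised at all. A header comment such as `# Per-host system builds: n wraps nixos/lib/eval-config.nix so each host selects its own nixpkgs source` would tell the next reader what this file is for.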
@ -1,10 +1,8 @@
|
|||
{
|
||||
imports = [
|
||||
./gogs.nix
|
||||
./mail.nix
|
||||
./git.nix
|
||||
./muflax-church.nix
|
||||
./pub.nix
|
||||
./quassel.nix
|
||||
./website.nix
|
||||
./xmpp.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -0,0 +1,52 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = config.services.yorick.git;
|
||||
inherit (cfg) vhost;
|
||||
in
|
||||
{
|
||||
options.services.yorick.git = with lib; {
|
||||
enable = mkEnableOption "git";
|
||||
vhost = mkOption { type = types.str; };
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
users.extraUsers.git = {
|
||||
createHome = true;
|
||||
home = config.services.gitea.stateDir; extraGroups = [ "git" ]; useDefaultShell = true;
|
||||
};
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
user = "git";
|
||||
database.user = "root";
|
||||
database.name = "gogs";
|
||||
database.createDatabase = false;
|
||||
#dump.enable = true; TODO: backups
|
||||
domain = cfg.vhost;
|
||||
rootUrl = "https://${cfg.vhost}/";
|
||||
httpAddress = "localhost";
|
||||
cookieSecure = true;
|
||||
log.level = "Warn";
|
||||
disableRegistration = true;
|
||||
settings.service = {
|
||||
REGISTER_EMAIL_CONFIRM = false;
|
||||
ENABLE_NOTIFY_MAIL = false;
|
||||
REQUIRE_SIGNIN_VIEW = false;
|
||||
};
|
||||
settings.picture.DISABLE_GRAVATAR = false;
|
||||
settings.mailer = {
|
||||
ENABLED = false;
|
||||
AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/data/avatars";
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts.${vhost} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString config.services.gitea.httpPort}";
|
||||
extraConfig = ''
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
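Review bot: `AVATAR_UPLOAD_PATH` is placed under `settings.mailer`, but Gitea reads that key from the `[picture]` section, so the custom path is silently ignored; move it next to `DISABLE_GRAVATAR` as `settings.picture.AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/data/avatars";`. `database.user = "root"` gives the internet-facing service a superuser database account; `database.type` is not set in this hunk, so if it is MySQL or PostgreSQL rather than the module's sqlite default, a dedicated role scoped to the `gogs` database is the least-privilege choice. `users.extraUsers.git` is the deprecated alias of `users.users.git`, and the user sets neither `isSystemUser` nor a `group`, which newer NixOS releases reject at evaluation — confirm against the release the host tracks.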
@ -5,9 +5,9 @@ in
|
|||
{
|
||||
options.services.yorick.gogs = with lib; {
|
||||
enable = mkEnableOption "gogs";
|
||||
dir = mkOption { type = types.string; default = "/var/gogs"; };
|
||||
dir = mkOption { type = types.str; default = "/var/gogs"; };
|
||||
port = mkOption { type = types.int; default = 8001; };
|
||||
vhost = mkOption { type = types.string; };
|
||||
vhost = mkOption { type = types.str; };
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
|
|
|
@ -1,38 +0,0 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.services.yorick.mail;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
../modules/mailz.nix
|
||||
../modules/backup.nix
|
||||
];
|
||||
options.services.yorick.mail = with lib; {
|
||||
enable = mkEnableOption "mail service";
|
||||
mainUser = mkOption { type = types.string; };
|
||||
users = mkOption {};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
# email
|
||||
services.mailz = rec {
|
||||
domain = config.networking.hostName;
|
||||
keydir = "${config.security.acme.directory}/${domain}";
|
||||
inherit (cfg) mainUser users;
|
||||
};
|
||||
security.acme.certs.${config.networking.hostName}.postRun = ''
|
||||
systemctl reload dovecot2.service postfix.service
|
||||
'';
|
||||
services.backup = {
|
||||
enable = true;
|
||||
backups = {
|
||||
mail = {
|
||||
dir = "/var/spool/mail";
|
||||
remote = "webdavs://mail@yorickvp.stackstorage.com/remote.php/webdav//mail_bak";
|
||||
keyfile = "/var/backup/creds";
|
||||
interval = "daily";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
|
@ -3,7 +3,7 @@ let cfg = config.services.yorick.public; in
|
|||
{
|
||||
options.services.yorick.public = {
|
||||
enable = lib.mkEnableOption "public hosting";
|
||||
vhost = lib.mkOption { type = lib.types.string; };
|
||||
vhost = lib.mkOption { type = lib.types.str; };
|
||||
};
|
||||
#imports = [../modules/nginx.nix];
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
|
|
@ -9,10 +9,10 @@ in
|
|||
options.services.yorick = {
|
||||
website = {
|
||||
enable = mkEnableOption "yoricc website";
|
||||
vhost = mkOption { type = types.string; };
|
||||
vhost = mkOption { type = types.str; };
|
||||
pkg = mkOption { type = types.package; default = yoricc; };
|
||||
};
|
||||
redirect = mkOption { type = types.loaOf types.string; default = []; };
|
||||
redirect = mkOption { type = types.loaOf types.str; default = []; };
|
||||
};
|
||||
config.services.nginx.virtualHosts = with cfg; mkIf enable {
|
||||
${vhost} = {
|
||||
|
|
|
@ -8,8 +8,8 @@ in
|
|||
{
|
||||
options.services.yorick.xmpp = with lib; {
|
||||
enable = mkEnableOption "xmpp";
|
||||
vhost = mkOption { type = types.string; };
|
||||
admins = mkOption { type = types.listOf types.string; };
|
||||
vhost = mkOption { type = types.str; };
|
||||
admins = mkOption { type = types.listOf types.str; };
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
# XMPP
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
{
|
||||
public = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZv+hBDmjxF8h9Gxwvy0o7sMgOsqwp8pVj9AlpG90Y7agvkOm2IGtFueVfiDe0yWPXT0/EIiVWcPhWwcVkbY/BkypPJSMLnlcQ6ld+aO1g+BtdDaVuxcTSvQ77UCT2p+wftxoq1EiUdlhTsXpPucrBd+5NOde+jlPBE4qChIAf2zhOIByJAGT+M4Ie3eV4p5S9LB9CMI4s32gNUBbSA8UDmkjpBXkf9a1TZzdkOGWUmUFXt53/O8LZlGK9kkA5TsjM2xaxDjCLWf5wEcey4JsEggi1prE4aB68Q7+kdbvDiVSEFyZn0A/A9RXHBRAgW8yPdh+EGC56iDW/wkGxWBY5";
|
||||
deploy = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGGQytwzcR2DrnYQlnZSbXNpSClCFFvy4gqak8r7u8nYplu5azdq6yNN5TRAEoseiTl2WbdnwgVNluze5FF8a5p2XDyu754YF9nyNbQvzWt5dyjFLemDbj5vAzUnQY+52L9qwo5OK3oG2qZx76T7B5CnEN/JDJxGT3xveRyVUSTnNj/N0iiYVsOcEzGpkdKf/5QOGHuZWJrqwz2CNalKbXAJU9mEOHAH+fSxSmf99YCwwF+GyfYUL3eGIZ9CP1pUQX0CZKq8APW+rLlXJuGOrLTNYWd2jTzea95oiyMQeDhidTeyyPWi2GI32tRHVegg6wMzFo7b/m1f/BI18h9psn";
|
||||
yorick = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDo1N5E6qkb3McJOvv0PqI7E8iYLAcjil5RWc+zeTtN/";
|
||||
yorick = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDo1N5E6qkb3McJOvv0PqI7E8iYLAcjil5RWc+zeTtN/" "ssh-rsa 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 cardno:000607186578"];
|
||||
}
|
||||
|
|
|
@ -0,0 +1,21 @@
|
|||
{
|
||||
ips = {
|
||||
pennyworth = "10.209.0.1";
|
||||
jarvis = "10.209.0.2";
|
||||
frumar = "10.209.0.3";
|
||||
woodhouse = "10.209.0.4";
|
||||
ascanius = "10.209.0.5";
|
||||
blackadder = "10.209.0.6";
|
||||
zazu = "10.209.0.7";
|
||||
};
|
||||
keys = {
|
||||
# for i in wg.*.key; do echo $(echo $i | cut -d. -f2) = \"$(wg pubkey < $i)\"\;; done
|
||||
ascanius = "zZ3gegDspSKBJutp99VzODZNcJ1qQF3OH2nrlxhICwI=";
|
||||
blackadder = "+SfIbW9/MmA5iIVUUzkKPeWmZvwhP8y9qWo67o2UZUA=";
|
||||
frumar = "UpFw4KmrvmOWdMOJ+LHvMzgN7cQMnasqlkzF8/apoGI=";
|
||||
jarvis = "2/Qaq5uiy8uGGnZLIfjeomL47XjZCsJ1dDFDD9Nlq3E=";
|
||||
pennyworth = "XoeUMsiSOWBFEFuAu+S4iQd3MzkyGhIj9dtxzZ0I500=";
|
||||
woodhouse = "ICzlnC4zKUYvpQ0o5AFq2rG7CCqWUFVn3UqkLSoYNgI=";
|
||||
zazu = "6X5EdNMO1MtFi18LCRGZ2cBD0d50Wq+pwkwVubjY1Ew=";
|
||||
};
|
||||
}
|
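Review bot: the file carries no comment saying what it is, and the generator one-liner above `keys` reads private key files `wg.*.key` that must never land in the same repository as this public table; please confirm they are ignored or kept in the git-crypt'd secrets. A header such as `# WireGuard mesh: tunnel addresses (ips) and peer public keys (keys), one entry per host` would make the intent clear. The generator comment would also be more robust written as `for i in wg.*.key; do h=${i#wg.}; printf '%s = "%s";\n' "${h%.key}" "$(wg pubkey < "$i")"; done`, since the unquoted `$i` and `echo` pipeline break on unusual file names.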