diff --git a/conf b/conf index 8d8301a..db7410a 100755 --- a/conf +++ b/conf 
@@ -1,63 +1,54 @@ #!/usr/bin/env bash -if ! [ -e deploy_key ] || ! [ -e secrets.nix ] +set -xeuo pipefail +if ! [ -e secrets.nix ] then git crypt unlock - sudo chgrp nixbld deploy_key - chmod 640 deploy_key fi -export NIX_PATH="ssh-id-file=$PWD/deploy_key":secrets=$PWD/secrets.nix:yori-nix=$PWD -function get_channel { - case $1 in - git) - echo "nixpkgs=https://github.com/NixOS/nixpkgs/archive/master.tar.gz" - ;; - stable) - echo "nixpkgs=https://nixos.org/channels/nixos-18.03/nixexprs.tar.xz" - ;; - checkout) - echo "nixpkgs=$PWD/../projects/nixpkgs" - ;; - channel) - echo "/nix/var/nix/profiles/per-user/root/channels/nixos" - ;; - esac -} -case $1 in - cloc) - exec cloc --read-lang-def=deploy/nix_cloc . - ;; +# TODO: remove nixpkgs dependency +export NIX_PATH=yori-nix=$PWD:nixpkgs=channel:nixos-unstable +host=$1 +TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host) +#TARGET_HOST=192.168.178.1 +case $2 in copy-keys) - $0 exec "$2" nix build -f "\\" config.deployment.keys-copy --out-link copy-keys - TARGET_HOST=$(jq -r ".$2.host"" config.deployment.keys-copy --out-link copy-keys ./copy-keys/bin/copy-keys "$TARGET_HOST" # rm ./copy-keys ;; exec) CHANNEL=$(jq -r ".$2.pkgs"" "\\" + exec "$0" exec "$2" nix repl '' '' ;; build) - exec "$0" exec "$2" nixos-rebuild build + nix build -f servers.nix "$host" --show-trace ;; copy) - TARGET_HOST=$(jq -r ".$2.host" - + ../physical/fractal.nix + ../roles/server.nix + ../roles/homeserver.nix + ../services/torrent-wg.nix ]; - system.stateVersion = "15.09"; + networking.hostId = "0702dbe9"; services.nginx.enable = true; - services.yorick = { - public = { enable = true; vhost = "pub.yori.cc"; }; - gogs = { enable = true; vhost = "git.yori.cc"; }; - quassel.enable = true; + services.nginx.virtualHosts."${config.networking.hostName}" = { + enableACME = lib.mkForce false; + forceSSL = lib.mkForce false; + default = true; + }; + boot.supportedFilesystems = [ "zfs" ]; + services.yorick.torrent-vpn = { + enable = true; name = "mullvad-nl3"; 
namespace = "torrent"; + }; + services.plex = { + enable = true; + openFirewall = true; + }; + services.victoriametrics = { + enable = true; + retentionPeriod = 12; + }; + services.prometheus = { + enable = true; + extraFlags = [ + "--web.enable-admin-api" + ]; + # victoriametrics + extraConfig.remote_write = [ { url = "http://127.0.0.1:8428/api/v1/write"; } ]; + scrapeConfigs = [ { + job_name = "smartmeter"; + # prometheus doesn't support mdns :thinking_face: + static_configs = [ { targets = [ "192.168.178.30" ]; } ]; + scrape_interval = "10s"; + } { + job_name = "node"; + static_configs = [ { targets = [ "localhost:9100" ]; } ]; + # } { + # job_name = "unifi"; + # static_configs = [ { targets = [ "localhost:9130" ]; } ]; + } { + job_name = "thermometer"; + static_configs = [ { targets = [ "192.168.178.21:8000" ]; } ]; + }]; + exporters.node.enable = true; + # exporters.unifi = { + # enable = true; + # unifiAddress = "https://woodhouse.home.yori.cc:8443"; + # unifiInsecure = true; + # unifiUsername = "ReadOnlyUser"; + # unifiPassword = "ReadOnlyPassword"; + # }; + }; + networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 3000 9090 ]; + networking.firewall.allowedTCPPorts = [ 1883 ]; + networking.firewall.allowedUDPPorts = [ 1883 ]; + services.rabbitmq = { + enable = true; + plugins = [ "rabbitmq_mqtt" "rabbitmq_management" ]; + }; + services.grafana = { + enable = true; + addr = "0.0.0.0"; + domain = "grafana.yori.cc"; }; - - } diff --git a/logical/jarvis.nix b/logical/jarvis.nix index 2f715be..08db58b 100644 --- a/logical/jarvis.nix +++ b/logical/jarvis.nix 
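Review bot: `extraFlags = [ "--web.enable-admin-api" ]` enables Prometheus' unauthenticated TSDB admin endpoints (series deletion, snapshots, tombstone cleanup), and the same hunk opens 9090 on the VPN interface via `networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 3000 9090 ]`, so every WireGuard peer can call them; Prometheus has no authentication of its own and, as far as I recall, the NixOS default listen address is not loopback-only. Unless snapshots are actually taken, drop the flag; if they are needed, bind the listener to loopback and reach it only through the nginx proxy. The plain-MQTT port is also opened on every interface (`networking.firewall.allowedTCPPorts = [ 1883 ]` and the UDP twin) while no RabbitMQ authentication or TLS settings appear here — confirm anonymous MQTT logins are disabled before this reaches the LAN. This unit appears to splice the tail of `conf` with a separate host configuration whose file header the page lost, so the enclosing attribute set starts outside what is shown.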
@@ -1,15 +1,30 @@ { config, pkgs, lib, ... }: - { imports = - [ - + [ ../physical/xps9360.nix + ../roles/workstation.nix ]; - + nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ]; system.stateVersion = "17.09"; - services.xserver.displayManager.sessionCommands = '' - ${pkgs.xorg.xrandr}/bin/xrandr --dpi 192 - ''; + networking.wireguard.interfaces = { + wg-lumi = { + privateKeyFile = "/home/yorick/engineering/lumi/secrets/devel/vpn/wg/workstations.yorick.key"; + ips = [ "10.109.0.10" ]; + peers = [ { + publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI="; + endpoint = "wg.lumi.guide:31727"; + allowedIPs = [ "10.96.0.0/12" "10.0.12.0/22" "10.0.1.0/26" ]; + }]; + postSetup = "ip link set dev wg-lumi mtu 1371"; + }; + }; + + # development + services.postgresql = { + enable = true; + enableTCPIP = true; + package = pkgs.postgresql_10; + }; } diff --git a/logical/pennyworth.nix b/logical/pennyworth.nix index 582ce7b..4d3ca4c 100644 --- a/logical/pennyworth.nix +++ b/logical/pennyworth.nix 
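Review bot: `nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ]` pulls an overlay from a mutable branch with no `sha256`, so every evaluation runs whatever that repository currently contains and the result is neither reproducible nor integrity-checked. The rest of this commit moves external inputs to niv (`nix/sources.json` carries `rev` and `sha256`, consumed as `sources.nixos-hardware` in `physical/3950x.nix`), so the overlay should go the same route: after `niv add colemickens/nixpkgs-wayland`, write `let sources = import ../nix/sources.nix; in` at the top and `nixpkgs.overlays = [ (import sources.nixpkgs-wayland) ];`, or at minimum `builtins.fetchTarball { url = "https://github.com/colemickens/nixpkgs-wayland/archive/<rev>.tar.gz"; sha256 = "<sha256>"; }` (placeholders). `services.postgresql.enableTCPIP = true;` makes PostgreSQL listen on all addresses; the firewall is not opened for it here, so presumably containers or VMs are the intended clients — a comment saying why would help the next reader.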
@@ -3,42 +3,51 @@ # and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, lib, ... }: - +let + sslforward = proxyPass: { + forceSSL = true; + enableACME = true; + locations."/" = { + inherit proxyPass; + proxyWebsockets = true; + }; + }; + vpn = import ../vpn.nix; +in { imports = [ - - - ../modules/muflax-blog.nix + ../physical/hetznercloud.nix + ../roles/server.nix + (builtins.fetchTarball { + url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.1/nixos-mailserver-v2.2.1.tar.gz"; + sha256 = "03d49v8qnid9g9rha0wg2z6vic06mhp0b049s3whccn1axvs2zzx"; + }) + ../modules/muflax-blog.nix ]; - system.stateVersion = "16.03"; + system.stateVersion = "19.03"; services.nginx.enable = true; services.yorick = { public = { enable = true; vhost = "pub.yori.cc"; }; website = { enable = true; vhost = "yorickvanpelt.nl"; }; - mail = { - enable = true; - mainUser = "yorick"; - users.yorick = { - password = (import ).yorick_mailPassword; - domains = ["yori.cc" "yorickvanpelt.nl"]; + git = { enable = true; vhost = "git.yori.cc"; }; + muflax-church = { enable = true; vhost = "muflax.church"; }; + }; + mailserver = rec { + enable = true; + fqdn = "pennyworth.yori.cc"; + domains = [ "yori.cc" "yorickvanpelt.nl" ]; + loginAccounts = { + "yorick@yori.cc" = { + hashedPassword = (import ../secrets.nix).yorick_mailPassword; + catchAll = domains; + aliases = [ "@yori.cc" "@yorickvanpelt.nl" ]; }; }; - xmpp = { - enable = false; - vhost = "yori.cc"; - admins = [ "yorick@yori.cc" ]; - }; + certificateScheme = 3; + enableImapSsl = true; }; - services.nginx.virtualHosts."yori.cc" = { - enableACME = true; - forceSSL = true; - globalRedirect = "yorickvanpelt.nl"; - }; - - - services.muflax-blog = { enable = true; 
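Review bot: `hashedPassword = (import ../secrets.nix).yorick_mailPassword;` reuses the secret that the removed `services.yorick.mail.users.yorick.password` consumed; the deleted mailz module documented that value as the output of `smtpctl encrypt`, i.e. already a crypt-style hash, which is what `loginAccounts.*.hashedPassword` expects, but the `mailPassword` name reads as plaintext. Please confirm the value is a hash (it is presumably interpolated into store-side configuration, which is acceptable for a hash and not for a plaintext) and consider renaming the key to make that explicit. `catchAll = domains;` and `aliases = [ "@yori.cc" "@yorickvanpelt.nl" ];` express the same catch-all twice; presumably one is a leftover and the `aliases` entry can go. The `sslforward` helper in the new `let` is used in the second hunk of this file and deserves a one-line comment such as `# ACME + forced-TLS vhost that proxies / (incl. websockets) to proxyPass`.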
@@ -50,41 +59,36 @@ private_key = "/root/keys/http.muflax.key"; }; }; - users.extraUsers.git = { - createHome = true; - home = config.services.gitea.stateDir; extraGroups = [ "git" ]; useDefaultShell = true;}; - services.gitea = { - enable = true; - user = "git"; - database.user = "root"; - database.name = "gogs"; - #dump.enable = true; TODO: backups - domain = "git.yori.cc"; - rootUrl = "https://git.yori.cc/"; - httpAddress = "localhost"; - cookieSecure = true; - extraConfig = '' - [service] - REGISTER_EMAIL_CONFIRM = false - ENABLE_NOTIFY_MAIL = false - DISABLE_REGISTRATION = true - REQUIRE_SIGNIN_VIEW = false - [picture] - DISABLE_GRAVATAR = false - [mailer] - ENABLED = false - AVATAR_UPLOAD_PATH = ${config.services.gitea.stateDir}/data/avatars + services.nginx.commonHttpConfig = '' + access_log off; + ''; + services.nginx.virtualHosts = { + "yori.cc" = { + enableACME = true; + forceSSL = true; + globalRedirect = "yorickvanpelt.nl"; + }; + "grafana.yori.cc" = sslforward "http://${vpn.ips.frumar}:3000"; + "ubiquiti.yori.cc" = sslforward "https://${vpn.ips.woodhouse}:8443"; + "prometheus.yori.cc" = { + # only over vpn + listen = [ { addr = "10.209.0.1"; port = 80; } ]; + locations."/".proxyPass = "http://10.209.0.3:9090"; + }; + "pub.yori.cc".locations."/muflax/".extraConfig = '' + rewrite ^/muflax/(.*)$ https://alt.muflax.church/$1 permanent; ''; }; - services.nginx.virtualHosts."git.yori.cc" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.gitea.httpPort}"; - extraConfig = '' - proxy_buffering off; - ''; - }; - }; deployment.keyys = [ ]; + networking.firewall.allowedUDPPorts = [ 31790 ]; # wg + networking.wireguard.interfaces.wg-y.peers = + lib.mkForce (lib.mapAttrsToList (machine: publicKey: { + inherit publicKey; + allowedIPs = [ "${vpn.ips.${machine}}/32" ]; + }) vpn.keys); + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + environment.noXlibs = true; + users.users.yorick.packages = with 
pkgs; [ + python2 sshfs-fuse weechat + ]; } diff --git a/logical/woodhouse.nix b/logical/woodhouse.nix index 487c461..262ecee 100644 --- a/logical/woodhouse.nix +++ b/logical/woodhouse.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: let - secrets = import ; + #secrets = import ; mkFuseMount = device: opts: { # todo: "ServerAliveCountMax=3" "ServerAliveInterval=30" 
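Review bot: `services.nginx.commonHttpConfig = '' access_log off; '';` disables access logging for every vhost, including the publicly reachable grafana.yori.cc and ubiquiti.yori.cc proxies, which removes the one record you would use to investigate credential stuffing, ACME abuse or a compromise of those upstreams. If the concern is disk or privacy, keep the log and bound it (a shorter logrotate window, or a custom `log_format` without client addresses) rather than turning it off. `"ubiquiti.yori.cc" = sslforward "https://${vpn.ips.woodhouse}:8443"` proxies to an HTTPS upstream without `proxy_ssl_verify`, so nginx accepts any certificate there; over the WireGuard link that is tolerable, but a comment such as `# upstream cert is self-signed; hop is protected by wg-y, not by TLS` would stop the next reader from assuming the hop is authenticated. The enclosing attribute set starts before this hunk.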
@@ -16,24 +16,47 @@ in imports = [ + # ]; - system.stateVersion = "17.09"; + # nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ]; + # system.stateVersion = "17.09"; # fuse mounts system.fsPackages = [ pkgs.sshfsFuse ]; - + # programs.sway = { + # enable = true; + # extraSessionCommands = '' + # export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])} + # ''; + # }; #fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" []; - #fileSystems."/mnt/oxygen" = mkFuseMount "yorick@oxygen.obfusk.ch:" []; - #fileSystems."/mnt/nyamsas" = mkFuseMount "yorick@nyamsas.quezacotl.nl:" ["port=1337"]; + hardware.bluetooth.enable = true; # kodi ports - networking.firewall.allowedTCPPorts = [7 8080 9090 9777]; + networking.firewall.allowedTCPPorts = [7 8080 8443 9090 9777]; users.users.tv = { isNormalUser = true; uid = 1043; extraGroups = [ "wheel" ]; hashedPassword = "$6$hD4ESAGS8O1d$yctx6spOPZ0nt/6cgYpsWZ86UoXw3ISRpf2gbdhbl8JgDz6Psjx6JCqJ9NsMi5BHnXlgRRK/z2SVrTjHEsqQR."; + packages = with pkgs; [ plex-media-player ]; }; + services.xserver.windowManager.i3.enable = true; + networking.useNetworkd = true; + networking.dhcpcd.enable = false; + services.resolved.enable = true; + services.nscd.enable = false; + networking.interfaces.eno1.useDHCP = true; + networking.useDHCP = false; + #services.xserver.enable = lib.mkForce false; + # services.unifi = { + # enable = true; + # unifiPackage = pkgs.unifiStable; + # }; + # todo: debug: + services.resolved.extraConfig = "MulticastDNS=true"; + systemd.network.networks."40-eno1".networkConfig.MulticastDNS="yes"; + services.fstrim.enable = true; } diff --git a/modules/backup.nix b/modules/backup.nix deleted file mode 100644 index 27a221f..0000000 --- a/modules/backup.nix +++ /dev/null 
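Review bot: `networking.firewall.allowedTCPPorts = [7 8080 8443 9090 9777];` now opens 8443 while the service it is for, `services.unifi`, is added commented out, so a port is exposed with nothing intended behind it and the `# kodi ports` comment above it no longer describes the list. Either drop 8443 until UniFi is enabled, or keep the two together: `# kodi: 8080 9090 9777; unifi: 8443` on the comment line and the firewall entry moved into the unifi block once it is uncommented. `services.nscd.enable = false;` next to `services.resolved.enable = true;` is worth a second look: on NixOS nscd is, as far as I recall, the bridge through which NSS modules such as nss-resolve and nss-mdns are loaded, so disabling it may be why the mDNS setup is still marked `# todo: debug:`. The enclosing attribute set starts before this hunk.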
@@ -1,59 +0,0 @@ -{ config, pkgs, lib, ... }: -let -cfg = config.services.backup; -inherit (lib) mkEnableOption mkOption types mkIf -flip mapAttrs' nameValuePair; -in -{ - - options.services.backup = { - enable = mkOption { type = types.bool; default = false; }; - backups = mkOption { - type = types.loaOf types.optionSet; - options = { - dir = mkOption { type = types.str; }; - remote = mkOption { type = types.str; }; - keyfile = mkOption { type = types.str; }; - keyid = mkOption { type = types.str; default = "root"; }; - exclude = mkOption { type = types.str; default = ""; }; - interval = mkOption { type = types.str; default = "weekly"; }; - }; - }; - }; - config = mkIf cfg.enable { - # TODO: generate key in pre-start? - systemd.services = let - sectionToService = name: data: with data; { - description = "Back up ${name}"; - serviceConfig = { - IOSchedulingClass="idle"; - #Type = "oneshot"; - }; - script = '' - source ${keyfile} - ${pkgs.duplicity}/bin/duplicity ${dir} ${remote} \ - --ssl-cacert-file /etc/ssl/certs/ca-bundle.crt \ - --encrypt-key ${keyid} \ - --exclude-filelist ${pkgs.writeText "dupignore" exclude} \ - --asynchronous-upload \ - --volsize 100 \ - --allow-source-mismatch - ''; - after = ["network.target" "network-online.target"]; - wants = ["network-online.target"]; - }; - in flip mapAttrs' cfg.backups (name: data: nameValuePair - ("backup-${name}") - (sectionToService name data)); - systemd.timers = flip mapAttrs' cfg.backups (name: data: nameValuePair - ("backup-${name}") - ({ - description = "Periodically backups ${name}"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = data.interval; - Unit = "backup-${name}.service"; - }; - })); - }; -} diff --git a/modules/mailz.nix b/modules/mailz.nix deleted file mode 100644 index 4bf7169..0000000 --- a/modules/mailz.nix +++ /dev/null 
@@ -1,287 +0,0 @@ -# https://github.com/valeriangalliat/nixos-mailz -# manual actions: -# run sa-update -# configure DNS (dkim at /var/lib/dkim/*/default.txt) -# mkdir /var/empty/.spamassassin -# chown -R spamd /var/empty/.spamassassin -# possibly unneeded: -# chgrp -R vmail /var/spool/mail -# chmod g+rwx /var/spool/mail -# TODO: rspamd? -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.mailz; - - alldomains = lib.concatLists (mapAttrsToList (n: usr: usr.domains) cfg.users); - - files = { - credentials = pkgs.writeText "credentials" - (concatStringsSep "\n" - (flip mapAttrsToList cfg.users - (user: options: "${user} ${options.password}"))); - - # dovecot2 - users = pkgs.writeText "users" - (concatStringsSep "\n" - (flip mapAttrsToList cfg.users - (user: options: "${user}:${options.password}:::::"))); - - domains = pkgs.writeText "domains" - (concatStringsSep "\n" alldomains); - - spamassassinSieve = pkgs.writeText "spamassassin.sieve" '' - require "fileinto"; - if header :contains "X-Spam-Flag" "YES" { - fileinto "Spam"; - } - ''; - - }; - - -in - -{ - options = { - services.mailz = { - domain = mkOption { - default = cfg.networking.hostName; - type = types.str; - description = "Domain for this mail server."; - }; - - user = mkOption { - default = "vmail"; - type = types.str; - }; - - group = mkOption { - default = "vmail"; - type = types.str; - }; - - uid = mkOption { - default = 2000; - type = types.int; - }; - - gid = mkOption { - default = 2000; - type = types.int; - }; - - dkimDirectory = mkOption { - default = "/var/lib/dkim"; - type = types.str; - description = "Where to store DKIM keys."; - }; - - dkimBits = mkOption { - type = types.int; - default = 2048; - description = "Size of the generated DKIM key."; - }; - - mainUser = mkOption { - example = "root"; - type = types.str; - }; - - keydir = mkOption { - type = types.str; - description = "The place to look for the ssl key"; - default = 
"${config.security.acme.directory}/${cfg.domain}"; - }; - - users = mkOption { - default = { }; - type = types.loaOf types.optionSet; - description = '' - Attribute set of users. - ''; - - options = { - password = mkOption { - type = types.str; - description = '' - The user password, generated with - smtpctl encrypt. - ''; - }; - domains = mkOption { - type = types.listOf types.str; - example = ["example.com"]; - }; - - }; - - example = { - "foo" = { - password = "encrypted"; - }; - "bar" = { - password = "encrypted"; - }; - }; - }; - }; - }; - - config = mkIf (cfg.users != { }) { - system.activationScripts.mailz = '' - # Make sure SpamAssassin database is present - #if ! [ -d /etc/spamassassin ]; then - # cp -r ${pkgs.spamassassin}/share/spamassassin /etc - #fi - - # Make sure a DKIM private key exist - if ! [ -d ${cfg.dkimDirectory} ]; then - mkdir -p ${cfg.dkimDirectory} - chmod 700 ${cfg.dkimDirectory} - chown ${config.services.rmilter.user} ${cfg.dkimDirectory} - fi - # Generate missing keys - '' + - (lib.concatMapStringsSep "\n" (domain: '' - if ! 
[ -e ${cfg.dkimDirectory}/${domain}.default.key ]; then - ${pkgs.opendkim}/bin/opendkim-genkey --bits ${toString cfg.dkimBits} --domain ${domain} --directory ${cfg.dkimDirectory} --selector default - mv ${cfg.dkimDirectory}/default.private ${cfg.dkimDirectory}/${domain}.default.key - mv ${cfg.dkimDirectory}/default.txt ${cfg.dkimDirectory}/${domain}.default.txt - chown ${config.services.rmilter.user} ${cfg.dkimDirectory}/${domain}.default.* - fi - '') alldomains); - services.rspamd.enable = true; - services.rmilter = { - enable = true; - socketActivation = false; - #debug = true; - rspamd.enable = true; - postfix.enable = true; - extraConfig = '' - dkim { - domain { - key = ${cfg.dkimDirectory}; - domain = "*"; - selector = "default"; - }; - header_canon = relaxed; - body_canon = relaxed; - sign_alg = sha256; - }; - ''; - }; - - services.postfix = { - enable = true; - destination = alldomains ++ ["$myhostname" "localhost.$mydomain" "$mydomain" "localhost"]; - sslCert = "${cfg.keydir}/fullchain.pem"; - sslKey = "${cfg.keydir}/key.pem"; - postmasterAlias = cfg.mainUser; - enableSubmission = true; - virtual = lib.concatStringsSep "\n" (lib.mapAttrsToList (name: usr: - lib.concatMapStringsSep "\n" (dom: "@${dom} ${name}") usr.domains) cfg.users); - extraConfig = '' - mailbox_transport = lmtp:unix:dovecot-lmtp - ''; - submissionOptions = { - "smtpd_tls_security_level" = "encrypt"; - "smtpd_sasl_auth_enable" = "yes"; - "smtpd_sasl_type" = "dovecot"; - "smtpd_sasl_path" = "/var/lib/postfix/auth"; - "smtpd_client_restrictions" = "permit_sasl_authenticated,reject"; - #"milter_macro_daemon_name" = "ORIGINATING"; - }; - }; - - services.dovecot2 = { - enable = true; - enablePop3 = false; - enableLmtp = true; - mailLocation = "maildir:/var/spool/mail/%n"; - mailUser = cfg.user; - mailGroup = cfg.group; - modules = [ pkgs.dovecot_pigeonhole ]; - sslServerCert = "${cfg.keydir}/fullchain.pem"; - sslServerKey = "${cfg.keydir}/key.pem"; - enablePAM = false; - sieveScripts = { before 
= files.spamassassinSieve; }; - extraConfig = '' - postmaster_address = postmaster@${head alldomains} - - service lmtp { - unix_listener /var/lib/postfix/queue/dovecot-lmtp { - mode = 0660 - user = postfix - group = postfix - } - } - service auth { - unix_listener /var/lib/postfix/auth { - mode = 0660 - # Assuming the default Postfix user and group - user = postfix - group = postfix - } - } - - userdb { - driver = passwd-file - args = username_format=%n ${files.users} - default_fields = uid=${cfg.user} gid=${cfg.user} home=/var/spool/mail/%n - } - - passdb { - driver = passwd-file - args = username_format=%n ${files.users} - } - - namespace inbox { - inbox = yes - - mailbox Sent { - auto = subscribe - special_use = \Sent - } - - mailbox Drafts { - auto = subscribe - special_use = \Drafts - } - - mailbox Spam { - auto = create - special_use = \Junk - } - - mailbox Trash { - auto = subscribe - special_use = \Trash - } - - mailbox Archive { - auto = subscribe - special_use = \Archive - } - } - - protocol lmtp { - mail_plugins = $mail_plugins sieve - } - ''; - }; - - users.extraUsers = optional (cfg.user == "vmail") { - uid = cfg.uid; - group = cfg.group; - }; - - users.extraGroups = optional (cfg.group == "vmail") { - gid = cfg.gid; - }; - - networking.firewall.allowedTCPPorts = [ 25 587 993 ]; - }; -} diff --git a/modules/nixos-in-place.nix b/modules/nixos-in-place.nix index 88204a9..d51cf01 100644 --- a/modules/nixos-in-place.nix +++ b/modules/nixos-in-place.nix @@ -8,11 +8,11 @@ in options."nixos-in-place" = { enable = mkEnableOption "enable nixos-in-place FS"; rootfs = mkOption { - type = types.string; + type = types.str; description = "device name for root fs"; }; swapfs = mkOption { - type = types.string; + type = types.str; description = "device name for root fs"; }; }; diff --git a/modules/tor-hidden-service.nix b/modules/tor-hidden-service.nix index 0774338..7a20fa9 100644 --- a/modules/tor-hidden-service.nix +++ b/modules/tor-hidden-service.nix 
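Review bot: the `swapfs` option keeps `description = "device name for root fs";`, a copy of the `rootfs` description, so the generated option documentation describes the swap device as the root filesystem; while both options are being retyped to `types.str`, change it to `description = "device name for swap fs";`. The `options."nixos-in-place"` set begins before this hunk.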
@@ -8,7 +8,7 @@ let in { options.services.tor.service-keys = mkOption { default = {}; - type = with types; loaOf string; + type = with types; loaOf str; }; config = mkIf (service-keys != {}) { diff --git a/modules/victoriametrics.nix b/modules/victoriametrics.nix new file mode 100644 index 0000000..ef3a554 --- /dev/null +++ b/modules/victoriametrics.nix @@ -0,0 +1,49 @@ +{ config, pkgs, lib, ... }: +let cfg = config.services.victoriametrics; in +{ + options.services.victoriametrics = with lib; { + enable = mkEnableOption "victoriametrics"; + package = mkOption { + type = types.package; + default = pkgs.victoriametrics; + defaultText = "pkgs.victoriametrics"; + description = '' + The VictoriaMetrics distribution to use. + ''; + }; + http = mkOption { + default = ":8428"; + type = types.str; + description = '' + The listen address for the http interface. + ''; + }; + retentionPeriod = mkOption { + type = types.int; + default = 1; + description = '' + Retention period in months. + ''; + }; + extraOptions = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra options to pass to VictoriaMetrics. See + the README or victoriametrics -help for more + information. + ''; + }; + }; + config = lib.mkIf cfg.enable { + systemd.services.victoriametrics = { + description = "VictoriaMetrics time series database"; + serviceConfig = { + StateDirectory = "victoriametrics"; + DynamicUser = true; + ExecStart = "${cfg.package}/bin/victoria-metrics -storageDataPath=/var/lib/victoriametrics -httpListenAddr ${cfg.http} -retentionPeriod ${toString cfg.retentionPeriod} ${lib.concatStringsSep " " cfg.extraOptions}"; + }; + wantedBy = [ "multi-user.target" ]; + }; + }; +} diff --git a/nix/sources.json b/nix/sources.json new file mode 100644 index 0000000..3ce9739 --- /dev/null +++ b/nix/sources.json 
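Review bot: `ExecStart` splices `cfg.http` and `cfg.extraOptions` into the command line through `lib.concatStringsSep " "`, so an element containing whitespace or quotes is split by systemd's argument parser instead of being passed as one flag; use `${lib.escapeShellArgs cfg.extraOptions}` (systemd honours single-quoted arguments in ExecStart) and `${lib.escapeShellArg cfg.http}` — a one-line change. The default `http = ":8428"` binds every interface while VictoriaMetrics' HTTP API, which accepts writes and series deletion, carries no authentication of its own; the only consumer visible in this commit is Prometheus' `remote_write` to `http://127.0.0.1:8428`, so a `127.0.0.1:8428` default, with the description noting that it must be widened deliberately, would be the safer contract. `DynamicUser = true` with `StateDirectory` is the right hardening; the hard-coded `-storageDataPath=/var/lib/victoriametrics` could be `%S/victoriametrics` to keep the two in sync, though that is cosmetic.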
@@ -0,0 +1,38 @@ +{ + "niv": { + "branch": "master", + "description": "Easy dependency management for Nix projects", + "homepage": "https://github.com/nmattia/niv", + "owner": "nmattia", + "repo": "niv", + "rev": "c8f74f44b5f5df2c8f20a1834460d012e74d78f9", + "sha256": "0zmhxgl37f1p2aiqjmiccflpgga6phj6vmqs3jd33z0frj6hsy5c", + "type": "tarball", + "url": "https://github.com/nmattia/niv/archive/c8f74f44b5f5df2c8f20a1834460d012e74d78f9.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixos-hardware": { + "branch": "master", + "description": "A collection of NixOS modules covering hardware quirks.", + "homepage": "", + "owner": "nixos", + "repo": "nixos-hardware", + "rev": "89c4ddb0e60e5a643ab15f68b2f4ded43134f492", + "sha256": "1a0mplnj0zx33f4lm7kwg6z6iwgdkg2pxy58plkj6w59ibfl2l27", + "type": "tarball", + "url": "https://github.com/nixos/nixos-hardware/archive/89c4ddb0e60e5a643ab15f68b2f4ded43134f492.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixpkgs": { + "branch": "nixos-19.03", + "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to", + "homepage": "https://github.com/NixOS/nixpkgs", + "owner": "NixOS", + "repo": "nixpkgs-channels", + "rev": "c8db7a8a16ee9d54103cade6e766509e1d1c8d7b", + "sha256": "1b3h4mwpi10blzpvgsc0191k4shaw3nw0qd2p82hygbr8vv4g9dv", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs-channels/archive/c8db7a8a16ee9d54103cade6e766509e1d1c8d7b.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + } +} diff --git a/nix/sources.nix b/nix/sources.nix new file mode 100644 index 0000000..718ea6f --- /dev/null +++ b/nix/sources.nix 
@@ -0,0 +1,136 @@ +# This file has been generated by Niv. + +let + + # + # The fetchers. fetch_ fetches specs of type . + # + + fetch_file = pkgs: spec: + if spec.builtin or true then + builtins_fetchurl { inherit (spec) url sha256; } + else + pkgs.fetchurl { inherit (spec) url sha256; }; + + fetch_tarball = pkgs: spec: + if spec.builtin or true then + builtins_fetchTarball { inherit (spec) url sha256; } + else + pkgs.fetchzip { inherit (spec) url sha256; }; + + fetch_git = spec: + builtins.fetchGit { url = spec.repo; inherit (spec) rev ref; }; + + fetch_builtin-tarball = spec: + builtins.trace + '' + WARNING: + The niv type "builtin-tarball" will soon be deprecated. You should + instead use `builtin = true`. + + $ niv modify -a type=tarball -a builtin=true + '' + builtins_fetchTarball { inherit (spec) url sha256; }; + + fetch_builtin-url = spec: + builtins.trace + '' + WARNING: + The niv type "builtin-url" will soon be deprecated. You should + instead use `builtin = true`. + + $ niv modify -a type=file -a builtin=true + '' + (builtins_fetchurl { inherit (spec) url sha256; }); + + # + # Various helpers + # + + # The set of packages used when specs are fetched using non-builtins. + mkPkgs = sources: + if hasNixpkgsPath + then + if hasThisAsNixpkgsPath + then import (builtins_fetchTarball { inherit (mkNixpkgs sources) url sha256; }) {} + else import {} + else + import (builtins_fetchTarball { inherit (mkNixpkgs sources) url sha256; }) {}; + + mkNixpkgs = sources: + if builtins.hasAttr "nixpkgs" sources + then sources.nixpkgs + else abort + '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; + + hasNixpkgsPath = (builtins.tryEval ).success; + hasThisAsNixpkgsPath = + (builtins.tryEval ).success && == ./.; + + # The actual fetching function. + fetch = pkgs: name: spec: + + if ! 
builtins.hasAttr "type" spec then + abort "ERROR: niv spec ${name} does not have a 'type' attribute" + else if spec.type == "file" then fetch_file pkgs spec + else if spec.type == "tarball" then fetch_tarball pkgs spec + else if spec.type == "git" then fetch_git spec + else if spec.type == "builtin-tarball" then fetch_builtin-tarball spec + else if spec.type == "builtin-url" then fetch_builtin-url spec + else + abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; + + # Ports of functions for older nix versions + + # a Nix version of mapAttrs if the built-in doesn't exist + mapAttrs = builtins.mapAttrs or ( + f: set: with builtins; + listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)) + ); + + # fetchTarball version that is compatible between all the versions of Nix + builtins_fetchTarball = { url, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchTarball; + in + if lessThan nixVersion "1.12" then + fetchTarball { inherit url; } + else + fetchTarball attrs; + + # fetchurl version that is compatible between all the versions of Nix + builtins_fetchurl = { url, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchurl; + in + if lessThan nixVersion "1.12" then + fetchurl { inherit url; } + else + fetchurl attrs; + + # Create the final "sources" from the config + mkSources = config: + mapAttrs ( + name: spec: + if builtins.hasAttr "outPath" spec + then abort + "The values in sources.json should not have an 'outPath' attribute" + else + spec // { outPath = fetch config.pkgs name spec; } + ) config.sources; + + # The "config" used by the fetchers + mkConfig = + { sourcesFile ? ./sources.json + }: rec { + # The sources, i.e. the attribute set of spec name to spec + sources = builtins.fromJSON (builtins.readFile sourcesFile); + # The "pkgs" (evaluated nixpkgs) to use for e.g. 
non-builtin fetchers + pkgs = mkPkgs sources; + }; +in +mkSources (mkConfig {}) // + { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/packages/default.nix b/packages/default.nix index bd801f7..51eef8f 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -1,16 +1,3 @@ [ (self: super: { - gogitget = super.callPackage ./gogitget.nix {}; - shallot = super.callPackage ./shallot.nix {}; yori-cc = super.callPackage ./yori-cc.nix {}; - gitea = - super.gitea.overrideDerivation (o: rec { - version = "1.4.1"; - name = "gitea-${version}"; - src = self.fetchFromGitHub { - owner = "go-gitea"; - repo = "gitea"; - rev = "v${version}"; - sha256 = "1mid67c4021m7mi4ablx1w5v43831gzn8xpg8n30a4zmr70781wm"; - }; - }); })] diff --git a/packages/firmware_qca6174.nix b/packages/firmware_qca6174.nix deleted file mode 100644 index 69832da..0000000 --- a/packages/firmware_qca6174.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ stdenv, fetchurl }: -stdenv.mkDerivation rec { - target = "QCA6174"; - branch = "4.4.1.c1"; - version = "${branch}-00042"; - name = "${target}-firmware-${version}"; - src = fetchurl { - url = "https://github.com/kvalo/ath10k-firmware/raw/master/${target}/hw3.0/${branch}/firmware-6.bin_RM.${version}-QCARMSWP-1"; - sha256 = "01vvz3qhqw5l3yilcqgk1spk4y9k4qy7na7a57cbl037r231szdh"; - }; - buildCommand = '' - install -D $src $out/lib/firmware/ath10k/${target}/hw3.0/firmware-6.bin - ''; -} diff --git a/packages/gogitget.nix b/packages/gogitget.nix deleted file mode 100644 index 6a0ef40..0000000 --- a/packages/gogitget.nix +++ /dev/null 
@@ -1,20 +0,0 @@ -# this is the secure fetchgit, but it actually works -{ fetchgit, writeScript, openssh, stdenv }: args: derivation ((fetchgit args).drvAttrs // { - SSH_AUTH_SOCK = if (builtins.tryEval ).success - then builtins.toString - else null; - GIT_SSH = writeScript "fetchgit-ssh" '' - #! ${stdenv.shell} - TEMP_ID=$(mktemp) - cp ${let - sshIdFile = if (builtins.tryEval ).success - then - else builtins.trace '' - That didn't work. - '' "/var/lib/empty/config"; - in builtins.toString sshIdFile} $TEMP_ID - chown `whoami` $TEMP_ID - chmod 400 $TEMP_ID - exec -a ssh ${openssh}/bin/ssh -F /dev/null -i $TEMP_ID -o StrictHostKeyChecking=no "$@" - ''; -}) diff --git a/packages/shallot.nix b/packages/shallot.nix deleted file mode 100644 index fad7a90..0000000 --- a/packages/shallot.nix +++ /dev/null @@ -1,24 +0,0 @@ -with import {}; - -stdenv.mkDerivation { - name = "shallot-0.0.3-alpha"; - - src = fetchFromGitHub { - rev = "831de01b13b309933d32efe8388444ef6a831cfb"; - owner = "katmagic"; - repo = "Shallot"; - sha256 = "0zlgl13vmv6zj1jk5cfjqg66n3qq9yp2202llpgvfl16rzxrlv5r"; - }; - - buildInputs = [openssl]; - - buildPhase = '' - ./configure - make - ''; - - installPhase = '' - mkdir -p $out/bin - mv shallot $out/bin - ''; -} \ No newline at end of file diff --git a/packages/yori-cc.nix b/packages/yori-cc.nix index 725b9f1..92f5a5f 100644 --- a/packages/yori-cc.nix +++ b/packages/yori-cc.nix @@ -1,14 +1,11 @@ { stdenv, callPackage }: -let gogitget = callPackage ./gogitget.nix {}; in - stdenv.mkDerivation { - name = "yori-cc-1.3.5"; + name = "yori-cc-1.5"; - src = gogitget { - "url" = "git@git.yori.cc:yorick/yori-cc.git"; - "rev" = "f049e4330dfb64bbbaf700897269c003fce8b5c4"; - "sha256" = "1x8knlsp7cx52sr15gr0yhj1vl8ncznrqn4nvaycgwmhr1kysffr"; + src = builtins.fetchGit { + url = "git@git.yori.cc:yorick/yori-cc.git"; + rev = "68c75ab84cceaf98dd8fd0646b97d73f966b8962"; }; buildInputs = [ ]; 
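Review bot: `src = builtins.fetchGit { url = "git@git.yori.cc:yorick/yori-cc.git"; rev = "68c75ab84cceaf98dd8fd0646b97d73f966b8962"; }` replaces a fetch that carried a `sha256` with one pinned only by commit id; the SHA-1 rev still fixes the content, but the fetch now happens at evaluation time through the evaluating user's SSH configuration (agent, known_hosts), so it works only where that key and the git.yori.cc host key are present and cannot be reproduced by a sandboxed builder. Newer Nix also refuses a `rev` that is not reachable from the default branch unless `ref` is given, so add `ref = "master";` (or whichever branch holds the commit). Removing `gogitget`, which shipped `StrictHostKeyChecking=no`, removes a weak spot; host key verification now rests on the deploying user's known_hosts, which is worth a comment next to `src`.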
diff --git a/physical/3950x-hardware-config.nix b/physical/3950x-hardware-config.nix new file mode 100644 index 0000000..0b89336 --- /dev/null +++ b/physical/3950x-hardware-config.nix @@ -0,0 +1,38 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "rpool/root/nixos"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "rpool/home"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/5D0A-7902"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/61a23e27-2cd4-4456-bcde-aec68be04239"; } + ]; + + nix.maxJobs = lib.mkDefault 32; + # High-DPI console + #i18n.consoleFont = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; +} diff --git a/physical/3950x.nix b/physical/3950x.nix new file mode 100644 index 0000000..e44e2c4 --- /dev/null +++ b/physical/3950x.nix @@ -0,0 +1,22 @@ +{ config, pkgs, lib, ... }: +let sources = import ../nix/sources.nix; +in +{ + imports = + [ ./. + ./3950x-hardware-config.nix + "${sources.nixos-hardware}/common/cpu/amd" + ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.supportedFilesystems = [ "zfs" ]; + boot.kernelModules = [ "nct6775" ]; + boot.kernelPackages = pkgs.linuxPackages_latest; + networking.hostId = "c7736638"; + services.zfs.autoScrub.enable = true; + services.zfs.trim.enable = true; + + networking.useDHCP = false; + networking.interfaces.enp9s0.useDHCP = true; +} diff --git a/physical/apu2c4.nix b/physical/apu2c4.nix new file mode 100644 index 0000000..b6eb949 
--- /dev/null +++ b/physical/apu2c4.nix @@ -0,0 +1,22 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/1396f814-6cc2-4988-992a-3558fa1ac5a2"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/5f8f358d-f63c-48ad-a322-d1aeb403e4ff"; } + ]; + + nix.maxJobs = lib.mkDefault 4; +} diff --git a/physical/default.nix b/physical/default.nix index 0bac40f..c92b7a0 100644 --- a/physical/default.nix +++ b/physical/default.nix 
@@ -1,44 +1,3 @@ -{ config, lib, pkgs, ... }: -let cfg = config.hardware.yorick; in -with lib; { - options.hardware.yorick = { - cpu = mkOption { - type = types.nullOr (types.enum ["intel" "virtual"]); - }; - gpu = mkOption { - type = types.nullOr (types.enum ["intel" "nvidia"]); - default = null; - }; - laptop = mkEnableOption "laptop settings"; - }; - config = mkMerge [ - (mkIf (cfg.gpu == "intel") { - # https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options - boot.kernelParams = ["i915.enable_fbc=1" "i915.enable_guc_loading=1" "i915.enable_guc_submission=1" "i915.enable_huc=1" "i915.enable_psr=2"]; - # now we wait until enable_psr=1 is fixed - services.xserver.videoDrivers = ["modesetting"]; - hardware.opengl.extraPackages = [ pkgs.vaapiIntel ]; - }) - (mkIf (cfg.gpu == "nvidia") { - boot.kernelModules = ["nvidiabl"]; - services.xserver.videoDrivers = ["nvidia"]; - boot.extraModulePackages = [config.boot.kernelPackages.nvidiabl]; - }) - (mkIf (cfg.cpu == "intel") { - hardware.cpu.intel.updateMicrocode = true; - boot.kernelModules = ["kvm-intel"]; - }) - (mkIf (cfg.laptop) { - services.xserver.libinput.enable = true; - - networking.wireless.enable = true; - hardware.bluetooth.enable = true; - # gotta go faster - networking.dhcpcd.extraConfig = '' - noarp - ''; - services.thermald.enable = true; - }) - ]; + hardware.enableRedistributableFirmware = true; } diff --git a/physical/fractal.nix b/physical/fractal.nix index f6d5574..7471c5d 100644 --- a/physical/fractal.nix +++ b/physical/fractal.nix 
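Review bot: Deleting the `cfg.cpu == "intel"` branch also deletes `hardware.cpu.intel.updateMicrocode = true`, and the only replacement visible in this commit is nixos-hardware's `common/cpu/intel`, which not every host imports (physical/hp8570w.nix still sets `hardware.yorick.cpu = "intel"` instead). Microcode updates carry the CPU-side mitigations for the speculative-execution issues, so a host silently losing them is a security regression, not a cleanup. The new `hardware.enableRedistributableFirmware = true;` only reaches hosts that import `./.`, so each Intel host that does not import nixos-hardware's cpu module should set `hardware.cpu.intel.updateMicrocode = true;` itself (or import that module), and a one-line comment here noting that microcode is now expected from nixos-hardware would stop the next person from assuming this file still handles it.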
@@ -1,22 +1,21 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. { config, lib, pkgs, ... }: - +let sources = import ../nix/sources.nix; +in { imports = - [ - + [ ./. + "${sources.nixos-hardware}/common/cpu/intel" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" ]; - hardware.yorick.cpu = "intel"; # Use the GRUB 2 boot loader. - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - # Define on which hard drive you want to install Grub. - boot.loader.grub.device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S21PNXAG441016B"; + boot.loader.grub = { + enable = true; + version = 2; + # Define on which hard drive you want to install Grub. + device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S21PNXAG441016B"; + }; fileSystems."/" = @@ -28,6 +27,16 @@ swapDevices = [ { device = "/dev/disk/by-label/nixos-swap"; } ]; + fileSystems."/data" = + { device = "frumar-new"; + fsType = "zfs"; + }; + + fileSystems."/data/plexmedia" = + { device = "frumar-new/plexmedia"; + fsType = "zfs"; + }; nix.maxJobs = 4; + services.avahi.interfaces = [ "enp2s0" ]; } diff --git a/physical/hetznercloud.nix b/physical/hetznercloud.nix new file mode 100644 index 0000000..38e0af1 --- /dev/null +++ b/physical/hetznercloud.nix 
@@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: +let + ipconf = (import ../secrets.nix).ipconf.${config.networking.hostName}; +in +{ + imports = + # todo: impure: + [ + ]; + + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.loader.grub = { + enable = true; + version = 2; + device = "/dev/sda"; + }; + + fileSystems."/" = + { device = "/dev/sda1"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + nix.maxJobs = lib.mkDefault 1; + #services.nscd.enable = false; + networking.dhcpcd.enable = false; + systemd.network.enable = true; + systemd.network.networks."40-hetzner" = { + DHCP = "ipv4"; + address = [ ipconf.mainIPv6 ]; + gateway = [ "fe80::1" ]; + matchConfig.Name = "ens3"; + }; + services.fstrim.enable = true; +} diff --git a/physical/hp8570w.nix b/physical/hp8570w.nix index 543ac75..08534a3 100644 --- a/physical/hp8570w.nix +++ b/physical/hp8570w.nix @@ -7,7 +7,7 @@ ./hp8570w/powerdown.nix ]; - hardware.yorick = { cpu = "intel"; gpu = "nvidia"; laptop = true; }; + hardware.yorick = { cpu = "intel"; gpu = "nvidia"; }; boot = { loader.grub = { @@ -48,4 +48,16 @@ #services.tcsd.enable = true; # it has a TPM. maybe use this? #environment.systemPackages = with pkgs; [tpm-tools]; + services.xserver.libinput.enable = true; + + networking.wireless.enable = true; + hardware.bluetooth.enable = true; + # gotta go faster + networking.dhcpcd.extraConfig = '' + noarp + ''; + services.thermald.enable = true; + boot.kernelModules = ["nvidiabl"]; + services.xserver.videoDrivers = ["nvidia"]; + boot.extraModulePackages = [config.boot.kernelPackages.nvidiabl]; } diff --git a/physical/kassala.nix b/physical/kassala.nix deleted file mode 100644 index b37e8c6..0000000 --- a/physical/kassala.nix +++ /dev/null 
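Review bot: `ipconf = (import ../secrets.nix).ipconf.${config.networking.hostName}` pulls values out of the git-crypt-protected secrets file into the system configuration, and anything interpolated from it (`address = [ ipconf.mainIPv6 ]` here) lands in world-readable files under /nix/store, so that file must only hold values that are acceptable to expose or the network unit must be populated another way. An IPv6 address is probably fine, but the constraint deserves a comment at the binding: `# only non-secret values (addresses) may be read from secrets.nix: they end up in the store`. Separately, `imports = # todo: impure: [ ];` is a TODO on an empty list; either drop it or say what was meant to be imported. `/dev/sda` and `/dev/sda1` rather than by-uuid paths are acceptable on a single-disk cloud VM but are also worth a word.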
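Review bot: `hardware.yorick = { cpu = "intel"; gpu = "nvidia"; };` on the new side references an option whose declaration (`options.hardware.yorick` in physical/default.nix) this same commit deletes, so evaluating this host should fail with an undefined-option error unless another module redeclares it. The laptop settings were inlined further down in this file, so the remaining assignment reads as a leftover; drop it and replace what `cpu = "intel"` used to do with `hardware.cpu.intel.updateMicrocode = true;` (or an import of nixos-hardware's `common/cpu/intel` as the other hosts do), since the microcode update was the only effect of that branch.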
@@ -1,50 +0,0 @@ -{ config, lib, pkgs, ... }: -let - ipconf = (import ).ipconf.${config.networking.hostName}; -in -{ - imports = [ ../modules/nixos-in-place.nix ]; - "nixos-in-place" = { - enable = true; - rootfs = "/dev/disk/by-uuid/7165e542-0995-474c-a228-9592339e0604"; - swapfs = "/dev/disk/by-uuid/baaf824a-bee0-4037-a237-3a69f1db7985"; - }; - # fs layout: - # before: /nixos/nix/* /boot/grub/menu.lst - # after: /nix/* /old-root/boot/grub/menu.lst - boot = { - kernelPackages = pkgs.linuxPackages_latest; - blacklistedKernelModules = ["coretemp"]; - # use grub 1, don't install - loader.grub = { - version = 1; - extraPerEntryConfig = "root (hd0,0)"; # do we need this? - mirroredBoots = [{ - path = "/old-root/boot"; - devices = ["nodev"]; - }]; - splashImage = null; - }; - initrd.availableKernelModules = [ "xen_blkfront" ]; - }; - sound.enable = false; - networking = { - usePredictableInterfaceNames = false; # only eth0 - interfaces.eth0 = { - useDHCP = false; - inherit (ipconf) ipv4 ipv6; - }; - inherit (ipconf) nameservers; - # ideally, it should add a route for this automatically - #defaultGateway = ipconf.gateway4; - #defaultGateway6 = ipconf.gateway6; - }; - systemd.services."network-setup".postStart = with ipconf; '' - ip route add ${gateway4} dev eth0 || true - ip route add default via ${gateway4} || true - ip -6 route add ${gateway6} dev eth0 || true - ip -6 route add default via ${gateway6} || true - ''; - nix.maxJobs = lib.mkDefault 2; - hardware.yorick.cpu = "virtual"; -} diff --git a/physical/nixos-hardware.nix b/physical/nixos-hardware.nix deleted file mode 100644 index bb469e6..0000000 --- a/physical/nixos-hardware.nix +++ /dev/null @@ -1,4 +0,0 @@ -builtins.fetchTarball { - url = "https://github.com/NixOS/nixos-hardware/archive/d534770be7f699b3332ef09bd043745a38d115ad.tar.gz"; - sha256 = "0h4xzs0bp0v01rzqm023ia2rgmcxv32jdiinp7ylxxh384vf5h0h"; -} diff --git a/physical/nuc.nix b/physical/nuc.nix index b447144..afa1c7b 100644 --- a/physical/nuc.nix 
+++ b/physical/nuc.nix @@ -1,40 +1,41 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. { config, lib, pkgs, ... }: - +let sources = import ../nix/sources.nix; +in { + imports = [ + "${sources.nixos-hardware}/common/cpu/intel" ]; - - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; - hardware.yorick = { cpu = "intel"; gpu = "intel"; }; - boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + fileSystems."/" = - { device = "/dev/disk/by-uuid/fa5026b1-0f73-4233-a417-780c65f3f038"; - fsType = "btrfs"; - options = ["defaults" "relatime" "discard"]; + { device = "/dev/disk/by-uuid/3e148654-0ed8-4354-8159-e3499c6fa299"; + fsType = "ext4"; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/729B-0F6C"; + { device = "/dev/disk/by-uuid/439E-26EA"; fsType = "vfat"; }; - swapDevices = - [ { device = "/dev/disk/by-uuid/086b6aaa-a737-4747-91d6-b4923bf14858"; } - ]; + swapDevices = [ ]; nix.maxJobs = lib.mkDefault 4; - services.xserver.videoDrivers = ["intel"]; - networking.wireless.enable = true; - environment.systemPackages = with pkgs; [ - btrfs-progs + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + + nixpkgs.config.packageOverrides = pkgs: { + vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; + }; + hardware.opengl.extraPackages = with pkgs; [ + intel-media-driver # only available starting nixos-19.03 or the current nixos-unstable ]; } diff --git a/physical/xps9360-hardware-config.nix b/physical/xps9360-hardware-config.nix index 87673e6..185f0db 100644 --- a/physical/xps9360-hardware-config.nix 
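Review bot: The `nixpkgs.config.packageOverrides` entry overrides `vaapiIntel` with `enableHybridCodec = true`, but nothing in the new file references `vaapiIntel` any more: `hardware.opengl.extraPackages` lists only `intel-media-driver`, and the old `hardware.yorick.gpu = "intel"` path that added `pkgs.vaapiIntel` is removed from physical/default.nix in this commit. Either add `vaapiIntel` next to `intel-media-driver` in `extraPackages` or delete the override. The removed `gpu = "intel"` setting also used to select `services.xserver.videoDrivers = ["modesetting"]` and the i915 kernel parameters; if this host still runs X, that configuration is gone without a visible replacement. Mixing `packageOverrides` with the `nixpkgs.overlays` from roles/default.nix works, but an overlay would be the consistent form.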
+++ b/physical/xps9360-hardware-config.nix @@ -22,7 +22,7 @@ }; swapDevices = - [ { device = "/dev/disk/by-uuid/d9c4c15b-0e9c-47f6-8675-93b1b8de5f9d"; } + [ { device = "/dev/disk/by-uuid/198ddaba-a849-41de-993d-862c2d37937a"; } ]; nix.maxJobs = lib.mkDefault 4; diff --git a/physical/xps9360.nix b/physical/xps9360.nix index af37c73..ad527c8 100644 --- a/physical/xps9360.nix +++ b/physical/xps9360.nix @@ -1,26 +1,43 @@ { config, lib, pkgs, ... }: +let sources = import ../nix/sources.nix; +in { imports = [ - "${import ./nixos-hardware.nix}/dell/xps/13-9360" + "${sources.nixos-hardware}/dell/xps/13-9360" ./xps9360-hardware-config.nix ]; boot.kernelPackages = pkgs.linuxPackages_latest; - boot.kernelParams = [ "i915.enable_psr=0" ]; + boot.kernelModules = [ "i8k" ]; + boot.extraModprobeConfig = '' + options i8k ignore_dmi=1 + ''; fileSystems."/".options = ["defaults" "relatime" "discard"]; boot.initrd.luks.devices."nix-crypt".allowDiscards = true; - # intel huc, guc. qca6174 (older firmware) - hardware.enableRedistributableFirmware = true; - - # hardware is thermal-limited - services.thermald.enable = lib.mkDefault true; + services.undervolt = rec { + enable = true; + coreOffset = "-50"; + gpuOffset = "-50"; + uncoreOffset = "-50"; + analogioOffset = "-50"; + }; + services.tlp.extraConfig = '' + CPU_SCALING_GOVERNOR_ON_AC=performance + CPU_SCALING_GOVERNOR_ON_BAT=powersave + ''; services.xserver.libinput.enable = true; - networking.wireless.enable = true; + networking.wireless = { + enable = false; + iwd.enable = true; + }; hardware.bluetooth.enable = true; + + services.udev.packages = [ pkgs.crda ]; + hardware.firmware = [ pkgs.wireless-regdb ]; # gotta go faster networking.dhcpcd.extraConfig = '' noarp diff --git a/roles/default.nix b/roles/default.nix index bd51fce..b16bd5d 100644 --- a/roles/default.nix +++ b/roles/default.nix 
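Review bot: physical/xps9360.nix does not import `./.` (its `imports` hold only nixos-hardware's `dell/xps/13-9360` and the hardware config), so the `hardware.enableRedistributableFirmware = true` that the commit moves into physical/default.nix does not reach this host, while this hunk removes the original line together with its `# intel huc, guc. qca6174 (older firmware)` rationale; unless the nixos-hardware profile sets it (it may, via `lib.mkDefault`), the qca6174 Wi-Fi firmware is lost. Adding `./.` to `imports`, as 3950x.nix and fractal.nix do, restores it. The same hunk drops `services.thermald.enable` with its `# hardware is thermal-limited` note and adds `services.undervolt` with fixed -50 mV offsets; undervolting drives the voltage MSR that firmware updates after the Plundervolt fixes may lock, so a comment recording that these values were tested on this machine's current BIOS would help the next reader.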
@@ -1,39 +1,41 @@ -let secrets = import ; +let secrets = import ../secrets.nix; in -{ config, pkgs, lib, ...}: +{ config, pkgs, lib, name, ...}: let - machine = lib.removeSuffix ".nix" (builtins.baseNameOf ); + machine = name; + vpn = import ../vpn.nix; in { imports = [ ../modules/tor-hidden-service.nix ../modules/nginx.nix - - + ../deploy/keys.nix + ../services ]; networking.hostName = secrets.hostnames.${machine}; time.timeZone = "Europe/Amsterdam"; users.mutableUsers = false; - users.extraUsers.root = { - openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys; + users.users.root = { + openssh.authorizedKeys.keys = config.users.users.yorick.openssh.authorizedKeys.keys; # root password is useful from console, ssh has password logins disabled hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own }; services.timesyncd.enable = true; - users.extraUsers.yorick = { + users.users.yorick = { isNormalUser = true; uid = 1000; extraGroups = ["wheel"]; group = "users"; - openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [yorick]; + openssh.authorizedKeys.keys = with (import ../sshkeys.nix); yorick; + hashedPassword = secrets.yorick_hashedPassword; }; # Nix nixpkgs.config.allowUnfree = true; nixpkgs.overlays = import ../packages; - nix.buildCores = config.nix.maxJobs; + #nix.buildCores = config.nix.maxJobs; # Networking networking.enableIPv6 = true; @@ -47,17 +49,17 @@ in environment.systemPackages = with pkgs; [ # v important. - cowsay ponysay + cowsay #ponysay ed # ed, man! sl rlwrap - vim + #vim # system stuff ethtool inetutils pciutils usbutils - iotop powertop htop + /*iotop*/ powertop htop psmisc lsof smartmontools hdparm lm_sensors 
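Review bot: `hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own` gives every host built from this role the same root password, so a single console compromise is a compromise of all of them, and with `users.mutableUsers = false` the hash (like the `users.users.yorick.hashedPassword` added in this hunk) is written into generated files in the world-readable Nix store, where any local account such as `lars` from homeserver.nix can copy it for offline cracking. The deployment already ships per-host key material (`/root/keys/wg.${machine}.key` in the WireGuard block below), so the same channel can carry a per-host password hash: `passwordFile = "/root/keys/root.${machine}.passwd";` in place of `hashedPassword`, for root and for yorick. Until that lands, the TODO should at least say that the hash is shared across hosts.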
@@ -73,19 +75,40 @@ in # archiving xdelta + libarchive atool - unrar p7zip - unzip zip # network nmap mtr bind socat netcat-openbsd lftp wget rsync - git - rxvt_unicode.terminfo + #gitMinimal + #rxvt_unicode.terminfo ]; nix.gc.automatic = true; -} + services.avahi = { + ipv6 = true; + hostName = machine; + }; + deployment.keyys = [ (+"/wg.${machine}.key") ]; + networking.wireguard.interfaces.wg-y = { + privateKeyFile = "/root/keys/wg.${machine}.key"; + ips = [ vpn.ips.${machine} ]; + listenPort = 31790; + peers = [ { + publicKey = vpn.keys.pennyworth; + endpoint = "pennyworth.yori.cc:31790"; + allowedIPs = [ "10.209.0.0/24" ]; + persistentKeepalive = 30; + }]; + postSetup = "ip link set dev wg-y mtu 1371"; + }; + security.acme.email = "acme@yori.cc"; + security.acme.acceptTerms = true; + nix.binaryCachePublicKeys = + [ "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0=" ]; + nix.trustedUsers = ["@wheel"]; +} diff --git a/roles/graphical.nix b/roles/graphical.nix index f098c1a..c7ab4a4 100644 --- a/roles/graphical.nix +++ b/roles/graphical.nix @@ -1,27 +1,12 @@ let secrets = import ; -in -{ config, lib, pkgs, ... }: -{ - imports = [ ]; +in { config, lib, pkgs, ... }: { + imports = [ ./. ]; options.yorick.support32bit = with lib; - mkOption { type = types.bool; default = false; }; + mkOption { + type = types.bool; + default = false; + }; config = { - # Enable the X11 windowing system. - services.xserver = { - enable = true; - libinput = { - naturalScrolling = true; - tappingDragLock = false; - }; - layout = "us"; - xkbOptions = "caps:escape"; - displayManager.slim.defaultUser = "yorick"; - # xkbOptions = "eurosign:e"; - windowManager.i3 = { - enable = true; - package = pkgs.i3-gaps; - }; - }; hardware.opengl = { enable = true; driSupport32Bit = config.yorick.support32bit; 
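Review bot: `nix.trustedUsers = ["@wheel"];` makes every wheel member root-equivalent through the Nix daemon (trusted users may pass arbitrary daemon options such as extra substituters or disabling the sandbox, and import unsigned store paths), which is fine on a single-admin box but is a real widening on the servers and deserves a comment, e.g. `# trusted-users is root-equivalent: only yorick is in wheel`; it should not be extended to other groups. In the WireGuard block the hub is not special-cased: pennyworth is a key in vpn.nix, so this role gives it `wg-y` with its own public key as the only peer and `pennyworth.yori.cc` as endpoint unless logical/pennyworth.nix (not in this diff) overrides `peers`; a `lib.mkIf (machine != "pennyworth")` or a comment pointing at the hub's own definition would make that explicit. `privateKeyFile = "/root/keys/wg.${machine}.key"` relies on the deploy module to install the key with a restrictive mode, which is not visible here.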
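Review bot: The `let secrets = import ...; in` binding kept on the new side of roles/graphical.nix appears to have no remaining user in this file: its only consumer, `users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword`, is removed in the file's second hunk and moved to roles/default.nix. The binding's argument is not visible here so I am hedging, but if it is unused it should go; an idle import of the secrets file invites someone to reach for it later from a module whose values end up in the store.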
@@ -31,30 +16,37 @@ in enable = true; support32Bit = config.yorick.support32bit; }; - users.extraUsers.yorick.extraGroups = ["video"]; + users.users.yorick.extraGroups = [ "video" ]; # fix backlight permissions - services.udev.extraRules = '' - ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness" - ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness" - ''; + services.udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness" + ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness" + ''; - fonts = { - enableFontDir = true; - enableGhostscriptFonts = true; - fonts = with pkgs; [ - corefonts # Micrsoft free fonts - inconsolata # monospaced - source-code-pro - ubuntu_font_family # Ubuntu fonts - source-han-sans-japanese - iosevka - ]; + fonts = { + enableFontDir = true; + enableGhostscriptFonts = true; + fonts = with pkgs; [ + corefonts # Micrsoft free fonts + inconsolata # monospaced + source-code-pro + ubuntu_font_family # Ubuntu fonts + source-han-sans-japanese + iosevka + font-awesome + ]; + }; + # spotify + networking.firewall.allowedTCPPorts = [ 55025 57621 ]; + networking.firewall.allowedUDPPorts = [ 55025 57621 ]; + + services.openssh.forwardX11 = true; + + programs.sway = { + enable = true; + extraSessionCommands = '' + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])} + ''; + }; }; - # spotify - networking.firewall.allowedTCPPorts = [55025 57621]; - networking.firewall.allowedUDPPorts = [55025 57621]; - - users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword; - services.openssh.forwardX11 = true; -}; } diff --git a/roles/homeserver.nix b/roles/homeserver.nix new file mode 100644 index 0000000..a0eec7c --- /dev/null 
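Review bot: `export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath ...}` in `programs.sway.extraSessionCommands` applies to every process started from the session, not only the program that presumably needs those libraries, and a session-wide `LD_LIBRARY_PATH` is both a classic source of library-mismatch crashes on NixOS and a loader search path that every child inherits. If it exists for one non-Nix binary, wrap that binary instead (`makeWrapper` with `--prefix LD_LIBRARY_PATH`), and in any case leave a comment naming what needs `libxkbcommon`/`libglvnd`/`wayland`. `services.openssh.forwardX11 = true;` is carried over onto a machine that now starts sway rather than X; if no X server is expected it can be dropped rather than left enabled by habit.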
+++ b/roles/homeserver.nix @@ -0,0 +1,17 @@ +{lib, ...}: { + users.users.lars = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + ]; + }; + services.avahi = { + enable = true; + nssmdns = true; + publish = { + enable = true; + addresses = true; + }; + }; + networking.firewall.logRefusedConnections = lib.mkForce true; +} diff --git a/roles/server.nix b/roles/server.nix index b8fe7f3..7d6dc17 100644 --- a/roles/server.nix +++ b/roles/server.nix @@ -1,10 +1,11 @@ { - imports = [ ]; + imports = [ ./. ]; - services.nixosManual.enable = false; + documentation.nixos.enable = false; services.sshguard.enable = true; + programs.mosh.enable = true; environment.noXlibs = true; - networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers + networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers } diff --git a/roles/workstation.nix b/roles/workstation.nix index e2b32eb..875952a 100644 --- a/roles/workstation.nix +++ b/roles/workstation.nix 
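Review bot: `networking.firewall.logRefusedConnections = lib.mkForce true;` silently overrides the `false` that roles/server.nix sets with the comment `# Silence logging of scanners and knockers`, and a reader of either file cannot see the interaction; state the reason here, e.g. `# server.nix silences refused-connection logging for internet-facing hosts; on the home LAN we want to see them`. The `lars` account has no password, and roles/default.nix sets `users.mutableUsers = false`, so it is key-only, which is fine; a comment saying so, and whose key the redacted `ssh-rsa` line is, would keep it that way. `services.avahi.publish.addresses = true` announces this host on the LAN, which fits the home role but is worth a word too.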
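Review bot: `programs.mosh.enable = true;` also opens UDP 60000–61000 in the firewall, as far as I recall of the module, on every host with this role, including the internet-facing VPN hub; mosh sessions are bootstrapped over SSH so this is not an authentication bypass, but it is new exposure that `services.sshguard` does not watch. Make it explicit with `# mosh opens UDP 60000-61000 in the firewall; sessions are still authenticated via ssh`, and if not every server needs it, enable it per host rather than in the shared role.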
@@ -1,39 +1,45 @@ { config, lib, pkgs, ... }: +let + nixNetrcFile = pkgs.runCommand "nix-netrc-file" +{ hostname = "cache.lumi.guide"; + username = "lumi"; +} '' + cat > $out < + ./graphical.nix ]; - users.extraUsers.yorick.extraGroups = [ "input" "wireshark" ]; + users.extraUsers.yorick.extraGroups = [ "input" "wireshark" "dialout" ]; services.printing = { enable = true; drivers = [ pkgs.gutenprint ]; }; - environment.systemPackages = [pkgs.ghostscript pkgs.yubikey-manager]; - #services.xserver.displayManager.sessionCommands = '' - # gpg-connect-agent /bye - # unset SSH_AGENT_PID - # export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh" - #''; - virtualisation.virtualbox.host.enable = true; + environment.systemPackages = with pkgs; [ + pkgs.ghostscript pkgs.yubikey-manager + ]; + virtualisation.virtualbox.host.enable = false; yorick.support32bit = true; # yubikey hardware.u2f.enable = true; services.pcscd.enable = true; - sound.enable = true; #environment.systemPackages = [pkgs.yubikey-manager]; fonts.fonts = [ pkgs.emojione ]; # bluetooth headphones hardware.pulseaudio.package = pkgs.pulseaudioFull; - # japanese typing - i18n.inputMethod = { - enabled = "fcitx"; - fcitx.engines = with pkgs.fcitx-engines; [ mozc ]; - }; programs.wireshark.enable = true; nix = { gc.automatic = pkgs.lib.mkOverride 30 false; binaryCaches = [ "https://cache.nixos.org" + "https://cache.lumi.guide/" + "s3://yorick-cache?endpoint=s3.eu-central-1.wasabisys.com&profile=wasabi-private" + #"https://nixpkgs-wayland.cachix.org" ]; trustedBinaryCaches = config.nix.binaryCaches ++ [ "ssh://yorick@jupiter.serokell.io" 
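Review bot: `nixNetrcFile = pkgs.runCommand "nix-netrc-file" { hostname = "cache.lumi.guide"; username = "lumi"; } ''cat > $out ...''` builds the netrc file as a derivation, so whatever the heredoc writes — presumably a `password` line, which the rendering here cuts off — becomes a world-readable path in /nix/store and would travel with the closure to the `s3://yorick-cache` substituter listed a few lines later if ever pushed. Substituter credentials belong outside the store: point `netrc-file` at a root-only file (alongside the WireGuard keys under `/root/keys/`, or `/etc/nix/netrc`, which Nix reads by default) and drop the derivation. If the heredoc really holds no secret, a comment saying so saves the next reviewer the same question.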
@@ -45,7 +51,20 @@ "serokell-1:aIojg2Vxgv7MkzPJoftOO/I8HKX622sT+c0fjnZBLj0=" "cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE=" "serokell.cachix.org-1:5DscEJD6c1dD1Mc/phTIbs13+iW22AVbx0HqiSb+Lq8=" - "disciplina.cachix.org-1:zDeIFV5cu22v04EUuRITz/rYxpBCGKY82x0mIyEYjxE=" + "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" ]; + extraOptions = '' + netrc-file = ${nixNetrcFile} + ''; }; + services.avahi = { + enable = true; + nssmdns = true; + }; + virtualisation.libvirtd.enable = true; + users.users.yorick.extraGroups = [ "libvirtd" ]; + users.users.yorick.shell = pkgs.fish; + services.udev.extraRules = '' + SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5bf0", MODE="0664", GROUP="dialout" + ''; } diff --git a/secrets.nix b/secrets.nix index 1e8c352..e10620b 100644 Binary files a/secrets.nix and b/secrets.nix differ diff --git a/servers.json b/servers.json deleted file mode 100644 index fc44136..0000000 --- a/servers.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "pennyworth": { - "pkgs": "stable", - "host": "pennyworth.yori.cc" - }, - "jarvis": { - "pkgs": "channel", - "host": "jarvis.home.yori.cc" - }, - "ascanius": { - "pkgs": "channel", - "host": "ascanius.home.yori.cc" - }, - "woodhouse": { - "pkgs": "channel", - "host": "woodhouse.home.yori.cc" - }, - "frumar": { - "pkgs": "channel", - "host": "frumar.yori.cc" - } -} diff --git a/servers.nix b/servers.nix new file mode 100644 index 0000000..a1e7ddc --- /dev/null +++ b/servers.nix 
@@ -0,0 +1,24 @@
+let
+ lib = import ;
+ n = url: conf: let
+ c = import "${url}/nixos/lib/eval-config.nix" {
+ modules = [ ./roles conf ];
+ extraArgs.name = lib.removeSuffix ".nix" (builtins.baseNameOf conf);
+ extraArgs.nixpkgs = url;
+ };
+ in c.config.system.build // c;
+ git = n "https://github.com/NixOS/nixpkgs/archive/master.tar.gz";
+ stable = n (builtins.fetchTarball "channel:nixos-20.03");
+ unstable = n (builtins.fetchTarball "channel:nixos-unstable-small");
+ checkout = n ../projects/nixpkgs;
+ channel = n "/nix/var/nix/profiles/per-user/root/channels/nixos";
+in
+{
+ pennyworth = (unstable ./logical/pennyworth.nix).toplevel;
+ jarvis = (channel ./logical/jarvis.nix).toplevel;
+ blackadder = (channel ./logical/blackadder.nix).toplevel;
+ ascanius = (channel ./logical/ascanius.nix).toplevel;
+ woodhouse = (channel ./logical/woodhouse.nix).toplevel; # 192.168.178.39
+ frumar = (channel ./logical/frumar.nix).toplevel; # frumar.local
+ zazu = (stable ./logical/zazu.nix).toplevel;
+}
diff --git a/services/default.nix b/services/default.nix
index eb5a420..735789a 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -1,10 +1,8 @@
 {
 imports = [
- ./gogs.nix
- ./mail.nix
+ ./git.nix
+ ./muflax-church.nix
 ./pub.nix
- ./quassel.nix
 ./website.nix
- ./xmpp.nix
 ];
 }
diff --git a/services/git.nix b/services/git.nix
new file mode 100644
index 0000000..bd97b30
--- /dev/null
+++ b/services/git.nix
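Review bot: `unstable = n (builtins.fetchTarball "channel:nixos-unstable-small")` and `stable = n (builtins.fetchTarball "channel:nixos-20.03")` fetch whatever the channel redirect points at today with no `sha256`, so a host build — including pennyworth, the VPN hub every other host peers with — is not reproducible, and its entire nixpkgs input is trusted on the strength of one TLS connection at evaluation time. The repo already pins `nixos-hardware` through niv's `nix/sources.nix`; pinning nixpkgs the same way (`sources.nixpkgs`) gives a reviewable diff per bump. `git = n "https://github.com/NixOS/nixpkgs/archive/master.tar.gz"` hands a URL string to `import "${url}/nixos/lib/eval-config.nix"`, which expects a path, so it can only work if Nix fetches it in a way not visible here; nothing below uses `git`, so it is dead and should go. `lib = import ...;` has lost its argument in rendering but presumably resolves through NIX_PATH, reintroducing the impurity this file otherwise removes.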
@@ -0,0 +1,52 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.yorick.git; + inherit (cfg) vhost; +in +{ + options.services.yorick.git = with lib; { + enable = mkEnableOption "git"; + vhost = mkOption { type = types.str; }; + }; + config = lib.mkIf cfg.enable { + users.extraUsers.git = { + createHome = true; + home = config.services.gitea.stateDir; extraGroups = [ "git" ]; useDefaultShell = true; + }; + services.gitea = { + enable = true; + user = "git"; + database.user = "root"; + database.name = "gogs"; + database.createDatabase = false; + #dump.enable = true; TODO: backups + domain = cfg.vhost; + rootUrl = "https://${cfg.vhost}/"; + httpAddress = "localhost"; + cookieSecure = true; + log.level = "Warn"; + disableRegistration = true; + settings.service = { + REGISTER_EMAIL_CONFIRM = false; + ENABLE_NOTIFY_MAIL = false; + REQUIRE_SIGNIN_VIEW = false; + }; + settings.picture.DISABLE_GRAVATAR = false; + settings.mailer = { + ENABLED = false; + AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/data/avatars"; + }; + }; + services.nginx.virtualHosts.${vhost} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.gitea.httpPort}"; + extraConfig = '' + proxy_buffering off; + ''; + }; + }; + }; +} diff --git a/services/gogs.nix b/services/gogs.nix index e7c8a1e..5baf704 100644 --- a/services/gogs.nix +++ b/services/gogs.nix @@ -5,9 +5,9 @@ in { options.services.yorick.gogs = with lib; { enable = mkEnableOption "gogs"; - dir = mkOption { type = types.string; default = "/var/gogs"; }; + dir = mkOption { type = types.str; default = "/var/gogs"; }; port = mkOption { type = types.int; default = 8001; }; - vhost = mkOption { type = types.string; }; + vhost = mkOption { type = types.str; }; }; config = lib.mkIf cfg.enable { diff --git a/services/mail.nix b/services/mail.nix deleted file mode 100644 index d2df22f..0000000 --- a/services/mail.nix +++ /dev/null 
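Review bot: `AVATAR_UPLOAD_PATH` is placed under `settings.mailer`, but in Gitea's app.ini it belongs to the `[picture]` section (where `DISABLE_GRAVATAR` already sits), so it is silently ignored and avatars go to the default path; move it: `settings.picture = { DISABLE_GRAVATAR = false; AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/data/avatars"; };` and keep `settings.mailer = { ENABLED = false; };`. `database.user = "root"` runs the application as the database superuser against `database.name = "gogs"` (the old gogs schema, it seems); Gitea needs only a dedicated user with rights on its own database, and since `database.type` is not set it is not visible whether this is MySQL/Postgres or the module's sqlite default. Minor: nginx proxies to `127.0.0.1` while `httpAddress = "localhost"` may resolve to `::1` on a host with `networking.enableIPv6 = true`; using `"127.0.0.1"` on both sides removes the ambiguity.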
@@ -1,38 +0,0 @@ -{ config, pkgs, lib, ... }: -let -cfg = config.services.yorick.mail; -in -{ - imports = [ - ../modules/mailz.nix - ../modules/backup.nix - ]; - options.services.yorick.mail = with lib; { - enable = mkEnableOption "mail service"; - mainUser = mkOption { type = types.string; }; - users = mkOption {}; - }; - config = lib.mkIf cfg.enable { - # email - services.mailz = rec { - domain = config.networking.hostName; - keydir = "${config.security.acme.directory}/${domain}"; - inherit (cfg) mainUser users; - }; - security.acme.certs.${config.networking.hostName}.postRun = '' - systemctl reload dovecot2.service postfix.service - ''; - services.backup = { - enable = true; - backups = { - mail = { - dir = "/var/spool/mail"; - remote = "webdavs://mail@yorickvp.stackstorage.com/remote.php/webdav//mail_bak"; - keyfile = "/var/backup/creds"; - interval = "daily"; - }; - }; - }; - - }; -} diff --git a/services/pub.nix b/services/pub.nix index 31d886c..8b7d340 100644 --- a/services/pub.nix +++ b/services/pub.nix @@ -3,7 +3,7 @@ let cfg = config.services.yorick.public; in { options.services.yorick.public = { enable = lib.mkEnableOption "public hosting"; - vhost = lib.mkOption { type = lib.types.string; }; + vhost = lib.mkOption { type = lib.types.str; }; }; #imports = [../modules/nginx.nix]; config = lib.mkIf cfg.enable { diff --git a/services/website.nix b/services/website.nix index 8657647..d4cec95 100644 --- a/services/website.nix +++ b/services/website.nix @@ -9,10 +9,10 @@ in options.services.yorick = { website = { enable = mkEnableOption "yoricc website"; - vhost = mkOption { type = types.string; }; + vhost = mkOption { type = types.str; }; pkg = mkOption { type = types.package; default = yoricc; }; }; - redirect = mkOption { type = types.loaOf types.string; default = []; }; + redirect = mkOption { type = types.loaOf types.str; default = []; }; }; config.services.nginx.virtualHosts = with cfg; mkIf enable { ${vhost} = { 
diff --git a/services/xmpp.nix b/services/xmpp.nix index 7e80d85..132cd26 100644 --- a/services/xmpp.nix +++ b/services/xmpp.nix @@ -8,8 +8,8 @@ in { options.services.yorick.xmpp = with lib; { enable = mkEnableOption "xmpp"; - vhost = mkOption { type = types.string; }; - admins = mkOption { type = types.listOf types.string; }; + vhost = mkOption { type = types.str; }; + admins = mkOption { type = types.listOf types.str; }; }; config = lib.mkIf cfg.enable { # XMPP diff --git a/sshkeys.nix b/sshkeys.nix index 814e3da..eba2344 100644 --- a/sshkeys.nix +++ b/sshkeys.nix 
@@ -1,5 +1,5 @@ { public = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZv+hBDmjxF8h9Gxwvy0o7sMgOsqwp8pVj9AlpG90Y7agvkOm2IGtFueVfiDe0yWPXT0/EIiVWcPhWwcVkbY/BkypPJSMLnlcQ6ld+aO1g+BtdDaVuxcTSvQ77UCT2p+wftxoq1EiUdlhTsXpPucrBd+5NOde+jlPBE4qChIAf2zhOIByJAGT+M4Ie3eV4p5S9LB9CMI4s32gNUBbSA8UDmkjpBXkf9a1TZzdkOGWUmUFXt53/O8LZlGK9kkA5TsjM2xaxDjCLWf5wEcey4JsEggi1prE4aB68Q7+kdbvDiVSEFyZn0A/A9RXHBRAgW8yPdh+EGC56iDW/wkGxWBY5"; deploy = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGGQytwzcR2DrnYQlnZSbXNpSClCFFvy4gqak8r7u8nYplu5azdq6yNN5TRAEoseiTl2WbdnwgVNluze5FF8a5p2XDyu754YF9nyNbQvzWt5dyjFLemDbj5vAzUnQY+52L9qwo5OK3oG2qZx76T7B5CnEN/JDJxGT3xveRyVUSTnNj/N0iiYVsOcEzGpkdKf/5QOGHuZWJrqwz2CNalKbXAJU9mEOHAH+fSxSmf99YCwwF+GyfYUL3eGIZ9CP1pUQX0CZKq8APW+rLlXJuGOrLTNYWd2jTzea95oiyMQeDhidTeyyPWi2GI32tRHVegg6wMzFo7b/m1f/BI18h9psn"; - yorick = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDo1N5E6qkb3McJOvv0PqI7E8iYLAcjil5RWc+zeTtN/"; + yorick = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDo1N5E6qkb3McJOvv0PqI7E8iYLAcjil5RWc+zeTtN/" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFQm2OJ8PlnDHfI7FV3hddXP0t2jgKAiCnnuWIc+LK4dnyGmlC/ihIe9KhSENZEnzVAXnYAMOoOvpkVa5p0Itf1n0anCK3k2vDq0Jz9nY3ZXmkSHE09QGCpSG8kU6j+zWJPo2jWYNtxYMRmmHAuzzOdlPY9Q199PEvHVaqzpSVhIdhqhEcmap8oqHW6KbJu+17nLGGQB5XiTB1SlTxbg62copA9KMcvQzNGIooKs5QyrU/B0g05EfbogH7xOLbwYAK676DTUBEcKpEUYFMMv+DBcU4cH2EI6UTLxI5ohrS1pxk20zu5nTRMlQRUETpWN4EbEPfOzF8FW1YOwdttfCas8D6Y6t9gA4o8GpylBG9AElVw7VyOFeBR+AtchormH+wH6nZEvzs6wg2d84I8xo5qYGUJIQS7OYxypjlY01IFCCa/7rjzXGDmdWAP/UEu85ys9FSryn9Ey5DXDQOqhMHguOwQDUyaArWyRCCBzKbx6cPZw2D9bLfDxbnaC2/5dVyxHJXoWmwneX2E/UT5QwtG1nyLShIZhYgO9lfDpO61Mz9Jjap3sj6mJPxHZc5SGye0j47xV6kX4vbSgfoSHHnasaI3fR2ZBS7tnfq1ebxXqFFSPHK6uHjLgDHtkMisvjOVZnybuXB296pjv6K1o2G3qlUnImOqfxZxvuy4Xl/mw== cardno:000607186578"]; } diff --git a/vpn.nix b/vpn.nix new file mode 100644 index 0000000..bdad675 --- /dev/null +++ b/vpn.nix 
@@ -0,0 +1,21 @@
+{
+ ips = {
+ pennyworth = "10.209.0.1";
+ jarvis = "10.209.0.2";
+ frumar = "10.209.0.3";
+ woodhouse = "10.209.0.4";
+ ascanius = "10.209.0.5";
+ blackadder = "10.209.0.6";
+ zazu = "10.209.0.7";
+ };
+ keys = {
+ # for i in wg.*.key; do echo $(echo $i | cut -d. -f2) = \"$(wg pubkey < $i)\"\;; done
+ ascanius = "zZ3gegDspSKBJutp99VzODZNcJ1qQF3OH2nrlxhICwI=";
+ blackadder = "+SfIbW9/MmA5iIVUUzkKPeWmZvwhP8y9qWo67o2UZUA=";
+ frumar = "UpFw4KmrvmOWdMOJ+LHvMzgN7cQMnasqlkzF8/apoGI=";
+ jarvis = "2/Qaq5uiy8uGGnZLIfjeomL47XjZCsJ1dDFDD9Nlq3E=";
+ pennyworth = "XoeUMsiSOWBFEFuAu+S4iQd3MzkyGhIj9dtxzZ0I500=";
+ woodhouse = "ICzlnC4zKUYvpQ0o5AFq2rG7CCqWUFVn3UqkLSoYNgI=";
+ zazu = "6X5EdNMO1MtFi18LCRGZ2cBD0d50Wq+pwkwVubjY1Ew=";
+ };
+}