merged nixos
commit
785d459c2f
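--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1,3 @@
+# Do not edit this file. To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff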
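--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1,4 @@
+secrets.nix filter=git-crypt diff=git-crypt
+*.key filter=git-crypt diff=git-crypt
+deploy_key filter=git-crypt diff=git-crypt
+keys/** filter=git-crypt diff=git-crypt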
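Review bot: Only files named `secrets.nix`, `deploy_key`, `*.key` or anything under `keys/` go through git-crypt, so secrets embedded in any other tracked file stay in the clear (the TV host file later in this commit carries a `hashedPassword` literal, for instance). Any credential should therefore live under `keys/` or in `secrets.nix` and be referenced from the host configuration; a comment at the top of this file stating that rule would make the scope explicit, e.g. `# git-crypt scope: every secret goes under keys/ or into secrets.nix; host files are committed in plain text`. The patterns are unanchored, so a `secrets.nix` in any subdirectory is encrypted as well, which is presumably intended.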
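--- a/PATH_NOT_SHOWN_3
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,2 @@
+result
+copy-keys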
@ -0,0 +1,64 @@
|
|||
My nixos configurations.
|
||||
|
||||
|
||||
Systems
|
||||
=======
|
||||
|
||||
[frumar](https://en.wikipedia.org/wiki/Frumar)
|
||||
--------
|
||||
|
||||
Physical [server](./roles/server.nix). Mostly used for files. (storage: 30 TB hdd + 256GB ssd, RAM: 16GB, 2 cores ht)
|
||||
|
||||
- prometheus
|
||||
- grafana
|
||||
- rabbitmq
|
||||
- torrents
|
||||
- plex
|
||||
|
||||
[pennyworth](https://en.wikipedia.org/wiki/Alfred_Pennyworth)
|
||||
----------
|
||||
|
||||
[Server](./roles/server.nix).
|
||||
Hetzner cloud VPS (Storage: 20GB, RAM: 2GB, 1 core)
|
||||
|
||||
- [website](./services/website.nix)
|
||||
- [email](./services/mail.nix)
|
||||
- irc/weechat
|
||||
- vpn + http gateway for some services
|
||||
|
||||
[woodhouse](https://en.wikipedia.org/wiki/List_of_Archer_characters#Recurring_characters)
|
||||
-----------
|
||||
|
||||
intel nuc connected to the tv (storage: 250GB ssd, RAM: 8GB)
|
||||
|
||||
- plex media player
|
||||
- todo: sshfs mount to frumar
|
||||
|
||||
|
||||
|
||||
[jarvis](https://en.wikipedia.org/wiki/Edwin_Jarvis)
|
||||
--------
|
||||
|
||||
[workstation](./roles/workstation.nix).
|
||||
dell xps 13 (RAM: 16GB, storage: 512GB ssd, 2 cores ht)
|
||||
|
||||
|
||||
[blackadder](https://en.wikipedia.org/wiki/Edmund_Blackadder#Edmund_Blackadder_Esq._(Regency_Britain))
|
||||
--------
|
||||
|
||||
[workstation](./roles/workstation.nix).
|
||||
https://tweakers.net/productcollectie/wijzig/2583112/
|
||||
ryzen 9 (RAM: 64GB, storage: 1TB ssd, 16 cores ht)
|
||||
|
||||
Maintenance
|
||||
===========
|
||||
|
||||
Generating tor keys:
|
||||
|
||||
```
|
||||
$(nix-build packages/shallot.nix --no-out-link)/bin/shallot -f tmp ^PATTERN
|
||||
head -n3 tmp
|
||||
tail -n +4 tmp > keys/ssh.HOSTNAME.key
|
||||
shred tmp && rm tmp
|
||||
|
||||
```
|
|
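--- a/PATH_NOT_SHOWN_5
+++ b/PATH_NOT_SHOWN_5
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+set -xeuo pipefail
+if ! [ -e secrets.nix ]
+then
+git crypt unlock
+fi
+export NIX_PATH=yori-nix=$PWD
+host=$1
+TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)
+#TARGET_HOST=192.168.178.1
+case $2 in
+copy-keys)
+nix build -f servers.nix "$host".config.deployment.keys-copy --out-link copy-keys
+./copy-keys/bin/copy-keys "$TARGET_HOST"
+# rm ./copy-keys
+;;
+exec)
+CHANNEL=$(jq -r ".$2.pkgs"<servers.json)
+channel_url=$(get_channel "$CHANNEL")
+export NIX_PATH="$channel_url:nixos-config=$PWD/logical/$2.nix:$NIX_PATH"
+"${@:3}"
+;;
+ssh)
+ssh root@"$TARGET_HOST"
+;;
+repl)
+exec "$0" exec "$2" nix repl '<nixpkgs>' '<nixpkgs/nixos>'
+;;
+build)
+nix build -f servers.nix "$host" --show-trace
+;;
+copy)
+nix copy -f servers.nix "$host" --show-trace --to "ssh://$TARGET_HOST"
+;;
+test)
+outPath=$(nix-build servers.nix -A "$host")
+nix copy -f servers.nix "$host" --show-trace --to "ssh://$TARGET_HOST"
+ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration test
+;;
+boot)
+outPath=$(nix-build servers.nix -A "$host")
+nix copy "$outPath" --show-trace --to "ssh://$TARGET_HOST"
+ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
+ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration boot
+;;
+switch)
+outPath=$(nix-build servers.nix -A "$host")
+nix copy "$outPath" --show-trace --to "ssh://$TARGET_HOST"
+ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
+ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration switch
+;;
+
+
+esac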
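Review bot: The `exec` and `repl` cases cannot work as written: inside `case $2 in`, `$2` is the subcommand name, so `jq -r ".$2.pkgs"` looks up `.exec.pkgs` and `logical/$2.nix` becomes `logical/exec.nix`, `get_channel` is not defined anywhere in this script, and `repl` re-invokes `"$0" exec "$2"` with `$2` equal to `repl`. Either drop both cases or rewrite them on `$host`: `CHANNEL=$(jq -r ".$host.pkgs" <servers.json)` and `export NIX_PATH="$channel_url:nixos-config=$PWD/logical/$host.nix:$NIX_PATH"`. The unlock guard is also suspect: a locked git-crypt checkout still contains `secrets.nix` as ciphertext, so `[ -e secrets.nix ]` is true either way and `git crypt unlock` never runs; locked files begin with a `GITCRYPT` magic header, so `if head -c 10 secrets.nix | grep -qa GITCRYPT; then git crypt unlock; fi` is a more reliable test. Minor: `test` copies via `nix copy -f servers.nix "$host"` (a second evaluation) while `boot`/`switch` copy the already-built `"$outPath"`; using the latter form everywhere keeps the three paths consistent.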
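--- a/PATH_NOT_SHOWN_6
+++ b/PATH_NOT_SHOWN_6
@@ -0,0 +1,19 @@
+{ pkgs, lib, config, ... }:
+with lib;
+let cfg = config.deployment.keyys; in
+{
+options.deployment.keyys = mkOption { type = types.listOf types.path; default = []; };
+options.deployment.keys-copy = mkOption { type = types.package; };
+config = {
+deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys" (if cfg != [] then ''
+set -e
+ssh root@$1 "mkdir -p /root/keys"
+scp ${concatMapStringsSep " " toString cfg} root@$1:/root/keys
+echo "uploaded keys"
+'' else ''
+echo "no keys to upload"
+'');
+
+};
+
+}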
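Review bot: The generated copy-keys script leaves the uploaded files at scp's default mode (umask-derived, commonly 0644) inside a directory that `mkdir -p` creates as 0755; `/root` itself usually shields them, but nothing here guarantees that, and `$1` is unquoted in both remote commands. Every consumer visible in this commit (the grafana `EnvironmentFile`, the tor key installer) reads these files as root, so they can be locked down at upload time: `ssh root@"$1" "mkdir -p -m 700 /root/keys"`, `scp ${concatMapStringsSep " " toString cfg} root@"$1":/root/keys`, `ssh root@"$1" "chmod 600 /root/keys/*"`. The `toString cfg` interpolation deserves a comment: `toString` on a path does not copy it into the Nix store, which is what keeps the key material out of the world-readable store but also means the script only works from the checkout that holds the keys, e.g. `# toString keeps key paths out of /nix/store; run copy-keys from the deployer checkout`. Both options lack a `description`, and the `keyys` spelling looks deliberate (presumably to avoid colliding with NixOps' `deployment.keys`), which a one-line comment should state.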
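--- a/PATH_NOT_SHOWN_7
+++ b/PATH_NOT_SHOWN_7
@@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }:
+{
+imports =
+[ ../physical/3950x.nix
+../roles/workstation.nix
+];
+
+nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
+
+system.stateVersion = "19.09";
+
+yorick.lumi-vpn = {
+name = "yorick-homepc";
+mtu = 1408;
+};
+
+xdg.autostart.enable = false;
+
+services.znapzend = {
+enable = true;
+pure = true;
+features = {
+zfsGetType = true;
+sendRaw = true;
+};
+zetup = {
+"rpool/home-enc" = {
+plan = "1d=>1h,1m=>1w";
+destinations.frumar = {
+host = "root@192.168.178.37";
+dataset = "frumar-new/backup/blackadder";
+plan = "1w=>1d,1y=>1w,10y=>1m,50y=>1y";
+};
+};
+};
+};
+
+services.udev.extraRules = ''
+SUBSYSTEM=="usb", ATTRS{idVendor}=="20b7", ATTRS{idProduct}=="9db1", MODE="0660", GROUP="dialout", TAG+="uaccess"
+'';
+
+nix.trustedUsers = [ "lars" ];
+users.users.lars = {
+isNormalUser = true;
+openssh.authorizedKeys.keys = [
+"ssh-rsa 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 openpgp:0x60F7D1FD"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvdQ963wjgWyFMp6djRTqVwZr3/PQ/V+Qm5JTcxRTdY lumi@channelwood"
+];
+};
+virtualisation.docker.enable = true;
+}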
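Review bot: `nix.trustedUsers = [ "lars" ]` grants far more than the ability to build: trusted users can import unsigned store paths and override daemon settings, which the Nix manual describes as root-equivalent, so together with the two authorized keys this is effectively a second root login on the workstation. If this account only needs to run builds, `nix.allowedUsers` is enough; if it really needs trust, annotate it: `nix.trustedUsers = [ "lars" ]; # root-equivalent on the nix daemon; keep this list minimal`. The znapzend destination `host = "root@192.168.178.37"` means whatever SSH identity znapzend uses from this machine holds root on the file server; a comment naming that key and the restrictions expected on the receiving side (`restrict`/`command=` in its authorized_keys) would make the trust edge visible. `sendRaw = true` keeps the replicated datasets encrypted at the destination, which is the right call here and worth a one-line comment so nobody "fixes" it.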
@ -0,0 +1,92 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
imports = [
|
||||
../physical/fractal.nix
|
||||
../roles/server.nix
|
||||
../roles/homeserver.nix
|
||||
../services/torrent-wg.nix
|
||||
];
|
||||
|
||||
deployment.keyys = [ ../keys/grafana.env ];
|
||||
|
||||
system.stateVersion = "15.09";
|
||||
networking.hostId = "0702dbe9";
|
||||
|
||||
services.nginx.enable = false;
|
||||
# services.nginx.virtualHosts."${config.networking.hostName}" = {
|
||||
# enableACME = lib.mkForce false;
|
||||
# forceSSL = lib.mkForce false;
|
||||
# default = true;
|
||||
# };
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
services.yorick.torrent-vpn = {
|
||||
enable = true; name = "mullvad-nl4"; namespace = "torrent";
|
||||
};
|
||||
services.plex = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
};
|
||||
services.victoriametrics = {
|
||||
enable = true;
|
||||
retentionPeriod = 12;
|
||||
};
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
extraFlags = [
|
||||
"--web.enable-admin-api"
|
||||
];
|
||||
# victoriametrics
|
||||
remoteWrite = [ { url = "http://127.0.0.1:8428/api/v1/write"; } ];
|
||||
scrapeConfigs = [ {
|
||||
job_name = "smartmeter";
|
||||
# prometheus doesn't support mdns :thinking_face:
|
||||
static_configs = [ { targets = [ "192.168.178.30" ]; } ];
|
||||
scrape_interval = "10s";
|
||||
} {
|
||||
job_name = "node";
|
||||
static_configs = [ { targets = [ "localhost:9100" ]; } ];
|
||||
# } {
|
||||
# job_name = "unifi";
|
||||
# static_configs = [ { targets = [ "localhost:9130" ]; } ];
|
||||
} {
|
||||
job_name = "thermometer";
|
||||
static_configs = [ { targets = [ "192.168.178.21:8000" ]; } ];
|
||||
}];
|
||||
exporters.node.enable = true;
|
||||
# exporters.unifi = {
|
||||
# enable = true;
|
||||
# unifiAddress = "https://woodhouse.home.yori.cc:8443";
|
||||
# unifiInsecure = true;
|
||||
# unifiUsername = "ReadOnlyUser";
|
||||
# unifiPassword = "ReadOnlyPassword";
|
||||
# };
|
||||
};
|
||||
boot.zfs.requestEncryptionCredentials = false;
|
||||
networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 3000 9090 ];
|
||||
networking.firewall.allowedTCPPorts = [ 1883 ];
|
||||
networking.firewall.allowedUDPPorts = [ 1883 ];
|
||||
services.rabbitmq = {
|
||||
enable = true;
|
||||
plugins = [ "rabbitmq_mqtt" "rabbitmq_management" ];
|
||||
};
|
||||
services.grafana = {
|
||||
enable = true;
|
||||
addr = "0.0.0.0";
|
||||
domain = "grafana.yori.cc";
|
||||
rootUrl = "https://grafana.yori.cc/";
|
||||
extraOptions = {
|
||||
AUTH_BASIC_ENABLED = "false";
|
||||
AUTH_DISABLE_LOGIN_FORM = "true";
|
||||
AUTH_GOOGLE_ENABLED = "true";
|
||||
AUTH_GOOGLE_ALLOW_SIGN_UP = "false";
|
||||
};
|
||||
};
|
||||
systemd.services.grafana.serviceConfig.EnvironmentFile = "/root/keys/grafana.env";
|
||||
services.zfs = {
|
||||
trim.enable = false; # no ssd's
|
||||
autoScrub = {
|
||||
enable = true;
|
||||
interval = "*-*-01 02:00:00"; # monthly + 2 hours
|
||||
};
|
||||
};
|
||||
}
|
|
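Review bot: `--web.enable-admin-api` enables Prometheus' unauthenticated admin endpoints (series deletion, TSDB snapshots), and port 9090 is opened on `wg-y`, so every VPN peer — and, through the `prometheus.yori.cc` vhost on pennyworth that proxies `http://10.209.0.3:9090`, anything reaching 10.209.0.1:80 — can delete or snapshot the database. If the flag is needed only occasionally, leave it off by default; otherwise record the exposure next to it: `"--web.enable-admin-api" # unauthenticated; reachable by all wg-y peers`. `networking.firewall.allowedUDPPorts = [ 1883 ]` appears unnecessary because the `rabbitmq_mqtt` listener is TCP, and with 1883 open on every interface it is worth verifying (not visible here) that the MQTT listener rejects anonymous logins, which the plugin permits by default. Grafana's `addr = "0.0.0.0"` is contained only by the firewall opening 3000 on `wg-y`; a comment stating that dependency would stop a later `openFirewall`-style change from exposing a login-form-less instance.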
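--- a/PATH_NOT_SHOWN_9
+++ b/PATH_NOT_SHOWN_9
@@ -0,0 +1,11 @@
+{ config, pkgs, lib, ... }:
+{
+imports =
+[ ../physical/xps9360.nix
+../roles/workstation.nix
+];
+
+system.stateVersion = "17.09";
+
+yorick.lumi-vpn.name = "yorick";
+}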
@ -0,0 +1,84 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
sslforward = proxyPass: {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
inherit proxyPass;
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
vpn = import ../vpn.nix;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
../physical/hetznercloud.nix
|
||||
../roles/server.nix
|
||||
../modules/muflax-blog.nix
|
||||
../services/backup.nix
|
||||
../services/email.nix
|
||||
];
|
||||
|
||||
system.stateVersion = "19.03";
|
||||
|
||||
services.nginx.enable = true;
|
||||
services.yorick = {
|
||||
public = { enable = true; vhost = "pub.yori.cc"; };
|
||||
website = { enable = true; vhost = "yorickvanpelt.nl"; };
|
||||
git = { enable = true; vhost = "git.yori.cc"; };
|
||||
muflax-church = { enable = true; vhost = "muflax.church"; };
|
||||
};
|
||||
|
||||
services.muflax-blog = {
|
||||
enable = true;
|
||||
web-server = {
|
||||
port = 9001;
|
||||
};
|
||||
hidden-service = {
|
||||
hostname = "muflax65ngodyewp.onion";
|
||||
private_key = "/root/keys/http.muflax.key";
|
||||
};
|
||||
};
|
||||
services.nginx.commonHttpConfig = ''
|
||||
access_log off;
|
||||
'';
|
||||
services.nginx.virtualHosts = {
|
||||
"yori.cc" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
globalRedirect = "yorickvanpelt.nl";
|
||||
};
|
||||
"yorickvanpelt.nl".locations."/p1".return = "301 https://git.yori.cc/yorick/meterkast";
|
||||
"grafana.yori.cc" = sslforward "http://${vpn.ips.frumar}:3000";
|
||||
"ubiquiti.yori.cc" = sslforward "https://${vpn.ips.woodhouse}:8443";
|
||||
"prometheus.yori.cc" = {
|
||||
# only over vpn
|
||||
listen = [ { addr = "10.209.0.1"; port = 80; } ];
|
||||
locations."/".proxyPass = "http://10.209.0.3:9090";
|
||||
};
|
||||
"pub.yori.cc".locations."/muflax/".extraConfig = ''
|
||||
rewrite ^/muflax/(.*)$ https://alt.muflax.church/$1 permanent;
|
||||
'';
|
||||
};
|
||||
deployment.keyys = [ <yori-nix/keys/http.muflax.key> ];
|
||||
networking.firewall.allowedUDPPorts = [ 31790 ]; # wg
|
||||
networking.wireguard.interfaces.wg-y.peers =
|
||||
lib.mkForce (lib.mapAttrsToList (machine: publicKey: {
|
||||
inherit publicKey;
|
||||
allowedIPs = [ "${vpn.ips.${machine}}/32" ];
|
||||
}) vpn.keys);
|
||||
services.prometheus.exporters.wireguard = {
|
||||
enable = true;
|
||||
};
|
||||
networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 9586 ];
|
||||
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
|
||||
environment.noXlibs = true;
|
||||
users.users.yorick.packages = with pkgs; [
|
||||
python2 sshfs-fuse weechat ripgrep
|
||||
];
|
||||
|
||||
}
|
|
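Review bot: `services.nginx.commonHttpConfig = "access_log off;"` removes the only request-level record for the public vhosts (`yorickvanpelt.nl`, `git.yori.cc`, `pub.yori.cc`, the ACME endpoints), which is the first thing needed to triage a web incident; keeping access logs with short retention, or a reduced format without client addresses if privacy is the motive, preserves detection, e.g. `access_log /var/log/nginx/access.log; # forensics; rotated by logrotate`. `"ubiquiti.yori.cc"` proxies to `https://…:8443`, and nginx does not verify upstream certificates unless `proxy_ssl_verify on` is configured; over the VPN that is tolerable, but the vhost should carry a comment saying the upstream is self-signed and unverified. `net.ipv4.ip_forward = 1` is host-wide, and as far as I can tell the NixOS firewall installs no FORWARD rules, so any `wg-y` peer can route through this host to any other interface; unless that policy lives elsewhere (not visible), restrict forwarding to `wg-y` via `networking.firewall.extraCommands`. `python2` in the user package set is end-of-life and receives no security fixes.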
@ -0,0 +1,62 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
#secrets = import <secrets>;
|
||||
mkFuseMount = device: opts: {
|
||||
# todo: "ServerAliveCountMax=3" "ServerAliveInterval=30"
|
||||
|
||||
device = "${pkgs.sshfsFuse}/bin/sshfs#${device}";
|
||||
fsType = "fuse";
|
||||
options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user"
|
||||
"defaults" "allow_other" "transform_symlinks" "default_permissions"
|
||||
"uid=1000"
|
||||
"reconnect" "IdentityFile=/root/.ssh/id_sshfs"] ++ opts;
|
||||
};
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
../physical/nuc.nix
|
||||
../roles/graphical.nix
|
||||
#<yori-nix/roles/homeserver.nix>
|
||||
];
|
||||
|
||||
# nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ];
|
||||
# system.stateVersion = "17.09";
|
||||
|
||||
# fuse mounts
|
||||
system.fsPackages = [ pkgs.sshfsFuse ];
|
||||
|
||||
# programs.sway = {
|
||||
# enable = true;
|
||||
# extraSessionCommands = ''
|
||||
# export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])}
|
||||
# '';
|
||||
# };
|
||||
#fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" [];
|
||||
hardware.bluetooth.enable = true;
|
||||
|
||||
# kodi ports
|
||||
networking.firewall.allowedTCPPorts = [7 8080 8443 9090 9777];
|
||||
users.users.tv = {
|
||||
isNormalUser = true;
|
||||
uid = 1043;
|
||||
extraGroups = [ "wheel" ];
|
||||
hashedPassword = "$6$hD4ESAGS8O1d$yctx6spOPZ0nt/6cgYpsWZ86UoXw3ISRpf2gbdhbl8JgDz6Psjx6JCqJ9NsMi5BHnXlgRRK/z2SVrTjHEsqQR.";
|
||||
packages = with pkgs; [ plex-media-player ];
|
||||
};
|
||||
services.xserver.windowManager.i3.enable = true;
|
||||
networking.useNetworkd = true;
|
||||
networking.dhcpcd.enable = false;
|
||||
services.resolved.enable = true;
|
||||
#services.nscd.enable = false;
|
||||
networking.interfaces.eno1.useDHCP = true;
|
||||
networking.useDHCP = false;
|
||||
#services.xserver.enable = lib.mkForce false;
|
||||
# services.unifi = {
|
||||
# enable = true;
|
||||
# unifiPackage = pkgs.unifiStable;
|
||||
# };
|
||||
# todo: debug:
|
||||
services.resolved.extraConfig = "MulticastDNS=true";
|
||||
systemd.network.networks."40-eno1".networkConfig.MulticastDNS="yes";
|
||||
services.fstrim.enable = true;
|
||||
}
|
|
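Review bot: `hashedPassword = "$6$…"` is a SHA-512-crypt hash committed in plain text (this host file matches none of the git-crypt patterns in this commit unless it sits under `keys/`), for a user that is in `wheel`; cracking that hash offline yields sudo on the box. Move it out of the tree with `passwordFile = "/root/keys/tv.passwd";` delivered through `deployment.keyys`, and rotate the password, since the hash is already in history. `networking.firewall.allowedTCPPorts = [7 8080 8443 9090 9777]` opens those ports on every interface; if they are Kodi control ports as the comment says, `networking.firewall.interfaces.eno1.allowedTCPPorts` keeps them off any interface added later (VPN, bluetooth PAN). The commented-out `mkFuseMount` hard-codes `uid=1000` while the only user defined here has `uid = 1043`, worth a `# TODO` before it is revived; `mkFuseMount` is otherwise unused.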
@ -0,0 +1,197 @@
|
|||
# Edit this configuration file to define what should be installed on your system. Help is available in the configuration.nix(5) man page and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
let sources = import ../nix/sources.nix; in
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
../physical/apu2c4.nix
|
||||
#<yori-nix/roles/homeserver.nix>
|
||||
../roles
|
||||
"${sources.nixos-hardware}/pcengines/apu"
|
||||
<nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||
];
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv6.conf.all.forwarding" = true;
|
||||
"net.ipv6.conf.enp1s0.accept_ra" = 2;
|
||||
};
|
||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
# replicates the default behaviour.
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.enp1s0 = {
|
||||
useDHCP = true;
|
||||
tempAddress = "disabled";
|
||||
};
|
||||
#networking.interfaces.enp2s0.useDHCP = false;
|
||||
networking.interfaces.enp3s0.useDHCP = false;
|
||||
networking.interfaces.enp2s0 = {
|
||||
tempAddress = "disabled";
|
||||
ipv4.addresses = [{
|
||||
address = "192.168.178.1";
|
||||
prefixLength = 24;
|
||||
}];
|
||||
useDHCP = true;
|
||||
};
|
||||
# systemd.services.network-link-br0.unitConfig.After = lib.mkForce [ "network-pre.target" "br0-netdev.service" ];
|
||||
# systemd.services.network-link-br0.unitConfig.BindsTo = lib.mkForce [ "br0-netdev.service" ];
|
||||
networking.nat = {
|
||||
enable = true;
|
||||
externalInterface = "dslite1";
|
||||
internalIPs = [ "192.168.178.1/24" ];
|
||||
};
|
||||
networking.defaultGateway = {
|
||||
address = "192.0.0.1";
|
||||
interface = "dslite1";
|
||||
};
|
||||
systemd.services.dslite1-netdev = {
|
||||
wantedBy = [ "network-setup.service" "sys-subsystem-net-devices-dslite1.device" ];
|
||||
bindsTo = [];
|
||||
partOf = [ "network-setup.service" ];
|
||||
after = [ "network-pre.target" "network-addresses-enp1s0.service" "network-link-enp1s0.service" ];
|
||||
before = [ "network-setup.service" ];
|
||||
path = [ pkgs.iproute ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
script = ''
|
||||
ip tunnel add dslite1 mode ip4ip6 local 2a02:a212:2200:4c00:20d:b9ff:fe56:ba04 remote 2001:730:2000:2::31 encaplimit none
|
||||
ip link set dslite1 up
|
||||
'';
|
||||
postStop = ''
|
||||
ip link del dslite1 || true
|
||||
'';
|
||||
};
|
||||
networking.interfaces.dslite1 = {
|
||||
mtu = 1452; # todo: ipv6 fragmenting?
|
||||
ipv4.addresses = [{
|
||||
address = "192.0.0.2";
|
||||
prefixLength = 24;
|
||||
}];
|
||||
};
|
||||
# networking.bridges = {
|
||||
# br0.interfaces = [ "enp2s0" "enp3s0" ];
|
||||
# };
|
||||
networking.dhcpcd.persistent = true;
|
||||
# request prefix delegation
|
||||
networking.dhcpcd.extraConfig = ''
|
||||
noipv6rs
|
||||
ipv6only
|
||||
interface enp1s0
|
||||
ipv6rs
|
||||
iaid 1
|
||||
ia_pd 1/::/60 enp2s0/0/64
|
||||
'';
|
||||
services.dnsmasq = {
|
||||
enable = true;
|
||||
servers = [ "8.8.8.8" "1.1.1.1" ];
|
||||
};
|
||||
services.dhcpd4 = {
|
||||
interfaces = [ "enp2s0" ];
|
||||
enable = true;
|
||||
machines = [
|
||||
{ hostName = "amateria"; ethernetAddress = "a8:a1:59:15:8b:63"; ipAddress = "192.168.178.42"; }
|
||||
{ hostName = "blackadder"; ethernetAddress = "a8:a1:59:03:8a:75"; ipAddress = "192.168.178.33"; }
|
||||
{ hostName = "frumar"; ethernetAddress = "bc:5f:f4:e8:42:9f"; ipAddress = "192.168.178.37"; }
|
||||
{ hostName = "jarvis"; ethernetAddress = "18:1d:ea:35:13:58"; ipAddress = "192.168.178.34"; }
|
||||
{ hostName = "jarvis-dock"; ethernetAddress = "64:4b:f0:10:05:f2"; ipAddress = "192.168.178.13"; }
|
||||
{ hostName = "printer"; ethernetAddress = "30:05:5c:44:20:a7"; ipAddress = "192.168.178.26"; }
|
||||
{ hostName = "raspberrypi"; ethernetAddress = "b8:27:eb:b9:ec:3a"; ipAddress = "192.168.178.21"; }
|
||||
{ hostName = "smartMeter"; ethernetAddress = "5c:cf:7f:26:ca:91"; ipAddress = "192.168.178.30"; }
|
||||
{ hostName = "gang-ap"; ethernetAddress = "b4:fb:e4:2d:fc:f3"; ipAddress = "192.168.178.32"; }
|
||||
{ hostName = "woodhouse"; ethernetAddress = "94:c6:91:15:1f:c5"; ipAddress = "192.168.178.39"; }
|
||||
];
|
||||
extraConfig = ''
|
||||
subnet 192.168.178.0 netmask 255.255.255.0 {
|
||||
option subnet-mask 255.255.255.0;
|
||||
option broadcast-address 192.168.178.255;
|
||||
option routers 192.168.178.1;
|
||||
option domain-name-servers 192.168.178.1;
|
||||
range 192.168.178.3 192.168.178.200;
|
||||
}
|
||||
'';
|
||||
};
|
||||
services.radvd = {
|
||||
enable = true;
|
||||
config = ''
|
||||
interface enp2s0 {
|
||||
AdvSendAdvert on;
|
||||
prefix 2a02:a212:2200:4c70::/64 {
|
||||
AdvOnLink on;
|
||||
AdvAutonomous on;
|
||||
};
|
||||
};
|
||||
'';
|
||||
};
|
||||
networking.firewall.allowedUDPPorts = [ 53 ];
|
||||
networking.firewall.allowedTCPPorts = [ 53 ];
|
||||
|
||||
services.fstrim.enable = true;
|
||||
|
||||
# Select internationalisation properties.
|
||||
# i18n = {
|
||||
# consoleFont = "Lat2-Terminus16";
|
||||
# consoleKeyMap = "us";
|
||||
# defaultLocale = "en_US.UTF-8";
|
||||
# };
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Amsterdam";
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
# environment.systemPackages = with pkgs; [
|
||||
# wget vim
|
||||
# ];
|
||||
|
||||
# Some programs need SUID wrappers, can be configured further or are
|
||||
# started in user sessions.
|
||||
# programs.mtr.enable = true;
|
||||
# programs.gnupg.agent = {
|
||||
# enable = true;
|
||||
# enableSSHSupport = true;
|
||||
# pinentryFlavor = "gnome3";
|
||||
# };
|
||||
|
||||
# List services that you want to enable:
|
||||
|
||||
# Enable the OpenSSH daemon.
|
||||
services.openssh.enable = true;
|
||||
|
||||
# Open ports in the firewall.
|
||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
# networking.firewall.enable = false;
|
||||
|
||||
# Enable CUPS to print documents.
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "20.09"; # Did you read the comment?
|
||||
services.udisks2.enable = false;
|
||||
boot.supportedFilesystems = lib.mkForce [ "ext4" ];
|
||||
boot.initrd.supportedFilesystems = lib.mkForce [ "ext4" ];
|
||||
security.polkit.enable = false;
|
||||
nixpkgs.overlays = [ (self: super: {
|
||||
dhcpcd = super.dhcpcd.overrideAttrs (o: rec {
|
||||
pname = "dhcpcd";
|
||||
version = "8.1.9";
|
||||
src = self.fetchurl {
|
||||
url = "mirror://roy/${pname}/${pname}-${version}.tar.xz";
|
||||
sha256 = "1kzv61bgrd0zwiy6r218zkccx36j9p5mz1gxqvbhg05xn9g50alf";
|
||||
};
|
||||
patches = [];
|
||||
});
|
||||
}) ];
|
||||
}
|
|
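Review bot: With `net.ipv6.conf.all.forwarding = true` and radvd advertising the global `2a02:a212:2200:4c70::/64` on enp2s0, every LAN host becomes directly reachable from the internet unless the IPv6 FORWARD chain is filtered, and nothing in this file (nor, as far as I can tell, the default NixOS firewall) does that; add stateful `ip6tables` FORWARD rules via `networking.firewall.extraCommands` that accept only flows originating on enp2s0 or already established, or document where that policy lives. Port 53 is opened on all interfaces (`allowedUDPPorts`/`allowedTCPPorts = [ 53 ]`) while dnsmasq is not told which interface to serve, which makes the router an open resolver on enp1s0/dslite1; scope it with `networking.firewall.interfaces.enp2s0.allowedUDPPorts = [ 53 ];` and `services.dnsmasq.extraConfig = "interface=enp2s0\nbind-interfaces";`. The dhcpcd overlay pins 8.1.9 and sets `patches = []`, which discards whatever fixes nixpkgs applies to dhcpcd and freezes a privileged network daemon at one release; record the reason inline, e.g. `# pinned to 8.1.9 because <reason>; revisit on nixpkgs bump`.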
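--- a/PATH_NOT_SHOWN_13
+++ b/PATH_NOT_SHOWN_13
@@ -0,0 +1,42 @@
+{ config, lib, ... }:
+let
+cfg = config.yorick.lumi-vpn;
+addresses = import "${builtins.getEnv "HOME"}/engineering/lumi/os/gateway/addresses.nix"
+{ lib.ip4.ip = a: b: c: d: x: lib.concatStringsSep "." (map toString [ a b c d ]); };
+in
+{
+options.yorick.lumi-vpn = with lib; {
+enable = mkEnableOption "lumi vpn";
+name = mkOption {
+type = types.str;
+example = "yorick-homepc";
+};
+user = mkOption {
+type = types.str;
+default = "yorick";
+};
+mtu = mkOption {
+type = types.int;
+default = 1371; # 1408 at home
+};
+ip = mkOption {
+type = types.str;
+example = "10.109.0.1";
+default = addresses.workstations."${cfg.name}";
+};
+};
+config = lib.mkIf cfg.enable {
+networking.wireguard.interfaces = {
+wg-lumi = {
+privateKeyFile = "/home/${cfg.user}/engineering/lumi/secrets/devel/vpn/wg/workstations.${cfg.name}.key";
+ips = [ cfg.ip ];
+peers = [ {
+publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI=";
+endpoint = "wg.lumi.guide:31727";
+allowedIPs = [ "10.96.0.0/12" "10.0.0.0/17" ];
+}];
+postSetup = "ip link set dev wg-lumi mtu ${toString cfg.mtu}";
+};
+};
+};
+}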
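Review bot: `addresses = import "${builtins.getEnv "HOME"}/engineering/…"` makes evaluation depend on who runs it: under `sudo`, under pure/restricted evaluation, or for any account without that checkout, `HOME` is different or empty, the import fails with a path error, and the `ip` default then breaks every host that enables `yorick.lumi-vpn`. At minimum document the expectation and fail with a readable message, e.g. `default = addresses.workstations.${cfg.name} or (throw "lumi-vpn: no address for ${cfg.name}");` preceded by `# impure: reads $HOME at eval time; evaluate from the owning account`. `privateKeyFile` points into `/home/${cfg.user}/…`, a location that user can rewrite, so the VPN identity is only as trustworthy as that account; a comment stating that this module is intended for single-user workstations would make the assumption explicit. The `lib.ip4.ip` shim handed to the import ignores its `x` argument, which is fine but deserves a word on why the upstream signature has it.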
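--- a/PATH_NOT_SHOWN_14
+++ b/PATH_NOT_SHOWN_14
@@ -0,0 +1,57 @@
+{ cur_pkgs, config, lib, ... }:
+
+
+let
+cfg = config.services.muflax-blog;
+muflax-source = builtins.fetchGit {
+rev = "e5ce7ae4296c6605a7e886c153d569fc38318096";
+ref = "HEAD";
+url = "https://github.com/fmap/muflax65ngodyewp.onion.git";
+};
+nixpkgs = import (builtins.fetchTarball {
+url = "https://github.com/NixOS/nixpkgs-channels/archive/78e9665b48ff45d3e29f45b3ebeb6fc6c6e19922.tar.gz";
+sha256 = "09f50jaijvry9lrnx891qmcf92yb8qs64n1cvy0db2yjrmxsxyw8";
+}) { system = builtins.currentSystem; };
+blog = lib.overrideDerivation (nixpkgs.callPackage "${muflax-source}/maintenance" {}) (default: {
+buildPhase = default.buildPhase + "\n" + ''
+grep -lr '[^@]muflax.com' out | xargs -r sed -i 's/\([^@]\)muflax.com/\1${cfg.hidden-service.hostname}/g'
+'';
+});
+in with lib; {
+options.services.muflax-blog = {
+enable = mkOption { type = types.bool; default = false; };
+web-server = {
+port = mkOption { type = types.int; };
+};
+hidden-service = {
+hostname = mkOption { type = types.str; };
+private_key = mkOption { type = types.str; };
+};
+};
+config = mkIf cfg.enable {
+services.nginx = {
+enable = true;
+appendHttpConfig = ''
+server {
+index index.html;
+port_in_redirect off;
+listen 127.0.0.1:${toString cfg.web-server.port};
+server_name ${cfg.hidden-service.hostname};
+root ${blog}/muflax;
+}
+'' + concatStringsSep "\n" (map (site: ''
+server {
+index index.html;
+port_in_redirect off;
+listen 127.0.0.1:${toString cfg.web-server.port};
+server_name ${site}.${cfg.hidden-service.hostname};
+root ${blog}/${site};
+}
+'') ["daily" "gospel" "blog"]);
+};
+services.tor.enable = true;
+services.tor.hiddenServices.muflax-blog.map = [{
+port = 80; toPort = cfg.web-server.port; }];
+services.tor.service-keys.muflax-blog = cfg.hidden-service.private_key;
+};
+}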
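Review bot: The build-time nixpkgs is fetched from `github.com/NixOS/nixpkgs-channels`, a repository that has been archived (read-only) for years; the sha256 pins integrity, not availability, so the URL should point at the same commit on `NixOS/nixpkgs` (same rev, same hash) with a comment explaining that this pin is deliberately separate from the system nixpkgs. The module's first positional argument `cur_pkgs` is used nowhere in the file, and unless `_module.args.cur_pkgs` is set elsewhere (not visible) the module system will refuse to call the function for lack of it, `...` notwithstanding; drop it or explain it. None of the `web-server`/`hidden-service` options has a `description`, and the fact that `private_key` is `types.str` rather than `types.path` is what keeps the key out of the Nix store, which should be stated: `private_key = mkOption { type = types.str; description = "Absolute path on the target host; a string on purpose so it is never copied into /nix/store"; };`. The nginx servers listen on `127.0.0.1` only, which correctly limits them to the tor hidden service; a one-line comment there would protect that property.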
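--- a/PATH_NOT_SHOWN_15
+++ b/PATH_NOT_SHOWN_15
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+let
+sslcfg = dir: ''
+ssl on;
+ssl_certificate_key ${dir}/key.pem;
+ssl_certificate ${dir}/fullchain.pem;
+ssl_trusted_certificate ${dir}/fullchain.pem;
+add_header Strict-Transport-Security max-age=15768000;
+'';
+
+in
+{
+config = lib.mkIf config.services.nginx.enable {
+services.nginx = {
+recommendedTlsSettings = true;
+recommendedGzipSettings = true;
+recommendedProxySettings = true;
+recommendedOptimisation = true;
+serverTokens = false;
+sslDhparam = "/etc/nginx/dhparam.pem";
+virtualHosts."${config.networking.hostName}.yori.cc" = {
+enableACME = true;
+forceSSL = true;
+default = true;
+};
+};
+networking.firewall.allowedTCPPorts = [80 443];
+system.activationScripts.nginxdhparams = ''
+if ! [[ -e /etc/nginx/dhparam.pem ]]; then
+mkdir -p /etc/nginx/
+${pkgs.openssl}/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048
+fi
+'';
+};
+
+}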
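Review bot: `sslcfg` is defined but never used, so the `Strict-Transport-Security` header it carries is not emitted by any vhost, and the `ssl on;` directive inside it is deprecated in current nginx; either delete the helper or move the header where it takes effect, e.g. `services.nginx.commonHttpConfig = "add_header Strict-Transport-Security max-age=15768000;";` (keeping in mind that a location with its own `add_header` will not inherit it). The activation script generates a 2048-bit DH group on the first switch, which can stall activation for minutes on a small VPS and runs before any service ordering; a systemd oneshot ordered `before = [ "nginx.service" ]` would keep activation fast, and if the cipher list installed by `recommendedTlsSettings` for this NixOS release contains no DHE suites (verify against the nginx module) `sslDhparam` can be dropped altogether. `serverTokens = false` and the ACME default vhost are fine; a comment noting that the `default = true` vhost is what answers unknown `Host` headers would help the next reader.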
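--- a/PATH_NOT_SHOWN_16
+++ b/PATH_NOT_SHOWN_16
@@ -0,0 +1,32 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+service-keys = config.services.tor.service-keys;
+torDir = "/var/lib/tor";
+in {
+options.services.tor.service-keys = mkOption {
+default = {};
+type = with types; attrsOf str;
+};
+
+config = mkIf (service-keys != {}) {
+systemd.services."install-tor-hidden-service-keys" = {
+wantedBy = ["tor.service"];
+serviceConfig.Type = "oneshot";
+serviceConfig.User = "root";
+serviceConfig.Group = "keys";
+# TODO: update on change?
+# TODO: better ways to get the keys on the server
+script = concatStringsSep "\n" (mapAttrsToList (name: keypath: ''
+if ! [[ -e ${torDir}/onion/${name}/private_key ]]; then
+mkdir -p ${torDir}/onion/${name}/
+cp ${keypath} ${torDir}/onion/${name}/private_key
+chmod -R 700 ${torDir}/onion/${name}
+chown -R tor ${torDir}/onion/${name}
+fi
+'') service-keys);
+};
+};
+}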
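Review bot: `wantedBy = ["tor.service"]` only makes tor pull this unit in; without `before = [ "tor.service" ];` the two start concurrently, so tor can come up before the key is installed and generate its own, which is the classic symptom of a hidden service changing address after a redeploy. The script also creates the directory with default mode, copies the key, and only then tightens permissions, leaving the private key readable at umask-derived mode under a 0755 directory for a short window; `install` closes it: `mkdir -p -m 700 ${torDir}/onion/${name}`, `install -m 600 -o tor ${keypath} ${torDir}/onion/${name}/private_key`, `chown tor ${torDir}/onion/${name}`. The `if ! [[ -e … ]]` guard means a rotated key in `service-keys` is never applied, as the `# TODO: update on change?` hints; comparing with `cmp -s` before copying would fix it. The option should document that `attrsOf str` is deliberate, since a path-typed value would be copied into the world-readable Nix store, e.g. `description = "Paths on the target host to onion private keys; strings so they are never imported into /nix/store";`. `serviceConfig.Group = "keys"` assumes a `keys` group exists, which nothing in this commit creates, so on a plain NixOS host the unit would fail to start for lack of group credentials.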
@ -0,0 +1,81 @@
|
|||
{
|
||||
"emacs-overlay": {
|
||||
"branch": "master",
|
||||
"description": "Bleeding edge emacs overlay [maintainer=@adisbladis] ",
|
||||
"homepage": "",
|
||||
"owner": "nix-community",
|
||||
"repo": "emacs-overlay",
|
||||
"rev": "dfed6847f127bd3c2c0cdd71b28d4e63e0ec0e91",
|
||||
"sha256": "1b0871cr491cf1a4clhv2kwg492gp25gl45w72bmkyjbb6n22c7f",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/nix-community/emacs-overlay/archive/dfed6847f127bd3c2c0cdd71b28d4e63e0ec0e91.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"niv": {
|
||||
"branch": "master",
|
||||
"description": "Easy dependency management for Nix projects",
|
||||
"homepage": "https://github.com/nmattia/niv",
|
||||
"owner": "nmattia",
|
||||
"repo": "niv",
|
||||
"rev": "c8f74f44b5f5df2c8f20a1834460d012e74d78f9",
|
||||
"sha256": "0zmhxgl37f1p2aiqjmiccflpgga6phj6vmqs3jd33z0frj6hsy5c",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/nmattia/niv/archive/c8f74f44b5f5df2c8f20a1834460d012e74d78f9.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixos-hardware": {
|
||||
"branch": "master",
|
||||
"description": "A collection of NixOS modules covering hardware quirks.",
|
||||
"homepage": "",
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "c242378e63b0ec334e964ac0c0fbbdd2b3e89ebf",
|
||||
"sha256": "1z4cr5gsyfdpcy31vqg4ikalbxmnnac6jjk1nl8mxj0h0ix7pp36",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/nixos/nixos-hardware/archive/c242378e63b0ec334e964ac0c0fbbdd2b3e89ebf.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixos-mailserver": {
|
||||
"sha256": "1m8ylrxlkn8nrpsvnivg32ncba9jkfal8a9sjy840hpl1jlm5lc4",
|
||||
"type": "tarball",
|
||||
"url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864/nixos-mailserver-ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864.tar.gz",
|
||||
"url_template": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/<version>/nixos-mailserver-<version>.tar.gz",
|
||||
"version": "ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864"
|
||||
},
|
||||
"nixpkgs": {
|
||||
"branch": "master",
|
||||
"description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
|
||||
"homepage": "https://github.com/NixOS/nixpkgs",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2",
|
||||
"sha256": "1r3ll77hyqn28d9i4cf3vqd9v48fmaa1j8ps8c4fm4f8gqf4kpl1",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/nixos/nixpkgs/archive/9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixpkgs-mozilla": {
|
||||
"branch": "master",
|
||||
"description": "mozilla related nixpkgs (extends nixos/nixpkgs repo)",
|
||||
"homepage": "",
|
||||
"owner": "mozilla",
|
||||
"repo": "nixpkgs-mozilla",
|
||||
"rev": "8c007b60731c07dd7a052cce508de3bb1ae849b4",
|
||||
"sha256": "1zybp62zz0h077zm2zmqs2wcg3whg6jqaah9hcl1gv4x8af4zhs6",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/mozilla/nixpkgs-mozilla/archive/8c007b60731c07dd7a052cce508de3bb1ae849b4.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixpkgs-wayland": {
|
||||
"branch": "master",
|
||||
"description": "Automated, pre-built packages for Wayland (sway/wlroots) tools for NixOS.",
|
||||
"homepage": "",
|
||||
"owner": "colemickens",
|
||||
"repo": "nixpkgs-wayland",
|
||||
"rev": "80a15b9aaf56cc559cf0028763776cadad36ece2",
|
||||
"sha256": "02s1k36iypsa7y1brwarz5y74dcrnn5qqplih3jq4dh0baqliiz0",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/colemickens/nixpkgs-wayland/archive/80a15b9aaf56cc559cf0028763776cadad36ece2.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,174 @@
|
|||
# This file has been generated by Niv.
|
||||
|
||||
let
|
||||
|
||||
#
|
||||
# The fetchers. fetch_<type> fetches specs of type <type>.
|
||||
#
|
||||
|
||||
fetch_file = pkgs: name: spec:
|
||||
let
|
||||
name' = sanitizeName name + "-src";
|
||||
in
|
||||
if spec.builtin or true then
|
||||
builtins_fetchurl { inherit (spec) url sha256; name = name'; }
|
||||
else
|
||||
pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
|
||||
|
||||
fetch_tarball = pkgs: name: spec:
|
||||
let
|
||||
name' = sanitizeName name + "-src";
|
||||
in
|
||||
if spec.builtin or true then
|
||||
builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
|
||||
else
|
||||
pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
|
||||
|
||||
fetch_git = name: spec:
|
||||
let
|
||||
ref =
|
||||
if spec ? ref then spec.ref else
|
||||
if spec ? branch then "refs/heads/${spec.branch}" else
|
||||
if spec ? tag then "refs/tags/${spec.tag}" else
|
||||
abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
|
||||
in
|
||||
builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
|
||||
|
||||
fetch_local = spec: spec.path;
|
||||
|
||||
fetch_builtin-tarball = name: throw
|
||||
''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
|
||||
$ niv modify ${name} -a type=tarball -a builtin=true'';
|
||||
|
||||
fetch_builtin-url = name: throw
|
||||
''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
|
||||
$ niv modify ${name} -a type=file -a builtin=true'';
|
||||
|
||||
#
|
||||
# Various helpers
|
||||
#
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
|
||||
sanitizeName = name:
|
||||
(
|
||||
concatMapStrings (s: if builtins.isList s then "-" else s)
|
||||
(
|
||||
builtins.split "[^[:alnum:]+._?=-]+"
|
||||
((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
|
||||
)
|
||||
);
|
||||
|
||||
# The set of packages used when specs are fetched using non-builtins.
|
||||
mkPkgs = sources: system:
|
||||
let
|
||||
sourcesNixpkgs =
|
||||
import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
|
||||
hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
|
||||
hasThisAsNixpkgsPath = <nixpkgs> == ./.;
|
||||
in
|
||||
if builtins.hasAttr "nixpkgs" sources
|
||||
then sourcesNixpkgs
|
||||
else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
|
||||
import <nixpkgs> {}
|
||||
else
|
||||
abort
|
||||
''
|
||||
Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
|
||||
add a package called "nixpkgs" to your sources.json.
|
||||
'';
|
||||
|
||||
# The actual fetching function.
|
||||
fetch = pkgs: name: spec:
|
||||
|
||||
if ! builtins.hasAttr "type" spec then
|
||||
abort "ERROR: niv spec ${name} does not have a 'type' attribute"
|
||||
else if spec.type == "file" then fetch_file pkgs name spec
|
||||
else if spec.type == "tarball" then fetch_tarball pkgs name spec
|
||||
else if spec.type == "git" then fetch_git name spec
|
||||
else if spec.type == "local" then fetch_local spec
|
||||
else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
|
||||
else if spec.type == "builtin-url" then fetch_builtin-url name
|
||||
else
|
||||
abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
|
||||
|
||||
# If the environment variable NIV_OVERRIDE_${name} is set, then use
|
||||
# the path directly as opposed to the fetched source.
|
||||
replace = name: drv:
|
||||
let
|
||||
saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
|
||||
ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
|
||||
in
|
||||
if ersatz == "" then drv else
|
||||
# this turns the string into an actual Nix path (for both absolute and
|
||||
# relative paths)
|
||||
if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
|
||||
|
||||
# Ports of functions for older nix versions
|
||||
|
||||
# a Nix version of mapAttrs if the built-in doesn't exist
|
||||
mapAttrs = builtins.mapAttrs or (
|
||||
f: set: with builtins;
|
||||
listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
|
||||
);
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
|
||||
range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1);
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
|
||||
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
|
||||
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
|
||||
concatMapStrings = f: list: concatStrings (map f list);
|
||||
concatStrings = builtins.concatStringsSep "";
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
|
||||
optionalAttrs = cond: as: if cond then as else {};
|
||||
|
||||
# fetchTarball version that is compatible between all the versions of Nix
|
||||
builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
|
||||
let
|
||||
inherit (builtins) lessThan nixVersion fetchTarball;
|
||||
in
|
||||
if lessThan nixVersion "1.12" then
|
||||
fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
|
||||
else
|
||||
fetchTarball attrs;
|
||||
|
||||
# fetchurl version that is compatible between all the versions of Nix
|
||||
builtins_fetchurl = { url, name ? null, sha256 }@attrs:
|
||||
let
|
||||
inherit (builtins) lessThan nixVersion fetchurl;
|
||||
in
|
||||
if lessThan nixVersion "1.12" then
|
||||
fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
|
||||
else
|
||||
fetchurl attrs;
|
||||
|
||||
# Create the final "sources" from the config
|
||||
mkSources = config:
|
||||
mapAttrs (
|
||||
name: spec:
|
||||
if builtins.hasAttr "outPath" spec
|
||||
then abort
|
||||
"The values in sources.json should not have an 'outPath' attribute"
|
||||
else
|
||||
spec // { outPath = replace name (fetch config.pkgs name spec); }
|
||||
) config.sources;
|
||||
|
||||
# The "config" used by the fetchers
|
||||
mkConfig =
|
||||
{ sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
|
||||
, sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
|
||||
, system ? builtins.currentSystem
|
||||
, pkgs ? mkPkgs sources system
|
||||
}: rec {
|
||||
# The sources, i.e. the attribute set of spec name to spec
|
||||
inherit sources;
|
||||
|
||||
# The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
|
||||
inherit pkgs;
|
||||
};
|
||||
|
||||
in
|
||||
mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }
|
|
@ -0,0 +1,3 @@
|
|||
[ (self: super: {
|
||||
yori-cc = super.callPackage ./yori-cc.nix {};
|
||||
})]
|
|
@ -0,0 +1,23 @@
|
|||
{ stdenv, callPackage }:
|
||||
|
||||
stdenv.mkDerivation {
|
||||
name = "yori-cc-1.5";
|
||||
|
||||
src = builtins.fetchGit {
|
||||
url = "git@git.yori.cc:yorick/yori-cc.git";
|
||||
rev = "68c75ab84cceaf98dd8fd0646b97d73f966b8962";
|
||||
};
|
||||
|
||||
buildInputs = [ ];
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p "$out/web"
|
||||
cp -ra * "$out/web"
|
||||
'';
|
||||
|
||||
meta = {
|
||||
description = "Yori-cc website";
|
||||
homepage = https://yorickvanpelt.nl;
|
||||
maintainers = [ "Yorick" ];
|
||||
};
|
||||
}
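Review bot: `homepage = https://yorickvanpelt.nl;` on the meta block uses the bare URL literal that Nix deprecates; quote it, `homepage = "https://yorickvanpelt.nl";`. The `builtins.fetchGit` call pins a `rev` but no `ref`, and older Nix only finds the commit if it is reachable from the remote's default branch, so add `ref = "<branch placeholder>";` to make the pin robust; the `git@git.yori.cc:` URL also means whichever machine evaluates the config needs an SSH key for that host at evaluation time, which is worth a comment. The `callPackage` argument in the function header is unused and can be dropped.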
|
|
@ -0,0 +1,38 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "rpool/root/nixos";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/home" =
|
||||
{ device = "rpool/home-enc";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/5D0A-7902";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[ { device = "/dev/disk/by-uuid/61a23e27-2cd4-4456-bcde-aec68be04239"; }
|
||||
];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 32;
|
||||
# High-DPI console
|
||||
#i18n.consoleFont = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
|
||||
}
|
|
@ -0,0 +1,34 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let sources = import ../nix/sources.nix;
|
||||
in
|
||||
{
|
||||
imports =
|
||||
[ ./.
|
||||
./3950x-hardware-config.nix
|
||||
"${sources.nixos-hardware}/common/cpu/amd"
|
||||
];
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
boot.kernelModules = [ "nct6775" ];
|
||||
boot.kernelPackages = pkgs.linuxPackages_5_10;
|
||||
networking.hostId = "c7736638";
|
||||
services.zfs.autoScrub.enable = true;
|
||||
services.zfs.trim.enable = true;
|
||||
hardware.bluetooth.enable = true;
|
||||
|
||||
networking.useDHCP = false;
|
||||
networking.usePredictableInterfaceNames = false;
|
||||
networking.bridges.br0.interfaces = [ "eth0" ];
|
||||
networking.interfaces.br0.useDHCP = true;
|
||||
# systemd.network.links."98-namepolicy" = {
|
||||
# matchConfig.OriginalName = "*";
|
||||
# linkConfig.NamePolicy = "mac kernel database onboard slot path";
|
||||
# };
|
||||
boot.kernelParams = [
|
||||
"amdgpu.ppfeaturemask=0xffffffff" "amdgpu.noretry=0" "amdgpu.lockup_timeout=1000" "amdgpu.gpu_recovery=1" "amdgpu.audio=0"
|
||||
# thunderbolt
|
||||
"pcie_ports=native" "pci=assign-busses,hpbussize=0x33,realloc"
|
||||
];
|
||||
}
|
|
@ -0,0 +1,22 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/1396f814-6cc2-4988-992a-3558fa1ac5a2";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[ { device = "/dev/disk/by-uuid/5f8f358d-f63c-48ad-a322-d1aeb403e4ff"; }
|
||||
];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 4;
|
||||
}
|
|
@ -0,0 +1,3 @@
|
|||
{
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
}
|
|
@ -0,0 +1,42 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let sources = import ../nix/sources.nix;
|
||||
in
|
||||
{
|
||||
imports =
|
||||
[ ./.
|
||||
"${sources.nixos-hardware}/common/cpu/intel"
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
|
||||
|
||||
# Use the GRUB 2 boot loader.
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
version = 2;
|
||||
# Define on which hard drive you want to install Grub.
|
||||
device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S21PNXAG441016B";
|
||||
};
|
||||
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/ba95c638-f243-48ee-ae81-0c70884e7e74";
|
||||
fsType = "ext4";
|
||||
options = ["defaults" "relatime" "discard"];
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[ { device = "/dev/disk/by-label/nixos-swap"; }
|
||||
];
|
||||
fileSystems."/data" =
|
||||
{ device = "frumar-new";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/data/plexmedia" =
|
||||
{ device = "frumar-new/plexmedia";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
nix.maxJobs = 4;
|
||||
services.avahi.interfaces = [ "enp2s0" ];
|
||||
}
|
|
@ -0,0 +1,38 @@
|
|||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
let
|
||||
ipconf = (import ../secrets.nix).ipconf.${config.networking.hostName};
|
||||
in
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
version = 2;
|
||||
device = "/dev/sda";
|
||||
};
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/sda1";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 1;
|
||||
#services.nscd.enable = false;
|
||||
networking.dhcpcd.enable = false;
|
||||
systemd.network.enable = true;
|
||||
systemd.network.networks."40-hetzner" = {
|
||||
DHCP = "ipv4";
|
||||
address = [ ipconf.mainIPv6 ];
|
||||
gateway = [ "fe80::1" ];
|
||||
matchConfig.Name = "ens3";
|
||||
};
|
||||
services.fstrim.enable = true;
|
||||
}
|
|
@ -0,0 +1,41 @@
|
|||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
let sources = import ../nix/sources.nix;
|
||||
in
|
||||
{
|
||||
|
||||
imports =
|
||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||
./.
|
||||
"${sources.nixos-hardware}/common/cpu/intel"
|
||||
];
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/3e148654-0ed8-4354-8159-e3499c6fa299";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/439E-26EA";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 4;
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
|
||||
nixpkgs.config.packageOverrides = pkgs: {
|
||||
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
|
||||
};
|
||||
hardware.opengl.extraPackages = with pkgs; [
|
||||
intel-media-driver # only available starting nixos-19.03 or the current nixos-unstable
|
||||
];
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "rtsx_pci_sdmmc" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/a751e4ea-f1aa-48e1-9cbe-423878e29b62";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
boot.initrd.luks.devices."nix-crypt".device = "/dev/disk/by-uuid/320ef81d-283f-4916-ac26-ecfb0f31e549";
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/0E07-7805";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[ { device = "/dev/disk/by-uuid/198ddaba-a849-41de-993d-862c2d37937a"; }
|
||||
];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 4;
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
# high-resolution display
|
||||
hardware.video.hidpi.enable = lib.mkDefault true;
|
||||
}
|
|
@ -0,0 +1,47 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let sources = import ../nix/sources.nix;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
"${sources.nixos-hardware}/dell/xps/13-9360"
|
||||
./xps9360-hardware-config.nix
|
||||
];
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
boot.kernelModules = [ "i8k" ];
|
||||
boot.extraModprobeConfig = ''
|
||||
options i8k ignore_dmi=1
|
||||
'';
|
||||
fileSystems."/".options = ["defaults" "relatime" "discard"];
|
||||
|
||||
boot.initrd.luks.devices."nix-crypt".allowDiscards = true;
|
||||
|
||||
services.undervolt = rec {
|
||||
enable = true;
|
||||
coreOffset = -50;
|
||||
gpuOffset = -50;
|
||||
uncoreOffset = -50;
|
||||
analogioOffset = -50;
|
||||
};
|
||||
services.tlp.settings = {
|
||||
"CPU_SCALING_GOVERNOR_ON_AC" = "performance";
|
||||
"CPU_SCALING_GOVERNOR_ON_BAT" = "powersave";
|
||||
};
|
||||
services.logind.lidSwitch = "ignore";
|
||||
|
||||
services.xserver.libinput.enable = true;
|
||||
|
||||
networking.wireless = {
|
||||
enable = false;
|
||||
iwd.enable = true;
|
||||
};
|
||||
hardware.bluetooth.enable = true;
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
|
||||
services.udev.packages = [ pkgs.crda ];
|
||||
hardware.firmware = [ pkgs.wireless-regdb ];
|
||||
# gotta go faster
|
||||
networking.dhcpcd.extraConfig = ''
|
||||
noarp
|
||||
'';
|
||||
}
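Review bot: `boot.initrd.luks.devices."nix-crypt".allowDiscards = true` passes TRIM through the LUKS layer, so someone with the raw disk can see which blocks are unused and infer filesystem layout and usage; it is a common trade-off but should be recorded next to the option, e.g. `# TRIM through LUKS reveals block-usage pattern on the disk; accepted for SSD wear`. `services.logind.lidSwitch = "ignore"` means closing the lid of this encrypted laptop neither suspends nor locks it, so confirm the screen locker covers that path. The `rec` on `services.undervolt = rec {` references nothing inside the set and can be removed.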
|
|
@ -0,0 +1,122 @@
|
|||
let secrets = import ../secrets.nix;
|
||||
in
|
||||
{ config, pkgs, lib, name, ...}:
|
||||
let
|
||||
machine = name;
|
||||
vpn = import ../vpn.nix;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
../modules/tor-hidden-service.nix
|
||||
../modules/nginx.nix
|
||||
../modules/lumi-vpn.nix
|
||||
../deploy/keys.nix
|
||||
../services
|
||||
];
|
||||
networking.domain = "yori.cc";
|
||||
networking.hostName = machine;
|
||||
time.timeZone = "Europe/Amsterdam";
|
||||
users.mutableUsers = false;
|
||||
users.users.root = {
|
||||
openssh.authorizedKeys.keys = config.users.users.yorick.openssh.authorizedKeys.keys;
|
||||
# root password is useful from console, ssh has password logins disabled
|
||||
hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
|
||||
|
||||
};
|
||||
services.timesyncd.enable = true;
|
||||
users.users.yorick = {
|
||||
isNormalUser = true;
|
||||
uid = 1000;
|
||||
extraGroups = ["wheel"];
|
||||
group = "users";
|
||||
openssh.authorizedKeys.keys = with (import ../sshkeys.nix); yorick;
|
||||
hashedPassword = secrets.yorick_hashedPassword;
|
||||
};
|
||||
|
||||
# Nix
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
nixpkgs.overlays = import ../packages;
|
||||
|
||||
#nix.buildCores = config.nix.maxJobs;
|
||||
|
||||
# Networking
|
||||
networking.enableIPv6 = true;
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
passwordAuthentication = false;
|
||||
challengeResponseAuthentication = false;
|
||||
};
|
||||
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
# v important.
|
||||
cowsay #ponysay
|
||||
ed # ed, man!
|
||||
sl
|
||||
rlwrap
|
||||
|
||||
#vim
|
||||
|
||||
# system stuff
|
||||
ethtool inetutils
|
||||
pciutils usbutils
|
||||
/*iotop*/ powertop htop
|
||||
psmisc lsof
|
||||
smartmontools hdparm
|
||||
lm_sensors
|
||||
ncdu
|
||||
|
||||
# utils
|
||||
file which
|
||||
reptyr
|
||||
tmux
|
||||
bc
|
||||
mkpasswd
|
||||
shadow
|
||||
|
||||
# archiving
|
||||
xdelta
|
||||
libarchive
|
||||
atool
|
||||
|
||||
# network
|
||||
nmap mtr bind
|
||||
socat netcat-openbsd
|
||||
lftp wget rsync
|
||||
|
||||
#gitMinimal
|
||||
#rxvt_unicode.terminfo
|
||||
];
|
||||
nix.gc.automatic = true;
|
||||
|
||||
services.avahi = {
|
||||
ipv6 = true;
|
||||
hostName = machine;
|
||||
};
|
||||
deployment.keyys = [ (<yori-nix/keys>+"/wg.${machine}.key") ];
|
||||
networking.wireguard.interfaces.wg-y = {
|
||||
privateKeyFile = "/root/keys/wg.${machine}.key";
|
||||
ips = [ vpn.ips.${machine} ];
|
||||
listenPort = 31790;
|
||||
peers = [ {
|
||||
publicKey = vpn.keys.pennyworth;
|
||||
endpoint = "pennyworth.yori.cc:31790";
|
||||
allowedIPs = [ "10.209.0.0/24" ];
|
||||
persistentKeepalive = 30;
|
||||
}];
|
||||
postSetup = "ip link set dev wg-y mtu 1371";
|
||||
};
|
||||
security.acme.email = "acme@yori.cc";
|
||||
security.acme.acceptTerms = true;
|
||||
nix.binaryCachePublicKeys =
|
||||
[ "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0=" ];
|
||||
|
||||
nix.trustedUsers = ["@wheel"];
|
||||
services.prometheus.exporters.node = {
|
||||
enable = true;
|
||||
enabledCollectors = [ "systemd" ];
|
||||
disabledCollectors = [ "rapl" ];
|
||||
};
|
||||
networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 9100 ];
|
||||
}
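Review bot: The root account receives the same password hash on every host that imports this role, `hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own`, so one leaked or cracked hash gives console root on all of them; resolve the TODO with a per-machine value, e.g. `hashedPassword = secrets.hashedPasswords.${machine};` with matching entries in secrets.nix. Root also inherits yorick's SSH keys, but the `services.openssh` block never sets `permitRootLogin`, so key-only root login rests on the NixOS default; pin it explicitly, `permitRootLogin = "prohibit-password";`, so a future default change cannot widen it. `nix.trustedUsers = ["@wheel"]` makes wheel members root-equivalent through the Nix daemon, which is consistent with wheel here but deserves a one-line comment.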
|
|
@ -0,0 +1,52 @@
|
|||
let secrets = import <secrets>;
|
||||
in { config, lib, pkgs, ... }: {
|
||||
imports = [ ./. ];
|
||||
options.yorick.support32bit = with lib;
|
||||
mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
config = {
|
||||
hardware.opengl = {
|
||||
enable = true;
|
||||
driSupport32Bit = config.yorick.support32bit;
|
||||
};
|
||||
sound.enable = true;
|
||||
hardware.pulseaudio = {
|
||||
enable = true;
|
||||
support32Bit = config.yorick.support32bit;
|
||||
};
|
||||
users.users.yorick.extraGroups = [ "video" ];
|
||||
# fix backlight permissions
|
||||
services.udev.extraRules = ''
|
||||
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness"
|
||||
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"
|
||||
'';
|
||||
|
||||
fonts = {
|
||||
fontDir.enable = true;
|
||||
enableGhostscriptFonts = true;
|
||||
fonts = with pkgs; [
|
||||
corefonts # Micrsoft free fonts
|
||||
inconsolata # monospaced
|
||||
source-code-pro
|
||||
ubuntu_font_family # Ubuntu fonts
|
||||
source-han-sans-japanese
|
||||
iosevka
|
||||
font-awesome
|
||||
];
|
||||
};
|
||||
# spotify
|
||||
networking.firewall.allowedTCPPorts = [ 55025 57621 ];
|
||||
networking.firewall.allowedUDPPorts = [ 55025 57621 ];
|
||||
|
||||
services.openssh.forwardX11 = true;
|
||||
|
||||
programs.sway = {
|
||||
enable = true;
|
||||
extraSessionCommands = ''
|
||||
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
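Review bot: `let secrets = import <secrets>;` binds a value this module never uses, yet it forces `<secrets>` onto NIX_PATH and evaluates the secrets file for every graphical host; delete that line and the `in` so the module is `{ config, lib, pkgs, ... }: {`. `services.openssh.forwardX11 = true` is the server-side switch and is not needed for these workstations to forward X from other hosts — it only matters when others SSH in, so drop it unless that is intended. The spotify ports under `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` are opened on every interface; `networking.firewall.interfaces.<name>` would scope them to the LAN if that is where they are needed.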
|
|
@ -0,0 +1,17 @@
|
|||
{lib, ...}: {
|
||||
users.users.lars = {
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa 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"
|
||||
];
|
||||
};
|
||||
services.avahi = {
|
||||
enable = true;
|
||||
nssmdns = true;
|
||||
publish = {
|
||||
enable = true;
|
||||
addresses = true;
|
||||
};
|
||||
};
|
||||
networking.firewall.logRefusedConnections = lib.mkForce true;
|
||||
}
|
|
@ -0,0 +1,16 @@
|
|||
{
|
||||
imports = [ ./. ];
|
||||
|
||||
documentation.nixos.enable = false;
|
||||
services.sshguard.enable = true;
|
||||
programs.mosh.enable = true;
|
||||
|
||||
environment.noXlibs = true;
|
||||
networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers
|
||||
# TODO: upstream with noXlibs
|
||||
# https://github.com/NixOS/nixpkgs/pull/107394
|
||||
nixpkgs.overlays = [ (self: super: {
|
||||
elixir_1_8 = (self.beam.packagesWith (self.beam.interpreters.erlang_nox)).elixir_1_8;
|
||||
erlang = super.erlang_nox;
|
||||
}) ];
|
||||
}
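Review bot: `services.sshguard.enable = true` with no `services.sshguard.whitelist` means a few failed logins from a peer on the WireGuard subnet used by the shared role can get that peer blocked for the whole host; consider `services.sshguard.whitelist = [ "10.209.0.0/24" ];` so the VPN range cannot lock itself out. `networking.firewall.logRefusedConnections = false` is silently overridden on hosts that also import the module declaring the `lars` user, which sets the same option with `lib.mkForce true`; a comment here pointing at that interaction would save confusion.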
|
|
@ -0,0 +1,112 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
sources = import ../nix/sources.nix;
|
||||
nixNetrcFile = pkgs.runCommand "nix-netrc-file"
|
||||
{ hostname = "cache.lumi.guide";
|
||||
username = "lumi";
|
||||
} ''
|
||||
cat > $out <<EOI
|
||||
machine $hostname
|
||||
login $username
|
||||
password ${builtins.readFile /home/yorick/engineering/lumi/secrets/shared/passwords/nix-serve-password}
|
||||
EOI
|
||||
'';
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./graphical.nix
|
||||
];
|
||||
|
||||
nixpkgs.overlays = [ (import sources.nixpkgs-wayland) ];
|
||||
users.extraUsers.yorick.extraGroups = [ "input" "wireshark" "dialout" ];
|
||||
services.printing = {
|
||||
enable = true;
|
||||
drivers = [ pkgs.gutenprint pkgs.cups-dymo ];
|
||||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
pkgs.ghostscript pkgs.yubikey-manager pkgs.glib
|
||||
];
|
||||
environment.sessionVariables.XDG_DATA_DIRS = with pkgs; [
|
||||
"${gnome-themes-extra}/share"
|
||||
"${gsettings-desktop-schemas}/share/gsettings-schemas/${gsettings-desktop-schemas.name}"
|
||||
];
|
||||
programs.dconf.enable = true;
|
||||
virtualisation.virtualbox.host.enable = false;
|
||||
yorick.support32bit = true;
|
||||
services.pcscd.enable = true;
|
||||
#environment.systemPackages = [pkgs.yubikey-manager];
|
||||
fonts.fonts = [ pkgs.emojione ];
|
||||
# bluetooth headphones
|
||||
hardware.pulseaudio.package = pkgs.pulseaudioFull;
|
||||
programs.wireshark.enable = true;
|
||||
nix = {
|
||||
gc.automatic = pkgs.lib.mkOverride 30 false;
|
||||
binaryCaches = [
|
||||
"https://cache.nixos.org"
|
||||
"https://cache.lumi.guide/"
|
||||
#"s3://yori-nix?endpoint=s3.eu-central-003.backblazeb2.com&profile=backblaze-read"
|
||||
#"https://nixpkgs-wayland.cachix.org"
|
||||
];
|
||||
trustedBinaryCaches = config.nix.binaryCaches ++ [
|
||||
"ssh://yorick@jupiter.serokell.io"
|
||||
"ssh-ng://jupiter"
|
||||
"https://serokell.cachix.org"
|
||||
];
|
||||
binaryCachePublicKeys = [
|
||||
"serokell:ic/49yTkeFIk4EBX1CZ/Wlt5fQfV7yCifaJyoM+S3Ss="
|
||||
"serokell-1:aIojg2Vxgv7MkzPJoftOO/I8HKX622sT+c0fjnZBLj0="
|
||||
"cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE="
|
||||
"serokell.cachix.org-1:5DscEJD6c1dD1Mc/phTIbs13+iW22AVbx0HqiSb+Lq8="
|
||||
#"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
|
||||
"yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0="
|
||||
];
|
||||
extraOptions = ''
|
||||
netrc-file = ${nixNetrcFile}
|
||||
'';
|
||||
};
|
||||
services.avahi = {
|
||||
enable = true;
|
||||
nssmdns = true;
|
||||
};
|
||||
virtualisation.libvirtd.enable = true;
|
||||
users.users.yorick.extraGroups = [ "libvirtd" "pico" ];
|
||||
users.users.yorick.shell = pkgs.fish;
|
||||
services.udev.extraRules = ''
|
||||
SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5bf0", MODE="0664", GROUP="dialout"
|
||||
'';
|
||||
|
||||
# LDAC:
|
||||
hardware.pulseaudio.extraModules = [ pkgs.pulseaudio-modules-bt ];
|
||||
|
||||
# picoscope
|
||||
#users.users.yorick.extraGroups = ["pico"];
|
||||
services.udev.packages = [
|
||||
(pkgs.writeTextDir "lib/udev/rules.d/95-pico.rules" ''
|
||||
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0ce9", MODE="664",GROUP="pico"
|
||||
'')
|
||||
];
|
||||
users.groups.pico = {};
|
||||
|
||||
# development
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
enableTCPIP = true;
|
||||
package = pkgs.postgresql_10;
|
||||
};
|
||||
|
||||
|
||||
# git
|
||||
boot.kernel.sysctl."fs.inotify.max_user_watches" = 1024000000;
|
||||
|
||||
yorick.lumi-vpn.enable = true;
|
||||
|
||||
services.pipewire.enable = true;
|
||||
xdg.portal = {
|
||||
enable = true;
|
||||
extraPortals = with pkgs; [
|
||||
xdg-desktop-portal-wlr
|
||||
xdg-desktop-portal-gtk
|
||||
];
|
||||
gtkUsePortal = true;
|
||||
};
|
||||
}
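Review bot: The Lumi cache password is read at evaluation time, `password ${builtins.readFile /home/yorick/engineering/lumi/secrets/shared/passwords/nix-serve-password}`, and written into the output of `pkgs.runCommand`, so it ends up world-readable in `/nix/store` (both in the `.drv`'s `buildCommand` and in the built netrc) and travels with any `nix copy` or cache upload of that closure. Provision the file out of band the way this repo already handles WireGuard and borg keys: `deployment.keyys = [ (../keys + "/nix-netrc") ];` (constructed file name) and `nix.extraOptions = "netrc-file = /root/keys/nix-netrc";`, dropping the `nixNetrcFile` derivation from the `let`. Secondary: `services.postgresql.enableTCPIP = true` makes postgres listen on every interface of a laptop; leave it on the unix socket unless a TCP client is actually needed.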
|
|
@ -0,0 +1,12 @@
|
|||
let
|
||||
sources = import ./nix/sources.nix;
|
||||
nixpkgs = import sources.nixpkgs {};
|
||||
nixos = name: configuration: import (nixpkgs.path + "/nixos/lib/eval-config.nix") {
|
||||
extraArgs = { inherit name; };
|
||||
modules = [ ({lib, ... }: { config.nixpkgs.pkgs = lib.mkDefault nixpkgs; }) ] ++ configuration;
|
||||
};
|
||||
names = [ "pennyworth" "jarvis" "blackadder" "woodhouse" "frumar" "zazu" ];
|
||||
in
|
||||
nixpkgs.lib.genAttrs names (name: (let os =
|
||||
nixos name [ ./roles (./logical + "/${name}.nix") ]; in
|
||||
os.config.system.build.toplevel // os))
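Review bot: Setting `config.nixpkgs.pkgs = lib.mkDefault nixpkgs;` for every host makes NixOS ignore `nixpkgs.config.*` from the modules, if I read the option's documentation correctly (overlays are still applied on top), so the `nixpkgs.config.allowUnfree = true` in the shared role becomes a no-op and any unfree package fails to evaluate. Give the pre-imported nixpkgs the config directly, `nixpkgs = import sources.nixpkgs { config.allowUnfree = true; };`, or drop the `nixpkgs.pkgs` module and let each host build its own pkgs. A comment on the `modules` line explaining why `pkgs` is injected here would help the next reader.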
|
|
@ -0,0 +1,46 @@
|
|||
{ name, ... }:
|
||||
{
|
||||
deployment.keyys = [
|
||||
(../keys + "/${name}_borg_repo.key")
|
||||
(../keys + "/${name}_borg_ssh.key")
|
||||
];
|
||||
services.borgbackup.jobs.backup = {
|
||||
encryption = {
|
||||
# Keep the encryption key in the repo itself
|
||||
mode = "repokey-blake2";
|
||||
|
||||
# Password is used to decrypt the encryption key from the repo
|
||||
passCommand = "cat /root/keys/${name}_borg_repo.key";
|
||||
};
|
||||
environment = {
|
||||
# Make sure we're using Borg >= 1.0
|
||||
BORG_REMOTE_PATH = "borg1";
|
||||
|
||||
# SSH key is specific to the subaccount defined in the repo username
|
||||
BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key";
|
||||
};
|
||||
|
||||
# Define schedule
|
||||
startAt = "hourly";
|
||||
|
||||
repo = "14337@ch-s012.rsync.net:${name}";
|
||||
paths = [ "/home" "/root" "/var/lib" ];
|
||||
|
||||
prune.keep = {
|
||||
# hourly backups for the past week
|
||||
within = "7d";
|
||||
|
||||
# daily backups for two weeks before that
|
||||
daily = 14;
|
||||
|
||||
# weekly backups for a month before that
|
||||
weekly = 4;
|
||||
|
||||
# monthly backups for 6 months before that
|
||||
monthly = 6;
|
||||
|
||||
# 2 years
|
||||
yearly = 2;
|
||||
};
|
||||
};
|
||||
}
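Review bot: `BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key"` relies on whatever root's known_hosts happens to hold for `ch-s012.rsync.net`; from a systemd unit the first connection either fails or trusts an unverified host key depending on the SSH defaults, so ship the server's public key with the other deployed keys and pin it: `BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key -o UserKnownHostsFile=/root/keys/<known_hosts placeholder> -o StrictHostKeyChecking=yes";`. Because the job runs as root with a key that can prune, a compromised host can also delete its own history; an append-only repository on the remote side (`borg serve --append-only` or the provider's equivalent) limits that. Note that `/root` is in `paths`, so the repo passphrase and SSH key are stored inside the backup they protect — fine for recovery, but worth a comment.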
|
|
@ -0,0 +1,8 @@
|
|||
{
|
||||
imports = [
|
||||
./git.nix
|
||||
./muflax-church.nix
|
||||
./pub.nix
|
||||
./website.nix
|
||||
];
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
sources = import ../nix/sources.nix;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
("${sources.nixos-mailserver}")
|
||||
];
|
||||
|
||||
mailserver = rec {
|
||||
enable = true;
|
||||
fqdn = "pennyworth.yori.cc";
|
||||
domains = [ "yori.cc" "yorickvanpelt.nl" ];
|
||||
loginAccounts = {
|
||||
"yorick@yori.cc" = {
|
||||
hashedPassword = (import ../secrets.nix).yorick_mailPassword;
|
||||
catchAll = domains;
|
||||
aliases = [ "@yori.cc" "@yorickvanpelt.nl" ];
|
||||
};
|
||||
};
|
||||
certificateScheme = 3;
|
||||
enableImapSsl = true;
|
||||
};
|
||||
|
||||
services.borgbackup.jobs.backup.paths = [ "/var/vmail" ];
|
||||
}
|
|
@ -0,0 +1,52 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = config.services.yorick.git;
|
||||
inherit (cfg) vhost;
|
||||
in
|
||||
{
|
||||
options.services.yorick.git = with lib; {
|
||||
enable = mkEnableOption "git";
|
||||
vhost = mkOption { type = types.str; };
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
users.extraUsers.git = {
|
||||
createHome = true;
|
||||
home = config.services.gitea.stateDir; extraGroups = [ "git" ]; useDefaultShell = true;
|
||||
};
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
user = "git";
|
||||
database.user = "root";
|
||||
database.name = "gogs";
|
||||
database.createDatabase = false;
|
||||
#dump.enable = true; TODO: backups
|
||||
domain = cfg.vhost;
|
||||
rootUrl = "https://${cfg.vhost}/";
|
||||
httpAddress = "localhost";
|
||||
cookieSecure = true;
|
||||
log.level = "Warn";
|
||||
disableRegistration = true;
|
||||
settings.service = {
|
||||
REGISTER_EMAIL_CONFIRM = false;
|
||||
ENABLE_NOTIFY_MAIL = false;
|
||||
REQUIRE_SIGNIN_VIEW = false;
|
||||
};
|
||||
settings.picture.DISABLE_GRAVATAR = false;
|
||||
settings.mailer = {
|
||||
ENABLED = false;
|
||||
AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/data/avatars";
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts.${vhost} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString config.services.gitea.httpPort}";
|
||||
extraConfig = ''
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
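Review bot: `AVATAR_UPLOAD_PATH` is placed under `settings.mailer`, but in Gitea's app.ini that key belongs to the `[picture]` section, so it is ignored here; move it next to the gravatar switch: `settings.picture = { DISABLE_GRAVATAR = false; AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/data/avatars"; };`. The `git` user declares neither `isSystemUser` nor `isNormalUser`, which newer NixOS releases reject with an assertion — add `isSystemUser = true; group = "git";` if the target release requires it. The `#dump.enable = true; TODO: backups` comment is worth resolving: the hourly borg job copies `/var/lib` live, which does not give a consistent snapshot of the database files.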
|
|
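--- /dev/null
+++ b/UNKNOWN-PATH-2.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+let
+muflax-source = builtins.fetchGit {
+rev = "e5ce7ae4296c6605a7e886c153d569fc38318096";
+ref = "HEAD";
+url = "https://github.com/fmap/muflax65ngodyewp.onion.git";
+};
+nixpkgs = import (builtins.fetchTarball {
+url = "https://github.com/NixOS/nixpkgs-channels/archive/78e9665b48ff45d3e29f45b3ebeb6fc6c6e19922.tar.gz";
+sha256 = "09f50jaijvry9lrnx891qmcf92yb8qs64n1cvy0db2yjrmxsxyw8";
+}) { system = builtins.currentSystem; };
+muflax-church = (nixpkgs.callPackage "${muflax-source}/maintenance" {}).overrideDerivation (default: {
+buildPhase = default.buildPhase + "\n" + ''
+grep -lr '[^@]muflax.com' out | xargs -r sed -i 's/\([^@]\)muflax.com/\1muflax.church/g;s/http:\/\/\([^@]*\)muflax.church/https:\/\/\1muflax.church/g'
+'';
+});
+cfg = config.services.yorick.muflax-church;
+inherit (cfg) vhost;
+addrs = {
+"daily.${vhost}" = "${muflax-church}/daily";
+"blog.${vhost}" = "${muflax-church}/blog";
+"gospel.${vhost}" = "${muflax-church}/gospel";
+"alt.${vhost}" = "/home/public/public/muflax";
+};
+m = x: root: { forceSSL = true; useACMEHost = vhost; inherit root; };
+in
+{
+options.services.yorick.muflax-church = with lib; {
+enable = mkEnableOption "muflax.church";
+vhost = mkOption { type = types.str; };
+};
+config = lib.mkIf cfg.enable {
+services.nginx.virtualHosts = {
+${cfg.vhost} = {
+forceSSL = true;
+enableACME = true;
+root = "${muflax-church}/muflax";
+};
+"daily.${vhost}" = m "${muflax-church}/daily";
+"blog.${vhost}" = m "${muflax-church}/blog";
+"gospel.${vhost}" = m "${muflax-church}/gospel";
+"alt.${vhost}" = m "/home/public/public/muflax";
+} // (lib.mapAttrs m addrs);
+security.acme.certs.${vhost}.extraDomainNames = [
+"daily.${vhost}"
+"blog.${vhost}"
+"gospel.${vhost}"
+"alt.${vhost}"
+];
+};
+}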
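Review bot: The four explicit entries `"daily.${vhost}" = m "${muflax-church}/daily";` through `"alt.${vhost}" = m "/home/public/public/muflax";` inside `services.nginx.virtualHosts` apply the two-argument `m = x: root: …` to a single argument, so each evaluates to a partially applied function rather than a vhost attrset; they only escape a module type error because `// (lib.mapAttrs m addrs)` overrides every one of them with the correct value. Drop those four lines and let `addrs` be the single source of truth. `security.acme.certs.${vhost}.extraDomainNames` then repeats the same host names a second time by hand; `extraDomainNames = lib.attrNames addrs;` keeps the certificate SANs in step with the hosts actually served. A short comment on `addrs` noting that `alt.${vhost}` is served from a user-writable home directory rather than from the store would also help, since the other three roots are immutable.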
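--- /dev/null
+++ b/UNKNOWN-PATH-3.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, lib, ... }:
+let cfg = config.services.yorick.public; in
+{
+options.services.yorick.public = {
+enable = lib.mkEnableOption "public hosting";
+vhost = lib.mkOption { type = lib.types.str; };
+};
+#imports = [../modules/nginx.nix];
+config = lib.mkIf cfg.enable {
+systemd.services.nginx.serviceConfig = {
+ProtectHome = "tmpfs";
+BindReadOnlyPaths = [ "/home/public/public" ];
+};
+users.extraUsers.public = {
+home = "/home/public";
+useDefaultShell = true;
+openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public];
+createHome = true;
+};
+services.nginx.virtualHosts.${cfg.vhost} = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+root = "/home/public/public";
+index = "index.html";
+};
+};
+};
+}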
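Review bot: `users.extraUsers.public` sets neither `isNormalUser` nor `isSystemUser`, so on NixOS releases that assert one of the two (and allocate the uid accordingly) this account fails evaluation; given the home, shell and SSH key, `isNormalUser = true;` is presumably what is intended. The key grants a full login shell (`useDefaultShell = true`) although the account's only job is to drop files into `/home/public/public`; an sshd `Match User public` block with `ForceCommand internal-sftp` (or a `restrict,command=` prefix on the key) limits what that key can do if it is ever lost. The `ProtectHome = "tmpfs"` plus `BindReadOnlyPaths` pair is good hardening and deserves a one-line comment, e.g. `# nginx sees an empty /home except for the read-only bind of the served directory`, so nobody later "simplifies" it away and quietly exposes all of `/home` to the web server.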
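--- /dev/null
+++ b/UNKNOWN-PATH-4.nix
@@ -0,0 +1,32 @@
+{pkgs, lib, config, ...}:
+let
+cfg = config.services.yorick.torrent-vpn;
+in
+{
+options.services.yorick.torrent-vpn = with lib; {
+enable = mkEnableOption "torrent-vpn";
+name = mkOption { type = types.str; };
+namespace = mkOption { type = types.str; };
+};
+config = {
+deployment.keyys = [ (<yori-nix/keys>+"/wg.${cfg.name}.key") ];
+networking.wireguard.interfaces.${cfg.name} = {
+# curl -s https://api.mullvad.net/www/relays/all/ | jq '.[] | select(.type == "wireguard" and .country_code == "nl")'
+ips = [ "10.66.30.26/32" "fc00:bbbb:bbbb:bb01::3:1e19/128" ];
+privateKeyFile = "/root/keys/wg.${cfg.name}.key";
+peers = [{
+publicKey = "hnRyse6QxPPcZOoSwRsHUtK1W+APWXnIoaDTmH6JsHQ=";
+allowedIPs = ["0.0.0.0/0" "::0/0"];
+endpoint = "[2a03:1b20:3:f011::a04f]:51820";
+}];
+interfaceNamespace = cfg.namespace;
+preSetup = ''
+${pkgs.iproute}/bin/ip netns add "${cfg.namespace}" || true
+'';
+};
+environment.etc."netns/torrent/resolv.conf".text = ''
+nameserver 193.138.218.74
+'';
+};
+}
+# todo: presets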
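Review bot: `config = {` is unconditional, so the `enable` option declared just above it does nothing — the WireGuard interface, the key deployment and the resolv.conf are applied whenever this module is imported, unlike the other modules in this commit which wrap `config` in `lib.mkIf cfg.enable`; the fix is `config = lib.mkIf cfg.enable {`. `deployment.keyys` looks like a typo for `deployment.keys` (the deployment tool's option set is not visible here, so that is an inference), and `environment.etc."netns/torrent/resolv.conf"` hard-codes the namespace name instead of `"netns/${cfg.namespace}/resolv.conf"`, so any other `namespace` value leaves the namespace falling back to the host's resolv.conf rather than the VPN resolver. `|| true` in `preSetup` masks every failure of `ip netns add`, not just the already-exists case; at minimum a comment stating that this is intentional would stop a reader from treating a silently missing namespace as a configuration bug elsewhere.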
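--- /dev/null
+++ b/UNKNOWN-PATH-5.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+let
+yoricc = pkgs.callPackage ../packages/yori-cc.nix {};
+cfg = config.services.yorick.website;
+in
+with lib;
+{
+options.services.yorick = {
+website = {
+enable = mkEnableOption "yoricc website";
+vhost = mkOption { type = types.str; };
+pkg = mkOption { type = types.package; default = yoricc; };
+};
+redirect = mkOption { type = types.loaOf types.str; default = []; };
+};
+config.services.nginx.virtualHosts = with cfg; mkIf enable {
+${vhost} = {
+enableACME = true;
+forceSSL = true;
+locations."/".root = "${pkg}/web";
+};
+};
+
+}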
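Review bot: `redirect = mkOption { type = types.loaOf types.str; default = []; };` is declared but nothing in `config` reads it, and `types.loaOf` is deprecated in favour of `types.attrsOf` (with `default = {}`); either wire it into the vhost or drop it so the option does not advertise behaviour it lacks. Layering `with lib;` over the whole module body and `with cfg;` over the config block makes it hard to see where `enable`, `vhost` and `pkg` come from and invites accidental shadowing; `cfg.vhost` / `cfg.pkg` reads more clearly. Since `pkg` defaults to a derivation built from `../packages/yori-cc.nix`, a `description` on that option stating that `${pkg}/web` must contain the site root would help whoever next overrides it.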
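--- /dev/null
+++ b/UNKNOWN-PATH-6.nix
@@ -0,0 +1,4 @@
+{
+public = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZv+hBDmjxF8h9Gxwvy0o7sMgOsqwp8pVj9AlpG90Y7agvkOm2IGtFueVfiDe0yWPXT0/EIiVWcPhWwcVkbY/BkypPJSMLnlcQ6ld+aO1g+BtdDaVuxcTSvQ77UCT2p+wftxoq1EiUdlhTsXpPucrBd+5NOde+jlPBE4qChIAf2zhOIByJAGT+M4Ie3eV4p5S9LB9CMI4s32gNUBbSA8UDmkjpBXkf9a1TZzdkOGWUmUFXt53/O8LZlGK9kkA5TsjM2xaxDjCLWf5wEcey4JsEggi1prE4aB68Q7+kdbvDiVSEFyZn0A/A9RXHBRAgW8yPdh+EGC56iDW/wkGxWBY5";
+yorick = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDo1N5E6qkb3McJOvv0PqI7E8iYLAcjil5RWc+zeTtN/" "ssh-rsa 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 cardno:000607186578"];
+}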
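--- /dev/null
+++ b/UNKNOWN-PATH-7.nix
@@ -0,0 +1,21 @@
+{
+ips = {
+pennyworth = "10.209.0.1";
+jarvis = "10.209.0.2";
+frumar = "10.209.0.3";
+woodhouse = "10.209.0.4";
+ascanius = "10.209.0.5";
+blackadder = "10.209.0.6";
+zazu = "10.209.0.7";
+};
+keys = {
+# for i in wg.*.key; do echo $(echo $i | cut -d. -f2) = \"$(wg pubkey < $i)\"\;; done
+ascanius = "zZ3gegDspSKBJutp99VzODZNcJ1qQF3OH2nrlxhICwI=";
+blackadder = "+SfIbW9/MmA5iIVUUzkKPeWmZvwhP8y9qWo67o2UZUA=";
+frumar = "UpFw4KmrvmOWdMOJ+LHvMzgN7cQMnasqlkzF8/apoGI=";
+jarvis = "2/Qaq5uiy8uGGnZLIfjeomL47XjZCsJ1dDFDD9Nlq3E=";
+pennyworth = "XoeUMsiSOWBFEFuAu+S4iQd3MzkyGhIj9dtxzZ0I500=";
+woodhouse = "ICzlnC4zKUYvpQ0o5AFq2rG7CCqWUFVn3UqkLSoYNgI=";
+zazu = "6X5EdNMO1MtFi18LCRGZ2cBD0d50Wq+pwkwVubjY1Ew=";
+};
+}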