merged nixos

auto-flake-update
Yorick van Pelt 2021-05-23 17:48:19 +02:00
commit 785d459c2f
Signed by: yorick
GPG Key ID: D8D3CC6D951384DE
67 changed files with 2014 additions and 0 deletions

3
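--- /dev/null
+++ b/nixos/.git-crypt/.gitattributes
@@ -0,0 +1,3 @@
+# Do not edit this file. To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff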

4
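--- /dev/null
+++ b/nixos/.gitattributes
@@ -0,0 +1,4 @@
+secrets.nix filter=git-crypt diff=git-crypt
+*.key filter=git-crypt diff=git-crypt
+deploy_key filter=git-crypt diff=git-crypt
+keys/** filter=git-crypt diff=git-crypt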

2
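--- /dev/null
+++ b/nixos/.gitignore
@@ -0,0 +1,2 @@
+result
+copy-keys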

64
nixos/README.md Normal file

@ -0,0 +1,64 @@
My nixos configurations.
Systems
=======
[frumar](https://en.wikipedia.org/wiki/Frumar)
--------
Physical [server](./roles/server.nix). Mostly used for files. (storage: 30 TB hdd + 256GB ssd, RAM: 16GB, 2 cores ht)
- prometheus
- grafana
- rabbitmq
- torrents
- plex
[pennyworth](https://en.wikipedia.org/wiki/Alfred_Pennyworth)
----------
[Server](./roles/server.nix).
Hetzner cloud VPS (Storage: 20GB, RAM: 2GB, 1 core)
- [website](./services/website.nix)
- [email](./services/mail.nix)
- irc/weechat
- vpn + http gateway for some services
[woodhouse](https://en.wikipedia.org/wiki/List_of_Archer_characters#Recurring_characters)
-----------
intel nuc connected to the tv (storage: 250GB ssd, RAM: 8GB)
- plex media player
- todo: sshfs mount to frumar
[jarvis](https://en.wikipedia.org/wiki/Edwin_Jarvis)
--------
[workstation](./roles/workstation.nix).
dell xps 13 (RAM: 16GB, storage: 512GB ssd, 2 cores ht)
[blackadder](https://en.wikipedia.org/wiki/Edmund_Blackadder#Edmund_Blackadder_Esq._(Regency_Britain))
--------
[workstation](./roles/workstation.nix).
https://tweakers.net/productcollectie/wijzig/2583112/
ryzen 9 (RAM: 64GB, storage: 1TB ssd, 16 cores ht)
Maintenance
===========
Generating tor keys:
```
$(nix-build packages/shallot.nix --no-out-link)/bin/shallot -f tmp ^PATTERN
head -n3 tmp
tail -n +4 tmp > keys/ssh.HOSTNAME.key
shred tmp && rm tmp
```

54
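--- /dev/null
+++ b/nixos/conf
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+set -xeuo pipefail
+if ! [ -e secrets.nix ]
+then
+git crypt unlock
+fi
+export NIX_PATH=yori-nix=$PWD
+host=$1
+TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)
+#TARGET_HOST=192.168.178.1
+case $2 in
+copy-keys)
+nix build -f servers.nix "$host".config.deployment.keys-copy --out-link copy-keys
+./copy-keys/bin/copy-keys "$TARGET_HOST"
+# rm ./copy-keys
+;;
+exec)
+CHANNEL=$(jq -r ".$2.pkgs"<servers.json)
+channel_url=$(get_channel "$CHANNEL")
+export NIX_PATH="$channel_url:nixos-config=$PWD/logical/$2.nix:$NIX_PATH"
+"${@:3}"
+;;
+ssh)
+ssh root@"$TARGET_HOST"
+;;
+repl)
+exec "$0" exec "$2" nix repl '<nixpkgs>' '<nixpkgs/nixos>'
+;;
+build)
+nix build -f servers.nix "$host" --show-trace
+;;
+copy)
+nix copy -f servers.nix "$host" --show-trace --to "ssh://$TARGET_HOST"
+;;
+test)
+outPath=$(nix-build servers.nix -A "$host")
+nix copy -f servers.nix "$host" --show-trace --to "ssh://$TARGET_HOST"
+ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration test
+;;
+boot)
+outPath=$(nix-build servers.nix -A "$host")
+nix copy "$outPath" --show-trace --to "ssh://$TARGET_HOST"
+ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
+ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration boot
+;;
+switch)
+outPath=$(nix-build servers.nix -A "$host")
+nix copy "$outPath" --show-trace --to "ssh://$TARGET_HOST"
+ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
+ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration switch
+;;
+esac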
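Review bot: The `exec` and `repl` cases use `$2` where the host is needed: `CHANNEL=$(jq -r ".$2.pkgs"<servers.json)` reads `.exec.pkgs`, the `NIX_PATH` line points at `logical/exec.nix`, and `exec "$0" exec "$2" nix repl …` passes the literal `repl` as the host. `get_channel` is also not defined anywhere in this script, so under `set -e` the `exec` branch aborts with "command not found" before running anything. Replace `$2` with `$host` in those three lines and define or source `get_channel`. Separately, `$outPath` is unquoted in every `ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration …` line and `$host` is interpolated unquoted into the `nix eval` attribute path; quoting both keeps word splitting out of the remote command and makes a bad host name fail in one obvious place.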

19
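--- /dev/null
+++ b/nixos/deploy/keys.nix
@@ -0,0 +1,19 @@
+{ pkgs, lib, config, ... }:
+with lib;
+let cfg = config.deployment.keyys; in
+{
+options.deployment.keyys = mkOption { type = types.listOf types.path; default = []; };
+options.deployment.keys-copy = mkOption { type = types.package; };
+config = {
+deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys" (if cfg != [] then ''
+set -e
+ssh root@$1 "mkdir -p /root/keys"
+scp ${concatMapStringsSep " " toString cfg} root@$1:/root/keys
+echo "uploaded keys"
+'' else ''
+echo "no keys to upload"
+'');
+};
+}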
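Review bot: `$1` is unquoted in `ssh root@$1` and `scp … root@$1:/root/keys`, and the uploaded files keep whatever mode the remote umask gives them, so a key can land as 0644 under `/root/keys`. Quote the host and tighten the mode after upload, e.g. `ssh root@"$1" "mkdir -p /root/keys && chmod 700 /root/keys"` and, after the `scp`, `ssh root@"$1" "chmod 600 /root/keys/*"`. The `toString` in `concatMapStringsSep " " toString cfg` is load-bearing: it yields the source path without copying the file into the world-readable Nix store, whereas `${path}` interpolation would; a comment on that line (`# toString, not ${}: a path in ${} is copied into /nix/store`) keeps someone from "simplifying" it. The option name `keyys` is presumably deliberate, but a `# sic` beside it stops a half-done rename later.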

Binary file not shown.

nixos/keys/grafana.env Normal file

Binary file not shown.

nixos/keys/http.muflax.key Normal file

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

nixos/keys/ssh.frumar.key Normal file

Binary file not shown.

nixos/keys/ssh.jarvis.key Normal file

Binary file not shown.

Binary file not shown.

Binary file not shown.

nixos/keys/wg.ascanius.key Normal file

Binary file not shown.

Binary file not shown.

nixos/keys/wg.frumar.key Normal file

Binary file not shown.

nixos/keys/wg.jarvis.key Normal file

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

nixos/keys/wg.woodhouse.key Normal file

Binary file not shown.

nixos/keys/wg.zazu.key Normal file

Binary file not shown.

nixos/keys/yori-nix.key Normal file

Binary file not shown.


@ -0,0 +1,51 @@
{ config, pkgs, lib, ... }:
{
imports =
[ ../physical/3950x.nix
../roles/workstation.nix
];
nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
system.stateVersion = "19.09";
yorick.lumi-vpn = {
name = "yorick-homepc";
mtu = 1408;
};
xdg.autostart.enable = false;
services.znapzend = {
enable = true;
pure = true;
features = {
zfsGetType = true;
sendRaw = true;
};
zetup = {
"rpool/home-enc" = {
plan = "1d=>1h,1m=>1w";
destinations.frumar = {
host = "root@192.168.178.37";
dataset = "frumar-new/backup/blackadder";
plan = "1w=>1d,1y=>1w,10y=>1m,50y=>1y";
};
};
};
};
services.udev.extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="20b7", ATTRS{idProduct}=="9db1", MODE="0660", GROUP="dialout", TAG+="uaccess"
'';
nix.trustedUsers = [ "lars" ];
users.users.lars = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-rsa 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 openpgp:0x60F7D1FD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvdQ963wjgWyFMp6djRTqVwZr3/PQ/V+Qm5JTcxRTdY lumi@channelwood"
];
};
virtualisation.docker.enable = true;
}
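Review bot: `nix.trustedUsers = [ "lars" ]` makes lars effectively root on this machine: a trusted user can hand the daemon arbitrary `substituters`/`trusted-public-keys` and switch the sandbox off, so whatever they pull can end up running as root during builds. If lars only needs to run `nix` and build, `nix.allowedUsers` is the option to reach for, leaving `trustedUsers` to the deploying account. Whichever is intended, a one-line comment such as `# trusted = root-equivalent on this host` keeps the grant deliberate. The file header for this section is missing from the page, so the file name is not visible here.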

92
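--- /dev/null
+++ b/nixos/logical/frumar.nix
@@ -0,0 +1,92 @@
+{ config, pkgs, lib, ... }:
+{
+imports = [
+../physical/fractal.nix
+../roles/server.nix
+../roles/homeserver.nix
+../services/torrent-wg.nix
+];
+deployment.keyys = [ ../keys/grafana.env ];
+system.stateVersion = "15.09";
+networking.hostId = "0702dbe9";
+services.nginx.enable = false;
+# services.nginx.virtualHosts."${config.networking.hostName}" = {
+# enableACME = lib.mkForce false;
+# forceSSL = lib.mkForce false;
+# default = true;
+# };
+boot.supportedFilesystems = [ "zfs" ];
+services.yorick.torrent-vpn = {
+enable = true; name = "mullvad-nl4"; namespace = "torrent";
+};
+services.plex = {
+enable = true;
+openFirewall = true;
+};
+services.victoriametrics = {
+enable = true;
+retentionPeriod = 12;
+};
+services.prometheus = {
+enable = true;
+extraFlags = [
+"--web.enable-admin-api"
+];
+# victoriametrics
+remoteWrite = [ { url = "http://127.0.0.1:8428/api/v1/write"; } ];
+scrapeConfigs = [ {
+job_name = "smartmeter";
+# prometheus doesn't support mdns :thinking_face:
+static_configs = [ { targets = [ "192.168.178.30" ]; } ];
+scrape_interval = "10s";
+} {
+job_name = "node";
+static_configs = [ { targets = [ "localhost:9100" ]; } ];
+# } {
+# job_name = "unifi";
+# static_configs = [ { targets = [ "localhost:9130" ]; } ];
+} {
+job_name = "thermometer";
+static_configs = [ { targets = [ "192.168.178.21:8000" ]; } ];
+}];
+exporters.node.enable = true;
+# exporters.unifi = {
+# enable = true;
+# unifiAddress = "https://woodhouse.home.yori.cc:8443";
+# unifiInsecure = true;
+# unifiUsername = "ReadOnlyUser";
+# unifiPassword = "ReadOnlyPassword";
+# };
+};
+boot.zfs.requestEncryptionCredentials = false;
+networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 3000 9090 ];
+networking.firewall.allowedTCPPorts = [ 1883 ];
+networking.firewall.allowedUDPPorts = [ 1883 ];
+services.rabbitmq = {
+enable = true;
+plugins = [ "rabbitmq_mqtt" "rabbitmq_management" ];
+};
+services.grafana = {
+enable = true;
+addr = "0.0.0.0";
+domain = "grafana.yori.cc";
+rootUrl = "https://grafana.yori.cc/";
+extraOptions = {
+AUTH_BASIC_ENABLED = "false";
+AUTH_DISABLE_LOGIN_FORM = "true";
+AUTH_GOOGLE_ENABLED = "true";
+AUTH_GOOGLE_ALLOW_SIGN_UP = "false";
+};
+};
+systemd.services.grafana.serviceConfig.EnvironmentFile = "/root/keys/grafana.env";
+services.zfs = {
+trim.enable = false; # no ssd's
+autoScrub = {
+enable = true;
+interval = "*-*-01 02:00:00"; # monthly + 2 hours
+};
+};
+}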
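Review bot: `extraFlags = [ "--web.enable-admin-api" ]` turns on Prometheus's unauthenticated TSDB admin endpoints (delete series, snapshot, clean tombstones) on :9090, which this file opens to every `wg-y` peer and which pennyworth proxies as `prometheus.yori.cc`; unless the admin API is actually used, drop the flag, or keep it behind a `# admin API: no auth, reachable by every wg-y peer` comment so the exposure is deliberate. `networking.firewall.allowedUDPPorts = [ 1883 ]` opens a port MQTT never uses (it is TCP-only), so that line can go. The TCP 1883 rule is global rather than `wg-y`-scoped like grafana and prometheus, so the rabbitmq MQTT listener is reachable from every interface; presumably that is for the smartmeter/thermometer devices on the LAN, and a comment saying so would make it clear it is not an oversight.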

11
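--- /dev/null
+++ b/nixos/logical/jarvis.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, lib, ... }:
+{
+imports =
+[ ../physical/xps9360.nix
+../roles/workstation.nix
+];
+system.stateVersion = "17.09";
+yorick.lumi-vpn.name = "yorick";
+}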


@ -0,0 +1,84 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
let
sslforward = proxyPass: {
forceSSL = true;
enableACME = true;
locations."/" = {
inherit proxyPass;
proxyWebsockets = true;
};
};
vpn = import ../vpn.nix;
in
{
imports = [
../physical/hetznercloud.nix
../roles/server.nix
../modules/muflax-blog.nix
../services/backup.nix
../services/email.nix
];
system.stateVersion = "19.03";
services.nginx.enable = true;
services.yorick = {
public = { enable = true; vhost = "pub.yori.cc"; };
website = { enable = true; vhost = "yorickvanpelt.nl"; };
git = { enable = true; vhost = "git.yori.cc"; };
muflax-church = { enable = true; vhost = "muflax.church"; };
};
services.muflax-blog = {
enable = true;
web-server = {
port = 9001;
};
hidden-service = {
hostname = "muflax65ngodyewp.onion";
private_key = "/root/keys/http.muflax.key";
};
};
services.nginx.commonHttpConfig = ''
access_log off;
'';
services.nginx.virtualHosts = {
"yori.cc" = {
enableACME = true;
forceSSL = true;
globalRedirect = "yorickvanpelt.nl";
};
"yorickvanpelt.nl".locations."/p1".return = "301 https://git.yori.cc/yorick/meterkast";
"grafana.yori.cc" = sslforward "http://${vpn.ips.frumar}:3000";
"ubiquiti.yori.cc" = sslforward "https://${vpn.ips.woodhouse}:8443";
"prometheus.yori.cc" = {
# only over vpn
listen = [ { addr = "10.209.0.1"; port = 80; } ];
locations."/".proxyPass = "http://10.209.0.3:9090";
};
"pub.yori.cc".locations."/muflax/".extraConfig = ''
rewrite ^/muflax/(.*)$ https://alt.muflax.church/$1 permanent;
'';
};
deployment.keyys = [ <yori-nix/keys/http.muflax.key> ];
networking.firewall.allowedUDPPorts = [ 31790 ]; # wg
networking.wireguard.interfaces.wg-y.peers =
lib.mkForce (lib.mapAttrsToList (machine: publicKey: {
inherit publicKey;
allowedIPs = [ "${vpn.ips.${machine}}/32" ];
}) vpn.keys);
services.prometheus.exporters.wireguard = {
enable = true;
};
networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 9586 ];
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
environment.noXlibs = true;
users.users.yorick.packages = with pkgs; [
python2 sshfs-fuse weechat ripgrep
];
}
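Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = 1` together with the `mkForce`d wireguard peer list turns this host into a router between every `wg-y` peer and its other interfaces; as far as I recall the NixOS firewall only filters INPUT by default, and nothing in this hunk restricts what gets forwarded. If forwarding is only meant for VPN-to-VPN traffic, add the matching `networking.firewall.extraCommands` rules (or use `networking.nat`) and a comment stating the intent. `access_log off;` in `commonHttpConfig` removes the only record of requests to the public vhosts, which is worth weighing against the privacy goal when an incident needs reconstructing. `users.users.yorick.packages` also installs `python2`, which reached end of life in January 2020 and no longer receives security fixes.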


@ -0,0 +1,62 @@
{ config, pkgs, lib, ... }:
let
#secrets = import <secrets>;
mkFuseMount = device: opts: {
# todo: "ServerAliveCountMax=3" "ServerAliveInterval=30"
device = "${pkgs.sshfsFuse}/bin/sshfs#${device}";
fsType = "fuse";
options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user"
"defaults" "allow_other" "transform_symlinks" "default_permissions"
"uid=1000"
"reconnect" "IdentityFile=/root/.ssh/id_sshfs"] ++ opts;
};
in
{
imports = [
../physical/nuc.nix
../roles/graphical.nix
#<yori-nix/roles/homeserver.nix>
];
# nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ];
# system.stateVersion = "17.09";
# fuse mounts
system.fsPackages = [ pkgs.sshfsFuse ];
# programs.sway = {
# enable = true;
# extraSessionCommands = ''
# export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])}
# '';
# };
#fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" [];
hardware.bluetooth.enable = true;
# kodi ports
networking.firewall.allowedTCPPorts = [7 8080 8443 9090 9777];
users.users.tv = {
isNormalUser = true;
uid = 1043;
extraGroups = [ "wheel" ];
hashedPassword = "$6$hD4ESAGS8O1d$yctx6spOPZ0nt/6cgYpsWZ86UoXw3ISRpf2gbdhbl8JgDz6Psjx6JCqJ9NsMi5BHnXlgRRK/z2SVrTjHEsqQR.";
packages = with pkgs; [ plex-media-player ];
};
services.xserver.windowManager.i3.enable = true;
networking.useNetworkd = true;
networking.dhcpcd.enable = false;
services.resolved.enable = true;
#services.nscd.enable = false;
networking.interfaces.eno1.useDHCP = true;
networking.useDHCP = false;
#services.xserver.enable = lib.mkForce false;
# services.unifi = {
# enable = true;
# unifiPackage = pkgs.unifiStable;
# };
# todo: debug:
services.resolved.extraConfig = "MulticastDNS=true";
systemd.network.networks."40-eno1".networkConfig.MulticastDNS="yes";
services.fstrim.enable = true;
}
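Review bot: `users.users.tv.hashedPassword` puts the SHA-512 crypt hash in a file that `.gitattributes` does not encrypt (only `secrets.nix`, `*.key`, `deploy_key` and `keys/**` are), and as far as I recall NixOS also embeds `hashedPassword` in the generated user spec in the world-readable Nix store; prefer `passwordFile = "/root/keys/tv.passwd";` (any path outside the store, uploaded like the other keys) or at least route the hash through `secrets.nix`. The same user gets `extraGroups = [ "wheel" ]`, so the shared TV login has sudo; if it only needs to run `plex-media-player`, drop `wheel`. Port 7 (echo) in `networking.firewall.allowedTCPPorts` is unusual for kodi; a comment naming the feature that needs it would help, since the `# kodi ports` comment does not cover it. The file header for this section is missing from the page, so the file name is not visible here.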

197
nixos/logical/zazu.nix Normal file

@ -0,0 +1,197 @@
# Edit this configuration file to define what should be installed on your system. Help is available in the configuration.nix(5) man page and in the NixOS manual (accessible by running nixos-help).
let sources = import ../nix/sources.nix; in
{ config, lib, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
../physical/apu2c4.nix
#<yori-nix/roles/homeserver.nix>
../roles
"${sources.nixos-hardware}/pcengines/apu"
<nixpkgs/nixos/modules/profiles/minimal.nix>
];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = true;
"net.ipv6.conf.enp1s0.accept_ra" = 2;
};
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp1s0 = {
useDHCP = true;
tempAddress = "disabled";
};
#networking.interfaces.enp2s0.useDHCP = false;
networking.interfaces.enp3s0.useDHCP = false;
networking.interfaces.enp2s0 = {
tempAddress = "disabled";
ipv4.addresses = [{
address = "192.168.178.1";
prefixLength = 24;
}];
useDHCP = true;
};
# systemd.services.network-link-br0.unitConfig.After = lib.mkForce [ "network-pre.target" "br0-netdev.service" ];
# systemd.services.network-link-br0.unitConfig.BindsTo = lib.mkForce [ "br0-netdev.service" ];
networking.nat = {
enable = true;
externalInterface = "dslite1";
internalIPs = [ "192.168.178.1/24" ];
};
networking.defaultGateway = {
address = "192.0.0.1";
interface = "dslite1";
};
systemd.services.dslite1-netdev = {
wantedBy = [ "network-setup.service" "sys-subsystem-net-devices-dslite1.device" ];
bindsTo = [];
partOf = [ "network-setup.service" ];
after = [ "network-pre.target" "network-addresses-enp1s0.service" "network-link-enp1s0.service" ];
before = [ "network-setup.service" ];
path = [ pkgs.iproute ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
ip tunnel add dslite1 mode ip4ip6 local 2a02:a212:2200:4c00:20d:b9ff:fe56:ba04 remote 2001:730:2000:2::31 encaplimit none
ip link set dslite1 up
'';
postStop = ''
ip link del dslite1 || true
'';
};
networking.interfaces.dslite1 = {
mtu = 1452; # todo: ipv6 fragmenting?
ipv4.addresses = [{
address = "192.0.0.2";
prefixLength = 24;
}];
};
# networking.bridges = {
# br0.interfaces = [ "enp2s0" "enp3s0" ];
# };
networking.dhcpcd.persistent = true;
# request prefix delegation
networking.dhcpcd.extraConfig = ''
noipv6rs
ipv6only
interface enp1s0
ipv6rs
iaid 1
ia_pd 1/::/60 enp2s0/0/64
'';
services.dnsmasq = {
enable = true;
servers = [ "8.8.8.8" "1.1.1.1" ];
};
services.dhcpd4 = {
interfaces = [ "enp2s0" ];
enable = true;
machines = [
{ hostName = "amateria"; ethernetAddress = "a8:a1:59:15:8b:63"; ipAddress = "192.168.178.42"; }
{ hostName = "blackadder"; ethernetAddress = "a8:a1:59:03:8a:75"; ipAddress = "192.168.178.33"; }
{ hostName = "frumar"; ethernetAddress = "bc:5f:f4:e8:42:9f"; ipAddress = "192.168.178.37"; }
{ hostName = "jarvis"; ethernetAddress = "18:1d:ea:35:13:58"; ipAddress = "192.168.178.34"; }
{ hostName = "jarvis-dock"; ethernetAddress = "64:4b:f0:10:05:f2"; ipAddress = "192.168.178.13"; }
{ hostName = "printer"; ethernetAddress = "30:05:5c:44:20:a7"; ipAddress = "192.168.178.26"; }
{ hostName = "raspberrypi"; ethernetAddress = "b8:27:eb:b9:ec:3a"; ipAddress = "192.168.178.21"; }
{ hostName = "smartMeter"; ethernetAddress = "5c:cf:7f:26:ca:91"; ipAddress = "192.168.178.30"; }
{ hostName = "gang-ap"; ethernetAddress = "b4:fb:e4:2d:fc:f3"; ipAddress = "192.168.178.32"; }
{ hostName = "woodhouse"; ethernetAddress = "94:c6:91:15:1f:c5"; ipAddress = "192.168.178.39"; }
];
extraConfig = ''
subnet 192.168.178.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.178.255;
option routers 192.168.178.1;
option domain-name-servers 192.168.178.1;
range 192.168.178.3 192.168.178.200;
}
'';
};
services.radvd = {
enable = true;
config = ''
interface enp2s0 {
AdvSendAdvert on;
prefix 2a02:a212:2200:4c70::/64 {
AdvOnLink on;
AdvAutonomous on;
};
};
'';
};
networking.firewall.allowedUDPPorts = [ 53 ];
networking.firewall.allowedTCPPorts = [ 53 ];
services.fstrim.enable = true;
# Select internationalisation properties.
# i18n = {
# consoleFont = "Lat2-Terminus16";
# consoleKeyMap = "us";
# defaultLocale = "en_US.UTF-8";
# };
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# List packages installed in system profile. To search, run:
# $ nix search wget
# environment.systemPackages = with pkgs; [
# wget vim
# ];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# pinentryFlavor = "gnome3";
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Enable CUPS to print documents.
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09"; # Did you read the comment?
services.udisks2.enable = false;
boot.supportedFilesystems = lib.mkForce [ "ext4" ];
boot.initrd.supportedFilesystems = lib.mkForce [ "ext4" ];
security.polkit.enable = false;
nixpkgs.overlays = [ (self: super: {
dhcpcd = super.dhcpcd.overrideAttrs (o: rec {
pname = "dhcpcd";
version = "8.1.9";
src = self.fetchurl {
url = "mirror://roy/${pname}/${pname}-${version}.tar.xz";
sha256 = "1kzv61bgrd0zwiy6r218zkccx36j9p5mz1gxqvbhg05xn9g50alf";
};
patches = [];
});
}) ];
}
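Review bot: `networking.firewall.allowedUDPPorts = [ 53 ]` and `allowedTCPPorts = [ 53 ]` open DNS on every interface, including the uplink `enp1s0` and the `dslite1` tunnel, and nothing in this hunk binds dnsmasq to the LAN side, so the router becomes an open resolver on the internet (an amplification vector). Scope both rules to the LAN with `networking.firewall.interfaces.enp2s0.allowedUDPPorts = [ 53 ];` and the TCP twin, and add `interface=enp2s0` plus `bind-interfaces` to `services.dnsmasq.extraConfig`. The overlay pinning `dhcpcd` to 8.1.9 with `patches = []` also discards whatever fixes nixpkgs carries for that package; a comment naming the reason (presumably the `ia_pd` prefix-delegation behaviour) and a reminder to revisit would help, as this pin will silently outlive its cause. The hard-coded `local 2a02:…` address in the `dslite1-netdev` script will stop matching if the ISP renumbers, and a comment saying it is enp1s0's SLAAC address would explain where it came from.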


@ -0,0 +1,42 @@
{ config, lib, ... }:
let
cfg = config.yorick.lumi-vpn;
addresses = import "${builtins.getEnv "HOME"}/engineering/lumi/os/gateway/addresses.nix"
{ lib.ip4.ip = a: b: c: d: x: lib.concatStringsSep "." (map toString [ a b c d ]); };
in
{
options.yorick.lumi-vpn = with lib; {
enable = mkEnableOption "lumi vpn";
name = mkOption {
type = types.str;
example = "yorick-homepc";
};
user = mkOption {
type = types.str;
default = "yorick";
};
mtu = mkOption {
type = types.int;
default = 1371; # 1408 at home
};
ip = mkOption {
type = types.str;
example = "10.109.0.1";
default = addresses.workstations."${cfg.name}";
};
};
config = lib.mkIf cfg.enable {
networking.wireguard.interfaces = {
wg-lumi = {
privateKeyFile = "/home/${cfg.user}/engineering/lumi/secrets/devel/vpn/wg/workstations.${cfg.name}.key";
ips = [ cfg.ip ];
peers = [ {
publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI=";
endpoint = "wg.lumi.guide:31727";
allowedIPs = [ "10.96.0.0/12" "10.0.0.0/17" ];
}];
postSetup = "ip link set dev wg-lumi mtu ${toString cfg.mtu}";
};
};
};
}
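Review bot: `addresses = import "${builtins.getEnv "HOME"}/engineering/lumi/os/gateway/addresses.nix"` ties evaluation to the invoking user's environment: under `--pure-eval`/restricted evaluation or when run as another user (the deploy script, `nixos-rebuild` through sudo) `getEnv` yields `""` and the import fails on `/engineering/…` with an error that never mentions HOME. Since the value is only needed for the default of `ip`, move the import into that default so hosts that set `ip` explicitly never evaluate it, and add a comment stating the dependency; a NIX_PATH entry in the style of the `<yori-nix/…>` lookups used elsewhere in this commit would be cleaner still. The file header for this section is missing from the page, so the file name is not visible here.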


@ -0,0 +1,57 @@
{ cur_pkgs, config, lib, ... }:
let
cfg = config.services.muflax-blog;
muflax-source = builtins.fetchGit {
rev = "e5ce7ae4296c6605a7e886c153d569fc38318096";
ref = "HEAD";
url = "https://github.com/fmap/muflax65ngodyewp.onion.git";
};
nixpkgs = import (builtins.fetchTarball {
url = "https://github.com/NixOS/nixpkgs-channels/archive/78e9665b48ff45d3e29f45b3ebeb6fc6c6e19922.tar.gz";
sha256 = "09f50jaijvry9lrnx891qmcf92yb8qs64n1cvy0db2yjrmxsxyw8";
}) { system = builtins.currentSystem; };
blog = lib.overrideDerivation (nixpkgs.callPackage "${muflax-source}/maintenance" {}) (default: {
buildPhase = default.buildPhase + "\n" + ''
grep -lr '[^@]muflax.com' out | xargs -r sed -i 's/\([^@]\)muflax.com/\1${cfg.hidden-service.hostname}/g'
'';
});
in with lib; {
options.services.muflax-blog = {
enable = mkOption { type = types.bool; default = false; };
web-server = {
port = mkOption { type = types.int; };
};
hidden-service = {
hostname = mkOption { type = types.str; };
private_key = mkOption { type = types.str; };
};
};
config = mkIf cfg.enable {
services.nginx = {
enable = true;
appendHttpConfig = ''
server {
index index.html;
port_in_redirect off;
listen 127.0.0.1:${toString cfg.web-server.port};
server_name ${cfg.hidden-service.hostname};
root ${blog}/muflax;
}
'' + concatStringsSep "\n" (map (site: ''
server {
index index.html;
port_in_redirect off;
listen 127.0.0.1:${toString cfg.web-server.port};
server_name ${site}.${cfg.hidden-service.hostname};
root ${blog}/${site};
}
'') ["daily" "gospel" "blog"]);
};
services.tor.enable = true;
services.tor.hiddenServices.muflax-blog.map = [{
port = 80; toPort = cfg.web-server.port; }];
services.tor.service-keys.muflax-blog = cfg.hidden-service.private_key;
};
}
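Review bot: `nixpkgs = import (builtins.fetchTarball { url = "https://github.com/NixOS/nixpkgs-channels/archive/…" … })` pins a second, separate nixpkgs only to build the blog; the sha256 makes it reproducible, but `nixpkgs-channels` is, as far as I know, a repository that stopped receiving updates in 2020, so this pin cannot be bumped in place and the blog is built against packages that will not see fixes. Consider building with the module's own `pkgs` (or the niv `nixpkgs` source this commit adds in `nix/sources.json`) and leave a comment saying why a separate pin is needed if it really is. `cur_pkgs` in the module arguments is unused, and `enable` could be `mkEnableOption "muflax blog"` to match the `lumi-vpn` module. The file header for this section is missing from the page, so the file name is not visible here.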

36
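--- /dev/null
+++ b/nixos/modules/nginx.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+let
+sslcfg = dir: ''
+ssl on;
+ssl_certificate_key ${dir}/key.pem;
+ssl_certificate ${dir}/fullchain.pem;
+ssl_trusted_certificate ${dir}/fullchain.pem;
+add_header Strict-Transport-Security max-age=15768000;
+'';
+in
+{
+config = lib.mkIf config.services.nginx.enable {
+services.nginx = {
+recommendedTlsSettings = true;
+recommendedGzipSettings = true;
+recommendedProxySettings = true;
+recommendedOptimisation = true;
+serverTokens = false;
+sslDhparam = "/etc/nginx/dhparam.pem";
+virtualHosts."${config.networking.hostName}.yori.cc" = {
+enableACME = true;
+forceSSL = true;
+default = true;
+};
+};
+networking.firewall.allowedTCPPorts = [80 443];
+system.activationScripts.nginxdhparams = ''
+if ! [[ -e /etc/nginx/dhparam.pem ]]; then
+mkdir -p /etc/nginx/
+${pkgs.openssl}/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048
+fi
+'';
+};
+}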
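Review bot: `sslcfg` in the `let` block is never used, and the snippet it builds (`ssl on;` plus a hand-written HSTS header) is the old pre-`listen … ssl` style that `recommendedTlsSettings = true` already supersedes; delete it rather than leave a second, divergent TLS config around. The dhparam generation in `system.activationScripts.nginxdhparams` runs `openssl dhparam … 2048` synchronously during activation, so the first deploy stalls the whole switch for minutes; NixOS's `security.dhparams` module (`security.dhparams.enable = true; security.dhparams.params.nginx = {};` with `sslDhparam = config.security.dhparams.params.nginx.path`) does the same generation in a systemd unit ordered before nginx. If the activation script stays, a `# blocks activation on first run` comment above it is the minimum.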


@ -0,0 +1,32 @@
{ config, lib, ... }:
with lib;
let
service-keys = config.services.tor.service-keys;
torDir = "/var/lib/tor";
in {
options.services.tor.service-keys = mkOption {
default = {};
type = with types; attrsOf str;
};
config = mkIf (service-keys != {}) {
systemd.services."install-tor-hidden-service-keys" = {
wantedBy = ["tor.service"];
serviceConfig.Type = "oneshot";
serviceConfig.User = "root";
serviceConfig.Group = "keys";
# TODO: update on change?
# TODO: better ways to get the keys on the server
script = concatStringsSep "\n" (mapAttrsToList (name: keypath: ''
if ! [[ -e ${torDir}/onion/${name}/private_key ]]; then
mkdir -p ${torDir}/onion/${name}/
cp ${keypath} ${torDir}/onion/${name}/private_key
chmod -R 700 ${torDir}/onion/${name}
chown -R tor ${torDir}/onion/${name}
fi
'') service-keys);
};
};
}
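Review bot: `cp ${keypath} …` is only safe because `service-keys` is typed `attrsOf str`: a `path` value interpolated into that string would first be copied into the world-readable Nix store, so loosening the option type later would silently leak every hidden-service key. Add `# keep this str: a path value would be copied into /nix/store by the ${...} in the script below` on the option. The script also creates the key as root with umask permissions before `chmod -R 700` runs; `install -d -m 700 -o tor ${torDir}/onion/${name}` followed by `install -m 600 -o tor ${keypath} ${torDir}/onion/${name}/private_key` avoids that window and the `-R`. The `# TODO: update on change?` comment is accurate: the `-e` guard means a rotated key in `service-keys` is never installed until the old file is removed by hand. The file header for this section is missing from the page, so the file name is not visible here.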

81
nixos/nix/sources.json Normal file

@ -0,0 +1,81 @@
{
"emacs-overlay": {
"branch": "master",
"description": "Bleeding edge emacs overlay [maintainer=@adisbladis] ",
"homepage": "",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "dfed6847f127bd3c2c0cdd71b28d4e63e0ec0e91",
"sha256": "1b0871cr491cf1a4clhv2kwg492gp25gl45w72bmkyjbb6n22c7f",
"type": "tarball",
"url": "https://github.com/nix-community/emacs-overlay/archive/dfed6847f127bd3c2c0cdd71b28d4e63e0ec0e91.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"niv": {
"branch": "master",
"description": "Easy dependency management for Nix projects",
"homepage": "https://github.com/nmattia/niv",
"owner": "nmattia",
"repo": "niv",
"rev": "c8f74f44b5f5df2c8f20a1834460d012e74d78f9",
"sha256": "0zmhxgl37f1p2aiqjmiccflpgga6phj6vmqs3jd33z0frj6hsy5c",
"type": "tarball",
"url": "https://github.com/nmattia/niv/archive/c8f74f44b5f5df2c8f20a1834460d012e74d78f9.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixos-hardware": {
"branch": "master",
"description": "A collection of NixOS modules covering hardware quirks.",
"homepage": "",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "c242378e63b0ec334e964ac0c0fbbdd2b3e89ebf",
"sha256": "1z4cr5gsyfdpcy31vqg4ikalbxmnnac6jjk1nl8mxj0h0ix7pp36",
"type": "tarball",
"url": "https://github.com/nixos/nixos-hardware/archive/c242378e63b0ec334e964ac0c0fbbdd2b3e89ebf.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixos-mailserver": {
"sha256": "1m8ylrxlkn8nrpsvnivg32ncba9jkfal8a9sjy840hpl1jlm5lc4",
"type": "tarball",
"url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864/nixos-mailserver-ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864.tar.gz",
"url_template": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/<version>/nixos-mailserver-<version>.tar.gz",
"version": "ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864"
},
"nixpkgs": {
"branch": "master",
"description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
"homepage": "https://github.com/NixOS/nixpkgs",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2",
"sha256": "1r3ll77hyqn28d9i4cf3vqd9v48fmaa1j8ps8c4fm4f8gqf4kpl1",
"type": "tarball",
"url": "https://github.com/nixos/nixpkgs/archive/9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixpkgs-mozilla": {
"branch": "master",
"description": "mozilla related nixpkgs (extends nixos/nixpkgs repo)",
"homepage": "",
"owner": "mozilla",
"repo": "nixpkgs-mozilla",
"rev": "8c007b60731c07dd7a052cce508de3bb1ae849b4",
"sha256": "1zybp62zz0h077zm2zmqs2wcg3whg6jqaah9hcl1gv4x8af4zhs6",
"type": "tarball",
"url": "https://github.com/mozilla/nixpkgs-mozilla/archive/8c007b60731c07dd7a052cce508de3bb1ae849b4.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixpkgs-wayland": {
"branch": "master",
"description": "Automated, pre-built packages for Wayland (sway/wlroots) tools for NixOS.",
"homepage": "",
"owner": "colemickens",
"repo": "nixpkgs-wayland",
"rev": "80a15b9aaf56cc559cf0028763776cadad36ece2",
"sha256": "02s1k36iypsa7y1brwarz5y74dcrnn5qqplih3jq4dh0baqliiz0",
"type": "tarball",
"url": "https://github.com/colemickens/nixpkgs-wayland/archive/80a15b9aaf56cc559cf0028763776cadad36ece2.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}
}

174
nixos/nix/sources.nix Normal file

@ -0,0 +1,174 @@
# This file has been generated by Niv.
let
#
# The fetchers. fetch_<type> fetches specs of type <type>.
#
fetch_file = pkgs: name: spec:
let
name' = sanitizeName name + "-src";
in
if spec.builtin or true then
builtins_fetchurl { inherit (spec) url sha256; name = name'; }
else
pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
fetch_tarball = pkgs: name: spec:
let
name' = sanitizeName name + "-src";
in
if spec.builtin or true then
builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
else
pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
fetch_git = name: spec:
let
ref =
if spec ? ref then spec.ref else
if spec ? branch then "refs/heads/${spec.branch}" else
if spec ? tag then "refs/tags/${spec.tag}" else
abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
in
builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
fetch_local = spec: spec.path;
fetch_builtin-tarball = name: throw
''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
$ niv modify ${name} -a type=tarball -a builtin=true'';
fetch_builtin-url = name: throw
''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
$ niv modify ${name} -a type=file -a builtin=true'';
#
# Various helpers
#
# https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
sanitizeName = name:
(
concatMapStrings (s: if builtins.isList s then "-" else s)
(
builtins.split "[^[:alnum:]+._?=-]+"
((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
)
);
# The set of packages used when specs are fetched using non-builtins.
mkPkgs = sources: system:
let
sourcesNixpkgs =
import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
hasThisAsNixpkgsPath = <nixpkgs> == ./.;
in
if builtins.hasAttr "nixpkgs" sources
then sourcesNixpkgs
else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
import <nixpkgs> {}
else
abort
''
Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
add a package called "nixpkgs" to your sources.json.
'';
# The actual fetching function.
fetch = pkgs: name: spec:
if ! builtins.hasAttr "type" spec then
abort "ERROR: niv spec ${name} does not have a 'type' attribute"
else if spec.type == "file" then fetch_file pkgs name spec
else if spec.type == "tarball" then fetch_tarball pkgs name spec
else if spec.type == "git" then fetch_git name spec
else if spec.type == "local" then fetch_local spec
else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
else if spec.type == "builtin-url" then fetch_builtin-url name
else
abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
# If the environment variable NIV_OVERRIDE_${name} is set, then use
# the path directly as opposed to the fetched source.
replace = name: drv:
let
saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
in
if ersatz == "" then drv else
# this turns the string into an actual Nix path (for both absolute and
# relative paths)
if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
# Ports of functions for older nix versions
# a Nix version of mapAttrs if the built-in doesn't exist
mapAttrs = builtins.mapAttrs or (
f: set: with builtins;
listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
concatMapStrings = f: list: concatStrings (map f list);
concatStrings = builtins.concatStringsSep "";
# https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
optionalAttrs = cond: as: if cond then as else {};
# fetchTarball version that is compatible between all the versions of Nix
builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
let
inherit (builtins) lessThan nixVersion fetchTarball;
in
if lessThan nixVersion "1.12" then
fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
else
fetchTarball attrs;
# fetchurl version that is compatible between all the versions of Nix
builtins_fetchurl = { url, name ? null, sha256 }@attrs:
let
inherit (builtins) lessThan nixVersion fetchurl;
in
if lessThan nixVersion "1.12" then
fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
else
fetchurl attrs;
# Create the final "sources" from the config
mkSources = config:
mapAttrs (
name: spec:
if builtins.hasAttr "outPath" spec
then abort
"The values in sources.json should not have an 'outPath' attribute"
else
spec // { outPath = replace name (fetch config.pkgs name spec); }
) config.sources;
# The "config" used by the fetchers
mkConfig =
{ sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
, sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
, system ? builtins.currentSystem
, pkgs ? mkPkgs sources system
}: rec {
# The sources, i.e. the attribute set of spec name to spec
inherit sources;
# The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
inherit pkgs;
};
in
mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }


@ -0,0 +1,3 @@
[ (self: super: {
yori-cc = super.callPackage ./yori-cc.nix {};
})]


@ -0,0 +1,23 @@
{ stdenv, callPackage }:
stdenv.mkDerivation {
name = "yori-cc-1.5";
src = builtins.fetchGit {
url = "git@git.yori.cc:yorick/yori-cc.git";
rev = "68c75ab84cceaf98dd8fd0646b97d73f966b8962";
};
buildInputs = [ ];
installPhase = ''
mkdir -p "$out/web"
cp -ra * "$out/web"
'';
meta = {
description = "Yori-cc website";
homepage = https://yorickvanpelt.nl;
maintainers = [ "Yorick" ];
};
}
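Review bot: `src = builtins.fetchGit { url = "git@git.yori.cc:…"; rev = …; }` fetches over SSH at evaluation time, so evaluating this package requires the evaluating user's SSH key for git.yori.cc and nobody without that access can reproduce the build; if the repository can be read anonymously, an `https://` URL (or `fetchgit` with a `sha256`) keeps evaluation credential-free. The call also pins `rev` without a `ref`; as far as I know `builtins.fetchGit` only finds a bare `rev` when it is reachable from the default branch (newer Nix wants `allRefs = true` otherwise), so adding `ref = "master";` — or whichever branch holds the commit — avoids an opaque fetch failure after the next force-push. `homepage = https://yorickvanpelt.nl;` uses the deprecated unquoted URL literal; quote it.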


@ -0,0 +1,38 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "rpool/root/nixos";
fsType = "zfs";
};
fileSystems."/home" =
{ device = "rpool/home-enc";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/5D0A-7902";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/61a23e27-2cd4-4456-bcde-aec68be04239"; }
];
nix.maxJobs = lib.mkDefault 32;
# High-DPI console
#i18n.consoleFont = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
}

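--- a/nixos/physical/3950x.nix
+++ b/nixos/physical/3950x.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, lib, ... }:
+let sources = import ../nix/sources.nix;
+in
+{
+imports =
+[ ./.
+./3950x-hardware-config.nix
+"${sources.nixos-hardware}/common/cpu/amd"
+];
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+boot.supportedFilesystems = [ "zfs" ];
+boot.kernelModules = [ "nct6775" ];
+boot.kernelPackages = pkgs.linuxPackages_5_10;
+networking.hostId = "c7736638";
+services.zfs.autoScrub.enable = true;
+services.zfs.trim.enable = true;
+hardware.bluetooth.enable = true;
+networking.useDHCP = false;
+networking.usePredictableInterfaceNames = false;
+networking.bridges.br0.interfaces = [ "eth0" ];
+networking.interfaces.br0.useDHCP = true;
+# systemd.network.links."98-namepolicy" = {
+# matchConfig.OriginalName = "*";
+# linkConfig.NamePolicy = "mac kernel database onboard slot path";
+# };
+boot.kernelParams = [
+"amdgpu.ppfeaturemask=0xffffffff" "amdgpu.noretry=0" "amdgpu.lockup_timeout=1000" "amdgpu.gpu_recovery=1" "amdgpu.audio=0"
+# thunderbolt
+"pcie_ports=native" "pci=assign-busses,hpbussize=0x33,realloc"
+];
+}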
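Review bot: `networking.bridges.br0.interfaces = [ "eth0" ]` only works because `networking.usePredictableInterfaceNames = false` is set globally, and which physical port ends up as `eth0` then depends on driver probe order; if the board has more than one NIC (the commented-out `98-namepolicy` link block suggests naming was already a problem) a kernel or firmware update can silently move the bridge to the wrong port. Matching the port by MAC instead — `systemd.network.links."10-lan" = { matchConfig.MACAddress = "…"; linkConfig.Name = "lan0"; };` and bridging `lan0` — pins the name without disabling predictable naming for every interface. The four commented `systemd.network.links` lines should either become that rule or be dropped; a dead block next to the live setting invites the next reader to re-enable it.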

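--- a/nixos/physical/apu2c4.nix
+++ b/nixos/physical/apu2c4.nix
@@ -0,0 +1,22 @@
+# Do not modify this file! It was generated by nixos-generate-config
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+{
+boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-amd" ];
+boot.extraModulePackages = [ ];
+fileSystems."/" =
+{ device = "/dev/disk/by-uuid/1396f814-6cc2-4988-992a-3558fa1ac5a2";
+fsType = "ext4";
+};
+swapDevices =
+[ { device = "/dev/disk/by-uuid/5f8f358d-f63c-48ad-a322-d1aeb403e4ff"; }
+];
+nix.maxJobs = lib.mkDefault 4;
+}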


@ -0,0 +1,3 @@
{
hardware.enableRedistributableFirmware = true;
}


@ -0,0 +1,42 @@
{ config, lib, pkgs, ... }:
let sources = import ../nix/sources.nix;
in
{
imports =
[ ./.
"${sources.nixos-hardware}/common/cpu/intel"
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
# Use the GRUB 2 boot loader.
boot.loader.grub = {
enable = true;
version = 2;
# Define on which hard drive you want to install Grub.
device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S21PNXAG441016B";
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/ba95c638-f243-48ee-ae81-0c70884e7e74";
fsType = "ext4";
options = ["defaults" "relatime" "discard"];
};
swapDevices =
[ { device = "/dev/disk/by-label/nixos-swap"; }
];
fileSystems."/data" =
{ device = "frumar-new";
fsType = "zfs";
};
fileSystems."/data/plexmedia" =
{ device = "frumar-new/plexmedia";
fsType = "zfs";
};
nix.maxJobs = 4;
services.avahi.interfaces = [ "enp2s0" ];
}


@ -0,0 +1,38 @@
{ config, lib, pkgs, modulesPath, ... }:
let
ipconf = (import ../secrets.nix).ipconf.${config.networking.hostName};
in
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.loader.grub = {
enable = true;
version = 2;
device = "/dev/sda";
};
fileSystems."/" =
{ device = "/dev/sda1";
fsType = "ext4";
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 1;
#services.nscd.enable = false;
networking.dhcpcd.enable = false;
systemd.network.enable = true;
systemd.network.networks."40-hetzner" = {
DHCP = "ipv4";
address = [ ipconf.mainIPv6 ];
gateway = [ "fe80::1" ];
matchConfig.Name = "ens3";
};
services.fstrim.enable = true;
}

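--- a/nixos/physical/nuc.nix
+++ b/nixos/physical/nuc.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, modulesPath, ... }:
+let sources = import ../nix/sources.nix;
+in
+{
+imports =
+[ (modulesPath + "/installer/scan/not-detected.nix")
+./.
+"${sources.nixos-hardware}/common/cpu/intel"
+];
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+fileSystems."/" =
+{ device = "/dev/disk/by-uuid/3e148654-0ed8-4354-8159-e3499c6fa299";
+fsType = "ext4";
+};
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/439E-26EA";
+fsType = "vfat";
+};
+swapDevices = [ ];
+nix.maxJobs = lib.mkDefault 4;
+powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+nixpkgs.config.packageOverrides = pkgs: {
+vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+};
+hardware.opengl.extraPackages = with pkgs; [
+intel-media-driver # only available starting nixos-19.03 or the current nixos-unstable
+];
+}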


@ -0,0 +1,32 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/a751e4ea-f1aa-48e1-9cbe-423878e29b62";
fsType = "btrfs";
};
boot.initrd.luks.devices."nix-crypt".device = "/dev/disk/by-uuid/320ef81d-283f-4916-ac26-ecfb0f31e549";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0E07-7805";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/198ddaba-a849-41de-993d-862c2d37937a"; }
];
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
# high-resolution display
hardware.video.hidpi.enable = lib.mkDefault true;
}


@ -0,0 +1,47 @@
{ config, lib, pkgs, ... }:
let sources = import ../nix/sources.nix;
in
{
imports = [
"${sources.nixos-hardware}/dell/xps/13-9360"
./xps9360-hardware-config.nix
];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelModules = [ "i8k" ];
boot.extraModprobeConfig = ''
options i8k ignore_dmi=1
'';
fileSystems."/".options = ["defaults" "relatime" "discard"];
boot.initrd.luks.devices."nix-crypt".allowDiscards = true;
services.undervolt = rec {
enable = true;
coreOffset = -50;
gpuOffset = -50;
uncoreOffset = -50;
analogioOffset = -50;
};
services.tlp.settings = {
"CPU_SCALING_GOVERNOR_ON_AC" = "performance";
"CPU_SCALING_GOVERNOR_ON_BAT" = "powersave";
};
services.logind.lidSwitch = "ignore";
services.xserver.libinput.enable = true;
networking.wireless = {
enable = false;
iwd.enable = true;
};
hardware.bluetooth.enable = true;
hardware.enableRedistributableFirmware = true;
services.udev.packages = [ pkgs.crda ];
hardware.firmware = [ pkgs.wireless-regdb ];
# gotta go faster
networking.dhcpcd.extraConfig = ''
noarp
'';
}
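Review bot: `services.logind.lidSwitch = "ignore"` means closing the lid neither suspends nor locks this laptop, so the `nix-crypt` LUKS volume referenced by `boot.initrd.luks.devices."nix-crypt".allowDiscards` stays open with its key in RAM while the machine is carried around closed; if the goal is only to keep running while docked or on mains, `services.logind.lidSwitchDocked` / `lidSwitchExternalPower` cover that and plain `lidSwitch` can keep its default. If ignoring the lid everywhere is deliberate, say so next to it: `# intentional: lid close does not suspend/lock; disk key stays in RAM, rely on the session lock`. Two other settings deserve a one-line why-comment: `allowDiscards = true` lets TRIM reveal which blocks of the encrypted volume are unused (the documented cryptsetup trade-off), and `noarp` in `networking.dhcpcd.extraConfig` disables dhcpcd's duplicate-address probing, which is what the "gotta go faster" comment buys.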

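--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -0,0 +1,122 @@
+let secrets = import ../secrets.nix;
+in
+{ config, pkgs, lib, name, ...}:
+let
+machine = name;
+vpn = import ../vpn.nix;
+in
+{
+imports = [
+../modules/tor-hidden-service.nix
+../modules/nginx.nix
+../modules/lumi-vpn.nix
+../deploy/keys.nix
+../services
+];
+networking.domain = "yori.cc";
+networking.hostName = machine;
+time.timeZone = "Europe/Amsterdam";
+users.mutableUsers = false;
+users.users.root = {
+openssh.authorizedKeys.keys = config.users.users.yorick.openssh.authorizedKeys.keys;
+# root password is useful from console, ssh has password logins disabled
+hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
+};
+services.timesyncd.enable = true;
+users.users.yorick = {
+isNormalUser = true;
+uid = 1000;
+extraGroups = ["wheel"];
+group = "users";
+openssh.authorizedKeys.keys = with (import ../sshkeys.nix); yorick;
+hashedPassword = secrets.yorick_hashedPassword;
+};
+# Nix
+nixpkgs.config.allowUnfree = true;
+nixpkgs.overlays = import ../packages;
+#nix.buildCores = config.nix.maxJobs;
+# Networking
+networking.enableIPv6 = true;
+services.openssh = {
+enable = true;
+passwordAuthentication = false;
+challengeResponseAuthentication = false;
+};
+environment.systemPackages = with pkgs; [
+# v important.
+cowsay #ponysay
+ed # ed, man!
+sl
+rlwrap
+#vim
+# system stuff
+ethtool inetutils
+pciutils usbutils
+/*iotop*/ powertop htop
+psmisc lsof
+smartmontools hdparm
+lm_sensors
+ncdu
+# utils
+file which
+reptyr
+tmux
+bc
+mkpasswd
+shadow
+# archiving
+xdelta
+libarchive
+atool
+# network
+nmap mtr bind
+socat netcat-openbsd
+lftp wget rsync
+#gitMinimal
+#rxvt_unicode.terminfo
+];
+nix.gc.automatic = true;
+services.avahi = {
+ipv6 = true;
+hostName = machine;
+};
+deployment.keyys = [ (<yori-nix/keys>+"/wg.${machine}.key") ];
+networking.wireguard.interfaces.wg-y = {
+privateKeyFile = "/root/keys/wg.${machine}.key";
+ips = [ vpn.ips.${machine} ];
+listenPort = 31790;
+peers = [ {
+publicKey = vpn.keys.pennyworth;
+endpoint = "pennyworth.yori.cc:31790";
+allowedIPs = [ "10.209.0.0/24" ];
+persistentKeepalive = 30;
+}];
+postSetup = "ip link set dev wg-y mtu 1371";
+};
+security.acme.email = "acme@yori.cc";
+security.acme.acceptTerms = true;
+nix.binaryCachePublicKeys =
+[ "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0=" ];
+nix.trustedUsers = ["@wheel"];
+services.prometheus.exporters.node = {
+enable = true;
+enabledCollectors = [ "systemd" ];
+disabledCollectors = [ "rapl" ];
+};
+networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 9100 ];
+}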
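Review bot: Every host that imports this role shares one root password hash — `hashedPassword = secrets.pennyworth_hashedPassword` on `users.users.root`, which the `# TODO: generate own` comment acknowledges — so a console compromise or an offline crack of the hash on any one machine yields root on all of them. Both `hashedPassword` values are also written into the generated users/groups spec in the world-readable Nix store, as far as I recall the NixOS users module, so the git-crypt protection on `secrets.nix` stops at the deploy step. Since `deployment.keyys` already appears to ship per-host files to `/root/keys` (see `privateKeyFile = "/root/keys/wg.${machine}.key"`), a per-host `users.users.root.passwordFile = "/root/keys/root-password.${machine}";` (and the same for `yorick`) keeps the hash out of the store and distinct per machine. Worth a comment next to `nix.trustedUsers = ["@wheel"]`, too: a trusted user can hand the daemon arbitrary store paths and settings, which is root-equivalent, so adding a second wheel user later is not a harmless change.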

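--- a/nixos/roles/graphical.nix
+++ b/nixos/roles/graphical.nix
@@ -0,0 +1,52 @@
+let secrets = import <secrets>;
+in { config, lib, pkgs, ... }: {
+imports = [ ./. ];
+options.yorick.support32bit = with lib;
+mkOption {
+type = types.bool;
+default = false;
+};
+config = {
+hardware.opengl = {
+enable = true;
+driSupport32Bit = config.yorick.support32bit;
+};
+sound.enable = true;
+hardware.pulseaudio = {
+enable = true;
+support32Bit = config.yorick.support32bit;
+};
+users.users.yorick.extraGroups = [ "video" ];
+# fix backlight permissions
+services.udev.extraRules = ''
+ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness"
+ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"
+'';
+fonts = {
+fontDir.enable = true;
+enableGhostscriptFonts = true;
+fonts = with pkgs; [
+corefonts # Micrsoft free fonts
+inconsolata # monospaced
+source-code-pro
+ubuntu_font_family # Ubuntu fonts
+source-han-sans-japanese
+iosevka
+font-awesome
+];
+};
+# spotify
+networking.firewall.allowedTCPPorts = [ 55025 57621 ];
+networking.firewall.allowedUDPPorts = [ 55025 57621 ];
+services.openssh.forwardX11 = true;
+programs.sway = {
+enable = true;
+extraSessionCommands = ''
+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])}
+'';
+};
+};
+}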
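Review bot: `let secrets = import <secrets>;` on the first line is never used in this module, and it is the only place in the commit that resolves secrets through the `NIX_PATH` lookup `<secrets>` instead of `import ../secrets.nix` like the other modules — so evaluating any graphical host depends on the deploying shell's `NIX_PATH` (and breaks under `--pure-eval` / restricted evaluation) for no benefit. Drop the binding and open the file with `{ config, lib, pkgs, ... }: {`. Separately, `services.openssh.forwardX11 = true` enables X11 forwarding on the sshd side of every graphical host; if only outbound forwarding to other machines is wanted, `programs.ssh.forwardX11` is the client-side option, and if the server side is intended a one-line comment stating why would help.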


@ -0,0 +1,17 @@
{lib, ...}: {
users.users.lars = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCbieYUtRGQ4nf4glQvrZDn72doP6W2uw2z9VqFq5sZLROXYa4jW8nwx4h+BiArGs+VPwn6lfsP19PX6yNIk74C/SkO26S1Zvbe7ffNusi6PH2BQIOWeAYKk+eZH+ZOeD8z07uDB7QffwRLwzSaPFg+zfRzsMFoXH/GE9qOQ4lnfk8czTZL7zbZf/yS7mDFztClXFciYsVwgRXNiFpfc+9mOkU0oBWtGo/WGUhB0Hds3a4ylyjjVAcC/l1H2bvc/Q3d6bbn23pUFl2V78Yg1B4b1MT34qbBV6whXAQd7KM9tND2ZhpF2XQ7Spi1QlOac0jup+sE+3bbvcjNqTI05DwJO/dX5F2gSAFkvSY4ZPqSX5ilE/hj4DQuhRgLmQdbVl5IFV9aLYqUvJcCqX9jRFMly4YTFXsFz18rGkxOYGZabcE1usBM2zRVDTtEP6Si5ii76Ocvp8aNFBB2Kf1whg8tziTv3kQEQ9fd2sRtE2J3xveJiwXjUBU2uikSOKe8JP47Tb6PYlv7Ty/6OI51aUQn++R72VNajdBJ1r1osp7leqTJ+sXuLlWLo/a7lDpDmgEI7dbxqmpjLcMce0JzqLKlP1Q2U/nkYy86xkjSTH1rNUI2JAbJx3iTcGy7bq12yfjNfcGAqY4GVXvisK1cpbF0RCjaFExwtmzorljHh6ZHjQ=="
];
};
services.avahi = {
enable = true;
nssmdns = true;
publish = {
enable = true;
addresses = true;
};
};
networking.firewall.logRefusedConnections = lib.mkForce true;
}
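Review bot: The key for `users.users.lars` is pasted inline in `openssh.authorizedKeys.keys`, whereas every other key in the commit is pulled from `../sshkeys.nix` (`yorick` in `roles/default.nix`, `public` in `services/pub.nix`); adding `lars = [ "ssh-rsa …" ];` there and using `openssh.authorizedKeys.keys = (import ../sshkeys.nix).lars;` keeps one place to rotate keys. `networking.firewall.logRefusedConnections = lib.mkForce true` overrides the server role's `false`; a comment such as `# mkForce: this host wants refused-connection logging despite roles/server.nix` records the intent so it is not reverted as noise.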

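--- a/nixos/roles/server.nix
+++ b/nixos/roles/server.nix
@@ -0,0 +1,16 @@
+{
+imports = [ ./. ];
+documentation.nixos.enable = false;
+services.sshguard.enable = true;
+programs.mosh.enable = true;
+environment.noXlibs = true;
+networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers
+# TODO: upstream with noXlibs
+# https://github.com/NixOS/nixpkgs/pull/107394
+nixpkgs.overlays = [ (self: super: {
+elixir_1_8 = (self.beam.packagesWith (self.beam.interpreters.erlang_nox)).elixir_1_8;
+erlang = super.erlang_nox;
+}) ];
+}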
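Review bot: `programs.mosh.enable = true` in the shared server role also opens UDP 60000–61000 in the firewall on every server, if I remember the NixOS mosh module of that era correctly — a thousand-port exposure that is easy to forget about and that `services.sshguard` does not watch. If mosh is only used from the WireGuard network, `networking.firewall.interfaces.wg-y.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ];` scoped to the VPN interface is the narrower rule; otherwise a comment acknowledging the range is worth having. Consider `services.sshguard.whitelist = [ "10.209.0.0/24" ];` as well, so a host with a stale key on the VPN cannot get the admin's own machines blocked.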

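--- a/nixos/roles/workstation.nix
+++ b/nixos/roles/workstation.nix
@@ -0,0 +1,112 @@
+{ config, lib, pkgs, ... }:
+let
+sources = import ../nix/sources.nix;
+nixNetrcFile = pkgs.runCommand "nix-netrc-file"
+{ hostname = "cache.lumi.guide";
+username = "lumi";
+} ''
+cat > $out <<EOI
+machine $hostname
+login $username
+password ${builtins.readFile /home/yorick/engineering/lumi/secrets/shared/passwords/nix-serve-password}
+EOI
+'';
+in
+{
+imports = [
+./graphical.nix
+];
+nixpkgs.overlays = [ (import sources.nixpkgs-wayland) ];
+users.extraUsers.yorick.extraGroups = [ "input" "wireshark" "dialout" ];
+services.printing = {
+enable = true;
+drivers = [ pkgs.gutenprint pkgs.cups-dymo ];
+};
+environment.systemPackages = with pkgs; [
+pkgs.ghostscript pkgs.yubikey-manager pkgs.glib
+];
+environment.sessionVariables.XDG_DATA_DIRS = with pkgs; [
+"${gnome-themes-extra}/share"
+"${gsettings-desktop-schemas}/share/gsettings-schemas/${gsettings-desktop-schemas.name}"
+];
+programs.dconf.enable = true;
+virtualisation.virtualbox.host.enable = false;
+yorick.support32bit = true;
+services.pcscd.enable = true;
+#environment.systemPackages = [pkgs.yubikey-manager];
+fonts.fonts = [ pkgs.emojione ];
+# bluetooth headphones
+hardware.pulseaudio.package = pkgs.pulseaudioFull;
+programs.wireshark.enable = true;
+nix = {
+gc.automatic = pkgs.lib.mkOverride 30 false;
+binaryCaches = [
+"https://cache.nixos.org"
+"https://cache.lumi.guide/"
+#"s3://yori-nix?endpoint=s3.eu-central-003.backblazeb2.com&profile=backblaze-read"
+#"https://nixpkgs-wayland.cachix.org"
+];
+trustedBinaryCaches = config.nix.binaryCaches ++ [
+"ssh://yorick@jupiter.serokell.io"
+"ssh-ng://jupiter"
+"https://serokell.cachix.org"
+];
+binaryCachePublicKeys = [
+"serokell:ic/49yTkeFIk4EBX1CZ/Wlt5fQfV7yCifaJyoM+S3Ss="
+"serokell-1:aIojg2Vxgv7MkzPJoftOO/I8HKX622sT+c0fjnZBLj0="
+"cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE="
+"serokell.cachix.org-1:5DscEJD6c1dD1Mc/phTIbs13+iW22AVbx0HqiSb+Lq8="
+#"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
+"yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0="
+];
+extraOptions = ''
+netrc-file = ${nixNetrcFile}
+'';
+};
+services.avahi = {
+enable = true;
+nssmdns = true;
+};
+virtualisation.libvirtd.enable = true;
+users.users.yorick.extraGroups = [ "libvirtd" "pico" ];
+users.users.yorick.shell = pkgs.fish;
+services.udev.extraRules = ''
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5bf0", MODE="0664", GROUP="dialout"
+'';
+# LDAC:
+hardware.pulseaudio.extraModules = [ pkgs.pulseaudio-modules-bt ];
+# picoscope
+#users.users.yorick.extraGroups = ["pico"];
+services.udev.packages = [
+(pkgs.writeTextDir "lib/udev/rules.d/95-pico.rules" ''
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="0ce9", MODE="664",GROUP="pico"
+'')
+];
+users.groups.pico = {};
+# development
+services.postgresql = {
+enable = true;
+enableTCPIP = true;
+package = pkgs.postgresql_10;
+};
+# git
+boot.kernel.sysctl."fs.inotify.max_user_watches" = 1024000000;
+yorick.lumi-vpn.enable = true;
+services.pipewire.enable = true;
+xdg.portal = {
+enable = true;
+extraPortals = with pkgs; [
+xdg-desktop-portal-wlr
+xdg-desktop-portal-gtk
+];
+gtkUsePortal = true;
+};
+}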
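Review bot: `nixNetrcFile` reads the cache password with `builtins.readFile /home/yorick/…/nix-serve-password` at evaluation time and bakes it into a `runCommand` derivation, so the secret lands in the world-readable Nix store twice — in the `.drv` (the builder script contains the expanded heredoc) and in the output path that `netrc-file = ${nixNetrcFile}` points at — and it would travel along with the system closure if that is ever copied to another store or cache. Point `netrc-file` at a path outside the store and deliver the file separately: `nix.extraOptions = "netrc-file = /etc/nix/netrc";` with `/etc/nix/netrc` shipped mode 0600 (readable by root, which is what nix-daemon runs as) through the same `deployment.keyys` mechanism the other roles use. The `runCommand` and the absolute `/home/yorick/…` path can then go, which also makes this role evaluable on a machine where that checkout does not exist. Separately, `services.postgresql.enableTCPIP = true` makes PostgreSQL listen on all interfaces; the default `pg_hba` only admits localhost hosts and the NixOS firewall leaves 5432 closed, as far as I recall, but for a laptop dev database the default Unix socket is usually enough and avoids relying on that.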

BIN
nixos/secrets.nix Normal file


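--- a/nixos/servers.nix
+++ b/nixos/servers.nix
@@ -0,0 +1,12 @@
+let
+sources = import ./nix/sources.nix;
+nixpkgs = import sources.nixpkgs {};
+nixos = name: configuration: import (nixpkgs.path + "/nixos/lib/eval-config.nix") {
+extraArgs = { inherit name; };
+modules = [ ({lib, ... }: { config.nixpkgs.pkgs = lib.mkDefault nixpkgs; }) ] ++ configuration;
+};
+names = [ "pennyworth" "jarvis" "blackadder" "woodhouse" "frumar" "zazu" ];
+in
+nixpkgs.lib.genAttrs names (name: (let os =
+nixos name [ ./roles (./logical + "/${name}.nix") ]; in
+os.config.system.build.toplevel // os))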
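Review bot: `nixpkgs = import sources.nixpkgs {}` passes no `config`, so the import falls back to `NIXPKGS_CONFIG` / `~/.config/nixpkgs/config.nix` of whoever runs the evaluation, and two people deploying the same commit can get different closures; and because that `pkgs` is then injected into every host via `config.nixpkgs.pkgs`, the `nixpkgs.config.allowUnfree = true` in `roles/default.nix` is ignored, as far as I recall the NixOS nixpkgs module (overlays are still applied on top of an injected `pkgs`, `config` is not). Make the evaluation self-contained with `nixpkgs = import sources.nixpkgs { config = { allowUnfree = true; }; overlays = []; };`. A comment on the `nixos` helper noting that the injected `pkgs` takes precedence over per-host `nixpkgs.config` would keep the role-level setting from being mistaken for effective.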

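--- a/nixos/services/backup.nix
+++ b/nixos/services/backup.nix
@@ -0,0 +1,46 @@
+{ name, ... }:
+{
+deployment.keyys = [
+(../keys + "/${name}_borg_repo.key")
+(../keys + "/${name}_borg_ssh.key")
+];
+services.borgbackup.jobs.backup = {
+encryption = {
+# Keep the encryption key in the repo itself
+mode = "repokey-blake2";
+# Password is used to decrypt the encryption key from the repo
+passCommand = "cat /root/keys/${name}_borg_repo.key";
+};
+environment = {
+# Make sure we're using Borg >= 1.0
+BORG_REMOTE_PATH = "borg1";
+# SSH key is specific to the subaccount defined in the repo username
+BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key";
+};
+# Define schedule
+startAt = "hourly";
+repo = "14337@ch-s012.rsync.net:${name}";
+paths = [ "/home" "/root" "/var/lib" ];
+prune.keep = {
+# hourly backups for the past week
+within = "7d";
+# daily backups for two weeks before that
+daily = 14;
+# weekly backups for a month before that
+weekly = 4;
+# monthly backups for 6 months before that
+monthly = 6;
+# 2 years
+yearly = 2;
+};
+};
+}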
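Review bot: `BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key"` reaches `ch-s012.rsync.net` with ssh's default host-key policy and nothing here pins the server's identity, so on a fresh host the first hourly run either fails with "Host key verification failed" (no tty to answer the prompt) or, if someone accepted the key interactively once, trusts whatever answered that time. Pin it declaratively with `programs.ssh.knownHosts."ch-s012.rsync.net".publicKey = "…";` (rsync.net publishes the key) and add `-o StrictHostKeyChecking=yes` to `BORG_RSH`. Note also that `paths` includes `/root`, so `/root/keys` — this SSH key and the repo passphrase — is backed up into the repository it protects; the archive is encrypted so it is not a leak, but an `exclude = [ "/root/keys" ];` or a comment saying it is intentional would settle the question for the next reader.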


@ -0,0 +1,8 @@
{
imports = [
./git.nix
./muflax-church.nix
./pub.nix
./website.nix
];
}

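--- a/nixos/services/email.nix
+++ b/nixos/services/email.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+let
+sources = import ../nix/sources.nix;
+in
+{
+imports = [
+("${sources.nixos-mailserver}")
+];
+mailserver = rec {
+enable = true;
+fqdn = "pennyworth.yori.cc";
+domains = [ "yori.cc" "yorickvanpelt.nl" ];
+loginAccounts = {
+"yorick@yori.cc" = {
+hashedPassword = (import ../secrets.nix).yorick_mailPassword;
+catchAll = domains;
+aliases = [ "@yori.cc" "@yorickvanpelt.nl" ];
+};
+};
+certificateScheme = 3;
+enableImapSsl = true;
+};
+services.borgbackup.jobs.backup.paths = [ "/var/vmail" ];
+}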
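Review bot: `hashedPassword = (import ../secrets.nix).yorick_mailPassword` hands the mailbox hash to the mailserver module as a plain Nix string, and as far as I can tell from that module it ends up interpolated into a generated script in the world-readable Nix store — which is exactly what its `hashedPasswordFile` option exists to avoid, so the git-crypt protection on `secrets.nix` does not reach the host. Use `hashedPasswordFile = "/root/keys/mail.yorick.key";` and ship the file through `deployment.keyys`, the way `backup.nix` already does for the borg secrets. `catchAll = domains;` next to `aliases = [ "@yori.cc" "@yorickvanpelt.nl" ];` appears to express the same thing twice; keeping one of them makes the intent clearer.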

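--- a/nixos/services/git.nix
+++ b/nixos/services/git.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+let
+cfg = config.services.yorick.git;
+inherit (cfg) vhost;
+in
+{
+options.services.yorick.git = with lib; {
+enable = mkEnableOption "git";
+vhost = mkOption { type = types.str; };
+};
+config = lib.mkIf cfg.enable {
+users.extraUsers.git = {
+createHome = true;
+home = config.services.gitea.stateDir; extraGroups = [ "git" ]; useDefaultShell = true;
+};
+services.gitea = {
+enable = true;
+user = "git";
+database.user = "root";
+database.name = "gogs";
+database.createDatabase = false;
+#dump.enable = true; TODO: backups
+domain = cfg.vhost;
+rootUrl = "https://${cfg.vhost}/";
+httpAddress = "localhost";
+cookieSecure = true;
+log.level = "Warn";
+disableRegistration = true;
+settings.service = {
+REGISTER_EMAIL_CONFIRM = false;
+ENABLE_NOTIFY_MAIL = false;
+REQUIRE_SIGNIN_VIEW = false;
+};
+settings.picture.DISABLE_GRAVATAR = false;
+settings.mailer = {
+ENABLED = false;
+AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/data/avatars";
+};
+};
+services.nginx.virtualHosts.${vhost} = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:${toString config.services.gitea.httpPort}";
+extraConfig = ''
+proxy_buffering off;
+'';
+};
+};
+};
+}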
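Review bot: `settings.mailer.AVATAR_UPLOAD_PATH` places a `[picture]` key under the `[mailer]` section of `app.ini`, where Gitea ignores it, so avatars silently go to the default location; move it next to the existing picture setting: `settings.picture.AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/data/avatars";`. The custom `users.extraUsers.git` lists `extraGroups = [ "git" ]` but no `users.groups.git` is declared in this commit, and as far as I remember the gitea module only creates its own group when `user` is left at the default; with `users.mutableUsers = false` declare it explicitly (`users.groups.git = {};`) rather than relying on the unknown-group case being harmless. `database.user = "root"` / `database.name = "gogs"` with `createDatabase = false` reads like a leftover from a Gogs migration — if the default sqlite backend is in use these two lines do nothing and can go; if an external database is meant, a comment naming it (and the `database.type`) would help.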


@ -0,0 +1,52 @@
{ config, lib, pkgs, ... }:
let
muflax-source = builtins.fetchGit {
rev = "e5ce7ae4296c6605a7e886c153d569fc38318096";
ref = "HEAD";
url = "https://github.com/fmap/muflax65ngodyewp.onion.git";
};
nixpkgs = import (builtins.fetchTarball {
url = "https://github.com/NixOS/nixpkgs-channels/archive/78e9665b48ff45d3e29f45b3ebeb6fc6c6e19922.tar.gz";
sha256 = "09f50jaijvry9lrnx891qmcf92yb8qs64n1cvy0db2yjrmxsxyw8";
}) { system = builtins.currentSystem; };
muflax-church = (nixpkgs.callPackage "${muflax-source}/maintenance" {}).overrideDerivation (default: {
buildPhase = default.buildPhase + "\n" + ''
grep -lr '[^@]muflax.com' out | xargs -r sed -i 's/\([^@]\)muflax.com/\1muflax.church/g;s/http:\/\/\([^@]*\)muflax.church/https:\/\/\1muflax.church/g'
'';
});
cfg = config.services.yorick.muflax-church;
inherit (cfg) vhost;
addrs = {
"daily.${vhost}" = "${muflax-church}/daily";
"blog.${vhost}" = "${muflax-church}/blog";
"gospel.${vhost}" = "${muflax-church}/gospel";
"alt.${vhost}" = "/home/public/public/muflax";
};
m = x: root: { forceSSL = true; useACMEHost = vhost; inherit root; };
in
{
options.services.yorick.muflax-church = with lib; {
enable = mkEnableOption "muflax.church";
vhost = mkOption { type = types.str; };
};
config = lib.mkIf cfg.enable {
services.nginx.virtualHosts = {
${cfg.vhost} = {
forceSSL = true;
enableACME = true;
root = "${muflax-church}/muflax";
};
"daily.${vhost}" = m "${muflax-church}/daily";
"blog.${vhost}" = m "${muflax-church}/blog";
"gospel.${vhost}" = m "${muflax-church}/gospel";
"alt.${vhost}" = m "/home/public/public/muflax";
} // (lib.mapAttrs m addrs);
security.acme.certs.${vhost}.extraDomainNames = [
"daily.${vhost}"
"blog.${vhost}"
"gospel.${vhost}"
"alt.${vhost}"
];
};
}
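Review bot: The four explicit subdomain entries in `services.nginx.virtualHosts` — `"daily.${vhost}" = m "${muflax-church}/daily";` and the three lines after it — call the two-argument `m = x: root: …` with a single argument, so each evaluates to a partially applied function rather than a vhost attrset; the module only works because `// (lib.mapAttrs m addrs)` then overwrites every one of those keys with the proper result. Delete the four lines and keep only the `${cfg.vhost}` entry plus the `mapAttrs`, so the `addrs` table is the single source of truth (`extraDomainNames = lib.attrNames addrs;` would remove the second copy of the list as well). Also worth a comment: `muflax-church` is built against a separately pinned `nixpkgs-channels` snapshot via `builtins.fetchTarball` — the `sha256` makes that reproducible, but it means this site's build toolchain never picks up security updates, unlike everything else built from `sources.nixpkgs`.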

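--- a/nixos/services/pub.nix
+++ b/nixos/services/pub.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, lib, ... }:
+let cfg = config.services.yorick.public; in
+{
+options.services.yorick.public = {
+enable = lib.mkEnableOption "public hosting";
+vhost = lib.mkOption { type = lib.types.str; };
+};
+#imports = [../modules/nginx.nix];
+config = lib.mkIf cfg.enable {
+systemd.services.nginx.serviceConfig = {
+ProtectHome = "tmpfs";
+BindReadOnlyPaths = [ "/home/public/public" ];
+};
+users.extraUsers.public = {
+home = "/home/public";
+useDefaultShell = true;
+openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public];
+createHome = true;
+};
+services.nginx.virtualHosts.${cfg.vhost} = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+root = "/home/public/public";
+index = "index.html";
+};
+};
+};
+}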
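Review bot: The `public` account gets a full login shell via `useDefaultShell = true` for what, judging by the nginx `root = "/home/public/public"` and the `ProtectHome`/`BindReadOnlyPaths` hardening, is an upload-only user, so anyone holding the shared `public` key from `sshkeys.nix` can run arbitrary commands and open port forwards as that user instead of merely placing files. Restrict it on the sshd side with a `Match User public` block in `services.openssh.extraConfig` carrying `ForceCommand internal-sftp` and `AllowTcpForwarding no` (and `X11Forwarding no`), or at least prefix the key with `restrict,command="…"` options; `useDefaultShell` can then go. The account also sets neither `isNormalUser` nor `isSystemUser`; newer NixOS asserts that exactly one of them is set, I believe, so add `isNormalUser = true;` (or `isSystemUser`, with `group`) now rather than when the next nixpkgs bump fails.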


@ -0,0 +1,32 @@
{pkgs, lib, config, ...}:
let
cfg = config.services.yorick.torrent-vpn;
in
{
options.services.yorick.torrent-vpn = with lib; {
enable = mkEnableOption "torrent-vpn";
name = mkOption { type = types.str; };
namespace = mkOption { type = types.str; };
};
config = {
deployment.keyys = [ (<yori-nix/keys>+"/wg.${cfg.name}.key") ];
networking.wireguard.interfaces.${cfg.name} = {
# curl -s https://api.mullvad.net/www/relays/all/ | jq '.[] | select(.type == "wireguard" and .country_code == "nl")'
ips = [ "10.66.30.26/32" "fc00:bbbb:bbbb:bb01::3:1e19/128" ];
privateKeyFile = "/root/keys/wg.${cfg.name}.key";
peers = [{
publicKey = "hnRyse6QxPPcZOoSwRsHUtK1W+APWXnIoaDTmH6JsHQ=";
allowedIPs = ["0.0.0.0/0" "::0/0"];
endpoint = "[2a03:1b20:3:f011::a04f]:51820";
}];
interfaceNamespace = cfg.namespace;
preSetup = ''
${pkgs.iproute}/bin/ip netns add "${cfg.namespace}" || true
'';
};
environment.etc."netns/torrent/resolv.conf".text = ''
nameserver 193.138.218.74
'';
};
}
# todo: presets
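Review bot: `config = { … }` is not wrapped in `lib.mkIf cfg.enable`, so the `enable` option declared at the top is never consulted: merely importing this module sets up the Mullvad WireGuard interface and key deployment, and because `name` and `namespace` have no defaults, evaluation fails on any host that imports it without setting them. Change it to `config = lib.mkIf cfg.enable { … };`. The resolver file is also written to the literal `environment.etc."netns/torrent/resolv.conf"` while the namespace itself comes from `cfg.namespace`; use `"netns/${cfg.namespace}/resolv.conf"`, otherwise the Mullvad DNS is silently ignored for any other namespace name. The peer key, endpoint and the `10.66.30.26`/`fc00:bbbb:…` addresses are one account's assignment hard-coded in a shared module — the `# todo: presets` trailer suggests that is known; meanwhile a comment on the `ips` line saying the addresses are account-bound would save the next person a support ticket.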

View File

@ -0,0 +1,25 @@
{ config, lib, pkgs, ... }:
let
yoricc = pkgs.callPackage ../packages/yori-cc.nix {};
cfg = config.services.yorick.website;
in
with lib;
{
options.services.yorick = {
website = {
enable = mkEnableOption "yoricc website";
vhost = mkOption { type = types.str; };
pkg = mkOption { type = types.package; default = yoricc; };
};
redirect = mkOption { type = types.loaOf types.str; default = []; };
};
config.services.nginx.virtualHosts = with cfg; mkIf enable {
${vhost} = {
enableACME = true;
forceSSL = true;
locations."/".root = "${pkg}/web";
};
};
}
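Review bot: `redirect = mkOption { type = types.loaOf types.str; default = []; }` declares an option that nothing in this module reads, and `types.loaOf` is deprecated (later nixpkgs removes it, as far as I know), so this dead option will eventually break evaluation of every host that imports `services/default.nix`. Either remove the option or implement it with a current type, e.g. `redirect = mkOption { type = types.attrsOf types.str; default = {}; };` mapped onto `services.nginx.virtualHosts.<name>.globalRedirect`; with the present `default = []` a list is accepted where callers would naturally write an attrset. A one-line description on `vhost` (`description = "Host name served by nginx for the website";`) would also help, since it is the only required knob.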

4
nixos/sshkeys.nix Normal file

@ -0,0 +1,4 @@
{
public = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZv+hBDmjxF8h9Gxwvy0o7sMgOsqwp8pVj9AlpG90Y7agvkOm2IGtFueVfiDe0yWPXT0/EIiVWcPhWwcVkbY/BkypPJSMLnlcQ6ld+aO1g+BtdDaVuxcTSvQ77UCT2p+wftxoq1EiUdlhTsXpPucrBd+5NOde+jlPBE4qChIAf2zhOIByJAGT+M4Ie3eV4p5S9LB9CMI4s32gNUBbSA8UDmkjpBXkf9a1TZzdkOGWUmUFXt53/O8LZlGK9kkA5TsjM2xaxDjCLWf5wEcey4JsEggi1prE4aB68Q7+kdbvDiVSEFyZn0A/A9RXHBRAgW8yPdh+EGC56iDW/wkGxWBY5";
yorick = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDo1N5E6qkb3McJOvv0PqI7E8iYLAcjil5RWc+zeTtN/" "ssh-rsa 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 cardno:000607186578"];
}

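--- a/nixos/vpn.nix
+++ b/nixos/vpn.nix
@@ -0,0 +1,21 @@
+{
+ips = {
+pennyworth = "10.209.0.1";
+jarvis = "10.209.0.2";
+frumar = "10.209.0.3";
+woodhouse = "10.209.0.4";
+ascanius = "10.209.0.5";
+blackadder = "10.209.0.6";
+zazu = "10.209.0.7";
+};
+keys = {
+# for i in wg.*.key; do echo $(echo $i | cut -d. -f2) = \"$(wg pubkey < $i)\"\;; done
+ascanius = "zZ3gegDspSKBJutp99VzODZNcJ1qQF3OH2nrlxhICwI=";
+blackadder = "+SfIbW9/MmA5iIVUUzkKPeWmZvwhP8y9qWo67o2UZUA=";
+frumar = "UpFw4KmrvmOWdMOJ+LHvMzgN7cQMnasqlkzF8/apoGI=";
+jarvis = "2/Qaq5uiy8uGGnZLIfjeomL47XjZCsJ1dDFDD9Nlq3E=";
+pennyworth = "XoeUMsiSOWBFEFuAu+S4iQd3MzkyGhIj9dtxzZ0I500=";
+woodhouse = "ICzlnC4zKUYvpQ0o5AFq2rG7CCqWUFVn3UqkLSoYNgI=";
+zazu = "6X5EdNMO1MtFi18LCRGZ2cBD0d50Wq+pwkwVubjY1Ew=";
+};
+}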