diff --git a/nixos/.git-crypt/.gitattributes b/nixos/.git-crypt/.gitattributes new file mode 100644 index 0000000..17ef601 --- /dev/null +++ b/nixos/.git-crypt/.gitattributes @@ -0,0 +1,3 @@ +# Do not edit this file. To specify the files to encrypt, create your own +# .gitattributes file in the directory where your files are. +* !filter !diff diff --git a/nixos/.git-crypt/keys/default/0/6EFD1053ADB6ABF50DF64792A36E70F9DC014A15.gpg b/nixos/.git-crypt/keys/default/0/6EFD1053ADB6ABF50DF64792A36E70F9DC014A15.gpg new file mode 100644 index 0000000..aa3c09c Binary files /dev/null and b/nixos/.git-crypt/keys/default/0/6EFD1053ADB6ABF50DF64792A36E70F9DC014A15.gpg differ diff --git a/nixos/.gitattributes b/nixos/.gitattributes new file mode 100644 index 0000000..690a2a8 --- /dev/null +++ b/nixos/.gitattributes @@ -0,0 +1,4 @@ +secrets.nix filter=git-crypt diff=git-crypt +*.key filter=git-crypt diff=git-crypt +deploy_key filter=git-crypt diff=git-crypt +keys/** filter=git-crypt diff=git-crypt diff --git a/nixos/.gitignore b/nixos/.gitignore new file mode 100644 index 0000000..5b7d75b --- /dev/null +++ b/nixos/.gitignore @@ -0,0 +1,2 @@ +result +copy-keys \ No newline at end of file diff --git a/nixos/README.md b/nixos/README.md new file mode 100644 index 0000000..e515c04 --- /dev/null +++ b/nixos/README.md 
@@ -0,0 +1,64 @@ +My nixos configurations. + + +Systems +======= + +[frumar](https://en.wikipedia.org/wiki/Frumar) +-------- + +Physical [server](./roles/server.nix). Mostly used for files. (storage: 30 TB hdd + 256GB ssd, RAM: 16GB, 2 cores ht) + +- prometheus +- grafana +- rabbitmq +- torrents +- plex + +[pennyworth](https://en.wikipedia.org/wiki/Alfred_Pennyworth) +---------- + +[Server](./roles/server.nix). +Hetzner cloud VPS (Storage: 20GB, RAM: 2GB, 1 core) + +- [website](./services/website.nix) +- [email](./services/mail.nix) +- irc/weechat +- vpn + http gateway for some services + +[woodhouse](https://en.wikipedia.org/wiki/List_of_Archer_characters#Recurring_characters) +----------- + +intel nuc connected to the tv (storage: 250GB ssd, RAM: 8GB) + +- plex media player +- todo: sshfs mount to frumar + + + +[jarvis](https://en.wikipedia.org/wiki/Edwin_Jarvis) +-------- + +[workstation](./roles/workstation.nix). +dell xps 13 (RAM: 16GB, storage: 512GB ssd, 2 cores ht) + + +[blackadder](https://en.wikipedia.org/wiki/Edmund_Blackadder#Edmund_Blackadder_Esq._(Regency_Britain)) +-------- + +[workstation](./roles/workstation.nix). +https://tweakers.net/productcollectie/wijzig/2583112/ +ryzen 9 (RAM: 64GB, storage: 1TB ssd, 16 cores ht) + +Maintenance +=========== + +Generating tor keys: + +``` +$(nix-build packages/shallot.nix --no-out-link)/bin/shallot -f tmp ^PATTERN +head -n3 tmp +tail -n +4 tmp > keys/ssh.HOSTNAME.key +shred tmp && rm tmp + +``` diff --git a/nixos/conf b/nixos/conf new file mode 100755 index 0000000..2fbb461 --- /dev/null +++ b/nixos/conf 
@@ -0,0 +1,54 @@ +#!/usr/bin/env bash +set -xeuo pipefail +if ! [ -e secrets.nix ] +then + git crypt unlock +fi +export NIX_PATH=yori-nix=$PWD +host=$1 +TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host) +#TARGET_HOST=192.168.178.1 +case $2 in + copy-keys) + nix build -f servers.nix "$host".config.deployment.keys-copy --out-link copy-keys + ./copy-keys/bin/copy-keys "$TARGET_HOST" + # rm ./copy-keys + ;; + exec) + CHANNEL=$(jq -r ".$2.pkgs"' '' + ;; + build) + nix build -f servers.nix "$host" --show-trace + ;; + copy) + nix copy -f servers.nix "$host" --show-trace --to "ssh://$TARGET_HOST" + ;; + test) + outPath=$(nix-build servers.nix -A "$host") + nix copy -f servers.nix "$host" --show-trace --to "ssh://$TARGET_HOST" + ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration test + ;; + boot) + outPath=$(nix-build servers.nix -A "$host") + nix copy "$outPath" --show-trace --to "ssh://$TARGET_HOST" + ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath" + ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration boot + ;; + switch) + outPath=$(nix-build servers.nix -A "$host") + nix copy "$outPath" --show-trace --to "ssh://$TARGET_HOST" + ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath" + ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration switch + ;; + + +esac diff --git a/nixos/deploy/keys.nix b/nixos/deploy/keys.nix new file mode 100644 index 0000000..55febbe --- /dev/null +++ b/nixos/deploy/keys.nix 
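Review bot: The `exec)` branch is broken as committed: `CHANNEL=$(jq -r ".$2.pkgs"' ''` has unbalanced quoting (it may be truncated in this rendering), reads the channel name from `$2`, which inside that branch is always the literal `exec`, and nothing consumes `CHANNEL`; either finish it or delete it so `bash -n conf` passes. With `set -u`, a missing `$1`/`$2` aborts with an unbound-variable message instead of usage text; a guard such as `[ $# -eq 2 ] || { echo "usage: $0 HOST {copy-keys|build|copy|test|boot|switch}" >&2; exit 1; }` before `host=$1` would help. The `test)` case copies via `nix copy -f servers.nix "$host"` while `boot)`/`switch)` copy the `$outPath` they just built; using `nix copy "$outPath"` in `test)` too keeps the copied closure identical to the one that gets activated.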
@@ -0,0 +1,19 @@
+{ pkgs, lib, config, ... }:
+with lib;
+let cfg = config.deployment.keyys; in
+{
+ options.deployment.keyys = mkOption { type = types.listOf types.path; default = []; };
+ options.deployment.keys-copy = mkOption { type = types.package; };
+ config = {
+ deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys" (if cfg != [] then ''
+ set -e
+ ssh root@$1 "mkdir -p /root/keys"
+ scp ${concatMapStringsSep " " toString cfg} root@$1:/root/keys
+ echo "uploaded keys"
+ '' else ''
+ echo "no keys to upload"
+ '');
+
+ };
+
+}
diff --git a/nixos/keys/backup.pennyworth.key b/nixos/keys/backup.pennyworth.key
new file mode 100644
index 0000000..e58f7fe
Binary files /dev/null and b/nixos/keys/backup.pennyworth.key differ
diff --git a/nixos/keys/grafana.env b/nixos/keys/grafana.env
new file mode 100644
index 0000000..334758e
Binary files /dev/null and b/nixos/keys/grafana.env differ
diff --git a/nixos/keys/http.muflax.key b/nixos/keys/http.muflax.key
new file mode 100644
index 0000000..982c489
Binary files /dev/null and b/nixos/keys/http.muflax.key differ
diff --git a/nixos/keys/pennyworth_borg_repo.key b/nixos/keys/pennyworth_borg_repo.key
new file mode 100644
index 0000000..3f320f0
Binary files /dev/null and b/nixos/keys/pennyworth_borg_repo.key differ
diff --git a/nixos/keys/pennyworth_borg_ssh.key b/nixos/keys/pennyworth_borg_ssh.key
new file mode 100644
index 0000000..c830363
Binary files /dev/null and b/nixos/keys/pennyworth_borg_ssh.key differ
diff --git a/nixos/keys/pennyworth_borg_ssh.key.pub b/nixos/keys/pennyworth_borg_ssh.key.pub
new file mode 100644
index 0000000..3274dc5
Binary files /dev/null and b/nixos/keys/pennyworth_borg_ssh.key.pub differ
diff --git a/nixos/keys/ssh.frumar.key b/nixos/keys/ssh.frumar.key
new file mode 100644
index 0000000..60c90ad
Binary files /dev/null and b/nixos/keys/ssh.frumar.key differ
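Review bot: The upload in `deployment.keys-copy` leaves key permissions to chance: `mkdir -p /root/keys` takes the remote umask and `scp` carries the local mode bits over, so a key that is 0644 in the checkout lands 0644 under /root/keys on the server. Tighten with `ssh root@"$1" "mkdir -p -m 700 /root/keys"` and, after the scp, `ssh root@"$1" "chmod 600 /root/keys/*"`; quoting `"$1"` also fixes the unquoted host on the ssh and scp lines. The script runs under `set -e` only; `set -eu` would catch a missing host argument instead of expanding it to an empty `root@`. The option is spelled `keyys` here and in logical/frumar.nix and logical/pennyworth.nix; if that is intentional to avoid clashing with NixOps' `deployment.keys`, a comment saying so would spare the next reader a rename.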
diff --git a/nixos/keys/ssh.jarvis.key b/nixos/keys/ssh.jarvis.key new file mode 100644 index 0000000..32c7090 Binary files /dev/null and b/nixos/keys/ssh.jarvis.key differ diff --git a/nixos/keys/ssh.pennyworth.key b/nixos/keys/ssh.pennyworth.key new file mode 100644 index 0000000..30df22f Binary files /dev/null and b/nixos/keys/ssh.pennyworth.key differ diff --git a/nixos/keys/ssh.woodhouse.key b/nixos/keys/ssh.woodhouse.key new file mode 100644 index 0000000..f30c841 Binary files /dev/null and b/nixos/keys/ssh.woodhouse.key differ diff --git a/nixos/keys/wg.ascanius.key b/nixos/keys/wg.ascanius.key new file mode 100644 index 0000000..bffe9eb Binary files /dev/null and b/nixos/keys/wg.ascanius.key differ diff --git a/nixos/keys/wg.blackadder.key b/nixos/keys/wg.blackadder.key new file mode 100644 index 0000000..7465562 Binary files /dev/null and b/nixos/keys/wg.blackadder.key differ diff --git a/nixos/keys/wg.frumar.key b/nixos/keys/wg.frumar.key new file mode 100644 index 0000000..bd8f954 Binary files /dev/null and b/nixos/keys/wg.frumar.key differ diff --git a/nixos/keys/wg.jarvis.key b/nixos/keys/wg.jarvis.key new file mode 100644 index 0000000..6d13817 Binary files /dev/null and b/nixos/keys/wg.jarvis.key differ diff --git a/nixos/keys/wg.mullvad-nl3.key b/nixos/keys/wg.mullvad-nl3.key new file mode 100644 index 0000000..91584a6 Binary files /dev/null and b/nixos/keys/wg.mullvad-nl3.key differ diff --git a/nixos/keys/wg.mullvad-nl4.key b/nixos/keys/wg.mullvad-nl4.key new file mode 100644 index 0000000..6ff1d02 Binary files /dev/null and b/nixos/keys/wg.mullvad-nl4.key differ diff --git a/nixos/keys/wg.pennyworth.key b/nixos/keys/wg.pennyworth.key new file mode 100644 index 0000000..9eb68a8 Binary files /dev/null and b/nixos/keys/wg.pennyworth.key differ diff --git a/nixos/keys/wg.woodhouse.key b/nixos/keys/wg.woodhouse.key new file mode 100644 index 0000000..91b24e0 Binary files /dev/null and b/nixos/keys/wg.woodhouse.key differ 
diff --git a/nixos/keys/wg.zazu.key b/nixos/keys/wg.zazu.key new file mode 100644 index 0000000..ea44d6a Binary files /dev/null and b/nixos/keys/wg.zazu.key differ diff --git a/nixos/keys/yori-nix.key b/nixos/keys/yori-nix.key new file mode 100644 index 0000000..f080c82 Binary files /dev/null and b/nixos/keys/yori-nix.key differ diff --git a/nixos/logical/blackadder.nix b/nixos/logical/blackadder.nix new file mode 100644 index 0000000..4f0abcd --- /dev/null +++ b/nixos/logical/blackadder.nix @@ -0,0 +1,51 @@ +{ config, pkgs, lib, ... }: +{ + imports = + [ ../physical/3950x.nix + ../roles/workstation.nix + ]; + + nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; + + system.stateVersion = "19.09"; + + yorick.lumi-vpn = { + name = "yorick-homepc"; + mtu = 1408; + }; + + xdg.autostart.enable = false; + + services.znapzend = { + enable = true; + pure = true; + features = { + zfsGetType = true; + sendRaw = true; + }; + zetup = { + "rpool/home-enc" = { + plan = "1d=>1h,1m=>1w"; + destinations.frumar = { + host = "root@192.168.178.37"; + dataset = "frumar-new/backup/blackadder"; + plan = "1w=>1d,1y=>1w,10y=>1m,50y=>1y"; + }; + }; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="usb", ATTRS{idVendor}=="20b7", ATTRS{idProduct}=="9db1", MODE="0660", GROUP="dialout", TAG+="uaccess" + ''; + + nix.trustedUsers = [ "lars" ]; + users.users.lars = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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 openpgp:0x60F7D1FD" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvdQ963wjgWyFMp6djRTqVwZr3/PQ/V+Qm5JTcxRTdY lumi@channelwood" + ]; + }; + virtualisation.docker.enable = true; +} diff --git a/nixos/logical/frumar.nix b/nixos/logical/frumar.nix new file mode 100644 index 0000000..87740dd --- /dev/null +++ b/nixos/logical/frumar.nix 
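Review bot: `nix.trustedUsers = [ "lars" ]` deserves a comment, because a Nix trusted user can hand the daemon unsigned store paths and arbitrary substituters, which is root-equivalent on this machine; if lars only needs to build, `nix.allowedUsers` is the narrower option, otherwise say why: `# lars needs trusted-users for <reason>; this is root-equivalent`. The znapzend destination hard-codes `host = "root@192.168.178.37"` while the rest of the tree reaches frumar through `vpn.ips.frumar` (logical/pennyworth.nix) and the dhcpd reservation in logical/zazu.nix; deriving the host from the same source keeps the backup target from silently pointing at a stale address. `sendRaw = true` is the right choice for the encrypted `rpool/home-enc` dataset and is worth a one-line comment so nobody turns it off.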
@@ -0,0 +1,92 @@ +{ config, pkgs, lib, ... }: +{ + imports = [ + ../physical/fractal.nix + ../roles/server.nix + ../roles/homeserver.nix + ../services/torrent-wg.nix + ]; + + deployment.keyys = [ ../keys/grafana.env ]; + + system.stateVersion = "15.09"; + networking.hostId = "0702dbe9"; + + services.nginx.enable = false; + # services.nginx.virtualHosts."${config.networking.hostName}" = { + # enableACME = lib.mkForce false; + # forceSSL = lib.mkForce false; + # default = true; + # }; + boot.supportedFilesystems = [ "zfs" ]; + services.yorick.torrent-vpn = { + enable = true; name = "mullvad-nl4"; namespace = "torrent"; + }; + services.plex = { + enable = true; + openFirewall = true; + }; + services.victoriametrics = { + enable = true; + retentionPeriod = 12; + }; + services.prometheus = { + enable = true; + extraFlags = [ + "--web.enable-admin-api" + ]; + # victoriametrics + remoteWrite = [ { url = "http://127.0.0.1:8428/api/v1/write"; } ]; + scrapeConfigs = [ { + job_name = "smartmeter"; + # prometheus doesn't support mdns :thinking_face: + static_configs = [ { targets = [ "192.168.178.30" ]; } ]; + scrape_interval = "10s"; + } { + job_name = "node"; + static_configs = [ { targets = [ "localhost:9100" ]; } ]; + # } { + # job_name = "unifi"; + # static_configs = [ { targets = [ "localhost:9130" ]; } ]; + } { + job_name = "thermometer"; + static_configs = [ { targets = [ "192.168.178.21:8000" ]; } ]; + }]; + exporters.node.enable = true; + # exporters.unifi = { + # enable = true; + # unifiAddress = "https://woodhouse.home.yori.cc:8443"; + # unifiInsecure = true; + # unifiUsername = "ReadOnlyUser"; + # unifiPassword = "ReadOnlyPassword"; + # }; + }; + boot.zfs.requestEncryptionCredentials = false; + networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 3000 9090 ]; + networking.firewall.allowedTCPPorts = [ 1883 ]; + networking.firewall.allowedUDPPorts = [ 1883 ]; + services.rabbitmq = { + enable = true; + plugins = [ "rabbitmq_mqtt" "rabbitmq_management" ]; + }; + 
services.grafana = { + enable = true; + addr = "0.0.0.0"; + domain = "grafana.yori.cc"; + rootUrl = "https://grafana.yori.cc/"; + extraOptions = { + AUTH_BASIC_ENABLED = "false"; + AUTH_DISABLE_LOGIN_FORM = "true"; + AUTH_GOOGLE_ENABLED = "true"; + AUTH_GOOGLE_ALLOW_SIGN_UP = "false"; + }; + }; + systemd.services.grafana.serviceConfig.EnvironmentFile = "/root/keys/grafana.env"; + services.zfs = { + trim.enable = false; # no ssd's + autoScrub = { + enable = true; + interval = "*-*-01 02:00:00"; # monthly + 2 hours + }; + }; +} diff --git a/nixos/logical/jarvis.nix b/nixos/logical/jarvis.nix new file mode 100644 index 0000000..17d0cb0 --- /dev/null +++ b/nixos/logical/jarvis.nix @@ -0,0 +1,11 @@ +{ config, pkgs, lib, ... }: +{ + imports = + [ ../physical/xps9360.nix + ../roles/workstation.nix + ]; + + system.stateVersion = "17.09"; + + yorick.lumi-vpn.name = "yorick"; +} diff --git a/nixos/logical/pennyworth.nix b/nixos/logical/pennyworth.nix new file mode 100644 index 0000000..51cb658 --- /dev/null +++ b/nixos/logical/pennyworth.nix 
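Review bot: `--web.enable-admin-api` enables Prometheus' TSDB admin endpoints (delete-series, snapshot, clean-tombstones), and 9090 is opened to every wg-y peer in `networking.firewall.interfaces.wg-y.allowedTCPPorts`, so any VPN peer can wipe the metrics history; drop the flag unless something uses it, or document the consumer: `# admin API used by <tool>; reachable by all wg-y peers`. 1883 is opened on all interfaces for both TCP and UDP, but MQTT via RabbitMQ is TCP only, so the UDP rule is dead, and whether the default `guest` account is disabled for the MQTT plugin is not visible here — worth a comment next to the rabbitmq block. Grafana binds `addr = "0.0.0.0"` and relies on the firewall (3000 only on wg-y) plus the pennyworth reverse proxy for exposure; a comment stating that dependency would keep a later `allowedTCPPorts` edit from exposing it on the LAN.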
@@ -0,0 +1,84 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, ... }: +let + sslforward = proxyPass: { + forceSSL = true; + enableACME = true; + locations."/" = { + inherit proxyPass; + proxyWebsockets = true; + }; + }; + vpn = import ../vpn.nix; +in +{ + imports = [ + ../physical/hetznercloud.nix + ../roles/server.nix + ../modules/muflax-blog.nix + ../services/backup.nix + ../services/email.nix + ]; + + system.stateVersion = "19.03"; + + services.nginx.enable = true; + services.yorick = { + public = { enable = true; vhost = "pub.yori.cc"; }; + website = { enable = true; vhost = "yorickvanpelt.nl"; }; + git = { enable = true; vhost = "git.yori.cc"; }; + muflax-church = { enable = true; vhost = "muflax.church"; }; + }; + + services.muflax-blog = { + enable = true; + web-server = { + port = 9001; + }; + hidden-service = { + hostname = "muflax65ngodyewp.onion"; + private_key = "/root/keys/http.muflax.key"; + }; + }; + services.nginx.commonHttpConfig = '' + access_log off; + ''; + services.nginx.virtualHosts = { + "yori.cc" = { + enableACME = true; + forceSSL = true; + globalRedirect = "yorickvanpelt.nl"; + }; + "yorickvanpelt.nl".locations."/p1".return = "301 https://git.yori.cc/yorick/meterkast"; + "grafana.yori.cc" = sslforward "http://${vpn.ips.frumar}:3000"; + "ubiquiti.yori.cc" = sslforward "https://${vpn.ips.woodhouse}:8443"; + "prometheus.yori.cc" = { + # only over vpn + listen = [ { addr = "10.209.0.1"; port = 80; } ]; + locations."/".proxyPass = "http://10.209.0.3:9090"; + }; + "pub.yori.cc".locations."/muflax/".extraConfig = '' + rewrite ^/muflax/(.*)$ https://alt.muflax.church/$1 permanent; + ''; + }; + deployment.keyys = [ ]; + networking.firewall.allowedUDPPorts = [ 31790 ]; # wg + networking.wireguard.interfaces.wg-y.peers = + lib.mkForce (lib.mapAttrsToList (machine: 
publicKey: { + inherit publicKey; + allowedIPs = [ "${vpn.ips.${machine}}/32" ]; + }) vpn.keys); + services.prometheus.exporters.wireguard = { + enable = true; + }; + networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 9586 ]; + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + environment.noXlibs = true; + users.users.yorick.packages = with pkgs; [ + python2 sshfs-fuse weechat ripgrep + ]; + +} diff --git a/nixos/logical/woodhouse.nix b/nixos/logical/woodhouse.nix new file mode 100644 index 0000000..5857d0d --- /dev/null +++ b/nixos/logical/woodhouse.nix 
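Review bot: `services.nginx.commonHttpConfig = "access_log off;"` turns off the access log for every vhost on the one internet-facing host, including the public proxies for grafana and the ubiquiti controller, so there is nothing to look at after a credential-stuffing attempt or an abuse report; if this is a privacy decision, record it, e.g. `# access logs disabled on purpose (privacy); rely on grafana auth logs`, or keep a reduced log for the proxied vhosts only. `boot.kernel.sysctl."net.ipv4.ip_forward" = 1` together with one peer per `vpn.keys` entry makes pennyworth a VPN hub; as far as I remember the NixOS firewall does not filter FORWARD, so every peer can reach every other peer's /32 through this host, which is presumably intended but deserves a comment. `"ubiquiti.yori.cc"` proxies `https://${vpn.ips.woodhouse}:8443` while logical/woodhouse.nix has the unifi service commented out, so that public vhost currently only answers 502; remove it or re-enable the service.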
@@ -0,0 +1,62 @@ +{ config, pkgs, lib, ... }: +let + #secrets = import ; +mkFuseMount = device: opts: { + # todo: "ServerAliveCountMax=3" "ServerAliveInterval=30" + + device = "${pkgs.sshfsFuse}/bin/sshfs#${device}"; + fsType = "fuse"; + options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user" + "defaults" "allow_other" "transform_symlinks" "default_permissions" + "uid=1000" + "reconnect" "IdentityFile=/root/.ssh/id_sshfs"] ++ opts; +}; +in +{ + imports = [ + ../physical/nuc.nix + ../roles/graphical.nix + # + ]; + + # nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ]; + # system.stateVersion = "17.09"; + + # fuse mounts + system.fsPackages = [ pkgs.sshfsFuse ]; + + # programs.sway = { + # enable = true; + # extraSessionCommands = '' + # export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])} + # ''; + # }; + #fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" []; + hardware.bluetooth.enable = true; + + # kodi ports + networking.firewall.allowedTCPPorts = [7 8080 8443 9090 9777]; + users.users.tv = { + isNormalUser = true; + uid = 1043; + extraGroups = [ "wheel" ]; + hashedPassword = "$6$hD4ESAGS8O1d$yctx6spOPZ0nt/6cgYpsWZ86UoXw3ISRpf2gbdhbl8JgDz6Psjx6JCqJ9NsMi5BHnXlgRRK/z2SVrTjHEsqQR."; + packages = with pkgs; [ plex-media-player ]; + }; + services.xserver.windowManager.i3.enable = true; + networking.useNetworkd = true; + networking.dhcpcd.enable = false; + services.resolved.enable = true; + #services.nscd.enable = false; + networking.interfaces.eno1.useDHCP = true; + networking.useDHCP = false; + #services.xserver.enable = lib.mkForce false; + # services.unifi = { + # enable = true; + # unifiPackage = pkgs.unifiStable; + # }; + # todo: debug: + services.resolved.extraConfig = "MulticastDNS=true"; + systemd.network.networks."40-eno1".networkConfig.MulticastDNS="yes"; + 
services.fstrim.enable = true; +} diff --git a/nixos/logical/zazu.nix b/nixos/logical/zazu.nix new file mode 100644 index 0000000..d4bc6c3 --- /dev/null +++ b/nixos/logical/zazu.nix 
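Review bot: The `hashedPassword` for `tv` is committed as a literal in logical/woodhouse.nix, which none of the git-crypt patterns in nixos/.gitattributes (`secrets.nix`, `*.key`, `deploy_key`, `keys/**`) cover, so the sha512-crypt hash of a `wheel` member sits in plaintext in the repository history and stays there after any rotation. Move it into a git-crypt'd file and point `users.users.tv.passwordFile` at it (`hashedPasswordFile` on newer NixOS), and reconsider `extraGroups = [ "wheel" ]` for a TV kiosk login. `mkFuseMount` and its `IdentityFile=/root/.ssh/id_sshfs` option are dead code here since the only `fileSystems."/mnt/frumar"` use is commented out; delete it or keep it next to a `# todo` explaining the plan. The `# kodi ports` list also opens TCP 7 on every interface, which looks like a leftover.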
@@ -0,0 +1,197 @@ +# Edit this configuration file to define what should be installed on your system. Help is available in the configuration.nix(5) man page and in the NixOS manual (accessible by running ‘nixos-help’). +let sources = import ../nix/sources.nix; in +{ config, lib, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ../physical/apu2c4.nix + # + ../roles + "${sources.nixos-hardware}/pcengines/apu" + + ]; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only + + boot.kernel.sysctl = { + "net.ipv6.conf.all.forwarding" = true; + "net.ipv6.conf.enp1s0.accept_ra" = 2; + }; + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.enp1s0 = { + useDHCP = true; + tempAddress = "disabled"; + }; + #networking.interfaces.enp2s0.useDHCP = false; + networking.interfaces.enp3s0.useDHCP = false; + networking.interfaces.enp2s0 = { + tempAddress = "disabled"; + ipv4.addresses = [{ + address = "192.168.178.1"; + prefixLength = 24; + }]; + useDHCP = true; + }; + # systemd.services.network-link-br0.unitConfig.After = lib.mkForce [ "network-pre.target" "br0-netdev.service" ]; + # systemd.services.network-link-br0.unitConfig.BindsTo = lib.mkForce [ "br0-netdev.service" ]; + networking.nat = { + enable = true; + externalInterface = "dslite1"; + internalIPs = [ "192.168.178.1/24" ]; + }; + networking.defaultGateway = { + address = "192.0.0.1"; + interface = "dslite1"; + }; + systemd.services.dslite1-netdev = { + wantedBy = [ "network-setup.service" "sys-subsystem-net-devices-dslite1.device" ]; + bindsTo = []; + partOf = [ "network-setup.service" ]; + after = [ "network-pre.target" "network-addresses-enp1s0.service" "network-link-enp1s0.service" ]; + before = [ 
"network-setup.service" ]; + path = [ pkgs.iproute ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + ip tunnel add dslite1 mode ip4ip6 local 2a02:a212:2200:4c00:20d:b9ff:fe56:ba04 remote 2001:730:2000:2::31 encaplimit none + ip link set dslite1 up + ''; + postStop = '' + ip link del dslite1 || true + ''; + }; + networking.interfaces.dslite1 = { + mtu = 1452; # todo: ipv6 fragmenting? + ipv4.addresses = [{ + address = "192.0.0.2"; + prefixLength = 24; + }]; + }; + # networking.bridges = { + # br0.interfaces = [ "enp2s0" "enp3s0" ]; + # }; + networking.dhcpcd.persistent = true; + # request prefix delegation + networking.dhcpcd.extraConfig = '' + noipv6rs + ipv6only + interface enp1s0 + ipv6rs + iaid 1 + ia_pd 1/::/60 enp2s0/0/64 + ''; + services.dnsmasq = { + enable = true; + servers = [ "8.8.8.8" "1.1.1.1" ]; + }; + services.dhcpd4 = { + interfaces = [ "enp2s0" ]; + enable = true; + machines = [ + { hostName = "amateria"; ethernetAddress = "a8:a1:59:15:8b:63"; ipAddress = "192.168.178.42"; } + { hostName = "blackadder"; ethernetAddress = "a8:a1:59:03:8a:75"; ipAddress = "192.168.178.33"; } + { hostName = "frumar"; ethernetAddress = "bc:5f:f4:e8:42:9f"; ipAddress = "192.168.178.37"; } + { hostName = "jarvis"; ethernetAddress = "18:1d:ea:35:13:58"; ipAddress = "192.168.178.34"; } + { hostName = "jarvis-dock"; ethernetAddress = "64:4b:f0:10:05:f2"; ipAddress = "192.168.178.13"; } + { hostName = "printer"; ethernetAddress = "30:05:5c:44:20:a7"; ipAddress = "192.168.178.26"; } + { hostName = "raspberrypi"; ethernetAddress = "b8:27:eb:b9:ec:3a"; ipAddress = "192.168.178.21"; } + { hostName = "smartMeter"; ethernetAddress = "5c:cf:7f:26:ca:91"; ipAddress = "192.168.178.30"; } + { hostName = "gang-ap"; ethernetAddress = "b4:fb:e4:2d:fc:f3"; ipAddress = "192.168.178.32"; } + { hostName = "woodhouse"; ethernetAddress = "94:c6:91:15:1f:c5"; ipAddress = "192.168.178.39"; } + ]; + extraConfig = '' + subnet 192.168.178.0 netmask 
255.255.255.0 { + option subnet-mask 255.255.255.0; + option broadcast-address 192.168.178.255; + option routers 192.168.178.1; + option domain-name-servers 192.168.178.1; + range 192.168.178.3 192.168.178.200; + } + ''; + }; + services.radvd = { + enable = true; + config = '' + interface enp2s0 { + AdvSendAdvert on; + prefix 2a02:a212:2200:4c70::/64 { + AdvOnLink on; + AdvAutonomous on; + }; + }; + ''; + }; + networking.firewall.allowedUDPPorts = [ 53 ]; + networking.firewall.allowedTCPPorts = [ 53 ]; + + services.fstrim.enable = true; + + # Select internationalisation properties. + # i18n = { + # consoleFont = "Lat2-Terminus16"; + # consoleKeyMap = "us"; + # defaultLocale = "en_US.UTF-8"; + # }; + + # Set your time zone. + time.timeZone = "Europe/Amsterdam"; + + # List packages installed in system profile. To search, run: + # $ nix search wget + # environment.systemPackages = with pkgs; [ + # wget vim + # ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # pinentryFlavor = "gnome3"; + # }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # Enable CUPS to print documents. + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). 
+ system.stateVersion = "20.09"; # Did you read the comment? + services.udisks2.enable = false; + boot.supportedFilesystems = lib.mkForce [ "ext4" ]; + boot.initrd.supportedFilesystems = lib.mkForce [ "ext4" ]; + security.polkit.enable = false; + nixpkgs.overlays = [ (self: super: { + dhcpcd = super.dhcpcd.overrideAttrs (o: rec { + pname = "dhcpcd"; + version = "8.1.9"; + src = self.fetchurl { + url = "mirror://roy/${pname}/${pname}-${version}.tar.xz"; + sha256 = "1kzv61bgrd0zwiy6r218zkccx36j9p5mz1gxqvbhg05xn9g50alf"; + }; + patches = []; + }); + }) ]; +} diff --git a/nixos/modules/lumi-vpn.nix b/nixos/modules/lumi-vpn.nix new file mode 100644 index 0000000..78ec185 --- /dev/null +++ b/nixos/modules/lumi-vpn.nix @@ -0,0 +1,42 @@ +{ config, lib, ... }: +let + cfg = config.yorick.lumi-vpn; + addresses = import "${builtins.getEnv "HOME"}/engineering/lumi/os/gateway/addresses.nix" + { lib.ip4.ip = a: b: c: d: x: lib.concatStringsSep "." (map toString [ a b c d ]); }; +in +{ + options.yorick.lumi-vpn = with lib; { + enable = mkEnableOption "lumi vpn"; + name = mkOption { + type = types.str; + example = "yorick-homepc"; + }; + user = mkOption { + type = types.str; + default = "yorick"; + }; + mtu = mkOption { + type = types.int; + default = 1371; # 1408 at home + }; + ip = mkOption { + type = types.str; + example = "10.109.0.1"; + default = addresses.workstations."${cfg.name}"; + }; + }; + config = lib.mkIf cfg.enable { + networking.wireguard.interfaces = { + wg-lumi = { + privateKeyFile = "/home/${cfg.user}/engineering/lumi/secrets/devel/vpn/wg/workstations.${cfg.name}.key"; + ips = [ cfg.ip ]; + peers = [ { + publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI="; + endpoint = "wg.lumi.guide:31727"; + allowedIPs = [ "10.96.0.0/12" "10.0.0.0/17" ]; + }]; + postSetup = "ip link set dev wg-lumi mtu ${toString cfg.mtu}"; + }; + }; + }; +} diff --git a/nixos/modules/muflax-blog.nix b/nixos/modules/muflax-blog.nix new file mode 100644 index 0000000..f303c3a --- /dev/null 
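Review bot: `networking.firewall.allowedUDPPorts = [ 53 ]` and the TCP counterpart open DNS on every interface, including the upstream `enp1s0`/`dslite1`, while dnsmasq forwards to `8.8.8.8`/`1.1.1.1` with no `interface=`/`bind-interfaces` restriction, so this router is an open recursive resolver towards the internet (amplification abuse, and upstream providers tend to block that). Scope it to the LAN: `networking.firewall.interfaces.enp2s0.allowedUDPPorts = [ 53 ];` plus the same for TCP, and `services.dnsmasq.extraConfig = "interface=enp2s0\nbind-interfaces";`. `services.openssh.enable = true` opens 22 on all interfaces by default as well; if WAN ssh is not wanted, set `openFirewall = false` and open it per interface. The dhcpcd overlay pins `8.1.9` via a fixed-hash `fetchurl` with no explanation; if that sits below what nixpkgs ships it means missed security fixes, so add `# pinned to 8.1.9 because <reason>; re-check on upgrade`.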
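Review bot: `addresses = import "${builtins.getEnv "HOME"}/engineering/lumi/os/gateway/addresses.nix"` makes evaluation depend on the evaluating user's `$HOME` and on an unrelated checkout being present; under the daemon, in CI, or with `HOME` unset it resolves to `/engineering/...` and fails, and because it only feeds the lazy `default` of `ip`, the failure surfaces only on hosts that leave `ip` unset (blackadder and jarvis both do). Either make `ip` required by dropping the `default`, or document the dependency: `# default for ip needs $HOME/engineering/lumi on the evaluating machine; set ip explicitly otherwise`. The peer `publicKey` and `endpoint` are public data and fine to keep inline.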
+++ b/nixos/modules/muflax-blog.nix @@ -0,0 +1,57 @@ +{ cur_pkgs, config, lib, ... }: + + +let + cfg = config.services.muflax-blog; + muflax-source = builtins.fetchGit { + rev = "e5ce7ae4296c6605a7e886c153d569fc38318096"; + ref = "HEAD"; + url = "https://github.com/fmap/muflax65ngodyewp.onion.git"; +}; +nixpkgs = import (builtins.fetchTarball { + url = "https://github.com/NixOS/nixpkgs-channels/archive/78e9665b48ff45d3e29f45b3ebeb6fc6c6e19922.tar.gz"; + sha256 = "09f50jaijvry9lrnx891qmcf92yb8qs64n1cvy0db2yjrmxsxyw8"; +}) { system = builtins.currentSystem; }; + blog = lib.overrideDerivation (nixpkgs.callPackage "${muflax-source}/maintenance" {}) (default: { + buildPhase = default.buildPhase + "\n" + '' + grep -lr '[^@]muflax.com' out | xargs -r sed -i 's/\([^@]\)muflax.com/\1${cfg.hidden-service.hostname}/g' + ''; + }); +in with lib; { + options.services.muflax-blog = { + enable = mkOption { type = types.bool; default = false; }; + web-server = { + port = mkOption { type = types.int; }; + }; + hidden-service = { + hostname = mkOption { type = types.str; }; + private_key = mkOption { type = types.str; }; + }; + }; + config = mkIf cfg.enable { + services.nginx = { + enable = true; + appendHttpConfig = '' + server { + index index.html; + port_in_redirect off; + listen 127.0.0.1:${toString cfg.web-server.port}; + server_name ${cfg.hidden-service.hostname}; + root ${blog}/muflax; + } + '' + concatStringsSep "\n" (map (site: '' + server { + index index.html; + port_in_redirect off; + listen 127.0.0.1:${toString cfg.web-server.port}; + server_name ${site}.${cfg.hidden-service.hostname}; + root ${blog}/${site}; + } + '') ["daily" "gospel" "blog"]); + }; + services.tor.enable = true; + services.tor.hiddenServices.muflax-blog.map = [{ + port = 80; toPort = cfg.web-server.port; }]; + services.tor.service-keys.muflax-blog = cfg.hidden-service.private_key; + }; +} diff --git a/nixos/modules/nginx.nix b/nixos/modules/nginx.nix new file mode 100644 index 0000000..72dbffa 
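Review bot: `private_key = mkOption { type = types.str; }` looks deliberate — a `types.path` value would be copied into the world-readable /nix/store, whereas a string keeps the tor key at its on-host location (`/root/keys/http.muflax.key` in logical/pennyworth.nix) — but nothing says so, and a well-meaning change to `types.path` would leak the key; add `# str on purpose: a path value would copy the key into /nix/store`. `cur_pkgs` in the module arguments is never used, and as far as I know the module system refuses to evaluate a module whose argument is not supplied via specialArgs/_module.args (not visible here); `pkgs` is the conventional name. The fetched sources are pinned by `rev`/`sha256`, which is good, so the rest is documentation only.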
--- /dev/null
+++ b/nixos/modules/nginx.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+let
+sslcfg = dir: ''
+ ssl on;
+ ssl_certificate_key ${dir}/key.pem;
+ ssl_certificate ${dir}/fullchain.pem;
+ ssl_trusted_certificate ${dir}/fullchain.pem;
+ add_header Strict-Transport-Security max-age=15768000;
+'';
+
+in
+{
+ config = lib.mkIf config.services.nginx.enable {
+ services.nginx = {
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ recommendedOptimisation = true;
+ serverTokens = false;
+ sslDhparam = "/etc/nginx/dhparam.pem";
+ virtualHosts."${config.networking.hostName}.yori.cc" = {
+ enableACME = true;
+ forceSSL = true;
+ default = true;
+ };
+ };
+ networking.firewall.allowedTCPPorts = [80 443];
+ system.activationScripts.nginxdhparams = ''
+ if ! [[ -e /etc/nginx/dhparam.pem ]]; then
+ mkdir -p /etc/nginx/
+ ${pkgs.openssl}/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048
+ fi
+ '';
+ };
+
+}
diff --git a/nixos/modules/tor-hidden-service.nix b/nixos/modules/tor-hidden-service.nix
new file mode 100644
index 0000000..dbe6211
--- /dev/null
+++ b/nixos/modules/tor-hidden-service.nix
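Review bot: `sslcfg` is defined in the `let` but never used, so the `ssl on;` (a directive nginx has deprecated) and the HSTS header it would add are dead code; delete it or apply it. If `recommendedTlsSettings` on this nixpkgs revision does not emit `Strict-Transport-Security` (I believe it does not), the live vhosts currently have no HSTS at all; the NixOS-native way is `extraConfig = ''add_header Strict-Transport-Security "max-age=15768000" always;'';` on the default vhost here and on the vhosts in logical/pennyworth.nix. The activation script generates `dhparam.pem` as root at activation time, which is fine since DH parameters are not secret, but a comment noting that the first activation of a fresh host stalls on `openssl dhparam 2048` would spare some confusion.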
@@ -0,0 +1,32 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+ service-keys = config.services.tor.service-keys;
+ torDir = "/var/lib/tor";
+in {
+ options.services.tor.service-keys = mkOption {
+ default = {};
+ type = with types; attrsOf str;
+ };
+
+ config = mkIf (service-keys != {}) {
+ systemd.services."install-tor-hidden-service-keys" = {
+ wantedBy = ["tor.service"];
+ serviceConfig.Type = "oneshot";
+ serviceConfig.User = "root";
+ serviceConfig.Group = "keys";
+ # TODO: update on change?
+ # TODO: better ways to get the keys on the server
+ script = concatStringsSep "\n" (mapAttrsToList (name: keypath: ''
+ if ! [[ -e ${torDir}/onion/${name}/private_key ]]; then
+ mkdir -p ${torDir}/onion/${name}/
+ cp ${keypath} ${torDir}/onion/${name}/private_key
+ chmod -R 700 ${torDir}/onion/${name}
+ chown -R tor ${torDir}/onion/${name}
+ fi
+ '') service-keys);
+ };
+ };
+}
diff --git a/nixos/nix/sources.json b/nixos/nix/sources.json
new file mode 100644
index 0000000..62ea370
--- /dev/null
+++ b/nixos/nix/sources.json
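Review bot: `install-tor-hidden-service-keys` is only `wantedBy = ["tor.service"]`, which pulls it in but does not order it, so tor can start first, generate its own `private_key`, and from then on the `if ! [[ -e ... ]]` guard keeps the intended key from ever being installed; add `before = [ "tor.service" ];`. `cp ${keypath}` only works as intended when `keypath` is a plain string naming a file already on the host — a Nix path value would have been copied into the world-readable store at evaluation time — which matches the `attrsOf str` type but deserves a comment on the option. `chmod -R 700` also marks the key file executable; tor expects the directory 0700 and the key 0600, so `chmod 700 ${torDir}/onion/${name}` plus `chmod 600 ${torDir}/onion/${name}/private_key` is the conventional layout. The first TODO is right that a rotated key is never re-installed while the old file exists.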
@@ -0,0 +1,81 @@ +{ + "emacs-overlay": { + "branch": "master", + "description": "Bleeding edge emacs overlay [maintainer=@adisbladis] ", + "homepage": "", + "owner": "nix-community", + "repo": "emacs-overlay", + "rev": "dfed6847f127bd3c2c0cdd71b28d4e63e0ec0e91", + "sha256": "1b0871cr491cf1a4clhv2kwg492gp25gl45w72bmkyjbb6n22c7f", + "type": "tarball", + "url": "https://github.com/nix-community/emacs-overlay/archive/dfed6847f127bd3c2c0cdd71b28d4e63e0ec0e91.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "niv": { + "branch": "master", + "description": "Easy dependency management for Nix projects", + "homepage": "https://github.com/nmattia/niv", + "owner": "nmattia", + "repo": "niv", + "rev": "c8f74f44b5f5df2c8f20a1834460d012e74d78f9", + "sha256": "0zmhxgl37f1p2aiqjmiccflpgga6phj6vmqs3jd33z0frj6hsy5c", + "type": "tarball", + "url": "https://github.com/nmattia/niv/archive/c8f74f44b5f5df2c8f20a1834460d012e74d78f9.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixos-hardware": { + "branch": "master", + "description": "A collection of NixOS modules covering hardware quirks.", + "homepage": "", + "owner": "nixos", + "repo": "nixos-hardware", + "rev": "c242378e63b0ec334e964ac0c0fbbdd2b3e89ebf", + "sha256": "1z4cr5gsyfdpcy31vqg4ikalbxmnnac6jjk1nl8mxj0h0ix7pp36", + "type": "tarball", + "url": "https://github.com/nixos/nixos-hardware/archive/c242378e63b0ec334e964ac0c0fbbdd2b3e89ebf.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixos-mailserver": { + "sha256": "1m8ylrxlkn8nrpsvnivg32ncba9jkfal8a9sjy840hpl1jlm5lc4", + "type": "tarball", + "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864/nixos-mailserver-ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864.tar.gz", + "url_template": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive//nixos-mailserver-.tar.gz", + "version": "ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864" + }, + 
"nixpkgs": { + "branch": "master", + "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to", + "homepage": "https://github.com/NixOS/nixpkgs", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2", + "sha256": "1r3ll77hyqn28d9i4cf3vqd9v48fmaa1j8ps8c4fm4f8gqf4kpl1", + "type": "tarball", + "url": "https://github.com/nixos/nixpkgs/archive/9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixpkgs-mozilla": { + "branch": "master", + "description": "mozilla related nixpkgs (extends nixos/nixpkgs repo)", + "homepage": "", + "owner": "mozilla", + "repo": "nixpkgs-mozilla", + "rev": "8c007b60731c07dd7a052cce508de3bb1ae849b4", + "sha256": "1zybp62zz0h077zm2zmqs2wcg3whg6jqaah9hcl1gv4x8af4zhs6", + "type": "tarball", + "url": "https://github.com/mozilla/nixpkgs-mozilla/archive/8c007b60731c07dd7a052cce508de3bb1ae849b4.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixpkgs-wayland": { + "branch": "master", + "description": "Automated, pre-built packages for Wayland (sway/wlroots) tools for NixOS.", + "homepage": "", + "owner": "colemickens", + "repo": "nixpkgs-wayland", + "rev": "80a15b9aaf56cc559cf0028763776cadad36ece2", + "sha256": "02s1k36iypsa7y1brwarz5y74dcrnn5qqplih3jq4dh0baqliiz0", + "type": "tarball", + "url": "https://github.com/colemickens/nixpkgs-wayland/archive/80a15b9aaf56cc559cf0028763776cadad36ece2.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + } +} diff --git a/nixos/nix/sources.nix b/nixos/nix/sources.nix new file mode 100644 index 0000000..1938409 --- /dev/null +++ b/nixos/nix/sources.nix 
@@ -0,0 +1,174 @@ +# This file has been generated by Niv. + +let + + # + # The fetchers. fetch_ fetches specs of type . + # + + fetch_file = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchurl { inherit (spec) url sha256; name = name'; } + else + pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; + + fetch_tarball = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchTarball { name = name'; inherit (spec) url sha256; } + else + pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; + + fetch_git = name: spec: + let + ref = + if spec ? ref then spec.ref else + if spec ? branch then "refs/heads/${spec.branch}" else + if spec ? tag then "refs/tags/${spec.tag}" else + abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + in + builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; + + fetch_local = spec: spec.path; + + fetch_builtin-tarball = name: throw + ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=tarball -a builtin=true''; + + fetch_builtin-url = name: throw + ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=file -a builtin=true''; + + # + # Various helpers + # + + # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 + sanitizeName = name: + ( + concatMapStrings (s: if builtins.isList s then "-" else s) + ( + builtins.split "[^[:alnum:]+._?=-]+" + ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name) + ) + ); + + # The set of packages used when specs are fetched using non-builtins. 
+ mkPkgs = sources: system: + let + sourcesNixpkgs = + import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; }; + hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; + hasThisAsNixpkgsPath = == ./.; + in + if builtins.hasAttr "nixpkgs" sources + then sourcesNixpkgs + else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then + import {} + else + abort + '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; + + # The actual fetching function. + fetch = pkgs: name: spec: + + if ! builtins.hasAttr "type" spec then + abort "ERROR: niv spec ${name} does not have a 'type' attribute" + else if spec.type == "file" then fetch_file pkgs name spec + else if spec.type == "tarball" then fetch_tarball pkgs name spec + else if spec.type == "git" then fetch_git name spec + else if spec.type == "local" then fetch_local spec + else if spec.type == "builtin-tarball" then fetch_builtin-tarball name + else if spec.type == "builtin-url" then fetch_builtin-url name + else + abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; + + # If the environment variable NIV_OVERRIDE_${name} is set, then use + # the path directly as opposed to the fetched source. + replace = name: drv: + let + saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; + ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; + in + if ersatz == "" then drv else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. 
+ builtins.getEnv "PWD" + "/${ersatz}"; + + # Ports of functions for older nix versions + + # a Nix version of mapAttrs if the built-in doesn't exist + mapAttrs = builtins.mapAttrs or ( + f: set: with builtins; + listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)) + ); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 + range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 + stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 + stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); + concatMapStrings = f: list: concatStrings (map f list); + concatStrings = builtins.concatStringsSep ""; + + # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 + optionalAttrs = cond: as: if cond then as else {}; + + # fetchTarball version that is compatible between all the versions of Nix + builtins_fetchTarball = { url, name ? null, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchTarball; + in + if lessThan nixVersion "1.12" then + fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) + else + fetchTarball attrs; + + # fetchurl version that is compatible between all the versions of Nix + builtins_fetchurl = { url, name ? 
null, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchurl; + in + if lessThan nixVersion "1.12" then + fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) + else + fetchurl attrs; + + # Create the final "sources" from the config + mkSources = config: + mapAttrs ( + name: spec: + if builtins.hasAttr "outPath" spec + then abort + "The values in sources.json should not have an 'outPath' attribute" + else + spec // { outPath = replace name (fetch config.pkgs name spec); } + ) config.sources; + + # The "config" used by the fetchers + mkConfig = + { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null + , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile) + , system ? builtins.currentSystem + , pkgs ? mkPkgs sources system + }: rec { + # The sources, i.e. the attribute set of spec name to spec + inherit sources; + + # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers + inherit pkgs; + }; + +in +mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/nixos/packages/default.nix b/nixos/packages/default.nix new file mode 100644 index 0000000..51eef8f --- /dev/null +++ b/nixos/packages/default.nix @@ -0,0 +1,3 @@ +[ (self: super: { + yori-cc = super.callPackage ./yori-cc.nix {}; +})] diff --git a/nixos/packages/yori-cc.nix b/nixos/packages/yori-cc.nix new file mode 100644 index 0000000..92f5a5f --- /dev/null +++ b/nixos/packages/yori-cc.nix @@ -0,0 +1,23 @@ +{ stdenv, callPackage }: + +stdenv.mkDerivation { + name = "yori-cc-1.5"; + + src = builtins.fetchGit { + url = "git@git.yori.cc:yorick/yori-cc.git"; + rev = "68c75ab84cceaf98dd8fd0646b97d73f966b8962"; + }; + + buildInputs = [ ]; + + installPhase = '' + mkdir -p "$out/web" + cp -ra * "$out/web" + ''; + + meta = { + description = "Yori-cc website"; + homepage = https://yorickvanpelt.nl; + maintainers = [ "Yorick" ]; + }; +} 
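Review bot: `homepage = https://yorickvanpelt.nl;` in packages/yori-cc.nix is an unquoted URL literal, which newer Nix versions warn about and flakes reject; write `homepage = "https://yorickvanpelt.nl";`. `buildInputs = [ ]` and the `callPackage` argument of the function header are unused and can be dropped. `builtins.fetchGit` over an SSH URL with only `rev` pinned and no `ref` relies on that commit being reachable from the remote's default branch and on the evaluating user's SSH credentials being present at evaluation time; if deploy-from-workstation is the intended flow, a one-line comment above `src` saying so would help the next reader.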
diff --git a/nixos/physical/3950x-hardware-config.nix b/nixos/physical/3950x-hardware-config.nix new file mode 100644 index 0000000..66b12c4 --- /dev/null +++ b/nixos/physical/3950x-hardware-config.nix @@ -0,0 +1,38 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "rpool/root/nixos"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "rpool/home-enc"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/5D0A-7902"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/61a23e27-2cd4-4456-bcde-aec68be04239"; } + ]; + + nix.maxJobs = lib.mkDefault 32; + # High-DPI console + #i18n.consoleFont = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; +} diff --git a/nixos/physical/3950x.nix b/nixos/physical/3950x.nix new file mode 100644 index 0000000..23f79ec --- /dev/null +++ b/nixos/physical/3950x.nix 
@@ -0,0 +1,34 @@ +{ config, pkgs, lib, ... }: +let sources = import ../nix/sources.nix; +in +{ + imports = + [ ./. + ./3950x-hardware-config.nix + "${sources.nixos-hardware}/common/cpu/amd" + ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.supportedFilesystems = [ "zfs" ]; + boot.kernelModules = [ "nct6775" ]; + boot.kernelPackages = pkgs.linuxPackages_5_10; + networking.hostId = "c7736638"; + services.zfs.autoScrub.enable = true; + services.zfs.trim.enable = true; + hardware.bluetooth.enable = true; + + networking.useDHCP = false; + networking.usePredictableInterfaceNames = false; + networking.bridges.br0.interfaces = [ "eth0" ]; + networking.interfaces.br0.useDHCP = true; + # systemd.network.links."98-namepolicy" = { + # matchConfig.OriginalName = "*"; + # linkConfig.NamePolicy = "mac kernel database onboard slot path"; + # }; + boot.kernelParams = [ + "amdgpu.ppfeaturemask=0xffffffff" "amdgpu.noretry=0" "amdgpu.lockup_timeout=1000" "amdgpu.gpu_recovery=1" "amdgpu.audio=0" + # thunderbolt + "pcie_ports=native" "pci=assign-busses,hpbussize=0x33,realloc" + ]; +} diff --git a/nixos/physical/apu2c4.nix b/nixos/physical/apu2c4.nix new file mode 100644 index 0000000..b6eb949 --- /dev/null +++ b/nixos/physical/apu2c4.nix @@ -0,0 +1,22 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/1396f814-6cc2-4988-992a-3558fa1ac5a2"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/5f8f358d-f63c-48ad-a322-d1aeb403e4ff"; } + ]; + + nix.maxJobs = lib.mkDefault 4; +} 
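Review bot: `networking.usePredictableInterfaceNames = false;` together with `networking.bridges.br0.interfaces = [ "eth0" ];` in physical/3950x.nix makes the bridge depend on kernel enumeration order, which can change between boots on a board with several NICs; the commented-out `systemd.network.links."98-namepolicy"` block looks like an unfinished attempt at a stable naming policy, so either complete it or remove the dead block and add a comment explaining why legacy names are used. `boot.kernelPackages = pkgs.linuxPackages_5_10;` pins a kernel series without saying why (presumably ZFS module compatibility); a short `# pinned: …` comment would save a future bisect.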
diff --git a/nixos/physical/default.nix b/nixos/physical/default.nix new file mode 100644 index 0000000..c92b7a0 --- /dev/null +++ b/nixos/physical/default.nix @@ -0,0 +1,3 @@ +{ + hardware.enableRedistributableFirmware = true; +} diff --git a/nixos/physical/fractal.nix b/nixos/physical/fractal.nix new file mode 100644 index 0000000..7471c5d --- /dev/null +++ b/nixos/physical/fractal.nix @@ -0,0 +1,42 @@ +{ config, lib, pkgs, ... }: +let sources = import ../nix/sources.nix; +in +{ + imports = + [ ./. + "${sources.nixos-hardware}/common/cpu/intel" + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub = { + enable = true; + version = 2; + # Define on which hard drive you want to install Grub. + device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S21PNXAG441016B"; + }; + + + fileSystems."/" = + { device = "/dev/disk/by-uuid/ba95c638-f243-48ee-ae81-0c70884e7e74"; + fsType = "ext4"; + options = ["defaults" "relatime" "discard"]; + }; + + swapDevices = + [ { device = "/dev/disk/by-label/nixos-swap"; } + ]; + fileSystems."/data" = + { device = "frumar-new"; + fsType = "zfs"; + }; + + fileSystems."/data/plexmedia" = + { device = "frumar-new/plexmedia"; + fsType = "zfs"; + }; + + nix.maxJobs = 4; + services.avahi.interfaces = [ "enp2s0" ]; +} diff --git a/nixos/physical/hetznercloud.nix b/nixos/physical/hetznercloud.nix new file mode 100644 index 0000000..0a5277c --- /dev/null +++ b/nixos/physical/hetznercloud.nix 
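Review bot: physical/fractal.nix mounts the ZFS datasets `frumar-new` and `frumar-new/plexmedia` but, unlike `3950x.nix`, does not set `networking.hostId`, which the NixOS zfs module asserts on; this is fine only if another module for this host supplies it, otherwise add `networking.hostId = "<8-hex-digit-id>";` (placeholder). `nix.maxJobs = 4;` lacks the `lib.mkDefault` wrapper the other physical files use, so a role cannot override it. The `boot.initrd.availableKernelModules` list here is typed by hand while the other hosts carry a generated hardware-config file; a comment noting that this one was pruned manually would prevent someone "regenerating" it.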
@@ -0,0 +1,38 @@ +{ config, lib, pkgs, modulesPath, ... }: +let + ipconf = (import ../secrets.nix).ipconf.${config.networking.hostName}; +in +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.loader.grub = { + enable = true; + version = 2; + device = "/dev/sda"; + }; + + fileSystems."/" = + { device = "/dev/sda1"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + nix.maxJobs = lib.mkDefault 1; + #services.nscd.enable = false; + networking.dhcpcd.enable = false; + systemd.network.enable = true; + systemd.network.networks."40-hetzner" = { + DHCP = "ipv4"; + address = [ ipconf.mainIPv6 ]; + gateway = [ "fe80::1" ]; + matchConfig.Name = "ens3"; + }; + services.fstrim.enable = true; +} diff --git a/nixos/physical/nuc.nix b/nixos/physical/nuc.nix new file mode 100644 index 0000000..8ffb03e --- /dev/null +++ b/nixos/physical/nuc.nix 
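Review bot: In physical/hetznercloud.nix the network unit mixes the top-level shorthand `DHCP = "ipv4";` with the sectioned `matchConfig.Name = "ens3";`; the shorthand form has, as far as I recall, been deprecated in the NixOS networkd module in favour of `networkConfig.DHCP = "ipv4";`, so unifying on the sectioned style avoids a future warning. `ipconf = (import ../secrets.nix).ipconf.${config.networking.hostName};` evaluates the secrets file at build time; an IPv6 address is not sensitive, but anything else pulled from that file the same way ends up in the world-readable Nix store, which is worth a comment at this import. `#services.nscd.enable = false;` is commented-out code with no explanation and should be removed or annotated.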
@@ -0,0 +1,41 @@ +{ config, lib, pkgs, modulesPath, ... }: +let sources = import ../nix/sources.nix; +in +{ + + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ./. + "${sources.nixos-hardware}/common/cpu/intel" + ]; + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/3e148654-0ed8-4354-8159-e3499c6fa299"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/439E-26EA"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + nix.maxJobs = lib.mkDefault 4; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + + nixpkgs.config.packageOverrides = pkgs: { + vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; + }; + hardware.opengl.extraPackages = with pkgs; [ + intel-media-driver # only available starting nixos-19.03 or the current nixos-unstable + ]; +} diff --git a/nixos/physical/xps9360-hardware-config.nix b/nixos/physical/xps9360-hardware-config.nix new file mode 100644 index 0000000..e201e76 --- /dev/null +++ b/nixos/physical/xps9360-hardware-config.nix 
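Review bot: `nixpkgs.config.packageOverrides = pkgs: { vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; };` in physical/nuc.nix uses the pre-overlay override mechanism, while `roles/default.nix` already installs overlays through `nixpkgs.overlays = import ../packages;`; expressing this as an overlay entry, `(self: super: { vaapiIntel = super.vaapiIntel.override { enableHybridCodec = true; }; })`, keeps one override style across the tree. The comment `# only available starting nixos-19.03 or the current nixos-unstable` next to `intel-media-driver` is stale relative to the rest of this commit (`fonts.fontDir`, `security.acme.acceptTerms` imply a much newer release) and can be dropped.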
@@ -0,0 +1,32 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "rtsx_pci_sdmmc" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/a751e4ea-f1aa-48e1-9cbe-423878e29b62"; + fsType = "btrfs"; + }; + + boot.initrd.luks.devices."nix-crypt".device = "/dev/disk/by-uuid/320ef81d-283f-4916-ac26-ecfb0f31e549"; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/0E07-7805"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/198ddaba-a849-41de-993d-862c2d37937a"; } + ]; + + nix.maxJobs = lib.mkDefault 4; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + # high-resolution display + hardware.video.hidpi.enable = lib.mkDefault true; +} diff --git a/nixos/physical/xps9360.nix b/nixos/physical/xps9360.nix new file mode 100644 index 0000000..5b80c09 --- /dev/null +++ b/nixos/physical/xps9360.nix 
@@ -0,0 +1,47 @@ +{ config, lib, pkgs, ... }: +let sources = import ../nix/sources.nix; +in +{ + imports = [ + "${sources.nixos-hardware}/dell/xps/13-9360" + ./xps9360-hardware-config.nix + ]; + + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.kernelModules = [ "i8k" ]; + boot.extraModprobeConfig = '' + options i8k ignore_dmi=1 + ''; + fileSystems."/".options = ["defaults" "relatime" "discard"]; + + boot.initrd.luks.devices."nix-crypt".allowDiscards = true; + + services.undervolt = rec { + enable = true; + coreOffset = -50; + gpuOffset = -50; + uncoreOffset = -50; + analogioOffset = -50; + }; + services.tlp.settings = { + "CPU_SCALING_GOVERNOR_ON_AC" = "performance"; + "CPU_SCALING_GOVERNOR_ON_BAT" = "powersave"; + }; + services.logind.lidSwitch = "ignore"; + + services.xserver.libinput.enable = true; + + networking.wireless = { + enable = false; + iwd.enable = true; + }; + hardware.bluetooth.enable = true; + hardware.enableRedistributableFirmware = true; + + services.udev.packages = [ pkgs.crda ]; + hardware.firmware = [ pkgs.wireless-regdb ]; + # gotta go faster + networking.dhcpcd.extraConfig = '' + noarp + ''; +} diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix new file mode 100644 index 0000000..cc557d0 --- /dev/null +++ b/nixos/roles/default.nix 
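Review bot: `services.undervolt = rec { … }` in physical/xps9360.nix does not reference any of its own attributes, so `rec` is unnecessary and suggests a self-reference that is not there; write `services.undervolt = { enable = true; coreOffset = -50; gpuOffset = -50; uncoreOffset = -50; analogioOffset = -50; };` or bind the repeated value once with `let offset = -50; in`. `hardware.enableRedistributableFirmware = true;` duplicates `physical/default.nix`, which this file, unlike the other physical configs, does not import; adding `./.` to `imports` would keep the hosts consistent.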
@@ -0,0 +1,122 @@ +let secrets = import ../secrets.nix; +in +{ config, pkgs, lib, name, ...}: +let + machine = name; + vpn = import ../vpn.nix; +in +{ + imports = [ + ../modules/tor-hidden-service.nix + ../modules/nginx.nix + ../modules/lumi-vpn.nix + ../deploy/keys.nix + ../services + ]; + networking.domain = "yori.cc"; + networking.hostName = machine; + time.timeZone = "Europe/Amsterdam"; + users.mutableUsers = false; + users.users.root = { + openssh.authorizedKeys.keys = config.users.users.yorick.openssh.authorizedKeys.keys; + # root password is useful from console, ssh has password logins disabled + hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own + + }; + services.timesyncd.enable = true; + users.users.yorick = { + isNormalUser = true; + uid = 1000; + extraGroups = ["wheel"]; + group = "users"; + openssh.authorizedKeys.keys = with (import ../sshkeys.nix); yorick; + hashedPassword = secrets.yorick_hashedPassword; + }; + + # Nix + nixpkgs.config.allowUnfree = true; + nixpkgs.overlays = import ../packages; + + #nix.buildCores = config.nix.maxJobs; + + # Networking + networking.enableIPv6 = true; + + services.openssh = { + enable = true; + passwordAuthentication = false; + challengeResponseAuthentication = false; + }; + + + environment.systemPackages = with pkgs; [ + # v important. + cowsay #ponysay + ed # ed, man! 
+ sl + rlwrap + + #vim + + # system stuff + ethtool inetutils + pciutils usbutils + /*iotop*/ powertop htop + psmisc lsof + smartmontools hdparm + lm_sensors + ncdu + + # utils + file which + reptyr + tmux + bc + mkpasswd + shadow + + # archiving + xdelta + libarchive + atool + + # network + nmap mtr bind + socat netcat-openbsd + lftp wget rsync + + #gitMinimal + #rxvt_unicode.terminfo + ]; + nix.gc.automatic = true; + + services.avahi = { + ipv6 = true; + hostName = machine; + }; + deployment.keyys = [ (+"/wg.${machine}.key") ]; + networking.wireguard.interfaces.wg-y = { + privateKeyFile = "/root/keys/wg.${machine}.key"; + ips = [ vpn.ips.${machine} ]; + listenPort = 31790; + peers = [ { + publicKey = vpn.keys.pennyworth; + endpoint = "pennyworth.yori.cc:31790"; + allowedIPs = [ "10.209.0.0/24" ]; + persistentKeepalive = 30; + }]; + postSetup = "ip link set dev wg-y mtu 1371"; + }; + security.acme.email = "acme@yori.cc"; + security.acme.acceptTerms = true; + nix.binaryCachePublicKeys = + [ "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0=" ]; + + nix.trustedUsers = ["@wheel"]; + services.prometheus.exporters.node = { + enable = true; + enabledCollectors = [ "systemd" ]; + disabledCollectors = [ "rapl" ]; + }; + networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 9100 ]; +} diff --git a/nixos/roles/graphical.nix b/nixos/roles/graphical.nix new file mode 100644 index 0000000..86e30b6 --- /dev/null +++ b/nixos/roles/graphical.nix 
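Review bot: `hashedPassword = secrets.pennyworth_hashedPassword;` and `hashedPassword = secrets.yorick_hashedPassword;` in roles/default.nix write the password hashes into the Nix store, which is world-readable on every host, and because this role is imported everywhere the same root hash is shared by all machines (the `# TODO: generate own` comment acknowledges the second point). With `users.mutableUsers = false` the hash can instead be read at activation from a file delivered by the existing `deployment.keyys` mechanism, e.g. `passwordFile = "/root/keys/<hash-file>";` (placeholder path; the option was later renamed `hashedPasswordFile`). `nix.trustedUsers = ["@wheel"];` grants the equivalent of root to every wheel member via the Nix daemon; that matches the sudo policy here, but a comment stating that equivalence is deliberate would help.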
@@ -0,0 +1,52 @@ +let secrets = import ; +in { config, lib, pkgs, ... }: { + imports = [ ./. ]; + options.yorick.support32bit = with lib; + mkOption { + type = types.bool; + default = false; + }; + config = { + hardware.opengl = { + enable = true; + driSupport32Bit = config.yorick.support32bit; + }; + sound.enable = true; + hardware.pulseaudio = { + enable = true; + support32Bit = config.yorick.support32bit; + }; + users.users.yorick.extraGroups = [ "video" ]; + # fix backlight permissions + services.udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness" + ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness" + ''; + + fonts = { + fontDir.enable = true; + enableGhostscriptFonts = true; + fonts = with pkgs; [ + corefonts # Micrsoft free fonts + inconsolata # monospaced + source-code-pro + ubuntu_font_family # Ubuntu fonts + source-han-sans-japanese + iosevka + font-awesome + ]; + }; + # spotify + networking.firewall.allowedTCPPorts = [ 55025 57621 ]; + networking.firewall.allowedUDPPorts = [ 55025 57621 ]; + + services.openssh.forwardX11 = true; + + programs.sway = { + enable = true; + extraSessionCommands = '' + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])} + ''; + }; + }; +} diff --git a/nixos/roles/homeserver.nix b/nixos/roles/homeserver.nix new file mode 100644 index 0000000..a0eec7c --- /dev/null +++ b/nixos/roles/homeserver.nix @@ -0,0 +1,17 @@ +{lib, ...}: { + users.users.lars = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + ]; + }; + services.avahi = { + enable = true; + nssmdns = true; + publish = { + enable = true; + addresses = true; + }; + }; + networking.firewall.logRefusedConnections = lib.mkForce true; +} 
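Review bot: The `secrets` binding on the first line of roles/graphical.nix (`let secrets = import …; in`) is never used in the module, so it pulls the secrets file into evaluation for no reason; drop the `let … in`. `services.openssh.forwardX11 = true;` turns on X11 forwarding in sshd for every graphical host while `roles/server.nix` leaves it off; harmless if intended, but a one-line comment on why it is needed would make the difference deliberate rather than accidental. The `# spotify` comment above `networking.firewall.allowedTCPPorts = [ 55025 57621 ];` could say what each port is for so the rule can be retired when the client changes.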
diff --git a/nixos/roles/server.nix b/nixos/roles/server.nix new file mode 100644 index 0000000..c9eef60 --- /dev/null +++ b/nixos/roles/server.nix @@ -0,0 +1,16 @@ +{ + imports = [ ./. ]; + + documentation.nixos.enable = false; + services.sshguard.enable = true; + programs.mosh.enable = true; + + environment.noXlibs = true; + networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers + # TODO: upstream with noXlibs + # https://github.com/NixOS/nixpkgs/pull/107394 + nixpkgs.overlays = [ (self: super: { + elixir_1_8 = (self.beam.packagesWith (self.beam.interpreters.erlang_nox)).elixir_1_8; + erlang = super.erlang_nox; + }) ]; +} diff --git a/nixos/roles/workstation.nix b/nixos/roles/workstation.nix new file mode 100644 index 0000000..96ee28b --- /dev/null +++ b/nixos/roles/workstation.nix @@ -0,0 +1,112 @@ +{ config, lib, pkgs, ... }: +let + sources = import ../nix/sources.nix; + nixNetrcFile = pkgs.runCommand "nix-netrc-file" +{ hostname = "cache.lumi.guide"; + username = "lumi"; +} '' + cat > $out <= 1.0 + BORG_REMOTE_PATH = "borg1"; + + # SSH key is specific to the subaccount defined in the repo username + BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key"; + }; + + # Define schedule + startAt = "hourly"; + + repo = "14337@ch-s012.rsync.net:${name}"; + paths = [ "/home" "/root" "/var/lib" ]; + + prune.keep = { + # hourly backups for the past week + within = "7d"; + + # daily backups for two weeks before that + daily = 14; + + # weekly backups for a month before that + weekly = 4; + + # monthly backups for 6 months before that + monthly = 6; + + # 2 years + yearly = 2; + }; + }; +} diff --git a/nixos/services/default.nix b/nixos/services/default.nix new file mode 100644 index 0000000..735789a --- /dev/null +++ b/nixos/services/default.nix @@ -0,0 +1,8 @@ +{ + imports = [ + ./git.nix + ./muflax-church.nix + ./pub.nix + ./website.nix + ]; +} 
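Review bot: The roles/workstation.nix hunk is garbled in this rendering between `nixNetrcFile = pkgs.runCommand "nix-netrc-file" { hostname = "cache.lumi.guide"; username = "lumi"; } ''` and the borg job, so the heredoc body is not visible; if it writes a password into `$out`, that netrc becomes a world-readable Nix store path, and the `netrc-file` Nix setting should instead point at a file delivered out-of-store via the existing `deployment.keyys` mechanism. In the borg job, `BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key";` depends on root's known_hosts already containing the rsync.net host key; pinning it through `programs.ssh.knownHosts` (or `-o UserKnownHostsFile=<path>`) avoids the hourly timer hanging on a host-key prompt. The job's `encryption` setting is not visible in this chunk, so I cannot tell whether backups leave the host encrypted.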
diff --git a/nixos/services/email.nix b/nixos/services/email.nix new file mode 100644 index 0000000..44a7dc8 --- /dev/null +++ b/nixos/services/email.nix @@ -0,0 +1,26 @@ +{ config, pkgs, lib, ... }: +let + sources = import ../nix/sources.nix; +in +{ + imports = [ + ("${sources.nixos-mailserver}") + ]; + + mailserver = rec { + enable = true; + fqdn = "pennyworth.yori.cc"; + domains = [ "yori.cc" "yorickvanpelt.nl" ]; + loginAccounts = { + "yorick@yori.cc" = { + hashedPassword = (import ../secrets.nix).yorick_mailPassword; + catchAll = domains; + aliases = [ "@yori.cc" "@yorickvanpelt.nl" ]; + }; + }; + certificateScheme = 3; + enableImapSsl = true; + }; + + services.borgbackup.jobs.backup.paths = [ "/var/vmail" ]; +} diff --git a/nixos/services/git.nix b/nixos/services/git.nix new file mode 100644 index 0000000..bd97b30 --- /dev/null +++ b/nixos/services/git.nix 
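Review bot: `hashedPassword = (import ../secrets.nix).yorick_mailPassword;` in services/email.nix places the mailbox password hash in the world-readable Nix store; nixos-mailserver provides `hashedPasswordFile` on `loginAccounts.<name>`, which reads the hash from a runtime path, e.g. `hashedPasswordFile = "/root/keys/<mail-hash-file>";` (placeholder path) supplied through the key deployment used elsewhere in this tree. `catchAll = domains;` together with `aliases = [ "@yori.cc" "@yorickvanpelt.nl" ];` appears to express the same catch-all twice; if so, keep only `catchAll`.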
@@ -0,0 +1,52 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.yorick.git; + inherit (cfg) vhost; +in +{ + options.services.yorick.git = with lib; { + enable = mkEnableOption "git"; + vhost = mkOption { type = types.str; }; + }; + config = lib.mkIf cfg.enable { + users.extraUsers.git = { + createHome = true; + home = config.services.gitea.stateDir; extraGroups = [ "git" ]; useDefaultShell = true; + }; + services.gitea = { + enable = true; + user = "git"; + database.user = "root"; + database.name = "gogs"; + database.createDatabase = false; + #dump.enable = true; TODO: backups + domain = cfg.vhost; + rootUrl = "https://${cfg.vhost}/"; + httpAddress = "localhost"; + cookieSecure = true; + log.level = "Warn"; + disableRegistration = true; + settings.service = { + REGISTER_EMAIL_CONFIRM = false; + ENABLE_NOTIFY_MAIL = false; + REQUIRE_SIGNIN_VIEW = false; + }; + settings.picture.DISABLE_GRAVATAR = false; + settings.mailer = { + ENABLED = false; + AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/data/avatars"; + }; + }; + services.nginx.virtualHosts.${vhost} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.gitea.httpPort}"; + extraConfig = '' + proxy_buffering off; + ''; + }; + }; + }; +} diff --git a/nixos/services/muflax-church.nix b/nixos/services/muflax-church.nix new file mode 100644 index 0000000..8da4ac3 --- /dev/null +++ b/nixos/services/muflax-church.nix 
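Review bot: `AVATAR_UPLOAD_PATH` is a key of Gitea's `[picture]` section, not `[mailer]`, so under `settings.mailer` in services/git.nix it is ignored and the default avatar path is used; move it next to the existing picture setting as `settings.picture.AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/data/avatars";`. `database.user = "root"` with no `database.type` means the module's default sqlite backend, where the user name has no effect; if a real database server is intended, a dedicated `gitea` role rather than root is the least-privilege choice. `#dump.enable = true; TODO: backups` is still an open item; at minimum `services.borgbackup.jobs.backup.paths` should include the gitea state directory, as email.nix does for `/var/vmail`.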
@@ -0,0 +1,52 @@ +{ config, lib, pkgs, ... }: + +let + muflax-source = builtins.fetchGit { + rev = "e5ce7ae4296c6605a7e886c153d569fc38318096"; + ref = "HEAD"; + url = "https://github.com/fmap/muflax65ngodyewp.onion.git"; +}; +nixpkgs = import (builtins.fetchTarball { + url = "https://github.com/NixOS/nixpkgs-channels/archive/78e9665b48ff45d3e29f45b3ebeb6fc6c6e19922.tar.gz"; + sha256 = "09f50jaijvry9lrnx891qmcf92yb8qs64n1cvy0db2yjrmxsxyw8"; +}) { system = builtins.currentSystem; }; + muflax-church = (nixpkgs.callPackage "${muflax-source}/maintenance" {}).overrideDerivation (default: { + buildPhase = default.buildPhase + "\n" + '' + grep -lr '[^@]muflax.com' out | xargs -r sed -i 's/\([^@]\)muflax.com/\1muflax.church/g;s/http:\/\/\([^@]*\)muflax.church/https:\/\/\1muflax.church/g' + ''; + }); + cfg = config.services.yorick.muflax-church; + inherit (cfg) vhost; + addrs = { + "daily.${vhost}" = "${muflax-church}/daily"; + "blog.${vhost}" = "${muflax-church}/blog"; + "gospel.${vhost}" = "${muflax-church}/gospel"; + "alt.${vhost}" = "/home/public/public/muflax"; + }; + m = x: root: { forceSSL = true; useACMEHost = vhost; inherit root; }; +in +{ + options.services.yorick.muflax-church = with lib; { + enable = mkEnableOption "muflax.church"; + vhost = mkOption { type = types.str; }; + }; + config = lib.mkIf cfg.enable { + services.nginx.virtualHosts = { + ${cfg.vhost} = { + forceSSL = true; + enableACME = true; + root = "${muflax-church}/muflax"; + }; + "daily.${vhost}" = m "${muflax-church}/daily"; + "blog.${vhost}" = m "${muflax-church}/blog"; + "gospel.${vhost}" = m "${muflax-church}/gospel"; + "alt.${vhost}" = m "/home/public/public/muflax"; + } // (lib.mapAttrs m addrs); + security.acme.certs.${vhost}.extraDomainNames = [ + "daily.${vhost}" + "blog.${vhost}" + "gospel.${vhost}" + "alt.${vhost}" + ]; + }; +} diff --git a/nixos/services/pub.nix b/nixos/services/pub.nix new file mode 100644 index 0000000..a8cc787 --- /dev/null +++ b/nixos/services/pub.nix 
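Review bot: In services/muflax-church.nix the four explicit entries such as `"daily.${vhost}" = m "${muflax-church}/daily";` apply the two-argument `m = x: root: …` to a single argument, producing functions rather than vhost attrsets; they are then overwritten by `// (lib.mapAttrs m addrs)`, which defines the same four hosts correctly, so the explicit lines are dead and should be removed. `security.acme.certs.${vhost}.extraDomainNames` repeats the same host list by hand; `extraDomainNames = builtins.attrNames addrs;` keeps the two from drifting apart. The pinned nixpkgs is fetched from the `NixOS/nixpkgs-channels` repository, which I believe has been deprecated upstream; routing this pin through `sources.nix` like the other files would be more durable.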
@@ -0,0 +1,29 @@ +{ config, pkgs, lib, ... }: +let cfg = config.services.yorick.public; in +{ + options.services.yorick.public = { + enable = lib.mkEnableOption "public hosting"; + vhost = lib.mkOption { type = lib.types.str; }; + }; + #imports = [../modules/nginx.nix]; + config = lib.mkIf cfg.enable { + systemd.services.nginx.serviceConfig = { + ProtectHome = "tmpfs"; + BindReadOnlyPaths = [ "/home/public/public" ]; + }; + users.extraUsers.public = { + home = "/home/public"; + useDefaultShell = true; + openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public]; + createHome = true; + }; + services.nginx.virtualHosts.${cfg.vhost} = { + forceSSL = true; + enableACME = true; + locations."/" = { + root = "/home/public/public"; + index = "index.html"; + }; + }; + }; +} diff --git a/nixos/services/torrent-wg.nix b/nixos/services/torrent-wg.nix new file mode 100644 index 0000000..598d986 --- /dev/null +++ b/nixos/services/torrent-wg.nix @@ -0,0 +1,32 @@ +{pkgs, lib, config, ...}: +let + cfg = config.services.yorick.torrent-vpn; +in +{ + options.services.yorick.torrent-vpn = with lib; { + enable = mkEnableOption "torrent-vpn"; + name = mkOption { type = types.str; }; + namespace = mkOption { type = types.str; }; + }; + config = { + deployment.keyys = [ (+"/wg.${cfg.name}.key") ]; + networking.wireguard.interfaces.${cfg.name} = { + # curl -s https://api.mullvad.net/www/relays/all/ | jq '.[] | select(.type == "wireguard" and .country_code == "nl")' + ips = [ "10.66.30.26/32" "fc00:bbbb:bbbb:bb01::3:1e19/128" ]; + privateKeyFile = "/root/keys/wg.${cfg.name}.key"; + peers = [{ + publicKey = "hnRyse6QxPPcZOoSwRsHUtK1W+APWXnIoaDTmH6JsHQ="; + allowedIPs = ["0.0.0.0/0" "::0/0"]; + endpoint = "[2a03:1b20:3:f011::a04f]:51820"; + }]; + interfaceNamespace = cfg.namespace; + preSetup = '' + ${pkgs.iproute}/bin/ip netns add "${cfg.namespace}" || true + ''; + }; + environment.etc."netns/torrent/resolv.conf".text = '' + nameserver 193.138.218.74 + ''; + }; +} +# todo: presets 
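Review bot: `users.extraUsers.public` in services/pub.nix sets neither `isNormalUser` nor `isSystemUser`; newer NixOS releases assert that exactly one is set, and since this account logs in over SSH it should be `isNormalUser = true;`. The account exists only to drop files into `/home/public/public`, yet `useDefaultShell = true;` gives it a full interactive shell; restricting it with a `Match User public` block in `services.openssh.extraConfig` (`ForceCommand internal-sftp`, `X11Forwarding no`, `AllowTcpForwarding no`) limits what a leaked key can do. `#imports = [../modules/nginx.nix];` is commented-out code and should go.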
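Review bot: `config = { … }` in services/torrent-wg.nix is unconditional even though `enable = mkEnableOption "torrent-vpn";` is declared, so the WireGuard interface, the key deployment and the netns are set up on every host importing this module regardless of the option; wrap it as `config = lib.mkIf cfg.enable { … };`. `environment.etc."netns/torrent/resolv.conf"` hard-codes the namespace name while the rest of the file uses `cfg.namespace`; use `environment.etc."netns/${cfg.namespace}/resolv.conf"`. `pkgs.iproute` is, as far as I know, now only an alias of `iproute2` and may warn or disappear in newer nixpkgs; the `# todo: presets` trailer after the closing brace is also outside the module and easy to miss.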
diff --git a/nixos/services/website.nix b/nixos/services/website.nix new file mode 100644 index 0000000..d4cec95 --- /dev/null +++ b/nixos/services/website.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +let + yoricc = pkgs.callPackage ../packages/yori-cc.nix {}; + cfg = config.services.yorick.website; +in + with lib; +{ + options.services.yorick = { + website = { + enable = mkEnableOption "yoricc website"; + vhost = mkOption { type = types.str; }; + pkg = mkOption { type = types.package; default = yoricc; }; + }; + redirect = mkOption { type = types.loaOf types.str; default = []; }; + }; + config.services.nginx.virtualHosts = with cfg; mkIf enable { + ${vhost} = { + enableACME = true; + forceSSL = true; + locations."/".root = "${pkg}/web"; + }; + }; + +} diff --git a/nixos/sshkeys.nix b/nixos/sshkeys.nix new file mode 100644 index 0000000..e0a41ec --- /dev/null +++ b/nixos/sshkeys.nix @@ -0,0 +1,4 @@ +{ + public = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZv+hBDmjxF8h9Gxwvy0o7sMgOsqwp8pVj9AlpG90Y7agvkOm2IGtFueVfiDe0yWPXT0/EIiVWcPhWwcVkbY/BkypPJSMLnlcQ6ld+aO1g+BtdDaVuxcTSvQ77UCT2p+wftxoq1EiUdlhTsXpPucrBd+5NOde+jlPBE4qChIAf2zhOIByJAGT+M4Ie3eV4p5S9LB9CMI4s32gNUBbSA8UDmkjpBXkf9a1TZzdkOGWUmUFXt53/O8LZlGK9kkA5TsjM2xaxDjCLWf5wEcey4JsEggi1prE4aB68Q7+kdbvDiVSEFyZn0A/A9RXHBRAgW8yPdh+EGC56iDW/wkGxWBY5"; + yorick = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDo1N5E6qkb3McJOvv0PqI7E8iYLAcjil5RWc+zeTtN/" "ssh-rsa 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 cardno:000607186578"]; +} diff --git a/nixos/vpn.nix b/nixos/vpn.nix new file mode 100644 index 0000000..bdad675 --- /dev/null +++ b/nixos/vpn.nix 
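Review bot: `redirect = mkOption { type = types.loaOf types.str; default = []; };` in services/website.nix is declared but never read in `config`, and `types.loaOf` is deprecated (it accepts both lists and attrsets, hence the list default on an attribute-like option); either drop the option or change it to `redirect = mkOption { type = types.attrsOf types.str; default = {}; };` and implement the redirects in the nginx config. `with lib;` placed between `in` and the module attrset works but obscures where `mkOption`, `mkIf` and `types` come from; `inherit (lib) mkEnableOption mkOption mkIf types;` in the `let` block is the more common form.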
@@ -0,0 +1,21 @@
+{
+ ips = {
+ pennyworth = "10.209.0.1";
+ jarvis = "10.209.0.2";
+ frumar = "10.209.0.3";
+ woodhouse = "10.209.0.4";
+ ascanius = "10.209.0.5";
+ blackadder = "10.209.0.6";
+ zazu = "10.209.0.7";
+ };
+ keys = {
+ # for i in wg.*.key; do echo $(echo $i | cut -d. -f2) = \"$(wg pubkey < $i)\"\;; done
+ ascanius = "zZ3gegDspSKBJutp99VzODZNcJ1qQF3OH2nrlxhICwI=";
+ blackadder = "+SfIbW9/MmA5iIVUUzkKPeWmZvwhP8y9qWo67o2UZUA=";
+ frumar = "UpFw4KmrvmOWdMOJ+LHvMzgN7cQMnasqlkzF8/apoGI=";
+ jarvis = "2/Qaq5uiy8uGGnZLIfjeomL47XjZCsJ1dDFDD9Nlq3E=";
+ pennyworth = "XoeUMsiSOWBFEFuAu+S4iQd3MzkyGhIj9dtxzZ0I500=";
+ woodhouse = "ICzlnC4zKUYvpQ0o5AFq2rG7CCqWUFVn3UqkLSoYNgI=";
+ zazu = "6X5EdNMO1MtFi18LCRGZ2cBD0d50Wq+pwkwVubjY1Ew=";
+ };
+}