From d94be95fe8f49a1328de3ba72e8a73883bd2bc9c Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Wed, 18 Mar 2015 02:24:24 +0100 Subject: [PATCH 001/172] initial commit --- configuration.nix | 67 ++++++++++++++++++++++++++++++++++++++ graphical.nix | 38 +++++++++++++++++++++ hardware-configuration.nix | 64 ++++++++++++++++++++++++++++++++++++ 3 files changed, 169 insertions(+) create mode 100644 configuration.nix create mode 100644 graphical.nix create mode 100644 hardware-configuration.nix diff --git a/configuration.nix b/configuration.nix new file mode 100644 index 0000000..5a64042 --- /dev/null +++ b/configuration.nix 
@@ -0,0 +1,67 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = + [ ./hardware-configuration.nix + ./graphical.nix + ]; + + + # no, not that Ascanius. + networking.hostName = "ascanius"; + + # GOTTA GO FASTER + # this pulls in systemd-udevd-settle, which slows down boot + systemd.services.scsi-link-pm.enable = false; + # Set your time zone. + time.timeZone = "Europe/Amsterdam"; + + nixpkgs.config = { + allowUnfree = true; + packageOverrides = pkgs : { + bluez = pkgs.bluez5; + }; + }; + + # List packages installed in system profile. To search by name, run: + # $ nix-env -qaP | grep wget + environment.systemPackages = with pkgs; [ + (texLiveAggregationFun { paths = [ texLive texLiveExtra texLiveBeamer lmodern ]; }) + atool + bc + git + hdparm + htop + lm_sensors + mtr + ncdu + sl # v important. + smartmontools + unzip zip + wget + ]; + + + # TODO: cups. + + # Define a user account. Don't forget to set a password with ‘passwd’. + users.extraUsers.yorick = { + isNormalUser = true; + uid = 1000; + extraGroups = ["wheel"]; + }; + + # not using ipv6 for now + networking.enableIPv6 = false; + + nix.binaryCaches = [ + https://hydra.nixos.org + ]; + nix.trustedBinaryCaches = config.nix.binaryCaches; + + +} diff --git a/graphical.nix b/graphical.nix new file mode 100644 index 0000000..50f542a --- /dev/null +++ b/graphical.nix 
@@ -0,0 +1,38 @@ +{ config, lib, pkgs, ... }: +{ + # Enable the X11 windowing system. + services.xserver = { + enable = true; + synaptics = { + twoFingerScroll = true; + # inverted scrolling + additionalOptions = '' + Option "HorizScrollDelta" "-107" + Option "VertScrollDelta" "-107" + ''; + }; + layout = "us"; + displayManager.slim.defaultUser = "yorick"; + # xkbOptions = "eurosign:e"; + }; + hardware.opengl = { + enable = true; + driSupport32Bit = true; + }; + + environment.systemPackages = with pkgs; [ + slock + ]; + security.setuidPrograms = [ "slock" ]; + + fonts = { + enableFontDir = true; + enableGhostscriptFonts = true; + fonts = with pkgs; [ + corefonts # Micrsoft free fonts + inconsolata # monospaced + source-code-pro + ubuntu_font_family # Ubuntu fonts + ]; + }; +} diff --git a/hardware-configuration.nix b/hardware-configuration.nix new file mode 100644 index 0000000..ed20a1e --- /dev/null +++ b/hardware-configuration.nix 
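Review bot: `security.setuidPrograms = [ "slock" ];` installs a setuid-root wrapper, so the whole locker starts as root for every user who runs it; slock needs that only to raise its OOM-killer protection and (as far as I know) drops privileges right after, which is the property worth recording next to the line, e.g. `# setuid: slock raises its OOM protection as root, then drops privileges`. On current NixOS releases `security.setuidPrograms` has been superseded by `security.wrappers`, and I believe there is a `programs.slock.enable` option that sets this up, so that is the replacement when this configuration is next bumped. The slim `defaultUser` and synaptics settings raise nothing.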
@@ -0,0 +1,64 @@ +# I'm modifying this file anyways. +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ]; + + boot = { + loader.grub = { + enable = true; + device = "/dev/sda"; + }; + kernelModules = ["nvidiabl" "kvm-intel"]; + kernelPackages = pkgs.linuxPackages_3_18; + extraModulePackages = [pkgs.linuxPackages_3_18.nvidiabl]; + extraModprobeConfig = '' + options nvidiabl min=0x384 max=0x4650 + ''; + }; + services.xserver.videoDrivers = ["nvidia"]; + services.xserver.synaptics.enable = true; + + networking.wireless.enable = true; + hardware.bluetooth.enable = true; + + + # ideal... doesn't work. + #services.udev.extraRules = '' + # KERNEL=="nvidia_backlight", SUBSYSTEM=="backlight", MODE="666" + #''; + # for now + systemd.services."display-manager".preStart = '' + chmod a+w $(realpath /sys/class/backlight/nvidia_backlight/brightness) || true + ''; + # any better ideas to do this?... please? the scripts are pretty heavily modified. + # from https://github.com/march-linux/powerdown + services.udev.extraRules = '' + SUBSYSTEM=="power_supply", ATTR{online}=="0", RUN+="/etc/powerdown/powerdown" + SUBSYSTEM=="power_supply", ATTR{online}=="1", RUN+="/etc/powerdown/powerup" + ''; + + boot.initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usbhid" "usb_storage" "btrfs" "dm_crypt" ]; + boot.initrd.luks.devices = [ { + name = "nix-root-enc"; + device = "/dev/sdb2"; + allowDiscards = true; + }]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/a21dd1ae-b1ef-47d2-854e-4f561f0bfb4c"; + fsType = "btrfs"; + options = "defaults,relatime,discard"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/8a141d3a-4a7f-4ece-9881-b958649e956d"; + fsType = "ext2"; + }; + + swapDevices = [ ]; + + nix.maxJobs = 8; +} From 8c2deb6080fd4022d272686e491cdc431e76e0a3 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Wed, 18 Mar 2015 02:45:48 +0100 Subject: [PATCH 002/172] redshift. --- graphical.nix | 9 +++++++++ 1 file changed, 9 insertions(+) 
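Review bot: `chmod a+w` on the nvidia_backlight brightness attribute in the `display-manager` preStart makes the control world-writable, so any local process can change or blank the screen brightness; the commented-out udev rule has the same problem via `MODE="666"`. A group-restricted rule is the usual fix, `SUBSYSTEM=="backlight", KERNEL=="nvidia_backlight", ACTION=="add", GROUP="video", MODE="0664"` together with adding the user to `video` in `extraGroups`, and if the rule genuinely cannot fire for this device, `chgrp video` plus `chmod g+w` in the preStart gives the same restriction. Separately, `allowDiscards = true` on `nix-root-enc` passes TRIM through dm-crypt, which reveals which blocks of the encrypted volume are unused to anyone who reads the raw disk; a known trade-off that deserves a one-line comment next to it. The `RUN+="/etc/powerdown/..."` rules execute, as root, scripts that live outside the Nix store and are not declared anywhere in this configuration, so the code running on every power event is not part of what is reviewed here.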
diff --git a/graphical.nix b/graphical.nix index 50f542a..653c2fd 100644 --- a/graphical.nix +++ b/graphical.nix @@ -35,4 +35,13 @@ ubuntu_font_family # Ubuntu fonts ]; }; + services.redshift = { + enable = true; + latitude = "51.8"; + longitude = "5.8"; + temperature = { + day = 6500; + night = 5500; + }; + }; } From 4db1081d3342a8d5c72c60b7c534bde876b5974f Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Mon, 23 Mar 2015 23:30:32 +0100 Subject: [PATCH 003/172] Add pulseaudio. --- graphical.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/graphical.nix b/graphical.nix index 653c2fd..e875423 100644 --- a/graphical.nix +++ b/graphical.nix @@ -19,6 +19,7 @@ enable = true; driSupport32Bit = true; }; + hardware.pulseaudio.enable = true; environment.systemPackages = with pkgs; [ slock From f8fb49c1e5101e01ea7024d8896cacaffd9e112a Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Mon, 23 Mar 2015 23:30:40 +0100 Subject: [PATCH 004/172] Japanese font --- graphical.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/graphical.nix b/graphical.nix index e875423..fc4c412 100644 --- a/graphical.nix +++ b/graphical.nix @@ -34,6 +34,7 @@ inconsolata # monospaced source-code-pro ubuntu_font_family # Ubuntu fonts + source-han-sans-japanese ]; }; services.redshift = { From 863befd57a3051ff037783f7f374f55c03ba21a1 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 14 Apr 2015 12:17:59 +0200 Subject: [PATCH 005/172] Fix: wifi loading in less than 2 minutes --- hardware-configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hardware-configuration.nix b/hardware-configuration.nix index ed20a1e..5f7a195 100644 --- a/hardware-configuration.nix +++ b/hardware-configuration.nix 
@@ -32,12 +32,14 @@ # for now systemd.services."display-manager".preStart = '' chmod a+w $(realpath /sys/class/backlight/nvidia_backlight/brightness) || true + /etc/powerdown/powerswitch ''; # any better ideas to do this?... please? the scripts are pretty heavily modified. # from https://github.com/march-linux/powerdown services.udev.extraRules = '' SUBSYSTEM=="power_supply", ATTR{online}=="0", RUN+="/etc/powerdown/powerdown" SUBSYSTEM=="power_supply", ATTR{online}=="1", RUN+="/etc/powerdown/powerup" + SUBSYSTEM=="firmware", ACTION=="add", ATTR{loading}="-1" ''; boot.initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usbhid" "usb_storage" "btrfs" "dm_crypt" ]; From 92a9d53a443de631f9fec4a06cedb086cd7bf4c5 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 29 Sep 2015 01:09:21 +0200 Subject: [PATCH 006/172] run the power saving script automatically --- configuration.nix | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/configuration.nix b/configuration.nix index 5a64042..2e97090 100644 --- a/configuration.nix +++ b/configuration.nix @@ -45,6 +45,20 @@ wget ]; + virtualisation.virtualbox.host.enable = true; + + systemd.services.powerswitch = { + enable = true; + wantedBy = [ "multi-user.target" "suspend.target" ]; + after = [ "suspend.target" "display-manager.service" ]; + description = "Run powerswitch sometimes"; + path = [ pkgs.hdparm pkgs.iw pkgs.gawk pkgs.kmod config.system.sbin.modprobe ]; + preStart = "sleep 2s"; + serviceConfig = { + Type = "oneshot"; + ExecStart = ''/etc/powerdown/powerswitch''; + }; + }; # TODO: cups. From cb96f6b68200f7c96f98f78e73010b1cbcd916f9 Mon Sep 17 00:00:00 2001 
From: Yorick van Pelt Date: Tue, 29 Sep 2015 14:54:55 +0200 Subject: [PATCH 007/172] run power scripts on power supply state change --- configuration.nix | 12 ------------ hardware-configuration.nix | 4 +--- modules/powerdown.nix | 27 +++++++++++++++++++++++++++ 3 files changed, 28 insertions(+), 15 deletions(-) create mode 100644 modules/powerdown.nix diff --git a/configuration.nix b/configuration.nix index 2e97090..44f28a8 100644 --- a/configuration.nix +++ b/configuration.nix @@ -47,18 +47,6 @@ virtualisation.virtualbox.host.enable = true; - systemd.services.powerswitch = { - enable = true; - wantedBy = [ "multi-user.target" "suspend.target" ]; - after = [ "suspend.target" "display-manager.service" ]; - description = "Run powerswitch sometimes"; - path = [ pkgs.hdparm pkgs.iw pkgs.gawk pkgs.kmod config.system.sbin.modprobe ]; - preStart = "sleep 2s"; - serviceConfig = { - Type = "oneshot"; - ExecStart = ''/etc/powerdown/powerswitch''; - }; - }; # TODO: cups. diff --git a/hardware-configuration.nix b/hardware-configuration.nix index 5f7a195..fa29e9b 100644 --- a/hardware-configuration.nix +++ b/hardware-configuration.nix @@ -4,6 +4,7 @@ { imports = [ + ./modules/powerdown.nix ]; boot = { @@ -32,13 +33,10 @@ # for now systemd.services."display-manager".preStart = '' chmod a+w $(realpath /sys/class/backlight/nvidia_backlight/brightness) || true - /etc/powerdown/powerswitch ''; # any better ideas to do this?... please? the scripts are pretty heavily modified. # from https://github.com/march-linux/powerdown services.udev.extraRules = '' - SUBSYSTEM=="power_supply", ATTR{online}=="0", RUN+="/etc/powerdown/powerdown" - SUBSYSTEM=="power_supply", ATTR{online}=="1", RUN+="/etc/powerdown/powerup" SUBSYSTEM=="firmware", ACTION=="add", ATTR{loading}="-1" ''; diff --git a/modules/powerdown.nix b/modules/powerdown.nix new file mode 100644 index 0000000..684d237 --- /dev/null +++ b/modules/powerdown.nix 
@@ -0,0 +1,27 @@ +{ config, lib, pkgs, ... }: + +let + powersw = "/etc/powerdown/powerswitch"; + powerswpath = [ pkgs.hdparm pkgs.iw pkgs.gawk pkgs.kmod config.system.sbin.modprobe ]; +in +{ + + services.udev.path=powerswpath; + services.udev.extraRules = '' + SUBSYSTEM=="power_supply", ATTR{online}=="0", RUN+="${powersw}" + SUBSYSTEM=="power_supply", ATTR{online}=="1", RUN+="${powersw}" + ''; + + systemd.services.powerswitch = { + enable = true; + wantedBy = [ "multi-user.target" "suspend.target" ]; + after = [ "suspend.target" "display-manager.service" ]; + description = "Run powerswitch sometimes"; + path = powerswpath; + preStart = "sleep 4s"; + serviceConfig = { + Type = "oneshot"; + ExecStart = powersw; + }; + }; +} From c4e3dc2cc52e0f8d24e1fc1af2c4aa98739351c3 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Mon, 21 Dec 2015 00:52:34 +0100 Subject: [PATCH 008/172] add hydra key --- configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configuration.nix b/configuration.nix index 44f28a8..5019a50 100644 --- a/configuration.nix +++ b/configuration.nix @@ -48,6 +48,8 @@ virtualisation.virtualbox.host.enable = true; + nix.binaryCachePublicKeys = ["hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; + # TODO: cups. # Define a user account. Don't forget to set a password with ‘passwd’. From d05387c9f1caf6e30ab6c1c2d0e01045b52ea06b Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Mon, 21 Dec 2015 00:52:48 +0100 Subject: [PATCH 009/172] steam game sound --- graphical.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/graphical.nix b/graphical.nix index fc4c412..1bd2792 100644 --- a/graphical.nix +++ b/graphical.nix @@ -20,6 +20,7 @@ driSupport32Bit = true; }; hardware.pulseaudio.enable = true; + hardware.pulseaudio.support32Bit = true; environment.systemPackages = with pkgs; [ slock From 1646900ef337264683e675f9cf9de4151a08b82a Mon Sep 17 00:00:00 2001 
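Review bot: Both `RUN+="${powersw}"` rules execute `/etc/powerdown/powerswitch` as root from inside udev event handling, but udev(7) limits RUN to short foreground tasks and kills anything still running when the event finishes, and the script (judging by `powerswpath`, it uses hdparm, iw and modprobe) lives outside the Nix store, so this configuration does not pin the code that runs as root on every power_supply change. Since a `powerswitch.service` unit is declared right below, let the rules hand off to it instead: `SUBSYSTEM=="power_supply", ATTR{online}=="0", TAG+="systemd", ENV{SYSTEMD_WANTS}="powerswitch.service"` (same for `online=="1"`), and check that the unit re-triggers on `change` events for this device. Pointing `powersw` at a store path built from the script (for example via `pkgs.writeScript`, with the script added to this repo) would make the root-executed code part of the reviewed configuration. `preStart = "sleep 4s"` is an undocumented ordering workaround; a comment saying what it waits for would help the next reader.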
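Review bot: Listing the hydra.nixos.org key in `nix.binaryCachePublicKeys` only tells Nix which signatures to accept; whether unsigned substitutes from `nix.binaryCaches` are rejected depends on `nix.requireSignedBinaryCaches`, whose default I believe was still false on releases of this era, so it should be set explicitly alongside: `nix.requireSignedBinaryCaches = true;`. Without it the key adds no protection against a tampered cache, and the https URL of the cache only protects the transport, not the build content.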
From: Yorick van Pelt Date: Mon, 21 Dec 2015 00:52:58 +0100 Subject: [PATCH 010/172] update kernel --- hardware-configuration.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/hardware-configuration.nix b/hardware-configuration.nix index fa29e9b..32f6fc8 100644 --- a/hardware-configuration.nix +++ b/hardware-configuration.nix @@ -13,8 +13,7 @@ device = "/dev/sda"; }; kernelModules = ["nvidiabl" "kvm-intel"]; - kernelPackages = pkgs.linuxPackages_3_18; - extraModulePackages = [pkgs.linuxPackages_3_18.nvidiabl]; + extraModulePackages = [pkgs.linuxPackages.nvidiabl]; extraModprobeConfig = '' options nvidiabl min=0x384 max=0x4650 ''; From 77079440731f386b0d6d57430c3868c39f690c46 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Mon, 21 Dec 2015 00:53:08 +0100 Subject: [PATCH 011/172] cups --- hardware-configuration.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hardware-configuration.nix b/hardware-configuration.nix index 32f6fc8..e60047b 100644 --- a/hardware-configuration.nix +++ b/hardware-configuration.nix @@ -58,6 +58,9 @@ }; swapDevices = [ ]; - + services.printing = { + enable = true; + drivers = [ pkgs.gutenprint ]; + }; nix.maxJobs = 8; } From d0bbe5252dcf3f91d1756e44dc540ef6749c294a Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Mon, 21 Dec 2015 00:53:16 +0100 Subject: [PATCH 012/172] comment --- configuration.nix | 2 +- modules/powerdown.nix | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/configuration.nix b/configuration.nix index 5019a50..6789307 100644 --- a/configuration.nix +++ b/configuration.nix @@ -30,7 +30,7 @@ # List packages installed in system profile. To search by name, run: # $ nix-env -qaP | grep wget environment.systemPackages = with pkgs; [ - (texLiveAggregationFun { paths = [ texLive texLiveExtra texLiveBeamer lmodern ]; }) + #(texLiveAggregationFun { paths = [ texLive texLiveExtra texLiveBeamer lmodern ]; }) atool bc git 
diff --git a/modules/powerdown.nix b/modules/powerdown.nix index 684d237..0d7a6d5 100644 --- a/modules/powerdown.nix +++ b/modules/powerdown.nix @@ -6,6 +6,8 @@ let in { + # the scripts are pretty heavily modified. + # from https://github.com/march-linux/powerdown services.udev.path=powerswpath; services.udev.extraRules = '' SUBSYSTEM=="power_supply", ATTR{online}=="0", RUN+="${powersw}" From 22403ab40de9fb4190554bb15dab9372817f4b2a Mon Sep 17 00:00:00 2001 
From: Yorick van Pelt Date: Thu, 28 Jan 2016 02:59:31 +0100 Subject: [PATCH 013/172] change all the things --- .gitignore | 2 + ascanius/configuration.nix | 39 ++++++ .../hardware-configuration.nix | 15 ++- conf | 23 ++++ configuration.nix | 71 ---------- deploy_key.asc | 45 +++++++ frumar/configuration.nix | 33 +++++ frumar/hardware-configuration.nix | 33 +++++ modules/gogs.nix | 95 ++++++++++++++ modules/le_nginx.nix | 122 ++++++++++++++++++ network.nix | 11 ++ ospinio/configuration.nix | 75 +++++++++++ ospinio/hardware-configuration.nix | 46 +++++++ packages/gogitget.nix | 20 +++ packages/gogs.nix | 19 +++ packages/yori-cc.nix | 26 ++++ roles/common.nix | 80 ++++++++++++ graphical.nix => roles/graphical.nix | 5 - roles/pub.nix | 18 +++ roles/quassel.nix | 31 +++++ secrets.nix.asc | 22 ++++ sshkeys.nix | 5 + 22 files changed, 753 insertions(+), 83 deletions(-) create mode 100644 .gitignore create mode 100644 ascanius/configuration.nix rename hardware-configuration.nix => ascanius/hardware-configuration.nix (85%) create mode 100755 conf delete mode 100644 configuration.nix create mode 100644 deploy_key.asc create mode 100644 frumar/configuration.nix create mode 100644 frumar/hardware-configuration.nix create mode 100644 modules/gogs.nix create mode 100644 modules/le_nginx.nix create mode 100644 network.nix create mode 100644 ospinio/configuration.nix create mode 100644 ospinio/hardware-configuration.nix create mode 100644 packages/gogitget.nix create mode 100644 packages/gogs.nix create mode 100644 packages/yori-cc.nix create mode 100644 roles/common.nix rename graphical.nix => roles/graphical.nix (90%) create mode 100644 roles/pub.nix create mode 100644 roles/quassel.nix create mode 100644 secrets.nix.asc create mode 100644 sshkeys.nix diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..59e3ed0 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +deploy_key +secrets.nix 
diff --git a/ascanius/configuration.nix b/ascanius/configuration.nix new file mode 100644 index 0000000..34ec616 --- /dev/null +++ b/ascanius/configuration.nix @@ -0,0 +1,39 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +let secrets = import ; +in +{ + imports = + [ ./hardware-configuration.nix + ../roles/common.nix + ../roles/graphical.nix + ]; + + # no, not that Ascanius. + networking.hostName = secrets.hostnames.ascanius; + + # GOTTA GO FASTER + # this pulls in systemd-udevd-settle, which slows down boot + systemd.services.scsi-link-pm.enable = false; + + nixpkgs.config = { + allowUnfree = true; + packageOverrides = pkgs : { + bluez = pkgs.bluez5; + }; + }; + + # List packages installed in system profile. To search by name, run: + # $ nix-env -qaP | grep wget + environment.systemPackages = with pkgs; [ + btrfs-progs + ]; + + virtualisation.virtualbox.host.enable = true; + + users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword; +} diff --git a/hardware-configuration.nix b/ascanius/hardware-configuration.nix similarity index 85% rename from hardware-configuration.nix rename to ascanius/hardware-configuration.nix index e60047b..52bde50 100644 --- a/hardware-configuration.nix +++ b/ascanius/hardware-configuration.nix @@ -4,9 +4,11 @@ { imports = [ - ./modules/powerdown.nix + ../modules/powerdown.nix ]; + hardware.cpu.intel.updateMicrocode = true; + boot = { loader.grub = { enable = true; 
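Review bot: `users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword;` keeps the hash out of git, but everything reached through the secrets import is evaluated into the Nix store, which is world-readable on the machine, so the hash (and the hostnames) remain visible to every local user; acceptable for a strong hash, and worth a comment: `# ends up in the world-readable nix store: only ever a hash here, never a plaintext secret`. The `let secrets = import ;` at the top looks like extraction damage rather than the committed text; presumably it reads `import <secrets>`, matching the `secrets=` NIX_PATH entry the `conf` script sets, but that cannot be confirmed from this page.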
@@ -33,8 +35,7 @@ systemd.services."display-manager".preStart = '' chmod a+w $(realpath /sys/class/backlight/nvidia_backlight/brightness) || true ''; - # any better ideas to do this?... please? the scripts are pretty heavily modified. - # from https://github.com/march-linux/powerdown + # this makes sure my wifi doesn't take a minute to work services.udev.extraRules = '' SUBSYSTEM=="firmware", ACTION=="add", ATTR{loading}="-1" ''; @@ -58,9 +59,9 @@ }; swapDevices = [ ]; - services.printing = { - enable = true; - drivers = [ pkgs.gutenprint ]; - }; + services.printing = { + enable = true; + drivers = [ pkgs.gutenprint ]; + }; nix.maxJobs = 8; } diff --git a/conf b/conf new file mode 100755 index 0000000..667ce03 --- /dev/null +++ b/conf @@ -0,0 +1,23 @@ +#!/usr/bin/env bash +if ! [ -e deploy_key ] || ! [ -e secrets.nix ] +then + gpg --decrypt-files secrets.nix.asc deploy_key.asc + sudo chgrp nixbld deploy_key + chmod 640 deploy_key +fi +case $1 in +local) + export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=`pwd`/ascanius/configuration.nix:secrets=`pwd`/secrets.nix + eval ${@:2} + ;; +remote) + export NIX_PATH="nixpkgs=$HOME/builds/nixpkgs/:ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix + eval ${@:2} + ;; +local-deploy) + sudo $0 local nixos-rebuild switch + ;; +remote-deploy) + $0 remote nixops deploy ${@:2} + ;; +esac diff --git a/configuration.nix b/configuration.nix deleted file mode 100644 index 6789307..0000000 --- a/configuration.nix +++ /dev/null 
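Review bot: `gpg --decrypt-files` writes `secrets.nix` and `deploy_key` with the caller's umask before the `chgrp`/`chmod` lines run, so there is a window in which the private key is readable by everyone, and `secrets.nix` never has its permissions tightened at all; nothing stops on error either, so a failed decryption still runs `chgrp`/`chmod` and then a deploy with missing secrets. Starting the script with `set -euo pipefail` and `umask 077` fixes both, after which `chmod 640` is only needed for the group grant. That grant (`sudo chgrp nixbld deploy_key`) makes the key readable by every Nix build user, i.e. by any derivation built on this machine while sandboxing is off and the repository directory is traversable by them; that is acceptable only if this is a read-only deploy key scoped to the repositories it must fetch, and a comment stating why builds need it would help. `eval ${@:2}` should at least be `eval "${@:2}"` so arguments survive word-splitting and globbing, and the `local` branch hard-codes `ascanius/configuration.nix`, which is fine for a laptop but worth a comment.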
@@ -1,71 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, ... }: - -{ - imports = - [ ./hardware-configuration.nix - ./graphical.nix - ]; - - - # no, not that Ascanius. - networking.hostName = "ascanius"; - - # GOTTA GO FASTER - # this pulls in systemd-udevd-settle, which slows down boot - systemd.services.scsi-link-pm.enable = false; - # Set your time zone. - time.timeZone = "Europe/Amsterdam"; - - nixpkgs.config = { - allowUnfree = true; - packageOverrides = pkgs : { - bluez = pkgs.bluez5; - }; - }; - - # List packages installed in system profile. To search by name, run: - # $ nix-env -qaP | grep wget - environment.systemPackages = with pkgs; [ - #(texLiveAggregationFun { paths = [ texLive texLiveExtra texLiveBeamer lmodern ]; }) - atool - bc - git - hdparm - htop - lm_sensors - mtr - ncdu - sl # v important. - smartmontools - unzip zip - wget - ]; - - virtualisation.virtualbox.host.enable = true; - - - nix.binaryCachePublicKeys = ["hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; - - # TODO: cups. - - # Define a user account. Don't forget to set a password with ‘passwd’. - users.extraUsers.yorick = { - isNormalUser = true; - uid = 1000; - extraGroups = ["wheel"]; - }; - - # not using ipv6 for now - networking.enableIPv6 = false; - - nix.binaryCaches = [ - https://hydra.nixos.org - ]; - nix.trustedBinaryCaches = config.nix.binaryCaches; - - -} diff --git a/deploy_key.asc b/deploy_key.asc new file mode 100644 index 0000000..55247be --- /dev/null +++ b/deploy_key.asc 
@@ -0,0 +1,45 @@ +-----BEGIN PGP MESSAGE----- +Version: GnuPG v2 + +hQIMA++MoCsgK05SAQ//b7c3XC7n5YZwVRGUMaZM2X9SUJcGdfls1spFI7ef9VoP +129fWxELMuFNRpkjq1eLhtkexIA5WW4z6ORMhNW0XQX28FWN/EhJb+5VcmEHquEP +/VHX7OGQ0i+MJBklXKBy6gH7PHqPn6ExYF2j+Ath7Hqf7MiBzFMVAElqPrTGwTJc +EaGE2GzM5jP+/LRyi3yErufDVQsjf2exD0hlb//gHwFsgir3N6GGywE9kMT+0/Fu +TA5K0HB2Ho2ZIY1CGZO1PQt0hKjbBiNKHPrExogeWgTL+xWk2isGZC3yU/JvY8iY +7fS4d7jLOyaUwpPV1dZtSTv4l22ooCuDAWWevxQwNFFpgtvVgpyLkU8k3yrPrNaS +bdXXAwaf2ejrIyxrxIi05P3B9T74lgFjHfEgczAvuumXxeGMK38HVIwHwEFSRyRm +I+UNN/SF3JigiQx/NSde4iZioy1AkH9aICu1OYKVLZ6PdfQzxlMDH0o0RapKxfyk +a48160uE8/A9/5G1YlNqzYxorqE7KgezryS7pMJHIANY3YqadW0q+sFveqUHGDuB +e2965cmnZ5gIVg327UTzMsnGMEQPTFnmhbBZSqnogCqEEjvxE+E5iTGQLMNij2Tk +Ws+xGtZ78IhnHeu2teVEwLyVWyDFBamsKyuRp0dIZSo4v8VpjhjLQu/jC/vy9pnS +6gHQ0WbD/WqMS0s91vsK7KMciX9nVzDh9gtrH6Xa0lwCgZIU8EmzxD3PF3S4f2k8 +FZzwsT89HOEauYx7CFeIl4I17MpgWK63I0Y+VE2kRwednbC1xdmA5reMNjaeHlgR +xvbGQFZeNvfswyl8FNd6izRLytH/9ApV6B44GjYbsIOrSsqq9lOyBkeR5B5yM0Tq +UJi/vj7TlLYcmnANlXuPlnk593645FdtVVMLONAJWjoI2cYQgTezaGRVBPuO9YpA +ShJj85+02oZ6cWs5hiSQzbNZWY4B2cKrZoGS/T/Ugy4eeuP4VDwMNS95SVv9Md+4 +pAEoUiuGr+rZQwelSnyBjp7gINNVWBbBkMS/jQiVJqntQq651LAgd+/YDNJU7+OF +xERWSdr+DbxvK6T4e2ffcs3Qlwz/zY1tpGCRtcW5kqX0fKbZVEoQV6F35i8V7yZ0 +j6MqlFhCryzJ5ahi46FXxfxumlQx4JTI55Kw7H58EaNoiENIGUhm2LokOH8XBvlU +fll0CG9pq78FaxfSCz+9KpmdIwnQZ3VFVWX28JsJ+SYgzUYjlNPqq5zW6tT/MPST +2P/y815oqNFVwf3F4gTvhiFn47MzdvU/BcteitBqDSYSoVv3dMV9995CF3CzF3gs +Zk9ksJqVjvpD2t9eYUFbGmxsaGA0UqvcnkDwuvaZR2VWEuW8hd+cHhj/1IrW5xpg +Lf7VxEXJEOEBpzefFaFdeiiWKRqN6oib8VzxE5v25+3jlLAfULh+L8GlCn1Wl6lQ +uL/3zKdd+jwr9MYhWoA529DIx7tema+D3Sjb9Tt5ZW6rMr8epKAhq+uMkPaoYSpl +My4tlS16RgJ3Pp4wqRH1NZ1+1FwzMyyyP2RoP0oD+Zpp7CIPhvewRaq28EMcIJd1 +f1Yy2s54u5IlvNsKgbO8P1Id0mpCHOmf0LIGG9REBe0VEgWeCOB5nUdaJo03VSYo +QYRR4O23gR/QrTXKrwol1AP7c34nGpXdevy37u7HZFAEDiBEw2/ZQECnmP6Xq6fO +nl7ud5Z0j/Rq1pWyLo8LqqPk4G5sYjA2IGnCq/q7LDIQSSZVZFYClBs2xwwcO4ff +dlYdWw23jnZOE73tvnxVatLA7sbVEchlg5xRKBp0rEUJbjw0/N5yz+8ldwkj2+SG 
+g6ww1lGVbM1R8ebTdOoGLNZqaGqXwT6c+QoliSjK6EQEZrBmtjA7Eg4nA62kg8+N +QJb/3aXC4VJ7j1RYySEhTKovwNMpHCIqk3x/VjqUMwtubU9pNLPeedKGgvhVg3o4 +fiEJo2TKFDgCfKxPb8JyeQBHPCvtyqGjoqWvLsbqdUKIKtylWrqx3bfQXVJlcnfX +iAYgM0+S4b9a46myhAQWEvfAk5IRaTgSPwvoi5ONTrYivi874M60uWs9Bq9hLtXo +pWRwhltqvNXC/kVDsWmCcItuUVf2361KzzB1l3o28EgLN6VNZ1FPnnj36l73MXrh +rBGLjgxDTsf+/Geik7s/M7sfwmuEBPr4vIQKRgLI43emkK7f1wtp4yxEmtGoQGV3 +2RSBW2yajFOGeJKxS9ctZaOOEnyEGIFj53HiElT+mUhEfnI3wCCdnW+MjEgo3Zaj +2/Rdj5oN5cXX+TV3HeR3c+atXCMZ9aJ0XRncijuBci4RaFdiRjN72cQC7Y/1RT4I +HpGT3xzQd/Io7HDP/fPEpBuHO9czl5VQBTY61Rbn91EwY4/C//mCFcAhKu4Aqd8X +IA/BGabdZ24xFVStDijY2lWFcUerjpvYOR7jBb7eeroDj2dwabuXQilhvuoDlw3d +wA4QPlR8SMuJlCZLKkHyq5ALWmzm/g== +=uAoS +-----END PGP MESSAGE----- diff --git a/frumar/configuration.nix b/frumar/configuration.nix new file mode 100644 index 0000000..cc41641 --- /dev/null +++ b/frumar/configuration.nix @@ -0,0 +1,33 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: +let secrets = import ; +in +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ../roles/common.nix + ../modules/le_nginx.nix + ../modules/gogs.nix # todo: better separation here + ../roles/quassel.nix + ../roles/pub.nix + ]; + + + networking.hostName = secrets.hostnames.frumar; + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + + # The NixOS release to be compatible with for stateful data such as databases. + system.stateVersion = "15.09"; + + gogs.domain = "git.yori.cc"; + + le_nginx.email = secrets.email; # you probably know this, but spam + le_nginx.enable = true; + le_nginx.enable_ssl = true; +} \ No newline at end of file diff --git a/frumar/hardware-configuration.nix b/frumar/hardware-configuration.nix new file mode 100644 index 0000000..64389db --- /dev/null 
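Review bot: Committing the encrypted deploy key is reasonable given the matching `.gitignore` entries for the plaintext, but git history keeps every version of this ciphertext forever, so if the GPG key it is encrypted to is ever compromised the SSH key itself must be rotated, not merely re-encrypted. A one-line note (README or a comment in `conf`) naming which GPG key the blob is encrypted to would make that rotation path visible, since it cannot be told from the armored message.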
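Review bot: `services.openssh.enable = true;` is the only sshd setting on this internet-facing host, and on NixOS releases of this era (`stateVersion = "15.09"`) the module defaults still allowed password authentication and, I believe, root login; unless ../roles/common.nix sets them (it is not in this view, though an sshkeys.nix is in the diffstat), add `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "without-password";` here, root staying allowed with keys because nixops deploys as root over SSH. The same applies to the ospinio/configuration.nix hunk later in this patch. The `le_nginx.email` comment could say what the address is used for, e.g. `# ACME account contact; kept in secrets.nix to avoid spam harvesting`.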
+++ b/frumar/hardware-configuration.nix @@ -0,0 +1,33 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + # Define on which hard drive you want to install Grub. + boot.loader.grub.device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S21PNXAG441016B"; + + + fileSystems."/" = + { device = "/dev/disk/by-uuid/ba95c638-f243-48ee-ae81-0c70884e7e74"; + fsType = "ext4"; + options = "defaults,relatime,discard"; + }; + + swapDevices = + [ { device = "/dev/disk/by-label/nixos-swap"; } + ]; + + nix.maxJobs = 4; +} diff --git a/modules/gogs.nix b/modules/gogs.nix new file mode 100644 index 0000000..3dff55a --- /dev/null +++ b/modules/gogs.nix 
@@ -0,0 +1,95 @@ +{ config, pkgs, lib, ... }: +let + gitHome = "/var/gogs"; + gogs = pkgs.callPackage ../packages/gogs.nix { }; + gogsPort = 8001; + domain = config.gogs.domain; + gogsConfig = pkgs.writeText "gogs.ini" '' +APP_NAME = Gogs: Go Git Service +RUN_USER = git +RUN_MODE = prod +[database] +DB_TYPE = sqlite3 +HOST = 127.0.0.1:3306 +NAME = gogs +USER = root +PASSWD = +SSL_MODE = disable +PATH = ${gitHome}/data/gogs.db +[repository] +ROOT = ${gitHome}/gogs-repositories +[server] +DOMAIN = ${domain} +HTTP_PORT = ${toString gogsPort} +ROOT_URL = https://${domain}/ +DISABLE_SSH = false +SSH_PORT = 22 +OFFLINE_MODE = false +[mailer] +ENABLED = false +[service] +REGISTER_EMAIL_CONFIRM = false +ENABLE_NOTIFY_MAIL = false +DISABLE_REGISTRATION = true +REQUIRE_SIGNIN_VIEW = false +[picture] +DISABLE_GRAVATAR = false +AVATAR_UPLOAD_PATH = ${gitHome}/data/avatars +[session] +PROVIDER = file +[log] +ROOT_PATH = ${gitHome}/logs +MODE = file +LEVEL = Info +[security] +INSTALL_LOCK = true +''; +inherit (lib) mkOption types; +in +{ + imports = [./le_nginx.nix]; + options.gogs = { + domain = mkOption { + type = types.string; + description = "The domain to run the servers on"; + default = {}; + example = "git.domain.com"; + }; + }; + config = +{ + users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; useDefaultShell = true;}; + users.extraGroups.git = { }; + systemd.services.gogs = { + path = with pkgs; [ git openssh bash ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "simple"; + Restart = "always"; + User = "git"; + Group = "git"; + ExecStart = "${gogs}/gogs web -c ${gogsConfig}"; + WorkingDirectory = gitHome; + }; + }; + le_nginx.servers.${domain} = '' + location / { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_redirect off; + proxy_buffering off; + 
proxy_pass http://gogs; + client_max_body_size 30M; + break; + } + ''; + services.nginx.httpConfig = '' + upstream gogs { + server 127.0.0.1:${toString gogsPort}; + } + ''; +}; +} diff --git a/modules/le_nginx.nix b/modules/le_nginx.nix new file mode 100644 index 0000000..2484791 --- /dev/null +++ b/modules/le_nginx.nix 
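Review bot: `options.gogs.domain` is declared `types.string` but given `default = {}`, so a host that forgets to set it fails with a type mismatch deep in evaluation instead of a clear "gogs.domain is not set" error; drop the default (a `mkOption` without `default` makes the option required) or use `default = null` with a matching `nullOr` type. The gogs unit runs as the dedicated `git` user, which is good, but has no sandboxing; `PrivateTmp = true;`, `NoNewPrivileges = true;` and `ProtectSystem = "full";` in `serviceConfig` cost nothing for a service whose writable state is all under `/var/gogs`. The `[database]` HOST/USER/PASSWD lines are MySQL leftovers that are ignored with `DB_TYPE = sqlite3`; removing them, or a comment saying so, avoids the impression of a root account with an empty password. `DISABLE_REGISTRATION = true` and `INSTALL_LOCK = true` are the right settings for a single-user instance.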
@@ -0,0 +1,122 @@ +{ config, lib, pkgs, ... }: +let +cfg = config.le_nginx; +sslcfg = {fullchain ? "fullchain.pem", key ? "key.pem"}: '' + ssl on; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_certificate_key /etc/sslcerts/${key}; + ssl_certificate /etc/sslcerts/${fullchain}; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_protocols TLSv1.1 TLSv1.2; + # ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; + ssl_prefer_server_ciphers on; + add_header Strict-Transport-Security max-age=15768000; + ssl_stapling on; + ssl_stapling_verify on; +''; +makeServerBlock = servername: locationblock: '' + server { + listen 443; + server_name ${servername}; + ${sslcfg {}} + ${locationblock} + } +''; +vhosts = with lib; unique (concatMap (splitString " ") (attrNames cfg.servers)); +inherit (lib) mkEnableOption mkOption types mkIf; +in +{ + # todo: the problem here is that nginx will refuse to start initlaiiy + # because the SSL cert will be missing + # so you have to temporarily disable the ssl + options.le_nginx = { + enable = mkEnableOption "enable new nginx module"; + enable_ssl = mkEnableOption "enable the SSL blocks"; + servers = mkOption { + type = types.attrsOf types.string; + description = "The servers to host"; + default = {}; + example = {"git.domain.com" = "location / {}";}; + }; + email = mkOption { + type = types.string; + description = "email address to pass to LE"; + }; + }; + config = mkIf cfg.enable { + systemd.services.letsencrypt = { + path = [ 
pkgs.simp_le ]; + restartIfChanged = true; + serviceConfig = { + Type = "oneshot"; + }; + script = '' + mkdir -p /etc/sslcerts/acmeroot + cd /etc/sslcerts + simp_le ${lib.concatMapStringsSep " " (x: "-d " + x) vhosts} --default_root $PWD/acmeroot -f fullchain.pem -f key.pem -f account_key.json --email ${cfg.email} + ''; + startAt = "04:00"; + }; + services.nginx = { + enable = true; + httpConfig = '' + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log logs/access.log main; + sendfile on; + #tcp_nopush on; + + #keepalive_timeout 0; + keepalive_timeout 65; + + server_tokens off; + + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + + gzip on; + + server { + listen 80 default_server; + server_name ${lib.concatStringsSep " " vhosts}; + location /.well-known/acme-challenge { + default_type text/plain; + alias /etc/sslcerts/acmeroot/.well-known/acme-challenge; + } + location / { + rewrite ^(.*) https://$host$1 permanent; + } + } + '' + lib.optionalString cfg.enable_ssl '' + + # the default thing, for if no vhost is given + # generate default.pem and default.key manually + # and self-sign, if you feel like it + server { + listen 443 default_server; + server_name ""; + + ${sslcfg {fullchain = "default.crt"; key = "default.key";}} + + location / { + root ${pkgs.nginx}/usr/share/nginx/html; + index index.html index.htm; + } + + location = /50x.html { + root ${pkgs.nginx}/usr/share/nginx/html; + } + } + + ${lib.concatStringsSep "\n" (lib.mapAttrsToList makeServerBlock cfg.servers)} + + ''; + }; + networking.firewall.allowedTCPPorts = [80 443]; + }; + + +} diff --git a/network.nix b/network.nix new file mode 100644 index 0000000..ca9027a --- /dev/null +++ b/network.nix 
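Review bot: `ssl_stapling_verify on;` in `sslcfg` has no `ssl_trusted_certificate`, and nginx verifies stapled OCSP responses only against the issuer chain given by that directive, so the responses are likely to be rejected rather than stapled; have simp_le also emit the chain (`-f chain.pem`) and add a third parameter, `chain ? "chain.pem"`, emitted as `ssl_trusted_certificate /etc/sslcerts/${chain};` (the self-signed default server would need its own file, or stapling disabled for it). The comment above the default server says to generate `default.pem`, while the call passes `fullchain = "default.crt"`; one of the two should change. `/etc/nginx/dhparam.pem` is likewise required by `sslcfg` but neither generated nor mentioned in the TODO at the top, so a fresh host fails at nginx start until it is created by hand. `ssl_protocols TLSv1.1 TLSv1.2;` was reasonable when written; TLS 1.1 is deprecated now and can be dropped. The `letsencrypt` unit runs as root and leaves `key.pem` with whatever umask the service gets, so an explicit `UMask = "0077";` in its `serviceConfig` would keep the private key unreadable to other users.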
@@ -0,0 +1,11 @@
+with (import ).hostnames; {
+ network.description = "yorick's stuff";
+ ospinio = {
+ imports = [./ospinio/configuration.nix];
+ deployment.targetHost = ospinio;
+ };
+ frumar = {
+ imports = [./frumar/configuration.nix];
+ deployment.targetHost = frumar;
+ };
+}
diff --git a/ospinio/configuration.nix b/ospinio/configuration.nix
new file mode 100644
index 0000000..12ac1b2
--- /dev/null
+++ b/ospinio/configuration.nix
@@ -0,0 +1,75 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +let yoricc = import ../packages/yori-cc.nix; +in + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ../roles/common.nix + ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + # Define on which hard drive you want to install Grub. + # boot.loader.grub.device = "/dev/sda"; + + networking.hostName = (import ).hostnames.ospinio; + + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + + # The NixOS release to be compatible with for stateful data such as databases. + system.stateVersion = "15.09"; + + services.nginx = { + enable = true; + httpConfig = '' + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log logs/access.log main; + sendfile on; + #tcp_nopush on; + + #keepalive_timeout 0; + keepalive_timeout 65; + + + gzip on; + + server { + listen 80; + server_name ""; + + location / { + root ${pkgs.nginx}/usr/share/nginx/html; + index index.html index.htm; + } + + location = /50x.html { + root ${pkgs.nginx}/usr/share/nginx/html; + } + } + + server { + listen 80; + server_name yori.cc; + server_tokens off; + location / { + root ${yoricc}/web; + } + } + + ''; + }; + networking.firewall.allowedTCPPorts = [22 80]; +} diff --git a/ospinio/hardware-configuration.nix b/ospinio/hardware-configuration.nix new file mode 100644 index 0000000..b460a15 --- /dev/null +++ b/ospinio/hardware-configuration.nix 
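Review bot: `server_tokens off;` is placed only inside the `server_name yori.cc` block, so the catch-all server on the same port (`server_name ""`) still announces the nginx version in its Server header and on its error pages; move the directive up to the http level, next to `gzip on;`, so both servers inherit it. The same placement recurs in pennyworth/configuration.nix later in this series, where the httpConfig is copied verbatim. Both hosts listen on 80 only, so the site is plain HTTP; if that is intentional a one-line comment saying so would save the next reader from hunting for a missing 443 listener.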
@@ -0,0 +1,46 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ ]; + + swapDevices = + [ { device = "/dev/disk/by-uuid/be7625e5-2e2c-41f2-8d5f-331f90980b9e"; } + ]; + + boot = { + kernelModules = [ ]; + extraModulePackages = [ ]; + kernelParams = ["boot.shell_on_fail"]; + loader.grub.device = "/dev/sda"; + loader.grub.storePath = "/nixos/nix/store"; + initrd.availableKernelModules = [ "ata_piix" "vmw_pvscsi" "floppy" ]; + initrd.supportedFilesystems = [ "ext4" ]; + initrd.postDeviceCommands = '' + mkdir -p /mnt-root/old-root ; + mount -t ext4 /dev/mapper/CAC_VG-CAC_LV /mnt-root/old-root ; + ''; + }; + + fileSystems = { + "/" = { + device = "/old-root/nixos"; + fsType = "none"; + "options" = "bind"; + }; + "/old-root" = { + device = "/dev/mapper/CAC_VG-CAC_LV"; + fsType = "ext4"; + }; + }; + networking = { + interfaces.enp2s0 = { + useDHCP = false; + ipAddress = "104.233.92.136"; + prefixLength = 24; + }; + defaultGateway = "104.233.92.1"; + nameservers = ["8.8.8.8"]; + }; + nix.maxJobs = 1; + +} diff --git a/packages/gogitget.nix b/packages/gogitget.nix new file mode 100644 index 0000000..47b7abd --- /dev/null +++ b/packages/gogitget.nix @@ -0,0 +1,20 @@ +# this is the secure fetchgit, but it actually works +{ fetchgit, writeScript, openssh, stdenv }: args: derivation ((fetchgit args).drvAttrs // { + SSH_AUTH_SOCK = if (builtins.tryEval ).success + then builtins.toString + else null; + GIT_SSH = writeScript "fetchgit-ssh" '' + #! ${stdenv.shell} + TEMP_ID=$(mktemp) + cp ${let + sshIdFile = if (builtins.tryEval ).success + then + else builtins.trace '' + That didn't work. + '' "/var/lib/empty/config"; + in builtins.toString sshIdFile} $TEMP_ID + chown `whoami` $TEMP_ID + chmod 400 $TEMP_ID + exec -a ssh ${openssh}/bin/ssh -i $TEMP_ID -o StrictHostKeyChecking=no "$@" + ''; +}) diff --git a/packages/gogs.nix b/packages/gogs.nix new file mode 100644 index 0000000..4f90c6a --- /dev/null +++ b/packages/gogs.nix 
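Review bot: The ssh wrapper in gogitget.nix passes `-o StrictHostKeyChecking=no`, which accepts whatever host key is offered, so the fetch performs no server authentication; the fixed-output `sha256` still guarantees the bytes that land in the store, but a wrong or interposed host is only noticed as a hash mismatch at the very end. Pinning the server key, e.g. `-o UserKnownHostsFile=<known-hosts-path-placeholder> -o StrictHostKeyChecking=yes`, gives an early, explicit failure instead; the later gogitget hunk (adding `-F /dev/null`) keeps the same option. Because `exec` replaces the shell, the `$TEMP_ID` copy of the deploy key is never removed and lingers in the builder's temp dir after each fetch, and the `chown` to the current user is a no-op and can go.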
@@ -0,0 +1,19 @@ +# https://uggz.tk/gebner/nixos-config/src/master/pkgs/gogs.nix +{ nixpkgs ? import {} }: with nixpkgs; +stdenv.mkDerivation rec { + name = "gogs-${version}"; + version = "0.8.10"; + src = fetchzip { + url = "https://dl.gogs.io/gogs_v${version}_linux_amd64.tar.gz"; + sha256 = "0c0abr0jinyvwhw84901ga80x6q13a0q8yrs6k5i8jawhpwvfl67"; + }; + buildPhase = '' + patchelf \ + --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ + --set-rpath ${pam}/lib \ + gogs + ''; + installPhase = '' + cp -ra ./ $out/ + ''; +} diff --git a/packages/yori-cc.nix b/packages/yori-cc.nix new file mode 100644 index 0000000..ee6bae8 --- /dev/null +++ b/packages/yori-cc.nix @@ -0,0 +1,26 @@ +with import {}; + +let gogitget = callPackage ./gogitget.nix {}; in + +stdenv.mkDerivation { + name = "yori-cc-1.0"; + + src = gogitget { + url = "git@git.yori.cc:yorick/yori-cc.git"; + rev = "965d05d8258821ece8d7421027acf9541437ff26"; + sha256 = "0dcdc2b00e4ba3f9fb2afe5a8b41afd5eb2b03f308dfa48827722f23c489f0d7"; + }; + + buildInputs = [ ]; + + installPhase = '' + mkdir -p "$out/web" + cp -ra * "$out/web" + ''; + + meta = { + description = "Yori-cc website"; + homepage = http://yori.cc; + maintainers = [ "Yorick" ]; + }; +} diff --git a/roles/common.nix b/roles/common.nix new file mode 100644 index 0000000..536dbb8 --- /dev/null +++ b/roles/common.nix 
@@ -0,0 +1,80 @@ +{ config, pkgs, lib, ...}: +{ + imports = []; + time.timeZone = "Europe/Amsterdam"; + users.mutableUsers = false; + users.extraUsers.root = { + openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys; + }; + users.extraUsers.yorick = { + isNormalUser = true; + uid = 1000; + extraGroups = ["wheel"]; + group = "users"; + openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [yorick]; + }; + + # Nix + nixpkgs.config.allowUnfree = true; + + nix.binaryCaches = [ + https://hydra.nixos.org + ]; + + nix.trustedBinaryCaches = config.nix.binaryCaches; + nix.binaryCachePublicKeys = ["hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; + + nix.extraOptions = '' + allow-unsafe-native-code-during-evaluation = true + allow-unfree = true + ''; + + # Networking + networking.enableIPv6 = false; + + services.openssh = { + passwordAuthentication = false; + challengeResponseAuthentication = false; + }; + + environment.systemPackages = with pkgs; [ + # v important. + cowsay ponysay + ed # ed, man! + sl + + vim + + # system stuff + ethtool inetutils + pciutils usbutils + iotop powertop htop + psmisc lsof + smartmontools hdparm + lm_sensors + ncdu + + # utils + file which + reptyr + tmux + bc + + # archiving + xdelta + atool + unrar p7zip + unzip zip + + # network + nmap mtr + socat netcat-openbsd + lftp wget rsync + + git + nix-repl + rxvt_unicode.terminfo + ]; + nix.gc.automatic = true; +} + diff --git a/graphical.nix b/roles/graphical.nix similarity index 90% rename from graphical.nix rename to roles/graphical.nix index 1bd2792..2fa9364 100644 --- a/graphical.nix +++ b/roles/graphical.nix @@ -22,11 +22,6 @@ hardware.pulseaudio.enable = true; hardware.pulseaudio.support32Bit = true; - environment.systemPackages = with pkgs; [ - slock - ]; - security.setuidPrograms = [ "slock" ]; - fonts = { enableFontDir = true; enableGhostscriptFonts = true; 
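Review bot: `allow-unsafe-native-code-during-evaluation = true` in nix.extraOptions enables the unsafe evaluation builtins (`builtins.exec`, `builtins.importNative`), so any Nix expression evaluated on these hosts — channels included — can run arbitrary native code at evaluation time; nothing on this page needs that, so drop the line or pass it as `--option` to the one invocation that does. Root receives the same authorized_keys as yorick (`users.extraUsers.root.openssh.authorizedKeys.keys = ...`) while `services.openssh` sets `passwordAuthentication = false` but leaves `permitRootLogin` at the release default; set `permitRootLogin = "without-password";` explicitly so root key login is a deliberate, visible choice.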
diff --git a/roles/pub.nix b/roles/pub.nix new file mode 100644 index 0000000..6bf0edb --- /dev/null +++ b/roles/pub.nix @@ -0,0 +1,18 @@ +{ config, pkgs, lib, ... }: +{ + imports = [../modules/le_nginx.nix]; + config = { + users.extraUsers.public = { + home = "/home/public"; + useDefaultShell = true; + openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public]; + createHome = true; + }; + le_nginx.servers."pub.yori.cc" = '' + location / { + root /home/public/public; + index index.html; + } + ''; + }; +} diff --git a/roles/quassel.nix b/roles/quassel.nix new file mode 100644 index 0000000..a036207 --- /dev/null +++ b/roles/quassel.nix @@ -0,0 +1,31 @@ +{config, pkgs, lib, ...}: +{ + containers.quassel = { + config = { config, pkgs, ... }: { + services.postgresql.enable = true; + services.postgresql.package = pkgs.postgresql94; + services.quassel = { + # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix + enable = true; + interface = "0.0.0.0"; + }; + environment.systemPackages = [ + pkgs.quasselDaemon_qt5 + ]; + networking.firewall.allowedTCPPorts = [4242]; + }; + privateNetwork = true; + hostAddress = "192.168.125.1"; + localAddress = "192.168.125.11"; + }; + # give the containers networking + networking.nat = { + enable = true; + internalInterfaces = ["ve-+"]; + externalInterface = "enp2s0"; + forwardPorts = [ + { sourcePort = 4242; destination = "192.168.125.11:4242"; } + ]; + }; + networking.firewall.allowedTCPPorts = [4242]; +} diff --git a/secrets.nix.asc b/secrets.nix.asc new file mode 100644 index 0000000..5641e76 --- /dev/null +++ b/secrets.nix.asc 
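Review bot: In pub.nix the `public` account gets `useDefaultShell = true` plus an authorized key, so the holder of that key has a full interactive shell on the host rather than just write access to the /home/public/public tree that the nginx vhost serves; if the account exists only to upload files, an sftp-only `Match User public` stanza (`ForceCommand internal-sftp`) in sshd extraConfig, or at least a `command=` restriction on the key in sshkeys.nix, limits what that key can do. The nginx worker also needs search permission on /home/public to reach `root /home/public/public`; confirm the mode `createHome` gives the directory, since a 0700 home makes every request 403.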
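Review bot: In quassel.nix `services.quassel.interface = "0.0.0.0"` together with the NAT `forwardPorts` rule for 4242 makes the quassel core reachable from the external interface, and nothing in the hunk configures a certificate for it, so client logins would cross the network in the clear unless the core finds one in its data dir; set `services.quassel.certificateFile` (or confirm a cert is provisioned out of band) and bind the core to `localAddress` (`interface = "192.168.125.11";`) since the forward already targets that address. `networking.firewall.allowedTCPPorts = [4242]` appears both inside the container and on the host; the host entry is what exposes the port, so a short comment on why the core must be world-reachable would help the next reader.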
@@ -0,0 +1,22 @@ +-----BEGIN PGP MESSAGE----- +Version: GnuPG v2 + +hQIMA++MoCsgK05SARAAgsaInIKBcBNB04oarPxeswE+Y+DFWmb3JDPChesJCDy+ +OkVMFp+ZOkNgoVBFdJ/jrCngNNK/MJ4Nx0G87HIy4OEoSyEDWAgZCg6+eZHlUVkY +XjUVpWMA5ppzEieiqAF3VczZ9sk8kLseagTbIR/AA+DF4cXNjT46zcURtVUsxkTo +rBoCRlGgzVi5L3dzz81CFR1ZdIbQ1SpDib9isLGd38dPvTXFD8IJLmcef8SR2FkN +eKoaA2HIC3CF3BfGBlKj+pcXsytHXgs5B2JUzGo0RYdLokQBh4/JhFT8obT5/udz +IbiqdcREyp6rUw+VMmcFSu1OIdpQ+OzfiiKcMkNIO1VO1GXNQkfUfo5FbVMIxKu1 +DQ4l00DBr6vWS3S3djPzMMmznAUIXAsBrby7cta5Utel+lcTjSa4tbEVHMQKx+Qy +mjzS/GnpRBPnAsxapUDLdTmUPxALpI76mZVRm9xZyYYcliphUdO6Sx9Er8BEEnuz +DdTgOO3bDz/wx3+oth9YNn+FqYKMItUJ/FZIcdPklrNd1/zKbS5hLt6+tmjQAJGH +rMWumhEc9NQIKbWdl8TovV9jF+NYS7mmxzi/TP4C+eNlYuZYNf8tAS+edr+Z0wSy +crHANbmnfLwAWzpJhqWAFtPJ8fLFoNUEz2Z+Sc3MgCCN6zXl2qMyDDd/Ns6+FInS +wFsBcOTNfaHqkiaMQSJQVx0H8yhLos25ECwLu7+ux7uRRGc5m+cMyq6nRBT7HPEa +7bfYE2xGMirIsHsxFkx+0U3ytUSRoPQYBIQuM3al71ao1b7WCyZFr58FF59wVUqp +9Dz7bNUpXuSzyahJAX6+RHFliLgKwsKHox93eBgcTI1FvJc5sqfHfzfqhdjylTgA +yWIpeZTjMhwXf4j0JrbUZt1b/9U2vzwbJQpYKkVn21zntTea+9+LMNziWHW1q2Lx +gJJPD5P9eTHuAjzdzQwEReijDicx3E1+AaPAvEqbGSP58p24c/K+Mlf3BQu1QgZz +mwDKQO9XZf1WCTvybsMktrFQzpOYhNIVDy1R7HSVB4wRu3LslrKmRpByjZ9y +=rpa6 +-----END PGP MESSAGE----- diff --git a/sshkeys.nix b/sshkeys.nix new file mode 100644 index 0000000..313272c --- /dev/null +++ b/sshkeys.nix 
@@ -0,0 +1,5 @@ +{ + public = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZv+hBDmjxF8h9Gxwvy0o7sMgOsqwp8pVj9AlpG90Y7agvkOm2IGtFueVfiDe0yWPXT0/EIiVWcPhWwcVkbY/BkypPJSMLnlcQ6ld+aO1g+BtdDaVuxcTSvQ77UCT2p+wftxoq1EiUdlhTsXpPucrBd+5NOde+jlPBE4qChIAf2zhOIByJAGT+M4Ie3eV4p5S9LB9CMI4s32gNUBbSA8UDmkjpBXkf9a1TZzdkOGWUmUFXt53/O8LZlGK9kkA5TsjM2xaxDjCLWf5wEcey4JsEggi1prE4aB68Q7+kdbvDiVSEFyZn0A/A9RXHBRAgW8yPdh+EGC56iDW/wkGxWBY5"; + deploy = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGGQytwzcR2DrnYQlnZSbXNpSClCFFvy4gqak8r7u8nYplu5azdq6yNN5TRAEoseiTl2WbdnwgVNluze5FF8a5p2XDyu754YF9nyNbQvzWt5dyjFLemDbj5vAzUnQY+52L9qwo5OK3oG2qZx76T7B5CnEN/JDJxGT3xveRyVUSTnNj/N0iiYVsOcEzGpkdKf/5QOGHuZWJrqwz2CNalKbXAJU9mEOHAH+fSxSmf99YCwwF+GyfYUL3eGIZ9CP1pUQX0CZKq8APW+rLlXJuGOrLTNYWd2jTzea95oiyMQeDhidTeyyPWi2GI32tRHVegg6wMzFo7b/m1f/BI18h9psn"; + yorick = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDi8Dn148E6k4TMBnRtkLRP4FSNSe54fn1vOtGtyE9eLIa5kg1SaGsijRmlCddILxiNO6uZsp6thaWwL+QWbBBEi9kdPpzyPDlrBkKJqOTJJH+94Gxnfxu8SkiQMoI5XOTKvzmhsw4hhHKDmGKlOv/qQjwzjsoyAO3AvBIgXAlstnDVWYgMK9ijf7FxR//YTDYqM8ABNJZvcsDXyN1feJWtJ0KYvd2Mg8kS/sVoAjEEaXsto3V3HaqxMQn5mRicJARNBJUCT/BOGrc50wy9zwBOvPZO72js2s6D62fzRDBcHuOoSv/z45DDcZxhonPg6OZcYe7dMKnFw1e/ndzwze6V"; +} From 1f47e3ba306e713769df3fabf64b7e2472aea396 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 12 Apr 2016 16:48:36 +0200 Subject: [PATCH 014/172] update --- ascanius/configuration.nix | 2 +- ascanius/hardware-configuration.nix | 2 +- roles/common.nix | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ascanius/configuration.nix b/ascanius/configuration.nix index 34ec616..aad13ae 100644 --- a/ascanius/configuration.nix +++ b/ascanius/configuration.nix @@ -30,7 +30,7 @@ in # List packages installed in system profile. To search by name, run: # $ nix-env -qaP | grep wget environment.systemPackages = with pkgs; [ - btrfs-progs + btrfs-progs ghostscript ]; virtualisation.virtualbox.host.enable = true; 
diff --git a/ascanius/hardware-configuration.nix b/ascanius/hardware-configuration.nix index 52bde50..3807e8f 100644 --- a/ascanius/hardware-configuration.nix +++ b/ascanius/hardware-configuration.nix @@ -50,7 +50,7 @@ fileSystems."/" = { device = "/dev/disk/by-uuid/a21dd1ae-b1ef-47d2-854e-4f561f0bfb4c"; fsType = "btrfs"; - options = "defaults,relatime,discard"; + options = ["defaults" "relatime" "discard"]; }; fileSystems."/boot" = diff --git a/roles/common.nix b/roles/common.nix index 536dbb8..921e98f 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -59,6 +59,8 @@ reptyr tmux bc + mkpasswd + shadow # archiving xdelta From a3bd62994ff5795308d7d8f4a29d6a5e0b78cb7a Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 14 Apr 2016 14:02:16 +0200 Subject: [PATCH 015/172] new server --- conf | 4 ++ network.nix | 4 ++ nixos-in-place.nix | 50 +++++++++++++++++++ ospinio/configuration.nix | 2 +- ospinio/hardware-configuration.nix | 51 +++++++------------ packages/gogitget.nix | 2 +- packages/gogs.nix | 4 +- pennyworth/configuration.nix | 72 +++++++++++++++++++++++++++ pennyworth/hardware-configuration.nix | 45 +++++++++++++++++ roles/common.nix | 7 ++- secrets.nix.asc | 43 +++++++++------- 11 files changed, 226 insertions(+), 58 deletions(-) create mode 100644 nixos-in-place.nix create mode 100644 pennyworth/configuration.nix create mode 100644 pennyworth/hardware-configuration.nix diff --git a/conf b/conf index 667ce03..1c72d23 100755 --- a/conf +++ b/conf @@ -14,6 +14,10 @@ remote) export NIX_PATH="nixpkgs=$HOME/builds/nixpkgs/:ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix eval ${@:2} ;; +remote-new) + export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-16.03/nixexprs.tar.xz:ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix + eval ${@:2} + ;; local-deploy) sudo $0 local nixos-rebuild switch ;; diff --git a/network.nix b/network.nix index ca9027a..f1529c6 100644 --- a/network.nix +++ b/network.nix 
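Review bot: The new `remote-new` case points NIX_PATH at the rolling `nixos-16.03` channel tarball, so two deploys from the same commit of this repo can evaluate different nixpkgs and the host state is not reproducible from git; pin to a specific channel release URL rather than the moving alias — the existing `remote` case pins via a local checkout, so only this new path drifts. Both cases pass `eval ${@:2}` unquoted; `eval "${@:2}"` avoids re-splitting the caller's arguments.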
@@ -8,4 +8,8 @@ with (import ).hostnames; { imports = [./frumar/configuration.nix]; deployment.targetHost = frumar; }; + pennyworth = { + imports = [./pennyworth/configuration.nix]; + deployment.targetHost = pennyworth; + }; } diff --git a/nixos-in-place.nix b/nixos-in-place.nix new file mode 100644 index 0000000..88204a9 --- /dev/null +++ b/nixos-in-place.nix @@ -0,0 +1,50 @@ +{ config, lib, pkgs, ... }: +let + inherit (lib) mkEnableOption mkOption types mkIf; + cfg = config."nixos-in-place"; +in +{ + imports = [ ]; + options."nixos-in-place" = { + enable = mkEnableOption "enable nixos-in-place FS"; + rootfs = mkOption { + type = types.string; + description = "device name for root fs"; + }; + swapfs = mkOption { + type = types.string; + description = "device name for root fs"; + }; + }; + config = mkIf cfg.enable { + boot = { + kernelModules = [ ]; + extraModulePackages = [ ]; + kernelParams = ["root=${cfg.rootfs}" "boot.shell_on_fail"]; + loader.grub = { + enable = true; + storePath = "/nixos/nix/store"; + }; + initrd = { + supportedFilesystems = [ "ext4" ]; + postDeviceCommands = '' + mkdir -p /mnt-root/old-root ; + mount -t ext4 ${cfg.rootfs} /mnt-root/old-root ; + ''; + }; + }; + + fileSystems = { + "/" = { + device = "/old-root/nixos"; + fsType = "none"; + options = [ "bind" ]; + }; + "/old-root" = { + device = cfg.rootfs; + fsType = "ext4"; + }; + }; + swapDevices = [ { device = cfg.swapfs; } ]; + }; +} diff --git a/ospinio/configuration.nix b/ospinio/configuration.nix index 12ac1b2..461c468 100644 --- a/ospinio/configuration.nix +++ b/ospinio/configuration.nix @@ -27,7 +27,7 @@ in services.openssh.enable = true; # The NixOS release to be compatible with for stateful data such as databases. - system.stateVersion = "15.09"; + system.stateVersion = "16.03"; services.nginx = { enable = true; diff --git a/ospinio/hardware-configuration.nix b/ospinio/hardware-configuration.nix index b460a15..5a38530 100644 --- a/ospinio/hardware-configuration.nix 
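Review bot: In nixos-in-place.nix the `swapfs` option's `description` reads "device name for root fs", copied from `rootfs`; it should be `description = "device name for swap";` so the generated option docs do not describe two different devices identically. Both options use `types.string`, which merges multiple definitions by concatenation; `types.str` raises a conflict error instead, which is the behaviour wanted for a device path.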
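Review bot: Bumping `system.stateVersion` from "15.09" to "16.03" in ospinio/configuration.nix on an already-deployed host changes the defaults NixOS applies to stateful data (service data directories, database layouts), which is precisely what the option exists to freeze; it should stay at the release the machine was first installed with unless the corresponding migrations were done by hand. If the bump is deliberate, a comment naming the stateful services that were checked would make that clear.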
+++ b/ospinio/hardware-configuration.nix @@ -1,46 +1,29 @@ { config, lib, pkgs, ... }: - +let + ipconf = (import ).ipconf.${config.networking.hostName}; +in { - imports = [ ]; - - swapDevices = - [ { device = "/dev/disk/by-uuid/be7625e5-2e2c-41f2-8d5f-331f90980b9e"; } - ]; - + imports = [ ../nixos-in-place.nix ]; + "nixos-in-place" = { + enable = true; + rootfs = "/dev/mapper/CAC_VG-CAC_LV"; + swapfs = "/dev/disk/by-uuid/be7625e5-2e2c-41f2-8d5f-331f90980b9e"; + }; boot = { - kernelModules = [ ]; - extraModulePackages = [ ]; - kernelParams = ["boot.shell_on_fail"]; - loader.grub.device = "/dev/sda"; - loader.grub.storePath = "/nixos/nix/store"; - initrd.availableKernelModules = [ "ata_piix" "vmw_pvscsi" "floppy" ]; - initrd.supportedFilesystems = [ "ext4" ]; - initrd.postDeviceCommands = '' - mkdir -p /mnt-root/old-root ; - mount -t ext4 /dev/mapper/CAC_VG-CAC_LV /mnt-root/old-root ; - ''; + loader.grub.device = "/dev/sda"; + initrd.availableKernelModules = [ "ata_piix" "vmw_pvscsi" "floppy" ]; }; - fileSystems = { - "/" = { - device = "/old-root/nixos"; - fsType = "none"; - "options" = "bind"; - }; - "/old-root" = { - device = "/dev/mapper/CAC_VG-CAC_LV"; - fsType = "ext4"; - }; - }; networking = { interfaces.enp2s0 = { - useDHCP = false; - ipAddress = "104.233.92.136"; - prefixLength = 24; + useDHCP = false; + inherit (ipconf) ip4 ip6; }; - defaultGateway = "104.233.92.1"; - nameservers = ["8.8.8.8"]; + inherit (ipconf) nameservers; + defaultGateway = ipconf.gateway4; + #defaultGateway6 = ipconf.gateway6; }; + nix.maxJobs = 1; } diff --git a/packages/gogitget.nix b/packages/gogitget.nix index 47b7abd..6a0ef40 100644 --- a/packages/gogitget.nix +++ b/packages/gogitget.nix @@ -15,6 +15,6 @@ in builtins.toString sshIdFile} $TEMP_ID chown `whoami` $TEMP_ID chmod 400 $TEMP_ID - exec -a ssh ${openssh}/bin/ssh -i $TEMP_ID -o StrictHostKeyChecking=no "$@" + exec -a ssh ${openssh}/bin/ssh -F /dev/null -i $TEMP_ID -o StrictHostKeyChecking=no "$@" ''; }) 
diff --git a/packages/gogs.nix b/packages/gogs.nix
index 4f90c6a..535f202 100644
--- a/packages/gogs.nix
+++ b/packages/gogs.nix
@@ -2,10 +2,10 @@
 { nixpkgs ? import {} }: with nixpkgs;
 stdenv.mkDerivation rec {
 name = "gogs-${version}";
- version = "0.8.10";
+ version = "0.9.0";
 src = fetchzip {
 url = "https://dl.gogs.io/gogs_v${version}_linux_amd64.tar.gz";
- sha256 = "0c0abr0jinyvwhw84901ga80x6q13a0q8yrs6k5i8jawhpwvfl67";
+ sha256 = "1qyy0hi8hvz2k4p9251mx8xv9z08jwijfzl0rn0drm6sq34a7wg9";
 };
 buildPhase = ''
 patchelf \
diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix
new file mode 100644
index 0000000..468e0d2
--- /dev/null
+++ b/pennyworth/configuration.nix
@@ -0,0 +1,72 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, ... }: + +let + secrets = import ; + yoricc = import ../packages/yori-cc.nix; +in +{ + imports = [ + ./hardware-configuration.nix + ../roles/common.nix + ]; + + networking.hostName = secrets.hostnames.pennyworth; + + services.openssh.enable = true; + networking.enableIPv6 = lib.mkOverride 30 true; + + system.stateVersion = "16.03"; + + # root password is useful from console, ssh has password logins disabled + users.extraUsers.root.hashedPassword = secrets.pennyworth_hashedPassword; + + + services.nginx = { + enable = true; + httpConfig = '' + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log logs/access.log main; + sendfile on; + #tcp_nopush on; + + #keepalive_timeout 0; + keepalive_timeout 65; + + + gzip on; + + server { + listen 80; + server_name ""; + + location / { + root ${pkgs.nginx}/usr/share/nginx/html; + index index.html index.htm; + } + + location = /50x.html { + root ${pkgs.nginx}/usr/share/nginx/html; + } + } + + server { + listen 80; + server_name yori.cc; + server_tokens off; + location / { + root ${yoricc}/web; + } + } + + ''; + }; + networking.firewall.allowedTCPPorts = [80]; + +} diff --git a/pennyworth/hardware-configuration.nix b/pennyworth/hardware-configuration.nix new file mode 100644 index 0000000..04e482f --- /dev/null +++ b/pennyworth/hardware-configuration.nix 
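Review bot: The whole `services.nginx` block here is a verbatim copy of the one in ospinio/configuration.nix (same log_format, default server, yori.cc vhost), so every fix — including moving `server_tokens off;` to http level — has to be made twice; put it in a role under roles/, as common.nix already is, and import it from both hosts. The comment `root password is useful from console, ssh has password logins disabled` relies on roles/common.nix setting `passwordAuthentication = false`; naming that file in the comment makes the dependency explicit.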
@@ -0,0 +1,45 @@ +{ config, lib, pkgs, ... }: +let + ipconf = (import ).ipconf.${config.networking.hostName}; +in +{ + imports = [ ../nixos-in-place.nix ]; + "nixos-in-place" = { + enable = true; + rootfs = "/dev/disk/by-uuid/7165e542-0995-474c-a228-9592339e0604"; + swapfs = "/dev/disk/by-uuid/baaf824a-bee0-4037-a237-3a69f1db7985"; + }; + # fs layout: + # before: /nixos/nix/* /boot/grub/menu.lst + # after: /nix/* /old-root/boot/grub/menu.lst + boot = { + # use grub 1, don't install + loader.grub = { + version = 1; + extraPerEntryConfig = "root (hd0,0)"; # do we need this? + mirroredBoots = [{ + path = "/old-root/boot"; + devices = ["nodev"]; + }]; + }; + initrd.availableKernelModules = [ "xen_blkfront" ]; + }; + networking = { + usePredictableInterfaceNames = false; # only eth0 + interfaces.eth0 = { + useDHCP = false; + inherit (ipconf) ip4 ip6; + }; + inherit (ipconf) nameservers; + # ideally, it should add a route for this automatically + #defaultGateway = ipconf.gateway4; + #defaultGateway6 = ipconf.gateway6; + }; + systemd.services."network-setup".postStart = with ipconf; '' + ip route add ${gateway4} dev eth0 || true + ip route add default via ${gateway4} || true + ip -6 route add ${gateway6} dev eth0 || true + ip -6 route add default via ${gateway6} || true + ''; + nix.maxJobs = lib.mkDefault 2; +} diff --git a/roles/common.nix b/roles/common.nix index 921e98f..ced486e 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -21,8 +21,11 @@ https://hydra.nixos.org ]; - nix.trustedBinaryCaches = config.nix.binaryCaches; - nix.binaryCachePublicKeys = ["hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; + nix.trustedBinaryCaches = config.nix.binaryCaches ++ [http://hydra.cryp.to]; + nix.binaryCachePublicKeys = [ + "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" + "hydra.cryp.to-1:8g6Hxvnp/O//5Q1bjjMTd5RO8ztTsG8DKPOAg9ANr2g=" + ]; nix.extraOptions = '' allow-unsafe-native-code-during-evaluation = true 
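Review bot: Every `ip route add` in the `network-setup` postStart ends in `|| true`, so a failure to install the default route (bad `ipconf.gateway4`, interface not yet up) is swallowed and the host comes up unreachable with a green unit; keep `|| true` only on the two on-link host routes, which legitimately fail when the route already exists, and let the `default via` lines fail the unit. The comment `ideally, it should add a route for this automatically` suggests this is a workaround for an off-link gateway; `networking.defaultGateway` may accept `{ address = ...; interface = "eth0"; }` on this release, which would remove the shell entirely — worth checking. `extraPerEntryConfig = "root (hd0,0)"; # do we need this?` is an open question left in the config; resolve it or make it a TODO with an owner.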
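Review bot: In roles/common.nix `http://hydra.cryp.to` is added over plain HTTP; the paired public key allows NARs to be signature-checked, but only if signature checking is actually required, so confirm `nix.requireSignedBinaryCaches` is in effect on this release — otherwise an on-path party can hand the host arbitrary store paths for anything it pulls from that cache. Prefer `https://hydra.cryp.to` if the cache serves TLS. The entry goes into `trustedBinaryCaches` but not `binaryCaches`, so it is only used when a client requests it explicitly; a short comment saying that is intended would help.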
diff --git a/secrets.nix.asc b/secrets.nix.asc
index 5641e76..f5fa0bd 100644
--- a/secrets.nix.asc
+++ b/secrets.nix.asc
@@ -1,22 +1,29 @@ -----BEGIN PGP MESSAGE----- Version: GnuPG v2 -hQIMA++MoCsgK05SARAAgsaInIKBcBNB04oarPxeswE+Y+DFWmb3JDPChesJCDy+ -OkVMFp+ZOkNgoVBFdJ/jrCngNNK/MJ4Nx0G87HIy4OEoSyEDWAgZCg6+eZHlUVkY -XjUVpWMA5ppzEieiqAF3VczZ9sk8kLseagTbIR/AA+DF4cXNjT46zcURtVUsxkTo -rBoCRlGgzVi5L3dzz81CFR1ZdIbQ1SpDib9isLGd38dPvTXFD8IJLmcef8SR2FkN -eKoaA2HIC3CF3BfGBlKj+pcXsytHXgs5B2JUzGo0RYdLokQBh4/JhFT8obT5/udz -IbiqdcREyp6rUw+VMmcFSu1OIdpQ+OzfiiKcMkNIO1VO1GXNQkfUfo5FbVMIxKu1 -DQ4l00DBr6vWS3S3djPzMMmznAUIXAsBrby7cta5Utel+lcTjSa4tbEVHMQKx+Qy -mjzS/GnpRBPnAsxapUDLdTmUPxALpI76mZVRm9xZyYYcliphUdO6Sx9Er8BEEnuz -DdTgOO3bDz/wx3+oth9YNn+FqYKMItUJ/FZIcdPklrNd1/zKbS5hLt6+tmjQAJGH -rMWumhEc9NQIKbWdl8TovV9jF+NYS7mmxzi/TP4C+eNlYuZYNf8tAS+edr+Z0wSy -crHANbmnfLwAWzpJhqWAFtPJ8fLFoNUEz2Z+Sc3MgCCN6zXl2qMyDDd/Ns6+FInS -wFsBcOTNfaHqkiaMQSJQVx0H8yhLos25ECwLu7+ux7uRRGc5m+cMyq6nRBT7HPEa -7bfYE2xGMirIsHsxFkx+0U3ytUSRoPQYBIQuM3al71ao1b7WCyZFr58FF59wVUqp -9Dz7bNUpXuSzyahJAX6+RHFliLgKwsKHox93eBgcTI1FvJc5sqfHfzfqhdjylTgA -yWIpeZTjMhwXf4j0JrbUZt1b/9U2vzwbJQpYKkVn21zntTea+9+LMNziWHW1q2Lx -gJJPD5P9eTHuAjzdzQwEReijDicx3E1+AaPAvEqbGSP58p24c/K+Mlf3BQu1QgZz -mwDKQO9XZf1WCTvybsMktrFQzpOYhNIVDy1R7HSVB4wRu3LslrKmRpByjZ9y -=rpa6 +hQIMA++MoCsgK05SAQ/+LvophpN/moY95XS96yuFU6UYe1zssnx0BXVlaG97U/PN +bKwhhuCWizCvF3jG2hhSQdcwd8ezi9Wf9YXPITN+jrBxyona7/Z271Pw6Wes0skf +wx5RX5m0QKH6ml35J160BIREiEm1U0CYSlGLX61hKHU2btvVxI0KnpzFZ9RGPe1J +oSY4hsjZGvXja6ZmouJX2gDDIIyibgkAvLk5ooJ6zr6qP4e8u2n5rDXDBOjvxjig +JXdCzBzCICFaU3UbAfD9KHjC9aWQD1fwKMg0HQo49SRuGqokIhpKgDbkiZev2Rnz +5nncwpTqM5oCmUjgJLHmCFvBOVFxyxxDmLDNU3BY6SU+xFNar63tQwSrmcW3Qlt0 +2tFE+OOC04o7efcT+Ca2VKVzQKeGbCwKdwktYVkpXYphGUo8HnqR+b3lQUXkK1Om +2kbYQtH8ztMIDUcb94sVcWANvhJhHAeeXVxCvDsaSWF5N1rrW6i/R4DxaBcgfkcn ++ioTVSOmlfOXWcBtucOS1KS2vl4WugslYXKi8RLgNYOj0h02jVsCdgPJqas7/TJc ++DkGbGLIsnwCt15yyw4d2NZz26ouX2vtfTR5wt9wChIuxL1j8MiBlw4QMPxmDDs5 +PQSLLyBySiibZVYWYaDv2Icp6AZ7kgD3XNf6z57BOAoyy7RdwuYEyq5cwZOIs1/S +6QHC5J0WQ6H0sL6k/mQYLOAGbsa7EW3Tv1wWXyPTZyWonVZOgU3mYnWLp2qKPSae 
+1sMWRvfd9hh41T8BVaDR9uXjFNeHo6Xk/mk2eWYyaNdlSulh2JpFjKJ3+2/DlLtR +gBxFIHaXXBPONlFMzq5GQ2xD6zS+tFJOc+MHjGNg3qIC0B4UnePOeT/OrhecufQG +BwobrUqO1JfUF30TX8ncGeb69GUI6TUiVENB1yQ5SU9+hW5zE6QM/ZiiUMMbHkAJ +2NTAnKmZQBZlWhb3GLeVq+bUIrn+QUNqJQN5bT1resOL3b7nVxrrQp9ryH2gu0Fb +rUIHL+RVYPb7IXsxLGskmHQffIEQ3AIag3LR8VuSzOd5EpIE+h90jSB0B85ENVYo +PkojI8buXckXVV7ro3t2BHcT7r2o6ZmhnW7IkF7P6QpV7oycRw3WdZ7C0mwmNbJq +ZWqG3N8aMv9URyBcIXI0qXcEHImx2v+6oLsZ/XUP3RGnbU1B7Twh/LHcZ3QfCA/u +7TdBxnBgLnRXBt48W+iSoLRw9SxIdLlpXpez/vQIjFHGM/a6XLRJgctMcK5rQdGS +yd3CXR0hVpDaZH33LFop67Phj5vvdop3ONHOmfV6NMqHbkH/p7rhHcdWBOVtNvry +j9vekI7qlEVBwuXgx9HHMPNNlkve94qbZSjpiGn+PHQmaF4/jCTZ41PmBaSp8mGC +eTMA9NQbUsBNew9UcryWl6rFrNMIcwu7De9REh0ovjoo6g3mxJhZuhWPwtmnEHpt +zzoF4hSeoisJwg+JwGq4lQbjVJBgjdcFqke6BAEvam1Jqale5CKJ1GKb +=fAua -----END PGP MESSAGE----- From fc8d5784bdac4c57e23c0a82b1874c5fe5cd7957 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 21 Apr 2016 22:33:02 +0200 Subject: [PATCH 016/172] add tor keys --- .gitignore | 2 ++ conf | 4 +++- keys/ssh.frumar.hostname.asc | 19 ++++++++++++++++++ keys/ssh.frumar.key.asc | 33 ++++++++++++++++++++++++++++++++ keys/ssh.pennyworth.hostname.asc | 19 ++++++++++++++++++ keys/ssh.pennyworth.key.asc | 33 ++++++++++++++++++++++++++++++++ 6 files changed, 109 insertions(+), 1 deletion(-) create mode 100644 keys/ssh.frumar.hostname.asc create mode 100644 keys/ssh.frumar.key.asc create mode 100644 keys/ssh.pennyworth.hostname.asc create mode 100644 keys/ssh.pennyworth.key.asc diff --git a/.gitignore b/.gitignore index 59e3ed0..3457031 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ deploy_key secrets.nix +keys/*.hostname +keys/*.key diff --git a/conf b/conf index 1c72d23..278d568 100755 --- a/conf +++ b/conf 
@@ -1,7 +1,7 @@ #!/usr/bin/env bash if ! [ -e deploy_key ] || ! [ -e secrets.nix ] then - gpg --decrypt-files secrets.nix.asc deploy_key.asc + gpg --decrypt-files secrets.nix.asc deploy_key.asc keys/*.asc sudo chgrp nixbld deploy_key chmod 640 deploy_key fi @@ -24,4 +24,6 @@ local-deploy) remote-deploy) $0 remote nixops deploy ${@:2} ;; +update-encrypt) + gpg -a -r yorick --encrypt-files secrets.nix deploy_key keys/*.hostname keys/*.key esac diff --git a/keys/ssh.frumar.hostname.asc b/keys/ssh.frumar.hostname.asc new file mode 100644 index 0000000..c193402 --- /dev/null +++ b/keys/ssh.frumar.hostname.asc @@ -0,0 +1,19 @@ +-----BEGIN PGP MESSAGE----- +Version: GnuPG v2 + +hQIMA++MoCsgK05SAQ/+OBQQJboR/E4uR03UZ/qCwY34O6o6s1E0BFMLp+wZY5OI +MPTc+cG9LKgx8uOJPYm+S4+3//4YQ2G9U4Yfex+511+/2QAiX5E5xDeQRvwsWfft +9AntZhalFeNPZ0fxeZ3Wdvrk/3eDallBWLB5biBOKjB8cvJdMF+QNt0VnMaB8f1N +lYsfamzmC1d+jsj8mQ08kMBa2kSbL+Nu+K5hrtUsQrGevvvJV8zO5At2mxaElD/C +xD9rLp+vdJoCXabgBEilNH/+bEkDMJoE/wWVJG5EXOwMVYhDTNVMshgNR3HghHPd +1eE8w868JyPPi2ZrwUBNXurIkfIdsav79QVRVJoBIeX/EwQLuCBj/FnGGMklTGFl +pbsIy9HDUzbvB9byA7KtuQUOHxLjeXdppUnTEpHFHB7gnEpoUVJLMET8Np8SY8wz +pGTWneNy9XHu1HQIi9gDqDJCBZvZX5wIEeLcXNE0C6iaL4+tqT7UDfCdDKdQ3nFc +nC9MxKMmJKEhVbRuvNil9oxQ+JhgfU8OOS+ybBtcLPUmZoCaiBwaq75onhbapk5f +xDNcsOkGpV3HWsCRz3m48MvDGlU3YO5R+PPJ+/ITqeLPytSSsOydSOAGXnGd9+F+ +x1CGrsADIYQKF/sMgO2ptqiwAeX878x0jwuBwTlxvfDGzzkHXeyWFMrxG8iF493S +YgHvB7BnP7wJQ2R/Is2LV3Z3ESFZDnZQrcTi/SaCNo+YZ85Of28Ep4GL4Lqlbkev +IxfPGEOr+SrP83lSD8eDWf9NRLtz+7NIU/P4U2Ywm6nmIE6hJuJRy0bXRqWmWr30 +0F+7 +=4UQQ +-----END PGP MESSAGE----- diff --git a/keys/ssh.frumar.key.asc b/keys/ssh.frumar.key.asc new file mode 100644 index 0000000..c507afb --- /dev/null +++ b/keys/ssh.frumar.key.asc 
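Review bot: The decrypt step now also covers `keys/*.asc`, but the guard still tests only `deploy_key` and `secrets.nix`, so on a checkout where those two already exist the new key files are never decrypted; extend the condition (e.g. `|| ! ls keys/*.key >/dev/null 2>&1`) or run the decrypt for the keys unconditionally. The `chgrp nixbld` / `chmod 640` hardening is applied to `deploy_key` only, while the decrypted `keys/*.key` private keys land with whatever mode gpg gives them; apply the same `chmod` to them. In the second hunk `update-encrypt)` has no terminating `;;`; bash accepts it as the last item before `esac`, but add it for consistency so a later case appended below does not produce a syntax error.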
@@ -0,0 +1,33 @@ +-----BEGIN PGP MESSAGE----- +Version: GnuPG v2 + +hQIMA++MoCsgK05SAQ//clphlrxUrWE9z0d8DKOoLAtn2cXvSnH4pB+QEP8/YlnD +F4SK6o1hjWQ+BHaEUi4fZubze2c2n20eu8txcMiB2ILWj71j6fhiEiSC+CNnM7rh +bXj1O7qOWeK/PWe2NCy7W45732SJjp7nkFHBGZuJs1ZOtT3X39mynnE3XHrZAhDM +waOXkBYuZdKOY9B8OUtJqPayTh6su6clNWqtwjMwPIC65RNErQikvYNNeF7JbrNJ +8RDFIh9CqFPdiiehiw33Fzhd0BtEYkdvXAhIhhEQ4tgJrE5tINLL5Zstn/CzupSA +LhatuTr2a1RUSgOdzYJVdBSKOn+Xp0DZjYNcQkcsvo0YswovtKEKEFO4uJWCuK8c +BeCDMPjw+E6gSvZFYKH+dp/K90oBu7ZBDUlX8oNjfV2ikle6P01Xywab8mriNgnJ +qtDEunekMTwqWzUGK6fzdUYSpvbtDY/qt+h7PxgAThc/wyQbVReYp4bgIDIbIUBZ +MHjA/J6wnoHS+2M13z60sPXrwWRQFrSCl7Gv2JVq6bwmXUTPbpSTTK5cCimomn+3 +prrlS2Hc+1EZBdWCWB7fAPt5sgD2evpndZThxCLp9vbZhqhHf7JFgn6uTW5pjkIq +EUUCLdtjx14lxxsdPCYri6UW7tlqodVO8U5QRKF5iV8fRSzLKmirV1qsoMFmWvTS +6QGdvQHf8dbkOxLvYIPEK6xs+60on6ZrrpFJ/Vyp1uMJkwsypKtGHJrXitfyFw9u +siADV5A4Df9Z1FodDAZbooD+utZ74j0ans0cGB5S3pjc9bGau7+EY6uJ5b/wUTkP +eWtJGlviyMfXXMk77+OefJ2gWzCzZVKmRB+ZBmtns/Q3X6HB4jbNCFFoVK6pq5gd +78BQy3U79EgEKzit+Ej3p2VKm7TaQHSNnluKGV/PFL4rhpfZE56lZmJO4pllOt5b +XoWtAckhd7uTROq3qWDGc9fuuTH1XhhH8udByPSMDpWEfp427oOfY+KV5cw1zRjW +3wSJuPBQk63ujze/0Hs+gLZwBE+TFYT08MRZu7B0/wtOfeau1tgoBZmP3QSSVgcH +cl/QoJnr04d9QnhXLnc35h/ZXLXKwd+RlT91vDDfMVJ+h44Wc+iBVTJc7z5rihwM +PCFkIfhyR2oXfV9GPX14UMB0QJ2TgqSnitKjbI2GK0op3NxxP54sQbC3DkxoMAMC +7IXFA1sGS2dGH5ceLbTlZ0bSGBXUouVED+ZW0ln7k6ZjzYvl4win1s19DHNlTB5v +vP5Xrln72lHggDwsEo5BQJvtqZZ7kOxAzn8Zvi1aihv/RMqWRS22PtVJpsRRHrmB +Mblo8cFhv5XUFPpCJObqr3Js/Y2wD3wd80uNM/ANSRHWwEHXZT51jxqn/B7QXJxq +8qr8dnSxtGjsbXIb8h/bMV7nncaOTKhKUB8kmnymUGJYX4JraqsRT1HkjBm8fruc ++kBH+PHo7EfYyMsyy6DfYnVDGoRBeIhlSxPMLubRzWBCvsvZk2+C3Mr9763Z34M3 +WZDnD14aEAuriJKlwcQa/B53CDPfyhmtj+sEdI3pXLIoc8I5XFeBOTdKYf2f7mZm +yv2Y4lmT5qqgwPqDxX+ls4pIZnM9fEPDHkm1YoyQtYaUk1VQjsfuHz0dI7ZSi1Rw +Eusxk6H+XcHwd5yUhPJBJq07iVi87KzGgTSOqqJ3dhvnlvrUxcmGdm67haymNJ+F +GfHMLQ== +=VhNR +-----END PGP MESSAGE----- 
diff --git a/keys/ssh.pennyworth.hostname.asc b/keys/ssh.pennyworth.hostname.asc new file mode 100644 index 0000000..c64ed0f --- /dev/null +++ b/keys/ssh.pennyworth.hostname.asc @@ -0,0 +1,19 @@ +-----BEGIN PGP MESSAGE----- +Version: GnuPG v2 + +hQIMA++MoCsgK05SAQ/+OKZWHaYsMa4qRH5QTv/UPoF/L4Oi/1/zWckKvRJOiUKN +lS3boXw61EKdew7vx2pLGQebWjdhFfI0cwV3DDPN11OdT7GA7CPBIMx+xe9Nwc84 +tOAmFcr3ViMuagLY35vyP7NSYVNxBTjLgJF6zPxXoG/zsnp7EEIW7/4/iA9QqKPF +Z+iQ2nwNxtPbvCGM8GNzRZVppYyfJmK3NF7Z03UIv5pF8SmJIly+Ol8sSHqPQ8kU +YahdvVz43VlXBjtbsUFoudQUDBGD7k2NtGyvm+CKqapSUido/cI+3stWSieKOftH +KdwG4z5XzIc0faWv3GUGws+uELs8elUiVj2k/mVBGy/27oVUQDHE/iiFUAjobl9q +ZgeMS3GknXMStH/M9CRlRrxEwv8M5LMdkv/EuYtdzvlnVth6Cb9BASBa9OFO2yZr +gQCwAKYoCjKwOVvQ7g7hiz+oBOIJn+6uL6IiG7gpnd2MR5Ah4jQBN9+8l78AvurK +/4nUAy0ZjBRHG9buIdcCDW+w0+O2TJKjQNtfaVLJNpuiNZ7hP+4ntCZyrbZFkzdK +qmCWjbmRscEo+HDeJykNCjbu1Vl+KbZy2++SHdkS+c3HV2ACePlZHMsuPTgkpqBU +lIx4+KRcjfDqIPKYEnQAAx0xiuVXLTIhDCTxfwWdBPtmMZzZy0++OkjXhexVG1XS +ZgH14+UJQGhhuFLWFbbG/KgUxvqbuMvRdg/rjMfOdaL/lkYMvcVUBxOdzjXYbBef +EIRww/qo8CWKrrhCscLvcqthIwhiuO6ek6gGL9eG/9NUkXqy5gwqcfyT/OAh/bYC +hQwlVcdc/g== +=dUor +-----END PGP MESSAGE----- diff --git a/keys/ssh.pennyworth.key.asc b/keys/ssh.pennyworth.key.asc new file mode 100644 index 0000000..791b272 --- /dev/null +++ b/keys/ssh.pennyworth.key.asc 
@@ -0,0 +1,33 @@ +-----BEGIN PGP MESSAGE----- +Version: GnuPG v2 + +hQIMA++MoCsgK05SAQ//bCRpTwXXx4iKhqswLmOWTMzaAdhiatQ5NAw/KUBAdEwR +XsEnjEr/BcIcbD/K5KENRyYDnAvxvwQ5KXz8DtgUG82Z7+ZznLyOAgl8bQQW1VBI +j6HzmLRo126xklo2Mh5f4TLlnTHBxf83TE0epXCBGluDCpnS5ZBDtsBIi92kthYd +FariaJJ23E80iEG1Iss0iUr7Hd3ONLuV1bDvsWBULS1nC8ZrfY+x8o87rSmeXs/8 +awPSmzNjDBPgBQLy0sG746Q2vbC2LcgiUUhTdg0ZVYHyTBdzhQ3ielYl4gMXEJuE +oz6De4O7zu/d2qdt8fopUnFp340wFKqHyajbd9ehY8lVJsTHPTIRV8MqwyDOapx9 +5FSzEyR3r7N/sGnsRlylNsr7a69BKEWS4mNhb2wjk8V+UcZvGAVVT/F08bpTpegK +qYXA0JXAiS2/kBtnxqPJ2a1/gx/Mjm54T2rllbckKudglquFJJwKNpWgBi+xlY1I +khgXv+sitTgwYuTbOCGFIAywfuyeAM7Qbqj0WxsOu6pa33X9y+4CZpnhsrdUxrxz +KSy1zExBRvYnSdE0LjVIcPoTPHB0q5gz2p+VwuArU32NHa3kYSfFLeGzJZ4Abaou +28D8L4kXUTlXhRh5rrjJ4w+w9Ra+bz46pa4swxOLb7lQWYFA6LgnACy2KKhEl17S +6QHfnGYB4+91xWH7s44GB35gTSA2lzQ7j6Y8WSi6iYmHpnUsoD31+eKrTTKbsUTj +xs8ZgLEM34p4RMnun7RC/NY7oZaK8qbCi5c752qBNjJFcPLoFsWdtl0cVl8OTfrq +td5ssM4+NXdJLER2qus02uHaEkRO83eZe1jrsKKCmMXw2iTKsC8iduO/2E7FX0xy +gwT5APjy3p5y6GXVKpPqg+qMWprUoxk1M5pXNgOSMCv+BDpb1f9Acwv2BHHaDJF+ +q9KjJVDgthSFeNEkwNpBCFVw+Nf0JXWnasRUpNSjmeHdSVfYjnM2jRMA4M6f/ZbW +SVAxqa9/bQGdY/hVg1A9+sJ6YqNXeCmri+zwU8qhpmCZL8wjKvM12Z/Ip4q32liB +aHGJBd2ydCR9a594rxRkKVjuzLsYkwv5BE5h8NMk8a/Iqpo2gM+YzH0DT4Jqadr4 +cBOciF3ds3oWvvkMX2wpMl0weYF5VF0e7JWnaFxBn1AOU9Bq67zEeAgQkyjbgP4W +hVp3PPmtcFn7JubTE2HV+tXuwnZLYuOAcYFX18F2deGZsiHH6PGBEoqlQbG+wOgT +0PMqSf4zkGS/YrtbB0TlrFgT5PEOotv27oaXKDpZ4Fe5acaDnp3vQAa4avTba2Ie +IUfSjgpgIobLd6HnwcTfas/WScBNhJY/n798VsJ0FP9EwEmuWtsfs8GEnhkqKchb +Y2rdci8dp8IrhcW24hNrvN/KFBNha2DpSkFSh0hLqmOI4VBc5v+0bIgXucmhx4FT +Ngh6/AhEZXqYQaH0sDg70C77D2VWsGnWtYloLr5fY9tXNgZ0AoXEVDMFnLTVyUoG +GsLW8lIAD3dCxp0GYNlU9jVo+sH4Fzz81w5c+JYC5k1VzuMf7V/D/yiztb9N0aUz +7PDRp+1z681XoxaNsZ5AyD7AdCRzsJT/tF8yNt+U0qPK5HExeNcxRCZndyOofbJ2 +nTR00ZRKdDzs7Ie8GRvZaj54Cjib1aWH9fvnDgGQdV/elKGk5yMQ3GS7e1ilVsV/ +Ep8YutR3R0BrWjzU +=zE7X +-----END PGP MESSAGE----- From 501dcfeaba480e580f4e4eeeced03004918864b6 Mon Sep 17 00:00:00 2001 
From: Yorick van Pelt Date: Thu, 21 Apr 2016 22:34:24 +0200 Subject: [PATCH 017/172] re-encrypt deploy_key and secrets --- deploy_key.asc | 82 ++++++++++++++++++++++++------------------------- secrets.nix.asc | 53 +++++++++++++++++--------------- 2 files changed, 69 insertions(+), 66 deletions(-) diff --git a/deploy_key.asc b/deploy_key.asc index 55247be..536bd56 100644 --- a/deploy_key.asc +++ b/deploy_key.asc 
@@ -1,45 +1,45 @@ -----BEGIN PGP MESSAGE----- Version: GnuPG v2 -hQIMA++MoCsgK05SAQ//b7c3XC7n5YZwVRGUMaZM2X9SUJcGdfls1spFI7ef9VoP -129fWxELMuFNRpkjq1eLhtkexIA5WW4z6ORMhNW0XQX28FWN/EhJb+5VcmEHquEP -/VHX7OGQ0i+MJBklXKBy6gH7PHqPn6ExYF2j+Ath7Hqf7MiBzFMVAElqPrTGwTJc -EaGE2GzM5jP+/LRyi3yErufDVQsjf2exD0hlb//gHwFsgir3N6GGywE9kMT+0/Fu -TA5K0HB2Ho2ZIY1CGZO1PQt0hKjbBiNKHPrExogeWgTL+xWk2isGZC3yU/JvY8iY -7fS4d7jLOyaUwpPV1dZtSTv4l22ooCuDAWWevxQwNFFpgtvVgpyLkU8k3yrPrNaS -bdXXAwaf2ejrIyxrxIi05P3B9T74lgFjHfEgczAvuumXxeGMK38HVIwHwEFSRyRm -I+UNN/SF3JigiQx/NSde4iZioy1AkH9aICu1OYKVLZ6PdfQzxlMDH0o0RapKxfyk -a48160uE8/A9/5G1YlNqzYxorqE7KgezryS7pMJHIANY3YqadW0q+sFveqUHGDuB -e2965cmnZ5gIVg327UTzMsnGMEQPTFnmhbBZSqnogCqEEjvxE+E5iTGQLMNij2Tk -Ws+xGtZ78IhnHeu2teVEwLyVWyDFBamsKyuRp0dIZSo4v8VpjhjLQu/jC/vy9pnS -6gHQ0WbD/WqMS0s91vsK7KMciX9nVzDh9gtrH6Xa0lwCgZIU8EmzxD3PF3S4f2k8 -FZzwsT89HOEauYx7CFeIl4I17MpgWK63I0Y+VE2kRwednbC1xdmA5reMNjaeHlgR -xvbGQFZeNvfswyl8FNd6izRLytH/9ApV6B44GjYbsIOrSsqq9lOyBkeR5B5yM0Tq -UJi/vj7TlLYcmnANlXuPlnk593645FdtVVMLONAJWjoI2cYQgTezaGRVBPuO9YpA -ShJj85+02oZ6cWs5hiSQzbNZWY4B2cKrZoGS/T/Ugy4eeuP4VDwMNS95SVv9Md+4 -pAEoUiuGr+rZQwelSnyBjp7gINNVWBbBkMS/jQiVJqntQq651LAgd+/YDNJU7+OF -xERWSdr+DbxvK6T4e2ffcs3Qlwz/zY1tpGCRtcW5kqX0fKbZVEoQV6F35i8V7yZ0 -j6MqlFhCryzJ5ahi46FXxfxumlQx4JTI55Kw7H58EaNoiENIGUhm2LokOH8XBvlU -fll0CG9pq78FaxfSCz+9KpmdIwnQZ3VFVWX28JsJ+SYgzUYjlNPqq5zW6tT/MPST -2P/y815oqNFVwf3F4gTvhiFn47MzdvU/BcteitBqDSYSoVv3dMV9995CF3CzF3gs -Zk9ksJqVjvpD2t9eYUFbGmxsaGA0UqvcnkDwuvaZR2VWEuW8hd+cHhj/1IrW5xpg -Lf7VxEXJEOEBpzefFaFdeiiWKRqN6oib8VzxE5v25+3jlLAfULh+L8GlCn1Wl6lQ -uL/3zKdd+jwr9MYhWoA529DIx7tema+D3Sjb9Tt5ZW6rMr8epKAhq+uMkPaoYSpl -My4tlS16RgJ3Pp4wqRH1NZ1+1FwzMyyyP2RoP0oD+Zpp7CIPhvewRaq28EMcIJd1 -f1Yy2s54u5IlvNsKgbO8P1Id0mpCHOmf0LIGG9REBe0VEgWeCOB5nUdaJo03VSYo -QYRR4O23gR/QrTXKrwol1AP7c34nGpXdevy37u7HZFAEDiBEw2/ZQECnmP6Xq6fO -nl7ud5Z0j/Rq1pWyLo8LqqPk4G5sYjA2IGnCq/q7LDIQSSZVZFYClBs2xwwcO4ff -dlYdWw23jnZOE73tvnxVatLA7sbVEchlg5xRKBp0rEUJbjw0/N5yz+8ldwkj2+SG 
-g6ww1lGVbM1R8ebTdOoGLNZqaGqXwT6c+QoliSjK6EQEZrBmtjA7Eg4nA62kg8+N -QJb/3aXC4VJ7j1RYySEhTKovwNMpHCIqk3x/VjqUMwtubU9pNLPeedKGgvhVg3o4 -fiEJo2TKFDgCfKxPb8JyeQBHPCvtyqGjoqWvLsbqdUKIKtylWrqx3bfQXVJlcnfX -iAYgM0+S4b9a46myhAQWEvfAk5IRaTgSPwvoi5ONTrYivi874M60uWs9Bq9hLtXo -pWRwhltqvNXC/kVDsWmCcItuUVf2361KzzB1l3o28EgLN6VNZ1FPnnj36l73MXrh -rBGLjgxDTsf+/Geik7s/M7sfwmuEBPr4vIQKRgLI43emkK7f1wtp4yxEmtGoQGV3 -2RSBW2yajFOGeJKxS9ctZaOOEnyEGIFj53HiElT+mUhEfnI3wCCdnW+MjEgo3Zaj -2/Rdj5oN5cXX+TV3HeR3c+atXCMZ9aJ0XRncijuBci4RaFdiRjN72cQC7Y/1RT4I -HpGT3xzQd/Io7HDP/fPEpBuHO9czl5VQBTY61Rbn91EwY4/C//mCFcAhKu4Aqd8X -IA/BGabdZ24xFVStDijY2lWFcUerjpvYOR7jBb7eeroDj2dwabuXQilhvuoDlw3d -wA4QPlR8SMuJlCZLKkHyq5ALWmzm/g== -=uAoS +hQILA++MoCsgK05SAQ/4s60j70xEnibB+A85WitiOn3r1yzRQi8ngc57zDYrH7Qy +mJZ+Oa2Jno3xFIFYq4LmKZcJW7Z/FcD8ssK8T6RGs97vpXaxQcdtLqgTREYUc1zu +G8mEn0HZBl9BPiNArrWeqQnp101Ms03ctl8z3crdD201PfJZsQJOm0c05JDz584Z +aOeh2xYv+6lULWi+Kigb5CBRQ3K6/cBiBm15nHHhSRt7fx3zhiCsvUbOlPXUkHrS +c5CF93vFfCyH17m9ezVsDcSDqFHIZTvdRGUY3cEqbBvYvjB3IhS8HlPQrJghvzEf +KY/FqUKcrXJ97gEQV23TfggrdgxH6nZd9PcF3LIN1cBpmAENzE5cps7OI8+UUBxt +AMl5OB5x02eXxPbzfTtj4nb2/6e3ce0EefmMFgNLyZus7SSfPRy9V5JSBKvBhu8Z +TkJ8ZueBtOrvhaDDQRB/beAEpEH9s3nVIdiX6XLCUn95IoQZ0BUHcdSbHqsgX8bM +rXoa7b7bqO4UkTMxf9g1QYpYA2HBvd2Rk8RivO0evfaagiI45YJVPxTQYWAO5sez +zOj1p3m3MSMZP5pY+EvsTr+jzc8UIxz0/OTYTeOU6e7suuqkvWfaTWVKnTfC9Qvv +AlceFDuisqXQT14ogpbXaZ0qL1lS2QplvIiax8dZZjG0R9Cht8vEu8TI5U79rdLq +AXghpesY274OYcMw3I6bMl+Pa5LdALt/DDAaFsq0MN2x4YKgjY5uIeZcKSLsAGrk +nEh3t31Doogj6oiW6d/9gU7gSM+/fZ4ko07UbGdpMIgiUddUJkbmghzhUQIJP1tP +kyROgeLIcl12PdySFsTOs2bQfzBw5Nl9jl9NYUk9JfQRjjWEmJ7Mur0jVIos7YaE +aWSWlZXSZbr2SFonPYnw0ZjAoCeRRTFbrDk31kjCSrat+nz6D2aSzqdYk41kq2zg +7GuXmB2aZgtnZ1FTp6JQSIS98gsgcF7tJsoPbpENd/F7Ws5mXU8OuYw2woClssaZ +vJbxamU7F3w4BUd8TjZPjUj5ZI27lnR1zGwW4nLwiiX+tzctP2owl0DgaSt5MmnN +2k57cRVdsyIKwBveQFCVbVIB9L0xOKonNtCwD1K8hD5Q1nbtGN3EZI9nqBESjvkT +OPR/s1teQapWkconXt7KKLCvnIK5JqZCqLSVIxWXSCwV6GL7JLi8uZLauF/eSFT/ 
+qwJFpVmg9HC0rtcjL2n/8de75ESr+Vbe1K7jCYZSukcVEmZ1/f74uYd/PP2gdjGR +uZuZmj13KcY1vAMD3+X2HRuwkk9m1uUu6+mdYMNryjc5ll2TrLDGfdr5Z1B8npV5 +HGTPK1y/QW5dx3ktWp+Ecjytnlm1mZOx6iKIeOGyg9PuV/2MGywv7rLGcuEcBDZK +IfhVa+pCEjXU9ibw4bj1iBlrPmzGDRwg78CvF8f8sD1RZIoHj1kwCb2CThQyD0jV +XFGBOjtXmYU72l21R7P3UI6wXK+wOPeWIjyH2XUeldPZhzdg2llxmqAb15YQ/nYh +nry175IsSTjuv00jX0jDKatfDgsZHahSPLKwyuKVpS7rdKeiGXT/H1+pOQzBmX9s +LhkIxToaai4gMPRHcS5Yowlv3wZ1yIeiAIlRJBbnAMKhn05/FcqgdowTds1hFApz +TrMJCM7vQ2gUQxnA8+mq9Pv3mQ7Sz45pzrecEDqDIPaNLUt2JcI9yDwGZok43OsE +tDrMyj9bqcqgnDabI2M2+xntJXc2FaoMLwJTffeG2LggoF2FnMX2VZbIzPw3b9Y2 +C2Q6ccjdvSSb5PQTA5eudOkZba5QKL14wzIg/nQDlyqImRMJb2JGElKWRgvrXCy5 +9Yhny/6nyJ7HSo0/ON/1/EXRyYgRe+5gptARYi5V5FyI7OhcM3ChOUuJfej+zrMj +ZSfAh11Jh2XF3XO0L83kxLFFXYxxYP9glNwI4Bf7GgTvQxaIukt4BFnBU9b5Q/+F +cGe0fiQyOQlQxruJYNTpcedwpS4Cgp74WxY1DnrR2kpdAC67Hq2lYeNOaku2Q9WV +Eyg7BoGbL+aB5b6QCgWReMCWEY+OQsIVxiBhpVGvqitWnb2TxZ7jcwkdaqvkuI24 +tt7lX8Kj9B0Tfle57oDhqrbaWU6tYWmoz963P42bh5I2vCHWfDdG+jJlbduMhZCl +JpqD36Rk4pW23q92pQkXeYup1MSn4og9HaHIz+1hV3DHpeKb+T6W7EbJI6X6hSE/ +juzkgxLcP8jrZvEJfhjMzfqfliLptMaIzkfiLDK1dgyf1yibEKx1+QhDf+bFavng +UdAaGZ+D+HQpkFSKSrBmEThHPhEAVeaabgRKOpEanIaY1Io0dHSjfza1QOMbjZzg +qmD1bSjVRO6uu0eXadzmdT7M1+KEBcU7sG1Stwk7+nwgXx76PiVtt0tUtLnOFl0G +fE7v1KfVcdSFsTX66LIoVxOLGNPDOH3dj60gy+sQ5Ts8ZZ6bxp2Ro46QxW4yCcXd +Ky6iwM/k5JM7fXVAviEzPsiOk7U8rehp +=bM4l -----END PGP MESSAGE----- diff --git a/secrets.nix.asc b/secrets.nix.asc index f5fa0bd..14c499f 100644 --- a/secrets.nix.asc +++ b/secrets.nix.asc 
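Review bot: Re-encrypting `deploy_key.asc` and `secrets.nix.asc` changes the wrapper, not the secrets: the previous ciphertexts stay in git history and remain decryptable by whoever holds the old recipient key, so if this re-encryption is a reaction to a lost, leaked or retired key, the deploy key itself and the values inside secrets.nix need rotating as well. If instead it only adds or swaps a recipient, a line in the commit message stating which key now decrypts these files would save the next person a `gpg --list-packets` session. It is also worth confirming the new blobs are encrypted to more than one key, so a single lost GnuPG key does not lock you out of your own deployment.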
@@ -1,29 +1,32 @@ -----BEGIN PGP MESSAGE----- Version: GnuPG v2 -hQIMA++MoCsgK05SAQ/+LvophpN/moY95XS96yuFU6UYe1zssnx0BXVlaG97U/PN -bKwhhuCWizCvF3jG2hhSQdcwd8ezi9Wf9YXPITN+jrBxyona7/Z271Pw6Wes0skf -wx5RX5m0QKH6ml35J160BIREiEm1U0CYSlGLX61hKHU2btvVxI0KnpzFZ9RGPe1J -oSY4hsjZGvXja6ZmouJX2gDDIIyibgkAvLk5ooJ6zr6qP4e8u2n5rDXDBOjvxjig -JXdCzBzCICFaU3UbAfD9KHjC9aWQD1fwKMg0HQo49SRuGqokIhpKgDbkiZev2Rnz -5nncwpTqM5oCmUjgJLHmCFvBOVFxyxxDmLDNU3BY6SU+xFNar63tQwSrmcW3Qlt0 -2tFE+OOC04o7efcT+Ca2VKVzQKeGbCwKdwktYVkpXYphGUo8HnqR+b3lQUXkK1Om -2kbYQtH8ztMIDUcb94sVcWANvhJhHAeeXVxCvDsaSWF5N1rrW6i/R4DxaBcgfkcn -+ioTVSOmlfOXWcBtucOS1KS2vl4WugslYXKi8RLgNYOj0h02jVsCdgPJqas7/TJc -+DkGbGLIsnwCt15yyw4d2NZz26ouX2vtfTR5wt9wChIuxL1j8MiBlw4QMPxmDDs5 -PQSLLyBySiibZVYWYaDv2Icp6AZ7kgD3XNf6z57BOAoyy7RdwuYEyq5cwZOIs1/S -6QHC5J0WQ6H0sL6k/mQYLOAGbsa7EW3Tv1wWXyPTZyWonVZOgU3mYnWLp2qKPSae -1sMWRvfd9hh41T8BVaDR9uXjFNeHo6Xk/mk2eWYyaNdlSulh2JpFjKJ3+2/DlLtR -gBxFIHaXXBPONlFMzq5GQ2xD6zS+tFJOc+MHjGNg3qIC0B4UnePOeT/OrhecufQG -BwobrUqO1JfUF30TX8ncGeb69GUI6TUiVENB1yQ5SU9+hW5zE6QM/ZiiUMMbHkAJ -2NTAnKmZQBZlWhb3GLeVq+bUIrn+QUNqJQN5bT1resOL3b7nVxrrQp9ryH2gu0Fb -rUIHL+RVYPb7IXsxLGskmHQffIEQ3AIag3LR8VuSzOd5EpIE+h90jSB0B85ENVYo -PkojI8buXckXVV7ro3t2BHcT7r2o6ZmhnW7IkF7P6QpV7oycRw3WdZ7C0mwmNbJq -ZWqG3N8aMv9URyBcIXI0qXcEHImx2v+6oLsZ/XUP3RGnbU1B7Twh/LHcZ3QfCA/u -7TdBxnBgLnRXBt48W+iSoLRw9SxIdLlpXpez/vQIjFHGM/a6XLRJgctMcK5rQdGS -yd3CXR0hVpDaZH33LFop67Phj5vvdop3ONHOmfV6NMqHbkH/p7rhHcdWBOVtNvry -j9vekI7qlEVBwuXgx9HHMPNNlkve94qbZSjpiGn+PHQmaF4/jCTZ41PmBaSp8mGC -eTMA9NQbUsBNew9UcryWl6rFrNMIcwu7De9REh0ovjoo6g3mxJhZuhWPwtmnEHpt -zzoF4hSeoisJwg+JwGq4lQbjVJBgjdcFqke6BAEvam1Jqale5CKJ1GKb -=fAua +hQIMA++MoCsgK05SAQ//VnOGAXDtZpB3jAIg49OBW8oznyN/a9062jq48UVZF8VN +8hTKxZY6Ae41bH5wobv2n+6SSJZLxX98U4bpddjIsf6bVk6MyLouTwSgFIN8wpik +yF/+Jpzcx6BwmHM+5Wi+0DUrhoaePdDqEzo9lU6E0pzv3jJxml0XALGxfwC0PIPl +zj24VqfAQpj7DP2PWaUnJufBNgLNvnUsb2BRMnFlK4PARwg3KdISOVFTSLwsQYfN +KvI/Z0R704VTCOEfcMdy9D4o8FBeAgEJhICvN4ngu4MwRKw6gLxp3EdpEcvgVAYy 
+ToVPfHEgbHpDQXliLRjIVY4kASJdmblf1fAfJbQHmHdjz/TGH4p4sU2PFE/ZN51u +MKYQptdTnOOB7TzgGgLWJDvcIENZM6Ns+eslCaCFH3kosp8q/piNZViNTuOIsFLa +Ij0Jn/YIpbikUz6Z05gs4Esss4ot8fcF/tC+vpinNE5LfF5ien6aFBauYie0WUoe +hU9VRoTKJrppQOtu7x59Fz3mlG+oDSat+jUESWYXFiwn9XCQubQYWwDSWu0C3PB9 +B3AhJcDo+R1xrqtB51iIYxVzYsc1ky0r4+RrLsFJC1m5UkLGDnO3N73Ix388JJYD +XwUFFIDjZdm6PmE/0KpKyRV+xoV1thzJvpeWkDh169hQZnQjh5ZbuBt1gxdvtCHS +6QEMaYF63XPZn07rO9oROxo4yeuz3EMI1iG20wsGzNDfMLml4JEcQFDGcr7moiSD +/OOgUey6ZVj838xo87m+qTzoqQ9hs13cbB3TV0w81HDaZ8NnXWr3111kBhhHAB0C +xF4XmxymXRkRzY7Y0gOJGkmM16n+qJiCYdlgglVkChraMZRx5/XCxZNupMYYz6l7 +SizRu5DQZZLdrEHPUTKBa8DgcscHdWksgdmVVDtGOz6rAF1mWLsGAM3bRHVFQy54 +wgCt4gcrZd/lAiB/D+2ZN0ClKHv8WebwJLxEhKoDNlxb/RFnmT7Ge0TVk0Z6YlBt ++IzJQY4Z2r4WjpuStvJrGxP6JzSZ8MCRWs5o0hY01Eth8Ww7uNyO8KSerJ819evh +fBmFeokN2SELuL7nc/idxdqUqotnov0PK3Eg8CFLx/WK3zh2gUZG91qo2ffLev81 +9RuNgHQ7GDy0bo1BhipiHC6FVwwD7ycpRaYCqMpasl/T83a2hDiTLBxYo4g2nkA9 +tk922u/sYlCtT2PL66JV97UiHksLZTxDVuAIePwIbpSY/UjtrKdZS/x/jHbUtRVX +InJJ/zRZKaM/dyTdHqRsFNltj22tcZCLXJyNHoM/2KY7Arfu/JLGeLd0UbEUIEuM +Vcsfh0jmUBZffSFQ/kY2uypL7brIPO1vuYseh3/j/poowBiOGZQlrjY51Ib/pUSl ++sgKp/QOXxN6Va5G+D6/U0udlmccnQdbuE8Dp3hqSmPZC2e8T2z4QiDbnq2AUrfs +vWqktuTh3c7znWqJX2deMDn4mt3PTq7fOEcfJhQWJlHNkrqNOeewWKN9YwvkaMJ1 +0eB61sYMUa9o122NxaSrauQhp0aLC9Y8rqvNE97HS7VaH8kXXF3JbtdwvOx24CNL +aZUDL/Pyn9CDICqyptXV1/mqDU8HkR/kIX7YDGRLukMaCmsaZwfwSHwF3N7UAMty +PUQJt0jg5pqV3hg= +=A96z -----END PGP MESSAGE----- From 5841d660fa8a300bf01846fac287f924a4c332fa Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 21 Apr 2016 22:35:13 +0200 Subject: [PATCH 018/172] move nixos-in-place to modules dir --- nixos-in-place.nix => modules/nixos-in-place.nix | 0 ospinio/hardware-configuration.nix | 2 +- pennyworth/hardware-configuration.nix | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) rename nixos-in-place.nix => modules/nixos-in-place.nix (100%) 
diff --git a/nixos-in-place.nix b/modules/nixos-in-place.nix similarity index 100% rename from nixos-in-place.nix rename to modules/nixos-in-place.nix diff --git a/ospinio/hardware-configuration.nix b/ospinio/hardware-configuration.nix index 5a38530..001beb2 100644 --- a/ospinio/hardware-configuration.nix +++ b/ospinio/hardware-configuration.nix @@ -3,7 +3,7 @@ let ipconf = (import ).ipconf.${config.networking.hostName}; in { - imports = [ ../nixos-in-place.nix ]; + imports = [ ../modules/nixos-in-place.nix ]; "nixos-in-place" = { enable = true; rootfs = "/dev/mapper/CAC_VG-CAC_LV"; diff --git a/pennyworth/hardware-configuration.nix b/pennyworth/hardware-configuration.nix index 04e482f..7bd23d9 100644 --- a/pennyworth/hardware-configuration.nix +++ b/pennyworth/hardware-configuration.nix @@ -3,7 +3,7 @@ let ipconf = (import ).ipconf.${config.networking.hostName}; in { - imports = [ ../nixos-in-place.nix ]; + imports = [ ../modules/nixos-in-place.nix ]; "nixos-in-place" = { enable = true; rootfs = "/dev/disk/by-uuid/7165e542-0995-474c-a228-9592339e0604"; From 696ecfc0a41676b277742c9bbadeb494bd5661c1 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 21 Apr 2016 22:39:41 +0200 Subject: [PATCH 019/172] Use lets-encrypt for https with the new security.acme support in nixos 16.03 --- modules/le_nginx.nix | 1 + modules/nginx.nix | 172 +++++++++++++++++++++++++++++++++++ pennyworth/configuration.nix | 73 +++++++-------- 3 files changed, 208 insertions(+), 38 deletions(-) create mode 100644 modules/nginx.nix diff --git a/modules/le_nginx.nix b/modules/le_nginx.nix index 2484791..9814335 100644 --- a/modules/le_nginx.nix +++ b/modules/le_nginx.nix @@ -1,3 +1,4 @@ +# DEPRECATED: use security.acme + ./nginx.nix on nixos >=16.03 { config, lib, pkgs, ... }: let cfg = config.le_nginx; diff --git a/modules/nginx.nix b/modules/nginx.nix new file mode 100644 index 0000000..eb9af5a --- /dev/null +++ b/modules/nginx.nix 
@@ -0,0 +1,172 @@ +{ config, lib, pkgs, ... }: +let +cfg = config.nginxssl; +sslcfg = dir: '' + ssl on; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_certificate_key ${dir}/key.pem; + ssl_certificate ${dir}/fullchain.pem; + ssl_trusted_certificate ${dir}/fullchain.pem; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_protocols TLSv1.1 TLSv1.2; + # ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; + ssl_prefer_server_ciphers on; + add_header Strict-Transport-Security max-age=15768000; + ssl_stapling on; + ssl_stapling_verify on; +''; + +makeChallenges = servername: key_webroot: '' + server { + listen 80; + server_name ${servername}; + server_tokens off; + location /.well-known/acme-challenge { + default_type text/plain; + alias ${key_webroot}/.well-known/acme-challenge; + } + } +''; +makeServerBlock = servername: {key_root, key_webroot, contents, ...}: '' + server { + listen 80; + server_name ${servername}; + server_tokens off; + location /.well-known/acme-challenge { + default_type text/plain; + alias ${key_webroot}/.well-known/acme-challenge; + } + location / { + rewrite ^(.*) https://$host$1 permanent; + } + } + server { + listen 443; + server_name ${servername}; + server_tokens off; + ${sslcfg key_root} + ${contents} + } +''; +#vhosts = with lib; unique (concatMap (splitString " ") (attrNames cfg.servers)); +servopts = {...}: { + options = { + key_webroot = mkOption { + type = types.string; + description = "The path where the acme challenge is 
stored"; + }; + key_root = mkOption { + type = types.string; + description = "The path where the SSL keys are stored"; + }; + contents = mkOption { + type = types.string; + description = "Extra server block contents, like location blocks"; + example = "location / {}"; + }; + }; +}; +inherit (lib) mkEnableOption mkOption types mkIf; +in +{ + options.nginxssl = { + enable = mkEnableOption "enable new nginx module"; + no_vhost_keydir = mkOption { + type = types.string; + default = "/etc/sslcerts/no_vhost"; + description = "The path where the SSL keys for the default are stored (can and will be self-signed)"; + }; + servers = mkOption { + type = types.attrsOf types.optionSet; + description = "The servers to host"; + default = {}; + example = {"git.domain.com" = { + contents = "location / {}"; + key_root = "/var/lib/acme/git.domain.com"; + key_webroot = "/etc/sslcerts/acmeroot"; + }; + }; + options = [ servopts ]; + }; + challenges = mkOption { + type = types.attrsOf types.string; + default = []; + example = {"mail.domain.com" = "/var/lib/acme/mail.domain.com";}; + description = "Other domains to host challenges for"; + }; + }; + config = mkIf cfg.enable { + services.nginx = { + enable = true; + httpConfig = '' + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log logs/access.log main; + sendfile on; + #tcp_nopush on; + + #keepalive_timeout 0; + keepalive_timeout 65; + + server_tokens off; + + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + + gzip on; + # the default thing, for if no vhost is given + # generate default.pem and default.key manually + # and self-sign, if you feel like it + server { + listen 80 default_server; + server_name ""; + location / { + rewrite ^(.*) https://$host$1 permanent; + } + } + server { + listen 443 default_server spdy deferred; + server_name ""; + + ${sslcfg cfg.no_vhost_keydir} + + location / { 
+ root ${pkgs.nginx}/html; + index index.html index.htm; + } + + location = /50x.html { + root ${pkgs.nginx}/html; + } + } + + ${lib.concatStringsSep "\n" (lib.mapAttrsToList makeChallenges cfg.challenges)} + + ${lib.concatStringsSep "\n" (lib.mapAttrsToList makeServerBlock cfg.servers)} + + ''; + }; + networking.firewall.allowedTCPPorts = [80 443]; + system.activationScripts.nginxdhparams = + '' + if ! [[ -e /etc/nginx/dhparam.pem ]]; then + mkdir -p /etc/nginx/ + ${pkgs.openssl}/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048 + fi + dir=${cfg.no_vhost_keydir} + mkdir -m 0700 -p $dir + if ! [[ -e $dir/key.pem ]]; then + ${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024 + ${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \ + -subj "/C=NL/CN=www.example.com" + ${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem + ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem + fi + ''; + }; + + +} diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix index 468e0d2..97aa012 100644 --- a/pennyworth/configuration.nix +++ b/pennyworth/configuration.nix @@ -7,11 +7,14 @@ let secrets = import ; yoricc = import ../packages/yori-cc.nix; + acmeWebRoot = "/etc/sslcerts/acmeroot"; + acmeKeyDir = "${config.security.acme.directory}/yori.cc"; in { imports = [ ./hardware-configuration.nix ../roles/common.nix + ../modules/nginx.nix ]; networking.hostName = secrets.hostnames.pennyworth; 
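Review bot: The `challenges` option is typed `types.attrsOf types.string` but declares `default = [];`, so a host that enables `nginxssl` without setting any challenges hands a list to `lib.mapAttrsToList makeChallenges cfg.challenges` and evaluation fails; it should read `default = {};`. Separately, both the default `server_name ""` block and every generated vhost redirect with `rewrite ^(.*) https://$host$1 permanent;`, which reflects the client-supplied Host header into the Location and sends an unknown Host to `https://<whatever-the-client-sent>/…`; for named vhosts `return 301 https://$server_name$request_uri;` is the safer and cheaper form, and the default server could simply `return 444;`. The bootstrap key in `nginxdhparams` is a 1024-bit RSA key wrapped with the literal passphrase `foo` and unwrapped again on the next line; a single `openssl req -x509 -nodes -newkey rsa:2048 …` followed by `chmod 600 $dir/key.pem` does the same job without the weak key, and note that `mkdir -m 0700 -p` leaves an already existing directory's mode untouched. Finally, `add_header Strict-Transport-Security` is set at server level, and nginx only inherits server-level `add_header` directives into a `location` that defines none of its own, so any vhost whose `contents` adds a header inside a location silently loses HSTS there; `TLSv1.1` in `ssl_protocols` is also worth dropping once TLS 1.2-only clients are acceptable.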
@@ -25,48 +28,42 @@ in users.extraUsers.root.hashedPassword = secrets.pennyworth_hashedPassword; - services.nginx = { + nginxssl = { enable = true; - httpConfig = '' - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log logs/access.log main; - sendfile on; - #tcp_nopush on; - - #keepalive_timeout 0; - keepalive_timeout 65; - - - gzip on; - - server { - listen 80; - server_name ""; - - location / { - root ${pkgs.nginx}/usr/share/nginx/html; - index index.html index.htm; - } - - location = /50x.html { - root ${pkgs.nginx}/usr/share/nginx/html; - } - } - - server { - listen 80; - server_name yori.cc; - server_tokens off; + challenges."${config.networking.hostName}" = acmeWebRoot; + servers."yori.cc" = { + key_root = acmeKeyDir; + key_webroot = acmeWebRoot; + contents = '' location / { root ${yoricc}/web; } - } - - ''; + ''; + }; }; - networking.firewall.allowedTCPPorts = [80]; + + # Let's Encrypt configuration. + security.acme.certs."yori.cc" = + { email = secrets.email; + extraDomains = { + "${config.networking.hostName}" = null; + }; + webroot = acmeWebRoot; + postRun = "systemctl reload nginx.service dovecot2.service opensmtpd.service"; + }; + # Generate a dummy self-signed certificate until we get one from + # Let's Encrypt. + system.activationScripts.letsEncryptKeys = + '' + dir=${acmeKeyDir} + mkdir -m 0700 -p $dir + if ! [[ -e $dir/key.pem ]]; then + ${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024 + ${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \ + -subj "/C=NL/CN=www.example.com" + ${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem + ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem + fi + ''; } 
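Review bot: The `letsEncryptKeys` activation script is a copy of the `nginxdhparams` bootstrap in modules/nginx.nix, down to the 1024-bit RSA key and the throwaway `pass:foo` DES3 wrapping that the following line strips again; `${pkgs.openssl}/bin/openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/C=NL/CN=www.example.com" -keyout $dir/key.pem -out $dir/fullchain.pem` followed by `chmod 600 $dir/key.pem` yields the same placeholder without a weak key and without leaving the key file's mode to the umask (`mkdir -m 0700 -p` does not change an existing directory). Since the module already contains this logic, exposing it there as a helper parameterised on the directory would keep the two copies from drifting. The `postRun` reloads nginx, dovecot2 and opensmtpd in one `systemctl reload` call; if any of those units lacks an `ExecReload`, the combined call exits non-zero and the ACME post-run is reported as failed even though the other reloads went through, so it is worth confirming each unit supports reload or issuing one call per unit.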
From c39662b91d3bf2754952db06661da0891061d9e2 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 21 Apr 2016 22:41:43 +0200 Subject: [PATCH 020/172] remove hydra as binary cache --- roles/common.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/common.nix b/roles/common.nix index ced486e..6112e16 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -17,13 +17,9 @@ # Nix nixpkgs.config.allowUnfree = true; - nix.binaryCaches = [ - https://hydra.nixos.org - ]; nix.trustedBinaryCaches = config.nix.binaryCaches ++ [http://hydra.cryp.to]; nix.binaryCachePublicKeys = [ - "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" "hydra.cryp.to-1:8g6Hxvnp/O//5Q1bjjMTd5RO8ztTsG8DKPOAg9ANr2g=" ]; From 687b038f26c57558ca58f2d205ff414c1af4abf9 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 21 Apr 2016 22:42:07 +0200 Subject: [PATCH 021/172] install bind (dig, nslookup) in the system profile --- roles/common.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/common.nix b/roles/common.nix index 6112e16..41bbe73 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -68,7 +68,7 @@ unzip zip # network - nmap mtr + nmap mtr bind socat netcat-openbsd lftp wget rsync From 16bdb76bda1df7371d3d95eabe08ffe43de14cf8 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 21 Apr 2016 22:44:08 +0200 Subject: [PATCH 022/172] add mail server to pennyworth --- modules/mailz.nix | 312 +++++++++++++++++++++++++++++++++++ pennyworth/configuration.nix | 12 ++ 2 files changed, 324 insertions(+) create mode 100644 modules/mailz.nix diff --git a/modules/mailz.nix b/modules/mailz.nix new file mode 100644 index 0000000..bfabcba --- /dev/null +++ b/modules/mailz.nix 
@@ -0,0 +1,312 @@ +# https://github.com/valeriangalliat/nixos-mailz +# manual actions: +# run sa-update +# configure DNS (dkim at /var/lib/dkim/*/default.txt) +# mkdir /var/empty/.spamassassin +# chown -R spamd /var/empty/.spamassassin +# possibly unneeded: +# chgrp -R vmail /var/spool/mail +# chmod g+rwx /var/spool/mail +# TODO: rspamd? +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.mailz; + + # Convert: + # + # { + # a = { aliases = [ "x", "y" ]; }; + # b = { aliases = [ "x" ]; }; + # } + # + # To: + # + # { + # x = [ "a" "b" ]; + # y = [ "a" ]; + # } + aliases = foldAttrs (user: users: [user] ++ users) [ ] + (flatten (flip mapAttrsToList cfg.users + (user: options: flip map options.aliases + (alias: { ${alias} = user; })))); + + files = { + credentials = pkgs.writeText "credentials" + (concatStringsSep "\n" + (flip mapAttrsToList cfg.users + (user: options: "${user} ${options.password}"))); + + # dovecot2 + users = pkgs.writeText "users" + (concatStringsSep "\n" + (flip mapAttrsToList cfg.users + (user: options: "${user}:${options.password}:::::"))); + + recipients = pkgs.writeText "recipients" + (concatStringsSep "\n" + (flip concatMap cfg.domains (domain: + (map (user: "${user}@${domain}") + (attrNames cfg.users ++ flatten ((flip mapAttrsToList) cfg.users + (user: options: options.aliases))))))); + + aliases = pkgs.writeText "aliases" + (concatStringsSep "\n" + (flip mapAttrsToList aliases + (alias: users: "${alias} ${concatStringsSep "," users}"))); + + domains = pkgs.writeText "domains" + (concatStringsSep "\n" cfg.domains); + + spamassassinSieve = pkgs.writeText "spamassassin.sieve" '' + require "fileinto"; + if header :contains "X-Spam-Flag" "YES" { + fileinto "Spam"; + } + ''; + + # From + regex = pkgs.writeText "filter-regex.conf" '' + helo ! ^\[ + helo ^\. 
+ helo \.$ + helo ^[^\.]*$ + ''; + }; + +in + +{ + options = { + services.mailz = { + domain = mkOption { + default = cfg.networking.hostName; + type = types.str; + description = "Domain for this mail server."; + }; + + user = mkOption { + default = "vmail"; + type = types.str; + }; + + group = mkOption { + default = "vmail"; + type = types.str; + }; + + uid = mkOption { + default = 2000; + type = types.int; + }; + + gid = mkOption { + default = 2000; + type = types.int; + }; + + dkimDirectory = mkOption { + default = "/var/lib/dkim"; + type = types.str; + description = "Where to store DKIM keys."; + }; + + dkimBits = mkOption { + type = types.int; + default = 2048; + description = "Size of the generated DKIM key."; + }; + + domains = mkOption { + type = types.listOf types.str; + description = "The domains to look for"; + example = ["example.com"]; + }; + + keydir = mkOption { + type = types.str; + description = "The place to look for the ssl key"; + default = "${config.security.acme.directory}/${cfg.domain}"; + example = ["example.com"]; + }; + + users = mkOption { + default = { }; + type = types.loaOf types.optionSet; + description = '' + Attribute set of users. + ''; + + options = { + password = mkOption { + type = types.str; + description = '' + The user password, generated with + smtpctl encrypt. 
+ ''; + }; + + aliases = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "postmaster" ]; + description = "A list of aliases for this user."; + }; + }; + + example = { + "foo" = { + password = "encrypted"; + aliases = [ "postmaster" ]; + }; + "bar" = { + password = "encrypted"; + }; + }; + }; + }; + }; + + config = mkIf (cfg.users != { }) { + nixpkgs.config.packageOverrides = pkgs: { + # opensmtpd = overrideDerivation pkgs.opensmtpd (oldAttrs: { + # # Needed to listen on both IPv4 and IPv6 + # patches = oldAttrs.patches ++ [ ./opensmtpd.diff ]; + # }); + opensmtpd-extras = pkgs.opensmtpd-extras.override { + # Needed to have PRNG working in chroot (for dkim-signer) + openssl = pkgs.libressl; + }; + }; + + system.activationScripts.mailz = '' + # Make sure SpamAssassin database is present + if ! [ -d /etc/spamassassin ]; then + cp -r ${pkgs.spamassassin}/share/spamassassin /etc + fi + + # Make sure a DKIM private key exist + if ! [ -d ${cfg.dkimDirectory}/${head cfg.domains} ]; then + mkdir -p ${cfg.dkimDirectory}/${head cfg.domains} + chmod 700 ${cfg.dkimDirectory}/${head cfg.domains} + ${pkgs.opendkim}/bin/opendkim-genkey --bits ${toString cfg.dkimBits} --domain ${head cfg.domains} --directory ${cfg.dkimDirectory}/${head cfg.domains} + fi + ''; + + services.spamassassin.enable = true; + # it turns out that the dkim header domain does not have to match the from address + # but it would be a nice-to-have + services.opensmtpd = { + enable = true; + serverConfiguration = '' + filter filter-pause pause + filter filter-regex regex "${files.regex}" + filter filter-spamassassin spamassassin "-saccept" + filter filter-dkim-signer dkim-signer "-d${head cfg.domains}" "-p${cfg.dkimDirectory}/${head cfg.domains}/default.private" + filter in chain filter-pause filter-regex filter-spamassassin + filter out chain filter-dkim-signer + + pki ${cfg.domain} certificate "${cfg.keydir}/fullchain.pem" + pki ${cfg.domain} key "${cfg.keydir}/key.pem" + + table 
credentials file:${files.credentials} + table recipients file:${files.recipients} + table aliases file:${files.aliases} + table domains file:${files.domains} + + listen on 0.0.0.0 port 25 hostname ${cfg.domain} filter in tls pki ${cfg.domain} + #listen on :: port 25 hostname ${cfg.domain} filter in tls pki ${cfg.domain} + listen on 0.0.0.0 port 587 hostname ${cfg.domain} filter out tls-require pki ${cfg.domain} auth + #listen on :: port 587 hostname ${cfg.domain} filter out tls-require pki ${cfg.domain} auth + enqueuer filter out + + accept from any for domain recipient alias deliver to lmtp localhost:24 + accept from local for any relay + ''; + procPackages = [ pkgs.opensmtpd-extras ]; + }; + + services.dovecot2 = { + enable = true; + enablePop3 = false; + enableLmtp = true; + mailLocation = "maildir:/var/spool/mail/%n"; + mailUser = cfg.user; + mailGroup = cfg.group; + modules = [ pkgs.dovecot_pigeonhole ]; + sslServerCert = "${cfg.keydir}/fullchain.pem"; + sslServerKey = "${cfg.keydir}/key.pem"; + enablePAM = false; + sieveScripts = { before = files.spamassassinSieve; }; + extraConfig = '' + postmaster_address = postmaster@${head cfg.domains} + + service lmtp { + inet_listener lmtp { + address = 127.0.0.1 ::1 + port = 24 + } + } + + userdb { + driver = passwd-file + args = username_format=%n ${files.users} + default_fields = uid=${cfg.user} gid=${cfg.user} home=/var/spool/mail/%n + } + + passdb { + driver = passwd-file + args = username_format=%n ${files.users} + } + + namespace inbox { + inbox = yes + + mailbox Sent { + auto = subscribe + special_use = \Sent + } + + mailbox Drafts { + auto = subscribe + special_use = \Drafts + } + + mailbox Spam { + auto = create + special_use = \Junk + } + + mailbox Trash { + auto = subscribe + special_use = \Trash + } + + mailbox Archive { + auto = subscribe + special_use = \Archive + } + } + + protocol lmtp { + mail_plugins = $mail_plugins sieve + } + ''; + }; + + users.extraUsers = optional (cfg.user == "vmail") { + name = 
"vmail"; + uid = cfg.uid; + group = cfg.group; + }; + + users.extraGroups = optional (cfg.group == "vmail") { + name = "vmail"; + gid = cfg.gid; + }; + + networking.firewall.allowedTCPPorts = [ 25 587 993 ]; + }; +} diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix index 97aa012..52f3dd5 100644 --- a/pennyworth/configuration.nix +++ b/pennyworth/configuration.nix @@ -14,6 +14,7 @@ in imports = [ ./hardware-configuration.nix ../roles/common.nix + ../modules/mailz.nix ../modules/nginx.nix ]; @@ -27,6 +28,17 @@ in # root password is useful from console, ssh has password logins disabled users.extraUsers.root.hashedPassword = secrets.pennyworth_hashedPassword; + services.mailz = { + domain = config.networking.hostName; + keydir = acmeKeyDir; + domains = secrets.email_domains; + users = { + yorick = { + password = secrets.yorick_mailPassword; + aliases = ["postmaster" "me" "ik" "info" "~"]; + }; + }; + }; nginxssl = { enable = true; From 2bc1e0458b9b4e47d940ebfb4ca04a06c9f17ee7 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 21 Apr 2016 22:45:06 +0200 Subject: [PATCH 023/172] add tor client + hidden ssh service on pennyworth --- modules/tor-hidden-service.nix | 42 ++++++++++++++++++++++++++++++++++ packages/shallot.nix | 24 +++++++++++++++++++ pennyworth/configuration.nix | 8 +++++++ roles/common.nix | 10 ++++++++ 4 files changed, 84 insertions(+) create mode 100644 modules/tor-hidden-service.nix create mode 100644 packages/shallot.nix diff --git a/modules/tor-hidden-service.nix b/modules/tor-hidden-service.nix new file mode 100644 index 0000000..984b614 --- /dev/null +++ b/modules/tor-hidden-service.nix 
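Review bot: The `domain` option's default is `cfg.networking.hostName`, but `cfg` is `config.services.mailz`, which has no `networking` attribute, so any host that leaves `services.mailz.domain` unset fails to evaluate as soon as `keydir` or the opensmtpd config reads it; it should be `default = config.networking.hostName;` (pennyworth sets the option explicitly, which is why this has not surfaced). In the dovecot `userdb` block, `default_fields = uid=${cfg.user} gid=${cfg.user}` uses the user option for the gid too; `gid=${cfg.group}` is what the `group` option promises, and the two only coincide while both keep their `vmail` default. Note also that `files.credentials` and `files.users` are produced with `pkgs.writeText`, so every mail user's `smtpctl encrypt` hash lands in the world-readable Nix store; these are hashes rather than plaintext, but if that is not acceptable the tables should be deployed outside the store, e.g. under `/run/keys`. The `keydir` option's `example = ["example.com"]` is a list although its type is `types.str`; `example = "/var/lib/acme/example.com";` would match.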
@@ -0,0 +1,42 @@ +{ config, lib, ... }: + +with lib; + +let + hiddenServices = config.services.tor.hiddenServices; +in { + options.services.tor = { + hiddenServices = mkOption { default = []; }; + }; + + config = mkIf (hiddenServices != []) { + assertions = map (hiddenService: { + assertion = hasAttr "name" hiddenService && hasAttr "port" hiddenService; + message = "all hidden services should define a name and a port.."; + }) hiddenServices; + + services.tor.enable = true; + + services.tor.extraConfig = concatStringsSep "\n" (map (hiddenService: '' + HiddenServiceDir /var/lib/tor/${hiddenService.name} + HiddenServicePort ${toString (if hasAttr "remote_port" hiddenService then hiddenService.remote_port else hiddenService.port)} 127.0.0.1:${toString hiddenService.port} + '') hiddenServices); + + systemd.services."install-tor-hidden-service-keys" = { + wantedBy = ["tor.service"]; + serviceConfig.Type = "oneshot"; + serviceConfig.User = "tor"; + serviceConfig.Group = "keys"; + # TODO: update on change? + # TODO: better ways to get the keys on the server + script = concatStringsSep "\n" (map (hiddenService: if (hasAttr "private_key" hiddenService && hasAttr "hostname" hiddenService) then '' + if ! [[ -e /var/lib/tor/${hiddenService.name}/private_key ]]; then + mkdir -p /var/lib/tor/${hiddenService.name}/ + cp ${hiddenService.private_key} /var/lib/tor/${hiddenService.name}/private_key + cp ${hiddenService.hostname} /var/lib/tor/${hiddenService.name}/hostname + chmod -R 700 /var/lib/tor/${hiddenService.name}; + fi + '' else "true") hiddenServices); + }; + }; +} diff --git a/packages/shallot.nix b/packages/shallot.nix new file mode 100644 index 0000000..fad7a90 --- /dev/null +++ b/packages/shallot.nix 
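Review bot: `install-tor-hidden-service-keys` is only `wantedBy = ["tor.service"]`, which makes tor pull it in but imposes no ordering, so tor can start first, find no `private_key`, generate a fresh one, and the installer's `if ! [[ -e … ]]` guard then preserves that random identity instead of the supplied one; add `before = ["tor.service"];` (and arguably use `requiredBy` rather than `wantedBy`) so the copy always precedes tor's start. The key and hostname are interpolated as plain strings (`cp ${hiddenService.private_key}`), which is the right choice because a Nix path literal would have copied the private key into the world-readable store; a one-line comment stating that would stop a future cleanup from "fixing" it. The `chmod -R 700` runs after the copies, so the files briefly carry umask-derived modes; a `umask 077` at the top of the script closes that window cheaply.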
@@ -0,0 +1,24 @@ +with import {}; + +stdenv.mkDerivation { + name = "shallot-0.0.3-alpha"; + + src = fetchFromGitHub { + rev = "831de01b13b309933d32efe8388444ef6a831cfb"; + owner = "katmagic"; + repo = "Shallot"; + sha256 = "0zlgl13vmv6zj1jk5cfjqg66n3qq9yp2202llpgvfl16rzxrlv5r"; + }; + + buildInputs = [openssl]; + + buildPhase = '' + ./configure + make + ''; + + installPhase = '' + mkdir -p $out/bin + mv shallot $out/bin + ''; +} \ No newline at end of file diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix index 52f3dd5..570d3c1 100644 --- a/pennyworth/configuration.nix +++ b/pennyworth/configuration.nix @@ -16,6 +16,7 @@ in ../roles/common.nix ../modules/mailz.nix ../modules/nginx.nix + ../modules/tor-hidden-service.nix ]; networking.hostName = secrets.hostnames.pennyworth; @@ -78,4 +79,11 @@ in ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem fi ''; + + services.tor.hiddenServices = [ + { name = "ssh"; + port = 22; + hostname = "/run/keys/torkeys/ssh.pennyworth.hostname"; + private_key = "/run/keys/torkeys/ssh.pennyworth.key"; } + ]; } diff --git a/roles/common.nix b/roles/common.nix index 41bbe73..6aa91e4 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -36,6 +36,16 @@ challengeResponseAuthentication = false; }; + services.tor = { + enable = true; + client.enable = true; + }; + + programs.ssh.extraConfig = '' + Host *.onion + ProxyCommand nc -xlocalhost:9050 -X5 %h %p + ''; + environment.systemPackages = with pkgs; [ # v important. cowsay ponysay From 7bcb3e5c420536f3eaa142ddb054f0bf49ef0f40 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Fri, 22 Apr 2016 19:12:59 +0200 Subject: [PATCH 024/172] add XMPP using prosody --- pennyworth/configuration.nix | 40 +++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix index 570d3c1..3f3b5b6 100644 
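Review bot: The shallot derivation has no `meta` block, so the package carries no description, license or platform information, unlike the `meta` the later packages/luadbi.nix in this series provides; for a package that, judging by its place in this commit, supplies the hidden-service keys, `meta = { description = "…"; license = …; };` is worth adding. The source is pinned by `rev` plus `sha256`, which is what makes the fetch reproducible — keep both when bumping. The header renders here as `with import {};`, which looks like `<nixpkgs>` was lost in extraction rather than in the committed file; worth confirming. The file also ends without a trailing newline.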
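Review bot: The `ProxyCommand nc -xlocalhost:9050 -X5 %h %p` in the new `programs.ssh.extraConfig` depends on whichever `nc` is first on PATH supporting the OpenBSD-netcat `-x`/`-X` proxy flags; other netcat implementations do not accept them, and nothing in this hunk adds a specific one to `environment.systemPackages`. Referencing the binary explicitly, e.g. `ProxyCommand ${pkgs.netcat-openbsd}/bin/nc -x localhost:9050 -X 5 %h %p`, keeps the config from breaking silently when PATH changes. The SOCKS port is hard-coded; a short comment tying `9050` to the `services.tor.client.enable` lines just above would make the coupling visible. Since this is roles/common.nix, the tor client is now enabled on every host importing the role, not only pennyworth — if that is intended, a comment saying so helps.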
--- a/pennyworth/configuration.nix +++ b/pennyworth/configuration.nix @@ -21,6 +21,8 @@ in networking.hostName = secrets.hostnames.pennyworth; + environment.noXlibs = true; + services.openssh.enable = true; networking.enableIPv6 = lib.mkOverride 30 true; @@ -29,6 +31,7 @@ in # root password is useful from console, ssh has password logins disabled users.extraUsers.root.hashedPassword = secrets.pennyworth_hashedPassword; + # email services.mailz = { domain = config.networking.hostName; keydir = acmeKeyDir; @@ -41,6 +44,7 @@ in }; }; + # website + lets encrypt challenge hosting nginxssl = { enable = true; challenges."${config.networking.hostName}" = acmeWebRoot; @@ -63,7 +67,9 @@ in "${config.networking.hostName}" = null; }; webroot = acmeWebRoot; - postRun = "systemctl reload nginx.service dovecot2.service opensmtpd.service"; + postRun = ''systemctl reload nginx.service dovecot2.service opensmtpd.service + systemctl restart prosody.service + ''; }; # Generate a dummy self-signed certificate until we get one from # Let's Encrypt. 
@@ -80,10 +86,42 @@ in fi ''; + # hidden SSH service + services.tor.hiddenServices = [ { name = "ssh"; port = 22; hostname = "/run/keys/torkeys/ssh.pennyworth.hostname"; private_key = "/run/keys/torkeys/ssh.pennyworth.key"; } ]; + + # XMPP + services.prosody = { + enable = true; + + allowRegistration = false; + extraModules = [ "private" "vcard" "privacy" "compression" "component" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"]; + virtualHosts.yoricc = { + enabled = true; + domain = "yori.cc"; + ssl = { + key = "/var/lib/prosody/keys/key.pem"; + cert = "/var/lib/prosody/keys/fullchain.pem"; + }; + }; + extraConfig = '' + use_libevent = true + s2s_require_encryption = true + c2s_require_encryption = true + ''; + + admins = [ "yorick@yori.cc"]; + }; + systemd.services.prosody.serviceConfig.PermissionsStartOnly = true; + systemd.services.prosody.preStart = '' + mkdir -m 0700 -p /var/lib/prosody/keys + cp ${acmeKeyDir}/key.pem ${acmeKeyDir}/fullchain.pem /var/lib/prosody/keys + chown -R prosody:prosody /var/lib/prosody + ''; + networking.firewall.allowedTCPPorts = [5222 5269]; } From f254fad78a91046a7a5dd199502db44c51bb8497 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 23 Apr 2016 00:30:39 +0200 Subject: [PATCH 025/172] add prosody-modules: carbons,mam,smacks --- pennyworth/configuration.nix | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix index 3f3b5b6..34b3e1b 100644 --- a/pennyworth/configuration.nix +++ b/pennyworth/configuration.nix 
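Review bot: In `systemd.services.prosody.preStart` the private key is copied with plain `cp`, so `/var/lib/prosody/keys/key.pem` gets whatever mode the umask and the source give it before the trailing `chown -R`; `install -m 0600 -o prosody -g prosody ${acmeKeyDir}/key.pem /var/lib/prosody/keys/key.pem` (and the same with `-m 0644` for fullchain.pem) sets owner and mode in one step and makes the recursive chown of all of /var/lib/prosody unnecessary. `c2s_require_encryption`/`s2s_require_encryption` are set, but encryption alone does not authenticate peers; if the prosody version in use supports it, `s2s_secure_auth = true` in `extraConfig` is the setting that rejects s2s peers without a valid certificate. Ports 5222/5269 are opened without a label — `# XMPP c2s / s2s` next to `allowedTCPPorts` would match the other section comments this commit adds.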
@@ -96,11 +96,19 @@ in ]; # XMPP - services.prosody = { + services.prosody = let + # TODO: this should be in nixpkgs + prosodyModules = pkgs.fetchhg { + name = "prosody-modules-22042016"; + rev = "e0b8b8a50013"; + sha256 = "06qd46bmwjpzrygih91fv7z7g8z60kn0qyr7cf06a57a28117wdy"; + url = "https://hg.prosody.im/prosody-modules/"; + }; + in { enable = true; allowRegistration = false; - extraModules = [ "private" "vcard" "privacy" "compression" "component" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"]; + extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist" "mam" "carbons" "smacks"]; virtualHosts.yoricc = { enabled = true; domain = "yori.cc"; @@ -109,7 +117,9 @@ in cert = "/var/lib/prosody/keys/fullchain.pem"; }; }; + # TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub? extraConfig = '' + plugin_paths = { "${prosodyModules}" } use_libevent = true s2s_require_encryption = true c2s_require_encryption = true From 08914f047dcd038f5534630fc9b410f4570331a5 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 23 Apr 2016 01:44:07 +0200 Subject: [PATCH 026/172] add luadbi for db storage --- packages/luadbi.nix | 47 ++++++++++++++++++++++++++++++++++++ pennyworth/configuration.nix | 9 +++++++ 2 files changed, 56 insertions(+) create mode 100644 packages/luadbi.nix diff --git a/packages/luadbi.nix b/packages/luadbi.nix new file mode 100644 index 0000000..7a5f1d0 --- /dev/null +++ b/packages/luadbi.nix 
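Review bot: The `pkgs.fetchhg` for prosody-modules is inlined in a `let` inside `services.prosody`, whereas the other fetched sources in this repository live under packages/ (shallot.nix, yori-cc.nix); moving it to `packages/prosody-modules.nix` and pulling it in with `pkgs.callPackage` would keep the host configuration free of fetch details and make the `# TODO: this should be in nixpkgs` easier to act on. The pin by `rev` plus `sha256` is the right shape — keep both when updating. `plugin_paths = { "${prosodyModules}" }` makes every module in the checkout loadable while `extraModules` is what actually enables modules; a one-line comment saying so would prevent a reader from assuming the whole collection is active.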
@@ -0,0 +1,47 @@ +{lib, fetchurl, lua, sqlite, luaPackages, + libpsql ? null, libmysql ? null, + withpsql ? false, withmysql ? false}: + +assert withpsql -> libpsql != null; +assert withmysql -> libmysql != null; + +luaPackages.buildLuaPackage rec { + version = "0.5"; + name = "luadbi-${version}"; + isLibrary = true; + src = fetchurl { + url = "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/luadbi/luadbi.${version}.tar.gz"; + sha256 = "07ikxgxgfpimnwf7zrqwcwma83ss3wm2nzjxpwv2a1c0vmc684a9"; + }; + + propagatedBuildInputs = [ sqlite ] + ++ (lib.optional withpsql [libpsql]) + ++ (lib.optional withmysql [libmysql]); + + unpackPhase = '' + mkdir ./luadbi + tar -xf $src -C ./luadbi + sourceRoot=./luadbi + chmod -R u+w "$sourceRoot"; + ''; + + preBuild = with lib.optionalString; '' + makeFlagsArray=( + sqlite3 + ${lib.optionalString withpsql "psql"} + ${lib.optionalString withmysql "mysql"} + LUA_LDIR="$out/share/lua/${lua.luaversion}" + LUA_INC="-I${lua}/include" LUA_CDIR="$out/lib/lua/${lua.luaversion}" + ) + ''; + + installPhase = '' + mkdir -p $out/lib/lua/${lua.luaversion} + install -p ./*.so DBI.lua $out/lib/lua/${lua.luaversion} + ''; + + meta = { + homepage = "https://code.google.com/archive/p/luadbi/downloads"; + maintainers = [ "Yorick" ]; + }; +} diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix index 34b3e1b..7f982a4 100644 --- a/pennyworth/configuration.nix +++ b/pennyworth/configuration.nix @@ -7,6 +7,7 @@ let secrets = import ; yoricc = import ../packages/yori-cc.nix; + luadbi = pkgs.callPackage ../packages/luadbi.nix {}; acmeWebRoot = "/etc/sslcerts/acmeroot"; acmeKeyDir = "${config.security.acme.directory}/yori.cc"; in 
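Review bot: `lib.optional withpsql [libpsql]` and `lib.optional withmysql [libmysql]` wrap an already-bracketed element, so each evaluates to a nested list (`[[libpsql]]`); whether or not the derivation's attribute coercion happens to flatten it, `lib.optional withpsql libpsql` / `lib.optional withmysql libmysql` (or `lib.optionals` with the list) states the intent. `preBuild = with lib.optionalString; ''…''` brings a function rather than an attribute set into scope — the body reaches `lib.optionalString` through `lib` anyway, so the `with` is dead at best and an evaluation error if it is ever forced; drop it. `meta.maintainers = [ "Yorick" ]` is a bare string where nixpkgs expects maintainer attribute sets, and `meta` lacks `description` and `license`.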
@@ -123,10 +124,18 @@ in use_libevent = true s2s_require_encryption = true c2s_require_encryption = true + archive_expires_after = "never" + storage = { + archive2 = "sql"; + } ''; admins = [ "yorick@yori.cc"]; }; + nixpkgs.config.packageOverrides = pkgs: + # FIXME: ugly hacks! + { prosody = pkgs.prosody.override { withZlib = true; luazlib = luadbi; }; + }; systemd.services.prosody.serviceConfig.PermissionsStartOnly = true; systemd.services.prosody.preStart = '' mkdir -m 0700 -p /var/lib/prosody/keys From 228599deb7b8a62dd0b9555e2796d7a741d32e42 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 28 Apr 2016 21:24:17 +0200 Subject: [PATCH 027/172] update encrypted files with 5F94FEDC --- deploy_key.asc | 77 +++++++++++++++----------------- keys/ssh.frumar.hostname.asc | 24 ++++------ keys/ssh.frumar.key.asc | 52 ++++++++++----------- keys/ssh.pennyworth.hostname.asc | 24 ++++------ keys/ssh.pennyworth.key.asc | 52 ++++++++++----------- secrets.nix.asc | 50 +++++++++------------ 6 files changed, 122 insertions(+), 157 deletions(-) diff --git a/deploy_key.asc b/deploy_key.asc index 536bd56..a34115b 100644 --- a/deploy_key.asc +++ b/deploy_key.asc 
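Review bot: `archive_expires_after = "never"` keeps every archived message indefinitely in the `archive2` SQL store, which is a retention decision rather than a default and deserves a comment stating that it is deliberate (and what the deletion path is, if any). `storage = { archive2 = "sql"; }` selects the SQL backend, but this hunk contains no `sql = { … }` connection settings for it — if they are defined elsewhere, a pointer here would help; if not, prosody may fail to open the store at startup. The `packageOverrides` passes `luadbi` through the `luazlib` argument, as the `# FIXME` admits; a one-line note on why the proper argument could not be used would stop a later reader from "fixing" it.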
@@ -1,45 +1,40 @@ -----BEGIN PGP MESSAGE----- Version: GnuPG v2 -hQILA++MoCsgK05SAQ/4s60j70xEnibB+A85WitiOn3r1yzRQi8ngc57zDYrH7Qy -mJZ+Oa2Jno3xFIFYq4LmKZcJW7Z/FcD8ssK8T6RGs97vpXaxQcdtLqgTREYUc1zu -G8mEn0HZBl9BPiNArrWeqQnp101Ms03ctl8z3crdD201PfJZsQJOm0c05JDz584Z -aOeh2xYv+6lULWi+Kigb5CBRQ3K6/cBiBm15nHHhSRt7fx3zhiCsvUbOlPXUkHrS -c5CF93vFfCyH17m9ezVsDcSDqFHIZTvdRGUY3cEqbBvYvjB3IhS8HlPQrJghvzEf -KY/FqUKcrXJ97gEQV23TfggrdgxH6nZd9PcF3LIN1cBpmAENzE5cps7OI8+UUBxt -AMl5OB5x02eXxPbzfTtj4nb2/6e3ce0EefmMFgNLyZus7SSfPRy9V5JSBKvBhu8Z -TkJ8ZueBtOrvhaDDQRB/beAEpEH9s3nVIdiX6XLCUn95IoQZ0BUHcdSbHqsgX8bM -rXoa7b7bqO4UkTMxf9g1QYpYA2HBvd2Rk8RivO0evfaagiI45YJVPxTQYWAO5sez -zOj1p3m3MSMZP5pY+EvsTr+jzc8UIxz0/OTYTeOU6e7suuqkvWfaTWVKnTfC9Qvv -AlceFDuisqXQT14ogpbXaZ0qL1lS2QplvIiax8dZZjG0R9Cht8vEu8TI5U79rdLq -AXghpesY274OYcMw3I6bMl+Pa5LdALt/DDAaFsq0MN2x4YKgjY5uIeZcKSLsAGrk -nEh3t31Doogj6oiW6d/9gU7gSM+/fZ4ko07UbGdpMIgiUddUJkbmghzhUQIJP1tP -kyROgeLIcl12PdySFsTOs2bQfzBw5Nl9jl9NYUk9JfQRjjWEmJ7Mur0jVIos7YaE -aWSWlZXSZbr2SFonPYnw0ZjAoCeRRTFbrDk31kjCSrat+nz6D2aSzqdYk41kq2zg -7GuXmB2aZgtnZ1FTp6JQSIS98gsgcF7tJsoPbpENd/F7Ws5mXU8OuYw2woClssaZ -vJbxamU7F3w4BUd8TjZPjUj5ZI27lnR1zGwW4nLwiiX+tzctP2owl0DgaSt5MmnN -2k57cRVdsyIKwBveQFCVbVIB9L0xOKonNtCwD1K8hD5Q1nbtGN3EZI9nqBESjvkT -OPR/s1teQapWkconXt7KKLCvnIK5JqZCqLSVIxWXSCwV6GL7JLi8uZLauF/eSFT/ -qwJFpVmg9HC0rtcjL2n/8de75ESr+Vbe1K7jCYZSukcVEmZ1/f74uYd/PP2gdjGR -uZuZmj13KcY1vAMD3+X2HRuwkk9m1uUu6+mdYMNryjc5ll2TrLDGfdr5Z1B8npV5 -HGTPK1y/QW5dx3ktWp+Ecjytnlm1mZOx6iKIeOGyg9PuV/2MGywv7rLGcuEcBDZK -IfhVa+pCEjXU9ibw4bj1iBlrPmzGDRwg78CvF8f8sD1RZIoHj1kwCb2CThQyD0jV -XFGBOjtXmYU72l21R7P3UI6wXK+wOPeWIjyH2XUeldPZhzdg2llxmqAb15YQ/nYh -nry175IsSTjuv00jX0jDKatfDgsZHahSPLKwyuKVpS7rdKeiGXT/H1+pOQzBmX9s -LhkIxToaai4gMPRHcS5Yowlv3wZ1yIeiAIlRJBbnAMKhn05/FcqgdowTds1hFApz -TrMJCM7vQ2gUQxnA8+mq9Pv3mQ7Sz45pzrecEDqDIPaNLUt2JcI9yDwGZok43OsE -tDrMyj9bqcqgnDabI2M2+xntJXc2FaoMLwJTffeG2LggoF2FnMX2VZbIzPw3b9Y2 -C2Q6ccjdvSSb5PQTA5eudOkZba5QKL14wzIg/nQDlyqImRMJb2JGElKWRgvrXCy5 
-9Yhny/6nyJ7HSo0/ON/1/EXRyYgRe+5gptARYi5V5FyI7OhcM3ChOUuJfej+zrMj -ZSfAh11Jh2XF3XO0L83kxLFFXYxxYP9glNwI4Bf7GgTvQxaIukt4BFnBU9b5Q/+F -cGe0fiQyOQlQxruJYNTpcedwpS4Cgp74WxY1DnrR2kpdAC67Hq2lYeNOaku2Q9WV -Eyg7BoGbL+aB5b6QCgWReMCWEY+OQsIVxiBhpVGvqitWnb2TxZ7jcwkdaqvkuI24 -tt7lX8Kj9B0Tfle57oDhqrbaWU6tYWmoz963P42bh5I2vCHWfDdG+jJlbduMhZCl -JpqD36Rk4pW23q92pQkXeYup1MSn4og9HaHIz+1hV3DHpeKb+T6W7EbJI6X6hSE/ -juzkgxLcP8jrZvEJfhjMzfqfliLptMaIzkfiLDK1dgyf1yibEKx1+QhDf+bFavng -UdAaGZ+D+HQpkFSKSrBmEThHPhEAVeaabgRKOpEanIaY1Io0dHSjfza1QOMbjZzg -qmD1bSjVRO6uu0eXadzmdT7M1+KEBcU7sG1Stwk7+nwgXx76PiVtt0tUtLnOFl0G -fE7v1KfVcdSFsTX66LIoVxOLGNPDOH3dj60gy+sQ5Ts8ZZ6bxp2Ro46QxW4yCcXd -Ky6iwM/k5JM7fXVAviEzPsiOk7U8rehp -=bM4l +hQEMAwEAjpZflP7cAQf+MXcQuYxDtrZu+BqXghfVpvKwfuIUnUEUYxynBFMRX2bv +IpUmv1eQ0E7L8DNC4x0qiR7mVG1AIufZgZMrEF9t2DaeJUgasDGD1fsPw6Zzy6lT +pE5t3zcOe2rGNEV5saGr9jGTHsByERi9H8D/8JEOTPfSQbuAMcX/P++QIIfEiQBS +fpGKsbzhSaCw3K5nHQRVgBzEDjAk5HSzbFikC1wcyZOx2/hgOABZEGSJwv3wjEC3 +gG15w33d4eQjSaM1AEQyO5Vq7oT+kyaQsYvUpgAdh2EALNYo3XlQ792aB1WzHbmY +O3unmpM12LdyuDmaNk4GMROGOlqDCV6vJq/RYYU779LqAaJiUYOcUBPLCsIx4HdM +mDWCmlRk/LoL9GuurBi580hI0F9qfW6AZUn6cTQn9Xpq9o2wvxEQC0Fr+5K9fV2O +w1Z45DaFbaCKU7qbzhhNDcfQsrvfkMDRs5d7SxB0l6UcRtYXhY9xxBUrXYALHAVU +qp25i5pAXRQiMyR8+f8upkWtnizf2125k6NRbGj/UVAH90CY5SKLTDOafvIaAYgf +4u/tfeiXisxIWRJySl8v6RXThKczpyuSpMsCR420tkFxgY1RparOEZTlD9WbnmH9 +9dunKVAlwyGN8d1pEEtBnmup1ns+JEq9vjuiPJJh77pSVjwGwL/84S+PDLZ5J91U +9djK3yFjtIjz3Aylpr9mw2y8LKGK0oEpMlS+K/I8758hDfbo3OwvKfWuzA3yJ2MC +6s61KV9OUXyu3KlSetkDGZTN+nH/EE2xVvaZ1CdRdaBWFYykpcOloLfw0bS13+nZ +GOg21bqILiojT699TyfvMYcWDN9s6EBuu3fr66pNUrMAeOKwIdSzNocTPSJCKusk +3ysrm2UY/xrIzwg7joRGBXERgyjenjjXTn7xeL3lnwQpfddnnL4ab2kAZfdi1J4D +MgHwhp13QBaeJSj8zgcSPYsnP1wkxbx7RLDhf2yzy8tqlHJdYIKBkBXMDtJiiEWi +nRhO90C4aiHhb0GX0k3Rv61Sls0F3Jh/1C5bq9hqRxyRQdJnTkmhbiFbnvMlo+d6 +n0rr4OqEZ3tp5o9mJG24FwdeJ++dRr/ImW3GpPo/MLqARyze2sfkwucxRoZtWn09 +tohziD7OQjTxyNS9XGimYrcPuoo/QboMHIYV2RDgmSfsphY82ZjA2PjqrIwMuRGS 
+0KLQ21SrIhioNwmX3k9hYSKdZVBlGvR8jzhzQ076gkaNUGPApinWMtV10c7+hY3/ +XS2GrIStEJ1iuqZwW6TWmuwPIp9umPGSSJMkenw66suH12LWEf8TS42Nj+HfWRiI +WusqL7Lvy7ZGShWqic2E0G7/EmxLrNCssJhKt7orLJv48nItKrqDgmC6woDLvnP9 +4AFS48j16RfqC+3vtTLwXut6qxhWGv1yrBLWGsEkAOKs6RHYDevcHERvNCkugyHE +TWux2+gZfR0HDwi5Ocy6j2RngVVUxvsPSTayAI8cKQQiKy9oLheESMDKC8LzNGXj +K4ZTLqM6Ok72dXneapt1qh6r9hkVuiNqn2h4SkrrovnMC2/ZVQcHTNpWevWVXsai +5qZAscTND4TZPwkUHSSLi0Wnv6gaPyNgcIh3LnUh4dVPUWulhxeu8a6K2pVj2lb5 +aYi6iXiiaFgVV0IfmtOCQutQVent4lK3j3nscDITUzOwnwvxlYMQ7oase/RJTK97 +28CTviidWIGfg0PPQ8nQXTD0+xfBYZDfu/Ks6+XdG7R9FmAE9RHFiUS0TFS7L9Br +uLFmylq9lSve9ToOYR4B/4aAXyoU58urtU0wkJT2GKxnmCKKuwp+tBPqot0necPA +khJpcfMwbEsOMw6AHDoOdHtRiZMnR6/0DvcCwdevA8KljmCoE3F0PKxWIirCG/rO ++Q4oJdIM+X6mLIlbbccQOMBVb7IEdXutAXq77Pe88rQn+OYxWjuMCfWJ5a0822gv +3QXMdr165q/8IOUblJr1yr4UFhOzBJyDaeXF7wU3a0pcLsFfbiyIxY4lS91/Q9dP +mNbdWWv6XZ6Zx4fxCNtAHIDkxoAmHJcz5ySfcyoqZ/APK6yw5dbUic3dRhik6VYI +VksFjGqTIDtjWiy3RFWow6lr8GUPzIjmV+u842VVbcAs2hOwZCTeLO2hXYgcxgXn +aNVz4E9n +=N9Mx -----END PGP MESSAGE----- diff --git a/keys/ssh.frumar.hostname.asc b/keys/ssh.frumar.hostname.asc index c193402..d0add6f 100644 --- a/keys/ssh.frumar.hostname.asc +++ b/keys/ssh.frumar.hostname.asc 
@@ -1,19 +1,13 @@ -----BEGIN PGP MESSAGE----- Version: GnuPG v2 -hQIMA++MoCsgK05SAQ/+OBQQJboR/E4uR03UZ/qCwY34O6o6s1E0BFMLp+wZY5OI -MPTc+cG9LKgx8uOJPYm+S4+3//4YQ2G9U4Yfex+511+/2QAiX5E5xDeQRvwsWfft -9AntZhalFeNPZ0fxeZ3Wdvrk/3eDallBWLB5biBOKjB8cvJdMF+QNt0VnMaB8f1N -lYsfamzmC1d+jsj8mQ08kMBa2kSbL+Nu+K5hrtUsQrGevvvJV8zO5At2mxaElD/C -xD9rLp+vdJoCXabgBEilNH/+bEkDMJoE/wWVJG5EXOwMVYhDTNVMshgNR3HghHPd -1eE8w868JyPPi2ZrwUBNXurIkfIdsav79QVRVJoBIeX/EwQLuCBj/FnGGMklTGFl -pbsIy9HDUzbvB9byA7KtuQUOHxLjeXdppUnTEpHFHB7gnEpoUVJLMET8Np8SY8wz -pGTWneNy9XHu1HQIi9gDqDJCBZvZX5wIEeLcXNE0C6iaL4+tqT7UDfCdDKdQ3nFc -nC9MxKMmJKEhVbRuvNil9oxQ+JhgfU8OOS+ybBtcLPUmZoCaiBwaq75onhbapk5f -xDNcsOkGpV3HWsCRz3m48MvDGlU3YO5R+PPJ+/ITqeLPytSSsOydSOAGXnGd9+F+ -x1CGrsADIYQKF/sMgO2ptqiwAeX878x0jwuBwTlxvfDGzzkHXeyWFMrxG8iF493S -YgHvB7BnP7wJQ2R/Is2LV3Z3ESFZDnZQrcTi/SaCNo+YZ85Of28Ep4GL4Lqlbkev -IxfPGEOr+SrP83lSD8eDWf9NRLtz+7NIU/P4U2Ywm6nmIE6hJuJRy0bXRqWmWr30 -0F+7 -=4UQQ +hQEMAwEAjpZflP7cAQf/e+HeSvqtGKPtU89jRWJRKGWIHMw+Sd/q3iXaTvE6XJC5 +KDKo5JfTkN8gsRBMcIRKZAE1B41WnOtq0ZXaGeSrZPtt5oVtIKbLwHPNVj8E6ysf +EPf9NWBxei1WEqRZln8FMVtKSn2bIxN0qsQ+o/6RxGSC+yzvYlnk9FZc7qDkO2GJ +7lxBFHVnRzgQPA9nv3MCiyJDxCScDLG0vpS1qQ+NeZOvj7T+K6n6EXgwCvaGv3LQ +CRRSUOmBijh4vxREdwyRko47/g+O77JzC2N9xR6HYYXAHsGkcu3bKow44XGu9M84 +4mEGfYrTu/iHeaNOwUDnrQRpNZmIqUj/uc/L2LpiY9JiAb73hDjRREOg9JqacHHO +VGRjYDJ5ydYRfTFrGn/1x8TvW2K1WJibqyVorqCmvVUwfI9xln56tH7nHxHJ0hCC +Hx4r/7CoNNIpwpUtu1QggIBeKppDQk7t1ixvCVXHFJNl+Iw= +=dy/n -----END PGP MESSAGE----- diff --git a/keys/ssh.frumar.key.asc b/keys/ssh.frumar.key.asc index c507afb..2cff5e8 100644 --- a/keys/ssh.frumar.key.asc +++ b/keys/ssh.frumar.key.asc 
@@ -1,33 +1,27 @@ -----BEGIN PGP MESSAGE----- Version: GnuPG v2 -hQIMA++MoCsgK05SAQ//clphlrxUrWE9z0d8DKOoLAtn2cXvSnH4pB+QEP8/YlnD -F4SK6o1hjWQ+BHaEUi4fZubze2c2n20eu8txcMiB2ILWj71j6fhiEiSC+CNnM7rh -bXj1O7qOWeK/PWe2NCy7W45732SJjp7nkFHBGZuJs1ZOtT3X39mynnE3XHrZAhDM -waOXkBYuZdKOY9B8OUtJqPayTh6su6clNWqtwjMwPIC65RNErQikvYNNeF7JbrNJ -8RDFIh9CqFPdiiehiw33Fzhd0BtEYkdvXAhIhhEQ4tgJrE5tINLL5Zstn/CzupSA -LhatuTr2a1RUSgOdzYJVdBSKOn+Xp0DZjYNcQkcsvo0YswovtKEKEFO4uJWCuK8c -BeCDMPjw+E6gSvZFYKH+dp/K90oBu7ZBDUlX8oNjfV2ikle6P01Xywab8mriNgnJ -qtDEunekMTwqWzUGK6fzdUYSpvbtDY/qt+h7PxgAThc/wyQbVReYp4bgIDIbIUBZ -MHjA/J6wnoHS+2M13z60sPXrwWRQFrSCl7Gv2JVq6bwmXUTPbpSTTK5cCimomn+3 -prrlS2Hc+1EZBdWCWB7fAPt5sgD2evpndZThxCLp9vbZhqhHf7JFgn6uTW5pjkIq -EUUCLdtjx14lxxsdPCYri6UW7tlqodVO8U5QRKF5iV8fRSzLKmirV1qsoMFmWvTS -6QGdvQHf8dbkOxLvYIPEK6xs+60on6ZrrpFJ/Vyp1uMJkwsypKtGHJrXitfyFw9u -siADV5A4Df9Z1FodDAZbooD+utZ74j0ans0cGB5S3pjc9bGau7+EY6uJ5b/wUTkP -eWtJGlviyMfXXMk77+OefJ2gWzCzZVKmRB+ZBmtns/Q3X6HB4jbNCFFoVK6pq5gd -78BQy3U79EgEKzit+Ej3p2VKm7TaQHSNnluKGV/PFL4rhpfZE56lZmJO4pllOt5b -XoWtAckhd7uTROq3qWDGc9fuuTH1XhhH8udByPSMDpWEfp427oOfY+KV5cw1zRjW -3wSJuPBQk63ujze/0Hs+gLZwBE+TFYT08MRZu7B0/wtOfeau1tgoBZmP3QSSVgcH -cl/QoJnr04d9QnhXLnc35h/ZXLXKwd+RlT91vDDfMVJ+h44Wc+iBVTJc7z5rihwM -PCFkIfhyR2oXfV9GPX14UMB0QJ2TgqSnitKjbI2GK0op3NxxP54sQbC3DkxoMAMC -7IXFA1sGS2dGH5ceLbTlZ0bSGBXUouVED+ZW0ln7k6ZjzYvl4win1s19DHNlTB5v -vP5Xrln72lHggDwsEo5BQJvtqZZ7kOxAzn8Zvi1aihv/RMqWRS22PtVJpsRRHrmB -Mblo8cFhv5XUFPpCJObqr3Js/Y2wD3wd80uNM/ANSRHWwEHXZT51jxqn/B7QXJxq -8qr8dnSxtGjsbXIb8h/bMV7nncaOTKhKUB8kmnymUGJYX4JraqsRT1HkjBm8fruc -+kBH+PHo7EfYyMsyy6DfYnVDGoRBeIhlSxPMLubRzWBCvsvZk2+C3Mr9763Z34M3 -WZDnD14aEAuriJKlwcQa/B53CDPfyhmtj+sEdI3pXLIoc8I5XFeBOTdKYf2f7mZm -yv2Y4lmT5qqgwPqDxX+ls4pIZnM9fEPDHkm1YoyQtYaUk1VQjsfuHz0dI7ZSi1Rw -Eusxk6H+XcHwd5yUhPJBJq07iVi87KzGgTSOqqJ3dhvnlvrUxcmGdm67haymNJ+F -GfHMLQ== -=VhNR +hQEMAwEAjpZflP7cAQf+NhVPRvKA+uAnxG0EHA0ejwIX5izr7guh9WvN+K36mngs +EzqQikwg2XKIEXrgegwmVhUskZqksmp2bmu8f5BWoukHZUnWdinD0/01yb+YsO94 
+JEooWLc3+i0Zd3gJjazMbokyZJDA0g2fyOEo1sd1jNTzFdayJU6q8T35OEwVA1Ca +BiBK2Ym+FfcH724zALuC22QzHUvz26Q3S4igXZdnKU5APmQwejV7iHlbGosNPZyQ +sSJQxbSNv9ghWabpOR+qVtshx9wdrthUxmeUBwA5VvOasLejaxTf9xfWFk9qRi+3 +53F1ou7eZlR+5WfM6M74M+e5xbMddl+Zq1PuMUgwtdLpAUDBRvUVCURfpobuOn8/ +cXXtMSYc2C0TUpr9EExaFBlIvMxfdqt0t2RD2v7NLFX4cjUEGFDqVhaoVvYcn+J5 +u2vl/86ekzV9OoKrRh5lkefEDXsubWoT8CySbaP1YV0vKNpF0/Tg9doqGjmk5Wgw +H+ztastSw9PYtkXUEJSmnaeESyhuLSu1TtXnnyumhELFrwmeY2x5sjxFpgeBrSDa +scUb8uWwUEqnQzdh1L0NkatRKvWw/8RkC6KTdLyRWBCUBlqd5CQ7mGlkiIELQ9Su +c2XNEVBKPJNVJ48AhBHz9jQQ7CyNfh72i2S+oFNmvD/fMBM3vvFEpJM5xMLPmcBr +j68HKYaF4I70w2B9QvqxCOjNmMiPaPSI3IurM/hi5sIyB++8XIqVVbiUNzXY1vAx +mFPMgMWP8y8wnwy6FfjX4qZNR/NVTmpv4igRPJMLB0BpPqgP6REAGZqBg2It06l8 +rvPVxJsCV3seUVPNtw5UEd5ZvDwM/eYzO5PqdebwW2F6bkFvxkMjsui0yRzVqhC+ +NAxZvIMuOxA3e5ydeS1LBUhXZwZg644/n5bMcKBnYdXQDhFrnCX2H36QQ05zirMs +G+JUAAUgxIBQt6fmBtiba9SDvdqzdBP9+Y/PeEyBai77eGdzxPKxZjrzn9q4JjOQ +yvalQ69eBXiFXNuz+Ewj2XLAP0Wb6tE1jSwwzEFLYiEKexCtiZS2gjguhhqq6UGT +VGP2BAw39hJDeJ4/bgC5q2Od9Ki0cOG4AXqTlrs1zbgJdxXhAcqKHcokktU38glU +/Y39BKIVqFbm31FAYzOWFZP3wWHhPr6PI16fYpGVUmzZwCqpcKa4xfbyy0eARls6 +UYgU7WAIYm4rTMNJ9LMytVAGVRViqKWHSzZKY3L5kWt0yY/8QvDnxTP078FJ20GA +OINn/2UMoDEaa2ra5JsNfcKdaF5W6Dar5TJYEJeqn8dcQuC1EdfZrMo0r/KYxxK3 +6EaYmztxOc5o4NXIcL42g/SMIm0HhgSFG5ObMK4vEj38RQ== +=swEQ -----END PGP MESSAGE----- diff --git a/keys/ssh.pennyworth.hostname.asc b/keys/ssh.pennyworth.hostname.asc index c64ed0f..dd2718d 100644 --- a/keys/ssh.pennyworth.hostname.asc +++ b/keys/ssh.pennyworth.hostname.asc 
@@ -1,19 +1,13 @@ -----BEGIN PGP MESSAGE----- Version: GnuPG v2 -hQIMA++MoCsgK05SAQ/+OKZWHaYsMa4qRH5QTv/UPoF/L4Oi/1/zWckKvRJOiUKN -lS3boXw61EKdew7vx2pLGQebWjdhFfI0cwV3DDPN11OdT7GA7CPBIMx+xe9Nwc84 -tOAmFcr3ViMuagLY35vyP7NSYVNxBTjLgJF6zPxXoG/zsnp7EEIW7/4/iA9QqKPF -Z+iQ2nwNxtPbvCGM8GNzRZVppYyfJmK3NF7Z03UIv5pF8SmJIly+Ol8sSHqPQ8kU -YahdvVz43VlXBjtbsUFoudQUDBGD7k2NtGyvm+CKqapSUido/cI+3stWSieKOftH -KdwG4z5XzIc0faWv3GUGws+uELs8elUiVj2k/mVBGy/27oVUQDHE/iiFUAjobl9q -ZgeMS3GknXMStH/M9CRlRrxEwv8M5LMdkv/EuYtdzvlnVth6Cb9BASBa9OFO2yZr -gQCwAKYoCjKwOVvQ7g7hiz+oBOIJn+6uL6IiG7gpnd2MR5Ah4jQBN9+8l78AvurK -/4nUAy0ZjBRHG9buIdcCDW+w0+O2TJKjQNtfaVLJNpuiNZ7hP+4ntCZyrbZFkzdK -qmCWjbmRscEo+HDeJykNCjbu1Vl+KbZy2++SHdkS+c3HV2ACePlZHMsuPTgkpqBU -lIx4+KRcjfDqIPKYEnQAAx0xiuVXLTIhDCTxfwWdBPtmMZzZy0++OkjXhexVG1XS -ZgH14+UJQGhhuFLWFbbG/KgUxvqbuMvRdg/rjMfOdaL/lkYMvcVUBxOdzjXYbBef -EIRww/qo8CWKrrhCscLvcqthIwhiuO6ek6gGL9eG/9NUkXqy5gwqcfyT/OAh/bYC -hQwlVcdc/g== -=dUor +hQEMAwEAjpZflP7cAQf/Zk2l208KLP6TuE3riCi2ogm42yk23PRTYjcO/MZZ7us5 +tzkzf6RkYUlAngotnBppwCbc7nTQcpSPwE2DfrRnzOvfQp4Wv9XoV2WS/anar3MZ +Bk9ECUaItLO6j0gxhfwwyIAD1jodswDvBZ3DTJn/8de2t+bq3fbNbun/LdCVa8eA +OtqLNO8llaCEN0cutZJw5hXNBDw5+xehv/EY11LiwBe6QueFnKHWCzD6koXSWdR9 +TR8R+sZyr/0hYqHrrSr5EhvqCAWqNPUeJ/i6ouZkmlFKgZMsidyAbYLPLX8TOIQt +d6+MTSmoTHSzI99bvi2znbj4nmoXBVN6pasYPMuNX9JmAfYE5Cc+tVXfRokuEBSF +Evbpyf23o5i6dh8tQrUw32elPcjWIlCBUXkfisAYXQ0zntvf288yRGBonKK01yAK +uxNAwotaUZWmkJby25cEKmrxFqVKAQVBSEZcV7VfUmBmf5JYUgnd +=/dyQ -----END PGP MESSAGE----- diff --git a/keys/ssh.pennyworth.key.asc b/keys/ssh.pennyworth.key.asc index 791b272..528f0bd 100644 --- a/keys/ssh.pennyworth.key.asc +++ b/keys/ssh.pennyworth.key.asc 
@@ -1,33 +1,27 @@ -----BEGIN PGP MESSAGE----- Version: GnuPG v2 -hQIMA++MoCsgK05SAQ//bCRpTwXXx4iKhqswLmOWTMzaAdhiatQ5NAw/KUBAdEwR -XsEnjEr/BcIcbD/K5KENRyYDnAvxvwQ5KXz8DtgUG82Z7+ZznLyOAgl8bQQW1VBI -j6HzmLRo126xklo2Mh5f4TLlnTHBxf83TE0epXCBGluDCpnS5ZBDtsBIi92kthYd -FariaJJ23E80iEG1Iss0iUr7Hd3ONLuV1bDvsWBULS1nC8ZrfY+x8o87rSmeXs/8 -awPSmzNjDBPgBQLy0sG746Q2vbC2LcgiUUhTdg0ZVYHyTBdzhQ3ielYl4gMXEJuE -oz6De4O7zu/d2qdt8fopUnFp340wFKqHyajbd9ehY8lVJsTHPTIRV8MqwyDOapx9 -5FSzEyR3r7N/sGnsRlylNsr7a69BKEWS4mNhb2wjk8V+UcZvGAVVT/F08bpTpegK -qYXA0JXAiS2/kBtnxqPJ2a1/gx/Mjm54T2rllbckKudglquFJJwKNpWgBi+xlY1I -khgXv+sitTgwYuTbOCGFIAywfuyeAM7Qbqj0WxsOu6pa33X9y+4CZpnhsrdUxrxz -KSy1zExBRvYnSdE0LjVIcPoTPHB0q5gz2p+VwuArU32NHa3kYSfFLeGzJZ4Abaou -28D8L4kXUTlXhRh5rrjJ4w+w9Ra+bz46pa4swxOLb7lQWYFA6LgnACy2KKhEl17S -6QHfnGYB4+91xWH7s44GB35gTSA2lzQ7j6Y8WSi6iYmHpnUsoD31+eKrTTKbsUTj -xs8ZgLEM34p4RMnun7RC/NY7oZaK8qbCi5c752qBNjJFcPLoFsWdtl0cVl8OTfrq -td5ssM4+NXdJLER2qus02uHaEkRO83eZe1jrsKKCmMXw2iTKsC8iduO/2E7FX0xy -gwT5APjy3p5y6GXVKpPqg+qMWprUoxk1M5pXNgOSMCv+BDpb1f9Acwv2BHHaDJF+ -q9KjJVDgthSFeNEkwNpBCFVw+Nf0JXWnasRUpNSjmeHdSVfYjnM2jRMA4M6f/ZbW -SVAxqa9/bQGdY/hVg1A9+sJ6YqNXeCmri+zwU8qhpmCZL8wjKvM12Z/Ip4q32liB -aHGJBd2ydCR9a594rxRkKVjuzLsYkwv5BE5h8NMk8a/Iqpo2gM+YzH0DT4Jqadr4 -cBOciF3ds3oWvvkMX2wpMl0weYF5VF0e7JWnaFxBn1AOU9Bq67zEeAgQkyjbgP4W -hVp3PPmtcFn7JubTE2HV+tXuwnZLYuOAcYFX18F2deGZsiHH6PGBEoqlQbG+wOgT -0PMqSf4zkGS/YrtbB0TlrFgT5PEOotv27oaXKDpZ4Fe5acaDnp3vQAa4avTba2Ie -IUfSjgpgIobLd6HnwcTfas/WScBNhJY/n798VsJ0FP9EwEmuWtsfs8GEnhkqKchb -Y2rdci8dp8IrhcW24hNrvN/KFBNha2DpSkFSh0hLqmOI4VBc5v+0bIgXucmhx4FT -Ngh6/AhEZXqYQaH0sDg70C77D2VWsGnWtYloLr5fY9tXNgZ0AoXEVDMFnLTVyUoG -GsLW8lIAD3dCxp0GYNlU9jVo+sH4Fzz81w5c+JYC5k1VzuMf7V/D/yiztb9N0aUz -7PDRp+1z681XoxaNsZ5AyD7AdCRzsJT/tF8yNt+U0qPK5HExeNcxRCZndyOofbJ2 -nTR00ZRKdDzs7Ie8GRvZaj54Cjib1aWH9fvnDgGQdV/elKGk5yMQ3GS7e1ilVsV/ -Ep8YutR3R0BrWjzU -=zE7X +hQEMAwEAjpZflP7cAQf5Af25R/+IuXGNgUyF+2ghadXGNiRLbaCW8gwG7tAxf3/y 
+/knLQMYCgTWzZ/9fVJVvPht6wx1pyRuTB9yRnWGC/jbqQHiV2NIAPobzlf4s1ce/ +oNNae3TDq7HBrIFyZP7vcnDcIKAi+KNTU21mthK26cll1GOm2TME1bdHN2uQmn/s +NRnxs6DFbrM2C0QzVxrdf33SOKEUXGtmoQdAXw7/zWwzKvLHw9hsyOaAkLWVqNnN +4FZvTGx0PSSOodTr7CQxlCwXbt9gQutyTcqcMXPE7BsuccEBVOviXLvedoSgCvVO +ZzTS+vqxVLaf1I77NcEAUDBy1hjlG1Yq5RyJIj2htNLpAUPsAtMSK8Z0XcS+WAH6 +P0UL9v9dhpFWwzwaBgsDUPcSueXBcy59X9ruCo+RUA1nWmW8GytMavCuctyXhKNw +47mn+5Mc4ZpBtLwVw+NAWSvj/XOSi0eho9WTLN/ToICyA2E/Sl/i9DaA65ZNWg4U +/Q4KhS3B+6QI2Mn05TBQQ49wn1EBLRXNXBI3xlWtOYx3SDSdgsfXmE4uhGxjJjNY +cYwn1BAtuJYSrN8gYT9yMdNCAO20fMezXdQXE5vrhMmkwjlkUYT2+W3AtybghYBF +rLvtEy51MTIQLgdxAn4MHf461fkFFtPJ3adBIBSx05kBQrilsaH9RR4zV56wrRQG +iwCbDUXgsaVIgER6GucQrO+PlPph71FnQXP0h9NKmM+gEFz755KfkCr00Bi2Y/1L +Fd+R7DJc+iw5bNac4Ac4FvkwrxTH9CgwtLGwuuEqchpLQ/nQWV/KUqLMGg3N9iNw +hSYWUoei7OPwmi5ymD9Wx8MrOt1f7ITBhXzBTnqi5sL4pnvyi46Kfv1s4ix8gdfM +pNRD+fiblfeBiWhOWHd7hheYuYTw8LV+LgmH57AfT/k+l9cCDRmOgbC6wjfO6XUu +54LLMUoFYJX58bcCnX5QSVxyhuafYG2aiTy0UfKZBpbjMWBqpicZuEUIns9qRx9S +27b0d4yIhV74NjIPdUE48IHARxY3AchGoSFDEZOlLZtqANFk4E9goXSdMLT4pv7Z +PIKa/3bJCql/EPU3cfA0fBKIjUPGV7OwCy7Ij3h4U0mcjT5dIHyaB2QT2wyQi3fa +y3uqo337Ax1i7qNCg9dZhjzWNn8RgdR9b2/3o5FXhcoeFleXODGAktbq/b1GlfkS +C9WnMB4tHrtBgExJV7MmJ++LkApEW0VAG6UvMwDVdswShuREX9Z1B44onCBXw+ZC +kJPn5hVEN1kBAQVdyFOSS/A/0mELnvcrKPXBpXHqaUaPYh3t0NCZ+JkXLexmmeHq +RLot6lqSzMEbeCioIZuiQAY1bof5JMnFNbBVRHux4OFjsbR+Iiq44N7j +=4aPY -----END PGP MESSAGE----- diff --git a/secrets.nix.asc b/secrets.nix.asc index 14c499f..6646ba4 100644 --- a/secrets.nix.asc +++ b/secrets.nix.asc 
@@ -1,32 +1,26 @@ -----BEGIN PGP MESSAGE----- Version: GnuPG v2 -hQIMA++MoCsgK05SAQ//VnOGAXDtZpB3jAIg49OBW8oznyN/a9062jq48UVZF8VN -8hTKxZY6Ae41bH5wobv2n+6SSJZLxX98U4bpddjIsf6bVk6MyLouTwSgFIN8wpik -yF/+Jpzcx6BwmHM+5Wi+0DUrhoaePdDqEzo9lU6E0pzv3jJxml0XALGxfwC0PIPl -zj24VqfAQpj7DP2PWaUnJufBNgLNvnUsb2BRMnFlK4PARwg3KdISOVFTSLwsQYfN -KvI/Z0R704VTCOEfcMdy9D4o8FBeAgEJhICvN4ngu4MwRKw6gLxp3EdpEcvgVAYy -ToVPfHEgbHpDQXliLRjIVY4kASJdmblf1fAfJbQHmHdjz/TGH4p4sU2PFE/ZN51u -MKYQptdTnOOB7TzgGgLWJDvcIENZM6Ns+eslCaCFH3kosp8q/piNZViNTuOIsFLa -Ij0Jn/YIpbikUz6Z05gs4Esss4ot8fcF/tC+vpinNE5LfF5ien6aFBauYie0WUoe -hU9VRoTKJrppQOtu7x59Fz3mlG+oDSat+jUESWYXFiwn9XCQubQYWwDSWu0C3PB9 -B3AhJcDo+R1xrqtB51iIYxVzYsc1ky0r4+RrLsFJC1m5UkLGDnO3N73Ix388JJYD -XwUFFIDjZdm6PmE/0KpKyRV+xoV1thzJvpeWkDh169hQZnQjh5ZbuBt1gxdvtCHS -6QEMaYF63XPZn07rO9oROxo4yeuz3EMI1iG20wsGzNDfMLml4JEcQFDGcr7moiSD -/OOgUey6ZVj838xo87m+qTzoqQ9hs13cbB3TV0w81HDaZ8NnXWr3111kBhhHAB0C -xF4XmxymXRkRzY7Y0gOJGkmM16n+qJiCYdlgglVkChraMZRx5/XCxZNupMYYz6l7 -SizRu5DQZZLdrEHPUTKBa8DgcscHdWksgdmVVDtGOz6rAF1mWLsGAM3bRHVFQy54 -wgCt4gcrZd/lAiB/D+2ZN0ClKHv8WebwJLxEhKoDNlxb/RFnmT7Ge0TVk0Z6YlBt -+IzJQY4Z2r4WjpuStvJrGxP6JzSZ8MCRWs5o0hY01Eth8Ww7uNyO8KSerJ819evh -fBmFeokN2SELuL7nc/idxdqUqotnov0PK3Eg8CFLx/WK3zh2gUZG91qo2ffLev81 -9RuNgHQ7GDy0bo1BhipiHC6FVwwD7ycpRaYCqMpasl/T83a2hDiTLBxYo4g2nkA9 -tk922u/sYlCtT2PL66JV97UiHksLZTxDVuAIePwIbpSY/UjtrKdZS/x/jHbUtRVX -InJJ/zRZKaM/dyTdHqRsFNltj22tcZCLXJyNHoM/2KY7Arfu/JLGeLd0UbEUIEuM -Vcsfh0jmUBZffSFQ/kY2uypL7brIPO1vuYseh3/j/poowBiOGZQlrjY51Ib/pUSl -+sgKp/QOXxN6Va5G+D6/U0udlmccnQdbuE8Dp3hqSmPZC2e8T2z4QiDbnq2AUrfs -vWqktuTh3c7znWqJX2deMDn4mt3PTq7fOEcfJhQWJlHNkrqNOeewWKN9YwvkaMJ1 -0eB61sYMUa9o122NxaSrauQhp0aLC9Y8rqvNE97HS7VaH8kXXF3JbtdwvOx24CNL -aZUDL/Pyn9CDICqyptXV1/mqDU8HkR/kIX7YDGRLukMaCmsaZwfwSHwF3N7UAMty -PUQJt0jg5pqV3hg= -=A96z +hQEMAwEAjpZflP7cAQf/XtTo6OegwjwMcof/0CfW+AwF7hhqk5KXOj9cX14j+cWO +4QOYM8uVSHVF8ynz7/nvl5cCixRqguMo/G9urUCyBdXSP5lt6eCu6ROLYQ+KjYWx 
+9Zu5X09jl+QnS0jsqZun+akMNjLmkxIqbHAzDo8WVN9oAIV1sejzZeCXdvaNIgat +Z25M0yC2YTJ8tHNTp0P0+qEvsynDTo1zjabshjLPuob6UcwGQWwqZZZuOmfGO48a +LS3hLlO8OOAxeG0BwgLOoQyw8B5l3L9UCW/1eAAf3StxR/aKn1mgt1wtHd/DoUC7 +rBt5tiolUjZszQgZO5ztF/ehEU5SWEmCq+pZS7BWPtLpAT/NkOPxaxXylZAoHVQM +OTbKhpNDvkiFCQTwDsM51xuQcFnTRLIwj2HemuX2NaDyWVm/XosCwhwLZHoQcpxH +jWrkFckUFu8D6GitU3C+EjJyq3NDIFR3+5thqdPY829TLRbbyGETIftCZtDt+5kd +Po6EX3vjPmugLnlrWqIPlSTbCG9853joj4W4BWYba3wK1qFmeoLQmeIdtVxnz41M +uPlLToZsuEaYDIgKn3HSBqPYuTtOjnvLnKvWxBA+ny6ACjS2xSNbWH726Q92hg/M +3zrYyUoefc6xeeDFRjjnOwD3lczSvHRLa5GHdMZegv0bUwzRKDkBNJZVENEVRbt2 +A46REcqCb+Bbt7k8lq7dMNRfKixF+t4Ra6KWBeanIL6DlRz+KVj3JmaaAZmIe/dX +ucJb/f/zl4NOtWyaA5lGYlTh6WEBLBatQJQG1EpVzMuTPPOKicht1/FxzxDT3jRM +bxBvZV12vcgTQJFTidrfadEOYVsGqznbYcBci76X5dCarPp7bC3st81L/pM18zt/ +LfKEl+EUOexG7UlcAZcitDpJEilYqGvkbTo8SAvnZ1xNp32CJ9yibNs95aJhahEv +y6m/hxsZend8Xtu9EWG7hXqxPMRL8ysMlRETprjgxM5ZWlzPI1m/vJuaYg/iJFN4 +xaEXfd6jSNw2EHOE2Khzi7XAE5ECbnaNedAoSq3RIlP/qzkYmQTgSUcWy87zb3yx +gZ1BbhfV/vG0MwcvZEKrtICUGFglAwL7niyzabS9xRuV/vyeWcTjMvPrgInxGbVX +Re5Uuup6H9/G3CLa4+FbR6a7irtJYkLiy+KrRGzE7Xal4kpgKxIx4duPYpTLHQj6 +bTnhekIljEvGpIATS/XE9SJtBGPpK9yMA5UMCGz0IqfNFKALjT9JOy5d86NZtn5P +SmJas+M1Shu2BUJhrPyzcyv7FFdi/GdG2wVss+FH0pLXAZdgoro= +=5q+m -----END PGP MESSAGE----- From 1928755491ce272da3cd30bf1de50e62ec994f4b Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Fri, 29 Apr 2016 01:05:09 +0200 Subject: [PATCH 028/172] Move Tor hostnames into secrets.nix --- conf | 2 +- keys/ssh.frumar.hostname.asc | 13 --------- keys/ssh.pennyworth.hostname.asc | 13 --------- modules/tor-hidden-service.nix | 2 +- pennyworth/configuration.nix | 2 +- secrets.nix.asc | 45 ++++++++++++++++---------------- 6 files changed, 26 insertions(+), 51 deletions(-) delete mode 100644 keys/ssh.frumar.hostname.asc delete mode 100644 keys/ssh.pennyworth.hostname.asc diff --git a/conf b/conf index 278d568..35b4393 100755 --- a/conf +++ b/conf 
@@ -25,5 +25,5 @@ remote-deploy) $0 remote nixops deploy ${@:2} ;; update-encrypt) - gpg -a -r yorick --encrypt-files secrets.nix deploy_key keys/*.hostname keys/*.key + gpg -a -r yorick --encrypt-files secrets.nix deploy_key keys/*.key esac diff --git a/keys/ssh.frumar.hostname.asc b/keys/ssh.frumar.hostname.asc deleted file mode 100644 index d0add6f..0000000 --- a/keys/ssh.frumar.hostname.asc +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN PGP MESSAGE----- -Version: GnuPG v2 - -hQEMAwEAjpZflP7cAQf/e+HeSvqtGKPtU89jRWJRKGWIHMw+Sd/q3iXaTvE6XJC5 -KDKo5JfTkN8gsRBMcIRKZAE1B41WnOtq0ZXaGeSrZPtt5oVtIKbLwHPNVj8E6ysf -EPf9NWBxei1WEqRZln8FMVtKSn2bIxN0qsQ+o/6RxGSC+yzvYlnk9FZc7qDkO2GJ -7lxBFHVnRzgQPA9nv3MCiyJDxCScDLG0vpS1qQ+NeZOvj7T+K6n6EXgwCvaGv3LQ -CRRSUOmBijh4vxREdwyRko47/g+O77JzC2N9xR6HYYXAHsGkcu3bKow44XGu9M84 -4mEGfYrTu/iHeaNOwUDnrQRpNZmIqUj/uc/L2LpiY9JiAb73hDjRREOg9JqacHHO -VGRjYDJ5ydYRfTFrGn/1x8TvW2K1WJibqyVorqCmvVUwfI9xln56tH7nHxHJ0hCC -Hx4r/7CoNNIpwpUtu1QggIBeKppDQk7t1ixvCVXHFJNl+Iw= -=dy/n ------END PGP MESSAGE----- diff --git a/keys/ssh.pennyworth.hostname.asc b/keys/ssh.pennyworth.hostname.asc deleted file mode 100644 index dd2718d..0000000 --- a/keys/ssh.pennyworth.hostname.asc +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN PGP MESSAGE----- -Version: GnuPG v2 - -hQEMAwEAjpZflP7cAQf/Zk2l208KLP6TuE3riCi2ogm42yk23PRTYjcO/MZZ7us5 -tzkzf6RkYUlAngotnBppwCbc7nTQcpSPwE2DfrRnzOvfQp4Wv9XoV2WS/anar3MZ -Bk9ECUaItLO6j0gxhfwwyIAD1jodswDvBZ3DTJn/8de2t+bq3fbNbun/LdCVa8eA -OtqLNO8llaCEN0cutZJw5hXNBDw5+xehv/EY11LiwBe6QueFnKHWCzD6koXSWdR9 -TR8R+sZyr/0hYqHrrSr5EhvqCAWqNPUeJ/i6ouZkmlFKgZMsidyAbYLPLX8TOIQt -d6+MTSmoTHSzI99bvi2znbj4nmoXBVN6pasYPMuNX9JmAfYE5Cc+tVXfRokuEBSF -Evbpyf23o5i6dh8tQrUw32elPcjWIlCBUXkfisAYXQ0zntvf288yRGBonKK01yAK -uxNAwotaUZWmkJby25cEKmrxFqVKAQVBSEZcV7VfUmBmf5JYUgnd -=/dyQ ------END PGP MESSAGE----- diff --git a/modules/tor-hidden-service.nix b/modules/tor-hidden-service.nix index 984b614..0f10328 100644 --- a/modules/tor-hidden-service.nix 
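Review bot: `gpg -a -r yorick --encrypt-files …` selects the recipient by user-id string, which matches any key whose uid contains `yorick`; with a new key (5F94FEDC, per the previous commit) now in use, pin the recipient by fingerprint or long key id so the secrets are never silently encrypted to a stale or unexpected key, e.g. `gpg -a -r <KEY-FINGERPRINT-PLACEHOLDER> --encrypt-files secrets.nix deploy_key keys/*.key`. The plaintext inputs (`secrets.nix`, `deploy_key`, `keys/*.key`) sit in the working tree next to their `.asc` outputs, and nothing in this hunk shows them being excluded from git — worth confirming. The file list is fixed, so a new top-level secret file needs a manual edit here; the `keys/*.key` glob covers new keys but not new secrets files.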
+++ b/modules/tor-hidden-service.nix @@ -33,7 +33,7 @@ in { if ! [[ -e /var/lib/tor/${hiddenService.name}/private_key ]]; then mkdir -p /var/lib/tor/${hiddenService.name}/ cp ${hiddenService.private_key} /var/lib/tor/${hiddenService.name}/private_key - cp ${hiddenService.hostname} /var/lib/tor/${hiddenService.name}/hostname + echo ${hiddenService.hostname} > /var/lib/tor/${hiddenService.name}/hostname chmod -R 700 /var/lib/tor/${hiddenService.name}; fi '' else "true") hiddenServices); diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix index 7f982a4..e0d295b 100644 --- a/pennyworth/configuration.nix +++ b/pennyworth/configuration.nix @@ -92,7 +92,7 @@ in services.tor.hiddenServices = [ { name = "ssh"; port = 22; - hostname = "/run/keys/torkeys/ssh.pennyworth.hostname"; + hostname = secrets.tor_hostnames."ssh.pennyworth"; private_key = "/run/keys/torkeys/ssh.pennyworth.key"; } ]; diff --git a/secrets.nix.asc b/secrets.nix.asc index 6646ba4..ae316bb 100644 --- a/secrets.nix.asc +++ b/secrets.nix.asc 
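Review bot: `echo ${hiddenService.hostname} > …/hostname` now interpolates the value of `secrets.tor_hostnames."ssh.pennyworth"` (set in the pennyworth/configuration.nix hunk on this same line) into the unit's `script`, and systemd unit scripts are written to the Nix store, which is world-readable on the host — so moving the hostname out of a root-only key file and into secrets.nix makes it less private, not more, unless that trade-off is accepted and documented. The interpolation is also unquoted; `echo "${hiddenService.hostname}" > /var/lib/tor/${hiddenService.name}/hostname` avoids word splitting if the value ever contains whitespace. If tor regenerates the hostname file from the private key on start, the copy may be unnecessary altogether — worth confirming. The enclosing `script` starts outside this hunk.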
@@ -1,26 +1,27 @@ -----BEGIN PGP MESSAGE----- Version: GnuPG v2 -hQEMAwEAjpZflP7cAQf/XtTo6OegwjwMcof/0CfW+AwF7hhqk5KXOj9cX14j+cWO -4QOYM8uVSHVF8ynz7/nvl5cCixRqguMo/G9urUCyBdXSP5lt6eCu6ROLYQ+KjYWx -9Zu5X09jl+QnS0jsqZun+akMNjLmkxIqbHAzDo8WVN9oAIV1sejzZeCXdvaNIgat -Z25M0yC2YTJ8tHNTp0P0+qEvsynDTo1zjabshjLPuob6UcwGQWwqZZZuOmfGO48a -LS3hLlO8OOAxeG0BwgLOoQyw8B5l3L9UCW/1eAAf3StxR/aKn1mgt1wtHd/DoUC7 -rBt5tiolUjZszQgZO5ztF/ehEU5SWEmCq+pZS7BWPtLpAT/NkOPxaxXylZAoHVQM -OTbKhpNDvkiFCQTwDsM51xuQcFnTRLIwj2HemuX2NaDyWVm/XosCwhwLZHoQcpxH -jWrkFckUFu8D6GitU3C+EjJyq3NDIFR3+5thqdPY829TLRbbyGETIftCZtDt+5kd -Po6EX3vjPmugLnlrWqIPlSTbCG9853joj4W4BWYba3wK1qFmeoLQmeIdtVxnz41M -uPlLToZsuEaYDIgKn3HSBqPYuTtOjnvLnKvWxBA+ny6ACjS2xSNbWH726Q92hg/M -3zrYyUoefc6xeeDFRjjnOwD3lczSvHRLa5GHdMZegv0bUwzRKDkBNJZVENEVRbt2 -A46REcqCb+Bbt7k8lq7dMNRfKixF+t4Ra6KWBeanIL6DlRz+KVj3JmaaAZmIe/dX -ucJb/f/zl4NOtWyaA5lGYlTh6WEBLBatQJQG1EpVzMuTPPOKicht1/FxzxDT3jRM -bxBvZV12vcgTQJFTidrfadEOYVsGqznbYcBci76X5dCarPp7bC3st81L/pM18zt/ -LfKEl+EUOexG7UlcAZcitDpJEilYqGvkbTo8SAvnZ1xNp32CJ9yibNs95aJhahEv -y6m/hxsZend8Xtu9EWG7hXqxPMRL8ysMlRETprjgxM5ZWlzPI1m/vJuaYg/iJFN4 -xaEXfd6jSNw2EHOE2Khzi7XAE5ECbnaNedAoSq3RIlP/qzkYmQTgSUcWy87zb3yx -gZ1BbhfV/vG0MwcvZEKrtICUGFglAwL7niyzabS9xRuV/vyeWcTjMvPrgInxGbVX -Re5Uuup6H9/G3CLa4+FbR6a7irtJYkLiy+KrRGzE7Xal4kpgKxIx4duPYpTLHQj6 -bTnhekIljEvGpIATS/XE9SJtBGPpK9yMA5UMCGz0IqfNFKALjT9JOy5d86NZtn5P -SmJas+M1Shu2BUJhrPyzcyv7FFdi/GdG2wVss+FH0pLXAZdgoro= -=5q+m +hQEMAwEAjpZflP7cAQf5Aevf5xTB40XNBl7RnAX5/hfmStnnc0b/Vfx5k+Dz/Hn4 +/Jt12+WUniKxMpuAhENSJYOBsvu2HPiHNeFlUSOaoyX8UERv5LcGAdZEMwiP/hQu +yWDXFHxchgdtEYCqzrtZcTYXelAiuS6b0Sq+xK03/yL6BKj12TiAcQv0SAKzkFD9 +tvy0NrbMwpZPqOF5Hy89LXsG5dOy+MT0SgwaJGiKxZ6JumUYsF2gYGh9vdkDX4BX +hS2eZgGJDHkUpW26JaDohzQg6441DA+s0uso/KAMmfKoUcsx7RIrM6sEbV6GRspC +DOzdZyZc/2NJuDtMBcpVpzXMylqhBhOtqDj9wREIONLpAQVdCBLgU+o0kI80Dc5p +qwbYC4mzG/mOIUcFNAvH99kxT4OBtGaMyqIQ0he07dHd3jPnzHdJPLcHzJz0CabL +rncODL6fPk7MPPIN0yTXyBgoFnwb0PnXML9pQfIKTHD1bd8zxKNJLiJMfZC7/cbV 
+qHPhnjPOAX5pmIKpEqdBrIZ0+cMRFgauFSwO+Ts4ZuoLsO+0uR6t1EJ4Nc4tpoD3 +j1JDEHz3wyz16Mb/rjAJokJdarPJysqwuu8jmSwFOj+Q2P5H2rG4ESqpX9jKv9Gt +MM9FrTiDjyvOA5lye+JlsGcFCWVgf3WTE8DjHQeBWAyPuUT9xesbd+h0jY7j2GRJ +m3XsaAfIzZkFQx77Kymsjh5QYcv+LaRrMbY8ID5Mz+sEj8+JkUaLynkn+QZ3IwqA +xPsNwFX/+HoBPH9ZR8erTEpQMEtadwC8TwN+RC+PPokIDfLP+dvfxyoJDXypVmoD +YK7PFPfYoU7ZrwTioinA3flBG71VhuTlIzSN6FaBL8oj+ssbhnmNJCMSm8X4hghV +wAtlhgxOgrGtng5J9M+KbtVoCyjffi8cosLvSHCZk2SHss+i1RGNmytUEYtjsyB7 +wFPBPT3n9kbTc7xMjec4RWPO5O4LvBqTX6pc94HvA5oJsxo4J4WdFD5EVFm90TOy +eMsJmAVw5tuU8QjlL0Ps0GvATUCwKLVVq3e1+dlZAqcORl+/e1zpK+Hg7XihFymC +yCK2oZ8TlWX+H1xlAwgQ6KSz8ah+Z97wdm5+YVgYKOBkNrOWkNv9O72tGPIPA9/n +a8+FBAXq75hufY06Hl8ryUy4V3udJpTCKkGADe8X2ru9k1nZmuMvWponapzXZM9y +xpcaJzro+P64PxN9g423GHjD8vOpqqPNY8Ff+A6IJdyDMBR7F8KdKN+M6jGzkWRN +gMXd8+O9KwMLUGmAKeZiZNcQZEent2jWYuZi7vLxmWMTtEpZQQfwy0Ca1aIaAgPe +/s3UBRQDhcKwQOOGaM05UicFv4yfoq1XhDv9mcqbQEmIS7QynvmuDhIBmtfFKZCa +=tRx2 -----END PGP MESSAGE----- From 496a9b41ee43e7f907b4be6eca076135dfb83dd0 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Fri, 29 Apr 2016 01:07:06 +0200 Subject: [PATCH 029/172] Temporarily host fmap/muflax65ngodyewp.onion --- conf | 2 +- modules/muflax-blog.nix | 50 ++++++++++++++++++++++++++++++++++++ pennyworth/configuration.nix | 12 +++++++++ vendor/muflax-blog | 1 + 4 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 modules/muflax-blog.nix create mode 160000 vendor/muflax-blog diff --git a/conf b/conf index 35b4393..2e8e0ca 100755 --- a/conf +++ b/conf @@ -15,7 +15,7 @@ remote) eval ${@:2} ;; remote-new) - export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-16.03/nixexprs.tar.xz:ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix + export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-16.03/nixexprs.tar.xz:ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix:muflax-blog=./vendor/muflax-blog eval ${@:2} ;; local-deploy) 
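Review bot: The new `muflax-blog=./vendor/muflax-blog` entry in NIX_PATH is a relative path while the neighbouring `ssh-id-file` and `secrets` entries are anchored with `` `pwd` ``, so it only resolves when the script is invoked from the repository root; `` muflax-blog=`pwd`/vendor/muflax-blog `` keeps the three entries consistent. The rest of the `export NIX_PATH=…` line is unchanged by the commit.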
diff --git a/modules/muflax-blog.nix b/modules/muflax-blog.nix
new file mode 100644
index 0000000..289cd4e
--- /dev/null
+++ b/modules/muflax-blog.nix
@@ -0,0 +1,50 @@
+{ pkgs, config, lib, ... }:
+
+
+let
+ cfg = config.services.muflax-blog;
+ blog = lib.overrideDerivation (pkgs.callPackage {}) (default: {
+ buildPhase = default.buildPhase + "\n" + ''
+ grep -lr '[^@]muflax.com' out | xargs -r sed -i 's/\([^@]\)muflax.com/\1${cfg.hidden-service.hostname}/g'
+ '';
+ });
+in with lib; {
+ options.services.muflax-blog = {
+ enable = mkOption { type = types.bool; default = false; };
+ web-server = {
+ port = mkOption { type = types.int; };
+ };
+ hidden-service = {
+ hostname = mkOption { type = types.str; };
+ private_key = mkOption { type = types.str; };
+ };
+ };
+ config = mkIf cfg.enable {
+ services.nginx = {
+ enable = true;
+ httpConfig = ''
+ server {
+ index index.html;
+ port_in_redirect off;
+ listen 127.0.0.1:${toString cfg.web-server.port};
+ server_name ${cfg.hidden-service.hostname};
+ root ${blog}/muflax;
+ }
+ '' + concatStringsSep "\n" (map (site: ''
+ server {
+ index index.html;
+ port_in_redirect off;
+ listen 127.0.0.1:${toString cfg.web-server.port};
+ server_name ${site}.${cfg.hidden-service.hostname};
+ root ${blog}/${site};
+ }
+ '') ["daily" "gospel" "blog"]);
+ };
+ services.tor.hiddenServices = [{
+ name = "muflax-blog";
+ remote_port = 80;
+ inherit (cfg.web-server) port;
+ inherit (cfg.hidden-service) hostname private_key;
+ }];
+ };
+}
\ No newline at end of file
diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix
index e0d295b..f869db1 100644
--- a/pennyworth/configuration.nix
+++ b/pennyworth/configuration.nix
@@ -18,6 +18,7 @@ in
 ../modules/mailz.nix
 ../modules/nginx.nix
 ../modules/tor-hidden-service.nix
+ ../modules/muflax-blog.nix
 ];
 networking.hostName = secrets.hostnames.pennyworth;
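Review bot: `hidden-service.hostname` is declared as a plain `types.str` but is spliced unescaped into a sed replacement (`s/\([^@]\)muflax.com/\1${cfg.hidden-service.hostname}/g` in `buildPhase`) and into nginx `server_name` directives, so a value containing `/`, `&` or whitespace would corrupt the substitution or the generated config; constrain it at evaluation time, e.g. `types.strMatching "[a-z2-7]{16}\\.onion"` where the pinned nixpkgs provides it, otherwise an `assertions` entry with the same check. The `blog =` binding reads `pkgs.callPackage {}` with no path argument in this rendering, which looks like the `<muflax-blog>` search-path entry added to NIX_PATH in the same commit was stripped on display; worth confirming against the real file. None of the four options has a `description`, and `private_key` is a path string rather than `types.path`; a one-line description each would document the contract for callers.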
@@ -143,4 +144,15 @@ in
 chown -R prosody:prosody /var/lib/prosody
 '';
 networking.firewall.allowedTCPPorts = [5222 5269];
+
+ services.muflax-blog = {
+ enable = true;
+ web-server = {
+ port = 9001;
+ };
+ hidden-service = {
+ hostname = "muflax65ngodyewp.onion";
+ private_key = "/run/keys/torkeys/http.muflax.key";
+ };
+ };
 }
diff --git a/vendor/muflax-blog b/vendor/muflax-blog
new file mode 160000
index 0000000..e5ce7ae
--- /dev/null
+++ b/vendor/muflax-blog
@@ -0,0 +1 @@
+Subproject commit e5ce7ae4296c6605a7e886c153d569fc38318096
From 7284c35ed79fd0d689fe972cf8c370315bac1d32 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sat, 30 Apr 2016 14:03:45 +0200
Subject: [PATCH 030/172] Update Frumar to 16.03
---
 frumar/configuration.nix | 40 +++++++++-
 frumar/hardware-configuration.nix | 2 +-
 modules/gogs.nix | 34 +++++----
 modules/le_nginx.nix | 123 ------------------------------
 modules/nginx.nix | 2 +-
 roles/quassel.nix | 2 +-
 6 files changed, 58 insertions(+), 145 deletions(-)
 delete mode 100644 modules/le_nginx.nix
diff --git a/frumar/configuration.nix b/frumar/configuration.nix
index cc41641..f92038c 100644
--- a/frumar/configuration.nix
+++ b/frumar/configuration.nix
@@ -4,14 +4,17 @@
 { config, pkgs, ... }:
 let secrets = import ;
+ acmeWebRoot = "/etc/sslcerts/acmeroot";
+ acmeKeyDir = "${config.security.acme.directory}/git.yori.cc";
 in {
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ../roles/common.nix
- ../modules/le_nginx.nix
+ ../modules/nginx.nix
 ../modules/gogs.nix # todo: better separation here
+ ../modules/tor-hidden-service.nix
 ../roles/quassel.nix
 ../roles/pub.nix
 ];
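Review bot: `hostname = "muflax65ngodyewp.onion"` is written in clear in the host configuration while the same file reads its own ssh hidden-service hostname from `secrets.tor_hostnames` (previous commit), so the two hidden services now follow different conventions; either is defensible, but pick one and say why in a comment. `private_key = "/run/keys/torkeys/http.muflax.key"` presumes a deployment key of that name is already provisioned; the encrypted `keys/http.muflax.key.asc` only appears later in this series, so deploying this commit on its own would presumably leave the activation script copying a file that does not exist. The enclosing attrset starts outside the hunk.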
@@ -27,7 +30,36 @@ in
 gogs.domain = "git.yori.cc";
- le_nginx.email = secrets.email; # you probably know this, but spam
- le_nginx.enable = true;
- le_nginx.enable_ssl = true;
+ # website + lets encrypt challenge hosting
+ nginxssl.enable = true;
+
+ # Let's Encrypt configuration.
+ security.acme.certs."git.yori.cc" =
+ { email = secrets.email;
+ webroot = config.nginxssl.servers."git.yori.cc".key_webroot;
+ postRun = "systemctl reload nginx.service";
+ };
+ # Generate a dummy self-signed certificate until we get one from
+ # Let's Encrypt.
+ system.activationScripts.letsEncryptKeys =
+ ''
+ dir=${acmeKeyDir}
+ mkdir -m 0700 -p $dir
+ if ! [[ -e $dir/key.pem ]]; then
+ ${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
+ ${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
+ -subj "/C=NL/CN=www.example.com"
+ ${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
+ ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
+ fi
+ '';
+
+ # hidden SSH service
+
+ services.tor.hiddenServices = [
+ { name = "ssh";
+ port = 22;
+ hostname = secrets.tor_hostnames."ssh.frumar";
+ private_key = "/run/keys/torkeys/ssh.frumar.key"; }
+ ];
 }
\ No newline at end of file
diff --git a/frumar/hardware-configuration.nix b/frumar/hardware-configuration.nix
index 64389db..bcaf31b 100644
--- a/frumar/hardware-configuration.nix
+++ b/frumar/hardware-configuration.nix
@@ -22,7 +22,7 @@
 fileSystems."/" =
 { device = "/dev/disk/by-uuid/ba95c638-f243-48ee-ae81-0c70884e7e74";
 fsType = "ext4";
- options = "defaults,relatime,discard";
+ options = ["defaults" "relatime" "discard"];
 };
 swapDevices =
diff --git a/modules/gogs.nix b/modules/gogs.nix
index 3dff55a..f9c0ee6 100644
--- a/modules/gogs.nix
+++ b/modules/gogs.nix
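Review bot: The placeholder certificate generated in `system.activationScripts.letsEncryptKeys` uses a 1024-bit RSA key, routes it through a throw-away passphrase (`-passout pass:foo`) that the next command strips again, and leaves `key-in.pem` and `key.csr` behind in the ACME directory; the four openssl calls can be a single command that produces only the two files nginx needs: `${pkgs.openssl}/bin/openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/C=NL/CN=www.example.com" -keyout $dir/key.pem -out $dir/fullchain.pem`. The identical script is introduced for pub.yori.cc in roles/pub.nix later in this series (patch 032), so the same applies there. `acmeWebRoot` is bound in the first hunk but never used here, and modules/gogs.nix in this same commit hardcodes `/etc/sslcerts/acmeroot` instead; either pass the binding through or drop it. The `{ name = "ssh"; … }` attrset closes on the `private_key` line, unlike the same block in pennyworth/configuration.nix, which puts the closing brace on its own line.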
@@ -47,7 +47,7 @@ INSTALL_LOCK = true
 inherit (lib) mkOption types;
 in {
- imports = [./le_nginx.nix];
+ imports = [./nginx.nix];
 options.gogs = {
 domain = mkOption {
 type = types.string;
@@ -72,20 +72,24 @@ in
 WorkingDirectory = gitHome;
 };
 };
- le_nginx.servers.${domain} = ''
- location / {
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $http_host;
- proxy_redirect off;
- proxy_buffering off;
- proxy_pass http://gogs;
- client_max_body_size 30M;
- break;
- }
- '';
+ nginxssl.servers.${domain} = {
+ key_root = "/var/lib/acme/git.yori.cc";
+ key_webroot = "/etc/sslcerts/acmeroot";
+ contents = ''
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_pass http://gogs;
+ client_max_body_size 30M;
+ break;
+ }
+ '';
+ };
 services.nginx.httpConfig = ''
 upstream gogs {
 server 127.0.0.1:${toString gogsPort};
diff --git a/modules/le_nginx.nix b/modules/le_nginx.nix
deleted file mode 100644
index 9814335..0000000
--- a/modules/le_nginx.nix
+++ /dev/null
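Review bot: `key_root = "/var/lib/acme/git.yori.cc"` and `key_webroot = "/etc/sslcerts/acmeroot"` in the second hunk hardcode one domain and one ACME layout inside a module that already takes `options.gogs.domain`, while frumar/configuration.nix in the same commit derives the same directory from `config.security.acme.directory`; `key_root = "${config.security.acme.directory}/${domain}";` keeps the module correct if either changes (this needs `config` among the module arguments, which the hunk does not show). In the first hunk `domain` keeps `type = types.string`, the alias that merges duplicate definitions by concatenation; `types.str` would reject a second definition instead of silently producing a joined domain name. The enclosing module definition starts and ends outside both hunks.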
@@ -1,123 +0,0 @@ -# DEPRECATED: use security.acme + ./nginx.nix on nixos >=16.03 -{ config, lib, pkgs, ... }: -let -cfg = config.le_nginx; -sslcfg = {fullchain ? "fullchain.pem", key ? "key.pem"}: '' - ssl on; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - ssl_certificate_key /etc/sslcerts/${key}; - ssl_certificate /etc/sslcerts/${fullchain}; - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_protocols TLSv1.1 TLSv1.2; - # ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; - ssl_prefer_server_ciphers on; - add_header Strict-Transport-Security max-age=15768000; - ssl_stapling on; - ssl_stapling_verify on; -''; -makeServerBlock = servername: locationblock: '' - server { - listen 443; - server_name ${servername}; - ${sslcfg {}} - ${locationblock} - } -''; -vhosts = with lib; unique (concatMap (splitString " ") (attrNames cfg.servers)); -inherit (lib) mkEnableOption mkOption types mkIf; -in -{ - # todo: the problem here is that nginx will refuse to start initlaiiy - # because the SSL cert will be missing - # so you have to temporarily disable the ssl - options.le_nginx = { - enable = mkEnableOption "enable new nginx module"; - enable_ssl = mkEnableOption "enable the SSL blocks"; - servers = mkOption { - type = types.attrsOf types.string; - description = "The servers to host"; - default = {}; - example = {"git.domain.com" = "location / {}";}; - }; - email = mkOption { - type = types.string; - description = "email address to pass to LE"; - }; - }; - config = mkIf 
cfg.enable { - systemd.services.letsencrypt = { - path = [ pkgs.simp_le ]; - restartIfChanged = true; - serviceConfig = { - Type = "oneshot"; - }; - script = '' - mkdir -p /etc/sslcerts/acmeroot - cd /etc/sslcerts - simp_le ${lib.concatMapStringsSep " " (x: "-d " + x) vhosts} --default_root $PWD/acmeroot -f fullchain.pem -f key.pem -f account_key.json --email ${cfg.email} - ''; - startAt = "04:00"; - }; - services.nginx = { - enable = true; - httpConfig = '' - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log logs/access.log main; - sendfile on; - #tcp_nopush on; - - #keepalive_timeout 0; - keepalive_timeout 65; - - server_tokens off; - - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - - gzip on; - - server { - listen 80 default_server; - server_name ${lib.concatStringsSep " " vhosts}; - location /.well-known/acme-challenge { - default_type text/plain; - alias /etc/sslcerts/acmeroot/.well-known/acme-challenge; - } - location / { - rewrite ^(.*) https://$host$1 permanent; - } - } - '' + lib.optionalString cfg.enable_ssl '' - - # the default thing, for if no vhost is given - # generate default.pem and default.key manually - # and self-sign, if you feel like it - server { - listen 443 default_server; - server_name ""; - - ${sslcfg {fullchain = "default.crt"; key = "default.key";}} - - location / { - root ${pkgs.nginx}/usr/share/nginx/html; - index index.html index.htm; - } - - location = /50x.html { - root ${pkgs.nginx}/usr/share/nginx/html; - } - } - - ${lib.concatStringsSep "\n" (lib.mapAttrsToList makeServerBlock cfg.servers)} - - ''; - }; - networking.firewall.allowedTCPPorts = [80 443]; - }; - - -} diff --git a/modules/nginx.nix b/modules/nginx.nix index eb9af5a..443c87b 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix 
@@ -90,7 +90,7 @@ in
 };
 challenges = mkOption {
 type = types.attrsOf types.string;
- default = [];
+ default = {};
 example = {"mail.domain.com" = "/var/lib/acme/mail.domain.com";};
 description = "Other domains to host challenges for";
 };
diff --git a/roles/quassel.nix b/roles/quassel.nix
index a036207..6f30922 100644
--- a/roles/quassel.nix
+++ b/roles/quassel.nix
@@ -7,7 +7,7 @@
 services.quassel = {
 # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix
 enable = true;
- interface = "0.0.0.0";
+ interfaces = ["0.0.0.0"];
 };
 environment.systemPackages = [
 pkgs.quasselDaemon_qt5
From 0e1ffa99bd01d529a70c41ec2cc904bd853f5922 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Fri, 29 Jul 2016 19:03:54 +0200
Subject: [PATCH 031/172] switch to enlightenment
---
 ascanius/configuration.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/ascanius/configuration.nix b/ascanius/configuration.nix
index aad13ae..ae1730f 100644
--- a/ascanius/configuration.nix
+++ b/ascanius/configuration.nix
@@ -36,4 +36,8 @@ in
 virtualisation.virtualbox.host.enable = true;
 users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword;
+
+ services.xserver = {
+ desktopManager.enlightenment.enable = true;
+ };
 }
From 3e294aac74745042fedc9032e14e8049e953ec91 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Fri, 29 Jul 2016 19:04:28 +0200
Subject: [PATCH 032/172] encrypt pub
---
 roles/pub.nix | 42 +++++++++++++++++++++++++++++++++++-------
 1 file changed, 35 insertions(+), 7 deletions(-)
diff --git a/roles/pub.nix b/roles/pub.nix
index 6bf0edb..9b8fe30 100644
--- a/roles/pub.nix
+++ b/roles/pub.nix
@@ -1,6 +1,10 @@
 { config, pkgs, lib, ... }:
+let secrets = import ;
+ acmeWebRoot = "/etc/sslcerts/acmeroot";
+ acmeKeyDir = "${config.security.acme.directory}/pub.yori.cc";
+in
 {
- imports = [../modules/le_nginx.nix];
+ imports = [../modules/nginx.nix];
 config = {
 users.extraUsers.public = {
 home = "/home/public";
@@ -8,11 +12,35 @@
 openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public];
 createHome = true;
 };
- le_nginx.servers."pub.yori.cc" = ''
- location / {
- root /home/public/public;
- index index.html;
- }
- '';
+ nginxssl.servers."pub.yori.cc" = {
+ key_root = acmeKeyDir;
+ key_webroot = "/etc/sslcerts/acmeroot";
+ contents = ''
+ location / {
+ root /home/public/public;
+ index index.html;
+ }
+ '';
+ };
+ # Let's Encrypt configuration.
+ security.acme.certs."pub.yori.cc" =
+ { email = secrets.email;
+ webroot = config.nginxssl.servers."pub.yori.cc".key_webroot;
+ postRun = "systemctl reload nginx.service";
+ };
+ # Generate a dummy self-signed certificate until we get one from
+ # Let's Encrypt.
+ system.activationScripts.letsEncryptKeys =
+ ''
+ dir=${acmeKeyDir}
+ mkdir -m 0700 -p $dir
+ if ! [[ -e $dir/key.pem ]]; then
+ ${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
+ ${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
+ -subj "/C=NL/CN=www.example.com"
+ ${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
+ ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
+ fi
+ '';
 };
 }
From eb727903cc760912823c65eb311743da8783c6cf Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Fri, 29 Jul 2016 19:04:40 +0200
Subject: [PATCH 033/172] switch yori-cc version
---
 packages/yori-cc.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/yori-cc.nix b/packages/yori-cc.nix
index ee6bae8..654e0e2 100644
--- a/packages/yori-cc.nix
+++ b/packages/yori-cc.nix
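Review bot: `system.activationScripts.letsEncryptKeys` is now defined both here and in frumar/configuration.nix (patch 030 in this series), and frumar's import list includes `../roles/pub.nix`, so on that host two differing bodies (`acmeKeyDir` names pub.yori.cc here and git.yori.cc there) meet in module merging; depending on the option's type in the pinned NixOS that is either rejected as a conflicting definition or, if strings are still merged by concatenation, silently runs both — neither is what the comment promises, so give each a distinct name such as `system.activationScripts.letsEncryptKeysPub`, or move the generator into the nginx module keyed by server. `key_webroot = "/etc/sslcerts/acmeroot"` repeats the literal that `acmeWebRoot` in the first hunk was introduced for; `key_webroot = acmeWebRoot;` keeps it in one place. The `config = { … }` attrset that holds this hunk starts outside it.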
@@ -3,12 +3,12 @@ with import {}; let gogitget = callPackage ./gogitget.nix {}; in stdenv.mkDerivation { - name = "yori-cc-1.0"; + name = "yori-cc-1.1"; src = gogitget { url = "git@git.yori.cc:yorick/yori-cc.git"; - rev = "965d05d8258821ece8d7421027acf9541437ff26"; - sha256 = "0dcdc2b00e4ba3f9fb2afe5a8b41afd5eb2b03f308dfa48827722f23c489f0d7"; + rev = "b5ca927b1c725b4a674a73f546d010be739472ff"; + sha256 = "3e4c25358d96b6fc3819b7b74e33c84de508c930910399784af2bd3a82c1f3bd"; }; buildInputs = [ ]; From 4b10d103d9332a4e4f227534abd59d1eded12ee2 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Fri, 29 Jul 2016 19:05:30 +0200 Subject: [PATCH 034/172] add new secrets --- deploy_key.asc | 72 ++++++++++++++++++------------------- keys/http.muflax.key.asc | 27 ++++++++++++++ keys/ssh.frumar.key.asc | 46 ++++++++++++------------ keys/ssh.pennyworth.key.asc | 46 ++++++++++++------------ keys/ssh.woodhouse.key.asc | 27 ++++++++++++++ secrets.nix.asc | 47 ++++++++++++------------ 6 files changed, 160 insertions(+), 105 deletions(-) create mode 100644 keys/http.muflax.key.asc create mode 100644 keys/ssh.woodhouse.key.asc diff --git a/deploy_key.asc b/deploy_key.asc index a34115b..5ba729f 100644 --- a/deploy_key.asc +++ b/deploy_key.asc 
@@ -1,40 +1,40 @@ -----BEGIN PGP MESSAGE----- Version: GnuPG v2 -hQEMAwEAjpZflP7cAQf+MXcQuYxDtrZu+BqXghfVpvKwfuIUnUEUYxynBFMRX2bv -IpUmv1eQ0E7L8DNC4x0qiR7mVG1AIufZgZMrEF9t2DaeJUgasDGD1fsPw6Zzy6lT -pE5t3zcOe2rGNEV5saGr9jGTHsByERi9H8D/8JEOTPfSQbuAMcX/P++QIIfEiQBS -fpGKsbzhSaCw3K5nHQRVgBzEDjAk5HSzbFikC1wcyZOx2/hgOABZEGSJwv3wjEC3 -gG15w33d4eQjSaM1AEQyO5Vq7oT+kyaQsYvUpgAdh2EALNYo3XlQ792aB1WzHbmY -O3unmpM12LdyuDmaNk4GMROGOlqDCV6vJq/RYYU779LqAaJiUYOcUBPLCsIx4HdM -mDWCmlRk/LoL9GuurBi580hI0F9qfW6AZUn6cTQn9Xpq9o2wvxEQC0Fr+5K9fV2O -w1Z45DaFbaCKU7qbzhhNDcfQsrvfkMDRs5d7SxB0l6UcRtYXhY9xxBUrXYALHAVU -qp25i5pAXRQiMyR8+f8upkWtnizf2125k6NRbGj/UVAH90CY5SKLTDOafvIaAYgf -4u/tfeiXisxIWRJySl8v6RXThKczpyuSpMsCR420tkFxgY1RparOEZTlD9WbnmH9 -9dunKVAlwyGN8d1pEEtBnmup1ns+JEq9vjuiPJJh77pSVjwGwL/84S+PDLZ5J91U -9djK3yFjtIjz3Aylpr9mw2y8LKGK0oEpMlS+K/I8758hDfbo3OwvKfWuzA3yJ2MC -6s61KV9OUXyu3KlSetkDGZTN+nH/EE2xVvaZ1CdRdaBWFYykpcOloLfw0bS13+nZ -GOg21bqILiojT699TyfvMYcWDN9s6EBuu3fr66pNUrMAeOKwIdSzNocTPSJCKusk -3ysrm2UY/xrIzwg7joRGBXERgyjenjjXTn7xeL3lnwQpfddnnL4ab2kAZfdi1J4D -MgHwhp13QBaeJSj8zgcSPYsnP1wkxbx7RLDhf2yzy8tqlHJdYIKBkBXMDtJiiEWi -nRhO90C4aiHhb0GX0k3Rv61Sls0F3Jh/1C5bq9hqRxyRQdJnTkmhbiFbnvMlo+d6 -n0rr4OqEZ3tp5o9mJG24FwdeJ++dRr/ImW3GpPo/MLqARyze2sfkwucxRoZtWn09 -tohziD7OQjTxyNS9XGimYrcPuoo/QboMHIYV2RDgmSfsphY82ZjA2PjqrIwMuRGS -0KLQ21SrIhioNwmX3k9hYSKdZVBlGvR8jzhzQ076gkaNUGPApinWMtV10c7+hY3/ -XS2GrIStEJ1iuqZwW6TWmuwPIp9umPGSSJMkenw66suH12LWEf8TS42Nj+HfWRiI -WusqL7Lvy7ZGShWqic2E0G7/EmxLrNCssJhKt7orLJv48nItKrqDgmC6woDLvnP9 -4AFS48j16RfqC+3vtTLwXut6qxhWGv1yrBLWGsEkAOKs6RHYDevcHERvNCkugyHE -TWux2+gZfR0HDwi5Ocy6j2RngVVUxvsPSTayAI8cKQQiKy9oLheESMDKC8LzNGXj -K4ZTLqM6Ok72dXneapt1qh6r9hkVuiNqn2h4SkrrovnMC2/ZVQcHTNpWevWVXsai -5qZAscTND4TZPwkUHSSLi0Wnv6gaPyNgcIh3LnUh4dVPUWulhxeu8a6K2pVj2lb5 -aYi6iXiiaFgVV0IfmtOCQutQVent4lK3j3nscDITUzOwnwvxlYMQ7oase/RJTK97 -28CTviidWIGfg0PPQ8nQXTD0+xfBYZDfu/Ks6+XdG7R9FmAE9RHFiUS0TFS7L9Br -uLFmylq9lSve9ToOYR4B/4aAXyoU58urtU0wkJT2GKxnmCKKuwp+tBPqot0necPA 
-khJpcfMwbEsOMw6AHDoOdHtRiZMnR6/0DvcCwdevA8KljmCoE3F0PKxWIirCG/rO -+Q4oJdIM+X6mLIlbbccQOMBVb7IEdXutAXq77Pe88rQn+OYxWjuMCfWJ5a0822gv -3QXMdr165q/8IOUblJr1yr4UFhOzBJyDaeXF7wU3a0pcLsFfbiyIxY4lS91/Q9dP -mNbdWWv6XZ6Zx4fxCNtAHIDkxoAmHJcz5ySfcyoqZ/APK6yw5dbUic3dRhik6VYI -VksFjGqTIDtjWiy3RFWow6lr8GUPzIjmV+u842VVbcAs2hOwZCTeLO2hXYgcxgXn -aNVz4E9n -=N9Mx +hQEMAwEAjpZflP7cAQgArtoZGba4G45Y28r7xuHZ4XGdKs5Ug3bsZXip1R6ENB7L +QwIei5EW3pLb1EBzFFMxSTPt1lfXAqV5bHmDKflH6CjT7qtnq3j2KhMfMyP3XwMT +OQXc8R8LOGgR6SGcc5/ccCWSKOzdYvNP2yVwRXOuZmyrcPjedKxYrSp6ul+4D62z +/IBhGZdaUR10bATr5Xaeb01ermD/ujfGr0cuwXeylRw/9pBi7opHcka7kdog9ID5 +nFWvjkaSb3zrTDVKsGRHNGs3QWclmmVn3j/2w3PSDFgQlzk9qr44sjqBVHO8ib0Z +Nx3DwUlx8pE3LyWOEZROYIzFPRl9kWpMdDENt+AxYdLqATvmoomK4fU1P1eq3hg2 +zvZ65+kstDSwHt+DU70tFamgIb9z3IxHYBXB5bezJB2AWz5AnGJ43QyaTpDd6e9k +KdynHlBe0p3bfbRy+KZxSSVXbTIl8bonxnz8cQKwe+4vtBtSMy7wNundXG7y2cBy +nL+UTcjAzmiw08FFsPtm+O2MbE58eYPSb4GZOZEMAjbYTWHwcfMq4LC2p6GCwprU +tT2o1I1vXa5okXNIbR275lVQQ/IYKHSNToX48KOesdnKwSmQvujs9lJ9beSaPadL +fwTEEVgzH/+mANf0glGjbYtNNo37qriVdQ5wi7a5rYxVV37OKHL/BrDPsNAKhkwu +xa1gXUC2XvNAwkFM9ITS5BkXXiWbumkJnCDaNd6ufvMclwwlHP/gdyfOVP0nz/xF +o7v9HXQhkOERwBdn/U2KwKFSqGpZCA/6qQTSMzrOOArA5V7vU7SOXiBDV2Ugqh9U +xWsA/f+4E+8DoTruFzkL7ZpgT9OSyAA7q/fwlFH3wX912rkTzmHutslMAaLb4Q8/ +fhLf2OrlA+hR1EFE297QCRMN/VTKSYzaeN+M4BSI5037rzeAtw3QxvT+tyxDP/JS +GU9cJRI5eyN0kLMee2Esulkv/wjMzzN/SymaHqZxAva4Ki5GQnOfhss8/uV+iGuy +kw7LY+02I4iWjfDQw342ymUXRoJvNzuByceLx7MyIB8qbK/m7aielw9koZhAgJbp +HA4VpAmoRBLrm/Jig+uNuKKeT1aeKXjO1lvfoHQK+ILn7IS0HjslUJdBToUU3KiM +d9gEbUJEie5xIp1yS2amhotQfbdfZnloXZXXemycV2lSVm4mllBJbaQggp/9H+7G +bGrcFajUR/f4GbbSSB2SJGjZ7r4rsOlT5EnL9Op+GKa7DQoVO4Tnuw3snOk8fy3R +1WVT9tdFvOoWgQTB/gpcPQwmCK6Kuuiq2zyu74zbzFedkuNQ3TbSCKISO+F+GZNc +o5fJ2ZZjnMEADQkDT2gTm0TlR/t0CfRBxaWl5idE1an+bn+e8JQs0R3h5mv7XJbe +Jj2crMKsTRbC3hIs5xTnb5PrK4Hvr2kZLVqZLfg3/l78BIm/+iGMl4UskTMGqQxG +466YWi664hFSkMjpfGQknOThzMCpRyWWOosvhgILYSZJP3TNtYh06vgflNBHwCLx +fQhVo8/zxYgmdLJFfOj3M5Eez7sEvMJUOJs05zzaPorScryvf+ZxNZ1eHtcCZ86z 
+rXLKEw4XS3yajFmLMxzdL1kzsDVb5Jk/w4lvXogLXqTWc4OM4+EZufY4Jw3xekEQ +BOJu890drSPvfDI2/fulDQLCmfxylCoSscjVn82z1+ksuJdrAU1HhQHI9/xHF+D1 +scCTXju4j43+R6dIAsaRmDg6ajOE5bGKuW9eIqNhWx3zKYb0ktbrhGgQE18mCjgv +r/DyrkEY03hHOXYpwUXSRkXE7qXAl32fT3MI2c+As2Y78dhuo5jTaIeN9TildPgy +EOuzqwmmcgdm4+MWCiRnG7xDJrOpRWKD3Fa7KF01EjRuVD1QrO65fnuMp6uPtSr4 +BtOHuWYv2T98mW4lJwy+vLZsv+6Dc7C0UJs2IKTrNx8OEKEj153IftVUwP/LDNHM +ysCtFim6r5LdFYQZ03TveosBogTbjBk+nO9y0q3rRWsLJktE+rEwi0uX9lB6nPS5 +2/0IsvmZtNNafIWntY5MnitWZqdi3ft/GFt5NrvT1kHU1x9D9Rh1yGxqzoyxJ5LA +nGMLyqtmLhAWuLsN2mxZO84LbsDeiUWG9gjx4E8MJV2TXH6SUqsPVSjgHAzrmYU3 +X5xgthUD +=T754 -----END PGP MESSAGE----- diff --git a/keys/http.muflax.key.asc b/keys/http.muflax.key.asc new file mode 100644 index 0000000..61012e8 --- /dev/null +++ b/keys/http.muflax.key.asc 
@@ -0,0 +1,27 @@ +-----BEGIN PGP MESSAGE----- +Version: GnuPG v2 + +hQEMAwEAjpZflP7cAQf/Te+pWH2q3e/A+1PCFydiaaxtihSnR9kOrkHWzT77ZSc2 +ZIyzWtjQwmQdyFfkhcYvPMMS8dS+gcmi6gt3XzyYILdAZ9h0NxhyFRaBqoDab5OL +13oNdTDAZUEQdhFqqA8oSZ8NcYPCzUf1kXuQYejVzw0uTmVpVWDxKL9m7+xYa8X5 +Vl3Jcp3/qBAUpA2SQ+OaWVHGcvCTaTKO3nLfV84n2cBU99b64Oey4SUc4oJSnslo +p9ynrjeTfx4uoHmQFYnkLxQzHGN4mrqC5Xp1cb1NxiW3FmAjTaLeJw35Wq17lgUS +4R/sEwulj7uFErRV6w2cdsuTVSeAUki9LonuHRmgk9LpAY/ZqptZ49JGY8GAlL9o +E3vIkZpfijDyD+hRjAygf7mKtb1xJWe7LAjKN0rMI5Hew7zqNXNpe+3yTXkVtKRU +GNlkPHMFg0q1cGjs8+u3HQOrtFgZTM3xZRWN809T5QatLZ1+aBhwQ6AkFpRaGfVX +xVRnisGxoPy1X7F7Ztibfp+O4dNRinujsMP8cmqyhpiaBBMrGJdZtbISE5Yk5q4l +aeRzcacpKtWGPEDjsgc9A55cJ6ORIgZaZLUkqWDoxkb+3laIJcCrihSQEA+5c13I +fBGWwA1KAWN2/ac0KcV0MJElbZY4BTaZNgrHUAFqePeupn3uqS5bd+XR9x/qVMmb +anBLw4MCISGebyHi3zvHXQ1cz2KZWbzodWDJP/htnlcBCFwrH1AciHIYR6cMhAY8 +ajDzpHqoZuwCt+mOZWI+3K2shYE/r5zSbL9in3L7qpGxz1ro32zt7k0ZQaVt12FU +QTQaJLNtdbjRaXEc3dmCu7LHvxEKEVmrqXJDbTgQFQn+ADDlu6OZokRULTUMK2QQ +dFlVJJD1S9xXbSA2TkVPCmKgzaJp1X2QnggVR1BySPRm0Yh+QRDI2dlS23ups1M/ +fH2MUnlv0OeD6C1o5d+6R1UxxrC902+Guu6jCg6bIlfOciFqr31STK/Zw5aA46C4 +R1O6NppK80NEO7JysumDbA/AQm52/1GoMDpcw5yZ8/wTQR3pOW7XxqgEaKfb7gUA +VwxEJDfRAwMrlDaaQidSlZIsiK8FoaPgHBVriNaiNgNRD3uopMckVTPeQNYviOxH +wXrHmD7NSL/8JRRJVUseN+/jLBXhJBazp5ltldTQz2vOQLasmtstjXI5vz1vBnrf +k0jUf1e8d5YZH86bZ6H5B1pterSNoEHm8X8Y7Y6zGH+QwXNU0HQrB5PE+6VdquHk +rPrwBOxov7bP9MFWzIvhQDleT9UVOeOQGfxnOlNQSaBLMqzUmA8fDTGuPG3B/aB6 +3miAwbs5mvCIumeRVU5VKJPICVyHG8lY3mOejk/jVcdN4SBZ+A== +=HtJv +-----END PGP MESSAGE----- diff --git a/keys/ssh.frumar.key.asc b/keys/ssh.frumar.key.asc index 2cff5e8..0287f8e 100644 --- a/keys/ssh.frumar.key.asc +++ b/keys/ssh.frumar.key.asc 
@@ -1,27 +1,27 @@ -----BEGIN PGP MESSAGE----- Version: GnuPG v2 -hQEMAwEAjpZflP7cAQf+NhVPRvKA+uAnxG0EHA0ejwIX5izr7guh9WvN+K36mngs -EzqQikwg2XKIEXrgegwmVhUskZqksmp2bmu8f5BWoukHZUnWdinD0/01yb+YsO94 -JEooWLc3+i0Zd3gJjazMbokyZJDA0g2fyOEo1sd1jNTzFdayJU6q8T35OEwVA1Ca -BiBK2Ym+FfcH724zALuC22QzHUvz26Q3S4igXZdnKU5APmQwejV7iHlbGosNPZyQ -sSJQxbSNv9ghWabpOR+qVtshx9wdrthUxmeUBwA5VvOasLejaxTf9xfWFk9qRi+3 -53F1ou7eZlR+5WfM6M74M+e5xbMddl+Zq1PuMUgwtdLpAUDBRvUVCURfpobuOn8/ -cXXtMSYc2C0TUpr9EExaFBlIvMxfdqt0t2RD2v7NLFX4cjUEGFDqVhaoVvYcn+J5 -u2vl/86ekzV9OoKrRh5lkefEDXsubWoT8CySbaP1YV0vKNpF0/Tg9doqGjmk5Wgw -H+ztastSw9PYtkXUEJSmnaeESyhuLSu1TtXnnyumhELFrwmeY2x5sjxFpgeBrSDa -scUb8uWwUEqnQzdh1L0NkatRKvWw/8RkC6KTdLyRWBCUBlqd5CQ7mGlkiIELQ9Su -c2XNEVBKPJNVJ48AhBHz9jQQ7CyNfh72i2S+oFNmvD/fMBM3vvFEpJM5xMLPmcBr -j68HKYaF4I70w2B9QvqxCOjNmMiPaPSI3IurM/hi5sIyB++8XIqVVbiUNzXY1vAx -mFPMgMWP8y8wnwy6FfjX4qZNR/NVTmpv4igRPJMLB0BpPqgP6REAGZqBg2It06l8 -rvPVxJsCV3seUVPNtw5UEd5ZvDwM/eYzO5PqdebwW2F6bkFvxkMjsui0yRzVqhC+ -NAxZvIMuOxA3e5ydeS1LBUhXZwZg644/n5bMcKBnYdXQDhFrnCX2H36QQ05zirMs -G+JUAAUgxIBQt6fmBtiba9SDvdqzdBP9+Y/PeEyBai77eGdzxPKxZjrzn9q4JjOQ -yvalQ69eBXiFXNuz+Ewj2XLAP0Wb6tE1jSwwzEFLYiEKexCtiZS2gjguhhqq6UGT -VGP2BAw39hJDeJ4/bgC5q2Od9Ki0cOG4AXqTlrs1zbgJdxXhAcqKHcokktU38glU -/Y39BKIVqFbm31FAYzOWFZP3wWHhPr6PI16fYpGVUmzZwCqpcKa4xfbyy0eARls6 -UYgU7WAIYm4rTMNJ9LMytVAGVRViqKWHSzZKY3L5kWt0yY/8QvDnxTP078FJ20GA -OINn/2UMoDEaa2ra5JsNfcKdaF5W6Dar5TJYEJeqn8dcQuC1EdfZrMo0r/KYxxK3 -6EaYmztxOc5o4NXIcL42g/SMIm0HhgSFG5ObMK4vEj38RQ== -=swEQ +hQEMAwEAjpZflP7cAQgAiGfh0LSsIYvhNg8jVFvHC7MlNfvvDF65qXuA8YJ+ySOh +IVg4gq8xT65DoY6sss1t93vv+BhozpeU+u0mJy8r0h1nT2h3aK3U2YYbGSrxyN5J +/HsjjaY7noZzdOAC++AGfw7trwcJW3BHFy0zd2nf49X3KtVr0zzwZU8b9SQ/9XrR +Yk3V5rkWRDGhzdfKuxHxJVz/fV9ehAwX/hBRKFIsdRnnrrKCeai8lPaDo4/73jem +fhHkqclmuhS1G2c6Cgq8VCgNUWvNgr7tv+fXn9gO+1eMzTL4lk3VmQKriAUqQdKH +sez5sRVLVuv+b5U2ehqtqRdMgE2UqyjLib9DyCnA9tLpAZuLGq6EgBBrVbr1UgwZ +zR/kp0NtRwWApsmNuVprvGNANyEAgiFcwRpHlL0hoX6qgt5ctfKXbUqCFzOqeQpC 
+RTf/7SB5jCDcl+J3z7Q86WbTQFKAabKf4rNHtxaPYJh5ohX9PxYJV3tyyR6hEHRI +o/8OZsjUAuIHOUkB5g8CQoQo8FbSphQ3n9BVt9cPPKG1j5Z5z6r6GvCGRki7Guk2 +fabh/L7eK2oExvFiXNNzbnsUupk1JUkEU8JYDVwdSPC3axFH60PtXLbFGCafae5y +lA4qS0etsFJTQvbAUUunXia+G9F0DNQPpufumQ2oEGkAZfFD/GMjCfSJ5eZjnAO0 +mlFbg82+lNpynyVCpoZd0ViMYHpcKWQfsDgM+rtL4FKVst6ysrKN5PvZP9rJ+50I +6XQo42DBxYDpJoaWbp9J7oMIUHwyDMKXKxI0Z0aRO3H/tA1BTI/v8Heq0VYF8VJa +Z+2sxZjR9mG1LM8/kiB8Z2qqSl43NBahMChocCFHFX6lIls7U3g9FN6D1n6he6UF +wJXKXR6EWXh92yDTUkTekNequLnkLRvkZzZ6KWJkmNyWcLDtpVudVg4e3LTYzs7P +EHQZ0x/8LglnzQBhQ0tp/IUGxYCu9tQ40rdA+IFijlB9BA8goh+TbyJoRdWmm3Lq +4tWa3klwxLsId0H9a6JxlELAP/L5pntD1ds95h7my3hMIx8/nPmP6gTSOqRVowBH +fZlIxAhlkhuKsOICXcArsSwA5DB1UGBmE96m349u/pO89UEv6msLRj9qBXn1axxe +I2yCGPjgZkEOi9DNVmK9B3TR5wK/lVmNiKHyLkhPzzGQ2LKOSiMFPRRuZvzs89gl +zVfBoOwZ6XxEmOhO5x/b+TENiDh9f1L+JMSqugkVQT7qcxXyWVnMR8j8sUTNevhm +9BdMTNFypc4AcMZ0ZxAsRgFQNVlDtlYQtAdb44S5WDRwOQgTZg7M+SRS/eQ3dejJ +vbV/REpJTbjXTkedkyiBhlPmcpqtMo1h+GLLnTBGaDMYDA== +=Itrx -----END PGP MESSAGE----- diff --git a/keys/ssh.pennyworth.key.asc b/keys/ssh.pennyworth.key.asc index 528f0bd..8dad0cd 100644 --- a/keys/ssh.pennyworth.key.asc +++ b/keys/ssh.pennyworth.key.asc 
@@ -1,27 +1,27 @@ -----BEGIN PGP MESSAGE----- Version: GnuPG v2 -hQEMAwEAjpZflP7cAQf5Af25R/+IuXGNgUyF+2ghadXGNiRLbaCW8gwG7tAxf3/y -/knLQMYCgTWzZ/9fVJVvPht6wx1pyRuTB9yRnWGC/jbqQHiV2NIAPobzlf4s1ce/ -oNNae3TDq7HBrIFyZP7vcnDcIKAi+KNTU21mthK26cll1GOm2TME1bdHN2uQmn/s -NRnxs6DFbrM2C0QzVxrdf33SOKEUXGtmoQdAXw7/zWwzKvLHw9hsyOaAkLWVqNnN -4FZvTGx0PSSOodTr7CQxlCwXbt9gQutyTcqcMXPE7BsuccEBVOviXLvedoSgCvVO -ZzTS+vqxVLaf1I77NcEAUDBy1hjlG1Yq5RyJIj2htNLpAUPsAtMSK8Z0XcS+WAH6 -P0UL9v9dhpFWwzwaBgsDUPcSueXBcy59X9ruCo+RUA1nWmW8GytMavCuctyXhKNw -47mn+5Mc4ZpBtLwVw+NAWSvj/XOSi0eho9WTLN/ToICyA2E/Sl/i9DaA65ZNWg4U -/Q4KhS3B+6QI2Mn05TBQQ49wn1EBLRXNXBI3xlWtOYx3SDSdgsfXmE4uhGxjJjNY -cYwn1BAtuJYSrN8gYT9yMdNCAO20fMezXdQXE5vrhMmkwjlkUYT2+W3AtybghYBF -rLvtEy51MTIQLgdxAn4MHf461fkFFtPJ3adBIBSx05kBQrilsaH9RR4zV56wrRQG -iwCbDUXgsaVIgER6GucQrO+PlPph71FnQXP0h9NKmM+gEFz755KfkCr00Bi2Y/1L -Fd+R7DJc+iw5bNac4Ac4FvkwrxTH9CgwtLGwuuEqchpLQ/nQWV/KUqLMGg3N9iNw -hSYWUoei7OPwmi5ymD9Wx8MrOt1f7ITBhXzBTnqi5sL4pnvyi46Kfv1s4ix8gdfM -pNRD+fiblfeBiWhOWHd7hheYuYTw8LV+LgmH57AfT/k+l9cCDRmOgbC6wjfO6XUu -54LLMUoFYJX58bcCnX5QSVxyhuafYG2aiTy0UfKZBpbjMWBqpicZuEUIns9qRx9S -27b0d4yIhV74NjIPdUE48IHARxY3AchGoSFDEZOlLZtqANFk4E9goXSdMLT4pv7Z -PIKa/3bJCql/EPU3cfA0fBKIjUPGV7OwCy7Ij3h4U0mcjT5dIHyaB2QT2wyQi3fa -y3uqo337Ax1i7qNCg9dZhjzWNn8RgdR9b2/3o5FXhcoeFleXODGAktbq/b1GlfkS -C9WnMB4tHrtBgExJV7MmJ++LkApEW0VAG6UvMwDVdswShuREX9Z1B44onCBXw+ZC -kJPn5hVEN1kBAQVdyFOSS/A/0mELnvcrKPXBpXHqaUaPYh3t0NCZ+JkXLexmmeHq -RLot6lqSzMEbeCioIZuiQAY1bof5JMnFNbBVRHux4OFjsbR+Iiq44N7j -=4aPY +hQEMAwEAjpZflP7cAQgAvoPmVMBHwSqRdsFKNXNAuWQxNXPXDhhD3HggJGaFaLLb +TaMy+ZddjcCsL1VuJD2Xbs7dfNtYQilF4+2RiVMf8curJm9dV0adI5+6AMcFz+f7 +bB4L8a9QTExfwxOTLbNFUYTyQmWmMl/QeTXlrqOZIj9jYeF6NosWwroh6lOtgrgv +srjVdPacwBVz/oFzMG2xV1BSpEwpBC4WihZo+MM7NREW31gWIQnq02nhafSGii2b +k/T8IsSlS6lOa1yoV+cucn4qZGhXMS4U9J2fXCXmRungBN9tW+xCQG0agnhFAMbD +21iw4sq94pEqX1oVcEWZlZtOUwZe1VvzxLRpLDTIcdLpATiGy1DSi5ItkZpQ9MNb +jlXUKjrz2s6XubINIXfDBmXtLel6JMoxmRzIbVbE0rpbdnZ67Fidkh2eV4g/yUKt 
+k3Cum3E0TKtGXHMK9GnwxPX0yXtFuhvxLPUmSRwKJXUafcoabcw4NoHTQtjn/EwQ +1Dw+oLGGNnrcXFu1LGfBIXv72cEct/IlTKnVAPcrGSJBW2VqC3rAgVByTsrCtX/W +Rjzayao2NzG0qC14lLMz8BLgdyS4XPHnU/2Si7sQUa6L0t2E4Aqx8EsG14X28UB+ +BXCJS9LxQfNgZ1MlNFDIpbdRKeoBlRaLULQUKksU2Xyodgm8sah0DyxpV7IAXZ5P +qt34/7/79Lbyykvi2gyZuMYLt0bmXLIGeyj853MjUDGoR1idJ45xGwL/VkYkMt/v +lqTkDgsEKdPIowxPmJ7R26K8jQJBPEj9/oCjNJ6hQpINOOdtjGy7b7oWvfwPoFSP +MTXvYgjcHO4g5InU7FRfbWb1FBl3WrMuqKf8aI0vsJ1UDLYbnQgXDADqkSKGZRAg +lyQgO8eQskI0g9Q4ChezPPSJYz4BSU7JHrxcYx08YPf+NdPGa3ryUXNuwiKAIVij +tgOxs+Ro6fxgQVuXg/G0dF9WPMVJbBu/X08TutbLaaEtqFfbNAbl+a2UP4RefKNE +/TozCnubs3QEP23p6DkVJMnAR60jf/LlteFAbZThk8x/XCgsn/BjRVXGJRPhvwb5 +DfVCT3p03jw+hf0iLIDqMNNz4ojLNSFbXRjhUVSaidDybRmkbpWjTZi1vkqJXZlo +2G52ecHtApKtM4yE8tMn9HYSKPN3tUH6DW01faXxka3cfbuYnklN/EJ/3ZEvrwaK +Ybf1i6aw2/cHn3PXbfsqY/waYgZGdFsJIVqjzfWUHhz4LfKySx4dZj8yJg/a83f0 +FTsahK5gv9mpTM4pgyzuzdQ20Y8VSN7iJALb84R4eNTHUHvdnOJjG/hcBQP+Fdeq +N6fTIQVWfr1bu1JqSnzPlb08kvsdQKbrrvLrPKOLkz7bcZ9AC8beTxC7 +=jNi9 -----END PGP MESSAGE----- diff --git a/keys/ssh.woodhouse.key.asc b/keys/ssh.woodhouse.key.asc new file mode 100644 index 0000000..b357613 --- /dev/null +++ b/keys/ssh.woodhouse.key.asc 
@@ -0,0 +1,27 @@ +-----BEGIN PGP MESSAGE----- +Version: GnuPG v2 + +hQEMAwEAjpZflP7cAQf+M1QRCxCR4GrCMXMaWH/inZbfEZqTO2ZSbOqat6H66Rzp +ihvO/bxL02C5QtkSuKqh0kHnWsGqtTgTYfZzW3f7Ljdfis3G9NaRzmDLsA9k0rCu +USGp6gBqA4NM7KSEvtZR8OXxVkO1fjBxNpNZ9awpj1p5Vw0uloyyNzIz8bPgi3qt +480/gLQRy+wp6+2rZiNyBkfRBmdtIJ5BUFOpirQIIowN8xw+MbBeV888PintvH/C +OOPlamNn/FhxZLq0+fmc+dZxVrNwVCru6QX/nQWzFYrcz/YsrtGMon0rKmQh2ZsM +q8v3LGBbWTmhYi4mlHo9mo4Xi1qZAuI+0P7Shmu+ONLpAS8cYq6u011w0b0Q47mp +PKSHoFJHLQMEyoQQmbz3zg2DXWrzDGq8Y9aHe40IOuo8qg3+QWv2sPFgJIP3RxTc +t5jPHEKvBRmE7sTTNTFwbwLCJzMMDGZs3XS91wuGTrj8rlxQXPWE1+hk5CLu1pzo +/R/drxK/oxacvw1aD7UuF34ZXIm90OHBqqtKSCw0zo/56fs7F6/sz5xg3agd8uHm +R2khjHtvCLIdrmnnLM6oQJ/bBJSAI7O1t2hpaWpxD8cxfDWp2kX+Rec3gjU1rtql +8k9allDZz62Cd34TkXV59BG4izTDvZpN3fVVz13zBWtDHtdF+udlHp29vpsc8POn +WZM+7Gc8Xzk8bTMJ3NReMg9vHPkvOyy42NKdE8s5LojymDMbYWc3kBnlmCfhg2Gs +PevJqrAnE2I3olOvhN/Ceny5rmlYr2AzuyYiXJnLNSoQK0dujs898pxBnTmgeOKS +c30QeXhpiVlkiVJkg2JJg4d8fkidvYhIJHUaGSHKNmuS7jybbwozZrCi6nx473dn +q9AkBTKcvHaoSLvP4y0CzzyZ4uanVWYuTdmAvRmj/UDovAFqmH30Gq6bdnNZWyiI +HEsJ2sW84UjcS/77Yq00skSk6MxzS6a7tDHKUAVWj2hSX/FHjRBIRZiyXDgFsEKm +n8L8/i1T10nOJqBzTtocvfTARsDe7blQQZ3yI/zEW1zmjw1zbv7OvxX8ktfkNsX3 +HGjkUMDhEa5YAauxmN0emX4eg/jq/CA/2hDN/oom70ihtmXzwmjjgjDIe6R/eLe+ +mJ52PIWZlt6YG9esig0prn55tAvp4y08zzyl66nQL+ubDbQvntZDJjIX4fxd1RFq +DEb8dFQ+FnMRCVdjK5QplFJim1lYaknvEtC1jmInhQOOqLv1SD0e95zQB68I+we+ +fPhaHslYVwuZPgCl8y30HgOPomyuUcy76phQWgjWQtl5knvw7a+K+a13vHF6mE1x +MAK6edXMupqDpuJlJFzl5cX3qwEYMjguadFQFXoYyfB9hRbCHk3lpgM= +=bMD0 +-----END PGP MESSAGE----- diff --git a/secrets.nix.asc b/secrets.nix.asc index ae316bb..2aa2437 100644 --- a/secrets.nix.asc +++ b/secrets.nix.asc 
@@ -1,27 +1,28 @@ -----BEGIN PGP MESSAGE----- Version: GnuPG v2 -hQEMAwEAjpZflP7cAQf5Aevf5xTB40XNBl7RnAX5/hfmStnnc0b/Vfx5k+Dz/Hn4 -/Jt12+WUniKxMpuAhENSJYOBsvu2HPiHNeFlUSOaoyX8UERv5LcGAdZEMwiP/hQu -yWDXFHxchgdtEYCqzrtZcTYXelAiuS6b0Sq+xK03/yL6BKj12TiAcQv0SAKzkFD9 -tvy0NrbMwpZPqOF5Hy89LXsG5dOy+MT0SgwaJGiKxZ6JumUYsF2gYGh9vdkDX4BX -hS2eZgGJDHkUpW26JaDohzQg6441DA+s0uso/KAMmfKoUcsx7RIrM6sEbV6GRspC -DOzdZyZc/2NJuDtMBcpVpzXMylqhBhOtqDj9wREIONLpAQVdCBLgU+o0kI80Dc5p -qwbYC4mzG/mOIUcFNAvH99kxT4OBtGaMyqIQ0he07dHd3jPnzHdJPLcHzJz0CabL -rncODL6fPk7MPPIN0yTXyBgoFnwb0PnXML9pQfIKTHD1bd8zxKNJLiJMfZC7/cbV -qHPhnjPOAX5pmIKpEqdBrIZ0+cMRFgauFSwO+Ts4ZuoLsO+0uR6t1EJ4Nc4tpoD3 -j1JDEHz3wyz16Mb/rjAJokJdarPJysqwuu8jmSwFOj+Q2P5H2rG4ESqpX9jKv9Gt -MM9FrTiDjyvOA5lye+JlsGcFCWVgf3WTE8DjHQeBWAyPuUT9xesbd+h0jY7j2GRJ -m3XsaAfIzZkFQx77Kymsjh5QYcv+LaRrMbY8ID5Mz+sEj8+JkUaLynkn+QZ3IwqA -xPsNwFX/+HoBPH9ZR8erTEpQMEtadwC8TwN+RC+PPokIDfLP+dvfxyoJDXypVmoD -YK7PFPfYoU7ZrwTioinA3flBG71VhuTlIzSN6FaBL8oj+ssbhnmNJCMSm8X4hghV -wAtlhgxOgrGtng5J9M+KbtVoCyjffi8cosLvSHCZk2SHss+i1RGNmytUEYtjsyB7 -wFPBPT3n9kbTc7xMjec4RWPO5O4LvBqTX6pc94HvA5oJsxo4J4WdFD5EVFm90TOy -eMsJmAVw5tuU8QjlL0Ps0GvATUCwKLVVq3e1+dlZAqcORl+/e1zpK+Hg7XihFymC -yCK2oZ8TlWX+H1xlAwgQ6KSz8ah+Z97wdm5+YVgYKOBkNrOWkNv9O72tGPIPA9/n -a8+FBAXq75hufY06Hl8ryUy4V3udJpTCKkGADe8X2ru9k1nZmuMvWponapzXZM9y -xpcaJzro+P64PxN9g423GHjD8vOpqqPNY8Ff+A6IJdyDMBR7F8KdKN+M6jGzkWRN -gMXd8+O9KwMLUGmAKeZiZNcQZEent2jWYuZi7vLxmWMTtEpZQQfwy0Ca1aIaAgPe -/s3UBRQDhcKwQOOGaM05UicFv4yfoq1XhDv9mcqbQEmIS7QynvmuDhIBmtfFKZCa -=tRx2 +hQEMAwEAjpZflP7cAQf/WInyFwbeVLTT2OzoiabhI8ZQIteC8iz4BgU3BoMbhmzU +i8Rivtwy9p6sYepzNXQ7DOxkCc+28IXD5JF7gFlPv9Km0r//JU3YaYBMxHyH+iN1 +iyf+PeiBgiLmvF7uPTILxFlPhUhi2s26JUmCDtZZFBEmuuPz1MFIu1kw/ryV74kI +d+4TUbNG2xhu2Rogu6xzXkun0Uy2XR6Qa2CImpUFJ5dwJfWye3UtAxMknQEbCXO5 +ZxNwQU9jXEMgjGK57lTYSX6uBbLK8BweeV+spPI5wKA5BA0RCuOWKTQyREy7e38b +a2ZL1jjGOiN8PI9x89MQcE7IQVDb+L9/Vxp8dFjbTdLpAfE2XNzPx+m5h3gNr0I+ +M9b/oTHfUFH3NN+NKQCSZPRbDfri3CgrhBLuaIvVsswnfqYJRiBPkp73JP3NpM14 
+uFaENf5ii1zxfmH4du7vmzP7Utcx0PebL2P0NQc1dIMFlG6Aht8m7ACPVUziXfxd +er9PFjPHKY6V7hR1wsD2bXCzFZK8StJCNnU6hge91KOx4jV/9+Y08kZwJDvFPooo +g3HnYT8KoVzoBkW4M5AiPSUeBy5w60WwbN2wLSHLT1aNjODASvqv41dFhO3up3/v +gMFmeIg3DjNa6qvFjbJEjefmfSzgkwgS9CEVfNAg3BBrXIM5Cw9+LvWin2gRlR9n +taiTy7MWzsLSkRALoVZ8WOvUgEZwW+WPHIDORTBrqBpR5g+qP94t9Myu/mfG6lqe +TC1I2jQlP8zu2YDc3yvDaK9AeCJIyxu8NwYZAotZwPwzapRiQmMIM6Tfld+YSC/+ +/K68Uno2YH/X43y9pKx0w18azbYE+UzpX29NZnHChduxFmg4WueIaFhQJkJCeu6j +2bBjvVXalI56flFhx+dJk8VjXTwmVjf3tGY0WkpQ7wPvFNynZ2srV4wdhuN8sXDl +rRGwiafOp6zIiaHtoHsBdP6XHqMputKYOQobuGV+lfK324XUAFYMKS2RrYry1Mfo +YdLqbz9WovTn2G74VaYE72jAZNm53AZeP0ggufgAIAe6kcqion76Cq5bU6PC/j9I +7dbdzybOa2pNatSEBrDPVOdbhWrb0ifFMQp/CBAGDLaiTeyjPnjVSx9tqmGnQ+vn +bWdS/lNxvxWturdoR5zEx7nyEMYhOzjylNke8sTJQOxNS8gh6CQ+FjOm11XvkEnL +RlBtIIQEhRxdymUfKAvmc9D4A8zi602bJgEn7uqr4xjnf+F41WA0E8U53WAYK0cM +Z+bOuiKYzWkLlKIP1Qa48jhmdVV/9MgLWZf1uf3MgsTqKErjx/fKtFLdOhcL6wsI +tloEz+5ID1xzo5CtS1vhuKvvG25EXkyerlfC4wGkR4xFiiks9Ei2DBG/MLMjJcrk +1FJroBTZqPB4xAwpM7WC84CcNNW+qm8= +=8zHI -----END PGP MESSAGE----- From 830a966fa56c1679a831327c0329b6e7adfe332b Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Fri, 26 Aug 2016 20:13:37 +0200 Subject: [PATCH 035/172] move everything to remote-new --- conf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/conf b/conf index 2e8e0ca..502e55b 100755 --- a/conf +++ b/conf @@ -11,10 +11,6 @@ local) eval ${@:2} ;; remote) - export NIX_PATH="nixpkgs=$HOME/builds/nixpkgs/:ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix - eval ${@:2} - ;; -remote-new) export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-16.03/nixexprs.tar.xz:ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix:muflax-blog=./vendor/muflax-blog eval ${@:2} ;; From 7517023e85e6fefff4f9b47ae3b8379fb36193eb Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Fri, 26 Aug 2016 20:14:16 +0200 Subject: [PATCH 036/172] fix powerdown --- modules/powerdown.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/powerdown.nix b/modules/powerdown.nix
index 0d7a6d5..e9b31b0 100644
--- a/modules/powerdown.nix
+++ b/modules/powerdown.nix
@@ -2,7 +2,7 @@
 let
 powersw = "/etc/powerdown/powerswitch";
- powerswpath = [ pkgs.hdparm pkgs.iw pkgs.gawk pkgs.kmod config.system.sbin.modprobe ];
+ powerswpath = [ pkgs.hdparm pkgs.iw pkgs.gawk pkgs.kmod ];
 in
 {
From cd379d299a8270f2e82aa0d167b75fe9bcc2c988 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Fri, 26 Aug 2016 20:14:24 +0200
Subject: [PATCH 037/172] hello woodhouse
---
 network.nix | 4 ++
 woodhouse/configuration.nix | 99 ++++++++++++++++++++++++++++
 woodhouse/hardware-configuration.nix | 32 +++++++++
 3 files changed, 135 insertions(+)
 create mode 100644 woodhouse/configuration.nix
 create mode 100644 woodhouse/hardware-configuration.nix
diff --git a/network.nix b/network.nix
index f1529c6..eb985af 100644
--- a/network.nix
+++ b/network.nix
@@ -12,4 +12,8 @@ with (import ).hostnames; {
 imports = [./pennyworth/configuration.nix];
 deployment.targetHost = pennyworth;
 };
+ woodhouse = {
+ imports = [./woodhouse/configuration.nix];
+ deployment.targetHost = woodhouse;
+ };
 }
diff --git a/woodhouse/configuration.nix b/woodhouse/configuration.nix
new file mode 100644
index 0000000..e8dec8c
--- /dev/null
+++ b/woodhouse/configuration.nix
@@ -0,0 +1,99 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+let
+ secrets = import ;
+in
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ../roles/common.nix
+ ../modules/tor-hidden-service.nix
+ ../roles/graphical.nix
+ ];
+
+ # Use the gummiboot efi boot loader.
+ boot.loader.gummiboot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = secrets.hostnames.woodhouse;
+
+ # Select internationalisation properties.
+ # i18n = {
+ # consoleFont = "Lat2-Terminus16";
+ # consoleKeyMap = "us";
+ # defaultLocale = "en_US.UTF-8";
+ # };
+
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+
+ # root password is useful from console, ssh has password logins disabled
+ users.extraUsers.root.hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
+
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+
+ # Enable the X11 windowing system.
+ # services.xserver.enable = true;
+ # services.xserver.layout = "us";
+ # services.xserver.xkbOptions = "eurosign:e";
+
+ # Enable the KDE Desktop Environment.
+ # services.xserver.displayManager.kdm.enable = true;
+ # services.xserver.desktopManager.kde4.enable = true;
+
+ # The NixOS release to be compatible with for stateful data such as databases.
+ system.stateVersion = "16.03";
+
+
+ services.redshift.enable = lib.mkOverride 30 false;
+ services.xserver = {
+ #windowManager.i3.enable = true;
+ desktopManager.e19.enable = true;
+ displayManager.slim.autoLogin = true;
+ };
+
+ users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword;
+
+ environment.systemPackages = with pkgs; [
+ btrfs-progs
+ ];
+ services.tor.hiddenServices = [
+ { name = "ssh";
+ port = 22;
+ hostname = secrets.tor_hostnames."ssh.woodhouse";
+ private_key = "/run/keys/torkeys/ssh.woodhouse.key"; }
+ ];
+
+ system.fsPackages = [ pkgs.sshfsFuse ];
+ fileSystems."/mnt/frumar" = {
+ # todo: "ServerAliveCountMax=3" "ServerAliveInterval=30"
+
+ device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@" + secrets.hostnames.frumar + ":/data/yorick";
+ fsType = "fuse";
+ options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user"
+ "defaults" "allow_other" "transform_symlinks" "default_permissions"
+ "uid=1000"
+ "reconnect" "IdentityFile=/root/.ssh/id_sshfs"];
+ };
+ fileSystems."/mnt/alphonse" = {
+ device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@quassel.rasusan.nl:/mnt/storinator";
+ fsType = "fuse";
+ options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user"
+ "defaults" "allow_other" "transform_symlinks" "default_permissions"
+ "uid=1000"
+ "reconnect" "IdentityFile=/root/.ssh/id_sshfs" "port=15777"];
+ };
+
+ networking.firewall.allowedTCPPorts = [7 8080 9090 9777]; # kodi
+
+}
diff --git a/woodhouse/hardware-configuration.nix b/woodhouse/hardware-configuration.nix
new file mode 100644
index 0000000..f3dd966
--- /dev/null
+++ b/woodhouse/hardware-configuration.nix
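Review bot: `users.extraUsers.root.hashedPassword = secrets.pennyworth_hashedPassword;` gives this host the same root password as pennyworth, so whichever of the two is compromised first exposes the other; the `# TODO: generate own` should be resolved with a per-host hash before the machine is deployed. The comment above it states that ssh has password logins disabled, but nothing in this file enforces that (it may be set in `../roles/common.nix`, which is not in the patch) — making it explicit here with `services.openssh.passwordAuthentication = false;` keeps the comment true even if the shared role changes. `networking.firewall.allowedTCPPorts = [7 8080 9090 9777]; # kodi` opens these ports on every interface, and port 7 has no consumer in this file; limiting them to the LAN interface (or dropping 7) narrows what is reachable from untrusted networks. The sshfs mounts combine `allow_other` with `IdentityFile=/root/.ssh/id_sshfs`, so every local account on this auto-login desktop (`displayManager.slim.autoLogin = true;`) can read the remote shares through root's key; a comment saying that is intended would help the next reader.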
@@ -0,0 +1,32 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [
+ ];
+
+ boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+ hardware.cpu.intel.updateMicrocode = true;
+
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/fa5026b1-0f73-4233-a417-780c65f3f038";
+ fsType = "btrfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/729B-0F6C";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/086b6aaa-a737-4747-91d6-b4923bf14858"; }
+ ];
+
+ nix.maxJobs = lib.mkDefault 4;
+}
From 294890091d064c62f7be91668ade07afd116260c Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Fri, 26 Aug 2016 20:14:37 +0200
Subject: [PATCH 038/172] basic update script
---
 update_all.sh | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100755 update_all.sh
diff --git a/update_all.sh b/update_all.sh
new file mode 100755
index 0000000..1e0dc6e
--- /dev/null
+++ b/update_all.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -e
+userspace_update_cmd="$(cat <" -A hosts.woodhouse)
+ echo "nix-channel --update" | nixops ssh $1
+ cp deploy_key deploy_key2
+ chmod 0600 deploy_key2
+ ssh-agent bash <
Date: Sat, 17 Sep 2016 16:02:14 +0200
Subject: [PATCH 039/172] move ascanius+woodhouse to i3, remove dependency on nixops
---
 ascanius/configuration.nix | 3 ---
 ascanius/hardware-configuration.nix | 2 ++
 conf | 6 +++---
 roles/graphical.nix | 8 +++-----
 update_all.sh | 6 +++---
 woodhouse/configuration.nix | 13 +++++++------
 woodhouse/hardware-configuration.nix | 1 +
 7 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/ascanius/configuration.nix b/ascanius/configuration.nix
index ae1730f..1cc7682 100644
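Review bot: `cp deploy_key deploy_key2` followed by `chmod 0600 deploy_key2` creates the copy of the private key with umask-default permissions and only tightens them a step later, and because `set -e` is on, any failure between the two leaves the copy behind; `install -m 0600 deploy_key deploy_key2` creates it with the right mode in one step, and a `trap 'rm -f deploy_key2' EXIT` would remove it whatever happens. The heredoc bodies of this hunk appear to have been lost in extraction (the text jumps from `cat <` to `" -A hosts.woodhouse)`), so the remainder of the script could not be reviewed. The same `cp`/`chmod` lines reappear as context in the update_all.sh hunk of the following patch.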
--- a/ascanius/configuration.nix
+++ b/ascanius/configuration.nix
@@ -37,7 +37,4 @@ in
 users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword;
- services.xserver = {
- desktopManager.enlightenment.enable = true;
- };
 }
diff --git a/ascanius/hardware-configuration.nix b/ascanius/hardware-configuration.nix
index 3807e8f..bdc777b 100644
--- a/ascanius/hardware-configuration.nix
+++ b/ascanius/hardware-configuration.nix
@@ -64,4 +64,6 @@
 drivers = [ pkgs.gutenprint ];
 };
 nix.maxJobs = 8;
+
+ services.tcsd.enable = true; # it has a TPM. maybe use this?
 }
diff --git a/conf b/conf
index 502e55b..a73e58a 100755
--- a/conf
+++ b/conf
@@ -11,14 +11,14 @@ local)
 eval ${@:2}
 ;;
 remote)
- export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-16.03/nixexprs.tar.xz:ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix:muflax-blog=./vendor/muflax-blog
- eval ${@:2}
+ export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-16.09/nixexprs.tar.xz:nixos-config=`pwd`/$2/configuration.nix:ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix:muflax-blog=./vendor/muflax-blog
+ eval ${@:3}
 ;;
 local-deploy)
 sudo $0 local nixos-rebuild switch
 ;;
 remote-deploy)
- $0 remote nixops deploy ${@:2}
+ $0 remote $2 nixos-rebuild --build-host localhost --target-host ${@:3}
 ;;
 update-encrypt)
 gpg -a -r yorick --encrypt-files secrets.nix deploy_key keys/*.key
diff --git a/roles/graphical.nix b/roles/graphical.nix
index 2fa9364..5e5636b 100644
--- a/roles/graphical.nix
+++ b/roles/graphical.nix
@@ -5,15 +5,13 @@
 enable = true;
 synaptics = {
 twoFingerScroll = true;
- # inverted scrolling
- additionalOptions = ''
- Option "HorizScrollDelta" "-107"
- Option "VertScrollDelta" "-107"
- '';
+ horizontalScroll = true;
+ scrollDelta = -107; # inverted scrolling
 };
 layout = "us";
 displayManager.slim.defaultUser = "yorick";
 # xkbOptions = "eurosign:e";
+ windowManager.i3-gaps.enable = true;
 };
 hardware.opengl = {
 enable = true;
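Review bot: `services.tcsd.enable = true; # it has a TPM. maybe use this?` starts the TrouSerS daemon with nothing configured to use it, so for now it only adds a daemon with access to the TPM device and, by default, a listening TCP socket to the attack surface; leaving it `false` until a concrete use exists is the safer default, and the comment already says the use is undecided. If it is kept, the comment should also record that tcsd implements the TSS 1.2 stack for TPM 1.2 parts, so whether it is usable at all depends on the TPM version in this machine.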
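Review bot: The new `remote` target sets `nixpkgs=https://nixos.org/channels/nixos-16.09/nixexprs.tar.xz`, a moving channel with no recorded hash, so two deploys of the same commit can produce different systems and there is nothing to verify the fetched expression tree against; pinning a specific nixpkgs revision (a fixed archive URL plus its sha256, checked in next to this script) makes a deploy reproducible and auditable. `$2` is also spliced unquoted into `nixos-config=`pwd`/$2/configuration.nix` and into the `remote-deploy` line, so a host name containing whitespace or shell metacharacters is reinterpreted; quoting it as `"$2"` avoids that, while `eval ${@:3}` keeps re-parsing the remaining arguments by design. The same unquoted-argument pattern appears in the update_all.sh hunk of this patch (`hostnames.$1`, `root@$HOST`).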
diff --git a/update_all.sh b/update_all.sh
index 1e0dc6e..e39e7c0 100755
--- a/update_all.sh
+++ b/update_all.sh
@@ -22,11 +22,11 @@ echo "updating root conf"
 sh -c "$userspace_update_cmd"
 else
 echo "updating" $1
- ./conf remote-deploy --include $1
 HOST=$(nix-instantiate --eval -A hostnames.$1 secrets.nix | tr -d '"')
+ ./conf remote-deploy $1 root@$HOST switch
 echo "updating userspace"
- # nix-copy-closure --to $HOST $(./conf remote nix-build --no-out-link "\" -A hosts.woodhouse)
- echo "nix-channel --update" | nixops ssh $1
+ #nix-copy-closure --to root@$HOST $(./conf remote nix-build --no-out-link "\" -A hosts.$1)
+ echo "nix-channel --update" | ssh root@$HOST
 cp deploy_key deploy_key2
 chmod 0600 deploy_key2
 ssh-agent bash <
Date: Mon, 19 Sep 2016 00:05:21 +0200
Subject: [PATCH 040/172] switch to nouveau
---
 ascanius/hardware-configuration.nix | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/ascanius/hardware-configuration.nix b/ascanius/hardware-configuration.nix
index bdc777b..dd405a8 100644
--- a/ascanius/hardware-configuration.nix
+++ b/ascanius/hardware-configuration.nix
@@ -14,13 +14,10 @@
 enable = true;
 device = "/dev/sda";
 };
+ kernelPackages = pkgs.linuxPackages_latest;
 kernelModules = ["nvidiabl" "kvm-intel"];
- extraModulePackages = [pkgs.linuxPackages.nvidiabl];
- extraModprobeConfig = ''
- options nvidiabl min=0x384 max=0x4650
- '';
 };
- services.xserver.videoDrivers = ["nvidia"];
+ services.xserver.videoDrivers = ["nouveau"];
 services.xserver.synaptics.enable = true;
 networking.wireless.enable = true;
@@ -33,7 +30,7 @@
 #''; # for now
 systemd.services."display-manager".preStart = ''
- chmod a+w $(realpath /sys/class/backlight/nvidia_backlight/brightness) || true
+ chmod a+w $(realpath /sys/class/backlight/nv_backlight/brightness) || true
 '';
 # this makes sure my wifi doesn't take a minute to work
 services.udev.extraRules = ''
From 173d32bae47b3eeb7559d81c0a107a07331624fc Mon Sep 17 00:00:00 2001
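Review bot: `chmod a+w $(realpath /sys/class/backlight/nv_backlight/brightness) || true` keeps the brightness node world-writable after the rename from `nvidia_backlight`, so any local process can dim or blank the display; the usual NixOS pattern is a udev rule that grants write access to a group the desktop user is in, e.g. `ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"` inside the `services.udev.extraRules` block this hunk ends on. The `|| true` also hides the case where nouveau exposes no `nv_backlight` node at all, which deserves a comment such as `# best effort: the backlight node name depends on the driver in use`. The `extraRules` block continues outside the hunk.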
From: Yorick van Pelt Date: Mon, 19 Sep 2016 19:29:29 +0200 Subject: [PATCH 041/172] add powerdown stuff to the nix config --- ascanius/hardware-configuration.nix | 2 +- {modules => ascanius}/powerdown.nix | 6 +- ascanius/powerdown/Makefile | 6 + ascanius/powerdown/default.nix | 19 ++ ascanius/powerdown/license.txt | 339 +++++++++++++++++++++++++ ascanius/powerdown/powerdown | 55 ++++ ascanius/powerdown/powerdown-functions | 154 +++++++++++ ascanius/powerdown/powernow | 57 +++++ ascanius/powerdown/powerswitch | 7 + ascanius/powerdown/powerup | 57 +++++ 10 files changed, 697 insertions(+), 5 deletions(-) rename {modules => ascanius}/powerdown.nix (79%) create mode 100755 ascanius/powerdown/Makefile create mode 100644 ascanius/powerdown/default.nix create mode 100644 ascanius/powerdown/license.txt create mode 100755 ascanius/powerdown/powerdown create mode 100755 ascanius/powerdown/powerdown-functions create mode 100755 ascanius/powerdown/powernow create mode 100755 ascanius/powerdown/powerswitch create mode 100755 ascanius/powerdown/powerup diff --git a/ascanius/hardware-configuration.nix b/ascanius/hardware-configuration.nix index dd405a8..aebe3d0 100644 --- a/ascanius/hardware-configuration.nix +++ b/ascanius/hardware-configuration.nix @@ -4,7 +4,7 @@ { imports = [ - ../modules/powerdown.nix + ./powerdown.nix ]; hardware.cpu.intel.updateMicrocode = true; diff --git a/modules/powerdown.nix b/ascanius/powerdown.nix similarity index 79% rename from modules/powerdown.nix rename to ascanius/powerdown.nix index e9b31b0..dc94d5d 100644 --- a/modules/powerdown.nix +++ b/ascanius/powerdown.nix 
@@ -1,14 +1,13 @@
 { config, lib, pkgs, ... }:
 let
- powersw = "/etc/powerdown/powerswitch";
- powerswpath = [ pkgs.hdparm pkgs.iw pkgs.gawk pkgs.kmod ];
+ pd = pkgs.callPackage ./powerdown {};
+ powersw = "${pd}/bin/powerswitch";
 in
 {
 # the scripts are pretty heavily modified.
 # from https://github.com/march-linux/powerdown
- services.udev.path=powerswpath;
 services.udev.extraRules = ''
 SUBSYSTEM=="power_supply", ATTR{online}=="0", RUN+="${powersw}"
 SUBSYSTEM=="power_supply", ATTR{online}=="1", RUN+="${powersw}"
@@ -19,7 +18,6 @@ in
 wantedBy = [ "multi-user.target" "suspend.target" ];
 after = [ "suspend.target" "display-manager.service" ];
 description = "Run powerswitch sometimes";
- path = powerswpath;
 preStart = "sleep 4s";
 serviceConfig = {
 Type = "oneshot";
diff --git a/ascanius/powerdown/Makefile b/ascanius/powerdown/Makefile
new file mode 100755
index 0000000..fde6036
--- /dev/null
+++ b/ascanius/powerdown/Makefile
@@ -0,0 +1,6 @@
+install:
+ install -m 644 -D powerdown-functions $(DESTDIR)/lib/powerdown-functions
+ install -D powerdown $(DESTDIR)/bin/powerdown
+ install -D powerup $(DESTDIR)/bin/powerup
+ install -D powernow $(DESTDIR)/bin/powernow
+ install -D powerswitch $(DESTDIR)/bin/powerswitch
diff --git a/ascanius/powerdown/default.nix b/ascanius/powerdown/default.nix
new file mode 100644
index 0000000..9e68d03
--- /dev/null
+++ b/ascanius/powerdown/default.nix
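Review bot: With `services.udev.path` and the service's `path = powerswpath;` removed, the tools the udev `RUN+="${powersw}"` rules and the oneshot service rely on (hdparm, iw, gawk, kmod) are now supplied only by the `wrapProgram --prefix PATH` calls in `./powerdown/default.nix`, and that dependency is invisible from this file; a comment next to `powersw`, e.g. `# PATH for the scripts comes from the wrappers in ./powerdown/default.nix`, would stop a later reader from re-adding a path list or dropping the wrapper. The rules still run the script as root on every `power_supply` online change, which this commit does not alter but is worth stating in the same comment. The systemd service whose `path` line is removed in the second hunk is defined outside the hunk.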
@@ -0,0 +1,19 @@
+{ pkgs ? import {} }:
+let
+ inherit (pkgs) stdenv makeWrapper lib;
+ powerswpackages = with pkgs; [ hdparm iw gawk kmod ];
+ powerswpath = lib.makeBinPath powerswpackages;
+in
+stdenv.mkDerivation rec {
+ name = "powerdown";
+ src = ./.;
+ buildPhase = "true";
+ nativeBuildInputs = [ makeWrapper ];
+ makeFlags = "DESTDIR=$(out)";
+ postInstall = ''
+ wrapProgram $out/bin/powerup --prefix PATH : ${powerswpath}
+ wrapProgram $out/bin/powerdown --prefix PATH : ${powerswpath}
+ wrapProgram $out/bin/powernow --prefix PATH : ${powerswpath}
+ wrapProgram $out/bin/powerswitch --prefix PATH : ${powerswpath}
+ '';
+}
diff --git a/ascanius/powerdown/license.txt b/ascanius/powerdown/license.txt
new file mode 100644
index 0000000..d159169
--- /dev/null
+++ b/ascanius/powerdown/license.txt
@@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. 
diff --git a/ascanius/powerdown/powerdown b/ascanius/powerdown/powerdown
new file mode 100755
index 0000000..c024a5b
--- /dev/null
+++ b/ascanius/powerdown/powerdown
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+# powerdown - powersave script
+# please use this with xset dpms, hdparm
+
+if [[ $EUID != 0 ]]; then
+ echo "[powerdown] must be run as root"
+ exit 1
+fi
+
+source $( dirname "${BASH_SOURCE[0]}" )/../lib/powerdown-functions
+lock
+
+# bus
+for i in /sys/bus/*/devices/*/power/control; do opt "$i" auto; done
+
+# usb autosuspend
+for i in /sys/bus/usb/devices/*/power/autosuspend; do opt "$i" 10; done
+usb_powersave
+
+# nmi_watchdog
+opt /proc/sys/kernel/nmi_watchdog 0
+
+# cpu
+for i in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do opt "$i" powersave; done
+#load_mod msr
+
+# kernel write mode
+opt /proc/sys/vm/laptop_mode 5
+opt /proc/sys/vm/dirty_ratio 90
+opt /proc/sys/vm/dirty_background_ratio 1
+opt /proc/sys/vm/dirty_expire_centisecs 60000
+opt /proc/sys/vm/dirty_writeback_centisecs 60000
+
+# disk
+for i in /sys/class/scsi_host/host*/link_power_management_policy; do opt "$i" min_power; done
+hdparm -y /dev/sda
+#for dev in $(awk '/^\/dev\/sd/ {print $1}' /etc/mtab); do run blockdev --setra 4096 "$dev"; done
+
+# sound card
+opt /sys/module/snd_hda_intel/parameters/power_save 1
+opt /sys/module/snd_hda_intel/parameters/power_save_controller Y
+
+# net
+for i in $(iw dev | awk '$1 == "Interface" { print $2 }'); do run iw dev "$i" set power_save on; done
+
+# screen
+for i in /sys/class/backlight/*; do opt "$i/brightness" "$(num_scale "$i/max_brightness" 1)"; done
+
+# webcam
+#unload_mod_recursive videodev
+
+# bluetooth
+#unload_mod_recursive bluetooth
+
+exit 0
diff --git a/ascanius/powerdown/powerdown-functions b/ascanius/powerdown/powerdown-functions
new file mode 100755
index 0000000..ff7e40a
--- /dev/null
+++ b/ascanius/powerdown/powerdown-functions
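Review bot: `source $( dirname "${BASH_SOURCE[0]}" )/../lib/powerdown-functions` looks for the helper library in a sibling `lib/` directory, but this patch adds it as `ascanius/powerdown/powerdown-functions` right next to the script, and nothing visible here creates `ascanius/lib/`, so the `source` would fail unless the files are installed into a different layout. The command substitution is also unquoted, so a checkout path containing whitespace is word-split. Suggested line: `source "$(dirname "${BASH_SOURCE[0]}")/powerdown-functions"`. The same `source` line appears in the powernow and powerup hunks below.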
@@ -0,0 +1,154 @@ +#!/usr/bin/env bash +# powerdown-functions + +shopt -s nullglob extglob + +# turn on kernel options +opt() { + [[ -f "$1" ]] || return + [[ -w "$1" ]] && echo "$2" | tee "$1" &>/dev/null || echo "[powerdown] cannot write $2 to $1" +} + +# unload kernel module +unload_mod() { + has_mod "$1" || return + modprobe -r "$1" || echo "[powerdown] cannot unload module $1" +} + +unload_mod_recursive() { + local dep + for dep in $(lsmod | awk -v mod="$1" '$1==mod {gsub(",", " ", $4); print $4}'); do + unload_mod_recursive "$dep" + done + unload_mod "$1" +} + +# load kernel module +load_mod() { + has_mod "$1" || return + modprobe "$1" || echo "[powerdown] cannot load module $1" +} + +# module exists +has_mod() { + modprobe -nq "$1" +} + +# module loaded +mod_loaded() { + grep -qs "^$1 " /proc/modules +} + +# brightness scale 0 to 5 +# $1 = max file +# $2 = value +num_scale() { + echo $(($(< "$1") / 5 * $2)) +} + +# command +run() { + "$@" &> /dev/null || echo "[powerdown] cannot run $@" +} + +has_bat() { + local bat + for bat in /sys/class/power_supply/BAT*; do + return 0 + done + return 1 +} + +# get current power usage +display_power() { + if ! 
has_bat; then + echo "[powerdown] no battery" + return + fi + local bat + for bat in /sys/class/power_supply/BAT*; do + local watt + if [[ -f "$bat/power_now" ]]; then + watt="$(bc <<< "scale=3; $(< "$bat/power_now") / 1000000")" + else + watt="$(bc <<< "scale=3; $(< "$bat/current_now") * $(< "$bat/voltage_now") / 1000000000000")" + fi + echo "[powerdown] $(basename "$bat") using $watt watts" + done +} + +# get readahead +display_readahead() { + echo "- $1 readahead: $(blockdev --getra "$1")" +} + +# dump kernel option content +dump () { + [[ -r "$1" ]] || return + echo "- $1: $(< "$1")" +} + +display_module() { + has_mod "$1" || return + echo -n "- $1 " + mod_loaded "$1" && echo "loaded" || echo "not loaded" +} + +display_wireless() { + echo "- $1 $(iw dev "$1" get power_save)" +} + +hibernate_offset() { + filefrag -v /hibernate | awk 'NR==4 {print $4}' | tr -d . +} + +root_part() { + df / | awk 'NR==2 {print $1}' +} + +has_swap_part () { + grep -qs swap /etc/fstab +} + +can_suspend_to_disk () { + [[ -f /hibernate ]] || has_swap_part +} + +swap_part() { + awk '$3=="swap" {print $1; exit}' /etc/fstab +} + +resume_boot_option() { + if [[ -f /hibernate ]]; then + echo "resume=$(root_part) resume_offset=$(hibernate_offset)" + elif has_swap_part; then + echo "resume=$(swap_part)" + fi +} + +# lock the file until the script finishes +lock() { + local LOCK=/tmp/powerdown.lock + if ! mkdir "$LOCK" 2> /dev/null; then + echo "Working... $LOCK" + exit + fi + trap "rm -rf $LOCK" EXIT +} + +# $1 = device path +is_usb_hid() { + local subdev + for subdev in $1/*:*; do + # USB_DEVICE_CLASS 3 = HID + [[ "$(< "$subdev/bInterfaceClass")" == 03 ]] && return 0 + done + return 1 +} + +usb_powersave() { + local usbdev + for usbdev in /sys/bus/usb/devices/+([^:]); do + is_usb_hid "$usbdev" && opt "$usbdev/power/control" on || opt "$usbdev/power/control" auto + done +} diff --git a/ascanius/powerdown/powernow b/ascanius/powerdown/powernow new file mode 100755 index 0000000..3902444 
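Review bot: `lock` creates its mutex as `/tmp/powerdown.lock`, a fixed name in a world-writable directory, while every caller of these functions runs as root; any local account can pre-create that directory, after which the scripts print `Working...` and stop, and because the contention path is a bare `exit` the failure is reported as success to whatever invoked them. A root-only location and a non-zero status close both: `local LOCK=/run/powerdown.lock` and `exit 1`. Separately, `num_scale` divides before multiplying, so `$(($(< "$1") / 5 * $2))` returns 5 for a `max_brightness` of 7 at level 5 and 0 for any maximum below 5; `echo $(($(< "$1") * $2 / 5))` keeps the precision.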
--- /dev/null
+++ b/ascanius/powerdown/powernow
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+# powerdown - get energy usagei
+
+if [[ $EUID != 0 ]]; then
+ echo "[powerdown] must be run as root"
+ exit 1
+fi
+
+source $( dirname "${BASH_SOURCE[0]}" )/../lib/powerdown-functions
+
+lock
+display_power
+echo
+
+# nmi_watchdog
+dump /proc/sys/kernel/nmi_watchdog
+
+# cpu
+for i in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do dump "$i"; done
+
+# aspm
+dump /sys/module/pcie_aspm/parameters/policy
+
+# kernel write mode
+dump /proc/sys/vm/laptop_mode
+dump /proc/sys/vm/dirty_ratio
+dump /proc/sys/vm/dirty_background_ratio
+dump /proc/sys/vm/dirty_expire_centisecs
+dump /proc/sys/vm/dirty_writeback_centisecs
+
+
+# disk
+for dev in $(awk '/^\/dev\/sd/ {print $1}' /etc/mtab); do display_readahead "$dev"; done
+for i in /sys/class/scsi_host/host*/link_power_management_policy; do dump "$i"; done
+
+# sound card
+dump /sys/module/snd_hda_intel/parameters/power_save
+dump /sys/module/snd_hda_intel/parameters/power_save_controller
+dump /sys/module/snd_ac97_codec/parameters/power_save
+
+# net
+for i in $(iw dev | awk '$1 == "Interface" { print $2 }'); do display_wireless "$i"; done
+
+# screen
+for i in /sys/class/backlight/*; do dump "$i/brightness"; done
+
+# webcam
+display_module videodev
+
+# bluetooth
+display_module bluetooth
+
+# i915
+dump /sys/module/i915/parameters/i915_enable_rc6
+dump /sys/module/i915/parameters/lvds_downclock
+dump /sys/module/i915/parameters/i915_enable_fbc
+for i in /sys/kernel/debug/dri/*/i915_max_freq; do dump "$i"; done
diff --git a/ascanius/powerdown/powerswitch b/ascanius/powerdown/powerswitch
new file mode 100755
index 0000000..c4c63db
--- /dev/null
+++ b/ascanius/powerdown/powerswitch
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+if [ `cat /sys/class/power_supply/AC/online` -eq 1 ]
+then
+ $( dirname "${BASH_SOURCE[0]}" )/powerup
+else
+ $( dirname "${BASH_SOURCE[0]}" )/powerdown
+fi
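Review bot: In the powerswitch hunk, `` if [ `cat /sys/class/power_supply/AC/online` -eq 1 ] `` leaves the substitution unquoted, so on a machine without that sysfs node the expression collapses to `[ -eq 1 ]`, which is a `test` usage error rather than a comparison, and the two `$( dirname "${BASH_SOURCE[0]}" )/...` invocations below are unquoted as well. Suggested: `if [[ "$(cat /sys/class/power_supply/AC/online 2>/dev/null)" == 1 ]]`, then `"$(dirname "${BASH_SOURCE[0]}")/powerup"` and the matching `.../powerdown` line.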
diff --git a/ascanius/powerdown/powerup b/ascanius/powerdown/powerup
new file mode 100755
index 0000000..155394d
--- /dev/null
+++ b/ascanius/powerdown/powerup
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+# powerdown - powerup
+#
+
+if [[ $EUID != 0 ]]; then
+ echo "[powerdown] must be run as root"
+ exit 1
+fi
+
+source $( dirname "${BASH_SOURCE[0]}" )/../lib/powerdown-functions
+lock
+
+# bus
+for i in /sys/bus/*/devices/*/power/control; do opt "$i" on; done
+
+# usb autosuspend
+for i in /sys/bus/usb/devices/*/power/autosuspend; do opt "$i" 600; done
+for i in /sys/bus/usb/devices/*/power/control; do opt "$i" on; done
+
+# nmi_watchdog
+opt /proc/sys/kernel/nmi_watchdog 1
+
+# cpu
+for i in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do opt "$i" performance; done
+
+
+# kernel write mode
+opt /proc/sys/vm/laptop_mode 0
+opt /proc/sys/vm/dirty_ratio 20
+opt /proc/sys/vm/dirty_background_ratio 10
+opt /proc/sys/vm/dirty_expire_centisecs 3000
+opt /proc/sys/vm/dirty_writeback_centisecs 500
+
+# disk
+for i in /sys/class/scsi_host/host*/link_power_management_policy; do opt "$i" medium_power; done
+hdparm -y /dev/sda
+
+# sound card
+opt /sys/module/snd_hda_intel/parameters/power_save 0
+opt /sys/module/snd_hda_intel/parameters/power_save_controller Y
+
+# net
+for i in $(iw dev | awk '$1 == "Interface" { print $2 }'); do run iw dev "$i" set power_save off; done
+
+# screen
+for i in /sys/class/backlight/*; do opt "$i/brightness" "$(num_scale "$i/max_brightness" 5 )"; done
+
+# webcam
+load_mod videodev
+
+# bluetooth
+load_mod bluetooth
+
+
+# i915
+#opt /sys/module/i915/parameters/i915_enable_rc6 0
+exit 0
From 4aa3e486409d46cfd68e0902a766bbc779a5d680 Mon Sep 17 00:00:00 2001
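Review bot: `hdparm -y /dev/sda` in the disk section sends the drive straight into standby, which is the powersave step carried over from the powerdown hunk and works against the performance profile this script otherwise applies (`medium_power`, the `performance` governor, autosuspend raised to 600); it looks like a copy-paste leftover and should probably be dropped or replaced with the readahead/wakeup setting actually wanted here. The device is also hard-coded while the loop just above globs `/sys/class/scsi_host/host*`. The `source .../../lib/powerdown-functions` path issue noted on the powerdown hunk applies here too.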
From: Yorick van Pelt Date: Mon, 19 Sep 2016 20:54:40 +0200 Subject: [PATCH 042/172] fix mail on pennyworth --- modules/mailz.nix | 181 +++++++++++--------------- modules/nginx.nix | 1 + pennyworth/configuration.nix | 25 +--- pennyworth/hardware-configuration.nix | 2 + 4 files changed, 89 insertions(+), 120 deletions(-) diff --git a/modules/mailz.nix b/modules/mailz.nix index bfabcba..b37a41f 100644 --- a/modules/mailz.nix +++ b/modules/mailz.nix @@ -14,24 +14,8 @@ with lib; let cfg = config.services.mailz; - - # Convert: - # - # { - # a = { aliases = [ "x", "y" ]; }; - # b = { aliases = [ "x" ]; }; - # } - # - # To: - # - # { - # x = [ "a" "b" ]; - # y = [ "a" ]; - # } - aliases = foldAttrs (user: users: [user] ++ users) [ ] - (flatten (flip mapAttrsToList cfg.users - (user: options: flip map options.aliases - (alias: { ${alias} = user; })))); + + alldomains = lib.concatLists (mapAttrsToList (n: usr: usr.domains) cfg.users); files = { credentials = pkgs.writeText "credentials" @@ -45,20 +29,8 @@ let (flip mapAttrsToList cfg.users (user: options: "${user}:${options.password}:::::"))); - recipients = pkgs.writeText "recipients" - (concatStringsSep "\n" - (flip concatMap cfg.domains (domain: - (map (user: "${user}@${domain}") - (attrNames cfg.users ++ flatten ((flip mapAttrsToList) cfg.users - (user: options: options.aliases))))))); - - aliases = pkgs.writeText "aliases" - (concatStringsSep "\n" - (flip mapAttrsToList aliases - (alias: users: "${alias} ${concatStringsSep "," users}"))); - domains = pkgs.writeText "domains" - (concatStringsSep "\n" cfg.domains); + (concatStringsSep "\n" alldomains); spamassassinSieve = pkgs.writeText "spamassassin.sieve" '' require "fileinto"; @@ -67,15 +39,9 @@ let } ''; - # From - regex = pkgs.writeText "filter-regex.conf" '' - helo ! ^\[ - helo ^\. - helo \.$ - helo ^[^\.]*$ - ''; }; + in { 
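Review bot: The third hunk drops the `filter-regex.conf` HELO sanity rules (rejecting `^\[`, `^\.`, `\.$`, `^[^\.]*$`) and nothing in this commit adds an equivalent on the Postfix/rmilter side, so malformed HELO names that were refused at the gateway are now accepted and left to the content scanner. If rspamd is meant to take that over, a short comment where `files` is defined, e.g. `# HELO/regex checks moved to rspamd; see services.rmilter below`, would record the decision; otherwise `smtpd_helo_restrictions` in the Postfix config would be the place to restore it. The `let` block these hunks edit starts before the first hunk.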
@@ -119,17 +85,15 @@ in description = "Size of the generated DKIM key."; }; - domains = mkOption { - type = types.listOf types.str; - description = "The domains to look for"; - example = ["example.com"]; + mainUser = mkOption { + example = "root"; + type = types.str; }; keydir = mkOption { type = types.str; description = "The place to look for the ssl key"; default = "${config.security.acme.directory}/${cfg.domain}"; - example = ["example.com"]; }; users = mkOption { @@ -147,19 +111,16 @@ in smtpctl encrypt. ''; }; - - aliases = mkOption { + domains = mkOption { type = types.listOf types.str; - default = [ ]; - example = [ "postmaster" ]; - description = "A list of aliases for this user."; + example = ["example.com"]; }; + }; example = { "foo" = { password = "encrypted"; - aliases = [ "postmaster" ]; }; "bar" = { password = "encrypted"; 
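Review bot: The new `mainUser` option and the per-user `domains` option each carry an `example` but no `description`, and `domains` has no `default`, so the generated option documentation is blank for them and a user entry that omits `domains` fails at evaluation (it is read unconditionally by `alldomains`) instead of being a documented requirement. Suggest `description = "User that receives postmaster mail (wired to services.postfix.postmasterAlias).";` on `mainUser` and `description = "Domains whose mail is delivered to this user.";` on `domains`, mirroring the removed `aliases` option which did have one. The `users` option whose submodule is edited in the second hunk begins before that hunk.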
@@ -170,62 +131,69 @@ in }; config = mkIf (cfg.users != { }) { - nixpkgs.config.packageOverrides = pkgs: { - # opensmtpd = overrideDerivation pkgs.opensmtpd (oldAttrs: { - # # Needed to listen on both IPv4 and IPv6 - # patches = oldAttrs.patches ++ [ ./opensmtpd.diff ]; - # }); - opensmtpd-extras = pkgs.opensmtpd-extras.override { - # Needed to have PRNG working in chroot (for dkim-signer) - openssl = pkgs.libressl; - }; - }; - system.activationScripts.mailz = '' # Make sure SpamAssassin database is present - if ! [ -d /etc/spamassassin ]; then - cp -r ${pkgs.spamassassin}/share/spamassassin /etc - fi + #if ! [ -d /etc/spamassassin ]; then + # cp -r ${pkgs.spamassassin}/share/spamassassin /etc + #fi # Make sure a DKIM private key exist - if ! [ -d ${cfg.dkimDirectory}/${head cfg.domains} ]; then - mkdir -p ${cfg.dkimDirectory}/${head cfg.domains} - chmod 700 ${cfg.dkimDirectory}/${head cfg.domains} - ${pkgs.opendkim}/bin/opendkim-genkey --bits ${toString cfg.dkimBits} --domain ${head cfg.domains} --directory ${cfg.dkimDirectory}/${head cfg.domains} + if ! [ -d ${cfg.dkimDirectory} ]; then + mkdir -p ${cfg.dkimDirectory} + chmod 700 ${cfg.dkimDirectory} + chown ${config.services.rmilter.user} ${cfg.dkimDirectory} fi - ''; - - services.spamassassin.enable = true; - # it turns out that the dkim header domain does not have to match the from address - # but it would be a nice-to-have - services.opensmtpd = { + # Generate missing keys + '' + + (lib.concatMapStringsSep "\n" (domain: '' + if ! 
[ -e ${cfg.dkimDirectory}/${domain}.default.key ]; then + ${pkgs.opendkim}/bin/opendkim-genkey --bits ${toString cfg.dkimBits} --domain ${domain} --directory ${cfg.dkimDirectory} --selector default + mv ${cfg.dkimDirectory}/default.private ${cfg.dkimDirectory}/${domain}.default.key + mv ${cfg.dkimDirectory}/default.txt ${cfg.dkimDirectory}/${domain}.default.txt + chown ${config.services.rmilter.user} ${cfg.dkimDirectory}/${domain}.default.* + fi + '') alldomains); + services.rspamd.enable = true; + services.rmilter = { enable = true; - serverConfiguration = '' - filter filter-pause pause - filter filter-regex regex "${files.regex}" - filter filter-spamassassin spamassassin "-saccept" - filter filter-dkim-signer dkim-signer "-d${head cfg.domains}" "-p${cfg.dkimDirectory}/${head cfg.domains}/default.private" - filter in chain filter-pause filter-regex filter-spamassassin - filter out chain filter-dkim-signer - - pki ${cfg.domain} certificate "${cfg.keydir}/fullchain.pem" - pki ${cfg.domain} key "${cfg.keydir}/key.pem" - - table credentials file:${files.credentials} - table recipients file:${files.recipients} - table aliases file:${files.aliases} - table domains file:${files.domains} - - listen on 0.0.0.0 port 25 hostname ${cfg.domain} filter in tls pki ${cfg.domain} - #listen on :: port 25 hostname ${cfg.domain} filter in tls pki ${cfg.domain} - listen on 0.0.0.0 port 587 hostname ${cfg.domain} filter out tls-require pki ${cfg.domain} auth - #listen on :: port 587 hostname ${cfg.domain} filter out tls-require pki ${cfg.domain} auth - enqueuer filter out - - accept from any for domain recipient alias deliver to lmtp localhost:24 - accept from local for any relay + socketActivation = false; + #debug = true; + rspamd.enable = true; + postfix.enable = true; + extraConfig = '' + dkim { + domain { + key = ${cfg.dkimDirectory}; + domain = "*"; + selector = "default"; + }; + header_canon = relaxed; + body_canon = relaxed; + sign_alg = sha256; + }; ''; - procPackages = [ 
pkgs.opensmtpd-extras ]; + }; + + services.postfix = { + enable = true; + destination = alldomains ++ ["$myhostname" "localhost.$mydomain" "$mydomain" "localhost"]; + sslCert = "${cfg.keydir}/fullchain.pem"; + sslKey = "${cfg.keydir}/key.pem"; + postmasterAlias = cfg.mainUser; + enableSubmission = true; + virtual = lib.concatStringsSep "\n" (lib.mapAttrsToList (name: usr: + lib.concatMapStringsSep "\n" (dom: "@${dom} ${name}") usr.domains) cfg.users); + extraConfig = '' + mailbox_transport = lmtp:unix:dovecot-lmtp + ''; + submissionOptions = { + "smtpd_tls_security_level" = "encrypt"; + "smtpd_sasl_auth_enable" = "yes"; + "smtpd_sasl_type" = "dovecot"; + "smtpd_sasl_path" = "/var/lib/postfix/auth"; + "smtpd_client_restrictions" = "permit_sasl_authenticated,reject"; + #"milter_macro_daemon_name" = "ORIGINATING"; + }; }; services.dovecot2 = { @@ -241,12 +209,21 @@ in enablePAM = false; sieveScripts = { before = files.spamassassinSieve; }; extraConfig = '' - postmaster_address = postmaster@${head cfg.domains} + postmaster_address = postmaster@${head alldomains} service lmtp { - inet_listener lmtp { - address = 127.0.0.1 ::1 - port = 24 + unix_listener /var/lib/postfix/queue/dovecot-lmtp { + mode = 0660 + user = postfix + group = postfix + } + } + service auth { + unix_listener /var/lib/postfix/auth { + mode = 0660 + # Assuming the default Postfix user and group + user = postfix + group = postfix } } diff --git a/modules/nginx.nix b/modules/nginx.nix index 443c87b..d9e28c1 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix @@ -156,6 +156,7 @@ in mkdir -p /etc/nginx/ ${pkgs.openssl}/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048 fi + # self-sign certs in case an invalid vhost is looked up dir=${cfg.no_vhost_keydir} mkdir -m 0700 -p $dir if ! [[ -e $dir/key.pem ]]; then diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix index f869db1..85825f2 100644 --- a/pennyworth/configuration.nix +++ b/pennyworth/configuration.nix 
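Review bot: `virtual = ... (dom: "@${dom} ${name}")` maps every address at each of the user's domains to that user, and the explicit `recipients` table that previously bounded which addresses were accepted is removed in the first hunk of this file, so Postfix now accepts mail for any local part at the listed domains. If a catch-all is intended it deserves a comment next to `virtual`, e.g. `# catch-all: any local part at a user's domains is delivered to that user`; if not, the old alias list should be rebuilt as explicit `user@domain` entries so unknown recipients are rejected at RCPT time. The `config = mkIf (cfg.users != { })` block enclosing this hunk continues past it.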
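Review bot: The dovecot2 hunk hard-codes `user = postfix` and `group = postfix` on the auth listener with a comment admitting the assumption, while the DKIM activation script in the same file already takes the rmilter account from `config.services.rmilter.user`; if the NixOS postfix module exposes its account the same way (`config.services.postfix.user` / `.group`), interpolating those removes the assumption: `user = ${config.services.postfix.user}` and `group = ${config.services.postfix.group}`, and the comment can go. The `extraConfig` string being edited continues past the end of the hunk.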
@@ -23,6 +23,8 @@ in networking.hostName = secrets.hostnames.pennyworth; + services.nixosManual.enable = false; + environment.noXlibs = true; services.openssh.enable = true; @@ -37,15 +39,14 @@ in services.mailz = { domain = config.networking.hostName; keydir = acmeKeyDir; - domains = secrets.email_domains; + mainUser = "yorick"; users = { - yorick = { - password = secrets.yorick_mailPassword; - aliases = ["postmaster" "me" "ik" "info" "~"]; + yorick = with secrets; { + password = yorick_mailPassword; + domains = email_domains; }; }; }; - # website + lets encrypt challenge hosting nginxssl = { enable = true; @@ -63,6 +64,7 @@ in # Let's Encrypt configuration. + security.acme.preliminarySelfsigned = true; security.acme.certs."yori.cc" = { email = secrets.email; extraDomains = { @@ -73,19 +75,6 @@ in systemctl restart prosody.service ''; }; - # Generate a dummy self-signed certificate until we get one from - # Let's Encrypt. - system.activationScripts.letsEncryptKeys = - '' - dir=${acmeKeyDir} - mkdir -m 0700 -p $dir - if ! [[ -e $dir/key.pem ]]; then - ${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024 - ${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \ - -subj "/C=NL/CN=www.example.com" - ${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem - ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem - fi ''; # hidden SSH service diff --git a/pennyworth/hardware-configuration.nix b/pennyworth/hardware-configuration.nix index 7bd23d9..fd492f4 100644 --- a/pennyworth/hardware-configuration.nix +++ b/pennyworth/hardware-configuration.nix @@ -21,9 +21,11 @@ in path = "/old-root/boot"; devices = ["nodev"]; }]; + splashImage = null; }; initrd.availableKernelModules = [ "xen_blkfront" ]; }; + sound.enable = false; networking = { usePredictableInterfaceNames = false; # only eth0 interfaces.eth0 = { 
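Review bot: In the `@@ -73,19 +75,6 @@` hunk the `'';` that closed the removed `letsEncryptKeys` script appears to survive as a context line after `- fi` (the counts agree: 19 old lines, 13 removed, 3 context on each side), which would leave a stray `'';` after the `security.acme.certs` block and break evaluation; if the rendering is faithful that line belongs on the `-` side. The replacement, `security.acme.preliminarySelfsigned = true;`, is the right direction, since it retires the hand-rolled 1024-bit RSA self-signed certificate generated at activation time.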
From 7fc153bcfbe5e8c6797fbc897965c93d36ab8d50 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Mon, 19 Sep 2016 21:02:33 +0200 Subject: [PATCH 043/172] remove the vendor stuff --- conf | 2 +- modules/muflax-blog.nix | 8 +++++++- vendor/muflax-blog | 1 - 3 files changed, 8 insertions(+), 3 deletions(-) delete mode 160000 vendor/muflax-blog diff --git a/conf b/conf index a73e58a..4b80885 100755 --- a/conf +++ b/conf @@ -11,7 +11,7 @@ local) eval ${@:2} ;; remote) - export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-16.09/nixexprs.tar.xz:nixos-config=`pwd`/$2/configuration.nix:ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix:muflax-blog=./vendor/muflax-blog + export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-16.09/nixexprs.tar.xz:nixos-config=`pwd`/$2/configuration.nix:ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix eval ${@:3} ;; local-deploy) diff --git a/modules/muflax-blog.nix b/modules/muflax-blog.nix index 289cd4e..14f1553 100644 --- a/modules/muflax-blog.nix +++ b/modules/muflax-blog.nix @@ -3,7 +3,13 @@ let cfg = config.services.muflax-blog; - blog = lib.overrideDerivation (pkgs.callPackage {}) (default: { + muflax-source = pkgs.fetchFromGitHub { + rev = "e5ce7ae4296c6605a7e886c153d569fc38318096"; + owner = "fmap"; + repo = "muflax65ngodyewp.onion"; + sha256 = "10n5km8mr7vjqlyb46drfhwzlrwranqaxpqc53a2hk9pqqckm8cx"; + }; + blog = lib.overrideDerivation (pkgs.callPackage "${muflax-source}/maintenance" {}) (default: { buildPhase = default.buildPhase + "\n" + '' grep -lr '[^@]muflax.com' out | xargs -r sed -i 's/\([^@]\)muflax.com/\1${cfg.hidden-service.hostname}/g' ''; diff --git a/vendor/muflax-blog b/vendor/muflax-blog deleted file mode 160000 index e5ce7ae..0000000 --- a/vendor/muflax-blog +++ /dev/null @@ -1 +0,0 @@ -Subproject commit e5ce7ae4296c6605a7e886c153d569fc38318096 From 4b596dea0f3ae785c99a2856eca38b1bac956e0b Mon Sep 17 00:00:00 2001 
From: Yorick van Pelt Date: Tue, 20 Sep 2016 20:05:45 +0200 Subject: [PATCH 044/172] add mail backups --- modules/backup.nix | 59 ++++++++++++++++++++++++++++++++++++ pennyworth/configuration.nix | 13 ++++++++ 2 files changed, 72 insertions(+) create mode 100644 modules/backup.nix diff --git a/modules/backup.nix b/modules/backup.nix new file mode 100644 index 0000000..8823f3f --- /dev/null +++ b/modules/backup.nix 
@@ -0,0 +1,59 @@
+{ config, pkgs, lib, ... }:
+let
+cfg = config.services.backup;
+inherit (lib) mkEnableOption mkOption types mkIf
+flip mapAttrs' nameValuePair;
+in
+{
+
+ options.services.backup = {
+ enable = mkOption { type = types.bool; default = false; };
+ backups = mkOption {
+ type = types.loaOf types.optionSet;
+ options = {
+ dir = mkOption { type = types.str; };
+ user = mkOption { type = types.str; };
+ remote = mkOption { type = types.str; };
+ keyfile = mkOption { type = types.str; };
+ exclude = mkOption { type = types.str; default = ""; };
+ interval = mkOption { type = types.str; default = "weekly"; };
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ systemd.services = let
+ sectionToService = name: data: with data; {
+ description = "Back up ${name}";
+ serviceConfig = {
+ IOSchedulingClass="idle";
+ User=user;
+ #Type = "oneshot";
+ };
+ script = ''
+ source ${keyfile}
+ ${pkgs.duplicity}/bin/duplicity ${dir} ${remote} \
+ --ssl-cacert-file /etc/ssl/certs/ca-bundle.crt \
+ --encrypt-key ${user} \
+ --exclude-filelist ${pkgs.writeText "dupignore" exclude} \
+ --asynchronous-upload \
+ --volsize 100 \
+ --allow-source-mismatch
+ '';
+ after = ["network.target" "network-online.target"];
+ wants = ["network-online.target"];
+ };
+ in flip mapAttrs' cfg.backups (name: data: nameValuePair
+ ("backup-${name}")
+ (sectionToService name data));
+ systemd.timers = flip mapAttrs' cfg.backups (name: data: nameValuePair
+ ("backup-${name}")
+ ({
+ description = "Periodically backups ${name}";
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = data.interval;
+ Unit = "backup-${name}.service";
+ };
+ }));
+ };
+}
diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix
index 85825f2..e4d8333 100644
--- a/pennyworth/configuration.nix
+++ b/pennyworth/configuration.nix
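Review bot: In `script`, `${keyfile}`, `${dir}` and `${remote}` are spliced into the shell unquoted, so a path or URL with whitespace or shell metacharacters is word-split or interpreted rather than passed through, and the options are plain `types.str` so nothing rules that out. Quoting the three interpolations fixes it: `source "${keyfile}"` and `${pkgs.duplicity}/bin/duplicity "${dir}" "${remote}" \`; `dir` and `keyfile` could also be `types.path`. The `keyfile` option deserves a description saying it is executed with `source` inside the unit, e.g. `description = "Shell file sourced by the backup unit to export credentials; must be owned by and readable only by the backup user.";`, since that makes its ownership and mode the trust boundary for the whole job.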
@@ -19,6 +19,7 @@ in ../modules/nginx.nix ../modules/tor-hidden-service.nix ../modules/muflax-blog.nix + ../modules/backup.nix ]; networking.hostName = secrets.hostnames.pennyworth; @@ -47,6 +48,18 @@ in }; }; }; + services.backup = { + enable = true; + backups = { + mail = { + dir = "/var/spool/mail"; + user = config.services.mailz.user; + remote = "webdavs://mail@yorickvp.stackstorage.com/remote.php/webdav//mail_bak"; + keyfile = "/var/backup/mail_creds"; + interval = "daily"; + }; + }; + }; # website + lets encrypt challenge hosting nginxssl = { enable = true; From ed5a55d734d578dec99af9c74b113bd898b83bd4 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Wed, 21 Sep 2016 13:43:04 +0200 Subject: [PATCH 045/172] Why not just do it as root? Because... ehm... hmm.. good point. --- modules/backup.nix | 6 +++--- pennyworth/configuration.nix | 3 +-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/modules/backup.nix b/modules/backup.nix index 8823f3f..27a221f 100644 --- a/modules/backup.nix +++ b/modules/backup.nix @@ -12,28 +12,28 @@ in type = types.loaOf types.optionSet; options = { dir = mkOption { type = types.str; }; - user = mkOption { type = types.str; }; remote = mkOption { type = types.str; }; keyfile = mkOption { type = types.str; }; + keyid = mkOption { type = types.str; default = "root"; }; exclude = mkOption { type = types.str; default = ""; }; interval = mkOption { type = types.str; default = "weekly"; }; }; }; }; config = mkIf cfg.enable { + # TODO: generate key in pre-start? systemd.services = let sectionToService = name: data: with data; { description = "Back up ${name}"; serviceConfig = { IOSchedulingClass="idle"; - User=user; #Type = "oneshot"; }; script = '' source ${keyfile} ${pkgs.duplicity}/bin/duplicity ${dir} ${remote} \ --ssl-cacert-file /etc/ssl/certs/ca-bundle.crt \ - --encrypt-key ${user} \ + --encrypt-key ${keyid} \ --exclude-filelist ${pkgs.writeText "dupignore" exclude} \ --asynchronous-upload \ --volsize 100 \ 
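Review bot: In the modules/backup.nix hunk, dropping `User=user` makes every backup unit run as root, and the unit still does `source ${keyfile}` (visible as context a few lines below), so whatever is in the configured keyfile is now executed with root privileges; the file's ownership and mode become the entire trust boundary and nothing in the module asserts them. A cheap guard before the `source` line keeps an accidentally group- or world-writable credentials file from becoming root code execution: `[[ "$(stat -c %U:%a ${keyfile})" == root:600 ]] || { echo "refusing to source ${keyfile}: must be root-owned, mode 0600"; exit 1; }`. The added `# TODO: generate key in pre-start?` could also say which key it means (the GPG key named by `keyid`).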
diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix index e4d8333..d6b1192 100644 --- a/pennyworth/configuration.nix +++ b/pennyworth/configuration.nix @@ -53,9 +53,8 @@ in backups = { mail = { dir = "/var/spool/mail"; - user = config.services.mailz.user; remote = "webdavs://mail@yorickvp.stackstorage.com/remote.php/webdav//mail_bak"; - keyfile = "/var/backup/mail_creds"; + keyfile = "/var/backup/creds"; interval = "daily"; }; }; From 29bbb39c636ffe6b261ffc256a7b96a1d67d8c62 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Wed, 21 Sep 2016 13:43:21 +0200 Subject: [PATCH 046/172] save me some typing --- conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf b/conf index 4b80885..4b8cb5e 100755 --- a/conf +++ b/conf @@ -18,7 +18,7 @@ local-deploy) sudo $0 local nixos-rebuild switch ;; remote-deploy) - $0 remote $2 nixos-rebuild --build-host localhost --target-host ${@:3} + $0 remote $2 nixos-rebuild --build-host localhost --target-host root@$2 switch ;; update-encrypt) gpg -a -r yorick --encrypt-files secrets.nix deploy_key keys/*.key From 1d87ec7d64e29c89b57cd74259869f836bf443c0 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Wed, 21 Sep 2016 15:16:35 +0200 Subject: [PATCH 047/172] switch to gpg-agent --- ascanius/configuration.nix | 6 +++++- sshkeys.nix | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ascanius/configuration.nix b/ascanius/configuration.nix index 1cc7682..ffc8d7b 100644 --- a/ascanius/configuration.nix +++ b/ascanius/configuration.nix @@ -36,5 +36,9 @@ in virtualisation.virtualbox.host.enable = true; users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword; - + services.xserver.displayManager.sessionCommands = '' + gpg-connect-agent /bye + unset SSH_AGENT_PID + export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh" + ''; } diff --git a/sshkeys.nix b/sshkeys.nix index 313272c..814e3da 100644 --- a/sshkeys.nix +++ b/sshkeys.nix 
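Review bot: The `sessionCommands` snippet in the ascanius/configuration.nix hunk points `SSH_AUTH_SOCK` at `S.gpg-agent.ssh`, which only works when gpg-agent is started with `enable-ssh-support` in its gpg-agent.conf and when GnuPG places its sockets under `XDG_RUNTIME_DIR/gnupg`, and neither prerequisite is visible in this commit. A comment above the block stating both, e.g. `# needs enable-ssh-support in ~/.gnupg/gpg-agent.conf; socket path assumes GnuPG puts sockets in $XDG_RUNTIME_DIR/gnupg`, would save the next reader a debugging session when SSH silently falls back to no agent.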
@@ -1,5 +1,5 @@ { public = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZv+hBDmjxF8h9Gxwvy0o7sMgOsqwp8pVj9AlpG90Y7agvkOm2IGtFueVfiDe0yWPXT0/EIiVWcPhWwcVkbY/BkypPJSMLnlcQ6ld+aO1g+BtdDaVuxcTSvQ77UCT2p+wftxoq1EiUdlhTsXpPucrBd+5NOde+jlPBE4qChIAf2zhOIByJAGT+M4Ie3eV4p5S9LB9CMI4s32gNUBbSA8UDmkjpBXkf9a1TZzdkOGWUmUFXt53/O8LZlGK9kkA5TsjM2xaxDjCLWf5wEcey4JsEggi1prE4aB68Q7+kdbvDiVSEFyZn0A/A9RXHBRAgW8yPdh+EGC56iDW/wkGxWBY5"; deploy = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGGQytwzcR2DrnYQlnZSbXNpSClCFFvy4gqak8r7u8nYplu5azdq6yNN5TRAEoseiTl2WbdnwgVNluze5FF8a5p2XDyu754YF9nyNbQvzWt5dyjFLemDbj5vAzUnQY+52L9qwo5OK3oG2qZx76T7B5CnEN/JDJxGT3xveRyVUSTnNj/N0iiYVsOcEzGpkdKf/5QOGHuZWJrqwz2CNalKbXAJU9mEOHAH+fSxSmf99YCwwF+GyfYUL3eGIZ9CP1pUQX0CZKq8APW+rLlXJuGOrLTNYWd2jTzea95oiyMQeDhidTeyyPWi2GI32tRHVegg6wMzFo7b/m1f/BI18h9psn"; - yorick = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDi8Dn148E6k4TMBnRtkLRP4FSNSe54fn1vOtGtyE9eLIa5kg1SaGsijRmlCddILxiNO6uZsp6thaWwL+QWbBBEi9kdPpzyPDlrBkKJqOTJJH+94Gxnfxu8SkiQMoI5XOTKvzmhsw4hhHKDmGKlOv/qQjwzjsoyAO3AvBIgXAlstnDVWYgMK9ijf7FxR//YTDYqM8ABNJZvcsDXyN1feJWtJ0KYvd2Mg8kS/sVoAjEEaXsto3V3HaqxMQn5mRicJARNBJUCT/BOGrc50wy9zwBOvPZO72js2s6D62fzRDBcHuOoSv/z45DDcZxhonPg6OZcYe7dMKnFw1e/ndzwze6V"; + yorick = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDo1N5E6qkb3McJOvv0PqI7E8iYLAcjil5RWc+zeTtN/"; } From ef4cddb7dfab017e468cb01230031dabf5ea35b0 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Wed, 21 Sep 2016 18:20:33 +0200 Subject: [PATCH 048/172] add pennyworth backup key --- keys/backup.pennyworth.key.asc | 130 +++++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 keys/backup.pennyworth.key.asc diff --git a/keys/backup.pennyworth.key.asc b/keys/backup.pennyworth.key.asc new file mode 100644 index 0000000..0d0e96f --- /dev/null +++ b/keys/backup.pennyworth.key.asc 
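Review bot: Replacing the `yorick` entry with an ed25519 key only removes the old RSA key from hosts that are redeployed from this repository; any host, forge or service that received that public key out-of-band keeps trusting it until it is revoked there, so that removal needs to be tracked separately. The `public` and `deploy` entries remain RSA keys (`AAAAB3NzaC1yc2E…`), so if the ed25519 migration is intentional they are candidates for the same rotation. A one-line comment above each entry stating where it is installed and what it is for (e.g. `# deploy: presumably used by ./conf remote-deploy as root on every host`) would make future rotations auditable.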
@@ -0,0 +1,130 @@ +-----BEGIN PGP MESSAGE----- + +hQELAwEAjpZflP7cAQf3YoeglsYFi2wussa+PFOYHijLbfCKQk63Loo4pCWBlH+y +nOGGU7hhdxjC4RYmqGTyRyPf6dO94m92QkgyCeuaJ+V6HXXZ9L5XZ1CqdV5Zoyqt +TmfdnKVY1p2vylA0qZVNDRLeRVPppFdZD77+ys/DUCXTEeNI4tOm0w40TdNJ5xcc +/9vL6URvjJTnnHAJO8u3H69rMiXIyOvlVfTsV+ROEI5vnhFwQX2/TUqKs+zluQDT +FImeywprxQ0b+RddciQtV6AuNGjLTozngc4jwS73j2zBO4B6Oymu39O/w1kQQA0/ +ThppmLH15uqNFjsHJngen1PdvzqdmdCT4TMbOSm90uwBoXJTCGFMAHXDbXu5S238 +beR55CyFN/3p8LY6qE9vw7jyPly1RULx2n8zbOTtQVYU87K41Ss7rHTse7RONImA +6ccSlzdyrkTFHnfI6YD2+1nxzhQ/+sOKXHbOR3CDYs+/rSVuvmv7LEwKVtdN+Pa2 +KzHlKN6Imic8g/YXtGvoo+3fuNk0wtfAdoAU27duZB3f2jGPnP5LId5fSM/ZAebE +2BRjklGnx/uD2sLUw46mZSRBDojMAm3qfCKFmpUGryliymuPIBkXvPP9SC7fbXKA +Ga6D0aWI34SFOSKGWzYrmYXFiYy5nNxuofq+aiAZ25k/ortYIe8SSZWiBu4Sgsz3 +EUTbzYI4TaDHY7S2/CpJE2UDbRJrxOitdPVk6WM/u+9wLZ2xf5oevUUkxIfFlUtX +eU+xoTACTxGmdU1licqXQQnBw7q7OcwTF4KKE+vjkLKZ954MLVuSqbvYnQYdXmzW +tjpfc57bzJPNyBLv+5cUI7szT5Yr5PmsDA3IjZ5LfF9TPvnC4vJdFpBp8DTiZxgJ +LAVvzuYjhoMoaLyp1xXeS3Bbcv45rIZ/AevHlhb5bQgSqP9u3baXV1D4Irf9BgFi +RJBUIiBBJf7ltGmzmI9hHP6nW+0wP7eCBH//bQpmb4iCeogL3K3n7YrQ4D7F8wy5 +qiL36fna9auONi0l2CZSt6gbLK+Whzy93BIGJV3IFuAfFYueEuSH0zKfvevcqvDi +zF7tNx5ujWLoDBECJuBNuTosROq4AXY6FpKiE5kqZZPS1RoHeJIDSmhIiaFE3CBR +8LBLaD3Cu0FaC1Gk3TZvSAj85P7EkwOCIFt0+oR3MY0OeWnSi9FPaZHM+dYwzXbu +vgRnQM+NBbRdHpQBt+OAi4ETZZZBGJz2IC541fRwaKvvPerfx8anEO1fvN4sCDyn +3IV09RZsTSJGLmJ3BhlNT3edI668PKcw76jeoE5n8c9DiEeBOaWcbaGvZxJ1rLDW +5g3f3kiORS2SmA6HTtTqCiAERDp7XfkjpEyOsfoPdy+u92KK+WovmKSnzssGLYFg +YycTWuuFVYeDJ3uqbKiQbC32gUspGvPseCnHK40RhC+tEAZVZjvF4UL+M7Nhp+aQ +o69BMxrqcZlpUKMqzN8Y9G9yCmjIlFja1vbXO/IHZij9mshvodMFlg7JO+INxwAJ +IGzFZu9y3AYrjVVTQGLEoFCiixZjBlkfyByg5XugqzaAKHw2rb2dGy44GMSAlz80 +e7700zzsmPxYsSmeUcygik5ZSIrjZHTFwP6Vz0QiShOBTBQeIqup4nhJrVvBmu7K +4AuOOo6XyMwBxMKEVFD4OMOJgK1xQf7RPH/uxx7uKrrfm9xeVTGzUjTKDSOv4xDG +ne1vs1hE+X119ELIXVAymraN2WM6714LztLwSuxEoTwPyIUKpH/NehPLkvGD0VIo +bUdjbrfh7f7VuFbFVKDTMorTxxB5kmrHJ78fQbAEMWgYucpamW1amHYr4bZBaBqe 
+extCMHLUtrvUD1bQZq5DY3edBL0dT4FG1zu2ix/TOl9pzkYZO5TIBGsFx17FFrK+ +7f7PVyMbMSNafZFtA1CHtaE8vyUK3mENZsQKJ2rxnsAKgWtfM8pm4B97Y682CJyP +sQpINlifa4621iYzp5D9lv/15WgqSyDehIyKAIm/c1KmwlavjVyZaOAQ9g6eFbSW +Sx9wIxu9WIHEXjMHi5iMcG+FTVYeCTrNW5EW+CceS3cjmaqW4HJ9uKCXp96Y2tCB +10N6xebWkSoWZThv/vQFakN4Z2ee1M45rL9UuXOsyFD8qKYou4KJvC+92vCr5nNy +HAZy3bGVnrQkWKYQAKxYq545dvgpdFcacXqq7hiuqOn6VBabRCKPUz/4z4Pen9QK +XyxjdkYlU4TZ0j3yVgFpQOkonKqHed3lA2lTAdB80ulf8Q4TD35Yc3nyTtAAOHSt +O0vs54GxwEEj3CDVocnLjB8jC9VuT/MHXZmOCl0gBT1IFVRueXkGFYeTL7vsXrbJ +eZIUlwSwc1E+NISCDZvRUNl8Pd86q97IkqNCChwzk1VjhMUqz2OVYb2suhisjjJe +YKNoc/+bT9VPNST+9eSVqCAlMcS6dhR8p+hHZZCkEZylGO4wt8wNAf2t72Wtozwk +eG0hqbzDEUwWPB5v4PY6HQHK/Sx/0IsviMXyotBGvu5UbWULiFjUDyU18siwVHF2 +PkFSLEV4r0i4k30fC/Gb3ZjDAVOTv+gVpytbDDcyr3qoX6ioSTm07JN6K7XFL4FH +fP+6+VyZ9oDrEAo9p8ezYqReBa1dnjJTHAlJYmZWhifOc2aIxiYUtOhl0rj155bS +DSDcZvtg0XfPmwJfsG+GX77hu7DOzZLMNNibSlMSdGIyjqNY/lj163PUvG1mP4mC +Tdji1L6EP0gore5P3Pf/zFj8pKcLYwwvKe7/3NxhJLUwUPjBbAlYvYXmgnTCuJOv +Qgy3a1JsdhtXj57IeRw+iozamhryI/cH6TfMxZiIQP4s8PdM0ivfZ2aGchasOtTw +fvyt+YNb0ii9nhr9GoZejseHsC0+4a8UutdZyY3NkOnHILy0KHL98f30qSCWwioG +y+kcRY0XUi56pIpMNpPbNqiyQTLtNSfS/8nVdU5ceGS9bNMwJ/nd3l+4vhG2u8So +hEFCWy52jUtx7DaAdpMPyu1u+Jf5PDdtu9OjDwEZwfjLCMwGH/4XIvcBu7O4AzFR +2ITdx78die2hhTdWcqh8rowYWp3onL4gTNpRKVWyV4hlOKEr9OB0AQmNMPGH8FLF +Rr+KJ09z7Vr2TlKk5Y4KFZcoenQetAfp4FiXnDHuxtLr6/+EiJKGuWdIvhSMb2ev +j9VoPd+nMXKdioc0p7k+nmpBqAo/EPBpf5GBbm69krg2HFmwXAzpCAOjNnwfD61Z +SAYBJgoF7CSboK2Ii283li2O/UdwJ61DsHtKx/bpA9BsXwfUL4fJokr03qvl5MMB +hJOmL94WKXOjXOCm7zJcEE/na69mzpYc53m6OlY/SyezTqHsO6Zn9mmJtFL7dhwf +ebjJgdpzJnl0FQK12x6wl1zhvjSRrOEm48KAUYPupYCoiH+4D0t9K0OJNYNLC4CX +7WhuQFF2TEWiCr32dY0xZfypZfuOmuKCSVxODtcQ79VbUphqTk+0pU1arSdGYY0m +DoVOa52U4ICAcKyDNPBJfH5ZLEemg1qHiU1cMrN9oV7WPykgPCDDHQqIwb5DAuMb +gWGvogHlpKnhT4JJu3gkWcWQZq2EROvFQ5rNbRl2y0+uNjDWDtnuRLzH/f1UbxeR +VS3JENVMzHYKcN8jzFlGRwoZW/2D6E5z+E3fc03oqq0ohVcG3MAu1Ubb9iFnECL/ +aMTazGhiny0XbfpKL9Rt1OzAJDAYSLX334ZopajT8j9dLSIwx6QtdEVQkeVzV1Or 
+qfsKG9W9IWfyT2DvuyYzjuEfHb4Nlp/D3jt1U2fP9NlYBFb9Q0WztRVjeWKyAapf +pq2oiCtuHgD6nQyBtM6ZInRMvnGyvBQRVuk1M1kmInJo8/K+clMKNKmPJS6Olx+F +ueLwWaY/sL0yfV4JaJyA1EdVAu8xM4rgKRzkYuG1IyxiC03CRrpzJhHUwrYD9Onp +ruhDUFbvZdI03n7GMD4FOThr+FyWkE4zm84aq3AM8XZaIdob6Kwe2KVx6ONi4PNr +cYCyTqKEbAwnOSEpzlwXCO74/EiiB57LqAacPB7OUlPnP2WYqHpGTK8lVK+GYRuV +tILtwah5/OzSgUBVLJ1Vp7XC7RK8ObNyPHj/AWWyvD5qEUW1cKKv07EFxEtEZLSs +Y3XgOsaGBMVuCYNlUb7yCHxBuWO141dX45rdurMCH5aLlhHr2BVWrZlK2avJ64P/ +ihMHthTxF6CQcSgW5cYRQlDUCYCooVbUNQTwxsuRDpge36fYzEoD9yvGsDtSMejl +m/seYNRo1py4uwmedYAkeVa8NnI3o2TCUfEuOMwazWa14ZLLyWDgL/meAer5UhUK +CwMZhS87N8hlOIlKcgxQqpE21cdDlxF6VANFRVoDmTdMCsNrvEkIAfh7fli2HNxg +I/pbVX9vkJxWTrNQUtJNdX9A9FU2jhNTsSIxepM+qxcVC489kXIxvKSshYZ5MVgr +6z+2XH9kskYKfz+i59Uv3A+0QlSPE1+5VsKzKdkEndtDt67elGpTk1/MJVzvyARh +6GJkwYkVbGnwvZ31xC/76ii2AiqMy74K3laJolzuyDFElHqrqq6qokM2rQe+jMjU +KEfwnTmnLdR4DDKwvCYuDLGGeJHL4fO6G/rm2ExWOm8I5HyJFnKUlMQ0sE+NwkTU +sX3sRRjthKwNsQp51Mu8aVQxhYT9ULe5Nx3VvrH7d0MBD2/cXjvEwuwSmn3ZMKYT +/FujVVV2DGScWA1oMrKVj3izbvJfCGzV1J0gSNszeT6hvH71Au2HPdNak1tWlhTB +OK5XYwbig1nx11AAdAOxAVEHAYyR7SbRumcjgBIqylVj7NmsMljgZ5dttLgJRaFt +F2LfZ8lw5ft3NT0fdraLvFxklSI2ONvFn28yPA9kD6Wb+lhrREeH3tkVBus/VhNX +a/pwl9I4b0uI9fwbrjFxg6EtqQExAZyc1n0E+286br9sQnnRb+QQlxrjx0/WNn9X +q6X4pr03Algyi1k6HmIzTq5S0+jF7CDwGwAlhtzjQnxcNqkXo+FiX/3v2dExOwuD +o5esaXxhG/EHvrprn6cyTukzc9qfaJPtZi95dT77MvGakND8CyWKbj1bxJoxEzuh +on+S7yIZ2n2cBqIG4kw+sFf0mt6nqQda+EbRkIMNi/Qxbc92yJsHzKMfDzjAskER +CEygJDRvYF8zCbBVV+0+43Q9ETA7OfsmjbH2daPQkB0hw/dRlbsMVpfWZHd/Kv/n +Cwm6sRIIlZqUMmKdXRmVJCFGeJ0+zrK3U1MjTzX6afPBDhB3UWwW0kvXAJP2WX2z +2jSpTnCXoObx8mv0HYwJDqu0hSVipmakz2S2CafUsGTkaMw3yJIIM2hpmQ7S0sFW +/VXCLjeaK5/4VbCFPASBZwb4CN/yrlENh6h1T/2Fq34hNsvbp+IH0XSUhjZkJxUN +n9Kn7fyumVkk/cDZOJ7JSkyZPWlfGORxlYxNKqnv5vK9U/tsr+j18GZYLEt37DeQ +q8zIzFjR9GRWqYRWg+8hpcbRCaYLX7uRlxAkPi7abXlSz4BvKDRZvtEzzLZug+AB +YupusFV4N6hyp0utw+84dhSReOCXJfwe0PTQYw7fI+Wk9xvR5E2euRg1vld6wy0q +0wVR3oqAwolsLK9TV9V29gY3dZqnDJpu/wk2seAaXxedZCOlEhfPLvpHf7fA1CeV 
+EnINMYtgd3ib0ht4IpE2tvgHzzZBfGkidAf18hm7b94NtkCQLz7NcLP77fH3ynVO +PMoQ3CTqU01byWez/3C5HWg/k9sbGsb/23e5kffizjmFIp7x76885tmfYCB4U6hn +6v/50eV1VDBd7RcoWHeMxbxoSCopjTMBuD7nRclpfbW9I2f2rH5HlSiEkCsSn7IC +i5xYUl0/ZzYxLNcOOK+KK7Y4wOiW0GGFeN2O6mK9O4ab7H4tVgZY6LmfGj1dR6Am +qTb3BiQUJqtWTvEj3nNv98LgWm5pgsf5Le5jPAigJ0qIcrjTXcdXkt3izSqBEOQ/ +43z69RzDQD1mN/qNOJbWxQTjHgsROl1xRRdJyxx8QLi0BsQt2r05f5Zk3xGPKBrq +2EMsAapsX0c6u7bDKetm0hh9uNm9wYjBkmoZ/pUkBVbqPU8DQDSsR8U8TLNo2GEi +udj/1CpMqjluJWg2qP8ufVY4NU1nIdm+3iub1NALthzBNRHBgp5UjFgDnbd0D46q +ySBFCnX4jNxAyRXdeT7Coj+vynA4yy1PZFleL7cztei/mYEAm29KCKsQDOTZ+mkh +2xLgB+V/EhcsTBGGRoGu9CaN7g8B59E7aqbAlm5gTk6mpCFKVjFVGAOpdGSGzQEw +I5KXDV3JN3A6yq9naurkGXpFERQwOXN9NB8Tzb54+vD92FB6lCAooODtDn56JVIi +bnizfKZtfISBaTD7tl3FNU3qRa3/Vxa5xfP1H5vA1bEcpfR1LoULCKFeUoEThdil +Jgdc1dGhNk0giYCv44Fyirq3CDUL04ALfbOgiX0BkyVAynPOEFHTVZtFEzbt7xXi +pmrg6C0VIEBAC38cj6gq/yiPNVy3GbszVlQRxxkWtgQ8FtyWR6vKYjOPsUnXC588 +Flfr+I8UlL9MSTHtjGUMs3cuvj7/8CH05nXTiePbW8E/9kjVYVhhc3srs1oS1loS +fpJ0/Q23iqwHDFus6UjeBeMmKPxVB25It/w1HtcV9pkvR7ocgdABi6pCWHydDUb5 +8pREd52mgxH/246WgBVC31qcI75yU8UJtKOyK7olK45ByKzVJ6V8vgVcFE4LTCYA +NB1mEylevKY0IYh/8teGDB1F3ICzaIB9VvahmgH+yjxYlXSRaB3niWd2ljJ4uQGL +IalzO34xIog4yzkOcPz8jxUISuw0dWIqE7HfHYcEpK6hJ2P/YGAMEShApnlviDrc +kVOSzSqAPue5Q+PiJRQxTHimnsbeLtQO7uuqGBzAlzVCAaZ7KlQEZxCLvyr68wXl +NK8yQyiihB1t7jyxwXEgoX60P0wTyivJ5B3KaJlbtixR8mCXXAUDjJmjaxLAbKRT +Nzjrw7ueyq8E19khRZSd/3RK647yEjgdeGmz++AoUiSEuxE0P3J8d7y4YUI6E5Gt +aaahAKBFACPJP0VSuHlO0hnbXLeg3ECXLVrj3xbEdWTVwcQRT9VsQ410dMurh+TQ +6K4OgXczPXUlb8k1oRZq19PpSvSpW1NwYAaCLx8hWpqRNB36JB+h48tZ7d4n6dnq +J3NoXbRi5NPRymjsNfUx6DgKYUAGuwMYiUKWyKQpjoJOj63C8oK5jgYdDp39eJXm +NecBQreXXaBRpddOQu02sO5DtGVtUY7t0oclX8QA/l46abqGsbb5uJiLsnFalv/L +CEAEfe1T+dK3rnc8pfWeX2f/qjZuSRX3cwUA0kksdO4t6zMc9kyVaYG8idZRWlWq +SL0vNiF4JnofSKGNiZoLpRzk5cfdXC3vczQR5jI1nseNl5n3UFq4GhLi/PLi0W3d +gciZUR1I0Hwdhj2Dy6TOqYafkK+xol8E/D4nUXdQVv/L9NlNTZ4iDVJfEczC1jby +Ad/V7GNyul+pPO4KZmcZdAOh+e1dSsbIJB7h/ICf8x94V5c6Ved8h7oHy7yjdNw3 
+ra/Fm2DhQ5kFULv9zQWEhg8gj9oU3zPrcf5dKs8epowLZUgx6MByGVCfi38cA0mT +2msJX9LcPOUBqVqUF4/zodrT2oWcdrS3znssFWxfBb6IwbhiGFoWXYjkF64KTiGv +dGELH0XJByewsxbahVbcPT6uAXXGENrW5cvfU2PGfJH9nz13sN91vltfUlQrCtL2 +YepeuCQXU4z/meFNZUMngd0RXhRmNmKB54GiXayxpS8q2vBY8eJWVotcbV1h9+gG +RsSMlxJKWACOk6tYSqMwcFC+RGPc9MzoZ1kwyyOKoyrlWMqo65ggJTinlsvGWI8z +QXmGkDKuOYHlZgRFtpvffeZNWmyM9iwfCS5IGb4559i3UMxB+ugaXxOCwD8GdaRi +xeO3XrY9JIhoMu6xuyf3YJQxfizU70J1kGNuAFUIMAeEB7FZ5OksMsZnh9loKwY= +=UKg/ +-----END PGP MESSAGE----- From a130550dc3f4539235267dd98a7d12262d878dc9 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 22 Sep 2016 13:38:48 +0200 Subject: [PATCH 049/172] add vfs495 driver. fingerprint performance unsatisfactory for my fingers --- modules/vfs495.nix | 39 +++++++++++++++++++++++++++++++++++++++ packages/vfs495.nix | 39 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 modules/vfs495.nix create mode 100644 packages/vfs495.nix diff --git a/modules/vfs495.nix b/modules/vfs495.nix new file mode 100644 index 0000000..6d884cc --- /dev/null +++ b/modules/vfs495.nix 
@@ -0,0 +1,39 @@ +{ pkgs, config, lib, ... }: + +let +vfs495 = pkgs.callPackage ../packages/vfs495.nix { }; +cfg = config.services.vfs495; +in +{ + options.services.vfs495 = with lib; { + enable = mkOption { type = types.bool; default = false; }; + }; + config = lib.mkIf cfg.enable { + nixpkgs.config = { + packageOverrides = pkgs : { + libfprint = pkgs.libfprint.overrideDerivation (attrs: { + patches = [(pkgs.fetchurl { + url = "http://ix.io/1eh0"; + sha256 = "1h55gc07piidixxm5h37p0514h67q0z1q9ygapyl89in3csd5n94"; + })]; + buildInputs = [pkgs.autoreconfHook] ++ attrs.buildInputs; + }); + }; + }; + services.fprintd.enable = true; + systemd.services.fprintd = { + path = [pkgs.procps]; + environment.LD_LIBRARY_PATH = "${vfs495}/usr/lib"; + }; + systemd.services.vfs495 = { + serviceConfig = { + Type = "forking"; + ExecStartPre = "rm -f /tmp/vcsSemKey_*"; + ExecStart = "${vfs495}/usr/bin/vcsFPService"; + }; + wantedBy = [ "multi-user.target" ]; + before = ["fprintd.service"]; + }; + # TODO: send SIGUSR1 on suspend and SIGUSR2 on resume + }; +} diff --git a/packages/vfs495.nix b/packages/vfs495.nix new file mode 100644 index 0000000..bd59836 --- /dev/null +++ b/packages/vfs495.nix 
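Review bot: `ExecStartPre = "rm -f /tmp/vcsSemKey_*"` is executed by systemd without a shell, so the `*` is passed literally and no stale semaphore file is ever removed; run it through a shell, e.g. `ExecStartPre = "${pkgs.bash}/bin/bash -c 'rm -f /tmp/vcsSemKey_*'"`. The daemon runs as root with a shared `/tmp`, so its IPC files are reachable by every local user; `PrivateTmp = true` would isolate them, but only if fprintd (which loads the wrapper library via `LD_LIBRARY_PATH`) can still reach them — worth testing before adopting. The libfprint patch is fetched from `http://ix.io/1eh0`, a pastebin over plain HTTP; the sha256 pins its content, but its origin is unreviewable and the paste can vanish, so vendor it (`patches = [ ./libfprint-vfs495.patch ];`) with a comment naming where it came from.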
@@ -0,0 +1,39 @@ +{ pkgs ? import {} }: with pkgs; +let +# this is ugly but it works +openssl_0_9_8 = runCommand "openssl_0_9_8" {} '' + mkdir -p $out/lib/ + ln -s ${openssl_1_0_1.out}/lib/libcrypto.so $out/lib/libcrypto.so.0.9.8 + ln -s ${openssl_1_0_1.out}/lib/libssl.so $out/lib/libssl.so.0.9.8 +''; +in +stdenv.mkDerivation rec { + version = "4.5-118.00"; + name = "vfs495-${version}"; + + src = fetchurl { + url = "https://dl.dropboxusercontent.com/u/71679/Validity-Sensor-Setup-${version}.x86_64.rpm"; + sha256 = "1hd03bv14zr639l0wnwcc0bggjsfpnq57fjz3vqym19xqn9ks001"; + }; + nativeBuildInputs = [ patchelf ]; + buildInputs = [libusb libusb1 openssl_0_9_8]; + unpackCmd = '' + (mkdir -p "${name}" && cd "${name}" && + ${rpmextract}/bin/rpmextract "$curSrc")''; + installPhase = '' + mkdir -p $out + cp -R etc/ usr/ $out/ + patchelf \ + --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ + --set-rpath "${lib.makeLibraryPath buildInputs}" \ + $out/usr/bin/vcsFPService + patchelf --set-rpath "${lib.makeLibraryPath buildInputs}" \ + $out/usr/lib/libvfsFprintWrapper.so + ''; + meta = with stdenv.lib; { + description = "Userspace driver for VFS495 fingerprint readers"; + license = licenses.unfreeRedistributable; + #maintainers = with maintainers; [ yorickvp ]; + platforms = platforms.linux; + }; +} From 330f52bf3e4931cfa993606c21656d6f9d6e5c7c Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 22 Sep 2016 19:02:27 +0200 Subject: [PATCH 050/172] enable trustedgrub --- ascanius/hardware-configuration.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ascanius/hardware-configuration.nix b/ascanius/hardware-configuration.nix index aebe3d0..ae6500d 100644 --- a/ascanius/hardware-configuration.nix +++ b/ascanius/hardware-configuration.nix 
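Review bot: The `openssl_0_9_8` shim symlinks OpenSSL 1.0.1's `libcrypto.so`/`libssl.so` under the 0.9.8 sonames, so a binary linked against the 0.9.8 ABI loads a library with a different struct layout and symbol set; that can appear to work until it corrupts memory, and the 1.0.1 branch itself reaches end of life at the end of 2016 and then stops receiving security fixes. At minimum document the hazard where the shim is defined: `# ABI mismatch: vcsFPService was linked against 0.9.8; we hand it 1.0.1 under a fake soname`, and prefer a vendor build against a supported OpenSSL if one exists. The source is an unreviewable proprietary RPM fetched from a personal Dropbox folder; the sha256 pins it, but a comment naming the upstream release it mirrors would let it be re-verified if that URL disappears.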
@@ -13,6 +13,10 @@ loader.grub = { enable = true; device = "/dev/sda"; + trustedBoot = { + enable = true; + systemHasTPM = "YES_TPM_is_activated"; + }; }; kernelPackages = pkgs.linuxPackages_latest; kernelModules = ["nvidiabl" "kvm-intel"]; @@ -63,4 +67,5 @@ nix.maxJobs = 8; services.tcsd.enable = true; # it has a TPM. maybe use this? + environment.systemPackages = with pkgs; [tpm-tools]; } From 6852bbb9f37dc7d80e91925c999dab0e8fe6a494 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 22 Sep 2016 19:36:20 +0200 Subject: [PATCH 051/172] redirect to yorickvanpelt.nl --- packages/yori-cc.nix | 10 +++++----- pennyworth/configuration.nix | 12 +++++++++++- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/packages/yori-cc.nix b/packages/yori-cc.nix index 654e0e2..aa502ee 100644 --- a/packages/yori-cc.nix +++ b/packages/yori-cc.nix @@ -3,12 +3,12 @@ with import {}; let gogitget = callPackage ./gogitget.nix {}; in stdenv.mkDerivation { - name = "yori-cc-1.1"; + name = "yori-cc-1.2"; src = gogitget { - url = "git@git.yori.cc:yorick/yori-cc.git"; - rev = "b5ca927b1c725b4a674a73f546d010be739472ff"; - sha256 = "3e4c25358d96b6fc3819b7b74e33c84de508c930910399784af2bd3a82c1f3bd"; + "url" = "git@git.yori.cc:yorick/yori-cc.git"; + "rev" = "6e73c0152a9e5b0109e714fb57ca0d401cbf27a1"; + "sha256" ="1zmwl5rlbd80ml0qng1n0xh0mkps1nsmngnvcqjbb3247692lvpj"; }; buildInputs = [ ]; @@ -20,7 +20,7 @@ stdenv.mkDerivation { meta = { description = "Yori-cc website"; - homepage = http://yori.cc; + homepage = https://yorickvanpelt.nl; maintainers = [ "Yorick" ]; }; } diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix index d6b1192..052df29 100644 --- a/pennyworth/configuration.nix +++ b/pennyworth/configuration.nix 
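Review bot: TrustedGRUB only extends TPM PCRs with hashes of what it loads; it does not refuse to boot a modified kernel or initrd, and nothing in this configuration consumes the measurements (no secret sealed to the PCRs, no attestation, no post-boot PCR comparison), so the change adds measurement without enforcement. Either seal a secret to the resulting PCRs and check it at boot, or state the current intent next to `trustedBoot`: `# measured boot only: PCRs are extended, nothing is sealed to them yet`. `services.tcsd.enable` and `tpm-tools` in the second hunk are the right building blocks for that, and the `maybe use this?` comment suggests the enforcement half is still a TODO.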
@@ -64,6 +64,15 @@ in enable = true; challenges."${config.networking.hostName}" = acmeWebRoot; servers."yori.cc" = { + key_root = acmeKeyDir; + key_webroot = acmeWebRoot; + contents = '' + location / { + rewrite ^(.*) https://yorickvanpelt.nl$1 permanent; + } + ''; + }; + servers."yorickvanpelt.nl" = { key_root = acmeKeyDir; key_webroot = acmeWebRoot; contents = '' @@ -81,9 +90,10 @@ in { email = secrets.email; extraDomains = { "${config.networking.hostName}" = null; + "yorickvanpelt.nl" = null; }; webroot = acmeWebRoot; - postRun = ''systemctl reload nginx.service dovecot2.service opensmtpd.service + postRun = ''systemctl reload nginx.service dovecot2.service postfix.service systemctl restart prosody.service ''; }; From f8877a55bf0f4e8d436e502399db3827968fca55 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 22 Sep 2016 20:58:24 +0200 Subject: [PATCH 052/172] update yori-cc --- packages/yori-cc.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/yori-cc.nix b/packages/yori-cc.nix index aa502ee..eaa3e5e 100644 --- a/packages/yori-cc.nix +++ b/packages/yori-cc.nix @@ -3,12 +3,12 @@ with import {}; let gogitget = callPackage ./gogitget.nix {}; in stdenv.mkDerivation { - name = "yori-cc-1.2"; + name = "yori-cc-1.3"; src = gogitget { "url" = "git@git.yori.cc:yorick/yori-cc.git"; - "rev" = "6e73c0152a9e5b0109e714fb57ca0d401cbf27a1"; - "sha256" ="1zmwl5rlbd80ml0qng1n0xh0mkps1nsmngnvcqjbb3247692lvpj"; + "rev" = "db207b9fd74a1036d2272c38dcbb6de504cf590a"; + "sha256" = "1rqsv7pdij15f6nxxwggw58q12ggl6g7gjjq73sbdz1v9x78xbzp"; }; buildInputs = [ ]; From 20672cfdd45db9fc89908267577b4b9aa32df9f1 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 8 Dec 2016 15:30:42 +0100 Subject: [PATCH 053/172] enable ssh on ascanius --- ascanius/configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ascanius/configuration.nix b/ascanius/configuration.nix index ffc8d7b..68d3545 100644 --- a/ascanius/configuration.nix 
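Review bot: The yori.cc catch-all `rewrite ^(.*) https://yorickvanpelt.nl$1 permanent;` works, but the idiomatic form avoids the regex and the capture: `return 301 https://yorickvanpelt.nl$request_uri;` (nginx carries the query string in both forms). Whether this redirect server also sends an HSTS header depends on what the `nginxssl` module wraps around `contents`, which is outside this diff — worth confirming so clients arriving on the old name over plain HTTP are upgraded rather than bounced between hosts. The `listen`/`server_name` directives for the block are generated by the module and not visible here.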
+++ b/ascanius/configuration.nix @@ -27,6 +27,8 @@ in }; }; + services.openssh.enable = true; + # List packages installed in system profile. To search by name, run: # $ nix-env -qaP | grep wget environment.systemPackages = with pkgs; [ From 8b1ad3db8cecac5bbcee337640f1662eb30569b1 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 8 Dec 2016 15:31:45 +0100 Subject: [PATCH 054/172] add jarvis, fix i3-gaps, add spotify ports --- jarvis/configuration.nix | 51 +++++++++++++++++ jarvis/hardware-configuration.nix | 94 +++++++++++++++++++++++++++++++ roles/common.nix | 3 + roles/graphical.nix | 9 ++- 4 files changed, 156 insertions(+), 1 deletion(-) create mode 100644 jarvis/configuration.nix create mode 100644 jarvis/hardware-configuration.nix diff --git a/jarvis/configuration.nix b/jarvis/configuration.nix new file mode 100644 index 0000000..014512a --- /dev/null +++ b/jarvis/configuration.nix 
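Review bot: `services.openssh.enable = true;` brings up sshd with NixOS defaults, which leave password authentication on, and this same file sets `users.extraUsers.yorick.hashedPassword`, so that password becomes an online-guessable credential on every network the laptop joins; with keys already distributed via sshkeys.nix, pin `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "prohibit-password";` (root shares yorick's `authorizedKeys` through roles/common.nix). Enabling sshd also opens port 22 in the NixOS firewall by default, so if this is meant for trusted networks only, add a comment saying so or scope the rule explicitly.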
@@ -0,0 +1,51 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +let secrets = import ; +in +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ../roles/common.nix + ../roles/graphical.nix + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.hostName = "jarvis"; # Define your hostname. + # Select internationalisation properties. + i18n.consoleFont = "latarcyrheb-sun32"; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + # services.openssh.enable = true; # temp + # Enable CUPS to print documents. + services.printing.enable = true; + + + # The NixOS release to be compatible with for stateful data such as databases. + system.stateVersion = "17.03"; + + # List packages installed in system profile. To search by name, run: + # $ nix-env -qaP | grep wget + environment.systemPackages = with pkgs; [ + btrfs-progs + ]; + + #virtualisation.virtualbox.host.enable = true; + + users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword; + services.xserver.displayManager.sessionCommands = '' + gpg-connect-agent /bye + unset SSH_AGENT_PID + export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh" + ${pkgs.xorg.xrandr}/bin/xrandr --dpi 192 + ''; +} diff --git a/jarvis/hardware-configuration.nix b/jarvis/hardware-configuration.nix new file mode 100644 index 0000000..67ac86d --- /dev/null +++ b/jarvis/hardware-configuration.nix 
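Review bot: The gpg-agent `sessionCommands` block is a verbatim copy of the one in ascanius/configuration.nix, including the hard-coded socket path `$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh`; hoist it into roles/graphical.nix (which both hosts import) and derive the path from gpg, `export SSH_AUTH_SOCK="$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)"`, so the two hosts cannot drift apart and a GnuPG socket-layout change does not silently break SSH. As rendered here `let secrets = import ;` has lost its path argument (presumably `<secrets>`, stripped by the page extraction) — confirm the committed file is intact. The `# temp` on the commented-out `services.openssh.enable` would be clearer as a sentence saying whether SSH is meant to return and under what settings.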
@@ -0,0 +1,94 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: +let +kpkgs = pkgs.linuxPackages_testing; +#kpkgs = pkgs.linuxPackages_custom (pkgs.linuxPackages_latest.kernel.overrideDerivation (oldAttr: { +# enableParallelBuild = true; +#})); +in +{ + imports = + [ + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + boot.blacklistedKernelModules = ["psmouse"]; + + hardware.cpu.intel.updateMicrocode = true; + + + services.xserver.synaptics.enable = true; + services.thermald.enable = true; + + networking.wireless.enable = true; + hardware.bluetooth.enable = true; + boot.kernelPackages = kpkgs; + boot.kernelParams = ["i915.enable_fbc=1"]; # "i915.enable_psr=1"]; # lvds downclock is no longer a thing + boot.kernelPatches = let + kver = "4.8.8"; #kpkgs.kernel.version; + linux-nvme = pkgs.fetchFromGitHub { + owner = "damige"; + repo = "linux-nvme"; + rev = "e58f5a1e9357fb0647fc173a17ceebe6280ba43c"; + sha256 = "0n42s6a6wzckm5k6mfpx0mp66ql52wv3irs9s0c000nx039hg57m"; + }; + in [ + # half of thesea are in 4.9 already + # { patch = "${linux-nvme}/src/${kver}/nvmepatch1-V4.patch"; name = "nvme-1";} + # { patch = "${linux-nvme}/src/${kver}/nvmepatch2-V4.patch"; name = "nvme-2";} + { patch = "${linux-nvme}/src/${kver}/nvmepatch3-V4.patch"; name = "nvme-3";} + ]; + # nixpkgs.config.packageOverrides = pkgs: + # { linux_testing = pkgs.linux_testing.overrideDerivation (attrs: { + # enableParallelBuilding = true; + # }); + # }; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/a751e4ea-f1aa-48e1-9cbe-423878e29b62"; + fsType = "btrfs"; + options = ["defaults" "relatime" "discard"]; + }; + + boot.initrd.luks.devices."nix-crypt" = { + device = 
"/dev/disk/by-uuid/320ef81d-283f-4916-ac26-ecfb0f31e549"; + allowDiscards = true; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/0E07-7805"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/d9c4c15b-0e9c-47f6-8675-93b1b8de5f9d"; } + ]; + + nix.maxJobs = lib.mkDefault 4; + + # ideal... doesn't work. + #services.udev.extraRules = '' + # KERNEL=="intel_backlight", SUBSYSTEM=="backlight", MODE="666" + #''; + # for now + systemd.services."display-manager".preStart = '' + chmod a+w $(realpath /sys/class/backlight/intel_backlight/brightness) || true + ''; + # this makes sure my wifi doesn't take a minute to work + services.udev.extraRules = '' + SUBSYSTEM=="firmware", ACTION=="add", ATTR{loading}="-1" + ''; + + services.xserver.videoDrivers = ["modesetting"]; + hardware.opengl.extraPackages = [ pkgs.vaapiIntel ]; + nixpkgs.config = { + packageOverrides = pkgs : { + mpv = pkgs.mpv.override { vaapiSupport = true; }; + }; + }; + +} diff --git a/roles/common.nix b/roles/common.nix index 6aa91e4..ba5edf6 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -6,6 +6,7 @@ users.extraUsers.root = { openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys; }; + services.timesyncd.enable = true; users.extraUsers.yorick = { isNormalUser = true; uid = 1000; @@ -26,6 +27,8 @@ nix.extraOptions = '' allow-unsafe-native-code-during-evaluation = true allow-unfree = true + binary-caches-parallel-connections = 3 + connect-timeout = 5 ''; # Networking diff --git a/roles/graphical.nix b/roles/graphical.nix index 5e5636b..3902ec5 100644 --- a/roles/graphical.nix +++ b/roles/graphical.nix 
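Review bot: `allowDiscards = true` on the `nix-crypt` LUKS device passes TRIM through the encryption layer, which reveals which blocks of the volume are unused (filesystem size, free space and, over time, usage patterns); that is a documented trade-off, so record it: `allowDiscards = true; # leaks free-space layout of the encrypted volume; accepted for SSD wear`. The display-manager `preStart` runs `chmod a+w` on the backlight `brightness` attribute, making it writable by every local account rather than just the session user; the udev `MODE=` attempt in the comment fails because `MODE` applies to device nodes, not sysfs attributes, whereas a `RUN+=` rule works: `SUBSYSTEM=="backlight", ACTION=="add", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"` with yorick in the `video` group. The out-of-tree nvme patch is pinned by commit and sha256, which is fine, and `hardware.cpu.intel.updateMicrocode = true` is the right call.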
@@ -11,7 +11,11 @@ layout = "us"; displayManager.slim.defaultUser = "yorick"; # xkbOptions = "eurosign:e"; - windowManager.i3-gaps.enable = true; + windowManager.i3 = { + enable = true; + } // (if (lib.versionAtLeast config.system.nixosRelease "17.03") then { + package = pkgs.i3-gaps; + } else {}); }; hardware.opengl = { enable = true; @@ -40,4 +44,7 @@ night = 5500; }; }; + # spotify + networking.firewall.allowedTCPPorts = [57621]; + networking.firewall.allowedUDPPorts = [57621]; } From 1d9b3abe2c596f949351eb57f1ef513e512c33f7 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 8 Dec 2016 15:33:35 +0100 Subject: [PATCH 055/172] remove ospinio --- network.nix | 4 -- ospinio/configuration.nix | 75 ------------------------------ ospinio/hardware-configuration.nix | 29 ------------ secrets.nix.asc | 48 +++++++++---------- 4 files changed, 23 insertions(+), 133 deletions(-) delete mode 100644 ospinio/configuration.nix delete mode 100644 ospinio/hardware-configuration.nix diff --git a/network.nix b/network.nix index eb985af..dc23373 100644 --- a/network.nix +++ b/network.nix @@ -1,9 +1,5 @@ with (import ).hostnames; { network.description = "yorick's stuff"; - ospinio = { - imports = [./ospinio/configuration.nix]; - deployment.targetHost = ospinio; - }; frumar = { imports = [./frumar/configuration.nix]; deployment.targetHost = frumar; diff --git a/ospinio/configuration.nix b/ospinio/configuration.nix deleted file mode 100644 index 461c468..0000000 --- a/ospinio/configuration.nix +++ /dev/null 
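Review bot: `allowedTCPPorts`/`allowedUDPPorts = [57621]` opens the Spotify discovery port on every interface of a roaming laptop, so any host on whatever Wi-Fi the machine joins can reach the Spotify client; if the NixOS release in use offers `networking.firewall.interfaces`, restrict the rule to the home interface, and otherwise annotate it: `# spotify connect/local discovery; reachable from every LAN this machine joins`. The same literal appears twice, so a small `let spotifyPort = 57621; in` keeps the two lists from drifting. The `i3` block above calls `lib.versionAtLeast`, which needs `lib` among the module arguments — the module header is outside the hunk, so confirm it is bound.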
@@ -1,75 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, ... }: - -let yoricc = import ../packages/yori-cc.nix; -in - -{ - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ../roles/common.nix - ]; - - # Use the GRUB 2 boot loader. - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - # Define on which hard drive you want to install Grub. - # boot.loader.grub.device = "/dev/sda"; - - networking.hostName = (import ).hostnames.ospinio; - - - # Enable the OpenSSH daemon. - services.openssh.enable = true; - - # The NixOS release to be compatible with for stateful data such as databases. - system.stateVersion = "16.03"; - - services.nginx = { - enable = true; - httpConfig = '' - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log logs/access.log main; - sendfile on; - #tcp_nopush on; - - #keepalive_timeout 0; - keepalive_timeout 65; - - - gzip on; - - server { - listen 80; - server_name ""; - - location / { - root ${pkgs.nginx}/usr/share/nginx/html; - index index.html index.htm; - } - - location = /50x.html { - root ${pkgs.nginx}/usr/share/nginx/html; - } - } - - server { - listen 80; - server_name yori.cc; - server_tokens off; - location / { - root ${yoricc}/web; - } - } - - ''; - }; - networking.firewall.allowedTCPPorts = [22 80]; -} diff --git a/ospinio/hardware-configuration.nix b/ospinio/hardware-configuration.nix deleted file mode 100644 index 001beb2..0000000 --- a/ospinio/hardware-configuration.nix +++ /dev/null 
@@ -1,29 +0,0 @@ -{ config, lib, pkgs, ... }: -let - ipconf = (import ).ipconf.${config.networking.hostName}; -in -{ - imports = [ ../modules/nixos-in-place.nix ]; - "nixos-in-place" = { - enable = true; - rootfs = "/dev/mapper/CAC_VG-CAC_LV"; - swapfs = "/dev/disk/by-uuid/be7625e5-2e2c-41f2-8d5f-331f90980b9e"; - }; - boot = { - loader.grub.device = "/dev/sda"; - initrd.availableKernelModules = [ "ata_piix" "vmw_pvscsi" "floppy" ]; - }; - - networking = { - interfaces.enp2s0 = { - useDHCP = false; - inherit (ipconf) ip4 ip6; - }; - inherit (ipconf) nameservers; - defaultGateway = ipconf.gateway4; - #defaultGateway6 = ipconf.gateway6; - }; - - nix.maxJobs = 1; - -} diff --git a/secrets.nix.asc b/secrets.nix.asc index 2aa2437..dd31cc7 100644 --- a/secrets.nix.asc +++ b/secrets.nix.asc 
@@ -1,28 +1,26 @@ -----BEGIN PGP MESSAGE----- -Version: GnuPG v2 -hQEMAwEAjpZflP7cAQf/WInyFwbeVLTT2OzoiabhI8ZQIteC8iz4BgU3BoMbhmzU -i8Rivtwy9p6sYepzNXQ7DOxkCc+28IXD5JF7gFlPv9Km0r//JU3YaYBMxHyH+iN1 -iyf+PeiBgiLmvF7uPTILxFlPhUhi2s26JUmCDtZZFBEmuuPz1MFIu1kw/ryV74kI -d+4TUbNG2xhu2Rogu6xzXkun0Uy2XR6Qa2CImpUFJ5dwJfWye3UtAxMknQEbCXO5 -ZxNwQU9jXEMgjGK57lTYSX6uBbLK8BweeV+spPI5wKA5BA0RCuOWKTQyREy7e38b -a2ZL1jjGOiN8PI9x89MQcE7IQVDb+L9/Vxp8dFjbTdLpAfE2XNzPx+m5h3gNr0I+ -M9b/oTHfUFH3NN+NKQCSZPRbDfri3CgrhBLuaIvVsswnfqYJRiBPkp73JP3NpM14 -uFaENf5ii1zxfmH4du7vmzP7Utcx0PebL2P0NQc1dIMFlG6Aht8m7ACPVUziXfxd -er9PFjPHKY6V7hR1wsD2bXCzFZK8StJCNnU6hge91KOx4jV/9+Y08kZwJDvFPooo -g3HnYT8KoVzoBkW4M5AiPSUeBy5w60WwbN2wLSHLT1aNjODASvqv41dFhO3up3/v -gMFmeIg3DjNa6qvFjbJEjefmfSzgkwgS9CEVfNAg3BBrXIM5Cw9+LvWin2gRlR9n -taiTy7MWzsLSkRALoVZ8WOvUgEZwW+WPHIDORTBrqBpR5g+qP94t9Myu/mfG6lqe -TC1I2jQlP8zu2YDc3yvDaK9AeCJIyxu8NwYZAotZwPwzapRiQmMIM6Tfld+YSC/+ -/K68Uno2YH/X43y9pKx0w18azbYE+UzpX29NZnHChduxFmg4WueIaFhQJkJCeu6j -2bBjvVXalI56flFhx+dJk8VjXTwmVjf3tGY0WkpQ7wPvFNynZ2srV4wdhuN8sXDl -rRGwiafOp6zIiaHtoHsBdP6XHqMputKYOQobuGV+lfK324XUAFYMKS2RrYry1Mfo -YdLqbz9WovTn2G74VaYE72jAZNm53AZeP0ggufgAIAe6kcqion76Cq5bU6PC/j9I -7dbdzybOa2pNatSEBrDPVOdbhWrb0ifFMQp/CBAGDLaiTeyjPnjVSx9tqmGnQ+vn -bWdS/lNxvxWturdoR5zEx7nyEMYhOzjylNke8sTJQOxNS8gh6CQ+FjOm11XvkEnL -RlBtIIQEhRxdymUfKAvmc9D4A8zi602bJgEn7uqr4xjnf+F41WA0E8U53WAYK0cM -Z+bOuiKYzWkLlKIP1Qa48jhmdVV/9MgLWZf1uf3MgsTqKErjx/fKtFLdOhcL6wsI -tloEz+5ID1xzo5CtS1vhuKvvG25EXkyerlfC4wGkR4xFiiks9Ei2DBG/MLMjJcrk -1FJroBTZqPB4xAwpM7WC84CcNNW+qm8= -=8zHI +hQEMAwEAjpZflP7cAQgAuUQH4GHZsM4Qh+zUBK9nMQ+Cl+jetPLYv8QFzsTWFOge +gAPdZs5NRi+ncvaoA/jnZtNfo8awtZ7UPT2wh3j102cGB5rB3flsVD61wQuiu1rG +v3wh4875vjHpRZy6JaJuRTHvno0usoebg1dwiVaiFI10oXRzrEtiM+M6CiDeUFGM +aUl356YxRbLgkYHw/R6C5WdssOt4jOuQkXV1Jv+b3Td5HJYLL+Ae9Dwg7MVfGzas +aSboFHatQ2HqS/pTyNLz3zJzoxPWhQPaIFV5V3BpmQvC6qnBp824T2tHz4G9vqND +G3UI6sI1Um/KuPg9pgDdO30O8+1n1E9LxLjwm4vVKNLpASVp/SY8UrJmx5bGFr/0 
+qkCuVVPcJm0rr9VAHSGrDwXanE4HFG5W+LFb1EL/gEa2rlcYvv7YsOxMTXjYKBRC +cY9w8NNTsxgGTm1Mn76cCS5sUSLeoPYlYTbgsmGrMO7EEYdOQhFsK1IHv8ANoDA+ +OnciOCLOKCb85cCO5w8zM63Fdz0sK8uDs0W/XUWBmk0vyeqv1dFFExzZ06Y2l4yh +pKwuIb4hEniv0i+T5ElN93PM2nMaxfPj8M4T8DEsIA5kRiO96ITXCJLLEsCxkF2s +fJZ4U4bF7jxj3rErLJthPsA2Xw62vq0I60g7+BcZt/g8Sj0TGmYRR+MvvOeXUuIT +JtqeIFx2c6NbOT5rKqu7HbI5AlRZ1pmjDgfYF0CF6U/0fq5PHbh7ntyRU79Ca8Hn +tr9SU/g3Uq/WMpPzFbZ21+kCXrwBkti4urUkOfUzUO04fUS7SUj/FzgyyBCh3nHG +cRSrcy49f9mvSvV1hxpu0ukWJID8UiDyoM0RqQ8Qab7BrKsCgodUnKFHWIKuYxgX +defCwQzuEq/A4kmB1pPF6F56cfa4wyKVjXgreQzgQxqG4LtjsZGzA84Q/R+2xVxj +LBJzuKzBmuDgwCKw6/9q872Vz8+r1MdeXdpkxEUS8knMbmhHMKw0Pb7vwI5t3JQy +5DziTWV0M6rAuBjXJ0h876XARDwVUue0mNf9FovMvnak4af/cXPWuBCZ+ZDJzL7Y +d5FXz5/Tb5Lqw+qoJtjullDR3Vtntmm4MOUTytVBFWz5NXw5NlVm3KmpLUHK4KbY +grHphnz87JZJ7jA2o1WXPsj8FwzmNpIYqTbB/mp/Gtr4vfarD2Org1uyc16n9e0e +AIePoJIR5Rsrkb51WSuJ4kV+5A1M+YH+k400qYmTcPKeenZvn8RJvjeD7R4ErpK7 +vc3RsAFEdBvsUVidrKM0DmWmMSxeNYU72Bubr8TfHcDOe3ZSotokh1v3JE2gdICQ +LO0PkA3txVH+gjOa02Y9ZiDm0eqWQiwGx5g6TeiKD4jx9zpNfCt7 +=u9KE -----END PGP MESSAGE----- From c7c75c0256988bd97236ade36ea97a3d2f772af3 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 8 Dec 2016 15:36:11 +0100 Subject: [PATCH 056/172] remove vfs495 --- modules/vfs495.nix | 39 --------------------------------------- packages/vfs495.nix | 39 --------------------------------------- 2 files changed, 78 deletions(-) delete mode 100644 modules/vfs495.nix delete mode 100644 packages/vfs495.nix diff --git a/modules/vfs495.nix b/modules/vfs495.nix deleted file mode 100644 index 6d884cc..0000000 --- a/modules/vfs495.nix +++ /dev/null 
@@ -1,39 +0,0 @@ -{ pkgs, config, lib, ... }: - -let -vfs495 = pkgs.callPackage ../packages/vfs495.nix { }; -cfg = config.services.vfs495; -in -{ - options.services.vfs495 = with lib; { - enable = mkOption { type = types.bool; default = false; }; - }; - config = lib.mkIf cfg.enable { - nixpkgs.config = { - packageOverrides = pkgs : { - libfprint = pkgs.libfprint.overrideDerivation (attrs: { - patches = [(pkgs.fetchurl { - url = "http://ix.io/1eh0"; - sha256 = "1h55gc07piidixxm5h37p0514h67q0z1q9ygapyl89in3csd5n94"; - })]; - buildInputs = [pkgs.autoreconfHook] ++ attrs.buildInputs; - }); - }; - }; - services.fprintd.enable = true; - systemd.services.fprintd = { - path = [pkgs.procps]; - environment.LD_LIBRARY_PATH = "${vfs495}/usr/lib"; - }; - systemd.services.vfs495 = { - serviceConfig = { - Type = "forking"; - ExecStartPre = "rm -f /tmp/vcsSemKey_*"; - ExecStart = "${vfs495}/usr/bin/vcsFPService"; - }; - wantedBy = [ "multi-user.target" ]; - before = ["fprintd.service"]; - }; - # TODO: send SIGUSR1 on suspend and SIGUSR2 on resume - }; -} diff --git a/packages/vfs495.nix b/packages/vfs495.nix deleted file mode 100644 index bd59836..0000000 --- a/packages/vfs495.nix +++ /dev/null 
@@ -1,39 +0,0 @@ -{ pkgs ? import {} }: with pkgs; -let -# this is ugly but it works -openssl_0_9_8 = runCommand "openssl_0_9_8" {} '' - mkdir -p $out/lib/ - ln -s ${openssl_1_0_1.out}/lib/libcrypto.so $out/lib/libcrypto.so.0.9.8 - ln -s ${openssl_1_0_1.out}/lib/libssl.so $out/lib/libssl.so.0.9.8 -''; -in -stdenv.mkDerivation rec { - version = "4.5-118.00"; - name = "vfs495-${version}"; - - src = fetchurl { - url = "https://dl.dropboxusercontent.com/u/71679/Validity-Sensor-Setup-${version}.x86_64.rpm"; - sha256 = "1hd03bv14zr639l0wnwcc0bggjsfpnq57fjz3vqym19xqn9ks001"; - }; - nativeBuildInputs = [ patchelf ]; - buildInputs = [libusb libusb1 openssl_0_9_8]; - unpackCmd = '' - (mkdir -p "${name}" && cd "${name}" && - ${rpmextract}/bin/rpmextract "$curSrc")''; - installPhase = '' - mkdir -p $out - cp -R etc/ usr/ $out/ - patchelf \ - --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - --set-rpath "${lib.makeLibraryPath buildInputs}" \ - $out/usr/bin/vcsFPService - patchelf --set-rpath "${lib.makeLibraryPath buildInputs}" \ - $out/usr/lib/libvfsFprintWrapper.so - ''; - meta = with stdenv.lib; { - description = "Userspace driver for VFS495 fingerprint readers"; - license = licenses.unfreeRedistributable; - #maintainers = with maintainers; [ yorickvp ]; - platforms = platforms.linux; - }; -} From 74c6c7acae03d478f65cb7403f4fc9989adc5b02 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sun, 25 Dec 2016 00:14:47 +0100 Subject: [PATCH 057/172] update frumar --- frumar/configuration.nix | 25 ++------------ modules/gogs.nix | 31 +++++------------- modules/nginx.nix | 71 +++++++++++----------------------------- packages/gogs.nix | 4 +-- roles/common.nix | 1 + roles/pub.nix | 40 +++++----------------- roles/quassel.nix | 15 +++++++-- 7 files changed, 53 insertions(+), 134 deletions(-) diff --git a/frumar/configuration.nix b/frumar/configuration.nix index f92038c..1c918cd 100644 --- a/frumar/configuration.nix +++ b/frumar/configuration.nix 
@@ -12,7 +12,7 @@ in [ # Include the results of the hardware scan. ./hardware-configuration.nix ../roles/common.nix - ../modules/nginx.nix + ../modules/nginx.nix ../modules/gogs.nix # todo: better separation here ../modules/tor-hidden-service.nix ../roles/quassel.nix @@ -29,30 +29,9 @@ in system.stateVersion = "15.09"; gogs.domain = "git.yori.cc"; - - # website + lets encrypt challenge hosting nginxssl.enable = true; - # Let's Encrypt configuration. - security.acme.certs."git.yori.cc" = - { email = secrets.email; - webroot = config.nginxssl.servers."git.yori.cc".key_webroot; - postRun = "systemctl reload nginx.service"; - }; - # Generate a dummy self-signed certificate until we get one from - # Let's Encrypt. - system.activationScripts.letsEncryptKeys = - '' - dir=${acmeKeyDir} - mkdir -m 0700 -p $dir - if ! [[ -e $dir/key.pem ]]; then - ${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024 - ${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \ - -subj "/C=NL/CN=www.example.com" - ${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem - ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem - fi - ''; + security.acme.preliminarySelfsigned = true; # hidden SSH service diff --git a/modules/gogs.nix b/modules/gogs.nix index f9c0ee6..6dd9b5f 100644 --- a/modules/gogs.nix +++ b/modules/gogs.nix @@ -47,7 +47,7 @@ INSTALL_LOCK = true inherit (lib) mkOption types; in { - imports = [./nginx.nix]; + #imports = [./nginx.nix]; options.gogs = { domain = mkOption { type = types.string; 
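Review bot: The removed `security.acme.certs."git.yori.cc"` block also carried `email = secrets.email`, and nothing in the new hunk re-supplies a contact address, so the certificates that `enableACME` now requests presumably get no expiry or revocation notices from the CA — keeping `security.acme.certs."git.yori.cc".email = secrets.email;` next to `security.acme.preliminarySelfsigned = true;` would preserve that. Dropping the hand-rolled 1024-bit self-signed bootstrap key (with its `pass:foo` passphrase) in favour of the module's own is a clear improvement; `preliminarySelfsigned` is likely already the default in this NixOS version, so a one-line comment saying why it is set explicitly would help the next reader.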
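Review bot: Commenting out `imports = [./nginx.nix];` leaves dead code and silently turns a module dependency into a host-level one: the `services.nginx.virtualHosts.${domain}` block later in this file only gets the hardened TLS defaults and the catch-all default vhost if the host also imports `../modules/nginx.nix` (frumar does in this same commit; other hosts may not). Delete the line and document the expectation instead, e.g. `# relies on the host importing ../modules/nginx.nix for recommended TLS settings`. The enclosing module body continues outside the hunk.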
@@ -72,28 +72,15 @@ in WorkingDirectory = gitHome; }; }; - nginxssl.servers.${domain} = { - key_root = "/var/lib/acme/git.yori.cc"; - key_webroot = "/etc/sslcerts/acmeroot"; - contents = '' - location / { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_redirect off; + services.nginx.virtualHosts.${domain} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString gogsPort}"; + extraConfig = '' proxy_buffering off; - proxy_pass http://gogs; - client_max_body_size 30M; - break; - } - ''; + ''; + }; }; - services.nginx.httpConfig = '' - upstream gogs { - server 127.0.0.1:${toString gogsPort}; - } - ''; }; } diff --git a/modules/nginx.nix b/modules/nginx.nix index d9e28c1..e415c0b 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix 
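Review bot: The new `locations."/".extraConfig` keeps `proxy_buffering off` but drops `client_max_body_size 30M;`, so nginx falls back to its 1 MiB default and git pushes over HTTPS larger than that will be rejected with 413 — add `client_max_body_size 30M;` back into `extraConfig`. The explicit `X-Real-IP`/`X-Forwarded-*`/`Host` headers are gone too; that is fine only if `services.nginx.recommendedProxySettings` is enabled for this host (the nginx module in this commit sets it, but gogs.nix no longer imports that module), otherwise Gogs will log 127.0.0.1 as every client's address and any IP-based rate limiting or audit trail becomes useless. A comment stating that dependency would make the assumption visible.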
@@ -3,24 +3,16 @@ let cfg = config.nginxssl; sslcfg = dir: '' ssl on; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_certificate_key ${dir}/key.pem; ssl_certificate ${dir}/fullchain.pem; ssl_trusted_certificate ${dir}/fullchain.pem; - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_protocols TLSv1.1 TLSv1.2; - # ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; - ssl_prefer_server_ciphers on; add_header Strict-Transport-Security max-age=15768000; - ssl_stapling on; - ssl_stapling_verify on; ''; makeChallenges = servername: key_webroot: '' server { listen 80; server_name ${servername}; - server_tokens off; location /.well-known/acme-challenge { default_type text/plain; alias ${key_webroot}/.well-known/acme-challenge; @@ -43,7 +35,6 @@ makeServerBlock = servername: {key_root, key_webroot, contents, ...}: '' server { listen 443; server_name ${servername}; - server_tokens off; ${sslcfg key_root} ${contents} } 
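Review bot: `sslcfg` no longer pins `ssl_protocols`, `ssl_ciphers`, `ssl_prefer_server_ciphers` or OCSP stapling, so every server block built with `makeServerBlock` now inherits whatever the http-level context provides — that is only safe because the same file enables `services.nginx.recommendedTlsSettings` (in a later hunk); if that flag is ever switched off these blocks silently revert to nginx's built-in defaults, which in this era's releases still include TLS 1.0. Add a comment at the top of `sslcfg`, e.g. `# protocols, ciphers and stapling come from services.nginx.recommendedTlsSettings (http level); keep that enabled`. The HSTS header is still emitted per server, which is fine, though `max-age=15768000` without `includeSubDomains` only covers the exact host. `makeChallenges` continues outside the hunk.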
@@ -98,50 +89,26 @@ in config = mkIf cfg.enable { services.nginx = { enable = true; - httpConfig = '' - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + recommendedOptimisation = true; + serverTokens = false; + sslDhparam = "/etc/nginx/dhparam.pem"; + virtualHosts = { + "\"\"" = { + forceSSL = true; + locations."/" = { + index = "index.html index.htm"; + root = "${pkgs.nginx}/html"; + }; + sslCertificate = "${cfg.no_vhost_keydir}/fullchain.pem"; + sslCertificateKey = "${cfg.no_vhost_keydir}/key.pem"; + default = true; + }; + }; - access_log logs/access.log main; - sendfile on; - #tcp_nopush on; - - #keepalive_timeout 0; - keepalive_timeout 65; - - server_tokens off; - - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - - gzip on; - # the default thing, for if no vhost is given - # generate default.pem and default.key manually - # and self-sign, if you feel like it - server { - listen 80 default_server; - server_name ""; - location / { - rewrite ^(.*) https://$host$1 permanent; - } - } - server { - listen 443 default_server spdy deferred; - server_name ""; - - ${sslcfg cfg.no_vhost_keydir} - - location / { - root ${pkgs.nginx}/html; - index index.html index.htm; - } - - location = /50x.html { - root ${pkgs.nginx}/html; - } - } + appendHttpConfig = '' ${lib.concatStringsSep "\n" (lib.mapAttrsToList makeChallenges cfg.challenges)} diff --git a/packages/gogs.nix b/packages/gogs.nix index 535f202..f055612 100644 --- a/packages/gogs.nix +++ b/packages/gogs.nix 
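Review bot: The `makeChallenges` server blocks appended via `appendHttpConfig` (the string continues outside the hunk) still declare a `listen 80; server_name <host>` block for every entry in `cfg.challenges`, while hosts migrated to `enableACME` in this same commit (git.yori.cc, pub.yori.cc) get their own port-80 server from the NixOS module; if a name appears in both, nginx keeps only one and warns about a conflicting server name, and the block that loses may be the one serving `/.well-known/acme-challenge`, breaking renewal silently. Either prune `nginxssl.challenges` of migrated hosts or add an assertion in the module that the two name sets are disjoint. Also `sslDhparam = "/etc/nginx/dhparam.pem"` is an unmanaged file (as it was before, inside `sslcfg`) and nginx refuses to start if it is missing, so a comment on how it is generated — and that it should be at least 2048 bits — would help.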
@@ -2,10 +2,10 @@ { nixpkgs ? import {} }: with nixpkgs; stdenv.mkDerivation rec { name = "gogs-${version}"; - version = "0.9.0"; + version = "0.9.113"; src = fetchzip { url = "https://dl.gogs.io/gogs_v${version}_linux_amd64.tar.gz"; - sha256 = "1qyy0hi8hvz2k4p9251mx8xv9z08jwijfzl0rn0drm6sq34a7wg9"; + sha256 = "0gwpshzch1b0s810pd5cpiad1skvnjhsd6kx9gmlbw2whdp2jf2r"; }; buildPhase = '' patchelf \ diff --git a/roles/common.nix b/roles/common.nix index ba5edf6..c081cb4 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -23,6 +23,7 @@ nix.binaryCachePublicKeys = [ "hydra.cryp.to-1:8g6Hxvnp/O//5Q1bjjMTd5RO8ztTsG8DKPOAg9ANr2g=" ]; + nix.buildCores = config.nix.maxJobs; nix.extraOptions = '' allow-unsafe-native-code-during-evaluation = true diff --git a/roles/pub.nix b/roles/pub.nix index 9b8fe30..34240de 100644 --- a/roles/pub.nix +++ b/roles/pub.nix @@ -1,10 +1,8 @@ { config, pkgs, lib, ... }: let secrets = import ; - acmeWebRoot = "/etc/sslcerts/acmeroot"; - acmeKeyDir = "${config.security.acme.directory}/pub.yori.cc"; in { - imports = [../modules/nginx.nix]; + #imports = [../modules/nginx.nix]; config = { users.extraUsers.public = { home = "/home/public"; 
@@ -12,35 +10,13 @@ in openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public]; createHome = true; }; - nginxssl.servers."pub.yori.cc" = { - key_root = acmeKeyDir; - key_webroot = "/etc/sslcerts/acmeroot"; - contents = '' - location / { - root /home/public/public; - index index.html; - } - ''; - }; - # Let's Encrypt configuration. - security.acme.certs."pub.yori.cc" = - { email = secrets.email; - webroot = config.nginxssl.servers."pub.yori.cc".key_webroot; - postRun = "systemctl reload nginx.service"; + services.nginx.virtualHosts."pub.yori.cc" = { + forceSSL = true; + enableACME = true; + locations."/" = { + root = "/home/public/public"; + index = "index.html"; }; - # Generate a dummy self-signed certificate until we get one from - # Let's Encrypt. - system.activationScripts.letsEncryptKeys = - '' - dir=${acmeKeyDir} - mkdir -m 0700 -p $dir - if ! [[ -e $dir/key.pem ]]; then - ${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024 - ${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \ - -subj "/C=NL/CN=www.example.com" - ${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem - ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem - fi - ''; + }; }; } diff --git a/roles/quassel.nix b/roles/quassel.nix index 6f30922..75bf8a6 100644 --- a/roles/quassel.nix +++ b/roles/quassel.nix 
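Review bot: `locations."/".root = "/home/public/public"` serves a directory that the `public` user (SSH key login, `createHome = true`, just above) can write to, and nginx follows symlinks by default, so a symlink dropped there to any file the nginx worker can read becomes publicly served — add `extraConfig = "disable_symlinks if_not_owner;";` to the location so only links whose owner matches the target's owner are followed. `autoindex` stays off by default, which is what you want here. This hunk also drops the `email = secrets.email` that the old `security.acme.certs` entry carried; consider keeping `security.acme.certs."pub.yori.cc".email = secrets.email;` so expiry notices still arrive.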
@@ -2,15 +2,24 @@ { containers.quassel = { config = { config, pkgs, ... }: { - services.postgresql.enable = true; - services.postgresql.package = pkgs.postgresql94; + services.postgresql = { + enable = true; + package = pkgs.postgresql94; + extraConfig = '' + max_connections = 10 + shared_buffers = 1GB + effective_cache_size = 4GB + work_mem = 50MB + maintenance_work_mem = 100MB + ''; + }; services.quassel = { # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix enable = true; interfaces = ["0.0.0.0"]; }; environment.systemPackages = [ - pkgs.quasselDaemon_qt5 + pkgs.kde4.quasselDaemon ]; networking.firewall.allowedTCPPorts = [4242]; }; From a4bd9ee92f6f83c62d6df7fe663755c39ac3c168 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 24 Jan 2017 21:39:28 +0100 Subject: [PATCH 058/172] move the nvme patch to its own file --- jarvis/configuration.nix | 2 ++ jarvis/hardware-configuration.nix | 32 +------------------------------ jarvis/linux-nvme.nix | 27 ++++++++++++++++++++++++++ 3 files changed, 30 insertions(+), 31 deletions(-) create mode 100644 jarvis/linux-nvme.nix diff --git a/jarvis/configuration.nix b/jarvis/configuration.nix index 014512a..7d95fac 100644 --- a/jarvis/configuration.nix +++ b/jarvis/configuration.nix @@ -48,4 +48,6 @@ in export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh" ${pkgs.xorg.xrandr}/bin/xrandr --dpi 192 ''; + nix.gc.automatic = pkgs.lib.mkOverride 30 false; + } diff --git a/jarvis/hardware-configuration.nix b/jarvis/hardware-configuration.nix index 67ac86d..827fc38 100644 --- a/jarvis/hardware-configuration.nix +++ b/jarvis/hardware-configuration.nix 
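Review bot: The new PostgreSQL `extraConfig` hard-codes `shared_buffers = 1GB` and `effective_cache_size = 4GB` with no note of what host they were sized for; since this runs inside `containers.quassel`, which shares memory with the host, a comment such as `# sized for the frumar host; revisit if the container moves` would keep the numbers honest. `max_connections = 10` is reasonable for a single quassel core but also worth a word. The switch from `quasselDaemon_qt5` to `kde4.quasselDaemon` is unexplained in the commit message — a `# qt5 build broken as of 2016-12` style comment (if that is the reason) would save the next person from reverting it.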
@@ -2,15 +2,10 @@ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. { config, lib, pkgs, ... }: -let -kpkgs = pkgs.linuxPackages_testing; -#kpkgs = pkgs.linuxPackages_custom (pkgs.linuxPackages_latest.kernel.overrideDerivation (oldAttr: { -# enableParallelBuild = true; -#})); -in { imports = [ + ./linux-nvme.nix ]; boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; @@ -26,27 +21,7 @@ in networking.wireless.enable = true; hardware.bluetooth.enable = true; - boot.kernelPackages = kpkgs; boot.kernelParams = ["i915.enable_fbc=1"]; # "i915.enable_psr=1"]; # lvds downclock is no longer a thing - boot.kernelPatches = let - kver = "4.8.8"; #kpkgs.kernel.version; - linux-nvme = pkgs.fetchFromGitHub { - owner = "damige"; - repo = "linux-nvme"; - rev = "e58f5a1e9357fb0647fc173a17ceebe6280ba43c"; - sha256 = "0n42s6a6wzckm5k6mfpx0mp66ql52wv3irs9s0c000nx039hg57m"; - }; - in [ - # half of thesea are in 4.9 already - # { patch = "${linux-nvme}/src/${kver}/nvmepatch1-V4.patch"; name = "nvme-1";} - # { patch = "${linux-nvme}/src/${kver}/nvmepatch2-V4.patch"; name = "nvme-2";} - { patch = "${linux-nvme}/src/${kver}/nvmepatch3-V4.patch"; name = "nvme-3";} - ]; - # nixpkgs.config.packageOverrides = pkgs: - # { linux_testing = pkgs.linux_testing.overrideDerivation (attrs: { - # enableParallelBuilding = true; - # }); - # }; fileSystems."/" = { device = "/dev/disk/by-uuid/a751e4ea-f1aa-48e1-9cbe-423878e29b62"; @@ -85,10 +60,5 @@ in services.xserver.videoDrivers = ["modesetting"]; hardware.opengl.extraPackages = [ pkgs.vaapiIntel ]; - nixpkgs.config = { - packageOverrides = pkgs : { - mpv = pkgs.mpv.override { vaapiSupport = true; }; - }; - }; } diff --git a/jarvis/linux-nvme.nix b/jarvis/linux-nvme.nix new file mode 100644 index 0000000..1efafda --- /dev/null +++ b/jarvis/linux-nvme.nix 
@@ -0,0 +1,27 @@ +{ config, lib, pkgs, ... }: +# check if it's working: +# nix-shell -p nvme-cli --command "sudo nvme get-feature -f 0x0c -H /dev/nvme0" | grep Enable +{ boot = rec { + # gotta go faster + kernelPackages = pkgs.linuxPackages_latest // { + kernel = pkgs.linuxPackages_latest.kernel.overrideDerivation (attr: { + enableParallelBuilding = true; + }); + }; + + kernelPatches = let + kver = kernelPackages.kernel.version; + kernel_newer_4_9 = builtins.compareVersions kver "4.9" > -1; + # https://github.com/damige/linux-nvme/ + linux-nvme = pkgs.fetchFromGitHub { + owner = "damige"; + repo = "linux-nvme"; + rev = "d6f6df100db9b8f1ee6fc04f8d2f8ddbcbec87f8"; + sha256 = "0iqxzk3q7vzg7gmqrlvq1lf9wf3qfq5dm79hjsb48s6q12l3ml06"; + }; + in map (name: { patch = "${linux-nvme}/src/${kver}/${name}.patch"; inherit name; }) + (if kernel_newer_4_9 + then ["APST" "pm_qos1" "pm_qos2" "pm_qos3" "nvme"] + else ["nvmepatch1-V4" "nvmepatch2-V4" "nvmepatch3-V4"]); + }; +} From ff31c8c604f19623d28b5ac5032479f472fd1470 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 26 Jan 2017 14:45:11 +0100 Subject: [PATCH 059/172] add grafana+influxdb --- frumar/configuration.nix | 1 + pennyworth/configuration.nix | 2 ++ roles/collectd.nix | 63 ++++++++++++++++++++++++++++++++++++ roles/graphs.nix | 38 ++++++++++++++++++++++ secrets.nix.asc | 44 ++++++++++++------------- woodhouse/configuration.nix | 1 + 6 files changed, 126 insertions(+), 23 deletions(-) create mode 100644 roles/collectd.nix create mode 100644 roles/graphs.nix diff --git a/frumar/configuration.nix b/frumar/configuration.nix index 1c918cd..2906ff6 100644 --- a/frumar/configuration.nix +++ b/frumar/configuration.nix @@ -17,6 +17,7 @@ in ../modules/tor-hidden-service.nix ../roles/quassel.nix ../roles/pub.nix + ../roles/collectd.nix ]; diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix index 052df29..2261b19 100644 --- a/pennyworth/configuration.nix +++ b/pennyworth/configuration.nix 
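Review bot: `pkgs.linuxPackages_latest // { kernel = … }` only swaps the `kernel` attribute; the out-of-tree module packages inside that set were already instantiated against the original kernel derivation, so as far as I can tell anything taken from `boot.kernelPackages` other than the kernel itself targets a different kernel than the one booted. The usual form is `pkgs.linuxPackagesFor (pkgs.linuxPackages_latest.kernel.overrideDerivation (…))` (or `.extend` where the nixpkgs version supports it), which rebuilds the whole set against the overridden kernel. Pinning the third-party patch repo by `rev` plus `sha256` is good; a comment noting that `${kver}` must exist as a directory in that repo for the chosen kernel (otherwise the build fails at patch time) would explain why the `compareVersions` branch is needed.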
@@ -15,6 +15,8 @@ in imports = [ ./hardware-configuration.nix ../roles/common.nix + ../roles/collectd.nix + ../roles/graphs.nix ../modules/mailz.nix ../modules/nginx.nix ../modules/tor-hidden-service.nix diff --git a/roles/collectd.nix b/roles/collectd.nix new file mode 100644 index 0000000..64dde96 --- /dev/null +++ b/roles/collectd.nix @@ -0,0 +1,63 @@ +{ config, pkgs, lib, ...}: +let + secrets = import ; +in +{ + services.collectd = { + enable = true; + extraConfig = '' + LoadPlugin network + + LoadPlugin conntrack + LoadPlugin cpu + LoadPlugin df + LoadPlugin disk + LoadPlugin interface + LoadPlugin fhcount + LoadPlugin load + LoadPlugin memory + LoadPlugin processes + LoadPlugin swap + LoadPlugin tcpconns + LoadPlugin uptime + LoadPlugin users + + + + LocalPort "443" + + + + Username "${config.networking.hostName}" + Password "${secrets.influx_pass.${config.networking.hostName}}" + + + ''; + }; + boot.kernel.sysctl."net.core.rmem_max" = 26214400; + boot.kernel.sysctl."net.core.rmem_default" = 26214400; + nixpkgs.config.packageOverrides = pkgs: { + collectd = pkgs.collectd.override { + jdk = null; + libcredis = null; + libdbi = null; + libmemcached = null; cyrus_sasl = null; + libmodbus = null; + libnotify = null; gdk_pixbuf = null; + libsigrok = null; + libvirt = null; + libxml2 = null; + libtool = null; + lvm2 = null; + libmysql = null; + protobufc = null; + python = null; + rabbitmq-c = null; + riemann = null; + rrdtool = null; + varnish = null; + yajl = null; + net_snmp = null; + }; + }; +} diff --git a/roles/graphs.nix b/roles/graphs.nix new file mode 100644 index 0000000..be097e6 --- /dev/null +++ b/roles/graphs.nix 
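Review bot: `Password "${secrets.influx_pass.${config.networking.hostName}}"` is interpolated into `services.collectd.extraConfig`, and NixOS writes that string into the Nix store, so the per-host InfluxDB credential ends up in a world-readable `/nix/store/*-collectd.conf` on every host (and in any binary cache it is pushed to). Keep the credential out of the evaluated config: put the `Username`/`Password` lines in a file deployed out-of-band and reference it with `Include "/run/keys/collectd-network.conf"` inside the network plugin block — this repo already deploys tor keys under `/run/keys`. The `<Plugin …>`/`<Server …>` wrapper lines appear to have been lost in rendering, so the exact nesting is not visible here.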
@@ -0,0 +1,38 @@ +# use together with ./collectd.nix +{ config, pkgs, lib, ...}: +let + secrets = import ; + grafana_port = 3000; + domain = "graphs.yori.cc"; +in +{ + networking.firewall.allowedUDPPorts = [25826]; + services.influxdb = { + enable = true; + extraConfig = { + collectd = [{ + enabled = true; + typesdb = "${pkgs.collectd}/share/collectd/types.db"; + database = "collectd_db"; + "security-level" = "sign"; + "auth-file" = pkgs.writeText "collectd_auth" + (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: p: "${n}: ${p}") secrets.influx_pass) + "\n"); + port = 25826; + }]; + }; + }; + services.grafana = { + enable = true; + inherit domain; + rootUrl = "https://${domain}/"; + port = grafana_port; + }; + services.nginx.virtualHosts.${domain} = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString grafana_port}"; + }; + }; + +} diff --git a/secrets.nix.asc b/secrets.nix.asc index dd31cc7..6783e4b 100644 --- a/secrets.nix.asc +++ b/secrets.nix.asc 
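Review bot: `"auth-file" = pkgs.writeText "collectd_auth" …` writes every host's InfluxDB password into a single world-readable Nix store file, which defeats the point of per-host secrets — generate that file out-of-band (e.g. under `/run/keys`) and point `auth-file` at the path instead of a `writeText` derivation. `"security-level" = "sign"` together with `allowedUDPPorts = [25826]` means metrics from the other hosts cross the internet authenticated but in cleartext; `"encrypt"` (with the matching client-side setting in collectd.nix) costs little and hides hostnames, process lists and load data from anyone on the path. `services.grafana` is exposed on a public `enableACME` vhost with no admin credential visible in this hunk; unless it is set elsewhere, the module's default admin login applies, so set `security.adminPassword` (and `security.adminUser`) from `secrets` here.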
@@ -1,26 +1,24 @@ -----BEGIN PGP MESSAGE----- -hQEMAwEAjpZflP7cAQgAuUQH4GHZsM4Qh+zUBK9nMQ+Cl+jetPLYv8QFzsTWFOge -gAPdZs5NRi+ncvaoA/jnZtNfo8awtZ7UPT2wh3j102cGB5rB3flsVD61wQuiu1rG -v3wh4875vjHpRZy6JaJuRTHvno0usoebg1dwiVaiFI10oXRzrEtiM+M6CiDeUFGM -aUl356YxRbLgkYHw/R6C5WdssOt4jOuQkXV1Jv+b3Td5HJYLL+Ae9Dwg7MVfGzas -aSboFHatQ2HqS/pTyNLz3zJzoxPWhQPaIFV5V3BpmQvC6qnBp824T2tHz4G9vqND -G3UI6sI1Um/KuPg9pgDdO30O8+1n1E9LxLjwm4vVKNLpASVp/SY8UrJmx5bGFr/0 -qkCuVVPcJm0rr9VAHSGrDwXanE4HFG5W+LFb1EL/gEa2rlcYvv7YsOxMTXjYKBRC -cY9w8NNTsxgGTm1Mn76cCS5sUSLeoPYlYTbgsmGrMO7EEYdOQhFsK1IHv8ANoDA+ -OnciOCLOKCb85cCO5w8zM63Fdz0sK8uDs0W/XUWBmk0vyeqv1dFFExzZ06Y2l4yh -pKwuIb4hEniv0i+T5ElN93PM2nMaxfPj8M4T8DEsIA5kRiO96ITXCJLLEsCxkF2s -fJZ4U4bF7jxj3rErLJthPsA2Xw62vq0I60g7+BcZt/g8Sj0TGmYRR+MvvOeXUuIT -JtqeIFx2c6NbOT5rKqu7HbI5AlRZ1pmjDgfYF0CF6U/0fq5PHbh7ntyRU79Ca8Hn -tr9SU/g3Uq/WMpPzFbZ21+kCXrwBkti4urUkOfUzUO04fUS7SUj/FzgyyBCh3nHG -cRSrcy49f9mvSvV1hxpu0ukWJID8UiDyoM0RqQ8Qab7BrKsCgodUnKFHWIKuYxgX -defCwQzuEq/A4kmB1pPF6F56cfa4wyKVjXgreQzgQxqG4LtjsZGzA84Q/R+2xVxj -LBJzuKzBmuDgwCKw6/9q872Vz8+r1MdeXdpkxEUS8knMbmhHMKw0Pb7vwI5t3JQy -5DziTWV0M6rAuBjXJ0h876XARDwVUue0mNf9FovMvnak4af/cXPWuBCZ+ZDJzL7Y -d5FXz5/Tb5Lqw+qoJtjullDR3Vtntmm4MOUTytVBFWz5NXw5NlVm3KmpLUHK4KbY -grHphnz87JZJ7jA2o1WXPsj8FwzmNpIYqTbB/mp/Gtr4vfarD2Org1uyc16n9e0e -AIePoJIR5Rsrkb51WSuJ4kV+5A1M+YH+k400qYmTcPKeenZvn8RJvjeD7R4ErpK7 -vc3RsAFEdBvsUVidrKM0DmWmMSxeNYU72Bubr8TfHcDOe3ZSotokh1v3JE2gdICQ -LO0PkA3txVH+gjOa02Y9ZiDm0eqWQiwGx5g6TeiKD4jx9zpNfCt7 -=u9KE +hF4DVNqm0KmYcYASAQdAzceaPLCjk6UKh4KT0GkBKnOLxv8fbysTLTXW/kxL2l4w +X+FzhmbeD6jlLoLmYHEKMDvYT6/OdbxdnI803Inlu6URwupUAzTyHmDhG99vw8AB +0ukBDbZs9VEwEV4dXxgyZbBZ2sCNUrEO/WGSHEKmFcSl6XrXAt767StQ10ohce3y +5mf7F/L36+bdqZ4Ndzr+N27p7RQNyAnF9RmyiG6COnlJBuflo5TOyOpF0Az71hid +Nff8xjhnp0DyMAI0xXo2pQvtKgerDuYRsXVNl2eUEHnDg0rd88jt0mt34SvBjI9e +B3Tg4acgSHCNbrGuODc3uW/ellmFEblaZ+ybXV8K1kWarXxgecrOv6sjLS/s9jWD +Pj+qNT/UOaCVXe1bxutc3cPD5m2kgPlZHF3UNcKzpR8HFR/dVcuilHmcaX5D9sm1 
+b77KD3a81blq9xb/bDb9H7JJ+V4z1yCzx2CngetqVQ4Ksgpz+ctUFGQHbDixX2Yn +VRpKNdcVzJZfQy4SPaG2fz0mQdRFJmdqkauaxT/PY/uhDA9QtkIHmE6xjJxOTfqu +guAeVZZtLzy26bSGPiRoO7UfBZQ9nBZrsaV7xtEbq1W6mt/951mZfKC8KpX1cDiO +0ld6+lHH47zCPpA5TSbyy0GY14QMqPmIQvfkL1ul7GfhAYb8Wba+Z1m2BfYis+bn +XQdXkdTJieS0I/Uc1pvXzTzjVHReRisKBreqAeZ97bYZqlV8e4O14GhUqdwEHMSE +Gp6HybrOVA1sVOtvCAcUx2xMVBET0xSNCD0B05e5cbgZQMCPn0aA+qAlNBPXGJzf +0ckP0eOj2iSAjYQNyoCmP8R6ULKc74Pwb4xaNlcPMvlCaDfR/7W1P+u9HDH1/ep+ +SV1nkyW5RRlpWbEfwPI1j50O5FR44sxb7YmrxIPM97p62zCm6wqn7AoRlkztw8pB +XUwfx+mWRusRZrB4fDMTltLtu3Tj6wFanlmK5FYFDnujMZHWUKwuUPgp66Y+W7q0 +4kJSvfi2VXGRKzhWuHTdhNKIm4pDooePQtzBJdqN0xg9j+M5QEjhVqpZf0E/Vtt3 +UI8DpDr71HvNem6HgE74tcCHegjUc5DKEVQjLAFa5nTFPjeMHsQc2VPB2htCtp/f +n0E76Muu4YRHUeroo8LXMuuZ/fJdsyv7avlHYBmn5wPDj1HTbk6sOSKrAaHzDuDX +s2Mb4L+0HHecO3B6uPv1FRPUnV7i+URNcV9UtHt8MGyJyXQ= +=NQWD -----END PGP MESSAGE----- diff --git a/woodhouse/configuration.nix b/woodhouse/configuration.nix index 5cbe44e..63d184c 100644 --- a/woodhouse/configuration.nix +++ b/woodhouse/configuration.nix @@ -11,6 +11,7 @@ in [ # Include the results of the hardware scan. ./hardware-configuration.nix ../roles/common.nix + ../roles/collectd.nix ../modules/tor-hidden-service.nix ../roles/graphical.nix ]; From c9a99431c0b4ec61b0b32310ab8fbee768b88037 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 26 Jan 2017 14:50:56 +0100 Subject: [PATCH 060/172] add tor hidden service on laptop --- ascanius/configuration.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ascanius/configuration.nix b/ascanius/configuration.nix index 68d3545..64b51b6 100644 --- a/ascanius/configuration.nix +++ b/ascanius/configuration.nix @@ -11,6 +11,7 @@ in [ ./hardware-configuration.nix ../roles/common.nix ../roles/graphical.nix + ../modules/tor-hidden-service.nix ]; # no, not that Ascanius. 
@@ -43,4 +44,11 @@ in unset SSH_AGENT_PID export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh" ''; + + services.tor.hiddenServices = [ + { name = "ssh"; + port = 22; + hostname = secrets.tor_hostnames."ssh.ascanius"; + private_key = "/run/keys/torkeys/ssh.ascanius.key"; } + ]; } From 69bddec6fb281aff4f7916b23e17928eaaf99834 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 26 Jan 2017 14:51:44 +0100 Subject: [PATCH 061/172] disable gc on laptop --- ascanius/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/ascanius/configuration.nix b/ascanius/configuration.nix index 64b51b6..e2827fb 100644 --- a/ascanius/configuration.nix +++ b/ascanius/configuration.nix @@ -51,4 +51,5 @@ in hostname = secrets.tor_hostnames."ssh.ascanius"; private_key = "/run/keys/torkeys/ssh.ascanius.key"; } ]; + nix.gc.automatic = pkgs.lib.mkOverride 30 false; } From a44a8ff0aa064067334509082aae335d2ad07ff6 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 26 Jan 2017 14:52:06 +0100 Subject: [PATCH 062/172] switch from synaptics to libinput --- jarvis/hardware-configuration.nix | 2 +- roles/graphical.nix | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/jarvis/hardware-configuration.nix b/jarvis/hardware-configuration.nix index 827fc38..30d451f 100644 --- a/jarvis/hardware-configuration.nix +++ b/jarvis/hardware-configuration.nix @@ -16,7 +16,7 @@ hardware.cpu.intel.updateMicrocode = true; - services.xserver.synaptics.enable = true; + services.xserver.libinput.enable = true; services.thermald.enable = true; networking.wireless.enable = true; diff --git a/roles/graphical.nix b/roles/graphical.nix index 3902ec5..b6131b1 100644 --- a/roles/graphical.nix +++ b/roles/graphical.nix @@ -8,6 +8,10 @@ horizontalScroll = true; scrollDelta = -107; # inverted scrolling }; + libinput = { + naturalScrolling = true; + tappingDragLock = false; + }; layout = "us"; displayManager.slim.defaultUser = "yorick"; # xkbOptions = "eurosign:e"; 
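Review bot: `private_key = "/run/keys/torkeys/ssh.ascanius.key"` points at a path nothing in this config creates, and `hostname` is taken from `secrets` rather than derived from that key, so a mismatch between the two would only show up as an unreachable onion; a short comment saying where the key is deployed from (presumably the `shallot` recipe documented later in this series) and that `hostname` must be the address printed for that same key would document the coupling. Since this publishes SSH on a laptop whenever it is online, it is worth stating in a comment that `services.openssh` on ascanius is key-only, or adding that setting here. The enclosing attribute set continues outside the hunk.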
From 34092c5e7f5717eda827cfa4dd6ec10159f4b62c Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 26 Jan 2017 14:55:53 +0100 Subject: [PATCH 063/172] tmp fix trustedgrub build --- ascanius/configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ascanius/configuration.nix b/ascanius/configuration.nix index e2827fb..868fd48 100644 --- a/ascanius/configuration.nix +++ b/ascanius/configuration.nix @@ -25,6 +25,8 @@ in allowUnfree = true; packageOverrides = pkgs : { bluez = pkgs.bluez5; + # https://github.com/NixOS/nixpkgs/issues/22099 + trustedGrub = pkgs.trustedGrub.overrideDerivation (attr: {NIX_CFLAGS_COMPILE = "-Wno-error";}); }; }; From 02cb36fee7cf456b4d62947aa62c07b7609ffa4e Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 26 Jan 2017 14:56:17 +0100 Subject: [PATCH 064/172] compatibility fix for new nginx configuration --- modules/muflax-blog.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/muflax-blog.nix b/modules/muflax-blog.nix index 14f1553..bfebafa 100644 --- a/modules/muflax-blog.nix +++ b/modules/muflax-blog.nix @@ -28,7 +28,7 @@ in with lib; { config = mkIf cfg.enable { services.nginx = { enable = true; - httpConfig = '' + appendHttpConfig = '' server { index index.html; port_in_redirect off; From 21520bec5f31a21264e887d11720b6e18342bc7f Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 26 Jan 2017 14:57:08 +0100 Subject: [PATCH 065/172] add basic asterisk config --- pennyworth/asterisk.nix | 66 ++++++++++++++++++++++++++++++++++++ pennyworth/configuration.nix | 1 + 2 files changed, 67 insertions(+) create mode 100644 pennyworth/asterisk.nix diff --git a/pennyworth/asterisk.nix b/pennyworth/asterisk.nix new file mode 100644 index 0000000..3126342 --- /dev/null +++ b/pennyworth/asterisk.nix 
@@ -0,0 +1,66 @@ +{ config, pkgs, lib, ... }: + +{ + # todo: the prestart service copies to the wrong dir + services.asterisk = { + enable = true; + #extraArguments = ["-vvvddd"]; + confFiles."asterisk.conf" = '' + [directories] + astetcdir => /etc/asterisk/ + astmoddir => ${pkgs.asterisk}/lib/asterisk/modules + astvarlibdir => /var/lib/asterisk + astdbdir => /var/lib/asterisk + astkeydir => /var/lib/asterisk + astdatadir => /var/lib/asterisk + astagidir => /var/lib/asterisk/agi-bin + astspooldir => /var/spool/asterisk + astrundir => /var/run/asterisk + astlogdir => /var/log/asterisk + astsbindir => ${pkgs.asterisk}/sbin + ''; + }; + environment.etc = { + # Loading all modules by default is considered sensible by the authors of + # "Asterisk: The Definitive Guide". Secure sites will likely want to + # specify their own "modules.conf" in the confFiles option. + "asterisk/modules.conf".text = '' + [modules] + autoload=yes + ''; + + # Use syslog for logging so logs can be viewed with journalctl + "asterisk/logger.conf".text = '' + [general] + [logfiles] + syslog.local0 => notice,warning,error + console => debug,notice,warning,error,verbose,dtmf,fax + ''; + }; + environment.systemPackages = with pkgs; [ + asterisk + ]; + #networking.firewall.allowedUDPPorts = [5060]; + #networking.firewall.allowedTCPPorts = [5060]; + networking.firewall.extraCommands = '' + iptables -A nixos-fw -p udp --dport 5060 -s 193.169.138.0/23 -j nixos-fw-accept + iptables -A nixos-fw -p udp --dport 5060 -s 91.232.130.0/24 -j nixos-fw-accept + iptables -A nixos-fw -p udp --dport 5060 -s 81.205.5.19 -j nixos-fw-accept + iptables -A nixos-fw -p tcp --dport 5060 -s 193.169.138.0/23 -j nixos-fw-accept + iptables -A nixos-fw -p tcp --dport 5060 -s 91.232.130.0/24 -j nixos-fw-accept + iptables -A nixos-fw -p tcp --dport 5060 -s 81.205.5.19 -j nixos-fw-accept + ''; + # nixpkgs.config = { + # packageOverrides = pkgs : { + # asterisk = pkgs.asterisk.overrideDerivation (attrs: rec { + # version = 
"13.11.2"; + # broken = false; + + # src = pkgs.fetchurl { + # url = "http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-${version}.tar.gz"; + # sha256 = "0fjski1cpbxap1kcjg6sgd6c8qpxn8lb1sszpg6iz88vn4dh19vf"; + # }; + # }); + # }; + # }; +} diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix index 2261b19..7b65e38 100644 --- a/pennyworth/configuration.nix +++ b/pennyworth/configuration.nix @@ -22,6 +22,7 @@ in ../modules/tor-hidden-service.nix ../modules/muflax-blog.nix ../modules/backup.nix + ./asterisk.nix ]; networking.hostName = secrets.hostnames.pennyworth; From 7bdb6f91862882a10e391585835af1dd25ddf551 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 28 Jan 2017 19:54:48 +0100 Subject: [PATCH 066/172] tmp: fix firewall --- pennyworth/asterisk.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pennyworth/asterisk.nix b/pennyworth/asterisk.nix index 3126342..2542899 100644 --- a/pennyworth/asterisk.nix +++ b/pennyworth/asterisk.nix 
@@ -43,12 +43,12 @@ #networking.firewall.allowedUDPPorts = [5060]; #networking.firewall.allowedTCPPorts = [5060]; networking.firewall.extraCommands = '' - iptables -A nixos-fw -p udp --dport 5060 -s 193.169.138.0/23 -j nixos-fw-accept - iptables -A nixos-fw -p udp --dport 5060 -s 91.232.130.0/24 -j nixos-fw-accept - iptables -A nixos-fw -p udp --dport 5060 -s 81.205.5.19 -j nixos-fw-accept - iptables -A nixos-fw -p tcp --dport 5060 -s 193.169.138.0/23 -j nixos-fw-accept - iptables -A nixos-fw -p tcp --dport 5060 -s 91.232.130.0/24 -j nixos-fw-accept - iptables -A nixos-fw -p tcp --dport 5060 -s 81.205.5.19 -j nixos-fw-accept + iptables -A nixos-fw -p udp -s 193.169.138.0/23 -j nixos-fw-accept + iptables -A nixos-fw -p udp -s 91.232.130.0/24 -j nixos-fw-accept + iptables -A nixos-fw -p udp -s 81.205.5.19 -j nixos-fw-accept + iptables -A nixos-fw -p tcp -s 193.169.138.0/23 -j nixos-fw-accept + iptables -A nixos-fw -p tcp -s 91.232.130.0/24 -j nixos-fw-accept + iptables -A nixos-fw -p tcp -s 81.205.5.19 -j nixos-fw-accept ''; # nixpkgs.config = { # packageOverrides = pkgs : { From 352b50e0905fdd91f01596289f1ba0f1f27f6208 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sun, 29 Jan 2017 19:12:57 +0100 Subject: [PATCH 067/172] add sensors collectd plugin --- roles/collectd.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/collectd.nix b/roles/collectd.nix index 64dde96..7a05e03 100644 --- a/roles/collectd.nix +++ b/roles/collectd.nix @@ -21,6 +21,7 @@ in LoadPlugin tcpconns LoadPlugin uptime LoadPlugin users + LoadPlugin sensors From 31dd1de293f00d810f0435e0e479ef23d380a3c1 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Mon, 30 Jan 2017 17:41:05 +0100 Subject: [PATCH 068/172] update scripts --- conf | 17 ++++++----------- update_all.sh | 37 ------------------------------------- 2 files changed, 6 insertions(+), 48 deletions(-) delete mode 100755 update_all.sh diff --git a/conf b/conf index 4b8cb5e..ef3fdc3 100755 --- a/conf +++ b/conf 
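Review bot: Removing `--dport 5060` turns a SIP allow-list into a full-host allow-list: every UDP and TCP port on pennyworth — SSH, gogs, the Tor daemon, anything else bound — is now reachable from 193.169.138.0/23, 91.232.130.0/24 and 81.205.5.19, i.e. from two third-party provider networks. If the goal is audio, keep `--dport 5060` on the existing six rules and add the RTP range alongside, e.g. `iptables -A nixos-fw -p udp --dport 10000:20000 -s 193.169.138.0/23 -j nixos-fw-accept` (matching whatever `rtp.conf` sets). The `tmp:` in the subject suggests this is known; a `# FIXME: re-add --dport once the RTP range is confirmed` on these lines would stop it becoming permanent.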
@@ -5,20 +5,15 @@ then sudo chgrp nixbld deploy_key chmod 640 deploy_key fi +export NIX_PATH="ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix case $1 in -local) - export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=`pwd`/ascanius/configuration.nix:secrets=`pwd`/secrets.nix - eval ${@:2} - ;; -remote) - export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-16.09/nixexprs.tar.xz:nixos-config=`pwd`/$2/configuration.nix:ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix +stable) + export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-16.09/nixexprs.tar.xz:nixos-config=`pwd`/$2/configuration.nix:$NIX_PATH" eval ${@:3} ;; -local-deploy) - sudo $0 local nixos-rebuild switch - ;; -remote-deploy) - $0 remote $2 nixos-rebuild --build-host localhost --target-host root@$2 switch +channel) + export NIX_PATH="/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=`pwd`/$2/configuration.nix:$NIX_PATH" + eval ${@:3} ;; update-encrypt) gpg -a -r yorick --encrypt-files secrets.nix deploy_key keys/*.key diff --git a/update_all.sh b/update_all.sh deleted file mode 100755 index e39e7c0..0000000 --- a/update_all.sh +++ /dev/null @@ -1,37 +0,0 @@ -#!/usr/bin/env bash -set -e -userspace_update_cmd="$(cat <" -A hosts.$1) - echo "nix-channel --update" | ssh root@$HOST - cp deploy_key deploy_key2 - chmod 0600 deploy_key2 - ssh-agent bash < Date: Mon, 30 Jan 2017 17:41:54 +0100 Subject: [PATCH 069/172] add tmp pad hosting --- pennyworth/configuration.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix index 7b65e38..831baa9 100644 --- a/pennyworth/configuration.nix +++ b/pennyworth/configuration.nix @@ -100,7 +100,13 @@ in systemctl restart prosody.service ''; }; - ''; + services.nginx.virtualHosts."pad.yori.cc" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:9140"; + }; + }; # hidden SSH service 
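Review bot: The new `stable` and `channel` branches interpolate `$2` and a backtick `pwd` into `NIX_PATH` unquoted and never check that `$2` was given, so a missing host name silently yields `nixos-config=<dir>//configuration.nix` and a working directory containing spaces splits the path. I'd use `"$PWD"` throughout (note that in the added `export NIX_PATH="ssh-id-file=\`pwd\`/deploy_key":secrets=\`pwd\`/secrets.nix` the `secrets=` half sits outside the quotes) and guard the argument at the top of each branch with `[ -n "$2" ] || { echo "usage: $0 $1 HOST CMD..." >&2; exit 1; }`. `eval ${@:3}` re-parses the remaining arguments as shell code; if callers never rely on that, `"${@:3}"` runs them as a plain command and avoids the re-parse. The enclosing `case` continues past the end of the hunk.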
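Review bot: The new `pad.yori.cc` virtual host proxies to `127.0.0.1:9140`, but nothing in the hunk or elsewhere in the commit declares what listens on that port, so a reader of this file cannot tell whether the backend is a NixOS service, a container or something started by hand. A comment on the block would close that gap, e.g. `# reverse proxy for the pad service on 127.0.0.1:9140; the backend is not managed by this config yet ("tmp" in the commit message)`. If the pad needs WebSocket connections (etherpad-style editors usually do), this location block also lacks the upgrade headers; I cannot tell from here which pad software is behind it.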
From fbb3463bd4bcc5df10c294f1132ce266c0ea4d87 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Mon, 30 Jan 2017 18:25:28 +0100 Subject: [PATCH 070/172] add readme --- README.md | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..b25177a --- /dev/null +++ b/README.md @@ -0,0 +1,63 @@ +My nixos configurations. + + +Systems +======= + +[frumar](https://en.wikipedia.org/wiki/Frumar) +-------- + +Physical server. Mostly used for files. (storage: 6 TB hdd + 256GB ssd, RAM: 8GB, 2 cores ht) + +- git hosting +- [public files](./roles/pub.nix) +- torrents +- [quassel](./roles/quassel.nix) + +[pennyworth](https://en.wikipedia.org/wiki/Alfred_Pennyworth) +---------- + +VPS (Storage: 80GB, RAM: 1GB, 2 cores) + +- [grafana](./roles/graphs.nix) +- website +- email +- prosody +- asterisk + +[woodhouse](https://en.wikipedia.org/wiki/List_of_Archer_characters#Recurring_characters) +----------- + +intel nuc connected to the tv (storage: 64GB ssd, RAM: 4GB) + +- kodi +- sshfs mounts to alphonse & frumar + + +[ascanius](https://en.wikipedia.org/wiki/Frumar) +---------- + +hp elitebook 8570w (RAM: 16GB, 4 cores ht, storage: 256GB ssd + 300GB HDD) + +- includes a power saving script + +[jarvis](https://en.wikipedia.org/wiki/Edwin_Jarvis) +-------- + +dell xps 13 (RAM: 16GB, storage: 512GB ssd, 2 cores ht) + +- for now, just run powertop --auto-tune after a reboot I guess + + +Maintenance +=========== + +Generating tor keys: + +``` +$(nix-build packages/shallot.nix --no-out-link)/bin/shallot -f tmp ^PATTERN +head -n3 tmp +tail -n +4 tmp > keys/ssh.HOSTNAME.key +shred tmp && rm tmp + +``` From 258d0d625392cc0e0b4cd109d23350f1c9afa25d Mon Sep 17 00:00:00 2001 
From: Yorick van Pelt Date: Thu, 2 Feb 2017 16:31:19 +0100 Subject: [PATCH 071/172] better hardware/logical separation --- ascanius/configuration.nix | 19 +----------- ascanius/hardware-configuration.nix | 9 +++--- frumar/configuration.nix | 3 -- jarvis/configuration.nix | 28 +----------------- jarvis/hardware-configuration.nix | 11 ++++++- pennyworth/configuration.nix | 4 --- roles/common.nix | 6 ++++ roles/graphical.nix | 21 +++++++------- roles/workstation.nix | 28 ++++++++++++++++++ woodhouse/configuration.nix | 43 +--------------------------- woodhouse/hardware-configuration.nix | 7 +++++ 11 files changed, 68 insertions(+), 111 deletions(-) create mode 100644 roles/workstation.nix diff --git a/ascanius/configuration.nix b/ascanius/configuration.nix index 868fd48..30dccfe 100644 --- a/ascanius/configuration.nix +++ b/ascanius/configuration.nix @@ -10,7 +10,7 @@ in imports = [ ./hardware-configuration.nix ../roles/common.nix - ../roles/graphical.nix + ../roles/workstation.nix ../modules/tor-hidden-service.nix ]; @@ -22,7 +22,6 @@ in systemd.services.scsi-link-pm.enable = false; nixpkgs.config = { - allowUnfree = true; packageOverrides = pkgs : { bluez = pkgs.bluez5; # https://github.com/NixOS/nixpkgs/issues/22099 @@ -30,22 +29,6 @@ in }; }; - services.openssh.enable = true; - - # List packages installed in system profile. To search by name, run: - # $ nix-env -qaP | grep wget - environment.systemPackages = with pkgs; [ - btrfs-progs ghostscript - ]; - - virtualisation.virtualbox.host.enable = true; - - users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword; - services.xserver.displayManager.sessionCommands = '' - gpg-connect-agent /bye - unset SSH_AGENT_PID - export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh" - ''; services.tor.hiddenServices = [ { name = "ssh"; diff --git a/ascanius/hardware-configuration.nix b/ascanius/hardware-configuration.nix index ae6500d..ac6e8fc 100644 --- a/ascanius/hardware-configuration.nix 
+++ b/ascanius/hardware-configuration.nix @@ -59,13 +59,12 @@ fsType = "ext2"; }; + + swapDevices = [ ]; - services.printing = { - enable = true; - drivers = [ pkgs.gutenprint ]; - }; + nix.maxJobs = 8; services.tcsd.enable = true; # it has a TPM. maybe use this? - environment.systemPackages = with pkgs; [tpm-tools]; + environment.systemPackages = with pkgs; [btrfs-progs tpm-tools]; } diff --git a/frumar/configuration.nix b/frumar/configuration.nix index 2906ff6..006c85e 100644 --- a/frumar/configuration.nix +++ b/frumar/configuration.nix @@ -23,9 +23,6 @@ in networking.hostName = secrets.hostnames.frumar; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "15.09"; diff --git a/jarvis/configuration.nix b/jarvis/configuration.nix index 7d95fac..5d81317 100644 --- a/jarvis/configuration.nix +++ b/jarvis/configuration.nix 
@@ -4,48 +4,22 @@ { config, pkgs, ... }: -let secrets = import ; -in { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix ../roles/common.nix - ../roles/graphical.nix + ../roles/workstation.nix ]; - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "jarvis"; # Define your hostname. - # Select internationalisation properties. - i18n.consoleFont = "latarcyrheb-sun32"; - - # List services that you want to enable: - - # Enable the OpenSSH daemon. - # services.openssh.enable = true; # temp - # Enable CUPS to print documents. - services.printing.enable = true; # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "17.03"; - # List packages installed in system profile. To search by name, run: - # $ nix-env -qaP | grep wget - environment.systemPackages = with pkgs; [ - btrfs-progs - ]; - #virtualisation.virtualbox.host.enable = true; - - users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword; services.xserver.displayManager.sessionCommands = '' - gpg-connect-agent /bye - unset SSH_AGENT_PID - export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh" ${pkgs.xorg.xrandr}/bin/xrandr --dpi 192 ''; nix.gc.automatic = pkgs.lib.mkOverride 30 false; diff --git a/jarvis/hardware-configuration.nix b/jarvis/hardware-configuration.nix index 30d451f..6f6dd55 100644 --- a/jarvis/hardware-configuration.nix +++ b/jarvis/hardware-configuration.nix @@ -13,6 +13,12 @@ boot.extraModulePackages = [ ]; boot.blacklistedKernelModules = ["psmouse"]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + hardware.cpu.intel.updateMicrocode = true; @@ -44,6 +50,8 @@ ]; nix.maxJobs = lib.mkDefault 4; + + environment.systemPackages = [pkgs.btrfs-progs]; # ideal... doesn't work. #services.udev.extraRules = '' 
@@ -60,5 +68,6 @@ services.xserver.videoDrivers = ["modesetting"]; hardware.opengl.extraPackages = [ pkgs.vaapiIntel ]; - + # bigger console font + i18n.consoleFont = "latarcyrheb-sun32"; } diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix index 831baa9..9f7be42 100644 --- a/pennyworth/configuration.nix +++ b/pennyworth/configuration.nix @@ -31,14 +31,10 @@ in environment.noXlibs = true; - services.openssh.enable = true; networking.enableIPv6 = lib.mkOverride 30 true; system.stateVersion = "16.03"; - # root password is useful from console, ssh has password logins disabled - users.extraUsers.root.hashedPassword = secrets.pennyworth_hashedPassword; - # email services.mailz = { domain = config.networking.hostName; diff --git a/roles/common.nix b/roles/common.nix index c081cb4..46deeda 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -1,3 +1,5 @@ +let secrets = import ; +in { config, pkgs, lib, ...}: { imports = []; @@ -5,6 +7,9 @@ users.mutableUsers = false; users.extraUsers.root = { openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys; + # root password is useful from console, ssh has password logins disabled + hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own + }; services.timesyncd.enable = true; users.extraUsers.yorick = { @@ -36,6 +41,7 @@ networking.enableIPv6 = false; services.openssh = { + enable = true; passwordAuthentication = false; challengeResponseAuthentication = false; }; diff --git a/roles/graphical.nix b/roles/graphical.nix index b6131b1..84822fc 100644 --- a/roles/graphical.nix +++ b/roles/graphical.nix @@ -1,5 +1,10 @@ +let secrets = import ; +in { config, lib, pkgs, ... }: { + options.yorick.support32bit = with lib; + mkOption { type = types.bool; default = false; }; + config = { # Enable the X11 windowing system. services.xserver = { enable = true; 
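Review bot: The `hashedPassword = secrets.pennyworth_hashedPassword;` added to `users.extraUsers.root` in roles/common.nix now applies to every host that imports the role (per the README that includes the two laptops and the TV box), whereas before this commit only pennyworth and woodhouse set it; one shared root password hash across all machines means a single leaked hash or cracked password opens every host, as the `# TODO: generate own` comment itself acknowledges. The later hunk's `services.openssh.enable = true;` is likewise made global — jarvis had that line deliberately commented out as `# temp` — so every host now runs sshd with the same root credential; password login over ssh is off per the `passwordAuthentication = false` context, so the exposure is console access and hash reuse rather than remote guessing. I'd make the secret per host, e.g. `hashedPassword = secrets.root_hashedPassword.${config.networking.hostName};` (constructed attribute name; the secrets file is not on the page), and keep `services.openssh.enable` in the host configs that actually need it.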
@@ -23,10 +28,10 @@ }; hardware.opengl = { enable = true; - driSupport32Bit = true; + driSupport32Bit = config.yorick.support32bit; }; hardware.pulseaudio.enable = true; - hardware.pulseaudio.support32Bit = true; + hardware.pulseaudio.support32Bit = config.yorick.support32bit; fonts = { enableFontDir = true; @@ -39,16 +44,10 @@ source-han-sans-japanese ]; }; - services.redshift = { - enable = true; - latitude = "51.8"; - longitude = "5.8"; - temperature = { - day = 6500; - night = 5500; - }; - }; # spotify networking.firewall.allowedTCPPorts = [57621]; networking.firewall.allowedUDPPorts = [57621]; + + users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword; +}; } diff --git a/roles/workstation.nix b/roles/workstation.nix new file mode 100644 index 0000000..7a73db5 --- /dev/null +++ b/roles/workstation.nix @@ -0,0 +1,28 @@ +{ config, lib, pkgs, ... }: +{ + imports = [ + ../roles/graphical.nix + ]; + users.extraUsers.yorick.extraGroups = ["input"]; + services.redshift = { + enable = true; + latitude = "51.8"; + longitude = "5.8"; + temperature = { + day = 6500; + night = 5500; + }; + }; + services.printing = { + enable = true; + drivers = [ pkgs.gutenprint ]; + }; + environment.systemPackages = [pkgs.ghostscript]; + services.xserver.displayManager.sessionCommands = '' + gpg-connect-agent /bye + unset SSH_AGENT_PID + export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh" + ''; + virtualisation.virtualbox.host.enable = true; + yorick.support32bit = true; +} diff --git a/woodhouse/configuration.nix b/woodhouse/configuration.nix index 63d184c..d7dae89 100644 --- a/woodhouse/configuration.nix +++ b/woodhouse/configuration.nix 
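Review bot: `users.extraUsers.yorick.extraGroups = ["input"];` in the new roles/workstation.nix has no comment saying which tool needs it; membership in `input` typically grants read access to the raw `/dev/input` event devices, i.e. any process running as that user can observe keyboard events, so the reason should be recorded, e.g. `# "input": needed by <TOOL> for raw /dev/input access; note every process as this user can then read key events`. `virtualisation.virtualbox.host.enable = true;` now also applies to every workstation, while jarvis had it commented out before this commit; if that was deliberate (it loads the vboxdrv kernel module on a laptop that did not have it), move it back to the host configs that use it. The file is complete within the hunk.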
@@ -16,59 +16,18 @@ in ../roles/graphical.nix ]; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = secrets.hostnames.woodhouse; - # Select internationalisation properties. - # i18n = { - # consoleFont = "Lat2-Terminus16"; - # consoleKeyMap = "us"; - # defaultLocale = "en_US.UTF-8"; - # }; - - - # List services that you want to enable: - - hardware.opengl.driSupport32Bit = lib.mkOverride 30 false; - hardware.pulseaudio.support32Bit = lib.mkOverride 30 false; - - - # Enable the OpenSSH daemon. - services.openssh.enable = true; - - - # root password is useful from console, ssh has password logins disabled - users.extraUsers.root.hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own - - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = "eurosign:e"; - - # Enable the KDE Desktop Environment. - # services.xserver.displayManager.kdm.enable = true; - # services.xserver.desktopManager.kde4.enable = true; - # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "16.09"; - services.redshift.enable = lib.mkOverride 30 false; services.xserver = { # displayManager.slim.autoLogin = true; # TODO: debug this }; - users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword; - environment.systemPackages = with pkgs; [ - btrfs-progs - ]; + services.tor.hiddenServices = [ { name = "ssh"; port = 22; diff --git a/woodhouse/hardware-configuration.nix b/woodhouse/hardware-configuration.nix index e1c8a61..51f4a00 100644 --- a/woodhouse/hardware-configuration.nix +++ b/woodhouse/hardware-configuration.nix 
@@ -13,6 +13,9 @@ boot.extraModulePackages = [ ]; hardware.cpu.intel.updateMicrocode = true; + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + fileSystems."/" = { device = "/dev/disk/by-uuid/fa5026b1-0f73-4233-a417-780c65f3f038"; @@ -30,4 +33,8 @@ nix.maxJobs = lib.mkDefault 4; services.xserver.videoDrivers = ["intel"]; + + environment.systemPackages = with pkgs; [ + btrfs-progs + ]; } From 6459a6c0f604cb8b2ecf3c109e53f64b970238f7 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 2 Feb 2017 16:36:25 +0100 Subject: [PATCH 072/172] update linux-nvme --- jarvis/linux-nvme.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jarvis/linux-nvme.nix b/jarvis/linux-nvme.nix index 1efafda..5f7962a 100644 --- a/jarvis/linux-nvme.nix +++ b/jarvis/linux-nvme.nix @@ -16,8 +16,8 @@ linux-nvme = pkgs.fetchFromGitHub { owner = "damige"; repo = "linux-nvme"; - rev = "d6f6df100db9b8f1ee6fc04f8d2f8ddbcbec87f8"; - sha256 = "0iqxzk3q7vzg7gmqrlvq1lf9wf3qfq5dm79hjsb48s6q12l3ml06"; + rev = "49204bb12ca0797e17d70f21bb947a99eaeebbfa"; + sha256 = "1bybrr0j7n81vhf3g36cm8sfmax0kp0b3xndlbcr5im9zrlkvwkj"; }; in map (name: { patch = "${linux-nvme}/src/${kver}/${name}.patch"; inherit name; }) (if kernel_newer_4_9 From 36b1a550c40225e91bfb1dcba089d16b1fcc2f90 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 2 Feb 2017 16:58:48 +0100 Subject: [PATCH 073/172] split off functionality into roles --- README.md | 10 +-- frumar/configuration.nix | 2 - pennyworth/configuration.nix | 118 ++--------------------------- {pennyworth => roles}/asterisk.nix | 0 roles/common.nix | 3 + roles/mail.nix | 35 +++++++++ roles/website.nix | 50 ++++++++++++ roles/xmpp.nix | 55 ++++++++++++++ 8 files changed, 154 insertions(+), 119 deletions(-) rename {pennyworth => roles}/asterisk.nix (100%) create mode 100644 roles/mail.nix create mode 100644 roles/website.nix create mode 100644 roles/xmpp.nix 
diff --git a/README.md b/README.md index b25177a..72f5bbe 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ Systems Physical server. Mostly used for files. (storage: 6 TB hdd + 256GB ssd, RAM: 8GB, 2 cores ht) -- git hosting +- [git hosting](./modules/gogs.nix) - [public files](./roles/pub.nix) - torrents - [quassel](./roles/quassel.nix) @@ -20,10 +20,10 @@ Physical server. Mostly used for files. (storage: 6 TB hdd + 256GB ssd, RAM: 8GB VPS (Storage: 80GB, RAM: 1GB, 2 cores) - [grafana](./roles/graphs.nix) -- website -- email -- prosody -- asterisk +- [website](./roles/website.nix) +- [email](./roles/main.nix) +- [prosody](./roles/xmpp.nix) +- [asterisk](./roles/asterisk.nix) [woodhouse](https://en.wikipedia.org/wiki/List_of_Archer_characters#Recurring_characters) ----------- diff --git a/frumar/configuration.nix b/frumar/configuration.nix index 006c85e..7da4f79 100644 --- a/frumar/configuration.nix +++ b/frumar/configuration.nix @@ -28,8 +28,6 @@ in gogs.domain = "git.yori.cc"; nginxssl.enable = true; - # Let's Encrypt configuration. - security.acme.preliminarySelfsigned = true; # hidden SSH service diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix index 9f7be42..3e142c7 100644 --- a/pennyworth/configuration.nix +++ b/pennyworth/configuration.nix @@ -17,12 +17,12 @@ in ../roles/common.nix ../roles/collectd.nix ../roles/graphs.nix - ../modules/mailz.nix - ../modules/nginx.nix + ../roles/xmpp.nix + ../roles/website.nix + ../roles/mail.nix ../modules/tor-hidden-service.nix ../modules/muflax-blog.nix - ../modules/backup.nix - ./asterisk.nix + ../roles/asterisk.nix ]; networking.hostName = secrets.hostnames.pennyworth; 
@@ -34,68 +34,9 @@ in networking.enableIPv6 = lib.mkOverride 30 true; system.stateVersion = "16.03"; + + nginxssl.enable = true; - # email - services.mailz = { - domain = config.networking.hostName; - keydir = acmeKeyDir; - mainUser = "yorick"; - users = { - yorick = with secrets; { - password = yorick_mailPassword; - domains = email_domains; - }; - }; - }; - services.backup = { - enable = true; - backups = { - mail = { - dir = "/var/spool/mail"; - remote = "webdavs://mail@yorickvp.stackstorage.com/remote.php/webdav//mail_bak"; - keyfile = "/var/backup/creds"; - interval = "daily"; - }; - }; - }; - # website + lets encrypt challenge hosting - nginxssl = { - enable = true; - challenges."${config.networking.hostName}" = acmeWebRoot; - servers."yori.cc" = { - key_root = acmeKeyDir; - key_webroot = acmeWebRoot; - contents = '' - location / { - rewrite ^(.*) https://yorickvanpelt.nl$1 permanent; - } - ''; - }; - servers."yorickvanpelt.nl" = { - key_root = acmeKeyDir; - key_webroot = acmeWebRoot; - contents = '' - location / { - root ${yoricc}/web; - } - ''; - }; - }; - - - # Let's Encrypt configuration. - security.acme.preliminarySelfsigned = true; - security.acme.certs."yori.cc" = - { email = secrets.email; - extraDomains = { - "${config.networking.hostName}" = null; - "yorickvanpelt.nl" = null; - }; - webroot = acmeWebRoot; - postRun = ''systemctl reload nginx.service dovecot2.service postfix.service - systemctl restart prosody.service - ''; - }; services.nginx.virtualHosts."pad.yori.cc" = { enableACME = true; forceSSL = true; 
@@ -113,53 +54,6 @@ in private_key = "/run/keys/torkeys/ssh.pennyworth.key"; } ]; - # XMPP - services.prosody = let - # TODO: this should be in nixpkgs - prosodyModules = pkgs.fetchhg { - name = "prosody-modules-22042016"; - rev = "e0b8b8a50013"; - sha256 = "06qd46bmwjpzrygih91fv7z7g8z60kn0qyr7cf06a57a28117wdy"; - url = "https://hg.prosody.im/prosody-modules/"; - }; - in { - enable = true; - - allowRegistration = false; - extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist" "mam" "carbons" "smacks"]; - virtualHosts.yoricc = { - enabled = true; - domain = "yori.cc"; - ssl = { - key = "/var/lib/prosody/keys/key.pem"; - cert = "/var/lib/prosody/keys/fullchain.pem"; - }; - }; - # TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub? - extraConfig = '' - plugin_paths = { "${prosodyModules}" } - use_libevent = true - s2s_require_encryption = true - c2s_require_encryption = true - archive_expires_after = "never" - storage = { - archive2 = "sql"; - } - ''; - - admins = [ "yorick@yori.cc"]; - }; - nixpkgs.config.packageOverrides = pkgs: - # FIXME: ugly hacks! - { prosody = pkgs.prosody.override { withZlib = true; luazlib = luadbi; }; - }; - systemd.services.prosody.serviceConfig.PermissionsStartOnly = true; - systemd.services.prosody.preStart = '' - mkdir -m 0700 -p /var/lib/prosody/keys - cp ${acmeKeyDir}/key.pem ${acmeKeyDir}/fullchain.pem /var/lib/prosody/keys - chown -R prosody:prosody /var/lib/prosody - ''; - networking.firewall.allowedTCPPorts = [5222 5269]; services.muflax-blog = { enable = true; diff --git a/pennyworth/asterisk.nix b/roles/asterisk.nix similarity index 100% rename from pennyworth/asterisk.nix rename to roles/asterisk.nix diff --git a/roles/common.nix b/roles/common.nix index 46deeda..243ad85 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -97,5 +97,8 @@ in rxvt_unicode.terminfo ]; nix.gc.automatic = true; + + security.acme.preliminarySelfsigned = true; + } 
diff --git a/roles/mail.nix b/roles/mail.nix
new file mode 100644
index 0000000..fde9845
--- /dev/null
+++ b/roles/mail.nix
@@ -0,0 +1,35 @@
+{ config, pkgs, lib, ... }:
+let secrets = import ;
+in
+{
+ imports = [
+ ../modules/mailz.nix
+ ../modules/backup.nix
+ ];
+ config = {
+ # email
+ services.mailz = {
+ domain = config.networking.hostName;
+ keydir = acmeKeyDir;
+ mainUser = "yorick";
+ users = {
+ yorick = with secrets; {
+ password = yorick_mailPassword;
+ domains = email_domains;
+ };
+ };
+ };
+ services.backup = {
+ enable = true;
+ backups = {
+ mail = {
+ dir = "/var/spool/mail";
+ remote = "webdavs://mail@yorickvp.stackstorage.com/remote.php/webdav//mail_bak";
+ keyfile = "/var/backup/creds";
+ interval = "daily";
+ };
+ };
+ };
+
+ };
+}
diff --git a/roles/website.nix b/roles/website.nix
new file mode 100644
index 0000000..a63db4c
--- /dev/null
+++ b/roles/website.nix
@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+
+let
+ secrets = import ;
+ yoricc = import ../packages/yori-cc.nix;
+ acmeWebRoot = "/etc/sslcerts/acmeroot";
+ acmeKeyDir = "${config.security.acme.directory}/yori.cc";
+in
+{
+ imports = [
+ ../modules/nginx.nix
+ ];
+ # website + lets encrypt challenge hosting
+ nginxssl = {
+ enable = true;
+ challenges."${config.networking.hostName}" = acmeWebRoot;
+ servers."yori.cc" = {
+ key_root = acmeKeyDir;
+ key_webroot = acmeWebRoot;
+ contents = ''
+ location / {
+ rewrite ^(.*) https://yorickvanpelt.nl$1 permanent;
+ }
+ '';
+ };
+ servers."yorickvanpelt.nl" = {
+ key_root = acmeKeyDir;
+ key_webroot = acmeWebRoot;
+ contents = ''
+ location / {
+ root ${yoricc}/web;
+ }
+ '';
+ };
+ };
+
+
+ # Let's Encrypt configuration.
+ security.acme.certs."yori.cc" =
+ { email = secrets.email;
+ extraDomains = {
+ "${config.networking.hostName}" = null;
+ "yorickvanpelt.nl" = null;
+ };
+ webroot = acmeWebRoot;
+ postRun = ''systemctl reload nginx.service dovecot2.service postfix.service
+ systemctl restart prosody.service
+ '';
+ };
+}
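Review bot: `keydir = acmeKeyDir;` in the new roles/mail.nix refers to a name the file never binds — its `let` only defines `secrets`, and the `acmeKeyDir` this block relied on lived in pennyworth/configuration.nix, which this commit strips — so evaluating any host that imports the role will fail with an undefined-variable error. The same dangling reference is in roles/xmpp.nix (`cp ${acmeKeyDir}/key.pem ...` in the prosody preStart). The fix is the one-line binding roles/website.nix already carries, `acmeKeyDir = "${config.security.acme.directory}/yori.cc";`, added to each file's `let`; better still a single shared option so the three roles cannot drift apart.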
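Review bot: The `postRun` in the new roles/website.nix reloads `dovecot2.service` and `postfix.service` and restarts `prosody.service`, units that are defined by roles/mail.nix and roles/xmpp.nix rather than this file, so a host that imports the website role alone will have its ACME renewal hook fail on the missing units. If `security.acme.certs.<name>.postRun` is merged as lines, as I believe it is, each role can append its own step: keep `postRun = "systemctl reload nginx.service";` here and move `systemctl reload dovecot2.service postfix.service` to mail.nix and `systemctl restart prosody.service` to xmpp.nix. The file is complete within the hunk.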
diff --git a/roles/xmpp.nix b/roles/xmpp.nix
new file mode 100644
index 0000000..7bc575b
--- /dev/null
+++ b/roles/xmpp.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+let
+ luadbi = pkgs.callPackage ../packages/luadbi.nix {};
+in
+{
+ # XMPP
+ services.prosody = let
+ # TODO: this should be in nixpkgs
+ prosodyModules = pkgs.fetchhg {
+ name = "prosody-modules-22042016";
+ rev = "e0b8b8a50013";
+ sha256 = "06qd46bmwjpzrygih91fv7z7g8z60kn0qyr7cf06a57a28117wdy";
+ url = "https://hg.prosody.im/prosody-modules/";
+ };
+ in {
+ enable = true;
+
+ allowRegistration = false;
+ extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist" "mam" "carbons" "smacks"];
+ virtualHosts.yoricc = {
+ enabled = true;
+ domain = "yori.cc";
+ ssl = {
+ key = "/var/lib/prosody/keys/key.pem";
+ cert = "/var/lib/prosody/keys/fullchain.pem";
+ };
+ };
+ # TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub?
+ extraConfig = ''
+ plugin_paths = { "${prosodyModules}" }
+ use_libevent = true
+ s2s_require_encryption = true
+ c2s_require_encryption = true
+ archive_expires_after = "never"
+ storage = {
+ archive2 = "sql";
+ }
+ '';
+
+ admins = [ "yorick@yori.cc"];
+ };
+ nixpkgs.config.packageOverrides = pkgs:
+ # FIXME: ugly hacks!
+ { prosody = pkgs.prosody.override { withZlib = true; luazlib = luadbi; };
+ };
+ systemd.services.prosody.serviceConfig.PermissionsStartOnly = true;
+ systemd.services.prosody.preStart = ''
+ mkdir -m 0700 -p /var/lib/prosody/keys
+ cp ${acmeKeyDir}/key.pem ${acmeKeyDir}/fullchain.pem /var/lib/prosody/keys
+ chown -R prosody:prosody /var/lib/prosody
+ '';
+ networking.firewall.allowedTCPPorts = [5222 5269];
+
+}
From 0cc302ce6a88e5f5f4700ecfcd604e91f331ba20 Mon Sep 17 00:00:00 2001
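Review bot: `archive_expires_after = "never"` in the new roles/xmpp.nix keeps the server-side message archive (presumably mod_mam's store, given `mam` in `extraModules` and `archive2 = "sql"`) indefinitely, so a compromise of the prosody database exposes the complete conversation history of every account, and nothing records that this retention is intended. Either pick a finite window, e.g. `archive_expires_after = "1y"`, or put a Lua comment beside it such as `-- keep MAM history forever: deliberate, clients rely on the server-side archive` so the choice is visible to the next reader. The file is complete within the hunk.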
From: Yorick van Pelt Date: Thu, 2 Feb 2017 17:15:17 +0100 Subject: [PATCH 074/172] move files out of subdirs --- frumar/configuration.nix => logical/frumar.nix | 2 +- pennyworth/configuration.nix => logical/pennyworth.nix | 2 +- woodhouse/configuration.nix => logical/woodhouse.nix | 2 +- frumar/hardware-configuration.nix => physical/frumar.nix | 0 .../hardware-configuration.nix => physical/pennyworth.nix | 0 woodhouse/hardware-configuration.nix => physical/woodhouse.nix | 0 6 files changed, 3 insertions(+), 3 deletions(-) rename frumar/configuration.nix => logical/frumar.nix (96%) rename pennyworth/configuration.nix => logical/pennyworth.nix (97%) rename woodhouse/configuration.nix => logical/woodhouse.nix (98%) rename frumar/hardware-configuration.nix => physical/frumar.nix (100%) rename pennyworth/hardware-configuration.nix => physical/pennyworth.nix (100%) rename woodhouse/hardware-configuration.nix => physical/woodhouse.nix (100%) diff --git a/frumar/configuration.nix b/logical/frumar.nix similarity index 96% rename from frumar/configuration.nix rename to logical/frumar.nix index 7da4f79..fac885c 100644 --- a/frumar/configuration.nix +++ b/logical/frumar.nix @@ -10,7 +10,7 @@ in { imports = [ # Include the results of the hardware scan. - ./hardware-configuration.nix + ../psysical/frumar.nix ../roles/common.nix ../modules/nginx.nix ../modules/gogs.nix # todo: better separation here diff --git a/pennyworth/configuration.nix b/logical/pennyworth.nix similarity index 97% rename from pennyworth/configuration.nix rename to logical/pennyworth.nix index 3e142c7..c392ca2 100644 --- a/pennyworth/configuration.nix +++ b/logical/pennyworth.nix @@ -13,7 +13,7 @@ let in { imports = [ - ./hardware-configuration.nix + ../physical/pennyworth.nix ../roles/common.nix ../roles/collectd.nix ../roles/graphs.nix 
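Review bot: The new import path `../psysical/frumar.nix` in logical/frumar.nix is misspelled — the commit moves the file to `physical/frumar.nix`, and the pennyworth and woodhouse hunks import `../physical/...` — so evaluating frumar will fail with a missing-file error; the line should read `../physical/frumar.nix`. The following commit's rename of the same line to `../psysical/fractal.nix` carries the typo forward.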
diff --git a/woodhouse/configuration.nix b/logical/woodhouse.nix similarity index 98% rename from woodhouse/configuration.nix rename to logical/woodhouse.nix index d7dae89..b15ffa6 100644 --- a/woodhouse/configuration.nix +++ b/logical/woodhouse.nix @@ -9,7 +9,7 @@ in { imports = [ # Include the results of the hardware scan. - ./hardware-configuration.nix + ../physical/woodhouse.nix ../roles/common.nix ../roles/collectd.nix ../modules/tor-hidden-service.nix diff --git a/frumar/hardware-configuration.nix b/physical/frumar.nix similarity index 100% rename from frumar/hardware-configuration.nix rename to physical/frumar.nix diff --git a/pennyworth/hardware-configuration.nix b/physical/pennyworth.nix similarity index 100% rename from pennyworth/hardware-configuration.nix rename to physical/pennyworth.nix diff --git a/woodhouse/hardware-configuration.nix b/physical/woodhouse.nix similarity index 100% rename from woodhouse/hardware-configuration.nix rename to physical/woodhouse.nix From c57cefa71bb28fba225d37d96e89c926dbf7cfb1 Mon Sep 17 00:00:00 2001 
From: Yorick van Pelt Date: Thu, 2 Feb 2017 17:22:03 +0100 Subject: [PATCH 075/172] another round of renaming --- ascanius/configuration.nix => logical/ascanius.nix | 2 +- logical/frumar.nix | 2 +- jarvis/configuration.nix => logical/jarvis.nix | 2 +- logical/pennyworth.nix | 2 +- logical/woodhouse.nix | 2 +- {jarvis => modules}/linux-nvme.nix | 0 physical/{frumar.nix => fractal.nix} | 0 ascanius/hardware-configuration.nix => physical/hp8570w.nix | 2 +- {ascanius => physical/hp8570w}/powerdown.nix | 0 {ascanius => physical/hp8570w}/powerdown/Makefile | 0 {ascanius => physical/hp8570w}/powerdown/default.nix | 0 {ascanius => physical/hp8570w}/powerdown/license.txt | 0 {ascanius => physical/hp8570w}/powerdown/powerdown | 0 {ascanius => physical/hp8570w}/powerdown/powerdown-functions | 0 {ascanius => physical/hp8570w}/powerdown/powernow | 0 {ascanius => physical/hp8570w}/powerdown/powerswitch | 0 {ascanius => physical/hp8570w}/powerdown/powerup | 0 physical/{pennyworth.nix => kassala.nix} | 0 physical/{woodhouse.nix => nuc.nix} | 0 jarvis/hardware-configuration.nix => physical/xps9360.nix | 0 20 files changed, 6 insertions(+), 6 deletions(-) rename ascanius/configuration.nix => logical/ascanius.nix (96%) rename jarvis/configuration.nix => logical/jarvis.nix (95%) rename {jarvis => modules}/linux-nvme.nix (100%) rename physical/{frumar.nix => fractal.nix} (100%) rename ascanius/hardware-configuration.nix => physical/hp8570w.nix (98%) rename {ascanius => physical/hp8570w}/powerdown.nix (100%) rename {ascanius => physical/hp8570w}/powerdown/Makefile (100%) rename {ascanius => physical/hp8570w}/powerdown/default.nix (100%) rename {ascanius => physical/hp8570w}/powerdown/license.txt (100%) rename {ascanius => physical/hp8570w}/powerdown/powerdown (100%) rename {ascanius => physical/hp8570w}/powerdown/powerdown-functions (100%) rename {ascanius => physical/hp8570w}/powerdown/powernow (100%) rename {ascanius => physical/hp8570w}/powerdown/powerswitch (100%) rename {ascanius 
=> physical/hp8570w}/powerdown/powerup (100%) rename physical/{pennyworth.nix => kassala.nix} (100%) rename physical/{woodhouse.nix => nuc.nix} (100%) rename jarvis/hardware-configuration.nix => physical/xps9360.nix (100%) diff --git a/ascanius/configuration.nix b/logical/ascanius.nix similarity index 96% rename from ascanius/configuration.nix rename to logical/ascanius.nix index 30dccfe..37ecfbe 100644 --- a/ascanius/configuration.nix +++ b/logical/ascanius.nix @@ -8,7 +8,7 @@ let secrets = import ; in { imports = - [ ./hardware-configuration.nix + [ ../physical/hp8570w.nix ../roles/common.nix ../roles/workstation.nix ../modules/tor-hidden-service.nix diff --git a/logical/frumar.nix b/logical/frumar.nix index fac885c..d08e01f 100644 --- a/logical/frumar.nix +++ b/logical/frumar.nix @@ -10,7 +10,7 @@ in { imports = [ # Include the results of the hardware scan. - ../psysical/frumar.nix + ../psysical/fractal.nix ../roles/common.nix ../modules/nginx.nix ../modules/gogs.nix # todo: better separation here diff --git a/jarvis/configuration.nix b/logical/jarvis.nix similarity index 95% rename from jarvis/configuration.nix rename to logical/jarvis.nix index 5d81317..40d6f5e 100644 --- a/jarvis/configuration.nix +++ b/logical/jarvis.nix @@ -7,7 +7,7 @@ { imports = [ # Include the results of the hardware scan. - ./hardware-configuration.nix + ../physical/xps9360.nix ../roles/common.nix ../roles/workstation.nix ]; diff --git a/logical/pennyworth.nix b/logical/pennyworth.nix index c392ca2..c2ce059 100644 --- a/logical/pennyworth.nix +++ b/logical/pennyworth.nix @@ -13,7 +13,7 @@ let in { imports = [ - ../physical/pennyworth.nix + ../physical/kassala.nix ../roles/common.nix ../roles/collectd.nix ../roles/graphs.nix diff --git a/logical/woodhouse.nix b/logical/woodhouse.nix index b15ffa6..172f3c8 100644 --- a/logical/woodhouse.nix +++ b/logical/woodhouse.nix 
@@ -9,7 +9,7 @@ in { imports = [ # Include the results of the hardware scan. - ../physical/woodhouse.nix + ../physical/nuc.nix ../roles/common.nix ../roles/collectd.nix ../modules/tor-hidden-service.nix diff --git a/jarvis/linux-nvme.nix b/modules/linux-nvme.nix similarity index 100% rename from jarvis/linux-nvme.nix rename to modules/linux-nvme.nix diff --git a/physical/frumar.nix b/physical/fractal.nix similarity index 100% rename from physical/frumar.nix rename to physical/fractal.nix diff --git a/ascanius/hardware-configuration.nix b/physical/hp8570w.nix similarity index 98% rename from ascanius/hardware-configuration.nix rename to physical/hp8570w.nix index ac6e8fc..be8a1eb 100644 --- a/ascanius/hardware-configuration.nix +++ b/physical/hp8570w.nix @@ -4,7 +4,7 @@ { imports = [ - ./powerdown.nix + ./hp8570w/powerdown.nix ]; hardware.cpu.intel.updateMicrocode = true; diff --git a/ascanius/powerdown.nix b/physical/hp8570w/powerdown.nix similarity index 100% rename from ascanius/powerdown.nix rename to physical/hp8570w/powerdown.nix diff --git a/ascanius/powerdown/Makefile b/physical/hp8570w/powerdown/Makefile similarity index 100% rename from ascanius/powerdown/Makefile rename to physical/hp8570w/powerdown/Makefile diff --git a/ascanius/powerdown/default.nix b/physical/hp8570w/powerdown/default.nix similarity index 100% rename from ascanius/powerdown/default.nix rename to physical/hp8570w/powerdown/default.nix diff --git a/ascanius/powerdown/license.txt b/physical/hp8570w/powerdown/license.txt similarity index 100% rename from ascanius/powerdown/license.txt rename to physical/hp8570w/powerdown/license.txt diff --git a/ascanius/powerdown/powerdown b/physical/hp8570w/powerdown/powerdown similarity index 100% rename from ascanius/powerdown/powerdown rename to physical/hp8570w/powerdown/powerdown 
diff --git a/ascanius/powerdown/powerdown-functions b/physical/hp8570w/powerdown/powerdown-functions similarity index 100% rename from ascanius/powerdown/powerdown-functions rename to physical/hp8570w/powerdown/powerdown-functions diff --git a/ascanius/powerdown/powernow b/physical/hp8570w/powerdown/powernow similarity index 100% rename from ascanius/powerdown/powernow rename to physical/hp8570w/powerdown/powernow diff --git a/ascanius/powerdown/powerswitch b/physical/hp8570w/powerdown/powerswitch similarity index 100% rename from ascanius/powerdown/powerswitch rename to physical/hp8570w/powerdown/powerswitch diff --git a/ascanius/powerdown/powerup b/physical/hp8570w/powerdown/powerup similarity index 100% rename from ascanius/powerdown/powerup rename to physical/hp8570w/powerdown/powerup diff --git a/physical/pennyworth.nix b/physical/kassala.nix similarity index 100% rename from physical/pennyworth.nix rename to physical/kassala.nix diff --git a/physical/woodhouse.nix b/physical/nuc.nix similarity index 100% rename from physical/woodhouse.nix rename to physical/nuc.nix diff --git a/jarvis/hardware-configuration.nix b/physical/xps9360.nix similarity index 100% rename from jarvis/hardware-configuration.nix rename to physical/xps9360.nix From 5cb4dc11c02dff80069bcbb42ea15a5db6bec990 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 2 Feb 2017 18:58:13 +0100 Subject: [PATCH 076/172] fix paths --- conf | 4 ++-- physical/xps9360.nix | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/conf b/conf index ef3fdc3..bf3069b 100755 --- a/conf +++ b/conf 
@@ -8,11 +8,11 @@ fi export NIX_PATH="ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix case $1 in stable) - export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-16.09/nixexprs.tar.xz:nixos-config=`pwd`/$2/configuration.nix:$NIX_PATH" + export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-16.09/nixexprs.tar.xz:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH" eval ${@:3} ;; channel) - export NIX_PATH="/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=`pwd`/$2/configuration.nix:$NIX_PATH" + export NIX_PATH="/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH" eval ${@:3} ;; update-encrypt) diff --git a/physical/xps9360.nix b/physical/xps9360.nix index 6f6dd55..eec78b4 100644 --- a/physical/xps9360.nix +++ b/physical/xps9360.nix @@ -5,7 +5,7 @@ { imports = [ - ./linux-nvme.nix + ../modules/linux-nvme.nix ]; boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; From 8e8697255ee0bb2c9ea648349dd535ac2500226e Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 2 Feb 2017 23:14:55 +0100 Subject: [PATCH 077/172] add release-unstable.nix --- release-unstable.nix | 9 +++++++++ secrets_dummy.nix | 18 ++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 release-unstable.nix create mode 100644 secrets_dummy.nix diff --git a/release-unstable.nix b/release-unstable.nix new file mode 100644 index 0000000..7662f1a --- /dev/null +++ b/release-unstable.nix @@ -0,0 +1,9 @@ +let + nixos = import ; + nixpkgs = import {}; + nixosFor = path: nixos {configuration = import path;}; +in +{ + ascanius = nixpkgs.lib.hydraJob (nixosFor ./logical/ascanius.nix).system; + jarvis = nixpkgs.lib.hydraJob (nixosFor ./logical/jarvis.nix).system; +} diff --git a/secrets_dummy.nix b/secrets_dummy.nix new file mode 100644 index 0000000..eb33136 --- /dev/null +++ b/secrets_dummy.nix 
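Review bot: The rewritten `nixos-config` entries still trust `$2` blindly: running `./conf stable` with the host name forgotten produces `nixos-config=.../logical/.nix`, and a typo only surfaces as a Nix evaluation error after the channel tarball has been fetched. Guard it once before the `case`, e.g. `[ -f "logical/$2.nix" ] || { echo "unknown host: $2" >&2; exit 1; }`. The `case` body continues outside this hunk.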
@@ -0,0 +1,18 @@ +{ + pennyworth_hashedPassword = ""; + yorick_hashedPassword = ""; + tor_hostnames = { + "ssh.pennyworth" = "q.onion"; + "ssh.frumar" = "q.onion"; + "ssh.woodhouse" = "q.onion"; + "ssh.ascanius" = "q.onion"; + }; + hostnames = { + frumar = "q"; + ospinio = "q"; + ascanius = "q"; + pennyworth = "q"; + woodhouse = "q"; + jarvis = "q"; + }; +} From 4703a2f5b75aa77cf7fdad5e3f5986698740e0cf Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Mon, 27 Feb 2017 16:20:21 +0100 Subject: [PATCH 078/172] add keep-going always --- roles/common.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/common.nix b/roles/common.nix index 243ad85..9cf115b 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -35,6 +35,7 @@ in allow-unfree = true binary-caches-parallel-connections = 3 connect-timeout = 5 + keep-going = true ''; # Networking From 5caaa521fca324c4561c19892a8d59cbf5f38ea4 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Mon, 27 Feb 2017 16:20:31 +0100 Subject: [PATCH 079/172] x11 forwarding --- roles/graphical.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/graphical.nix b/roles/graphical.nix index 84822fc..236697e 100644 --- a/roles/graphical.nix +++ b/roles/graphical.nix @@ -49,5 +49,6 @@ in networking.firewall.allowedUDPPorts = [57621]; users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword; + services.openssh.forwardX11 = true; }; } From 3113d052a798486743cbaf0dcd98146221e71129 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Mon, 13 Mar 2017 23:53:23 +0100 Subject: [PATCH 080/172] update linux-nvme, downgrade kernel to 4.9 (but add builds for >4.8) --- conf | 4 ++++ logical/jarvis.nix | 6 +++++- modules/linux-nvme.nix | 38 +++++++++++++++++++++++++------------- physical/xps9360.nix | 23 +++++++++++++++++++++-- 4 files changed, 55 insertions(+), 16 deletions(-) diff --git a/conf b/conf index bf3069b..de65c0a 100755 --- a/conf +++ b/conf 
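Review bot: `pennyworth_hashedPassword = ""` and `yorick_hashedPassword = ""` are unsafe placeholders: an empty `hashedPassword` ends up as an empty password field in /etc/shadow, and depending on the PAM `nullok` setting that can mean password-less login if this dummy file is ever what `<secrets>` resolves to on a real build (the `release-unstable.nix` added in this same commit evaluates the host configs, so the dummy is clearly meant to be fed in somewhere). Use a locked sentinel instead, e.g. `yorick_hashedPassword = "!";`, which can never match a typed password. The `q` / `q.onion` hostname dummies are fine since they only affect naming.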
@@ -7,6 +7,10 @@ then fi export NIX_PATH="ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix case $1 in +git) + export NIX_PATH="nixpkgs=https://github.com/NixOS/nixpkgs/archive/master.tar.gz:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH" + eval ${@:3} + ;; stable) export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-16.09/nixexprs.tar.xz:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH" eval ${@:3} diff --git a/logical/jarvis.nix b/logical/jarvis.nix index 40d6f5e..a167497 100644 --- a/logical/jarvis.nix +++ b/logical/jarvis.nix @@ -23,5 +23,9 @@ ${pkgs.xorg.xrandr}/bin/xrandr --dpi 192 ''; nix.gc.automatic = pkgs.lib.mkOverride 30 false; - + # nix.trustedBinaryCaches = [http://192.168.1.27:5000]; + # nix.binaryCachePublicKeys = [ + # "hydra.example.org-1:NbZfmBIhIevVM5OZ81TbwruSC9etkIrdi1mR6AAdm98=" + # ]; + virtualisation.virtualbox.host.enable = pkgs.lib.mkOverride 30 false; } diff --git a/modules/linux-nvme.nix b/modules/linux-nvme.nix index 5f7962a..e32626a 100644 --- a/modules/linux-nvme.nix +++ b/modules/linux-nvme.nix 
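Review bot: The new `git)` branch points `nixpkgs` at `https://github.com/NixOS/nixpkgs/archive/master.tar.gz`, an unpinned moving target: each run fetches whatever master is at that moment with no hash check, so the resulting system is not reproducible and the whole package set is trusted on GitHub TLS alone. Pin a commit archive instead (`archive/<rev>.tar.gz`, with the rev in a variable at the top of the script so it is bumped deliberately), or move the nixpkgs choice into a Nix file that uses `fetchTarball { url = ...; sha256 = ...; }` and is verified on download. The `case` statement continues outside this hunk.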
@@ -1,27 +1,39 @@ { config, lib, pkgs, ... }: # check if it's working: # nix-shell -p nvme-cli --command "sudo nvme get-feature -f 0x0c -H /dev/nvme0" | grep Enable -{ boot = rec { +let +cfg = config.linux_nvme; +inherit (lib) mkIf mkOption mkEnableOption; +in +{ + options.linux_nvme = { + basekpkgs = mkOption { default = pkgs.linuxPackages_latest; }; + gofaster = mkEnableOption "enable parallel building on kernel"; + nvmepatch = mkEnableOption "enable nvme patch"; + }; + config.boot = rec { # gotta go faster - kernelPackages = pkgs.linuxPackages_latest // { - kernel = pkgs.linuxPackages_latest.kernel.overrideDerivation (attr: { + kernelPackages = mkIf cfg.gofaster (cfg.basekpkgs // { + kernel = cfg.basekpkgs.kernel.overrideDerivation (attr: { enableParallelBuilding = true; }); - }; + }); - kernelPatches = let - kver = kernelPackages.kernel.version; - kernel_newer_4_9 = builtins.compareVersions kver "4.9" > -1; + kernelPatches = mkIf cfg.nvmepatch (let + newerThan = v: builtins.compareVersions config.boot.kernelPackages.kernel.version v > -1; # https://github.com/damige/linux-nvme/ linux-nvme = pkgs.fetchFromGitHub { owner = "damige"; repo = "linux-nvme"; - rev = "49204bb12ca0797e17d70f21bb947a99eaeebbfa"; - sha256 = "1bybrr0j7n81vhf3g36cm8sfmax0kp0b3xndlbcr5im9zrlkvwkj"; + rev = "4e9b1de7ad5386f6c8c208d81005a77d79460d26"; + sha256 = "151pnv1gjrcmlvw8bx0ndpvn254jjy394h8yr3sgh2gqbc5i1aqp"; }; - in map (name: { patch = "${linux-nvme}/src/${kver}/${name}.patch"; inherit name; }) - (if kernel_newer_4_9 - then ["APST" "pm_qos1" "pm_qos2" "pm_qos3" "nvme"] - else ["nvmepatch1-V4" "nvmepatch2-V4" "nvmepatch3-V4"]); + mkpatches = dir: map (name: { patch = "${linux-nvme}/patches/${dir}/${name}.patch"; inherit name; }); + in + if newerThan "4.11" then [] else + if newerThan "4.10" then (mkpatches "4.10.x" ["APST"]) else + if newerThan "4.9" then (mkpatches "4.9.x" ["APST" "pm_qos1" "pm_qos2" "pm_qos3" "nvme"]) else + if newerThan "4.8" then (mkpatches "4.8.x" 
["nvmepatch1-V4" "nvmepatch2-V4" "nvmepatch3-V4"]) else + throw "unknown kernel version"); }; } diff --git a/physical/xps9360.nix b/physical/xps9360.nix index eec78b4..84de475 100644 --- a/physical/xps9360.nix +++ b/physical/xps9360.nix @@ -12,8 +12,24 @@ boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; boot.blacklistedKernelModules = ["psmouse"]; - + linux_nvme = { + basekpkgs = pkgs.linuxPackages_4_9; + gofaster = true; + nvmepatch = true; + }; + # boot.kernelPackages = pkgs.linuxPackagesFor ((pkgs.linux_testing.override { + # argsOverride = { + # version = "4.11.0-drm"; + # modDirVersion = "4.11.0-rc1"; + # src = pkgs.fetchgit { + # url = "git://anongit.freedesktop.org/drm-intel"; + # rev = "1d1c80ec6d4d6ac72aa80920d5290776f3c81a86"; + # sha256 = "1879cgzag8072rp99prhm3nqaf90z63j74p7si931bvz4qj4z7s0"; + # }; + # }; + # }).overrideDerivation (attr: {enableParallelBuilding = true;})); + # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; @@ -27,7 +43,10 @@ networking.wireless.enable = true; hardware.bluetooth.enable = true; - boot.kernelParams = ["i915.enable_fbc=1"]; # "i915.enable_psr=1"]; # lvds downclock is no longer a thing + # https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options + # might require linux 4.11 + boot.kernelParams = ["i915.enable_fbc=1" "i915.enable_guc_loading=1" "i915.enable_guc_submission=1" "i915.enable_huc=1" "i915.enable_psr=2"]; + # now we wait until enable_psr=1 is fixed fileSystems."/" = { device = "/dev/disk/by-uuid/a751e4ea-f1aa-48e1-9cbe-423878e29b62"; From 959090068f1381f5ab8d7a23d009c4fd5b56b450 Mon Sep 17 00:00:00 2001 
From: Yorick van Pelt Date: Sat, 8 Apr 2017 23:14:57 +0200 Subject: [PATCH 081/172] nixos 16.09 -> 17.03 --- README.md | 2 +- conf | 2 +- logical/frumar.nix | 5 +-- logical/pennyworth.nix | 3 -- modules/gogs.nix | 86 ------------------------------------------ packages/yori-cc.nix | 6 +-- roles/asterisk.nix | 37 ++++++------------ roles/gogs.nix | 58 ++++++++++++++++++++++++++++ roles/mail.nix | 1 + roles/quassel.nix | 2 +- roles/xmpp.nix | 1 + 11 files changed, 79 insertions(+), 124 deletions(-) delete mode 100644 modules/gogs.nix create mode 100644 roles/gogs.nix diff --git a/README.md b/README.md index 72f5bbe..3e3ab44 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ Systems Physical server. Mostly used for files. (storage: 6 TB hdd + 256GB ssd, RAM: 8GB, 2 cores ht) -- [git hosting](./modules/gogs.nix) +- [git hosting](./roles/gogs.nix) - [public files](./roles/pub.nix) - torrents - [quassel](./roles/quassel.nix) diff --git a/conf b/conf index de65c0a..d479d0f 100755 --- a/conf +++ b/conf @@ -12,7 +12,7 @@ git) eval ${@:3} ;; stable) - export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-16.09/nixexprs.tar.xz:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH" + export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-17.03/nixexprs.tar.xz:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH" eval ${@:3} ;; channel) diff --git a/logical/frumar.nix b/logical/frumar.nix index d08e01f..0c71722 100644 --- a/logical/frumar.nix +++ b/logical/frumar.nix @@ -10,10 +10,10 @@ in { imports = [ # Include the results of the hardware scan. - ../psysical/fractal.nix + ../physical/fractal.nix ../roles/common.nix ../modules/nginx.nix - ../modules/gogs.nix # todo: better separation here + ../roles/gogs.nix ../modules/tor-hidden-service.nix ../roles/quassel.nix ../roles/pub.nix @@ -26,7 +26,6 @@ in # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "15.09"; - gogs.domain = "git.yori.cc"; nginxssl.enable = true; # hidden SSH service 
diff --git a/logical/pennyworth.nix b/logical/pennyworth.nix index c2ce059..0be506a 100644 --- a/logical/pennyworth.nix +++ b/logical/pennyworth.nix @@ -7,9 +7,6 @@ let secrets = import ; yoricc = import ../packages/yori-cc.nix; - luadbi = pkgs.callPackage ../packages/luadbi.nix {}; - acmeWebRoot = "/etc/sslcerts/acmeroot"; - acmeKeyDir = "${config.security.acme.directory}/yori.cc"; in { imports = [ diff --git a/modules/gogs.nix b/modules/gogs.nix deleted file mode 100644 index 6dd9b5f..0000000 --- a/modules/gogs.nix +++ /dev/null 
@@ -1,86 +0,0 @@ -{ config, pkgs, lib, ... }: -let - gitHome = "/var/gogs"; - gogs = pkgs.callPackage ../packages/gogs.nix { }; - gogsPort = 8001; - domain = config.gogs.domain; - gogsConfig = pkgs.writeText "gogs.ini" '' -APP_NAME = Gogs: Go Git Service -RUN_USER = git -RUN_MODE = prod -[database] -DB_TYPE = sqlite3 -HOST = 127.0.0.1:3306 -NAME = gogs -USER = root -PASSWD = -SSL_MODE = disable -PATH = ${gitHome}/data/gogs.db -[repository] -ROOT = ${gitHome}/gogs-repositories -[server] -DOMAIN = ${domain} -HTTP_PORT = ${toString gogsPort} -ROOT_URL = https://${domain}/ -DISABLE_SSH = false -SSH_PORT = 22 -OFFLINE_MODE = false -[mailer] -ENABLED = false -[service] -REGISTER_EMAIL_CONFIRM = false -ENABLE_NOTIFY_MAIL = false -DISABLE_REGISTRATION = true -REQUIRE_SIGNIN_VIEW = false -[picture] -DISABLE_GRAVATAR = false -AVATAR_UPLOAD_PATH = ${gitHome}/data/avatars -[session] -PROVIDER = file -[log] -ROOT_PATH = ${gitHome}/logs -MODE = file -LEVEL = Info -[security] -INSTALL_LOCK = true -''; -inherit (lib) mkOption types; -in -{ - #imports = [./nginx.nix]; - options.gogs = { - domain = mkOption { - type = types.string; - description = "The domain to run the servers on"; - default = {}; - example = "git.domain.com"; - }; - }; - config = -{ - users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; useDefaultShell = true;}; - users.extraGroups.git = { }; - systemd.services.gogs = { - path = with pkgs; [ git openssh bash ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "simple"; - Restart = "always"; - User = "git"; - Group = "git"; - ExecStart = "${gogs}/gogs web -c ${gogsConfig}"; - WorkingDirectory = gitHome; - }; - }; - services.nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString gogsPort}"; - extraConfig = '' - proxy_buffering off; - ''; - }; - }; -}; -} diff --git a/packages/yori-cc.nix b/packages/yori-cc.nix index eaa3e5e..f118f68 100644 
--- a/packages/yori-cc.nix +++ b/packages/yori-cc.nix @@ -3,12 +3,12 @@ with import {}; let gogitget = callPackage ./gogitget.nix {}; in stdenv.mkDerivation { - name = "yori-cc-1.3"; + name = "yori-cc-1.3.5"; src = gogitget { "url" = "git@git.yori.cc:yorick/yori-cc.git"; - "rev" = "db207b9fd74a1036d2272c38dcbb6de504cf590a"; - "sha256" = "1rqsv7pdij15f6nxxwggw58q12ggl6g7gjjq73sbdz1v9x78xbzp"; + "rev" = "f049e4330dfb64bbbaf700897269c003fce8b5c4"; + "sha256" = "1x8knlsp7cx52sr15gr0yhj1vl8ncznrqn4nvaycgwmhr1kysffr"; }; buildInputs = [ ]; diff --git a/roles/asterisk.nix b/roles/asterisk.nix index 2542899..f54b0fc 100644 --- a/roles/asterisk.nix +++ b/roles/asterisk.nix 
@@ -5,37 +5,22 @@ services.asterisk = { enable = true; #extraArguments = ["-vvvddd"]; - confFiles."asterisk.conf" = '' - [directories] - astetcdir => /etc/asterisk/ - astmoddir => ${pkgs.asterisk}/lib/asterisk/modules - astvarlibdir => /var/lib/asterisk - astdbdir => /var/lib/asterisk - astkeydir => /var/lib/asterisk - astdatadir => /var/lib/asterisk - astagidir => /var/lib/asterisk/agi-bin - astspooldir => /var/spool/asterisk - astrundir => /var/run/asterisk - astlogdir => /var/log/asterisk - astsbindir => ${pkgs.asterisk}/sbin - ''; - }; - environment.etc = { - # Loading all modules by default is considered sensible by the authors of - # "Asterisk: The Definitive Guide". Secure sites will likely want to - # specify their own "modules.conf" in the confFiles option. - "asterisk/modules.conf".text = '' - [modules] - autoload=yes - ''; - - # Use syslog for logging so logs can be viewed with journalctl - "asterisk/logger.conf".text = '' + confFiles."logger.conf" = '' [general] [logfiles] syslog.local0 => notice,warning,error console => debug,notice,warning,error,verbose,dtmf,fax ''; + confFiles."extensions.conf" = '' + [from-sim] + exten => _X.,1,Verbose(Call from Limesco SIM [''${CALLERID(num)}] to [''${EXTEN}]) + same => n,Dial(SIP/speakup01/''${EXTEN}) + + [from-speakup] + ; Vervang ... door de rest van je DIY-nummer: + exten => 31626972516,1,Verbose(Call from SpeakUp [''${CALLERID(num)}] to [''${EXTEN}]) + same => n,Dial(SIP/limesco/''${EXTEN}) + ''; }; environment.systemPackages = with pkgs; [ asterisk diff --git a/roles/gogs.nix b/roles/gogs.nix new file mode 100644 index 0000000..37e40d1 --- /dev/null +++ b/roles/gogs.nix 
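Review bot: The `[from-sim]` context added to extensions.conf matches `_X.` and dials whatever was entered straight out via `Dial(SIP/speakup01/${EXTEN})`, so any endpoint that lands in that context can originate calls on the SpeakUp trunk; if the peer mapped to `from-sim` is not strictly tied to the Limesco registration (host, secret, `insecure=no`), this is a toll-fraud relay. Tighten the pattern to the prefixes you actually expect, or at least route anything else to a `Hangup()` after the `Verbose`. The destination `31626972516` in `[from-speakup]` is a personal phone number committed in the clear; roles/mail.nix in this same commit shows the `secrets = import <secrets>` pattern, so it could live there, e.g. `exten => ${secrets.speakup_did},1,...`. The Dutch template comment `; Vervang ... door de rest van je DIY-nummer:` no longer matches the literal number below it and should be dropped or rewritten in English.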
@@ -0,0 +1,58 @@ +{ config, pkgs, lib, ... }: +let + gitHome = "/var/gogs"; + gogs = pkgs.callPackage ../packages/gogs.nix { }; + gogsPort = 8001; + domain = "git.yori.cc"; +in +{ + imports = [ + ../modules/nginx.nix + ]; + + users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; useDefaultShell = true;}; + users.extraGroups.git = { }; + services.gogs = rec { + enable = true; + user = "git"; + group = "git"; + database.user = "root"; + stateDir = gitHome; + repositoryRoot = "${stateDir}/gogs-repositories"; + rootUrl = "https://${domain}/"; + httpAddress = "localhost"; + httpPort = gogsPort; + extraConfig = '' + [service] + REGISTER_EMAIL_CONFIRM = false + ENABLE_NOTIFY_MAIL = false + DISABLE_REGISTRATION = true + REQUIRE_SIGNIN_VIEW = false + [picture] + DISABLE_GRAVATAR = false + AVATAR_UPLOAD_PATH = ${gitHome}/data/avatars + [mailer] + ENABLED = false + [session] + PROVIDER = file + [log] + ROOT_PATH = ${gitHome}/logs + MODE = file + LEVEL = Info + [server] + DISABLE_ROUTER_LOG = true + ''; + inherit domain; + }; + users.extraUsers.gogs.createHome = lib.mkForce false; + services.nginx.virtualHosts.${domain} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString gogsPort}"; + extraConfig = '' + proxy_buffering off; + ''; + }; + }; +} diff --git a/roles/mail.nix b/roles/mail.nix index fde9845..8dfd293 100644 --- a/roles/mail.nix +++ b/roles/mail.nix @@ -1,5 +1,6 @@ { config, pkgs, lib, ... }: let secrets = import ; +acmeKeyDir = "${config.security.acme.directory}/yori.cc"; in { imports = [ diff --git a/roles/quassel.nix b/roles/quassel.nix index 75bf8a6..b7e595e 100644 --- a/roles/quassel.nix +++ b/roles/quassel.nix @@ -19,7 +19,7 @@ interfaces = ["0.0.0.0"]; }; environment.systemPackages = [ - pkgs.kde4.quasselDaemon + pkgs.quasselDaemon ]; networking.firewall.allowedTCPPorts = [4242]; }; diff --git a/roles/xmpp.nix b/roles/xmpp.nix index 7bc575b..c654637 100644 --- a/roles/xmpp.nix 
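Review bot: The replacement config drops the `[security] INSTALL_LOCK = true` that the deleted modules/gogs.nix carried, and the new `extraConfig` has no `[security]` section at all; unless the 17.03 `services.gogs` module writes `INSTALL_LOCK` into its generated app.ini itself (I believe it does, but verify), the `/install` wizard is reachable on the public vhost and lets an anonymous visitor reconfigure the instance, so add a `[security]` / `INSTALL_LOCK = true` pair to `extraConfig` defensively. `database.user = "root"` is left over from the old MySQL-style block; with the module's default sqlite backend it is inert, but it reads as a credential and should go. `users.extraUsers.gogs.createHome = lib.mkForce false` implies the module still creates a `gogs` user next to the `git` one you run as, which deserves a one-line comment saying that is intentional.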
+++ b/roles/xmpp.nix @@ -2,6 +2,7 @@ let luadbi = pkgs.callPackage ../packages/luadbi.nix {}; + acmeKeyDir = "${config.security.acme.directory}/yori.cc"; in { # XMPP From 8036714ef0fb3618dcd2e614e3a2b9e06e685d4b Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 8 Apr 2017 23:20:11 +0200 Subject: [PATCH 082/172] add iosevka, upgrade kernel to testing --- logical/jarvis.nix | 3 ++- physical/xps9360.nix | 2 +- roles/graphical.nix | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/logical/jarvis.nix b/logical/jarvis.nix index a167497..9b30d18 100644 --- a/logical/jarvis.nix +++ b/logical/jarvis.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { imports = @@ -17,6 +17,7 @@ # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "17.03"; + networking.enableIPv6 = lib.mkOverride 30 true; services.xserver.displayManager.sessionCommands = '' diff --git a/physical/xps9360.nix b/physical/xps9360.nix index 84de475..0af2377 100644 --- a/physical/xps9360.nix +++ b/physical/xps9360.nix @@ -13,7 +13,7 @@ boot.extraModulePackages = [ ]; boot.blacklistedKernelModules = ["psmouse"]; linux_nvme = { - basekpkgs = pkgs.linuxPackages_4_9; + basekpkgs = pkgs.linuxPackages_testing; gofaster = true; nvmepatch = true; }; diff --git a/roles/graphical.nix b/roles/graphical.nix index 236697e..ab68a15 100644 --- a/roles/graphical.nix +++ b/roles/graphical.nix @@ -42,6 +42,7 @@ in source-code-pro ubuntu_font_family # Ubuntu fonts source-han-sans-japanese + iosevka ]; }; # spotify From 1fa2add0b35177751209537967a4612323c5df06 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Fri, 28 Apr 2017 18:09:28 +0200 Subject: [PATCH 083/172] switch to systemd-networkd --- physical/xps9360.nix | 1 + 1 file changed, 1 insertion(+) 
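Review bot: `acmeKeyDir = "${config.security.acme.directory}/yori.cc"` is now declared identically in roles/mail.nix and roles/xmpp.nix in this commit after being removed from logical/pennyworth.nix, so two private copies of the certificate path will drift the first time the domain or the ACME directory changes. Expose it once, for example as an option on the nginx module that already owns the ACME challenge handling, and have both roles read it from `config`; the let-block it lives in starts outside this hunk.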
diff --git a/physical/xps9360.nix b/physical/xps9360.nix index 0af2377..30b808c 100644 --- a/physical/xps9360.nix +++ b/physical/xps9360.nix @@ -42,6 +42,7 @@ services.thermald.enable = true; networking.wireless.enable = true; + networking.useNetworkd = true; hardware.bluetooth.enable = true; # https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options # might require linux 4.11 From 089078acfe4028ec3513b7b8dad571ac1d96b201 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Fri, 28 Apr 2017 18:09:47 +0200 Subject: [PATCH 084/172] mount oxygen instead of alphonse --- logical/woodhouse.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/logical/woodhouse.nix b/logical/woodhouse.nix index 172f3c8..bb1f161 100644 --- a/logical/woodhouse.nix +++ b/logical/woodhouse.nix @@ -46,8 +46,8 @@ in "uid=1000" "reconnect" "IdentityFile=/root/.ssh/id_sshfs"]; }; - fileSystems."/mnt/alphonse" = { - device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@quassel.rasusan.nl:/mnt/storinator"; + fileSystems."/mnt/oxygen" = { + device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@oxygen.obfusk.ch:"; fsType = "fuse"; options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user" "defaults" "allow_other" "transform_symlinks" "default_permissions" From 2bfbc8bb82a40c607466eb23c2e566e4784fe24b Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Wed, 3 May 2017 18:57:44 +0200 Subject: [PATCH 085/172] 4.11 stable released. can finally stop building my own kernel --- modules/linux-nvme.nix | 39 --------------------------------------- physical/xps9360.nix | 21 +++------------------ 2 files changed, 3 insertions(+), 57 deletions(-) delete mode 100644 modules/linux-nvme.nix diff --git a/modules/linux-nvme.nix b/modules/linux-nvme.nix deleted file mode 100644 index e32626a..0000000 --- a/modules/linux-nvme.nix +++ /dev/null 
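Review bot: The new `/mnt/oxygen` automount authenticates to `oxygen.obfusk.ch` with root's `id_sshfs` key, but nothing in the option list pins the server's host key; on first automount sshfs will either block on the unknown-host prompt or, if root's ssh config has `StrictHostKeyChecking` relaxed, accept whatever key is presented, and an impostor could then serve arbitrary content into a mount that is `allow_other` for every local user. Add the host to `programs.ssh.knownHosts` (or pass `StrictHostKeyChecking=yes` with a pre-populated known_hosts) so the automount fails closed, e.g. `programs.ssh.knownHosts.oxygen = { hostNames = [ "oxygen.obfusk.ch" ]; publicKey = "ssh-ed25519 ..."; };`. Whether the previous `quassel.rasusan.nl` target was pinned is not visible here; the same applies to it if not.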
@@ -1,39 +0,0 @@ -{ config, lib, pkgs, ... }: -# check if it's working: -# nix-shell -p nvme-cli --command "sudo nvme get-feature -f 0x0c -H /dev/nvme0" | grep Enable -let -cfg = config.linux_nvme; -inherit (lib) mkIf mkOption mkEnableOption; -in -{ - options.linux_nvme = { - basekpkgs = mkOption { default = pkgs.linuxPackages_latest; }; - gofaster = mkEnableOption "enable parallel building on kernel"; - nvmepatch = mkEnableOption "enable nvme patch"; - }; - config.boot = rec { - # gotta go faster - kernelPackages = mkIf cfg.gofaster (cfg.basekpkgs // { - kernel = cfg.basekpkgs.kernel.overrideDerivation (attr: { - enableParallelBuilding = true; - }); - }); - - kernelPatches = mkIf cfg.nvmepatch (let - newerThan = v: builtins.compareVersions config.boot.kernelPackages.kernel.version v > -1; - # https://github.com/damige/linux-nvme/ - linux-nvme = pkgs.fetchFromGitHub { - owner = "damige"; - repo = "linux-nvme"; - rev = "4e9b1de7ad5386f6c8c208d81005a77d79460d26"; - sha256 = "151pnv1gjrcmlvw8bx0ndpvn254jjy394h8yr3sgh2gqbc5i1aqp"; - }; - mkpatches = dir: map (name: { patch = "${linux-nvme}/patches/${dir}/${name}.patch"; inherit name; }); - in - if newerThan "4.11" then [] else - if newerThan "4.10" then (mkpatches "4.10.x" ["APST"]) else - if newerThan "4.9" then (mkpatches "4.9.x" ["APST" "pm_qos1" "pm_qos2" "pm_qos3" "nvme"]) else - if newerThan "4.8" then (mkpatches "4.8.x" ["nvmepatch1-V4" "nvmepatch2-V4" "nvmepatch3-V4"]) else - throw "unknown kernel version"); - }; -} diff --git a/physical/xps9360.nix b/physical/xps9360.nix index 30b808c..7018f01 100644 --- a/physical/xps9360.nix +++ b/physical/xps9360.nix 
@@ -5,31 +5,16 @@ { imports = [ - ../modules/linux-nvme.nix ]; boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; boot.blacklistedKernelModules = ["psmouse"]; - linux_nvme = { - basekpkgs = pkgs.linuxPackages_testing; - gofaster = true; - nvmepatch = true; - }; - # boot.kernelPackages = pkgs.linuxPackagesFor ((pkgs.linux_testing.override { - # argsOverride = { - # version = "4.11.0-drm"; - # modDirVersion = "4.11.0-rc1"; - # src = pkgs.fetchgit { - # url = "git://anongit.freedesktop.org/drm-intel"; - # rev = "1d1c80ec6d4d6ac72aa80920d5290776f3c81a86"; - # sha256 = "1879cgzag8072rp99prhm3nqaf90z63j74p7si931bvz4qj4z7s0"; - # }; - # }; - # }).overrideDerivation (attr: {enableParallelBuilding = true;})); - + boot.kernelPackages = pkgs.linuxPackages_4_11; + + # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; From 3a71af1d29e455e67e79a16f7dd54bd6ed8212f0 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Wed, 3 May 2017 18:58:06 +0200 Subject: [PATCH 086/172] switch back to dhcpcd, resolved is slow. still gotta go faster though. --- physical/xps9360.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/physical/xps9360.nix b/physical/xps9360.nix index 7018f01..477d868 100644 --- a/physical/xps9360.nix +++ b/physical/xps9360.nix @@ -27,7 +27,9 @@ services.thermald.enable = true; networking.wireless.enable = true; - networking.useNetworkd = true; + networking.dhcpcd.extraConfig = '' + noarp + ''; hardware.bluetooth.enable = true; # https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options # might require linux 4.11 From 7a7acb67f18d53dac2177f2f18b3b2fcaf4c8f58 Mon Sep 17 00:00:00 2001 
From: Yorick van Pelt Date: Fri, 16 Jun 2017 17:11:16 +0200 Subject: [PATCH 087/172] gogs switched out --- packages/gogs.nix | 19 ------------------- roles/gogs.nix | 1 - 2 files changed, 20 deletions(-) delete mode 100644 packages/gogs.nix diff --git a/packages/gogs.nix b/packages/gogs.nix deleted file mode 100644 index f055612..0000000 --- a/packages/gogs.nix +++ /dev/null @@ -1,19 +0,0 @@ -# https://uggz.tk/gebner/nixos-config/src/master/pkgs/gogs.nix -{ nixpkgs ? import {} }: with nixpkgs; -stdenv.mkDerivation rec { - name = "gogs-${version}"; - version = "0.9.113"; - src = fetchzip { - url = "https://dl.gogs.io/gogs_v${version}_linux_amd64.tar.gz"; - sha256 = "0gwpshzch1b0s810pd5cpiad1skvnjhsd6kx9gmlbw2whdp2jf2r"; - }; - buildPhase = '' - patchelf \ - --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - --set-rpath ${pam}/lib \ - gogs - ''; - installPhase = '' - cp -ra ./ $out/ - ''; -} diff --git a/roles/gogs.nix b/roles/gogs.nix index 37e40d1..3dfc15e 100644 --- a/roles/gogs.nix +++ b/roles/gogs.nix @@ -1,7 +1,6 @@ { config, pkgs, lib, ... }: let gitHome = "/var/gogs"; - gogs = pkgs.callPackage ../packages/gogs.nix { }; gogsPort = 8001; domain = "git.yori.cc"; in From 83805a80784f4f73b436bfc052b30f2e81f1da53 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Fri, 16 Jun 2017 17:11:40 +0200 Subject: [PATCH 088/172] only get df stats for real drives --- roles/collectd.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/collectd.nix b/roles/collectd.nix index 7a05e03..c9589c6 100644 --- a/roles/collectd.nix +++ b/roles/collectd.nix @@ -33,6 +33,12 @@ in Password "${secrets.influx_pass.${config.networking.hostName}}" + + FSType "btrfs" + FSType "ext3" + FSType "ext4" + FSType "vfat" + ''; }; boot.kernel.sysctl."net.core.rmem_max" = 26214400; From b85c8eb54ad6cc58f74b7a247abed53a74afea6a Mon Sep 17 00:00:00 2001 
From: Yorick van Pelt Date: Fri, 16 Jun 2017 17:12:03 +0200 Subject: [PATCH 089/172] nyamsas, oxygen mount --- logical/woodhouse.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/logical/woodhouse.nix b/logical/woodhouse.nix index bb1f161..da2863c 100644 --- a/logical/woodhouse.nix +++ b/logical/woodhouse.nix @@ -52,9 +52,19 @@ in options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user" "defaults" "allow_other" "transform_symlinks" "default_permissions" "uid=1000" - "reconnect" "IdentityFile=/root/.ssh/id_sshfs" "port=15777"]; + "reconnect" "IdentityFile=/root/.ssh/id_sshfs"]; }; + fileSystems."/mnt/nyamsas" = { + device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@nyamsas.quezacotl.nl:"; + fsType = "fuse"; + options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user" + "defaults" "allow_other" "transform_symlinks" "default_permissions" + "uid=1000" + "reconnect" "IdentityFile=/root/.ssh/id_sshfs" "port=1337"]; + }; + + networking.firewall.allowedTCPPorts = [7 8080 9090 9777]; # kodi } From ba6141aff8b93707b4c19449fa0f3323f28df160 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Wed, 21 Jun 2017 14:31:57 +0200 Subject: [PATCH 090/172] update secrets --- secrets.nix.asc | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/secrets.nix.asc b/secrets.nix.asc index 6783e4b..bc4510c 100644 --- a/secrets.nix.asc +++ b/secrets.nix.asc 
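Review bot: The new `/mnt/nyamsas` block is the third verbatim copy of the same twelve sshfs options, differing only in remote and `port=`; the previous hunk already shows the copies drifting (`port=15777` dropped from one, `port=1337` added to another). Factor a `sshfsMount` helper into the let-block (which starts outside this hunk) so the option list is written once and a host-key or option change applies to every mount. Like the other mounts, this one relies on root's known_hosts for `nyamsas.quezacotl.nl`; pin it in `programs.ssh.knownHosts` as well.
```nix
# in the let-block (starts outside this hunk)
sshfsMount = remote: extra: {
  device = "${pkgs.sshfsFuse}/bin/sshfs#${remote}";
  fsType = "fuse";
  options = [ "noauto" "x-systemd.automount" "_netdev" "users" "idmap=user"
              "defaults" "allow_other" "transform_symlinks" "default_permissions"
              "uid=1000" "reconnect" "IdentityFile=/root/.ssh/id_sshfs" ] ++ extra;
};
# … unchanged: other let bindings …
fileSystems."/mnt/oxygen"  = sshfsMount "yorick@oxygen.obfusk.ch:" [ ];
fileSystems."/mnt/nyamsas" = sshfsMount "yorick@nyamsas.quezacotl.nl:" [ "port=1337" ];
```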
@@ -1,24 +1,24 @@ -----BEGIN PGP MESSAGE----- -hF4DVNqm0KmYcYASAQdAzceaPLCjk6UKh4KT0GkBKnOLxv8fbysTLTXW/kxL2l4w -X+FzhmbeD6jlLoLmYHEKMDvYT6/OdbxdnI803Inlu6URwupUAzTyHmDhG99vw8AB -0ukBDbZs9VEwEV4dXxgyZbBZ2sCNUrEO/WGSHEKmFcSl6XrXAt767StQ10ohce3y -5mf7F/L36+bdqZ4Ndzr+N27p7RQNyAnF9RmyiG6COnlJBuflo5TOyOpF0Az71hid -Nff8xjhnp0DyMAI0xXo2pQvtKgerDuYRsXVNl2eUEHnDg0rd88jt0mt34SvBjI9e -B3Tg4acgSHCNbrGuODc3uW/ellmFEblaZ+ybXV8K1kWarXxgecrOv6sjLS/s9jWD -Pj+qNT/UOaCVXe1bxutc3cPD5m2kgPlZHF3UNcKzpR8HFR/dVcuilHmcaX5D9sm1 -b77KD3a81blq9xb/bDb9H7JJ+V4z1yCzx2CngetqVQ4Ksgpz+ctUFGQHbDixX2Yn -VRpKNdcVzJZfQy4SPaG2fz0mQdRFJmdqkauaxT/PY/uhDA9QtkIHmE6xjJxOTfqu -guAeVZZtLzy26bSGPiRoO7UfBZQ9nBZrsaV7xtEbq1W6mt/951mZfKC8KpX1cDiO -0ld6+lHH47zCPpA5TSbyy0GY14QMqPmIQvfkL1ul7GfhAYb8Wba+Z1m2BfYis+bn -XQdXkdTJieS0I/Uc1pvXzTzjVHReRisKBreqAeZ97bYZqlV8e4O14GhUqdwEHMSE -Gp6HybrOVA1sVOtvCAcUx2xMVBET0xSNCD0B05e5cbgZQMCPn0aA+qAlNBPXGJzf -0ckP0eOj2iSAjYQNyoCmP8R6ULKc74Pwb4xaNlcPMvlCaDfR/7W1P+u9HDH1/ep+ -SV1nkyW5RRlpWbEfwPI1j50O5FR44sxb7YmrxIPM97p62zCm6wqn7AoRlkztw8pB -XUwfx+mWRusRZrB4fDMTltLtu3Tj6wFanlmK5FYFDnujMZHWUKwuUPgp66Y+W7q0 -4kJSvfi2VXGRKzhWuHTdhNKIm4pDooePQtzBJdqN0xg9j+M5QEjhVqpZf0E/Vtt3 -UI8DpDr71HvNem6HgE74tcCHegjUc5DKEVQjLAFa5nTFPjeMHsQc2VPB2htCtp/f -n0E76Muu4YRHUeroo8LXMuuZ/fJdsyv7avlHYBmn5wPDj1HTbk6sOSKrAaHzDuDX -s2Mb4L+0HHecO3B6uPv1FRPUnV7i+URNcV9UtHt8MGyJyXQ= -=NQWD +hF4DnqWDuZcZnF8SAQdAVaj8bZhjRpGWqpVtj1KWoNTs1IiYuICgYUSCgRKksyow +76JN8cddpQ9IqjDa/8uyX0fR6vtN7Twm65eEn3ucj8B8mGfIG8m3PQpOd4ue2akP +0ukBgi5zb+IZWFhkd1D8ahkV2OAiND62uILIOFbWrsAvW3A+/+xTGyGRBRmuSlwC +Ud+coyE74JC8nYkLbLRO/fpxDWeg9UeRLip6zHaAUkx9hdn57Uhv3UH4KhIYNJKC +s4N59XTeig2s+rkA+NK2E6QiywJAbjOyqb4XQSq84er4UjlR8tODTkuzGXnfAEKa +6ND3Fd+BF3K+C0TUfwmSEsVZJfA74T9XAM93ki1aZ3aRLxDaW6CPOb3gVJQhgleC +KsQp9QonFPaseJFQmDSpsstDlxxLBp+L+fyohsBAoT/+vHkxumFcJdATZYV9dNqp +x5d+xK36jpmhgV4mE979bl1gDZpay5lUdS2LRQjd3c09DE4JHyXn/Xqk64HUZvT0 +3OZa0TzIlfHfQi3FfpHAwFHMDIu/EN70KgoPiN9GE3NYs28EqpRx6XAgyMQYHaYH 
+zr1WG0Dly5DHQR/c4a83tRoPkJQoQCjC/2y8A+PUdVCgWvrYyMzaMse3oI/m1NpC +bpTIzwPPa3+K6lMRDx/Zalfr92QmU6FD21gPzq5F4dVqA/KJLT0yTyeHIgHbg5aZ +Ob8CN/29qMpvwutLansNQrOHpW56JbT9b1AD5/4TG/nbbCEM6mhwh6bbE7kJYB92 +N5EhlwDQdSslo9cP3u4MNOJOTjkwdN3FZQV14XM0KF66j8COagI4Z52ckb2l6F61 +KO9t2P6YQ1qF+Siw+9VE5TJQ9YaoAsJvM79eS6gOkTM0Ms+zqszijsCSB4/sx/LS +xb0WQY32X9XCd7OkRT3xIfzPBfFyuPXDZima73yaOLeKob4HF7c0L07oRG+0cfMT +UEMN8NsZexJ1q+ZwUhu+aahYQVDDrFvwurqKvfcZjCrv4SoYlatFHfRuJhiJGtan +s8cwSFFoERcMLxY//sznNLgfS1Lpxlbzbflmiri6fvQK/DlsgMNyq2DYKEbfYrxf +1NmExBleZA/qYQoDeuWFxcxVT+W261JdglLkHpYXkeHlNxd97aZzEkpEjHha2V4V +swmm79oQsTBlRujxFDnnDm2q8LZ+XsNv85enjYN4jb/1EqUwZQhdZKjeI1tNQBfh +IFRaWFj7+4OS5OtdcPvgq/sydHxuJb4v1V3vjRRutFw34g== +=u5NG -----END PGP MESSAGE----- From e452c0d62ec1300bcc6ca085870557f0eed4a63e Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Fri, 23 Jun 2017 16:01:31 +0200 Subject: [PATCH 091/172] fix LE --- modules/nginx.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/nginx.nix b/modules/nginx.nix index e415c0b..2af7604 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix @@ -12,6 +12,7 @@ sslcfg = dir: '' makeChallenges = servername: key_webroot: '' server { listen 80; + listen [::]:80; server_name ${servername}; location /.well-known/acme-challenge { default_type text/plain; @@ -22,6 +23,7 @@ makeChallenges = servername: key_webroot: '' makeServerBlock = servername: {key_root, key_webroot, contents, ...}: '' server { listen 80; + listen [::]:80; server_name ${servername}; server_tokens off; location /.well-known/acme-challenge { @@ -34,7 +36,12 @@ makeServerBlock = servername: {key_root, key_webroot, contents, ...}: '' } server { listen 443; + listen [::]:443; server_name ${servername}; + location /.well-known/acme-challenge { + default_type text/plain; + alias ${key_webroot}/.well-known/acme-challenge; + } ${sslcfg key_root} ${contents} } From a48b7e66f17c2aa44fb0e1aec147f5a66cd15682 Mon Sep 17 00:00:00 2001 
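Review bot: The replacement ciphertext is addressed to a different key: the first packet's key-ID bytes change from `VNqm0KmYcYAS` to `nqWDuZcZnF8S` inside the `hF4D…` PKESK header, so `secrets.nix` is now encrypted to another key or subkey, and the subject "update secrets" says neither that a recipient rotation happened nor which secrets changed. A sentence in the commit message naming the new recipient fingerprint and the reason would let a later reader audit who can decrypt the repository's secrets at each revision.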
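Review bot: The 443 server block still shows neither `ssl` on its `listen 443;` / `listen [::]:443;` lines nor `server_tokens off;`, both of which the port-80 block of makeServerBlock sets explicitly; if `sslcfg` does not emit `ssl on;` and `server_tokens off;` itself (its body starts outside the hunk), the TLS vhost would answer in plaintext on 443 and advertise the nginx version, so confirm what `sslcfg` produces. A short comment on the acme-challenge location added to the 443 block, e.g. `# keep the challenge path reachable over HTTPS too: the validator follows redirects to 443`, would explain why the path is duplicated rather than served on port 80 only. The three hunks touch the same file; this note covers all of them.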
From: Yorick van Pelt Date: Sat, 24 Jun 2017 13:36:15 +0200 Subject: [PATCH 092/172] generate tor ssh host forwards from secrets --- roles/common.nix | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/roles/common.nix b/roles/common.nix index 9cf115b..3dad562 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -33,8 +33,8 @@ in nix.extraOptions = '' allow-unsafe-native-code-during-evaluation = true allow-unfree = true - binary-caches-parallel-connections = 3 - connect-timeout = 5 + #binary-caches-parallel-connections = 3 + #connect-timeout = 5 keep-going = true ''; @@ -55,7 +55,12 @@ in programs.ssh.extraConfig = '' Host *.onion ProxyCommand nc -xlocalhost:9050 -X5 %h %p - ''; + '' + + (with lib; (flip concatMapStrings) (filter (hasPrefix "ssh.") (attrNames secrets.tor_hostnames)) (name: '' + Host ${removePrefix "ssh." name}.onion + hostname ${secrets.tor_hostnames.${name}} + '' + )); environment.systemPackages = with pkgs; [ # v important. @@ -100,6 +105,5 @@ in nix.gc.automatic = true; security.acme.preliminarySelfsigned = true; - } From 4a8f32ddcb67b0dc09e799d92c7f1d127c16622c Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Thu, 29 Jun 2017 23:39:47 +0200 Subject: [PATCH 093/172] Fix readme typo. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3e3ab44..48ea7cb 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ VPS (Storage: 80GB, RAM: 1GB, 2 cores) - [grafana](./roles/graphs.nix) - [website](./roles/website.nix) -- [email](./roles/main.nix) +- [email](./roles/mail.nix) - [prosody](./roles/xmpp.nix) - [asterisk](./roles/asterisk.nix) From 7c01fddce1e7ad756e1f2b039d02521c88e7b474 Mon Sep 17 00:00:00 2001 
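Review bot: The generated `Host …` stanzas in `programs.ssh.extraConfig` encode a naming convention (entries of `secrets.tor_hostnames` named `ssh.<host>` become the alias `<host>.onion`) that is written down nowhere; a comment above the `concatMapStrings`, e.g. `# each secrets.tor_hostnames."ssh.<host>" becomes an ssh alias <host>.onion, routed through Tor by the *.onion stanza above`, would save the next reader the deduction. Order matters here: ssh keeps the first value it sees for each option, so the generic `Host *.onion` stanza coming first only works because it sets `ProxyCommand` but no `hostname`; that dependency belongs in the same comment. Commenting out `binary-caches-parallel-connections` and `connect-timeout` instead of deleting them leaves no reason behind; a `# disabled: <reason>` or plain removal would be clearer.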
From: Yorick van Pelt Date: Sun, 25 Feb 2018 21:29:39 +0100 Subject: [PATCH 094/172] There is no capslock, only escape. Also, other changes. --- logical/ascanius.nix | 30 ++++++++++++++++++------------ logical/jarvis.nix | 4 ++-- physical/xps9360.nix | 4 ++-- roles/common.nix | 1 + roles/graphical.nix | 1 + 5 files changed, 24 insertions(+), 16 deletions(-) diff --git a/logical/ascanius.nix b/logical/ascanius.nix index 37ecfbe..7da4fdd 100644 --- a/logical/ascanius.nix +++ b/logical/ascanius.nix @@ -11,30 +11,36 @@ in [ ../physical/hp8570w.nix ../roles/common.nix ../roles/workstation.nix - ../modules/tor-hidden-service.nix ]; # no, not that Ascanius. networking.hostName = secrets.hostnames.ascanius; - # GOTTA GO FASTER - # this pulls in systemd-udevd-settle, which slows down boot - systemd.services.scsi-link-pm.enable = false; - nixpkgs.config = { packageOverrides = pkgs : { bluez = pkgs.bluez5; # https://github.com/NixOS/nixpkgs/issues/22099 - trustedGrub = pkgs.trustedGrub.overrideDerivation (attr: {NIX_CFLAGS_COMPILE = "-Wno-error";}); + trustedGrub = pkgs.grub2.overrideDerivation (attr: rec { + version = "2.x-20170910"; + name = "trustedGRUB2-${version}"; + buildInputs = attr.buildInputs ++ (with pkgs;[autoconf automake]); + prePatch = '' + rm -rf po + tar Jxf ${pkgs.grub2.src} grub-2.02/po + cp -r grub-2.02/po po + ./autogen.sh + ''; + src = pkgs.fetchFromGitHub { + repo = "TrustedGRUB2"; + owner = "Rohde-Schwarz-Cybersecurity"; + rev = "e656aaabd3bc5abda6c62c8967ebfd0c53ef179b"; + sha256 = "08lq4prqhn923i8a7q79s4lsfnqgk4jd255xzk1wy12vg45dwlsc"; + }; + }); }; }; - services.tor.hiddenServices = [ - { name = "ssh"; - port = 22; - hostname = secrets.tor_hostnames."ssh.ascanius"; - private_key = "/run/keys/torkeys/ssh.ascanius.key"; } - ]; + services.tor.hiddenServices.ssh.map = [{ port = 22; }]; nix.gc.automatic = pkgs.lib.mkOverride 30 false; } diff --git a/logical/jarvis.nix b/logical/jarvis.nix index 9b30d18..d47b924 100644 --- a/logical/jarvis.nix 
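Review bot: Nothing in the new code provisions the hidden-service key any more: the `services.tor.hiddenServices` list that carried `private_key = "/run/keys/torkeys/ssh.ascanius.key"` and the pinned `hostname` is replaced by `services.tor.hiddenServices.ssh.map = [{ port = 22; }]`, and the `../modules/tor-hidden-service.nix` import that installed the key is dropped, so tor will generate a fresh key on first start and the address kept in `secrets.tor_hostnames."ssh.ascanius"` (and the ssh aliases derived from it) stops matching unless the key is installed elsewhere. A comment on the new line such as `# private key installed by <module>` pointing at the replacement, or a provisioning line in this file, would keep the onion address stable across the migration. The TrustedGRUB2 override is pinned by `rev` and `sha256`, which is good; the subject line does not mention that the `scsi-link-pm` workaround was removed and the `trustedGrub` override rewritten, so the description could list them.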
+++ b/logical/jarvis.nix @@ -16,8 +16,8 @@ # The NixOS release to be compatible with for stateful data such as databases. - system.stateVersion = "17.03"; - networking.enableIPv6 = lib.mkOverride 30 true; + system.stateVersion = "17.09"; + #networking.enableIPv6 = lib.mkOverride 30 true; services.xserver.displayManager.sessionCommands = '' diff --git a/physical/xps9360.nix b/physical/xps9360.nix index 477d868..a605d2f 100644 --- a/physical/xps9360.nix +++ b/physical/xps9360.nix @@ -12,7 +12,7 @@ boot.extraModulePackages = [ ]; boot.blacklistedKernelModules = ["psmouse"]; - boot.kernelPackages = pkgs.linuxPackages_4_11; + boot.kernelPackages = pkgs.linuxPackages_latest; # Use the systemd-boot EFI boot loader. @@ -33,7 +33,7 @@ hardware.bluetooth.enable = true; # https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options # might require linux 4.11 - boot.kernelParams = ["i915.enable_fbc=1" "i915.enable_guc_loading=1" "i915.enable_guc_submission=1" "i915.enable_huc=1" "i915.enable_psr=2"]; + boot.kernelParams = ["i915.enable_fbc=1" "i915.enable_guc_loading=1" "i915.enable_guc_submission=1" "i915.enable_huc=1" "i915.enable_psr=2" "intel_iommu=on"]; # now we wait until enable_psr=1 is fixed fileSystems."/" = diff --git a/roles/common.nix b/roles/common.nix index 3dad562..f31d304 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -67,6 +67,7 @@ in cowsay ponysay ed # ed, man! sl + rlwrap vim diff --git a/roles/graphical.nix b/roles/graphical.nix index ab68a15..d69f414 100644 --- a/roles/graphical.nix +++ b/roles/graphical.nix @@ -18,6 +18,7 @@ in tappingDragLock = false; }; layout = "us"; + xkbOptions = "caps:escape"; displayManager.slim.defaultUser = "yorick"; # xkbOptions = "eurosign:e"; windowManager.i3 = { From ba7078334634d096693aa6942b1e2fdcd3a58735 Mon Sep 17 00:00:00 2001 
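Review bot: A `system.stateVersion` bump on an existing host (`"17.03"` to `"17.09"`) changes the defaults NixOS keys on that value for stateful services, and the option is documented as fixed at install time, so the change should be deliberate and explained or reverted. If it is intended, a comment like `# bumped on purpose after migrating <service> data; was 17.03` on the line records the decision. Commenting out the `networking.enableIPv6` override rather than deleting it likewise leaves no reason behind.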
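Review bot: `intel_iommu=on` is appended to a `boot.kernelParams` line whose surrounding comments only discuss i915 power-saving options and is not mentioned in the subject line, although it is the security-relevant change in this commit: it enables VT-d so DMA from PCIe and Thunderbolt devices is confined by the IOMMU. A comment of its own, e.g. `# intel_iommu=on: enable VT-d so DMA-capable external devices are isolated from memory`, or a separate `boot.kernelParams` entry, would keep it from being lost the next time the i915 options are edited. The move from `linuxPackages_4_11` to `linuxPackages_latest` also makes the `# might require linux 4.11` comment above stale.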
From: Yorick van Pelt Date: Tue, 27 Feb 2018 16:31:16 +0100 Subject: [PATCH 095/172] some changes after nix 2.0 --- conf | 4 +++ logical/ascanius.nix | 36 +++----------------- logical/jarvis.nix | 9 ----- logical/woodhouse.nix | 57 ++++++++++--------------------- modules/tor-hidden-service.nix | 35 +++++++------------ physical/fractal.nix | 3 +- physical/hp8570w.nix | 36 +++++--------------- physical/hp8570w/powerdown.nix | 16 +++------ physical/nuc.nix | 4 +-- physical/xps9360.nix | 61 ++++++++-------------------------- roles/collectd.nix | 4 +-- roles/common.nix | 11 +++--- roles/graphical.nix | 33 +++++++++--------- roles/hardware.nix | 44 ++++++++++++++++++++++++ roles/pub.nix | 2 -- roles/workstation.nix | 1 + 16 files changed, 137 insertions(+), 219 deletions(-) create mode 100644 roles/hardware.nix diff --git a/conf b/conf index d479d0f..1fdf2a0 100755 --- a/conf +++ b/conf @@ -15,6 +15,10 @@ stable) export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-17.03/nixexprs.tar.xz:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH" eval ${@:3} ;; +checkout) + export NIX_PATH="nixpkgs=`pwd`/../nixpkgs:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH" + eval ${@:3} + ;; channel) export NIX_PATH="/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH" eval ${@:3} diff --git a/logical/ascanius.nix b/logical/ascanius.nix index 7da4fdd..a666c18 100644 --- a/logical/ascanius.nix +++ b/logical/ascanius.nix @@ -1,7 +1,3 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - { config, pkgs, ... }: let secrets = import ; 
@@ -13,34 +9,12 @@ in ../roles/workstation.nix ]; + system.stateVersion = "17.09"; # no, not that Ascanius. networking.hostName = secrets.hostnames.ascanius; + services.tor.hiddenServices.ssh.map = [ + { port = 22; } + ]; + services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.ascanius.key"; - nixpkgs.config = { - packageOverrides = pkgs : { - bluez = pkgs.bluez5; - # https://github.com/NixOS/nixpkgs/issues/22099 - trustedGrub = pkgs.grub2.overrideDerivation (attr: rec { - version = "2.x-20170910"; - name = "trustedGRUB2-${version}"; - buildInputs = attr.buildInputs ++ (with pkgs;[autoconf automake]); - prePatch = '' - rm -rf po - tar Jxf ${pkgs.grub2.src} grub-2.02/po - cp -r grub-2.02/po po - ./autogen.sh - ''; - src = pkgs.fetchFromGitHub { - repo = "TrustedGRUB2"; - owner = "Rohde-Schwarz-Cybersecurity"; - rev = "e656aaabd3bc5abda6c62c8967ebfd0c53ef179b"; - sha256 = "08lq4prqhn923i8a7q79s4lsfnqgk4jd255xzk1wy12vg45dwlsc"; - }; - }); - }; - }; - - - services.tor.hiddenServices.ssh.map = [{ port = 22; }]; - nix.gc.automatic = pkgs.lib.mkOverride 30 false; } diff --git a/logical/jarvis.nix b/logical/jarvis.nix index d47b924..f48bf09 100644 --- a/logical/jarvis.nix +++ b/logical/jarvis.nix @@ -1,7 +1,3 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - { config, pkgs, lib, ... }: { @@ -23,10 +19,5 @@ services.xserver.displayManager.sessionCommands = '' ${pkgs.xorg.xrandr}/bin/xrandr --dpi 192 ''; - nix.gc.automatic = pkgs.lib.mkOverride 30 false; - # nix.trustedBinaryCaches = [http://192.168.1.27:5000]; - # nix.binaryCachePublicKeys = [ - # "hydra.example.org-1:NbZfmBIhIevVM5OZ81TbwruSC9etkIrdi1mR6AAdm98=" - # ]; virtualisation.virtualbox.host.enable = pkgs.lib.mkOverride 30 false; } diff --git a/logical/woodhouse.nix b/logical/woodhouse.nix index da2863c..b833b8d 100644 --- a/logical/woodhouse.nix 
+++ b/logical/woodhouse.nix @@ -1,25 +1,30 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - { config, pkgs, lib, ... }: let secrets = import ; +mkFuseMount = device: opts: { + # todo: "ServerAliveCountMax=3" "ServerAliveInterval=30" + + device = "${pkgs.sshfsFuse}/bin/sshfs#${device}"; + fsType = "fuse"; + options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user" + "defaults" "allow_other" "transform_symlinks" "default_permissions" + "uid=1000" + "reconnect" "IdentityFile=/root/.ssh/id_sshfs"] ++ opts; +}; in { imports = [ # Include the results of the hardware scan. ../physical/nuc.nix ../roles/common.nix - ../roles/collectd.nix - ../modules/tor-hidden-service.nix + # ../roles/collectd.nix ../roles/graphical.nix ]; networking.hostName = secrets.hostnames.woodhouse; # The NixOS release to be compatible with for stateful data such as databases. - system.stateVersion = "16.09"; + system.stateVersion = "17.09"; services.xserver = { 
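Review bot: `mkFuseMount` is undocumented, and since it bakes `allow_other`, `uid=1000` and `IdentityFile=/root/.ssh/id_sshfs` into every mount built with it, a header comment such as `# mkFuseMount "<user@host:path>" [extra sshfs options]: sshfs automount authenticated with root's id_sshfs key, visible to all local users via allow_other, remote tree mapped to uid 1000` would state the trust assumptions once instead of per mount. The `# todo: "ServerAliveCountMax=3" "ServerAliveInterval=30"` comment carried into the helper would be more useful as `# TODO(yorick): add ServerAliveCountMax/ServerAliveInterval so stale automounts reconnect`. `system.stateVersion` is also bumped from `"16.09"` to `"17.09"` here; NixOS ties stateful defaults to that value and documents it as fixed at install time, so the bump should be explained in the description or reverted. The collectd role is commented out rather than removed, which silently drops this host from monitoring without a stated reason.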
@@ -27,42 +32,14 @@ in }; - - services.tor.hiddenServices = [ - { name = "ssh"; - port = 22; - hostname = secrets.tor_hostnames."ssh.woodhouse"; - private_key = "/run/keys/torkeys/ssh.woodhouse.key"; } - ]; + services.tor.hiddenServices.ssh.map = [ {port = 22;} ]; + services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.woodhouse.key"; system.fsPackages = [ pkgs.sshfsFuse ]; - fileSystems."/mnt/frumar" = { - # todo: "ServerAliveCountMax=3" "ServerAliveInterval=30" - device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@" + secrets.hostnames.frumar + ":/data/yorick"; - fsType = "fuse"; - options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user" - "defaults" "allow_other" "transform_symlinks" "default_permissions" - "uid=1000" - "reconnect" "IdentityFile=/root/.ssh/id_sshfs"]; - }; - fileSystems."/mnt/oxygen" = { - device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@oxygen.obfusk.ch:"; - fsType = "fuse"; - options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user" - "defaults" "allow_other" "transform_symlinks" "default_permissions" - "uid=1000" - "reconnect" "IdentityFile=/root/.ssh/id_sshfs"]; - }; - - fileSystems."/mnt/nyamsas" = { - device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@nyamsas.quezacotl.nl:"; - fsType = "fuse"; - options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user" - "defaults" "allow_other" "transform_symlinks" "default_permissions" - "uid=1000" - "reconnect" "IdentityFile=/root/.ssh/id_sshfs" "port=1337"]; - }; + fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" []; + fileSystems."/mnt/oxygen" = mkFuseMount "yorick@oxygen.obfusk.ch:" []; + fileSystems."/mnt/nyamsas" = mkFuseMount "yorick@nyamsas.quezacotl.nl:" ["port=1337"]; networking.firewall.allowedTCPPorts = [7 8080 9090 9777]; # kodi diff --git a/modules/tor-hidden-service.nix b/modules/tor-hidden-service.nix index 0f10328..5fd411b 100644 --- a/modules/tor-hidden-service.nix +++ b/modules/tor-hidden-service.nix 
@@ -3,25 +3,15 @@ with lib; let - hiddenServices = config.services.tor.hiddenServices; + service-keys = config.services.tor.service-keys; + torDir = "/var/lib/tor"; in { - options.services.tor = { - hiddenServices = mkOption { default = []; }; + options.services.tor.service-keys = mkOption { + default = {}; + type = with types; loaOf string; }; - config = mkIf (hiddenServices != []) { - assertions = map (hiddenService: { - assertion = hasAttr "name" hiddenService && hasAttr "port" hiddenService; - message = "all hidden services should define a name and a port.."; - }) hiddenServices; - - services.tor.enable = true; - - services.tor.extraConfig = concatStringsSep "\n" (map (hiddenService: '' - HiddenServiceDir /var/lib/tor/${hiddenService.name} - HiddenServicePort ${toString (if hasAttr "remote_port" hiddenService then hiddenService.remote_port else hiddenService.port)} 127.0.0.1:${toString hiddenService.port} - '') hiddenServices); - + config = mkIf (service-keys != {}) { systemd.services."install-tor-hidden-service-keys" = { wantedBy = ["tor.service"]; serviceConfig.Type = "oneshot"; 
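Review bot: The `install-tor-hidden-service-keys` oneshot is only `wantedBy = ["tor.service"]`; without `before = ["tor.service"]` systemd may start tor in parallel, and if tor wins the race it creates its own key under `${torDir}/onion/${name}`, after which the `if ! [[ -e … ]]` guard in the script keeps the provisioned key from ever being installed and the host's onion address silently changes. Adding `before = ["tor.service"];` beside the existing `wantedBy` (and `requiredBy` instead of `wantedBy` if tor must not run without its keys) closes that window. The new `service-keys` option has no `description`; `description = "hidden service name -> path of the private key to install into tor's onion directory";` would document it. The module's body continues in the next hunk.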
@@ -29,14 +19,13 @@ in { serviceConfig.Group = "keys"; # TODO: update on change? # TODO: better ways to get the keys on the server - script = concatStringsSep "\n" (map (hiddenService: if (hasAttr "private_key" hiddenService && hasAttr "hostname" hiddenService) then '' - if ! [[ -e /var/lib/tor/${hiddenService.name}/private_key ]]; then - mkdir -p /var/lib/tor/${hiddenService.name}/ - cp ${hiddenService.private_key} /var/lib/tor/${hiddenService.name}/private_key - echo ${hiddenService.hostname} > /var/lib/tor/${hiddenService.name}/hostname - chmod -R 700 /var/lib/tor/${hiddenService.name}; + script = concatStringsSep "\n" (mapAttrsToList (name: keypath: '' + if ! [[ -e ${torDir}/onion/${name}/private_key ]]; then + mkdir -p ${torDir}/onion/${name}/ + cp ${keypath} ${torDir}/onion/${name}/private_key + chmod -R 700 ${torDir}/onion/${name} fi - '' else "true") hiddenServices); + '') service-keys); }; }; } diff --git a/physical/fractal.nix b/physical/fractal.nix index bcaf31b..8e3a7a8 100644 --- a/physical/fractal.nix +++ b/physical/fractal.nix @@ -9,8 +9,7 @@ ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; + yorick.cpu = "intel"; # Use the GRUB 2 boot loader. boot.loader.grub.enable = true; diff --git a/physical/hp8570w.nix b/physical/hp8570w.nix index be8a1eb..ac34d0b 100644 --- a/physical/hp8570w.nix +++ b/physical/hp8570w.nix 
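Review bot: The rewritten script leaves the copied `private_key` and its directory owned by whatever user this oneshot runs as (no `User=` is set, so root; `Group = "keys"` only serves reading `/run/keys`) and then `chmod -R 700` makes them unreadable to everyone else, so unless the NixOS tor service chowns `${torDir}/onion` before starting, the unprivileged tor process cannot read its own key — confirm that, or add `chown -R tor:tor ${torDir}/onion/${name}` after the `chmod`. The old script also wrote a `hostname` file; dropping it is fine because tor derives the hostname from the key, but a one-line comment saying so would stop the next reader re-adding it. Whether `${torDir}/onion/<name>` is the directory the upstream `services.tor.hiddenServices.<name>` option uses should also be stated in a comment, since a mismatch would leave the installed key unused.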
@@ -1,47 +1,27 @@ -# I'm modifying this file anyways. { config, lib, pkgs, ... }: { - imports = - [ - ./hp8570w/powerdown.nix - ]; + imports = [ + + ./hp8570w/powerdown.nix + ]; - hardware.cpu.intel.updateMicrocode = true; + yorick = { cpu = "intel"; gpu = "nvidia"; laptop = true; }; boot = { loader.grub = { enable = true; device = "/dev/sda"; - trustedBoot = { - enable = true; - systemHasTPM = "YES_TPM_is_activated"; - }; }; kernelPackages = pkgs.linuxPackages_latest; - kernelModules = ["nvidiabl" "kvm-intel"]; }; - services.xserver.videoDrivers = ["nouveau"]; - services.xserver.synaptics.enable = true; - networking.wireless.enable = true; - hardware.bluetooth.enable = true; - - - # ideal... doesn't work. - #services.udev.extraRules = '' - # KERNEL=="nvidia_backlight", SUBSYSTEM=="backlight", MODE="666" - #''; - # for now - systemd.services."display-manager".preStart = '' - chmod a+w $(realpath /sys/class/backlight/nv_backlight/brightness) || true - ''; # this makes sure my wifi doesn't take a minute to work services.udev.extraRules = '' SUBSYSTEM=="firmware", ACTION=="add", ATTR{loading}="-1" ''; - boot.initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usbhid" "usb_storage" "btrfs" "dm_crypt" ]; + boot.initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usbhid" "usb_storage" ]; boot.initrd.luks.devices = [ { name = "nix-root-enc"; device = "/dev/sdb2"; @@ -65,6 +45,6 @@ nix.maxJobs = 8; - services.tcsd.enable = true; # it has a TPM. maybe use this? - environment.systemPackages = with pkgs; [btrfs-progs tpm-tools]; + #services.tcsd.enable = true; # it has a TPM. maybe use this? + #environment.systemPackages = with pkgs; [tpm-tools]; } diff --git a/physical/hp8570w/powerdown.nix b/physical/hp8570w/powerdown.nix index dc94d5d..d49d35b 100644 --- a/physical/hp8570w/powerdown.nix +++ b/physical/hp8570w/powerdown.nix 
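Review bot: The boot-integrity posture of this LUKS-rooted laptop is lowered without a word in the subject line: `boot.loader.grub.trustedBoot` (TPM-measured boot via TrustedGRUB2) is removed and `services.tcsd.enable` plus `tpm-tools` are commented out, while `boot.initrd.luks.devices` for `nix-root-enc` on `/dev/sdb2` stays. A comment at the former location such as `# trustedBoot dropped: <reason>; re-enable once <condition>` or a line in the description would record that this is deliberate rather than accidental. `dm_crypt` and `btrfs` are also removed from `boot.initrd.availableKernelModules`; the NixOS luks and filesystem modules normally add those themselves, but confirm the initrd still unlocks `nix-root-enc` before relying on it.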
@@ -13,15 +13,9 @@ in SUBSYSTEM=="power_supply", ATTR{online}=="1", RUN+="${powersw}" ''; - systemd.services.powerswitch = { - enable = true; - wantedBy = [ "multi-user.target" "suspend.target" ]; - after = [ "suspend.target" "display-manager.service" ]; - description = "Run powerswitch sometimes"; - preStart = "sleep 4s"; - serviceConfig = { - Type = "oneshot"; - ExecStart = powersw; - }; - }; + powerManagement.powerUpCommands = '' + sleep 4s + ${powersw}/bin/powerswitch + ''; + } diff --git a/physical/nuc.nix b/physical/nuc.nix index 51f4a00..c5b2e6b 100644 --- a/physical/nuc.nix +++ b/physical/nuc.nix @@ -9,9 +9,7 @@ ]; boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - hardware.cpu.intel.updateMicrocode = true; + yorick = { cpu = "intel"; gpu = "intel"; }; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; diff --git a/physical/xps9360.nix b/physical/xps9360.nix index a605d2f..8cbd31f 100644 --- a/physical/xps9360.nix +++ b/physical/xps9360.nix 
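Review bot: The new `powerManagement.powerUpCommands` runs `${powersw}/bin/powerswitch`, while the unchanged udev rule two lines above runs `RUN+="${powersw}"` and the removed service used `ExecStart = powersw` directly, so `powersw` is treated both as an executable path and as a package directory; one of the two forms is wrong (its definition sits in the `let` above the hunk), and the wrong one fails silently inside a udev `RUN` or a power-up hook. Pick one spelling in both places, e.g. `${powersw}` if it is a script path, and add `# powersw: <script path | package with bin/powerswitch>` at its definition.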
@@ -1,40 +1,22 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. { config, lib, pkgs, ... }: { - imports = - [ - ]; + imports = [ + + ]; + yorick = { cpu = "intel"; gpu = "intel"; laptop = true; }; + + + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + kernelPackages = pkgs.linuxPackages_latest; + }; boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; boot.blacklistedKernelModules = ["psmouse"]; - boot.kernelPackages = pkgs.linuxPackages_latest; - - - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - - hardware.cpu.intel.updateMicrocode = true; - - - services.xserver.libinput.enable = true; - services.thermald.enable = true; - - networking.wireless.enable = true; - networking.dhcpcd.extraConfig = '' - noarp - ''; - hardware.bluetooth.enable = true; - # https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options - # might require linux 4.11 - boot.kernelParams = ["i915.enable_fbc=1" "i915.enable_guc_loading=1" "i915.enable_guc_submission=1" "i915.enable_huc=1" "i915.enable_psr=2" "intel_iommu=on"]; - # now we wait until enable_psr=1 is fixed fileSystems."/" = { device = "/dev/disk/by-uuid/a751e4ea-f1aa-48e1-9cbe-423878e29b62"; 
@@ -57,24 +39,7 @@ ]; nix.maxJobs = lib.mkDefault 4; - - environment.systemPackages = [pkgs.btrfs-progs]; - # ideal... doesn't work. - #services.udev.extraRules = '' - # KERNEL=="intel_backlight", SUBSYSTEM=="backlight", MODE="666" - #''; - # for now - systemd.services."display-manager".preStart = '' - chmod a+w $(realpath /sys/class/backlight/intel_backlight/brightness) || true - ''; - # this makes sure my wifi doesn't take a minute to work - services.udev.extraRules = '' - SUBSYSTEM=="firmware", ACTION=="add", ATTR{loading}="-1" - ''; - - services.xserver.videoDrivers = ["modesetting"]; - hardware.opengl.extraPackages = [ pkgs.vaapiIntel ]; # bigger console font i18n.consoleFont = "latarcyrheb-sun32"; } diff --git a/roles/collectd.nix b/roles/collectd.nix index c9589c6..3ea09b8 100644 --- a/roles/collectd.nix +++ b/roles/collectd.nix @@ -56,11 +56,11 @@ in libxml2 = null; libtool = null; lvm2 = null; - libmysql = null; + mysql = null; protobufc = null; python = null; rabbitmq-c = null; - riemann = null; + riemann_c_client = null; rrdtool = null; varnish = null; yajl = null; diff --git a/roles/common.nix b/roles/common.nix index f31d304..cf4aeb1 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -2,7 +2,10 @@ let secrets = import ; in { config, pkgs, lib, ...}: { - imports = []; + imports = [ + ../roles/hardware.nix + ../modules/tor-hidden-service.nix + ]; time.timeZone = "Europe/Amsterdam"; users.mutableUsers = false; users.extraUsers.root = { @@ -12,6 +15,7 @@ in }; services.timesyncd.enable = true; + services.fail2ban.enable = true; users.extraUsers.yorick = { isNormalUser = true; uid = 1000; @@ -22,6 +26,7 @@ in # Nix nixpkgs.config.allowUnfree = true; + nix.package = pkgs.nixUnstable; nix.trustedBinaryCaches = config.nix.binaryCaches ++ [http://hydra.cryp.to]; 
@@ -32,10 +37,6 @@ in nix.extraOptions = '' allow-unsafe-native-code-during-evaluation = true - allow-unfree = true - #binary-caches-parallel-connections = 3 - #connect-timeout = 5 - keep-going = true ''; # Networking diff --git a/roles/graphical.nix b/roles/graphical.nix index d69f414..462db09 100644 --- a/roles/graphical.nix +++ b/roles/graphical.nix @@ -8,11 +8,6 @@ in # Enable the X11 windowing system. services.xserver = { enable = true; - synaptics = { - twoFingerScroll = true; - horizontalScroll = true; - scrollDelta = -107; # inverted scrolling - }; libinput = { naturalScrolling = true; tappingDragLock = false; @@ -23,16 +18,24 @@ in # xkbOptions = "eurosign:e"; windowManager.i3 = { enable = true; - } // (if (lib.versionAtLeast config.system.nixosRelease "17.03") then { package = pkgs.i3-gaps; - } else {}); + }; }; - hardware.opengl = { - enable = true; - driSupport32Bit = config.yorick.support32bit; - }; - hardware.pulseaudio.enable = true; - hardware.pulseaudio.support32Bit = config.yorick.support32bit; + hardware.opengl = { + enable = true; + driSupport32Bit = config.yorick.support32bit; + }; + sound.enable = true; + hardware.pulseaudio = { + enable = true; + support32Bit = config.yorick.support32bit; + }; + users.extraUsers.yorick.extraGroups = ["video"]; + # fix backlight permissions + services.udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness" + ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness" + ''; fonts = { enableFontDir = true; @@ -47,8 +50,8 @@ in ]; }; # spotify - networking.firewall.allowedTCPPorts = [57621]; - networking.firewall.allowedUDPPorts = [57621]; + networking.firewall.allowedTCPPorts = [55025 57621]; + networking.firewall.allowedUDPPorts = [55025 57621]; users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword; services.openssh.forwardX11 = true; 
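Review bot: Port 55025 is opened on TCP and UDP under a `# spotify` comment that only ever documented 57621; if it serves something else it needs its own `# 55025: <service>` comment, since an undocumented open port is the first thing a later audit questions. The backlight udev rules are a sound replacement for the old `chmod a+w` pre-start hook (group-writable for `video` instead of world-writable); a comment noting that `users.extraUsers.yorick.extraGroups = ["video"]` exists for those rules would tie the two lines together. The common.nix hunk above adds `services.fail2ban.enable = true;` with no jail configuration, which leaves only the module's default jail; a comment stating that this is the intent would help.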
diff --git a/roles/hardware.nix b/roles/hardware.nix new file mode 100644 index 0000000..3583928 --- /dev/null +++ b/roles/hardware.nix @@ -0,0 +1,44 @@ +{ config, lib, pkgs, ... }: +let cfg = config.yorick; in +with lib; +{ + options.yorick = { + cpu = mkOption { + type = types.nullOr (types.enum ["intel"]); + }; + gpu = mkOption { + type = types.nullOr (types.enum ["intel" "nvidia"]); + default = null; + }; + laptop = mkEnableOption "laptop settings"; + }; + config = mkMerge [ + (mkIf (cfg.gpu == "intel") { + # https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options + boot.kernelParams = ["i915.enable_fbc=1" "i915.enable_guc_loading=1" "i915.enable_guc_submission=1" "i915.enable_huc=1" "i915.enable_psr=2"]; + # now we wait until enable_psr=1 is fixed + services.xserver.videoDrivers = ["modesetting"]; + hardware.opengl.extraPackages = [ pkgs.vaapiIntel ]; + }) + (mkIf (cfg.gpu == "nvidia") { + boot.kernelModules = ["nvidiabl"]; + services.xserver.videoDrivers = ["nvidia"]; + boot.extraModulePackages = [config.boot.kernelPackages.nvidiabl]; + }) + (mkIf (cfg.cpu == "intel") { + hardware.cpu.intel.updateMicrocode = true; + boot.kernelModules = ["kvm-intel"]; + }) + (mkIf (cfg.laptop) { + services.xserver.libinput.enable = true; + + networking.wireless.enable = true; + hardware.bluetooth.enable = true; + # gotta go faster + networking.dhcpcd.extraConfig = '' + noarp + ''; + services.thermald.enable = true; + }) + ]; +} diff --git a/roles/pub.nix b/roles/pub.nix index 34240de..b15a46c 100644 --- a/roles/pub.nix +++ b/roles/pub.nix @@ -1,6 +1,4 @@ { config, pkgs, lib, ... }: -let secrets = import ; -in { #imports = [../modules/nginx.nix]; config = { diff --git a/roles/workstation.nix b/roles/workstation.nix index 7a73db5..fab4e01 100644 --- a/roles/workstation.nix +++ b/roles/workstation.nix 
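Review bot: `options.yorick.cpu` has no `default`, unlike `gpu` (`default = null`), so any host that imports `roles/common.nix` (which now pulls this file in) without setting `yorick.cpu` fails evaluation with an option-used-but-not-defined error; add `default = null;` to match `gpu`. The `mkIf (cfg.gpu == "intel")` block reproduces the i915 parameters from `physical/xps9360.nix` but not the `intel_iommu=on` that the xps9360 hunk of this commit removes, so VT-d DMA isolation is silently lost on that laptop; either add `"intel_iommu=on"` to the `laptop` or `cpu == "intel"` block with a comment, or restore it in `xps9360.nix`. A header comment describing the knobs, e.g. `# yorick.{cpu,gpu,laptop}: per-machine hardware profile set in physical/*.nix and turned into kernel, X11 and power settings here`, would help.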
@@ -25,4 +25,5 @@ ''; virtualisation.virtualbox.host.enable = true; yorick.support32bit = true; + nix.gc.automatic = pkgs.lib.mkOverride 30 false; } From 3ea4addcb2a749bb1ffab892cebf44f092c867bd Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 27 Feb 2018 16:49:15 +0100 Subject: [PATCH 096/172] use git-crypt --- .git-crypt/.gitattributes | 3 + ...FD1053ADB6ABF50DF64792A36E70F9DC014A15.gpg | Bin 0 -> 294 bytes .gitattributes | 3 + .gitignore | 4 - conf | 4 +- deploy_key | Bin 0 -> 1701 bytes deploy_key.asc | 40 ------ keys/backup.pennyworth.key | Bin 0 -> 7599 bytes keys/backup.pennyworth.key.asc | 130 ------------------ keys/http.muflax.key | Bin 0 -> 909 bytes keys/http.muflax.key.asc | 27 ---- keys/ssh.frumar.key | Bin 0 -> 909 bytes keys/ssh.frumar.key.asc | 27 ---- keys/ssh.pennyworth.key | Bin 0 -> 909 bytes keys/ssh.pennyworth.key.asc | 27 ---- keys/ssh.woodhouse.key | Bin 0 -> 909 bytes keys/ssh.woodhouse.key.asc | 27 ---- secrets.nix | Bin 0 -> 1545 bytes secrets.nix.asc | 24 ---- 19 files changed, 7 insertions(+), 309 deletions(-) create mode 100644 .git-crypt/.gitattributes create mode 100644 .git-crypt/keys/default/0/6EFD1053ADB6ABF50DF64792A36E70F9DC014A15.gpg create mode 100644 .gitattributes delete mode 100644 .gitignore create mode 100644 deploy_key delete mode 100644 deploy_key.asc create mode 100644 keys/backup.pennyworth.key delete mode 100644 keys/backup.pennyworth.key.asc create mode 100644 keys/http.muflax.key delete mode 100644 keys/http.muflax.key.asc create mode 100644 keys/ssh.frumar.key delete mode 100644 keys/ssh.frumar.key.asc create mode 100644 keys/ssh.pennyworth.key delete mode 100644 keys/ssh.pennyworth.key.asc create mode 100644 keys/ssh.woodhouse.key delete mode 100644 keys/ssh.woodhouse.key.asc create mode 100644 secrets.nix delete mode 100644 secrets.nix.asc diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes new file mode 100644 index 0000000..17ef601 --- /dev/null +++ b/.git-crypt/.gitattributes 
@@ -0,0 +1,3 @@
+# Do not edit this file. To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
diff --git a/.git-crypt/keys/default/0/6EFD1053ADB6ABF50DF64792A36E70F9DC014A15.gpg b/.git-crypt/keys/default/0/6EFD1053ADB6ABF50DF64792A36E70F9DC014A15.gpg
new file mode 100644
index 0000000000000000000000000000000000000000..aa3c09c052ecce55b34ec216d2059dae3305ac0f
GIT binary patch literal 294 zcmV+>0one9UIU(`gSnR(oL>?F2S9=KYn{Z7j_AVf3wf?EFEs+CGobi$CdH$ROy zl?iKCqf0nz{Z`a{Cz!4?70pU9oxgU*++pR;IConXkO;S*X3H0yJUXY+7jatXbXHP*nRJH5fkz5mwLRquQ+P3*a^4}~vu}B0c-U+X s9&Flb2n?E-EG0{A)qh)Uq|`$!=WStAje%6Pivx5WH-@;TH^ldq5SieS?EnA( literal 0 HcmV?d00001
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..1a2f179
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,3 @@
+secrets.nix filter=git-crypt diff=git-crypt
+*.key filter=git-crypt diff=git-crypt
+deploy_key filter=git-crypt diff=git-crypt
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 3457031..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-deploy_key
-secrets.nix
-keys/*.hostname
-keys/*.key
diff --git a/conf b/conf
index 1fdf2a0..b64188c 100755
--- a/conf
+++ b/conf
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 if ! [ -e deploy_key ] || ! [ -e secrets.nix ]
 then
- gpg --decrypt-files secrets.nix.asc deploy_key.asc keys/*.asc
+ git crypt unlock
 sudo chgrp nixbld deploy_key
 chmod 640 deploy_key
 fi
@@ -23,6 +23,4 @@ channel)
 export NIX_PATH="/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH"
 eval ${@:3}
 ;;
-update-encrypt)
- gpg -a -r yorick --encrypt-files secrets.nix deploy_key keys/*.key
 esac
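Review bot: The deleted `.gitignore` also covered `keys/*.hostname`, but the new `.gitattributes` only routes `secrets.nix`, `*.key` and `deploy_key` through git-crypt, so a `*.hostname` file under `keys/` (the tor hostnames referenced elsewhere as `secrets.tor_hostnames`) would from now on be committed in plaintext if one is ever added; add `keys/*.hostname filter=git-crypt diff=git-crypt` or keep that ignore rule. git-crypt only encrypts blobs added after the attribute is in place, which holds here because these paths were ignored before, but the patterns should stay in sync with what the old ignore list protected.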
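Review bot: The `if ! [ -e deploy_key ] || ! [ -e secrets.nix ]` guard no longer fires: with git-crypt both files are always present in the checkout (as ciphertext until unlocked), so `git crypt unlock` is never executed and the `sudo chgrp nixbld deploy_key` / `chmod 640 deploy_key` fixups are skipped as well. The old scheme only produced the plaintext files after `gpg --decrypt-files`, which is what the existence test was written for. Test for the locked state instead, e.g. `if head -c 10 deploy_key | grep -q GITCRYPT` (git-crypt ciphertext begins with a `\0GITCRYPT\0` header) or `git crypt status -e`, and keep the ownership and mode fixups after the unlock.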
diff --git a/deploy_key b/deploy_key new file mode 100644 index 0000000000000000000000000000000000000000..03ed4862b520a0ad9a37d2347a0dddbb28c0ca67 GIT binary patch literal 1701 zcmV;W23q+5M@dveQdv+`01`@$hILcwUTMbOcq#RF&)zdR1t1ja%oAv1&&tt7kg^`ra3pLp3w>P7xXDEH+)kV#Y^PH>KifX8dlo~O+>tXE5~ zJiP#SEJQMn3a0~dCa|M1>pJA}&cw6K!Tr;m4g8npK%OEhC0MaJC{ATa3sMM!UpzQe;>40wB zfWlHRL8v1ur1;G((plLnAWkT}CrVpWK4+B?tSei0ea5m=0~#E0YA}I!{crH{@G%Dr z#8MS={ICBv$#0llOpi4!39a1k>U2I(I%Ie$oH$mh5q&Nb*VRu0s4(sXzzpK9jLSCw zj1jfOd9jpMR#Ex-m4s3%fAm}rp?y>dJ^p-gyt`~F`qRS!xnKeyVNgcP3O&`n{pRNHYdjz0BT{X%>SNvLe?w3Zv8f)e# z%ye%y#IhF4Xk7(HfqD)McKZ;8!QoRB9Iv?#k0jh<9yd#MZ*>k*2*o=w9?y%JRaM5b zR*vY~5;afxq}_GLuk^yv7|r5x__6{#-n`I}v5&=_^BHH9E>xn-Pd*au*0DK}O4SC( zCUeI&A$I<<#PdkAGsGLNk#+_{bvXXHCr{cpn9ysR6n zcBcq+7UU7W)RB6r^V1)ihP(=ujnCZMXen(wa!xYnjPO?4yz+lNy}Dh_5)k>A9<;@6 zK1?xt00lpr-ed!%Ai^rMKee7XKY0cObQA|5vSVKlGlY6xpA&8gZDSa{(eQEii;C~g z1{G~j*XJuqA---`Sz)kQv~<`d+1{@|OrK~DmyXAxV!jaOx$0HyN#om_p6(sBIiQ2wt*vNn}jsvE17<962o_c)agc6L*} z-=yvgpK@1%nlo`z!WC?UlK$&P`82aLIV-dY9ZJq(aFNK0Z_4$xPMOvFvuGpKZAPlj z#4$#+ZA;M(zAU(fFMYEG;Ghy*aaleTGI=*M{e1U+9l>`;L#TFiYdiH3d^H6kFA_|G zvB#o3e=ir(R@T#)t~hsGfRrdscC)iT(4iegW8r0IL;0RFB&!fQMh?hiq@(d>atdSR zxhg_-W0FowF34Ipb(OqVCpl2CAom;8rX;X{)Y{KL*@0!?j?!KYvJjZwQ+AK&8k*r{ z%|9B>(GUq#5NGYOFIPRFPdH_Q7($zzJh*iFE5d$zAHA69{#19{B5vBpzSs-V&-HHz zJzqV%&KnuiJ+trfo00YS7X-yYo~j?Y zORg9l!Rs#t?67+ahYz-njMQlWf-JWS@<2ngDR>t4n#zTu!$tleg`Bv%GREl04V*R`4=Mm*%w<1ooH2edsJ literal 0 HcmV?d00001 diff --git a/deploy_key.asc b/deploy_key.asc deleted file mode 100644 index 5ba729f..0000000 --- a/deploy_key.asc +++ /dev/null 
@@ -1,40 +0,0 @@ ------BEGIN PGP MESSAGE----- -Version: GnuPG v2 - -hQEMAwEAjpZflP7cAQgArtoZGba4G45Y28r7xuHZ4XGdKs5Ug3bsZXip1R6ENB7L -QwIei5EW3pLb1EBzFFMxSTPt1lfXAqV5bHmDKflH6CjT7qtnq3j2KhMfMyP3XwMT -OQXc8R8LOGgR6SGcc5/ccCWSKOzdYvNP2yVwRXOuZmyrcPjedKxYrSp6ul+4D62z -/IBhGZdaUR10bATr5Xaeb01ermD/ujfGr0cuwXeylRw/9pBi7opHcka7kdog9ID5 -nFWvjkaSb3zrTDVKsGRHNGs3QWclmmVn3j/2w3PSDFgQlzk9qr44sjqBVHO8ib0Z -Nx3DwUlx8pE3LyWOEZROYIzFPRl9kWpMdDENt+AxYdLqATvmoomK4fU1P1eq3hg2 -zvZ65+kstDSwHt+DU70tFamgIb9z3IxHYBXB5bezJB2AWz5AnGJ43QyaTpDd6e9k -KdynHlBe0p3bfbRy+KZxSSVXbTIl8bonxnz8cQKwe+4vtBtSMy7wNundXG7y2cBy -nL+UTcjAzmiw08FFsPtm+O2MbE58eYPSb4GZOZEMAjbYTWHwcfMq4LC2p6GCwprU -tT2o1I1vXa5okXNIbR275lVQQ/IYKHSNToX48KOesdnKwSmQvujs9lJ9beSaPadL -fwTEEVgzH/+mANf0glGjbYtNNo37qriVdQ5wi7a5rYxVV37OKHL/BrDPsNAKhkwu -xa1gXUC2XvNAwkFM9ITS5BkXXiWbumkJnCDaNd6ufvMclwwlHP/gdyfOVP0nz/xF -o7v9HXQhkOERwBdn/U2KwKFSqGpZCA/6qQTSMzrOOArA5V7vU7SOXiBDV2Ugqh9U -xWsA/f+4E+8DoTruFzkL7ZpgT9OSyAA7q/fwlFH3wX912rkTzmHutslMAaLb4Q8/ -fhLf2OrlA+hR1EFE297QCRMN/VTKSYzaeN+M4BSI5037rzeAtw3QxvT+tyxDP/JS -GU9cJRI5eyN0kLMee2Esulkv/wjMzzN/SymaHqZxAva4Ki5GQnOfhss8/uV+iGuy -kw7LY+02I4iWjfDQw342ymUXRoJvNzuByceLx7MyIB8qbK/m7aielw9koZhAgJbp -HA4VpAmoRBLrm/Jig+uNuKKeT1aeKXjO1lvfoHQK+ILn7IS0HjslUJdBToUU3KiM -d9gEbUJEie5xIp1yS2amhotQfbdfZnloXZXXemycV2lSVm4mllBJbaQggp/9H+7G -bGrcFajUR/f4GbbSSB2SJGjZ7r4rsOlT5EnL9Op+GKa7DQoVO4Tnuw3snOk8fy3R -1WVT9tdFvOoWgQTB/gpcPQwmCK6Kuuiq2zyu74zbzFedkuNQ3TbSCKISO+F+GZNc -o5fJ2ZZjnMEADQkDT2gTm0TlR/t0CfRBxaWl5idE1an+bn+e8JQs0R3h5mv7XJbe -Jj2crMKsTRbC3hIs5xTnb5PrK4Hvr2kZLVqZLfg3/l78BIm/+iGMl4UskTMGqQxG -466YWi664hFSkMjpfGQknOThzMCpRyWWOosvhgILYSZJP3TNtYh06vgflNBHwCLx -fQhVo8/zxYgmdLJFfOj3M5Eez7sEvMJUOJs05zzaPorScryvf+ZxNZ1eHtcCZ86z -rXLKEw4XS3yajFmLMxzdL1kzsDVb5Jk/w4lvXogLXqTWc4OM4+EZufY4Jw3xekEQ -BOJu890drSPvfDI2/fulDQLCmfxylCoSscjVn82z1+ksuJdrAU1HhQHI9/xHF+D1 -scCTXju4j43+R6dIAsaRmDg6ajOE5bGKuW9eIqNhWx3zKYb0ktbrhGgQE18mCjgv -r/DyrkEY03hHOXYpwUXSRkXE7qXAl32fT3MI2c+As2Y78dhuo5jTaIeN9TildPgy 
-EOuzqwmmcgdm4+MWCiRnG7xDJrOpRWKD3Fa7KF01EjRuVD1QrO65fnuMp6uPtSr4 -BtOHuWYv2T98mW4lJwy+vLZsv+6Dc7C0UJs2IKTrNx8OEKEj153IftVUwP/LDNHM -ysCtFim6r5LdFYQZ03TveosBogTbjBk+nO9y0q3rRWsLJktE+rEwi0uX9lB6nPS5 -2/0IsvmZtNNafIWntY5MnitWZqdi3ft/GFt5NrvT1kHU1x9D9Rh1yGxqzoyxJ5LA -nGMLyqtmLhAWuLsN2mxZO84LbsDeiUWG9gjx4E8MJV2TXH6SUqsPVSjgHAzrmYU3 -X5xgthUD -=T754 ------END PGP MESSAGE----- 
diff --git a/keys/backup.pennyworth.key b/keys/backup.pennyworth.key new file mode 100644 index 0000000000000000000000000000000000000000..e58f7fed0e2499d6eb76dd73c9abb912c4ea4b59 GIT binary patch literal 7599 zcmV;g9Z=!`M@dveQdv+`03<8^!A}D--%>S3{=@ZZ!t1p4OlBDww+rzzj0)pQa4}zR2BwOSpdZM z^+EfKe-olBRbUfz_6|0o#&Wj$^}WG@P&J%>Wgg8?QLbOWLI`Nk*!P;BRk&w_Zl68uJ^im`lh)+4ny2RXCL zB?HZGAhV8}fo-l%=ip00Bul}!6mla2BkxAKs<-c?Z2Ix)Awhb}2C{2F3!_$Oo{ZHy zA~;z|J=W4ipN?8XrZ%7QI4y@_mkhDDcR(-MJdz&adSvxpxFy#=b;oSe0 z+;EwnOB)C0eKuZ#|Jh~pKX?Z&3MGhC$ zOcPMMY_lwgH1JsDBv8jF?v11MQCX_;Dsg+kk#5;lN$hs`I3?GZ^l$^+o`u0|$Z-CJ zBR%mnniAJ7Pnd5+?1ZCh(E&D2^}<%^iqFZhnv&x`yF`e6OmC?rrQqkR$(8O$EfF;* zmh@7HD|S@_%gS0z9^h-U0mQV$!|Nv`(Iz12Jdj2$H zxcIEvN#ikuNGC4?HVjq}LTBIPq(|8}iN3;wio2-V=s2WUsDaK|%L~o-lW_CM0W;33 zO}fAZrQcG62!o2#I?>vjxn$J&F`oiPK1gbFu12#ZP&9V~X?U1O(G~ zMy17`=QjrZ9td|W^U5V2QaeI>0Uvzwm|K)8jZ17OD4YlUEVC4N--38Yk7b27x1Pm@ zNNLsC)_ivx)Rc$J2`}BOgn}gOru)U6o_0`E5`D7!Y5fuIrMv7C*l z!l353)Zd=M`^TlIcxp0bO`#Z^4ZEKP(x}LVL2_t0n`5~}8a)7(&~v*H()$`5er;Q$ z?;(h1c-QLaIHo;ah8D~ZAuFEsj2>mOF?;gKjX zEqfRq{9K~~o~TD}z6JhFffYgX;m7}LCYTjAsZgEWuXDt}ATq7d(4?)t_j$0&;6FFm z7P96u(4rcd&Vs$=)}=%XleM4N5aC9kBe8`sHNG9QfYRmxV}trj*YxZlg5M$&}ZURQ|i=4Gu;9BUan>&q-1oB^eCs z)6u$fr`H;dhZNqS_vX7C1@muJS1a-2C91ymIRv=@%~N!FzdY9E(aoSu1+!=+ez&rn z!h>4$SPuh`9fP#Sr`;@>3#14o(zfI7O!Bp0km4kfWqMg5eNZhQ$(kc6-v_qXYra+L zlxWNAB_jKLp42R8Y*tV2eINZcAo6bGS9s%AtWsoODwvVO_H6fsnu%V?)mgHY)zJA~ zkuu&4of$HMuZ_~n1Dx{dL~uP6ol-4c3@kLV@j4_9!*pZhA}o#j`eIh{oRlS|g$Xa- zf^z=nEuKKM_|>+ysVvQR!}w$bx0nwvI_7b0SGCvWG8Gek)I{IQBmnM;PwCce{bycZ z+3d5oz6ha&!{rYOphEGYu7#~GRvMG~DbG$=r>v_=kP{u8t4+cyn@@aKAo9_iA zxx1~^?__fSAM8RmW8fru4zA9r?iUOvRqt)+qmR<=w@|W>|MOD3J z|K0sMB)T89>J<+@Py+t(%k^y#3Ia9(#E`oDSbabZgD|gfWy*#s6S7t@Qn&gTVpmV% zjl+rhdLOLZFeY!h;QJpVb&a@J+F0uNjqHzsyAg)vB8)&w=|$B7ZtH(r!JEu)5ODxy6b)mf2_b`bq2jAPrLsD`)3>&&L`0BSUxb_ANcTMge$ zNaO+T<*O6NO5MqW<*#Dy87{9aF6hAn+N{wPs7qmGH>q1n1F3jh zV@M5kJ@%I)l~;k*R0mf42=Zvt;|pV3lQc1fSKyOZx?C49 
z8-NrPQHZ$t-=T#K-A!P*b|EP?UJm>h?7Tec2IyaRB@%crq3cmI>DacL{%qmCkT@oU zzsUIv)b@u+7HnYR-W#QCPYmRT#J~@UgBrID0(xf9yVJ4eLs%|XLuHapBC6W0!?cy4 zW;<BYlIx;~;@k(!D!&Ix9K3nBrXiAh-B@l{$*Yjs!VrvQm9A7dgSSK2fsCf)RehX1Tv3N*By#bH~$&j6I| z12os>$1YoP>e$n(4aZNKCkh1gROSSMR zgyU5A;KidoC_Mw|CHa18VsbBxqWMB18X9nEWhoc%gJjL?!{EAHt~0^G%EQlE@k^3@ z3tW7`Hb<)PByH=JI2u%|mhjq8u5Ew;hK1mSK1$~43z+LQ5^)l(*>dmA{{~KB*QjRu zvCHUDc%@YwrgulPW4}(LWlPo}#{ndj=iDaL3>>Y5wO-97{$C>!Sj)jjZXkqRK@}Z6 zpn{&k1&NP{riCcP8LB3}%#90QbW#^_%IUE@ z^sJPRUeA_n7nVw$dUY97JV)tHbO=OOL8`A(+t1Ui@%3KGN6eNp6&XnLy}j|x(K$w#11n%oC1(!FVseZLeLEVka=N}cqlGAW(hJi?E%5zpm$Q^~U+4_`YRTV}qzW#9GK}ob z)T)xGUD?IKAR`gnk{`k#e4Ze3W5qXe$DiUPd>6DhqZJrASxeu4A-hPkTnNpW`~*k; zDR@SaE>eHn5D_P{6K_P=x*CizMWR64b+XEtg36)34$0;Y=Sy8*pZgRUZ z`Sm)hf`}|zq@#YDTonULB&Sx~MUH;nJT~&XtG@{y9be-C=S7SeP=0}}S=nbefnrJ> z*_%bZdrG0XQcuM8&h@TwR1qH5{kk@9VO6pK&|(q?(j@)P;m64U!Sd+15r^)@!r?z# zJRUqXLKKB{4kL){4AMH3J07H9;F<5kT*$bycv&#MAx{F$1XV?&e(HcvS~#JXAYy~? z{%(SP1UI|jKNqw@QC=V;)*qvm7pqFQoijl&)KvFXhwPVK?M2PR``H%J|K#n3$9CAc zr#w(puQwV#V zHgZ9U)F=iZ!wT{Ll)`xdyBsD|JJ`C9` z4*@VKnLj}r1s!o7*9Pq+vV;_6SU=~4Vh0c>DAH3QrW@YQ9jpm5{RofKRBr(&(yN!* z*K(bZDqf^=P%nuQN9^TPg61FkNNH!-g% zCCfJhO%A#aDW7=e?qCv;qg*O+Qb@1t%Hh8EY_csY#Eh69Q(sJeQ~y-h4^`l0ZIs}_ zhZ#WH`7`_M54y#~{OH|g%Pj@ay)gOUkrSpYa}KIB#%&`}h7VpRM`tLY6h};{0D}IQ z!mw-)3tr^A+B10+s~VC(*_UV?Dr^I0*{}(PlLKpIruc`VFfUDRR*8RhkikRsC6jf# zC*x>{Xg|=CtuHz1A(`eFo%^MSawBxDM?nTRF2@d#pv)WGQ3^pmwI$LCku2=;z&RpfBMeK>+WL~@p=LeT$F~qV-C9100!MYdVzZCU+8$$OFXO1w z41hFXNgdni8nn9bIIteub@Un8_FWNaPyUTN^&6&@wPlX9daimqYp&*cY3CE;dy|+xtG*Rnf zPeG3#Rfm^JCe%JNB1*s}A0#*GrTrfp(b?o)Lt_*?M;c06`Q}@O#$rs~SK2qe&+)t6E4;i%DO#^8eg`PaVU=VoGP-!8UModqqEIE$Jg zVRsl|zjNkxvVQKs7ujIloY-@TH{9xB1!Thj>QFRFmJy0q64O%s-{$1CMzTzFDC2GdlEnsL#2YiL`gt74 zQ_}mq4;AwvcUi;yD%r5M{k243oztH$>q76DgfmiUv31&71}Og_i^`i&-hRhA=!~-n zQhFxTz&o!iQg3CORV$t!@DMo55Vm5d0vEc~2KquWo1+s-TgVoCf9_We`@Jy{XwL>i zNJ;XvOE1(lCy^*45q#gEUCCi!w$SmYNBZ$c=(-H_A_qqvdm!R0v9?Dtbv_*?DZPs3nW 
zdX?A-168`DsTX(0(|b>rQux-y(k7x;gIBUGKecuy_qH)QH>I$BDJ4Y6DkQvvr66r; zQEla6JkJR^3rmzA;JHO7tEx*CATy@Lh*UCzZ@&0r;7B#Fd0B+@p-lA3^$4DvW{WA9 zsODf)c_8gqBFMj0g*lbrFeIUsaFwK7F%<$M7wFy}hV4%9{7O0pxt-^>X&!%YRH)>M z8*uO{XSqg*?4Tzyt#%lk0G$C>RCqI}>gN87Rsh04eIAc2a?pF`8rz4qZc^a?aWElri?X*+ zqQ%sl?ktYrOic;?-$)Ajwl=ygEU^QyqZ64Tjt!YzyM$)7ga|2;x9O+#C=DFMheh_S z)s90{YIknx!0O+ObFvGh{VsA5(s7f>RMLQspHTFSR=0_C@*qon_zo1l)5~aJ3_9bF zrQNEZ=P_8EYG<1^5u?bvkE9XaOtuq|<=}sO^D<$rZ6`-S-5# zQ+J)zpY=zCghF9ag=mCC*!z#82glReQ}~yGdo7s*GRWomDm!icd3?^VGZ2t(n`D|R z!}b&7pXWrWAlFH%qO>SkuOo3aM&g(r*Q9V6J}o-#Nt1!c-JYx@ns5rdzxGltznTnp zf=&JzSmyq=o701;PqovkQXO``nt0V`-qIHK26`AJtOApATd)+G*1N=jW|=hzStk`l z_{N%opsKFzZcDrcA2&WBd?K=0!O>pXg%ARs0kOgP5BDhHAIGPm?Jw16!tmo@>7lm>gBYq7r8ih$z>k;%;$JA)StCtp~Egtvd(8@NOt0>P8$Y3@W54-xJw!x zm3h_@6$U`UK#T~%1=KR~@~3ti7qb|u{yKPb*Klz+R=;h<=Np0b=WM8U^7Jf8@)u}| zxBx5hG6i#a%;}R`^>JM#5LLQ>%rf<}!DuMxr!XN2ACj58bhi4ExUphvjsB6E2>^!v zF*c_$3ZS4!ay&a7n~CIwubBe1m!~2AAA0qWT^lL@AIEqFl>HfS~r~-ho<@v z67;QK6=)N==VG59v(I4|M)!$J>Ch6(*!cR3_}1kzNGAG}gM6+uQTR!)zd%I;(3BxN zD2}(>YBkxBa|is9ikZGiFA%JO$$n}s*26Si3Gcp=?~mIX9}aNbu2j zO<;j^*W^_!M(~#l2Y$phB`>+hGv*s>n`@x`-^TX~%p3Y_)y8c}hO2~q;3YgE< z#QOyUQXD_I3w{hSSdEpa>ZF^%W7gY>*-1p5`nL%7=5G(**N0$ppL(-B;je(E8Ww!8hW!kN^v!siQ*)CQ-AGg4mtPh`D>e`Zy2>exU%-^cj zeI|HjI25;zvAP4;TWoNjX3TgA^MPO-WL~Vh=^Vx&5OEE&(K!lRX2u`&Q{J9UjCMj1_^%Fek~m5qe(l zZm-zs9oRR$rqpedU!I{cLN~bui!kuUh{D|8+r{b%oD0PClQT8zbvlqz>5fMnuKZ&o zV-P5Rn_I&-X+f?#!kzew#NOoQQ|N47&Z3b1jCF3}DZ^{3`K))q2$$Ygn^5%h79xfJ z`X}^iS72F48LdsyI4Su>VyAMKmuG)$-V!EWqFf~zfTV`8*j8wSht|R>GA(<&)De#Z z*J6nA3#!phi8?LLE|9>Lq0xAeMwtrRhd#aOV?QD;TKs&Jn65>|5%vLRcXJP_+Fa`D&FcbUdC;diZE z8SGO8g?Uy16Vs(!<#|VY!ZVssFYWEOn`j>sAMIM|>eyU{OxEA!3Pk;Eo&sOGqswJ% zzp;|lHB&~T0t^>gocR#~u`uSj2X(3-?efLK5FfFAeAYFViL8)Hf^GEpgl76397GtK zvnrSE={JwZ<|yq~^IY;u2OI^tB=P&Wci+DnR237I#Hb`!fz_b%YKjOKjg|D+2k$F_ zKg}JO#Jn&M<*_C_fj2}KD4m70eLxVuUlZ|EXYXDq@^05C=)*pMrP5_iom-phyAJR( zRfHNlmRpP`Xza$5DYU?>T*)#nWboxeLUiuGDff?2izds8T45?!hgcW3#GT 
zI_y)BX_e*V_E>djfS#ybM>hrM4o4@!+#M7bX4LC6|1MZ5c5m+vU>pc;#>D)yQ55lV z&wze#`T0}+s;k9%znHc-==oqU?qY)yo+TVVjsh|`E%0VvndY*jQkVIYN%4morr_P5 zHlNKg;Y>dq9SnUozy+OSo!D!b&kirn6D>JvS%K2T&fIsf*mH#-XkAuoV;5rJgh@DB zS1Nq1*R$!yzYD>6d!(N~0}ud!Z1u{pwp3gJ_18&Mbl)m&sDu!b)WVef0Le$$+DUHM zZofB{I5d+K!bCQF=g4?3zj&f2?peW*rDsRFScPVXn}}$c^t#dcuryp8mCL4SDw7bk)MIkcrlG6MPivF37pO z#%Gif&9&VrV#*M>iP;8g_JDtQpWuTyc_T*UNivJU|eB^2atMBH}11}#4 z7-yK6Gad(?`2g1ieT-4XBs3+QzMD(UEBkr*vRsh-wmQsCne^9STjiVgcMHStw7 zK-;g)-}_pGT}F*LPLv`T0fh`MG_NXRZBoCBl3Qe*&J{z-+?g_0hNJf3e|lvTV3dhq zBT{?osZcil9UE(|y?uknJ;NItlA0HFur#5aC>+7})X6%5c_d-Us5_wr8$k-ZJmbXY z9eqPnh|o&Afe|5Gjz5y>mf#e2a~h8(Q6Lh4RQP)RxnK}hf81{3Pm^!@YNP;4qc^|p zjflqVt4N(#o#>EMPlhvKz`|_5U9X|CPGO4pL$767XiBPn$^Sw0q8ZtM71@oL)J-06=UEnMVn=U< zGrE(io)+5eej9%j)?W_g&Iqyn&4I3r3ywA}#7i%As?)(uP<4HwW-Uk7u^uen8R@Z!gAUcP3vj{%UN3 z0KUj-5g)Eq;KLKpYe7(N`l)2cT7WjK)B0z_QKb3atA$FV83N?oDo3#l=3}(m&D=6Y zeUsk4L*NI)7mzNKz|jMEIk78@E{v~gY;VrNWyk&K_`dxmv1?{?lg{6F+l5a+14J~8 zxJL-mze?xntPmgCLigIdTe((uEsIQLw2RApKArp4iqB(eVakb89YVOvjF}YcLk#c@ zXaWV`57SoL_$D7nAa{P^-0sKnfl?!KM=l=APYwDt*$2mS!2LfewpTq-5UJQlsIW*R zukZ3g{wKJF>*%l!?8(ne>Z~#`>@B{wA$7b_(wshnGO`zREvdd2_ZCAv%Y)~j$s6PJ z+n)W20UH07T`X*|i*7NbM2?6+ESDi4ob{~sRYdl{*-G{?MFQI zG-(zQJv-PNb6IN1i^2k|Bd;eU2TfzG=-hqJ$$O!UY;W^jm%uGIEhg#>+02P3>#u7@ ziubX#=f4xc5NjE-EDf+o1DArPa<540|0gCDiz!w$^ZhvK`{`62yU?xrN)sCT_q@z* zkkxsI_>#?B{ygR%Y?bq^FhV*#$^GVplP~09j|)_Vm4X2Hcy$_H0-u j+5d&`v+xEr3+!V1@%U6#xf?IOa|;MuJ?Q50wnX_$HW zJ@;8cS3V+-?OeH*+?utr&{AFGorhxxdUhB~J)WXTzQMa0T-l=7WdJJuf1qw7GqZ6( zGY@MC;i}Fhk;$s{R9mPNhwpN(0;n>Ui%G<2ym4J-ijp~BJ8((>p zaTX5ygZR^+HXSNmhp%6v5qf|{3O@9|H__Xd{9JF<2{wEO1n5aP;paJ3#y|v3Rk7Ai zqU$g1MGqtAJ(+4$3z!wCTs!*my05&XS?reP?>*|(F5|kd0im8TG)D`|2ao@sLUJ=6UTkZ119ZMYbgSOGWGw_X)76^*3Q324)dix_pKv3wKP45e3uYrWz@PHw3(PyZk?iTDY$Y&tVKJ z*cE9ucNB$(e~1t=N$nj`kFhG?ADf$!TtkeZ9}_{qORakNcyeVDi-)-R+fz(Ly)+kJ zRSc_v-}PIFvL7iMk-Cx7b6H2Tmkh@Gdyw#;d!2rE@P4LM($$HOGdQk%b*Yi0d%flo jD!yLLb17Ih#f-XxoJmthsWrqk=t~(HpSLjVR}}KxF{rty literal 0 HcmV?d00001 
diff --git a/keys/ssh.pennyworth.key.asc b/keys/ssh.pennyworth.key.asc deleted file mode 100644 index 8dad0cd..0000000 --- a/keys/ssh.pennyworth.key.asc +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN PGP MESSAGE----- -Version: GnuPG v2 - -hQEMAwEAjpZflP7cAQgAvoPmVMBHwSqRdsFKNXNAuWQxNXPXDhhD3HggJGaFaLLb -TaMy+ZddjcCsL1VuJD2Xbs7dfNtYQilF4+2RiVMf8curJm9dV0adI5+6AMcFz+f7 -bB4L8a9QTExfwxOTLbNFUYTyQmWmMl/QeTXlrqOZIj9jYeF6NosWwroh6lOtgrgv -srjVdPacwBVz/oFzMG2xV1BSpEwpBC4WihZo+MM7NREW31gWIQnq02nhafSGii2b -k/T8IsSlS6lOa1yoV+cucn4qZGhXMS4U9J2fXCXmRungBN9tW+xCQG0agnhFAMbD -21iw4sq94pEqX1oVcEWZlZtOUwZe1VvzxLRpLDTIcdLpATiGy1DSi5ItkZpQ9MNb -jlXUKjrz2s6XubINIXfDBmXtLel6JMoxmRzIbVbE0rpbdnZ67Fidkh2eV4g/yUKt -k3Cum3E0TKtGXHMK9GnwxPX0yXtFuhvxLPUmSRwKJXUafcoabcw4NoHTQtjn/EwQ -1Dw+oLGGNnrcXFu1LGfBIXv72cEct/IlTKnVAPcrGSJBW2VqC3rAgVByTsrCtX/W -Rjzayao2NzG0qC14lLMz8BLgdyS4XPHnU/2Si7sQUa6L0t2E4Aqx8EsG14X28UB+ -BXCJS9LxQfNgZ1MlNFDIpbdRKeoBlRaLULQUKksU2Xyodgm8sah0DyxpV7IAXZ5P -qt34/7/79Lbyykvi2gyZuMYLt0bmXLIGeyj853MjUDGoR1idJ45xGwL/VkYkMt/v -lqTkDgsEKdPIowxPmJ7R26K8jQJBPEj9/oCjNJ6hQpINOOdtjGy7b7oWvfwPoFSP -MTXvYgjcHO4g5InU7FRfbWb1FBl3WrMuqKf8aI0vsJ1UDLYbnQgXDADqkSKGZRAg -lyQgO8eQskI0g9Q4ChezPPSJYz4BSU7JHrxcYx08YPf+NdPGa3ryUXNuwiKAIVij -tgOxs+Ro6fxgQVuXg/G0dF9WPMVJbBu/X08TutbLaaEtqFfbNAbl+a2UP4RefKNE -/TozCnubs3QEP23p6DkVJMnAR60jf/LlteFAbZThk8x/XCgsn/BjRVXGJRPhvwb5 -DfVCT3p03jw+hf0iLIDqMNNz4ojLNSFbXRjhUVSaidDybRmkbpWjTZi1vkqJXZlo -2G52ecHtApKtM4yE8tMn9HYSKPN3tUH6DW01faXxka3cfbuYnklN/EJ/3ZEvrwaK -Ybf1i6aw2/cHn3PXbfsqY/waYgZGdFsJIVqjzfWUHhz4LfKySx4dZj8yJg/a83f0 -FTsahK5gv9mpTM4pgyzuzdQ20Y8VSN7iJALb84R4eNTHUHvdnOJjG/hcBQP+Fdeq -N6fTIQVWfr1bu1JqSnzPlb08kvsdQKbrrvLrPKOLkz7bcZ9AC8beTxC7 -=jNi9 ------END PGP MESSAGE----- 
diff --git a/keys/ssh.woodhouse.key b/keys/ssh.woodhouse.key new file mode 100644 index 0000000000000000000000000000000000000000..f30c841fee6c0b9d9e344f7c0dea06afc6545448 GIT binary patch literal 909 zcmV;819JQTM@dveQdv+`0258o)4ngUlcykH7 zqKyD#+G0GA$x?N{7Q5%Tl69N@cNPR5cS?J$);-7Q`oyTT;KaVg18TwnvE@W9xML|1m^FCb!)`h30>{^ ze?_eXM;qB??QXl}_;(|wghv+9h&eoM+qpHIMfWHzY8a+ zNlJk(Go=W`d>o~jV`hS#6X(Pt(O%V4)B}F$8gYdRc)LYVyiK3ASdN-!ttYGz=qr{{ z9ib9p%PffRoxHmgH^t7!uI`d04mpJxR_;m)WcBk~rBuHq;PML^hU!sGu_)hg|H@&3 zj5Rt@3H+XGnBg3;t8nmAs;Y>)D)ZWZT_&FLmBQ+s=e%!!=E_Xclz(5%+EuI@wQfGe zfkh{R@F8q>t$ZuwTUDI);<8p$ufn^_IW7FF2#8Pv!-(lq+nE1qJ(|S=kh2`JEPNL= z?`rFF9wAA@_YM9lj_eokbc5V6Cf5lxv9lT*rjK55+EHE-1g4LR|6ExHh+sm~N332R z^DfC&3JN8j0fE!tHHDy8kpQgVq0o>vO+ zQyVYM3u|aqc97aUcFg86$zr{ITOlQOUEyq!#p1a1!0JNL8uW{Nm*ji+L+92+qFDX) z8ml^!{%V>5d{EE=;oml_iIPYqEemm|hX@d)?fifY(#iKnaCKjF-+C$$7o;gk*G3Wa zHkm5J{2p3#7QTysfbjr(EeaXuw%evusndW_Li;5ajh2CASHXm)en)Qu!Q1&-L!qX8 z8Zk7kN}!@IK6I32$$SE*T&%db3fo!O7%b6qoP5Tms6p*32JBnt<7o7zXgf%10drBu zU)B*HjI~j*9ye|zptQx;)ir6ul3RR_Gf}vp>6gwPS(_I!)2+pw^Nvy8TH#0NT9bMJ jG=Z%g0pb@rmC}g^`R1989An zqaSo$F8(%wK3I6Q)Cs(S;o*14JUH2m>uyslnk7C$qfj{;ig%heqIFb}sO9<-`IKlC zwT#kJi?6_*?vuNMLQHi9`{3ve#V=_O>$4}tpPcL?86K&?_xvr9`Sg{sm;f*%RxpcklHRW#?{fS1cdLyV{0uCCw%5^*7U z2Ndbzj>hwHm|wSa5;s_@&C;J*2sG3Y1poN3r%+=OUms*=6iVSXCAB><5MwtJPN1$h z=9(eW{KoPeg2-r0?1B{l0pcLt@O z7yM?aA-Yb!8w$!wig^5jJ^K*hIHLC#GGKEkoYlda4G_BzxI2cvH@d zPmIHRDQ<_ED8_<2ef@yuuhMgjcK{X}@Hb6cEvJ{mJF~Yd2 zkVU12ZfoJ-Z0n{&4O?jT4(^Qbtx0dG{bo==0>Rw4Jfag$Q8qCNcBqr1?7(B@ooNB1 zuQCkW9YUd_=O`4f5&(fpXQ2v-p^qowyuJYg0N_VZbLBbrj%f|wU`9M`AS8_0^-+pM zB<>kw<JTI|g%+s;{I2v~~j6cOi0|`8MSUUhkY4b6K zvD+3RxUg;!(RN=kH3NEz>!gflAXSRLfr|SDlRe1dMu0iRjr={AA+VTPtF*sBgmT+_ zHCBna?qI2ZU*duAA1$=JlJz7m(al$3852We492}AaOzFvKpisY;D@2RqYerqYxuJiy@nnjP!IP68{~BA@X6*<_y65kwtHBPPwYK4dNlhpn!5tZJeQrP~|>=tb=| zebD8YwLube>y8!-`#Yw`!Ty7SK4DR7s;N-%pS3~<;3ABo3P|zx4T2=(SEJhZlzQe|OQ*QiN^mF$f~52z literal 0 HcmV?d00001 
diff --git a/secrets.nix.asc b/secrets.nix.asc deleted file mode 100644 index bc4510c..0000000 --- a/secrets.nix.asc +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN PGP MESSAGE----- - -hF4DnqWDuZcZnF8SAQdAVaj8bZhjRpGWqpVtj1KWoNTs1IiYuICgYUSCgRKksyow -76JN8cddpQ9IqjDa/8uyX0fR6vtN7Twm65eEn3ucj8B8mGfIG8m3PQpOd4ue2akP -0ukBgi5zb+IZWFhkd1D8ahkV2OAiND62uILIOFbWrsAvW3A+/+xTGyGRBRmuSlwC -Ud+coyE74JC8nYkLbLRO/fpxDWeg9UeRLip6zHaAUkx9hdn57Uhv3UH4KhIYNJKC -s4N59XTeig2s+rkA+NK2E6QiywJAbjOyqb4XQSq84er4UjlR8tODTkuzGXnfAEKa -6ND3Fd+BF3K+C0TUfwmSEsVZJfA74T9XAM93ki1aZ3aRLxDaW6CPOb3gVJQhgleC -KsQp9QonFPaseJFQmDSpsstDlxxLBp+L+fyohsBAoT/+vHkxumFcJdATZYV9dNqp -x5d+xK36jpmhgV4mE979bl1gDZpay5lUdS2LRQjd3c09DE4JHyXn/Xqk64HUZvT0 -3OZa0TzIlfHfQi3FfpHAwFHMDIu/EN70KgoPiN9GE3NYs28EqpRx6XAgyMQYHaYH -zr1WG0Dly5DHQR/c4a83tRoPkJQoQCjC/2y8A+PUdVCgWvrYyMzaMse3oI/m1NpC -bpTIzwPPa3+K6lMRDx/Zalfr92QmU6FD21gPzq5F4dVqA/KJLT0yTyeHIgHbg5aZ -Ob8CN/29qMpvwutLansNQrOHpW56JbT9b1AD5/4TG/nbbCEM6mhwh6bbE7kJYB92 -N5EhlwDQdSslo9cP3u4MNOJOTjkwdN3FZQV14XM0KF66j8COagI4Z52ckb2l6F61 -KO9t2P6YQ1qF+Siw+9VE5TJQ9YaoAsJvM79eS6gOkTM0Ms+zqszijsCSB4/sx/LS -xb0WQY32X9XCd7OkRT3xIfzPBfFyuPXDZima73yaOLeKob4HF7c0L07oRG+0cfMT -UEMN8NsZexJ1q+ZwUhu+aahYQVDDrFvwurqKvfcZjCrv4SoYlatFHfRuJhiJGtan -s8cwSFFoERcMLxY//sznNLgfS1Lpxlbzbflmiri6fvQK/DlsgMNyq2DYKEbfYrxf -1NmExBleZA/qYQoDeuWFxcxVT+W261JdglLkHpYXkeHlNxd97aZzEkpEjHha2V4V -swmm79oQsTBlRujxFDnnDm2q8LZ+XsNv85enjYN4jb/1EqUwZQhdZKjeI1tNQBfh -IFRaWFj7+4OS5OtdcPvgq/sydHxuJb4v1V3vjRRutFw34g== -=u5NG ------END PGP MESSAGE----- From 717ad7eea696bcb5aafd3851bf3fb5e2736d2281 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 10 Mar 2018 17:15:37 +0100 Subject: [PATCH 097/172] add yubikey --- roles/workstation.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/workstation.nix b/roles/workstation.nix index fab4e01..b343443 100644 --- a/roles/workstation.nix +++ b/roles/workstation.nix 
@@ -26,4 +26,8 @@
 virtualisation.virtualbox.host.enable = true;
 yorick.support32bit = true;
 nix.gc.automatic = pkgs.lib.mkOverride 30 false;
+ # yubikey
+ hardware.u2f.enable = true;
+ services.pcscd.enable = true;
+ environment.systemPackages = [pkgs.yubikey-manager];
 }
From 9db7e7bc3527b12e94ec73b8a7311dd3b29dcbe1 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 11 Mar 2018 18:28:25 +0100
Subject: [PATCH 098/172] update for 18.03
---
 logical/ascanius.nix | 4 --
 logical/frumar.nix | 39 ++++--------
 logical/pennyworth.nix | 44 +++++++------
 logical/woodhouse.nix | 9 ---
 modules/mailz.nix | 2 -
 modules/muflax-blog.nix | 28 ++++----
 modules/nginx.nix | 137 ++++------------------------------------
 packages/luadbi.nix | 47 --------------
 packages/yori-cc.nix | 2 +-
 physical/kassala.nix | 2 +-
 roles/asterisk.nix | 51 ---------------
 roles/common.nix | 19 ++++--
 roles/gogs.nix | 89 ++++++++++++-------------
 roles/mail.nix | 26 ++++----
 roles/pub.nix | 9 ++-
 roles/quassel.nix | 73 +++++++++++----------
 roles/website.nix | 55 +++++----------
 roles/workstation.nix | 4 +-
 roles/xmpp.nix | 89 +++++++++++++------------
 secrets.nix | Bin 1545 -> 1567 bytes
 20 files changed, 241 insertions(+), 488 deletions(-)
 delete mode 100644 packages/luadbi.nix
 delete mode 100644 roles/asterisk.nix
diff --git a/logical/ascanius.nix b/logical/ascanius.nix
index a666c18..6058945 100644
--- a/logical/ascanius.nix
+++ b/logical/ascanius.nix
@@ -12,9 +12,5 @@ in
 system.stateVersion = "17.09";
 # no, not that Ascanius.
 networking.hostName = secrets.hostnames.ascanius;
- services.tor.hiddenServices.ssh.map = [
- { port = 22; }
- ];
- services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.ascanius.key";
 }
diff --git a/logical/frumar.nix b/logical/frumar.nix
index 0c71722..6917703 100644
--- a/logical/frumar.nix
+++ b/logical/frumar.nix
@@ -1,24 +1,11 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
 { config, pkgs, ... }:
 let secrets = import ;
- acmeWebRoot = "/etc/sslcerts/acmeroot";
- acmeKeyDir = "${config.security.acme.directory}/git.yori.cc";
 in {
- imports =
- [ # Include the results of the hardware scan.
- ../physical/fractal.nix
- ../roles/common.nix
- ../modules/nginx.nix
- ../roles/gogs.nix
- ../modules/tor-hidden-service.nix
- ../roles/quassel.nix
- ../roles/pub.nix
- ../roles/collectd.nix
- ];
+ imports = [
+ ../physical/fractal.nix
+ ../roles/common.nix
+ ];
 networking.hostName = secrets.hostnames.frumar;
@@ -26,14 +13,12 @@ in
 # The NixOS release to be compatible with for stateful data such as databases.
 system.stateVersion = "15.09";
- nginxssl.enable = true;
+ services.nginx.enable = true;
+ services.yorick = {
+ public = { enable = true; vhost = "pub.yori.cc"; };
+ gogs = { enable = true; vhost = "git.yori.cc"; };
+ quassel.enable = true;
+ };
+
- # hidden SSH service
-
- services.tor.hiddenServices = [
- { name = "ssh";
- port = 22;
- hostname = secrets.tor_hostnames."ssh.frumar";
- private_key = "/run/keys/torkeys/ssh.frumar.key"; }
- ];
-}
\ No newline at end of file
+}
diff --git a/logical/pennyworth.nix b/logical/pennyworth.nix
index 0be506a..2dfa35a 100644
--- a/logical/pennyworth.nix
+++ b/logical/pennyworth.nix
@@ -12,14 +12,7 @@ in
 imports = [
 ../physical/kassala.nix
 ../roles/common.nix
- ../roles/collectd.nix
- ../roles/graphs.nix
- ../roles/xmpp.nix
- ../roles/website.nix
- ../roles/mail.nix
- ../modules/tor-hidden-service.nix
 ../modules/muflax-blog.nix
- ../roles/asterisk.nix
 ];
 networking.hostName = secrets.hostnames.pennyworth;
@@ -31,25 +24,34 @@ in
 networking.enableIPv6 = lib.mkOverride 30 true;
 system.stateVersion = "16.03";
+ yorick = { cpu = null; };
- nginxssl.enable = true;
-
- services.nginx.virtualHosts."pad.yori.cc" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:9140";
+ services.nginx.enable = true;
+ services.yorick = {
+ website = { enable = true; vhost = "yorickvanpelt.nl"; };
+ mail = {
+ enable = true;
+ mainUser = "yorick";
+ users = {
+ yorick = with secrets; {
+ password = yorick_mailPassword;
+ domains = email_domains;
+ };
+ };
+ };
+ xmpp = {
+ enable = true;
+ vhost = "yori.cc";
+ admins = [ "yorick@yori.cc" ];
 };
 };
+ services.nginx.virtualHosts."yori.cc" = {
+ enableACME = true;
+ forceSSL = true;
+ globalRedirect = "yorickvanpelt.nl";
+ };
- # hidden SSH service
- services.tor.hiddenServices = [
- { name = "ssh";
- port = 22;
- hostname = secrets.tor_hostnames."ssh.pennyworth";
- private_key = "/run/keys/torkeys/ssh.pennyworth.key"; }
- ];
 services.muflax-blog = {
diff --git a/logical/woodhouse.nix b/logical/woodhouse.nix
index b833b8d..463b899 100644
--- a/logical/woodhouse.nix
+++ b/logical/woodhouse.nix
@@ -26,15 +26,6 @@ in
 # The NixOS release to be compatible with for stateful data such as databases.
 system.stateVersion = "17.09";
-
- services.xserver = {
- # displayManager.slim.autoLogin = true; # TODO: debug this
- };
-
-
- services.tor.hiddenServices.ssh.map = [ {port = 22;} ];
- services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.woodhouse.key";
-
 system.fsPackages = [ pkgs.sshfsFuse ];
 fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" [];
diff --git a/modules/mailz.nix b/modules/mailz.nix
index b37a41f..4bf7169 100644
--- a/modules/mailz.nix
+++ b/modules/mailz.nix
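Review bot: `password = yorick_mailPassword;` under `services.yorick.mail.users.yorick` passes a secret through a NixOS option value; if the mail module behind `services.yorick.mail` (not visible here) renders it into a generated config file, it ends up in the world-readable Nix store regardless of `secrets.nix` being git-crypted. Confirm that the option expects a password hash or a path to a file read at runtime rather than the cleartext password, and add a comment on that line saying which. `yorick = { cpu = null; };` is only needed because `options.yorick.cpu` in roles/hardware.nix has no default; giving that option `default = null;` would make this line unnecessary on every host.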
@@ -274,13 +274,11 @@ in
 };
 users.extraUsers = optional (cfg.user == "vmail") {
- name = "vmail";
 uid = cfg.uid;
 group = cfg.group;
 };
 users.extraGroups = optional (cfg.group == "vmail") {
- name = "vmail";
 gid = cfg.gid;
 };
diff --git a/modules/muflax-blog.nix b/modules/muflax-blog.nix
index bfebafa..5bfd51c 100644
--- a/modules/muflax-blog.nix
+++ b/modules/muflax-blog.nix
@@ -1,15 +1,18 @@
-{ pkgs, config, lib, ... }:
+{ cur_pkgs, config, lib, ... }:
 let
 cfg = config.services.muflax-blog;
- muflax-source = pkgs.fetchFromGitHub {
+ muflax-source = builtins.fetchGit {
 rev = "e5ce7ae4296c6605a7e886c153d569fc38318096";
- owner = "fmap";
- repo = "muflax65ngodyewp.onion";
- sha256 = "10n5km8mr7vjqlyb46drfhwzlrwranqaxpqc53a2hk9pqqckm8cx";
- };
- blog = lib.overrideDerivation (pkgs.callPackage "${muflax-source}/maintenance" {}) (default: {
+ ref = "HEAD";
+ url = "https://github.com/fmap/muflax65ngodyewp.onion.git";
+};
+nixpkgs = import (builtins.fetchTarball {
+ url = "https://github.com/NixOS/nixpkgs-channels/archive/78e9665b48ff45d3e29f45b3ebeb6fc6c6e19922.tar.gz";
+ sha256 = "09f50jaijvry9lrnx891qmcf92yb8qs64n1cvy0db2yjrmxsxyw8";
+}) { system = builtins.currentSystem; };
+ blog = lib.overrideDerivation (nixpkgs.callPackage "${muflax-source}/maintenance" {}) (default: {
 buildPhase = default.buildPhase + "\n" + ''
 grep -lr '[^@]muflax.com' out | xargs -r sed -i 's/\([^@]\)muflax.com/\1${cfg.hidden-service.hostname}/g'
 '';
@@ -46,11 +49,8 @@ in with lib; {
 }
 '') ["daily" "gospel" "blog"]);
 };
- services.tor.hiddenServices = [{
- name = "muflax-blog";
- remote_port = 80;
- inherit (cfg.web-server) port;
- inherit (cfg.hidden-service) hostname private_key;
- }];
+ services.tor.hiddenServices.muflax-blog.map = [{
+ port = 80; toPort = cfg.web-server.port; }];
+ services.tor.service-keys.muflax-blog = cfg.hidden-service.private_key;
 };
-}
\ No newline at end of file
+}
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 2af7604..8d69147 100644
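Review bot: Dropping `name = "vmail"` leaves the list elements that `optional` hands to `users.extraUsers` and `users.extraGroups` without any name, so unless the surrounding module (outside this hunk) now converts them to the attribute form there is no key under which 18.03 can register the `vmail` user and group. The attribute form makes the intent explicit and removes the dependency on list handling: `users.extraUsers = optionalAttrs (cfg.user == "vmail") { vmail = { uid = cfg.uid; group = cfg.group; }; };` and likewise `users.extraGroups = optionalAttrs (cfg.group == "vmail") { vmail.gid = cfg.gid; };`. The enclosing `config` block starts and ends outside the hunk.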
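Review bot: Replacing `pkgs.fetchFromGitHub` (pinned by a content `sha256`) with `builtins.fetchGit` pinned only by `rev` weakens the supply-chain check for `muflax-source`: integrity now rests on the git commit id alone, and the fetch happens at evaluation time rather than in a fixed-output derivation, so every evaluation needs network access to github.com. If the old form no longer works on 18.03, a `builtins.fetchTarball` with a `sha256`, as already done for `nixpkgs` a few lines below, keeps the content hash; `ref = "HEAD";` next to an explicit `rev` also reads like a workaround and deserves a comment. Separately, the module now takes `cur_pkgs` as an argument, which the NixOS module system does not supply unless it is set through `_module.args` somewhere outside this hunk, and nothing in the visible lines reads it, so confirm it is needed.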
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -1,6 +1,5 @@
 { config, lib, pkgs, ... }:
 let
-cfg = config.nginxssl;
 sslcfg = dir: ''
 ssl on;
 ssl_certificate_key ${dir}/key.pem;
@@ -9,139 +8,29 @@ sslcfg = dir: ''
 add_header Strict-Transport-Security max-age=15768000;
 '';
-makeChallenges = servername: key_webroot: ''
- server {
- listen 80;
- listen [::]:80;
- server_name ${servername};
- location /.well-known/acme-challenge {
- default_type text/plain;
- alias ${key_webroot}/.well-known/acme-challenge;
- }
- }
-'';
-makeServerBlock = servername: {key_root, key_webroot, contents, ...}: ''
- server {
- listen 80;
- listen [::]:80;
- server_name ${servername};
- server_tokens off;
- location /.well-known/acme-challenge {
- default_type text/plain;
- alias ${key_webroot}/.well-known/acme-challenge;
- }
- location / {
- rewrite ^(.*) https://$host$1 permanent;
- }
- }
- server {
- listen 443;
- listen [::]:443;
- server_name ${servername};
- location /.well-known/acme-challenge {
- default_type text/plain;
- alias ${key_webroot}/.well-known/acme-challenge;
- }
- ${sslcfg key_root}
- ${contents}
- }
-'';
-#vhosts = with lib; unique (concatMap (splitString " ") (attrNames cfg.servers));
-servopts = {...}: {
- options = {
- key_webroot = mkOption {
- type = types.string;
- description = "The path where the acme challenge is stored";
- };
- key_root = mkOption {
- type = types.string;
- description = "The path where the SSL keys are stored";
- };
- contents = mkOption {
- type = types.string;
- description = "Extra server block contents, like location blocks";
- example = "location / {}";
- };
- };
-};
-inherit (lib) mkEnableOption mkOption types mkIf;
 in {
- options.nginxssl = {
- enable = mkEnableOption "enable new nginx module";
- no_vhost_keydir = mkOption {
- type = types.string;
- default = "/etc/sslcerts/no_vhost";
- description = "The path where the SSL keys for the default are stored (can and will be self-signed)";
- };
- servers = mkOption {
- type = types.attrsOf types.optionSet;
- description = "The servers to host";
- default = {};
- example = {"git.domain.com" = {
- contents = "location / {}";
- key_root = "/var/lib/acme/git.domain.com";
- key_webroot = "/etc/sslcerts/acmeroot";
- };
- };
- options = [ servopts ];
- };
- challenges = mkOption {
- type = types.attrsOf types.string;
- default = {};
- example = {"mail.domain.com" = "/var/lib/acme/mail.domain.com";};
- description = "Other domains to host challenges for";
- };
- };
- config = mkIf cfg.enable {
+ config = lib.mkIf config.services.nginx.enable {
 services.nginx = {
- enable = true;
 recommendedTlsSettings = true;
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 recommendedOptimisation = true;
 serverTokens = false;
 sslDhparam = "/etc/nginx/dhparam.pem";
- virtualHosts = {
- "\"\"" = {
- forceSSL = true;
- locations."/" = {
- index = "index.html index.htm";
- root = "${pkgs.nginx}/html";
- };
- sslCertificate = "${cfg.no_vhost_keydir}/fullchain.pem";
- sslCertificateKey = "${cfg.no_vhost_keydir}/key.pem";
- default = true;
- };
- };
-
- appendHttpConfig = ''
-
- ${lib.concatStringsSep "\n" (lib.mapAttrsToList makeChallenges cfg.challenges)}
-
- ${lib.concatStringsSep "\n" (lib.mapAttrsToList makeServerBlock cfg.servers)}
-
- '';
- };
+ virtualHosts."${config.networking.hostName}" = {
+ enableACME = true;
+ forceSSL = true;
+ default = true;
+ };
+ };
 networking.firewall.allowedTCPPorts = [80 443];
- system.activationScripts.nginxdhparams =
- ''
- if ! [[ -e /etc/nginx/dhparam.pem ]]; then
- mkdir -p /etc/nginx/
- ${pkgs.openssl}/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048
- fi
- # self-sign certs in case an invalid vhost is looked up
- dir=${cfg.no_vhost_keydir}
- mkdir -m 0700 -p $dir
- if ! [[ -e $dir/key.pem ]]; then
- ${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
- ${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
- -subj "/C=NL/CN=www.example.com"
- ${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
- ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
- fi
- '';
+ system.activationScripts.nginxdhparams = ''
+ if ! [[ -e /etc/nginx/dhparam.pem ]]; then
+ mkdir -p /etc/nginx/
+ ${pkgs.openssl}/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048
+ fi
+ '';
 };
-
 }
diff --git a/packages/luadbi.nix b/packages/luadbi.nix
deleted file mode 100644
index 7a5f1d0..0000000
--- a/packages/luadbi.nix
+++ /dev/null
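Review bot: The catch-all server changes meaning here: before, a request with an unknown `Host`/SNI landed on the `""` vhost with a throwaway self-signed certificate, whereas now `virtualHosts."${config.networking.hostName}"` is both ACME-issued and `default = true`, so clients connecting by IP address or with an unmatched name are served the real hostname certificate and redirected into that vhost's content. That can be a deliberate simplification, but it should be recorded; a comment on the `default = true;` line such as `# catch-all: unknown names get this host's ACME cert, replaces the old self-signed "" vhost` would do. `enableACME` on this vhost also requires `networking.hostName` to be a public FQDN resolving to the machine, which cannot be checked here because the names come from `secrets.hostnames.*`; for a host with a short name the certificate request will fail. `sslcfg`, whose body starts above the hunk, has no remaining callers once `makeServerBlock` is gone (the `cfg` binding was already dropped in the previous hunk), so it can be removed as well.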
@@ -1,47 +0,0 @@ -{lib, fetchurl, lua, sqlite, luaPackages, - libpsql ? null, libmysql ? null, - withpsql ? false, withmysql ? false}: - -assert withpsql -> libpsql != null; -assert withmysql -> libmysql != null; - -luaPackages.buildLuaPackage rec { - version = "0.5"; - name = "luadbi-${version}"; - isLibrary = true; - src = fetchurl { - url = "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/luadbi/luadbi.${version}.tar.gz"; - sha256 = "07ikxgxgfpimnwf7zrqwcwma83ss3wm2nzjxpwv2a1c0vmc684a9"; - }; - - propagatedBuildInputs = [ sqlite ] - ++ (lib.optional withpsql [libpsql]) - ++ (lib.optional withmysql [libmysql]); - - unpackPhase = '' - mkdir ./luadbi - tar -xf $src -C ./luadbi - sourceRoot=./luadbi - chmod -R u+w "$sourceRoot"; - ''; - - preBuild = with lib.optionalString; '' - makeFlagsArray=( - sqlite3 - ${lib.optionalString withpsql "psql"} - ${lib.optionalString withmysql "mysql"} - LUA_LDIR="$out/share/lua/${lua.luaversion}" - LUA_INC="-I${lua}/include" LUA_CDIR="$out/lib/lua/${lua.luaversion}" - ) - ''; - - installPhase = '' - mkdir -p $out/lib/lua/${lua.luaversion} - install -p ./*.so DBI.lua $out/lib/lua/${lua.luaversion} - ''; - - meta = { - homepage = "https://code.google.com/archive/p/luadbi/downloads"; - maintainers = [ "Yorick" ]; - }; -} diff --git a/packages/yori-cc.nix b/packages/yori-cc.nix index f118f68..725b9f1 100644 --- a/packages/yori-cc.nix +++ b/packages/yori-cc.nix @@ -1,4 +1,4 @@ -with import {}; +{ stdenv, callPackage }: let gogitget = callPackage ./gogitget.nix {}; in diff --git a/physical/kassala.nix b/physical/kassala.nix index fd492f4..e90671c 100644 --- a/physical/kassala.nix +++ b/physical/kassala.nix @@ -30,7 +30,7 @@ in usePredictableInterfaceNames = false; # only eth0 interfaces.eth0 = { useDHCP = false; - inherit (ipconf) ip4 ip6; + inherit (ipconf) ipv4 ipv6; }; inherit (ipconf) nameservers; # ideally, it should add a route for this automatically 
diff --git a/roles/asterisk.nix b/roles/asterisk.nix deleted file mode 100644 index f54b0fc..0000000 --- a/roles/asterisk.nix +++ /dev/null @@ -1,51 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - # todo: the prestart service copies to the wrong dir - services.asterisk = { - enable = true; - #extraArguments = ["-vvvddd"]; - confFiles."logger.conf" = '' - [general] - [logfiles] - syslog.local0 => notice,warning,error - console => debug,notice,warning,error,verbose,dtmf,fax - ''; - confFiles."extensions.conf" = '' - [from-sim] - exten => _X.,1,Verbose(Call from Limesco SIM [''${CALLERID(num)}] to [''${EXTEN}]) - same => n,Dial(SIP/speakup01/''${EXTEN}) - - [from-speakup] - ; Vervang ... door de rest van je DIY-nummer: - exten => 31626972516,1,Verbose(Call from SpeakUp [''${CALLERID(num)}] to [''${EXTEN}]) - same => n,Dial(SIP/limesco/''${EXTEN}) - ''; - }; - environment.systemPackages = with pkgs; [ - asterisk - ]; - #networking.firewall.allowedUDPPorts = [5060]; - #networking.firewall.allowedTCPPorts = [5060]; - networking.firewall.extraCommands = '' - iptables -A nixos-fw -p udp -s 193.169.138.0/23 -j nixos-fw-accept - iptables -A nixos-fw -p udp -s 91.232.130.0/24 -j nixos-fw-accept - iptables -A nixos-fw -p udp -s 81.205.5.19 -j nixos-fw-accept - iptables -A nixos-fw -p tcp -s 193.169.138.0/23 -j nixos-fw-accept - iptables -A nixos-fw -p tcp -s 91.232.130.0/24 -j nixos-fw-accept - iptables -A nixos-fw -p tcp -s 81.205.5.19 -j nixos-fw-accept - ''; - # nixpkgs.config = { - # packageOverrides = pkgs : { - # asterisk = pkgs.asterisk.overrideDerivation (attrs: rec { - # version = "13.11.2"; - # broken = false; - - # src = pkgs.fetchurl { - # url = "http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-${version}.tar.gz"; - # sha256 = "0fjski1cpbxap1kcjg6sgd6c8qpxn8lb1sszpg6iz88vn4dh19vf"; - # }; - # }); - # }; - # }; -} diff --git a/roles/common.nix b/roles/common.nix index cf4aeb1..bd29e9d 100644 --- a/roles/common.nix +++ b/roles/common.nix 
@@ -1,10 +1,20 @@ let secrets = import ; in { config, pkgs, lib, ...}: +let + machine = with lib; head (splitString "." config.networking.hostName); +in { imports = [ ../roles/hardware.nix ../modules/tor-hidden-service.nix + ../modules/nginx.nix + ../roles/pub.nix + ../roles/quassel.nix + ../roles/gogs.nix + ../roles/mail.nix + ../roles/website.nix + ../roles/xmpp.nix ]; time.timeZone = "Europe/Amsterdam"; users.mutableUsers = false; @@ -28,11 +38,6 @@ in nixpkgs.config.allowUnfree = true; nix.package = pkgs.nixUnstable; - - nix.trustedBinaryCaches = config.nix.binaryCaches ++ [http://hydra.cryp.to]; - nix.binaryCachePublicKeys = [ - "hydra.cryp.to-1:8g6Hxvnp/O//5Q1bjjMTd5RO8ztTsG8DKPOAg9ANr2g=" - ]; nix.buildCores = config.nix.maxJobs; nix.extraOptions = '' @@ -51,6 +56,9 @@ in services.tor = { enable = true; client.enable = true; + # ssh hidden service + hiddenServices.ssh.map = [{ port = 22; }]; + service-keys.ssh = "/run/keys/torkeys/ssh.${machine}.key"; }; programs.ssh.extraConfig = '' @@ -106,6 +114,5 @@ in ]; nix.gc.automatic = true; - security.acme.preliminarySelfsigned = true; } diff --git a/roles/gogs.nix b/roles/gogs.nix index 3dfc15e..e7c8a1e 100644 --- a/roles/gogs.nix +++ b/roles/gogs.nix 
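Review bot: The new `service-keys.ssh = "/run/keys/torkeys/ssh.${machine}.key"` points the ssh onion service at a file under `/run/keys`, which is normally a tmpfs populated out-of-band at deploy time, so on a fresh boot the key is absent until it is pushed and tor has to be started (or restarted) after it lands; the `../modules/tor-hidden-service.nix` module that consumes `service-keys` is outside this view, so I cannot confirm it orders tor after the key or verifies the file's owner/mode. A one-line comment naming the provisioning path would save the next reader that hunt, e.g. `# onion key is deployed to /run/keys (not in the store); see modules/tor-hidden-service.nix for ordering/permissions`. Note also that `machine` is taken from `head (splitString "." config.networking.hostName)`, so hosts whose short name differs from the key file name silently get no key and tor generates a fresh onion address.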
@@ -1,57 +1,52 @@ { config, pkgs, lib, ... }: let - gitHome = "/var/gogs"; - gogsPort = 8001; - domain = "git.yori.cc"; + cfg = config.services.yorick.gogs; in { - imports = [ - ../modules/nginx.nix - ]; - - users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; useDefaultShell = true;}; - users.extraGroups.git = { }; - services.gogs = rec { - enable = true; - user = "git"; - group = "git"; - database.user = "root"; - stateDir = gitHome; - repositoryRoot = "${stateDir}/gogs-repositories"; - rootUrl = "https://${domain}/"; - httpAddress = "localhost"; - httpPort = gogsPort; - extraConfig = '' - [service] - REGISTER_EMAIL_CONFIRM = false - ENABLE_NOTIFY_MAIL = false - DISABLE_REGISTRATION = true - REQUIRE_SIGNIN_VIEW = false - [picture] - DISABLE_GRAVATAR = false - AVATAR_UPLOAD_PATH = ${gitHome}/data/avatars - [mailer] - ENABLED = false - [session] - PROVIDER = file - [log] - ROOT_PATH = ${gitHome}/logs - MODE = file - LEVEL = Info - [server] - DISABLE_ROUTER_LOG = true - ''; - inherit domain; + options.services.yorick.gogs = with lib; { + enable = mkEnableOption "gogs"; + dir = mkOption { type = types.string; default = "/var/gogs"; }; + port = mkOption { type = types.int; default = 8001; }; + vhost = mkOption { type = types.string; }; }; - users.extraUsers.gogs.createHome = lib.mkForce false; - services.nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString gogsPort}"; + config = lib.mkIf cfg.enable { + + users.extraUsers.git = { home = cfg.dir; extraGroups = [ "git" ]; useDefaultShell = true;}; + users.extraGroups.git = { }; + services.gogs = rec { + enable = true; + user = "git"; + group = "git"; + database.user = "root"; + stateDir = cfg.dir; + repositoryRoot = "${stateDir}/gogs-repositories"; + rootUrl = "https://${cfg.vhost}/"; + httpAddress = "localhost"; + httpPort = cfg.port; extraConfig = '' - proxy_buffering off; + [service] + REGISTER_EMAIL_CONFIRM = false + 
ENABLE_NOTIFY_MAIL = false + DISABLE_REGISTRATION = true + REQUIRE_SIGNIN_VIEW = false + [picture] + DISABLE_GRAVATAR = false + AVATAR_UPLOAD_PATH = ${cfg.dir}/data/avatars + [mailer] + ENABLED = false ''; + domain = cfg.vhost; + }; + users.extraUsers.gogs.createHome = lib.mkForce false; + services.nginx.virtualHosts.${cfg.vhost} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + extraConfig = '' + proxy_buffering off; + ''; + }; }; }; } diff --git a/roles/mail.nix b/roles/mail.nix index 8dfd293..d2df22f 100644 --- a/roles/mail.nix +++ b/roles/mail.nix @@ -1,25 +1,27 @@ { config, pkgs, lib, ... }: -let secrets = import ; -acmeKeyDir = "${config.security.acme.directory}/yori.cc"; +let +cfg = config.services.yorick.mail; in { imports = [ ../modules/mailz.nix ../modules/backup.nix ]; - config = { + options.services.yorick.mail = with lib; { + enable = mkEnableOption "mail service"; + mainUser = mkOption { type = types.string; }; + users = mkOption {}; + }; + config = lib.mkIf cfg.enable { # email - services.mailz = { + services.mailz = rec { domain = config.networking.hostName; - keydir = acmeKeyDir; - mainUser = "yorick"; - users = { - yorick = with secrets; { - password = yorick_mailPassword; - domains = email_domains; - }; - }; + keydir = "${config.security.acme.directory}/${domain}"; + inherit (cfg) mainUser users; }; + security.acme.certs.${config.networking.hostName}.postRun = '' + systemctl reload dovecot2.service postfix.service + ''; services.backup = { enable = true; backups = { diff --git a/roles/pub.nix b/roles/pub.nix index b15a46c..31d886c 100644 --- a/roles/pub.nix +++ b/roles/pub.nix 
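Review bot: `dir` and `vhost` are declared with `types.string`, which merges several definitions by plain concatenation instead of reporting a conflict, so a second definition of `services.yorick.gogs.vhost` elsewhere would yield a mangled hostname rather than an evaluation error; use `types.str` for both (and `types.int` for `port` is fine). The rewritten `extraConfig` also drops the `[session] PROVIDER = file`, `[log] ROOT_PATH/MODE/LEVEL` and `[server] DISABLE_ROUTER_LOG = true` sections present on the removed side; if that is intentional (falling back to Gogs defaults), say so in a comment, otherwise restore them. A short description on each option (`description = "directory holding gogs state and repositories";`) would make the module self-explanatory.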
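Review bot: `users = mkOption {};` has no type or description, so any value merges unchecked, and `mainUser` uses `types.string`, which silently concatenates duplicate definitions; declare them as `users = mkOption { type = types.attrs; description = "mail accounts passed to services.mailz"; };` and `mainUser = mkOption { type = types.str; ... };`. Because `users` is passed straight through to `services.mailz`, whatever a caller puts in `password` ends up wherever mailz writes its config; the mailz module is outside this view, so please confirm it expects a hashed value or writes to a non-store path, otherwise the secret becomes world-readable under /nix/store. The `postRun` reload of dovecot2/postfix is a good addition; if postfix's unprivileged smtpd cannot read the ACME key directory, `security.acme.certs.<name>.allowKeysForGroup`/`group` may also be needed — verify on the host.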
@@ -1,14 +1,19 @@ { config, pkgs, lib, ... }: +let cfg = config.services.yorick.public; in { + options.services.yorick.public = { + enable = lib.mkEnableOption "public hosting"; + vhost = lib.mkOption { type = lib.types.string; }; + }; #imports = [../modules/nginx.nix]; - config = { + config = lib.mkIf cfg.enable { users.extraUsers.public = { home = "/home/public"; useDefaultShell = true; openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public]; createHome = true; }; - services.nginx.virtualHosts."pub.yori.cc" = { + services.nginx.virtualHosts.${cfg.vhost} = { forceSSL = true; enableACME = true; locations."/" = { diff --git a/roles/quassel.nix b/roles/quassel.nix index b7e595e..87252e1 100644 --- a/roles/quassel.nix +++ b/roles/quassel.nix 
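Review bot: The `public` account keeps `useDefaultShell = true` and an ssh key from `../sshkeys.nix`, i.e. a full interactive login, while the vhost below only serves files from its home; if uploading files is the sole purpose, restrict the key rather than granting a shell, e.g. prefix the authorized_keys entry with `restrict,command="internal-sftp"` or set `ForceCommand internal-sftp` in a `Match User public` block. sshkeys.nix is outside this view, so the key may already carry such restrictions — please confirm. `vhost` should use `types.str` instead of the concatenating `types.string`.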
@@ -1,40 +1,45 @@ {config, pkgs, lib, ...}: { - containers.quassel = { - config = { config, pkgs, ... }: { - services.postgresql = { - enable = true; - package = pkgs.postgresql94; - extraConfig = '' - max_connections = 10 - shared_buffers = 1GB - effective_cache_size = 4GB - work_mem = 50MB - maintenance_work_mem = 100MB - ''; + options.services.yorick.quassel = { + enable = lib.mkEnableOption "quassel container"; + }; + config = { + containers.quassel = { + config = { config, pkgs, ... }: { + services.postgresql = { + enable = true; + package = pkgs.postgresql94; + extraConfig = '' + max_connections = 10 + shared_buffers = 1GB + effective_cache_size = 4GB + work_mem = 50MB + maintenance_work_mem = 100MB + ''; + }; + services.quassel = { + # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix + enable = true; + interfaces = ["0.0.0.0"]; + }; + environment.systemPackages = [ + pkgs.quasselDaemon + ]; + networking.firewall.allowedTCPPorts = [4242]; }; - services.quassel = { - # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix - enable = true; - interfaces = ["0.0.0.0"]; - }; - environment.systemPackages = [ - pkgs.quasselDaemon - ]; - networking.firewall.allowedTCPPorts = [4242]; + privateNetwork = true; + hostAddress = "192.168.125.1"; + localAddress = "192.168.125.11"; }; - privateNetwork = true; - hostAddress = "192.168.125.1"; - localAddress = "192.168.125.11"; + # give the containers networking + networking.nat = { + enable = true; + internalInterfaces = ["ve-+"]; + externalInterface = "enp2s0"; + forwardPorts = [ + { sourcePort = 4242; destination = "192.168.125.11:4242"; } + ]; + }; + networking.firewall.allowedTCPPorts = [4242]; }; - # give the containers networking - networking.nat = { - enable = true; - internalInterfaces = ["ve-+"]; - externalInterface = "enp2s0"; - forwardPorts = [ - { sourcePort = 4242; destination = "192.168.125.11:4242"; } - ]; - }; - 
networking.firewall.allowedTCPPorts = [4242]; } diff --git a/roles/website.nix b/roles/website.nix index a63db4c..8657647 100644 --- a/roles/website.nix +++ b/roles/website.nix @@ -1,50 +1,25 @@ { config, lib, pkgs, ... }: let - secrets = import ; - yoricc = import ../packages/yori-cc.nix; - acmeWebRoot = "/etc/sslcerts/acmeroot"; - acmeKeyDir = "${config.security.acme.directory}/yori.cc"; + yoricc = pkgs.callPackage ../packages/yori-cc.nix {}; + cfg = config.services.yorick.website; in + with lib; { - imports = [ - ../modules/nginx.nix - ]; - # website + lets encrypt challenge hosting - nginxssl = { - enable = true; - challenges."${config.networking.hostName}" = acmeWebRoot; - servers."yori.cc" = { - key_root = acmeKeyDir; - key_webroot = acmeWebRoot; - contents = '' - location / { - rewrite ^(.*) https://yorickvanpelt.nl$1 permanent; - } - ''; + options.services.yorick = { + website = { + enable = mkEnableOption "yoricc website"; + vhost = mkOption { type = types.string; }; + pkg = mkOption { type = types.package; default = yoricc; }; }; - servers."yorickvanpelt.nl" = { - key_root = acmeKeyDir; - key_webroot = acmeWebRoot; - contents = '' - location / { - root ${yoricc}/web; - } - ''; + redirect = mkOption { type = types.loaOf types.string; default = []; }; + }; + config.services.nginx.virtualHosts = with cfg; mkIf enable { + ${vhost} = { + enableACME = true; + forceSSL = true; + locations."/".root = "${pkg}/web"; }; }; - - # Let's Encrypt configuration. - security.acme.certs."yori.cc" = - { email = secrets.email; - extraDomains = { - "${config.networking.hostName}" = null; - "yorickvanpelt.nl" = null; - }; - webroot = acmeWebRoot; - postRun = ''systemctl reload nginx.service dovecot2.service postfix.service - systemctl restart prosody.service - ''; - }; } diff --git a/roles/workstation.nix b/roles/workstation.nix index b343443..391410a 100644 --- a/roles/workstation.nix +++ b/roles/workstation.nix 
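Review bot: The new `options.services.yorick.quassel.enable` switch is never consulted: `config = {` below the options block unconditionally defines the container, the NAT rules and the `4242` firewall opening, unlike the sibling modules that wrap their config in `lib.mkIf cfg.enable`. Change it to `config = lib.mkIf config.services.yorick.quassel.enable {` so hosts that do not enable it stop getting a quassel container and an open port. `externalInterface = "enp2s0"` is also a hard-coded host NIC inside a reusable module; an option (or deriving it from the host's network config) would make the module portable.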
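Review bot: The `redirect` option (`types.loaOf types.string`, default `[]`) is declared but nothing in `config` reads it, so the `yori.cc` → `yorickvanpelt.nl` rewrite that the removed lines implemented is silently gone and callers setting `redirect` get no vhost at all. Either drop the option or consume it, e.g. `config.services.nginx.virtualHosts = mkIf cfg.enable ({ ${cfg.vhost} = { ... }; } // mapAttrs (_: target: { enableACME = true; forceSSL = true; globalRedirect = target; }) cfg.redirect);` — `globalRedirect` is the nginx module's permanent-redirect knob, check it exists in the NixOS release you deploy. `types.string` should be `types.str`, and a `description` on `vhost`/`redirect` would clarify whether `redirect` maps source host → target host.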
@@ -17,7 +17,7 @@ enable = true; drivers = [ pkgs.gutenprint ]; }; - environment.systemPackages = [pkgs.ghostscript]; + environment.systemPackages = [pkgs.ghostscript pkgs.yubikey-manager]; services.xserver.displayManager.sessionCommands = '' gpg-connect-agent /bye unset SSH_AGENT_PID @@ -29,5 +29,5 @@ # yubikey hardware.u2f.enable = true; services.pcscd.enable = true; - environment.systemPackages = [pkgs.yubikey-manager]; + #environment.systemPackages = [pkgs.yubikey-manager]; } diff --git a/roles/xmpp.nix b/roles/xmpp.nix index c654637..7e80d85 100644 --- a/roles/xmpp.nix +++ b/roles/xmpp.nix 
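Review bot: Rather than leaving `#environment.systemPackages = [pkgs.yubikey-manager];` commented out in the second hunk, delete the line — a second definition of the same attribute path inside one attribute set is an evaluation error in Nix, which is presumably why it was folded into the first list, and the commented remnant will only confuse the next reader. If the intent is to keep the yubikey packages next to the `# yubikey` block, move `pkgs.yubikey-manager` there and drop it from the first list instead. The enclosing attribute set starts and ends outside both hunks.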
@@ -1,56 +1,57 @@ { config, lib, pkgs, ... }: let - luadbi = pkgs.callPackage ../packages/luadbi.nix {}; - acmeKeyDir = "${config.security.acme.directory}/yori.cc"; + acmeKeyDir = "${config.security.acme.directory}/${cfg.vhost}"; + communityModules = [ "mam" "carbons" "smacks" ]; + cfg = config.services.yorick.xmpp; in { - # XMPP - services.prosody = let - # TODO: this should be in nixpkgs - prosodyModules = pkgs.fetchhg { - name = "prosody-modules-22042016"; - rev = "e0b8b8a50013"; - sha256 = "06qd46bmwjpzrygih91fv7z7g8z60kn0qyr7cf06a57a28117wdy"; - url = "https://hg.prosody.im/prosody-modules/"; - }; + options.services.yorick.xmpp = with lib; { + enable = mkEnableOption "xmpp"; + vhost = mkOption { type = types.string; }; + admins = mkOption { type = types.listOf types.string; }; + }; + config = lib.mkIf cfg.enable { + # XMPP + services.prosody = let in { - enable = true; - - allowRegistration = false; - extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist" "mam" "carbons" "smacks"]; - virtualHosts.yoricc = { - enabled = true; - domain = "yori.cc"; - ssl = { - key = "/var/lib/prosody/keys/key.pem"; - cert = "/var/lib/prosody/keys/fullchain.pem"; + enable = true; + + allowRegistration = false; + extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"] ++ communityModules; + virtualHosts.default = { + enabled = true; + domain = cfg.vhost; + ssl = { + key = "/var/lib/prosody/keys/key.pem"; + cert = "/var/lib/prosody/keys/fullchain.pem"; + }; + }; + # TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub? 
+ extraConfig = '' + use_libevent = true + s2s_require_encryption = true + c2s_require_encryption = true + archive_expires_after = "never" + storage = { + archive2 = "sql"; + } + ''; + inherit (cfg) admins; + package = pkgs.prosody.override { + withZlib = true; withDBI = true; + withCommunityModules = communityModules; }; }; - # TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub? - extraConfig = '' - plugin_paths = { "${prosodyModules}" } - use_libevent = true - s2s_require_encryption = true - c2s_require_encryption = true - archive_expires_after = "never" - storage = { - archive2 = "sql"; - } - ''; - - admins = [ "yorick@yori.cc"]; - }; - nixpkgs.config.packageOverrides = pkgs: - # FIXME: ugly hacks! - { prosody = pkgs.prosody.override { withZlib = true; luazlib = luadbi; }; - }; - systemd.services.prosody.serviceConfig.PermissionsStartOnly = true; - systemd.services.prosody.preStart = '' + systemd.services.prosody.serviceConfig.PermissionsStartOnly = true; + systemd.services.prosody.preStart = '' mkdir -m 0700 -p /var/lib/prosody/keys cp ${acmeKeyDir}/key.pem ${acmeKeyDir}/fullchain.pem /var/lib/prosody/keys chown -R prosody:prosody /var/lib/prosody - ''; - networking.firewall.allowedTCPPorts = [5222 5269]; - + ''; + networking.firewall.allowedTCPPorts = [5222 5269]; + security.acme.certs.${cfg.vhost}.postRun = '' + systemctl restart prosody.service + ''; + }; } 
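Review bot: `s2s_require_encryption = true` only forces TLS on server-to-server links; without `s2s_secure_auth = true` Prosody still federates with peers whose certificates do not validate, so s2s is encrypted but unauthenticated — add `s2s_secure_auth = true` next to it (and list any known-bad peers in `s2s_insecure_domains` if needed). `admins` is `types.listOf types.string`; use `types.str`, which rejects conflicting definitions instead of concatenating them. The preStart still runs `chown -R prosody:prosody /var/lib/prosody` on every start; only the copied key/cert need it, so `chown -R prosody:prosody /var/lib/prosody/keys` is sufficient and avoids rewriting ownership of the whole state directory.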
diff --git a/secrets.nix b/secrets.nix index f1a7853f5ea9f30b6ad6877c5e943bb5ff7f9c3b..32c7ebf08694b42cdd86c02fa3d044fee46be532 100644 GIT binary patch literal 1567 zcmV+)2H^PsM@dveQdv+`0P#oSyhvt_#>!i%FEjTGj2Bqb%*I_D?v@GH7Uh^G&@7#` z_L1w;b-lp4>aFtXJ35i}C-z-PGxI|SQ?q8ekmfU$BX7Fz5s5C+cy;Ktb1F+{D?!y_ zNPj|d{MRO#lhB3igGn4_iES2uLV;r0b)cmhaJV}NY?WTz_Ye zFBGFytQeX=!JD*c>P{AAfe~}PVyJ%(O_{AT#W}iF_QhD(m);Q3Ch^w0W2jaS*b{U8oGan%y4`@!MdZUOx zg+ktL{t{($=#j>r=R53X0SxDz%c1{!}uVfg_7u){0J74D$x zLKlSq$2fyPT!n{aR%W5ZPqs~8L49}nHLA;Qn^tyBG_J_WggJ7rc{}k&f+jw$0atChN5GQh}*$Xu0s zPF3kCD03SAS>&6YX%-ZD--3TrV;yvxRS}g;rS=b?O^L78x+c?m0JZmU)*sKr0$<{` zB?ujTjR?Mm?4)zoPFx;7ffMRcBM!+ z`{e<3L>9*W`eG^Ue3@f?N4!fXmrFm^JtL^98bn>~Qa>;;-$h9I-a*n*>$NUGeDr>$ z7mz`>ygWL&?k4f76q?(4^5F;2I(fi|{pXX=2Q8SQ%_jk8J|y&NX^dv;c;Yhqst`}| z!Yo6S*C+4!L*yH^-FluXWC+YnXII*8&sHdPqpn5{CHged`v;PQ=4^=vt0RNq4eA)H zCRI2U=1mElA`|*z>Mmkf!+Uxf0;q-Z2Qr<%Wv6r^hVB00%kpaFQJ~u#e?;>+l1vZ_ zgS(>hE=$J2A%}`GshBs2pUQ@MmEO&jyV162g_(w?s;9W`jM#Jr@U=xXzj}KX3kWdZsK!vFc+T)i=9po> zbFB<3FAg1bGCGW$>gj7{-zSJ7lAeTt)ZeB3brD5A-yJ}K&9U_)PL#=R+*UQr Rvea1c?_R}Sf#G()q{?r_3w;0p literal 1545 zcmV+k2KM;?M@dveQdv+`0GGSvi=LzW-@Y94j-l?^0PlwFBKvOe>rmC}g^`R1989An zqaSo$F8(%wK3I6Q)Cs(S;o*14JUH2m>uyslnk7C$qfj{;ig%heqIFb}sO9<-`IKlC zwT#kJi?6_*?vuNMLQHi9`{3ve#V=_O>$4}tpPcL?86K&?_xvr9`Sg{sm;f*%RxpcklHRW#?{fS1cdLyV{0uCCw%5^*7U z2Ndbzj>hwHm|wSa5;s_@&C;J*2sG3Y1poN3r%+=OUms*=6iVSXCAB><5MwtJPN1$h z=9(eW{KoPeg2-r0?1B{l0pcLt@O z7yM?aA-Yb!8w$!wig^5jJ^K*hIHLC#GGKEkoYlda4G_BzxI2cvH@d zPmIHRDQ<_ED8_<2ef@yuuhMgjcK{X}@Hb6cEvJ{mJF~Yd2 zkVU12ZfoJ-Z0n{&4O?jT4(^Qbtx0dG{bo==0>Rw4Jfag$Q8qCNcBqr1?7(B@ooNB1 zuQCkW9YUd_=O`4f5&(fpXQ2v-p^qowyuJYg0N_VZbLBbrj%f|wU`9M`AS8_0^-+pM zB<>kw<JTI|g%+s;{I2v~~j6cOi0|`8MSUUhkY4b6K zvD+3RxUg;!(RN=kH3NEz>!gflAXSRLfr|SDlRe1dMu0iRjr={AA+VTPtF*sBgmT+_ zHCBna?qI2ZU*duAA1$=JlJz7m(al$3852We492}AaOzFvKpisY;D@2RqYerqYxuJiy@nnjP!IP68{~BA@X6*<_y65kwtHBPPwYK4dNlhpn!5tZJeQrP~|>=tb=| zebD8YwLube>y8!-`#Yw`!Ty7SK4DR7s;N-%pS3~<;3ABo3P|zx4T2=(SEJhZlzQe|OQ*QiN^mF$f~52z 
From 29aa38554352b9cf7823c7ce5b6ef1dc5662c809 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sun, 11 Mar 2018 18:49:27 +0100 Subject: [PATCH 099/172] add cloc command --- conf | 3 +++ deploy/nix_cloc | 5 +++++ 2 files changed, 8 insertions(+) create mode 100644 deploy/nix_cloc diff --git a/conf b/conf index b64188c..593359b 100755 --- a/conf +++ b/conf @@ -23,4 +23,7 @@ channel) export NIX_PATH="/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH" eval ${@:3} ;; +cloc) + cloc --read-lang-def=deploy/nix_cloc . + ;; esac diff --git a/deploy/nix_cloc b/deploy/nix_cloc new file mode 100644 index 0000000..9300a1f --- /dev/null +++ b/deploy/nix_cloc @@ -0,0 +1,5 @@ +Nix + filter remove_matches ^\s*# + filter remove_inline #.*$ + extension nix + 3rd_gen_scale 3.9 From be7225c47cb0fc989f5afd21f91b97020e4a3dd4 Mon Sep 17 00:00:00 2001 
From: Yorick van Pelt Date: Sun, 11 Mar 2018 19:21:08 +0100 Subject: [PATCH 100/172] reorganize --- README.md | 21 ++++++++++-------- conf | 2 +- logical/ascanius.nix | 9 ++------ logical/frumar.nix | 9 ++------ logical/jarvis.nix | 9 ++------ logical/pennyworth.nix | 25 ++++++---------------- logical/woodhouse.nix | 19 ++++++---------- roles/hardware.nix => physical/default.nix | 6 +++--- physical/fractal.nix | 3 ++- physical/hp8570w.nix | 3 ++- physical/kassala.nix | 3 ++- physical/nuc.nix | 3 ++- physical/xps9360.nix | 3 ++- roles/{common.nix => default.nix} | 11 +++------- roles/graphical.nix | 1 + roles/server.nix | 8 +++++++ roles/workstation.nix | 2 +- {roles => services}/collectd.nix | 0 services/default.nix | 10 +++++++++ {roles => services}/gogs.nix | 0 {roles => services}/graphs.nix | 0 {roles => services}/mail.nix | 0 {roles => services}/pub.nix | 0 {roles => services}/quassel.nix | 0 {roles => services}/website.nix | 0 {roles => services}/xmpp.nix | 0 26 files changed, 68 insertions(+), 79 deletions(-) rename roles/hardware.nix => physical/default.nix (91%) rename roles/{common.nix => default.nix} (90%) create mode 100644 roles/server.nix rename {roles => services}/collectd.nix (100%) create mode 100644 services/default.nix rename {roles => services}/gogs.nix (100%) rename {roles => services}/graphs.nix (100%) rename {roles => services}/mail.nix (100%) rename {roles => services}/pub.nix (100%) rename {roles => services}/quassel.nix (100%) rename {roles => services}/website.nix (100%) rename {roles => services}/xmpp.nix (100%) diff --git a/README.md b/README.md index 48ea7cb..2b982dd 100644 --- a/README.md +++ b/README.md 
@@ -7,23 +7,24 @@ Systems [frumar](https://en.wikipedia.org/wiki/Frumar) -------- -Physical server. Mostly used for files. (storage: 6 TB hdd + 256GB ssd, RAM: 8GB, 2 cores ht) +Physical [server](./roles/server.nix). Mostly used for files. (storage: 6 TB hdd + 256GB ssd, RAM: 8GB, 2 cores ht) -- [git hosting](./roles/gogs.nix) -- [public files](./roles/pub.nix) +- [git hosting](./services/gogs.nix) +- [public files](./services/pub.nix) - torrents -- [quassel](./roles/quassel.nix) +- [quassel](./services/quassel.nix) [pennyworth](https://en.wikipedia.org/wiki/Alfred_Pennyworth) ---------- +[Server](./roles/server.nix). VPS (Storage: 80GB, RAM: 1GB, 2 cores) -- [grafana](./roles/graphs.nix) -- [website](./roles/website.nix) -- [email](./roles/mail.nix) -- [prosody](./roles/xmpp.nix) -- [asterisk](./roles/asterisk.nix) +- [grafana](./services/graphs.nix) +- [website](./services/website.nix) +- [email](./services/mail.nix) +- [prosody](./services/xmpp.nix) +- [asterisk](./services/asterisk.nix) [woodhouse](https://en.wikipedia.org/wiki/List_of_Archer_characters#Recurring_characters) ----------- @@ -37,6 +38,7 @@ intel nuc connected to the tv (storage: 64GB ssd, RAM: 4GB) [ascanius](https://en.wikipedia.org/wiki/Frumar) ---------- +[workstation](./roles/workstation.nix). hp elitebook 8570w (RAM: 16GB, 4 cores ht, storage: 256GB ssd + 300GB HDD) - includes a power saving script @@ -44,6 +46,7 @@ hp elitebook 8570w (RAM: 16GB, 4 cores ht, storage: 256GB ssd + 300GB HDD) [jarvis](https://en.wikipedia.org/wiki/Edwin_Jarvis) -------- +[workstation](./roles/workstation.nix). dell xps 13 (RAM: 16GB, storage: 512GB ssd, 2 cores ht) - for now, just run powertop --auto-tune after a reboot I guess diff --git a/conf b/conf index 593359b..130dcff 100755 --- a/conf +++ b/conf 
@@ -5,7 +5,7 @@ then sudo chgrp nixbld deploy_key chmod 640 deploy_key fi -export NIX_PATH="ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix +export NIX_PATH="ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix:yori-nix=`pwd` case $1 in git) export NIX_PATH="nixpkgs=https://github.com/NixOS/nixpkgs/archive/master.tar.gz:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH" diff --git a/logical/ascanius.nix b/logical/ascanius.nix index 6058945..5d7cd20 100644 --- a/logical/ascanius.nix +++ b/logical/ascanius.nix @@ -1,16 +1,11 @@ { config, pkgs, ... }: -let secrets = import ; -in { imports = - [ ../physical/hp8570w.nix - ../roles/common.nix - ../roles/workstation.nix + [ + ]; system.stateVersion = "17.09"; - # no, not that Ascanius. - networking.hostName = secrets.hostnames.ascanius; } diff --git a/logical/frumar.nix b/logical/frumar.nix index 6917703..aa6450e 100644 --- a/logical/frumar.nix +++ b/logical/frumar.nix @@ -1,16 +1,11 @@ { config, pkgs, ... }: -let secrets = import ; -in { imports = [ - ../physical/fractal.nix - ../roles/common.nix + + ]; - networking.hostName = secrets.hostnames.frumar; - - # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "15.09"; services.nginx.enable = true; diff --git a/logical/jarvis.nix b/logical/jarvis.nix index f48bf09..68fa02f 100644 --- a/logical/jarvis.nix +++ b/logical/jarvis.nix @@ -2,16 +2,11 @@ { imports = - [ # Include the results of the hardware scan. - ../physical/xps9360.nix - ../roles/common.nix - ../roles/workstation.nix + [ + ]; - networking.hostName = "jarvis"; # Define your hostname. - - # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "17.09"; #networking.enableIPv6 = lib.mkOverride 30 true; diff --git a/logical/pennyworth.nix b/logical/pennyworth.nix index 2dfa35a..67b5416 100644 --- a/logical/pennyworth.nix +++ b/logical/pennyworth.nix 
@@ -4,27 +4,16 @@ { config, pkgs, lib, ... }: -let - secrets = import ; - yoricc = import ../packages/yori-cc.nix; -in { imports = [ - ../physical/kassala.nix - ../roles/common.nix - ../modules/muflax-blog.nix + + + ../modules/muflax-blog.nix ]; - networking.hostName = secrets.hostnames.pennyworth; - - services.nixosManual.enable = false; - - environment.noXlibs = true; - networking.enableIPv6 = lib.mkOverride 30 true; system.stateVersion = "16.03"; - yorick = { cpu = null; }; services.nginx.enable = true; services.yorick = { @@ -32,11 +21,9 @@ in mail = { enable = true; mainUser = "yorick"; - users = { - yorick = with secrets; { - password = yorick_mailPassword; - domains = email_domains; - }; + users.yorick = { + password = (import ).yorick_mailPassword; + domains = ["yori.cc" "yorickvanpelt.nl"]; }; }; xmpp = { diff --git a/logical/woodhouse.nix b/logical/woodhouse.nix index 463b899..9195169 100644 --- a/logical/woodhouse.nix +++ b/logical/woodhouse.nix @@ -13,26 +13,21 @@ mkFuseMount = device: opts: { }; in { - imports = - [ # Include the results of the hardware scan. - ../physical/nuc.nix - ../roles/common.nix - # ../roles/collectd.nix - ../roles/graphical.nix - ]; + imports = [ + + + ]; - networking.hostName = secrets.hostnames.woodhouse; - - # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "17.09"; + # fuse mounts system.fsPackages = [ pkgs.sshfsFuse ]; fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" []; fileSystems."/mnt/oxygen" = mkFuseMount "yorick@oxygen.obfusk.ch:" []; fileSystems."/mnt/nyamsas" = mkFuseMount "yorick@nyamsas.quezacotl.nl:" ["port=1337"]; - - networking.firewall.allowedTCPPorts = [7 8080 9090 9777]; # kodi + # kodi ports + networking.firewall.allowedTCPPorts = [7 8080 9090 9777]; } 
diff --git a/roles/hardware.nix b/physical/default.nix similarity index 91% rename from roles/hardware.nix rename to physical/default.nix index 3583928..0bac40f 100644 --- a/roles/hardware.nix +++ b/physical/default.nix @@ -1,10 +1,10 @@ { config, lib, pkgs, ... }: -let cfg = config.yorick; in +let cfg = config.hardware.yorick; in with lib; { - options.yorick = { + options.hardware.yorick = { cpu = mkOption { - type = types.nullOr (types.enum ["intel"]); + type = types.nullOr (types.enum ["intel" "virtual"]); }; gpu = mkOption { type = types.nullOr (types.enum ["intel" "nvidia"]); diff --git a/physical/fractal.nix b/physical/fractal.nix index 8e3a7a8..f6d5574 100644 --- a/physical/fractal.nix +++ b/physical/fractal.nix @@ -6,10 +6,11 @@ { imports = [ + ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" ]; - yorick.cpu = "intel"; + hardware.yorick.cpu = "intel"; # Use the GRUB 2 boot loader. boot.loader.grub.enable = true; diff --git a/physical/hp8570w.nix b/physical/hp8570w.nix index ac34d0b..543ac75 100644 --- a/physical/hp8570w.nix +++ b/physical/hp8570w.nix @@ -3,10 +3,11 @@ { imports = [ + ./hp8570w/powerdown.nix ]; - yorick = { cpu = "intel"; gpu = "nvidia"; laptop = true; }; + hardware.yorick = { cpu = "intel"; gpu = "nvidia"; laptop = true; }; boot = { loader.grub = { diff --git a/physical/kassala.nix b/physical/kassala.nix index e90671c..0558288 100644 --- a/physical/kassala.nix +++ b/physical/kassala.nix @@ -3,7 +3,7 @@ let ipconf = (import ).ipconf.${config.networking.hostName}; in { - imports = [ ../modules/nixos-in-place.nix ]; + imports = [ ../modules/nixos-in-place.nix ]; "nixos-in-place" = { enable = true; rootfs = "/dev/disk/by-uuid/7165e542-0995-474c-a228-9592339e0604"; @@ -44,4 +44,5 @@ in ip -6 route add default via ${gateway6} || true ''; nix.maxJobs = lib.mkDefault 2; + hardware.yorick.cpu = "virtual"; } diff --git a/physical/nuc.nix b/physical/nuc.nix index c5b2e6b..8b5fc00 100644 
--- a/physical/nuc.nix +++ b/physical/nuc.nix @@ -6,10 +6,11 @@ { imports = [ + ]; boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; - yorick = { cpu = "intel"; gpu = "intel"; }; + hardware.yorick = { cpu = "intel"; gpu = "intel"; }; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; diff --git a/physical/xps9360.nix b/physical/xps9360.nix index 8cbd31f..59a5129 100644 --- a/physical/xps9360.nix +++ b/physical/xps9360.nix @@ -2,8 +2,9 @@ { imports = [ + ]; - yorick = { cpu = "intel"; gpu = "intel"; laptop = true; }; + hardware.yorick = { cpu = "intel"; gpu = "intel"; laptop = true; }; boot = { diff --git a/roles/common.nix b/roles/default.nix similarity index 90% rename from roles/common.nix rename to roles/default.nix index bd29e9d..b134c3c 100644 --- a/roles/common.nix +++ b/roles/default.nix @@ -2,20 +2,15 @@ let secrets = import ; in { config, pkgs, lib, ...}: let - machine = with lib; head (splitString "." config.networking.hostName); + machine = lib.removeSuffix ".nix" (builtins.baseNameOf ); in { imports = [ - ../roles/hardware.nix ../modules/tor-hidden-service.nix ../modules/nginx.nix - ../roles/pub.nix - ../roles/quassel.nix - ../roles/gogs.nix - ../roles/mail.nix - ../roles/website.nix - ../roles/xmpp.nix + ]; + networking.hostName = secrets.hostnames.${machine}; time.timeZone = "Europe/Amsterdam"; users.mutableUsers = false; users.extraUsers.root = { diff --git a/roles/graphical.nix b/roles/graphical.nix index 462db09..f098c1a 100644 --- a/roles/graphical.nix +++ b/roles/graphical.nix @@ -2,6 +2,7 @@ let secrets = import ; in { config, lib, pkgs, ... }: { + imports = [ ]; options.yorick.support32bit = with lib; mkOption { type = types.bool; default = false; }; config = { diff --git a/roles/server.nix b/roles/server.nix new file mode 100644 index 0000000..ea430a2 --- /dev/null +++ b/roles/server.nix 
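Review bot: `machine = lib.removeSuffix ".nix" (builtins.baseNameOf …)` (the search-path token is dropped in this rendering, presumably `<nixos-config>`) derives the host name from the file name NIX_PATH's `nixos-config` points at, which only holds when evaluating through `./conf` (`nixos-config=`pwd`/logical/$2.nix`); any other entry point such as `/etc/nixos/configuration.nix` makes `secrets.hostnames.${machine}` fail with an opaque "attribute missing" error. Fail with a clear message instead: `networking.hostName = secrets.hostnames.${machine} or (throw "roles/default.nix: no entry for '${machine}' in secrets.nix hostnames");` and add a comment stating the convention (`# hostname is keyed by the logical/<name>.nix file being built`). The `users.extraUsers.root = {` set on the last context line continues outside the hunk.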
@@ -0,0 +1,8 @@
+{
+ imports = [ ];
+
+ services.nixosManual.enable = false;
+
+ environment.noXlibs = true;
+
+}
diff --git a/roles/workstation.nix b/roles/workstation.nix
index 391410a..2cc2b90 100644
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
@@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 {
 imports = [
- ../roles/graphical.nix
+
 ];
 users.extraUsers.yorick.extraGroups = ["input"];
 services.redshift = {
diff --git a/roles/collectd.nix b/services/collectd.nix similarity index 100% rename from roles/collectd.nix rename to services/collectd.nix
diff --git a/services/default.nix b/services/default.nix new file mode 100644
index 0000000..acf564b
--- /dev/null
+++ b/services/default.nix
@@ -0,0 +1,10 @@
+{
+ imports = [
+ ./gogs.nix
+ ./mail.nix
+ ./pub.nix
+ ./quassel.nix
+ ./website.nix
+ ./xmpp.nix
+ ]
+}
diff --git a/roles/gogs.nix b/services/gogs.nix similarity index 100% rename from roles/gogs.nix rename to services/gogs.nix
diff --git a/roles/graphs.nix b/services/graphs.nix similarity index 100% rename from roles/graphs.nix rename to services/graphs.nix
diff --git a/roles/mail.nix b/services/mail.nix similarity index 100% rename from roles/mail.nix rename to services/mail.nix
diff --git a/roles/pub.nix b/services/pub.nix similarity index 100% rename from roles/pub.nix rename to services/pub.nix
diff --git a/roles/quassel.nix b/services/quassel.nix similarity index 100% rename from roles/quassel.nix rename to services/quassel.nix
diff --git a/roles/website.nix b/services/website.nix similarity index 100% rename from roles/website.nix rename to services/website.nix
diff --git a/roles/xmpp.nix b/services/xmpp.nix similarity index 100% rename from roles/xmpp.nix rename to services/xmpp.nix
From 2689bfb633a1ed41f58fb2bea5f83c0a0159496a Mon Sep 17 00:00:00 2001
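Review bot: The `imports` list in the new `services/default.nix` closes with a bare `]`, so the file is a Nix parse error as soon as anything imports it; the line needs to be `];`. A one-line header would also help readers now that `roles/default.nix` no longer lists these modules itself, e.g. `# aggregates the per-service modules moved out of roles/; import this from a host that runs them`.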
From: Yorick van Pelt Date: Sun, 11 Mar 2018 19:24:22 +0100 Subject: [PATCH 101/172] remove hydra stuff --- network.nix | 15 --------------- release-unstable.nix | 9 --------- secrets_dummy.nix | 18 ------------------ 3 files changed, 42 deletions(-) delete mode 100644 network.nix delete mode 100644 release-unstable.nix delete mode 100644 secrets_dummy.nix
diff --git a/network.nix b/network.nix deleted file mode 100644
index dc23373..0000000
--- a/network.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-with (import ).hostnames; {
- network.description = "yorick's stuff";
- frumar = {
- imports = [./frumar/configuration.nix];
- deployment.targetHost = frumar;
- };
- pennyworth = {
- imports = [./pennyworth/configuration.nix];
- deployment.targetHost = pennyworth;
- };
- woodhouse = {
- imports = [./woodhouse/configuration.nix];
- deployment.targetHost = woodhouse;
- };
-}
diff --git a/release-unstable.nix b/release-unstable.nix deleted file mode 100644
index 7662f1a..0000000
--- a/release-unstable.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-let
- nixos = import ;
- nixpkgs = import {};
- nixosFor = path: nixos {configuration = import path;};
-in
-{
- ascanius = nixpkgs.lib.hydraJob (nixosFor ./logical/ascanius.nix).system;
- jarvis = nixpkgs.lib.hydraJob (nixosFor ./logical/jarvis.nix).system;
-}
diff --git a/secrets_dummy.nix b/secrets_dummy.nix deleted file mode 100644
index eb33136..0000000
--- a/secrets_dummy.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- pennyworth_hashedPassword = "";
- yorick_hashedPassword = "";
- tor_hostnames = {
- "ssh.pennyworth" = "q.onion";
- "ssh.frumar" = "q.onion";
- "ssh.woodhouse" = "q.onion";
- "ssh.ascanius" = "q.onion";
- };
- hostnames = {
- frumar = "q";
- ospinio = "q";
- ascanius = "q";
- pennyworth = "q";
- woodhouse = "q";
- jarvis = "q";
- };
-}
From 7d51eaa7d8a70a3742d1db2e53f71da80802049a Mon Sep 17 00:00:00 2001
From: Yorick van Pelt Date: Sun, 11 Mar 2018 19:41:14 +0100 Subject: [PATCH 102/172] fail2ban recidive jail so I can lock myself out optimally --- roles/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/roles/default.nix b/roles/default.nix
index b134c3c..234a15f 100644
--- a/roles/default.nix
+++ b/roles/default.nix
@@ -21,6 +21,14 @@ in
 };
 services.timesyncd.enable = true;
 services.fail2ban.enable = true;
+ # ban repeat offenders longer
+ services.fail2ban.jails.recidive = ''
+ filter = recidive
+ action = iptables-allports[name=recidive]
+ maxretry = 5
+ bantime = 604800 ; 1 week
+ findtime = 86400 ; 1 day
+ '';
 users.extraUsers.yorick = {
 isNormalUser = true;
 uid = 1000;
From c4ca9690a5f3a7e5dae8752548b4bb9aced954f1 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt Date: Sun, 11 Mar 2018 23:17:55 +0100 Subject: [PATCH 103/172] add key deployment, fix pennyworth --- deploy/keys.nix | 19 ++++++ keys/ssh.jarvis.key | Bin 0 -> 909 bytes logical/pennyworth.nix | 3 +- modules/tor-hidden-service.nix | 3 +- physical/kassala.nix | 2 + roles/common.nix | 117 +++++++++++++++++++++++++++++++++ roles/default.nix | 4 +- roles/server.nix | 1 + secrets.nix | Bin 1567 -> 1612 bytes services/default.nix | 2 +- 10 files changed, 147 insertions(+), 4 deletions(-) create mode 100644 deploy/keys.nix create mode 100644 keys/ssh.jarvis.key create mode 100644 roles/common.nix
diff --git a/deploy/keys.nix b/deploy/keys.nix new file mode 100644
index 0000000..55febbe
--- /dev/null
+++ b/deploy/keys.nix
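Review bot: The recidive jail sets neither `backend` nor `logpath`, so it depends on the filter's default log source; if this NixOS fail2ban instance logs to the journal rather than `/var/log/fail2ban.log` (I believe the module does), the jail will fail to start until `backend = systemd` is added so the filter's journal match is used — check with `fail2ban-client status recidive` after deploying. Since `iptables-allports` with a one-week ban also covers the admin (as the commit message concedes), an `ignoreip = 127.0.0.1/8 <management address>` line in this jail is cheap insurance against locking out the only way in. The enclosing attrset starts and ends outside the hunk.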
@@ -0,0 +1,19 @@ +{ pkgs, lib, config, ... }: +with lib; +let cfg = config.deployment.keyys; in +{ + options.deployment.keyys = mkOption { type = types.listOf types.path; default = []; }; + options.deployment.keys-copy = mkOption { type = types.package; }; + config = { + deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys" (if cfg != [] then '' + set -e + ssh root@$1 "mkdir -p /root/keys" + scp ${concatMapStringsSep " " toString cfg} root@$1:/root/keys + echo "uploaded keys" + '' else '' + echo "no keys to upload" + ''); + + }; + +} diff --git a/keys/ssh.jarvis.key b/keys/ssh.jarvis.key new file mode 100644 index 0000000000000000000000000000000000000000..32c7090a31701f310f74c2a475cd81a1287663c7 GIT binary patch literal 909 zcmV;819JQTM@dveQdv+`0MRYM#_|Rr3xLe42&VSRMyj{o#{fKdlZEsmIr))`Laonm zn7UWwk3Z2f!_=j{h-q7C`c@=IYrKXNw(Fxx+ryFrWhFlzrj|!EB^(jj|@_DC; z1H6lNGOn5ge1pmio$Gl_5m^xyk*f(qaBQafd76RhJa%yJs#fMs(d8lzVepiBgELxj z5ja*lxQlWu&zaGTqIDpzK$Z>+qT$}AHf3@G*+{Qv`h&)Veid%p4NQOD9332T1H4Kz zXm=K`&_aQCf{d&@*2U}*?N454?}D2TMmkEstlm7PRrH(LF8zewy(jil>f^T_LY=8@ z^D&-G>*IkFEONWJ!fJ3JCD^tn>>9y*F|rzzz*|`XU7)ygZCA>ZFD?2Zd~9WqYHcaR z>a<=mlIyieEeNmIq7V~k z+*p(T@tIqTXc2g5C#Y)U9BilqE^G;lI!+Q~G~;N(NnJa=YWHx;d-MdJ$*8}()ka2H zk@?yoD2e%umceAr$LJfEO@s-#DxsdozH^G)%%^tN%!C?&K3CNpZxU8>L*h zZuyjw{VHfYOlkvFE;g$=b9$OUzFe5u0n#>Y@EsVX0}FmtcZmK$1g8G4<*N1{2ss13 z{~ZqPdL7SK@srJ@P;+f?;`1-n2rJK`;3`E7?78|q_y8MhpQ4OJrtI<^pUb1~*k2iQ zQHz0449y>r1%K!nz5KL&lH-6#Wa3*#ZC@KCAh|-T#JW-%ebpgRp|xrL;$0p&v#k`4 zcg0<$p3DSf@I1*xHIrVQ)l}j~Z$x2n?1bhw{-}C_^(P2Xs6NIO}~ z+Ydo#bbv{eXm90BUUW>D}0&wvD8E2=nuEz?Qrx^{pLIaz@~el`m)6&Qij?3&A0 jIOh%TbB!w*uT ]; } diff --git a/modules/tor-hidden-service.nix b/modules/tor-hidden-service.nix index 5fd411b..0774338 100644 --- a/modules/tor-hidden-service.nix +++ b/modules/tor-hidden-service.nix 
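Review bot: `copy-keys` uploads private keys without controlling their permissions: `mkdir -p /root/keys` follows root's umask on the target and `scp` carries over the mode of the checkout copy, so a group- or world-readable key in the repo lands that way on the server. Tighten both ends and quote the host: `ssh "root@$1" "umask 077 && mkdir -p /root/keys"`, `scp ${concatMapStringsSep " " toString cfg} "root@$1:/root/keys/"`, `ssh "root@$1" "chmod 600 /root/keys/*"`; an empty `$1` should also be rejected up front, since `set -e` does not catch it. The same patch commits `keys/ssh.jarvis.key` as a 909-byte binary blob — presumably git-crypt-encrypted like `secrets.nix`, but worth confirming, because a plaintext hidden-service key in history cannot be unpublished.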
@@ -15,7 +15,7 @@ in {
 systemd.services."install-tor-hidden-service-keys" = {
 wantedBy = ["tor.service"];
 serviceConfig.Type = "oneshot";
- serviceConfig.User = "tor";
+ serviceConfig.User = "root";
 serviceConfig.Group = "keys";
 # TODO: update on change?
 # TODO: better ways to get the keys on the server
@@ -24,6 +24,7 @@ in {
 mkdir -p ${torDir}/onion/${name}/
 cp ${keypath} ${torDir}/onion/${name}/private_key
 chmod -R 700 ${torDir}/onion/${name}
+ chown -R tor ${torDir}/onion/${name}
 fi
 '') service-keys);
 };
diff --git a/physical/kassala.nix b/physical/kassala.nix
index 0558288..b37e8c6 100644
--- a/physical/kassala.nix
+++ b/physical/kassala.nix
@@ -13,6 +13,8 @@ in
 # before: /nixos/nix/* /boot/grub/menu.lst
 # after: /nix/* /old-root/boot/grub/menu.lst
 boot = {
+ kernelPackages = pkgs.linuxPackages_latest;
+ blacklistedKernelModules = ["coretemp"];
 # use grub 1, don't install
 loader.grub = {
 version = 1;
diff --git a/roles/common.nix b/roles/common.nix new file mode 100644
index 0000000..ca1dd58
--- /dev/null
+++ b/roles/common.nix
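Review bot: The second hunk copies the key as root with the default umask and then fixes it up with `chmod -R 700` and `chown -R tor`, which leaves the private key executable (0700) and relies on two follow-up commands; `install -d -m 700 -o tor ${torDir}/onion/${name}` followed by `install -m 600 -o tor ${keypath} ${torDir}/onion/${name}/private_key` sets owner and mode in the same step as the copy. With `serviceConfig.User` now `root`, the `serviceConfig.Group = "keys"` line in the first hunk no longer serves a purpose and can go. The surrounding `if` guard and the `concatStrings` over `service-keys` begin outside the hunk.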
@@ -0,0 +1,117 @@
+let secrets = import ;
+in
+{ config, pkgs, lib, ...}:
+let
+ machine = with lib; head (splitString "." config.networking.hostName);
+in
+{
+ imports = [
+ ../modules/tor-hidden-service.nix
+ ../modules/nginx.nix
+ ../roles/pub.nix
+ ../roles/quassel.nix
+ ../roles/gogs.nix
+ ../roles/mail.nix
+ ../roles/website.nix
+ ../roles/xmpp.nix
+ ];
+ time.timeZone = "Europe/Amsterdam";
+ users.mutableUsers = false;
+ users.extraUsers.root = {
+ openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys;
+ # root password is useful from console, ssh has password logins disabled
+ hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
+
+ };
+ services.timesyncd.enable = true;
+ services.fail2ban.enable = true;
+ users.extraUsers.yorick = {
+ isNormalUser = true;
+ uid = 1000;
+ extraGroups = ["wheel"];
+ group = "users";
+ openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [yorick];
+ };
+
+ # Nix
+ nixpkgs.config.allowUnfree = true;
+ nix.package = pkgs.nixUnstable;
+
+ nix.buildCores = config.nix.maxJobs;
+
+ nix.extraOptions = ''
+ allow-unsafe-native-code-during-evaluation = true
+ '';
+
+ # Networking
+ networking.enableIPv6 = false;
+
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ challengeResponseAuthentication = false;
+ };
+
+ services.tor = {
+ enable = true;
+ client.enable = true;
+ # ssh hidden service
+ hiddenServices.ssh.map = [{ port = 22; }];
+ service-keys.ssh = "/root/keys/ssh.${machine}.key";
+ };
+
+ programs.ssh.extraConfig = ''
+ Host *.onion
+ ProxyCommand nc -xlocalhost:9050 -X5 %h %p
+ '' +
+ (with lib; (flip concatMapStrings) (filter (hasPrefix "ssh.") (attrNames secrets.tor_hostnames)) (name: ''
+ Host ${removePrefix "ssh." name}.onion
+ hostname ${secrets.tor_hostnames.${name}}
+ ''
+ ));
+
+ environment.systemPackages = with pkgs; [
+ # v important.
+ cowsay ponysay
+ ed # ed, man!
+ sl
+ rlwrap
+
+ vim
+
+ # system stuff
+ ethtool inetutils
+ pciutils usbutils
+ iotop powertop htop
+ psmisc lsof
+ smartmontools hdparm
+ lm_sensors
+ ncdu
+
+ # utils
+ file which
+ reptyr
+ tmux
+ bc
+ mkpasswd
+ shadow
+
+ # archiving
+ xdelta
+ atool
+ unrar p7zip
+ unzip zip
+
+ # network
+ nmap mtr bind
+ socat netcat-openbsd
+ lftp wget rsync
+
+ git
+ nix-repl
+ rxvt_unicode.terminfo
+ ];
+ nix.gc.automatic = true;
+
+}
+
diff --git a/roles/default.nix b/roles/default.nix
index 234a15f..3214df8 100644
--- a/roles/default.nix
+++ b/roles/default.nix
@@ -8,6 +8,7 @@ in
 imports = [
 ../modules/tor-hidden-service.nix
 ../modules/nginx.nix
+
 ];
 networking.hostName = secrets.hostnames.${machine};
@@ -61,8 +62,9 @@ in
 client.enable = true;
 # ssh hidden service
 hiddenServices.ssh.map = [{ port = 22; }];
- service-keys.ssh = "/run/keys/torkeys/ssh.${machine}.key";
+ service-keys.ssh = "/root/keys/ssh.${machine}.key";
 };
+ deployment.keyys = [ ( + "/ssh.${machine}.key") ];
 programs.ssh.extraConfig = ''
 Host *.onion
diff --git a/roles/server.nix b/roles/server.nix
index ea430a2..07c8ef4 100644
--- a/roles/server.nix
+++ b/roles/server.nix
@@ -4,5 +4,6 @@
 services.nixosManual.enable = false;
 environment.noXlibs = true;
+ networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers
 }
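Review bot: This re-adds `roles/common.nix` with the content that patch 100 renamed into `roles/default.nix`, so the tor hidden service, the `yorick` and root accounts, the sshd settings and the package list are now defined in two files that will drift apart; if a second copy is really needed, say why in a header comment, e.g. `# NOTE: temporary copy of roles/default.nix for hosts not yet on the new layout`. Two of the duplicated settings deserve an explicit comment wherever they end up: `allow-unsafe-native-code-during-evaluation = true` in `nix.extraOptions` lets Nix expressions run native code and external commands during evaluation, and `hashedPassword = secrets.pennyworth_hashedPassword` with its `# TODO: generate own` gives every host that imports this file the same root password.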
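Review bot: `service-keys.ssh` moves from `/run/keys/torkeys/...` to `/root/keys/...`, i.e. from a location under `/run` that does not survive a reboot to one that persists on the root filesystem and ends up in any disk image or backup of it; if that is the intent, record it next to the path, e.g. `# persisted on disk; uploaded by deploy/keys.nix's copy-keys`, and make sure `/root/keys` is 0700. The option is spelled `deployment.keyys`, which looks like a typo that this line now bakes into a caller.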
diff --git a/secrets.nix b/secrets.nix index 32c7ebf08694b42cdd86c02fa3d044fee46be532..1e8c352579287b418507cd4f194eb47b3050f7d3 100644 GIT binary patch literal 1612 zcmV-S2DAA9M@dveQdv+`00bhZ7>tu)^;&?v^`3wc1lIZZ)#&O!Nvz?Nol=Hb?h7)1YSkitZgpV(KeYY6Lj(*HMzi@Cm`pOd6c{rPY)a4C&MOd_B+LSm|_@;DL9w+U_e4rUchI_$x|Yg zzNK758{LUS86dGzbdqZ}0&W#i(;*%^E%At7D{8(%n>Q{NM+Z-C;Vu{kqR$if{!ji+ zAh3#1e}uSCX>|S}wv}Q=llDzB6{ViYK4AWVN+}p?WCp0FW7Q2hLk>{;i^mH)xqhR7^F{{0tQvbjMuo-`DlO< zGLj>r3o#TSxANgU-gHk}eiL#xC{vDoL`=8F!yipk>N)BEvwxB31JB z)X#S0B3$fI6eRd8+EKy)$}!--yMO#K_7+nV=0i-FTc+cKYmPh5{N8sdX8On`EJ8WV zlS#d#!WN4%YldSi!wCa*39CJpO95HE%XQ$}>;F{9Zj}XY2%12IeX<(S zMr2Sw%Og#kL}ErgR;fA+ShFuC`Nf77x|QPPi8|79FAm+sm<8t9rtj_f;~`xU;8O&8 zFrLX4EUi05rsNUmi*#~9eB^}VrUuL_`n?IbS-xFvyd=z~1IgW2!U}5RF@IG;ImH*r z9zdYKWJ1UVSuck}%&8Sh+qs7sh|E}9+4H)3PYZW;yAMrJ;4H{@uWglCXI=kj%I0#E1>Ub3bW63r*2!!i%FEjTGj2Bqb%*I_D?v@GH7Uh^G&@7#` z_L1w;b-lp4>aFtXJ35i}C-z-PGxI|SQ?q8ekmfU$BX7Fz5s5C+cy;Ktb1F+{D?!y_ zNPj|d{MRO#lhB3igGn4_iES2uLV;r0b)cmhaJV}NY?WTz_Ye zFBGFytQeX=!JD*c>P{AAfe~}PVyJ%(O_{AT#W}iF_QhD(m);Q3Ch^w0W2jaS*b{U8oGan%y4`@!MdZUOx zg+ktL{t{($=#j>r=R53X0SxDz%c1{!}uVfg_7u){0J74D$x zLKlSq$2fyPT!n{aR%W5ZPqs~8L49}nHLA;Qn^tyBG_J_WggJ7rc{}k&f+jw$0atChN5GQh}*$Xu0s zPF3kCD03SAS>&6YX%-ZD--3TrV;yvxRS}g;rS=b?O^L78x+c?m0JZmU)*sKr0$<{` zB?ujTjR?Mm?4)zoPFx;7ffMRcBM!+ z`{e<3L>9*W`eG^Ue3@f?N4!fXmrFm^JtL^98bn>~Qa>;;-$h9I-a*n*>$NUGeDr>$ z7mz`>ygWL&?k4f76q?(4^5F;2I(fi|{pXX=2Q8SQ%_jk8J|y&NX^dv;c;Yhqst`}| z!Yo6S*C+4!L*yH^-FluXWC+YnXII*8&sHdPqpn5{CHged`v;PQ=4^=vt0RNq4eA)H zCRI2U=1mElA`|*z>Mmkf!+Uxf0;q-Z2Qr<%Wv6r^hVB00%kpaFQJ~u#e?;>+l1vZ_ zgS(>hE=$J2A%}`GshBs2pUQ@MmEO&jyV162g_(w?s;9W`jM#Jr@U=xXzj}KX3kWdZsK!vFc+T)i=9po> zbFB<3FAg1bGCGW$>gj7{-zSJ7lAeTt)ZeB3brD5A-yJ}K&9U_)PL#=R+*UQr Rvea1c?_R}Sf#G()q{?r_3w;0p diff --git a/services/default.nix b/services/default.nix index acf564b..eb5a420 100644 --- a/services/default.nix +++ b/services/default.nix @@ -6,5 +6,5 @@ ./quassel.nix ./website.nix ./xmpp.nix - ] + ]; } 
From 926e9f69605337dc93a8d6ee1f8558244e0c67ea Mon Sep 17 00:00:00 2001
From: Yorick van Pelt Date: Sun, 11 Mar 2018 23:18:22 +0100 Subject: [PATCH 104/172] update helper script --- conf | 71 +++++++++++++++++++++++++++++++++++++--------------- servers.json | 22 ++++++++++++++++ 2 files changed, 73 insertions(+), 20 deletions(-) create mode 100644 servers.json
diff --git a/conf b/conf
index 130dcff..52c3856 100755
--- a/conf
+++ b/conf
@@ -5,25 +5,56 @@ then
 sudo chgrp nixbld deploy_key
 chmod 640 deploy_key
 fi
-export NIX_PATH="ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix:yori-nix=`pwd`
+export NIX_PATH="ssh-id-file=$PWD/deploy_key":secrets=$PWD/secrets.nix:yori-nix=$PWD
+function get_channel {
+ case $1 in
+ git)
+ echo "nixpkgs=https://github.com/NixOS/nixpkgs/archive/master.tar.gz"
+ ;;
+ stable)
+ echo "nixpkgs=https://nixos.org/channels/nixos-17.03/nixexprs.tar.xz"
+ ;;
+ checkout)
+ echo "nixpkgs=$PWD/../nixpkgs"
+ ;;
+ channel)
+ echo "/nix/var/nix/profiles/per-user/root/channels/nixos"
+ ;;
+ esac
+}
 case $1 in
-git)
- export NIX_PATH="nixpkgs=https://github.com/NixOS/nixpkgs/archive/master.tar.gz:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH"
- eval ${@:3}
- ;;
-stable)
- export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-17.03/nixexprs.tar.xz:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH"
- eval ${@:3}
- ;;
-checkout)
- export NIX_PATH="nixpkgs=`pwd`/../nixpkgs:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH"
- eval ${@:3}
- ;;
-channel)
- export NIX_PATH="/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH"
- eval ${@:3}
- ;;
-cloc)
- cloc --read-lang-def=deploy/nix_cloc .
- ;;
+ cloc)
+ exec cloc --read-lang-def=deploy/nix_cloc .
+ ;;
+ copy-keys)
+ $0 exec "$2" nix build -f "\\" config.deployment.keys-copy --out-link copy-keys
+ TARGET_HOST=$(jq -r ".$2.host"" "\\"
+ ;;
+ build)
+ exec "$0" exec "$2" nixos-rebuild build
+ ;;
+ boot)
+ TARGET_HOST=$(jq -r ".$2.host" Date: Sun, 11 Mar 2018 23:30:05 +0100 Subject: [PATCH 105/172] add copy command --- conf | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/conf b/conf
index 52c3856..28a2b63 100755
--- a/conf
+++ b/conf
@@ -47,6 +47,10 @@ case $1 in
 build)
 exec "$0" exec "$2" nixos-rebuild build
 ;;
+ copy)
+ TARGET_HOST=$(jq -r ".$2.host" Date: Thu, 22 Mar 2018 12:07:34 +0100 Subject: [PATCH 106/172] un-hardcode physical path --- physical/xps9360.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/physical/xps9360.nix b/physical/xps9360.nix
index 59a5129..2f9b5a6 100644
--- a/physical/xps9360.nix
+++ b/physical/xps9360.nix
@@ -2,7 +2,7 @@
 {
 imports = [
-
+ ./.
 ];
 hardware.yorick = { cpu = "intel"; gpu = "intel"; laptop = true; };
From 134fa178d44ab47af018e7de491eaba85b827c53 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt Date: Thu, 22 Mar 2018 17:31:19 +0100 Subject: [PATCH 107/172] remove nixpkgs dependency from xps9360 config --- physical/xps9360.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/physical/xps9360.nix b/physical/xps9360.nix
index 2f9b5a6..ee4e643 100644
--- a/physical/xps9360.nix
+++ b/physical/xps9360.nix
@@ -1,11 +1,12 @@
 { config, lib, pkgs, ... }:
 {
 imports = [
- ./.
 ];
 hardware.yorick = { cpu = "intel"; gpu = "intel"; laptop = true; };
+ hardware.enableRedistributableFirmware = true; # needed?
+
 boot = {
 loader = {
@@ -40,7 +41,7 @@
 ];
 nix.maxJobs = lib.mkDefault 4;
-
+
 # bigger console font
 i18n.consoleFont = "latarcyrheb-sun32";
 }
From 8b222d648acc38fa41b62b6b610875baaf080609 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt Date: Sat, 31 Mar 2018 02:42:09 +0200 Subject: [PATCH 108/172] add skl binary cache --- logical/ascanius.nix | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/logical/ascanius.nix b/logical/ascanius.nix
index 5d7cd20..26021ce 100644
--- a/logical/ascanius.nix
+++ b/logical/ascanius.nix
@@ -8,4 +8,12 @@ system.stateVersion = "17.09";
+
+ nix.binaryCaches = [
+ "https://cache.nixos.org"
+ "https://builder.serokell.review"
+ ];
+ nix.binaryCachePublicKeys = [
+ "serokell:ic/49yTkeFIk4EBX1CZ/Wlt5fQfV7yCifaJyoM+S3Ss="
+ ];
 }
From c340dd24f3e22826207b076490c7ee0d6b480053 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt Date: Fri, 4 May 2018 14:28:08 +0200 Subject: [PATCH 109/172] add serokell cache --- logical/ascanius.nix | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/logical/ascanius.nix b/logical/ascanius.nix
index 26021ce..7668091 100644
--- a/logical/ascanius.nix
+++ b/logical/ascanius.nix
@@ -9,11 +9,15 @@ system.stateVersion = "17.09";
- nix.binaryCaches = [
- "https://cache.nixos.org"
- "https://builder.serokell.review"
- ];
- nix.binaryCachePublicKeys = [
- "serokell:ic/49yTkeFIk4EBX1CZ/Wlt5fQfV7yCifaJyoM+S3Ss="
- ];
+ nix = {
+ binaryCaches = [
+ "https://cache.nixos.org"
+ ];
+ trustedBinaryCaches = config.nix.binaryCaches ++ [
+ "https://builder.serokell.io"
+ ];
+ binaryCachePublicKeys = [
+ "serokell:ic/49yTkeFIk4EBX1CZ/Wlt5fQfV7yCifaJyoM+S3Ss="
+ ];
+ };
 }
From 611ecec9ab89c999727d54a6350d162ac11d5024 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt Date: Sat, 12 May 2018 18:11:34 +0200 Subject: [PATCH 110/172] Need root to deploy --- conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/conf b/conf
index 28a2b63..333177e 100755
--- a/conf
+++ b/conf
@@ -49,15 +49,15 @@ case $1 in
 ;;
 copy)
 TARGET_HOST=$(jq -r ".$2.host" Date: Sat, 12 May 2018 18:12:02 +0200 Subject: [PATCH 111/172] Only make quassel container when enabled --- services/quassel.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/quassel.nix b/services/quassel.nix
index 87252e1..2ddc413 100644
--- a/services/quassel.nix
+++ b/services/quassel.nix
@@ -3,7 +3,7 @@
 options.services.yorick.quassel = {
 enable = lib.mkEnableOption "quassel container";
 };
- config = {
+ config = lib.mkIf config.services.yorick.quassel.enable {
 containers.quassel = {
 config = { config, pkgs, ... }: {
 services.postgresql = {
From 0ff7fb71484381dde0fb2916da1a0707aeaf634d Mon Sep 17 00:00:00 2001
From: Yorick van Pelt Date: Sat, 12 May 2018 18:12:16 +0200 Subject: [PATCH 112/172] fstrim woodhouse --- physical/nuc.nix | 1 + 1 file changed, 1 insertion(+)
diff --git a/physical/nuc.nix b/physical/nuc.nix
index 8b5fc00..186a11e 100644
--- a/physical/nuc.nix
+++ b/physical/nuc.nix
@@ -19,6 +19,7 @@ fileSystems."/" = { device = "/dev/disk/by-uuid/fa5026b1-0f73-4233-a417-780c65f3f038";
 fsType = "btrfs";
+ options = ["defaults" "relatime" "discard"];
 };
 fileSystems."/boot" =
From adb903bd30df217260e8f8049988bb006b336391 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt Date: Sat, 12 May 2018 18:13:48 +0200 Subject: [PATCH 113/172] Add lumiguide public key --- logical/ascanius.nix | 11 ----------- roles/workstation.nix | 17 +++++++++++++++++ 2 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/logical/ascanius.nix b/logical/ascanius.nix
index 7668091..295532e 100644
--- a/logical/ascanius.nix
+++ b/logical/ascanius.nix
@@ -9,15 +9,4 @@ system.stateVersion = "17.09";
- nix = {
- binaryCaches = [
- "https://cache.nixos.org"
- ];
- trustedBinaryCaches = config.nix.binaryCaches ++ [
- "https://builder.serokell.io"
- ];
- binaryCachePublicKeys = [
- "serokell:ic/49yTkeFIk4EBX1CZ/Wlt5fQfV7yCifaJyoM+S3Ss="
- ];
- };
 }
diff --git a/roles/workstation.nix b/roles/workstation.nix
index 2cc2b90..d54aaa8 100644
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
@@ -31,3 +31,20 @@ services.pcscd.enable = true;
 #environment.systemPackages = [pkgs.yubikey-manager];
 }
+ nix = {
+ gc.automatic = pkgs.lib.mkOverride 30 false;
+ binaryCaches = [
+ "https://cache.nixos.org"
+ ];
+ trustedBinaryCaches = config.nix.binaryCaches ++ [
+ "https://builder.serokell.io"
+ "https://cache.lumi.guide"
+ ];
+ binaryCachePublicKeys = [
+ "serokell:ic/49yTkeFIk4EBX1CZ/Wlt5fQfV7yCifaJyoM+S3Ss="
+ "cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE="
+ ];
+ #extraOptions = ''
+ # netrc-file = ${nixnetrc}
+ #'';
+ };
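Review bot: The new `nix = { ... };` set is appended after the module's closing `}` (the context line ` }` directly precedes `+ nix = {`), so `roles/workstation.nix` no longer parses; move the block inside the attrset by deleting that `}` and closing the module after `};`. The commented-out `netrc-file = ${nixnetrc}` refers to a `nixnetrc` binding that does not exist in this file, so it will fail the moment it is uncommented; either bind it or drop the three lines. `gc.automatic = pkgs.lib.mkOverride 30 false;` also appears to duplicate a `nix.gc.automatic` line the file already has (it shows as context in the next patch), so one of the two should go.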
From 89815b898184ad3f9c3dcbb49335ab90bd482d53 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt Date: Sat, 12 May 2018 18:14:28 +0200 Subject: [PATCH 114/172] Start gpg agent with systemd-user --- roles/workstation.nix | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/roles/workstation.nix b/roles/workstation.nix
index d54aaa8..05af9f8 100644
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
@@ -18,11 +18,12 @@
 drivers = [ pkgs.gutenprint ];
 };
 environment.systemPackages = [pkgs.ghostscript pkgs.yubikey-manager];
- services.xserver.displayManager.sessionCommands = ''
- gpg-connect-agent /bye
- unset SSH_AGENT_PID
- export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"
- '';
+ nix.gc.automatic = pkgs.lib.mkOverride 30 false;
+ #services.xserver.displayManager.sessionCommands = ''
+ # gpg-connect-agent /bye
+ # unset SSH_AGENT_PID
+ # export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"
+ #'';
 virtualisation.virtualbox.host.enable = true;
 yorick.support32bit = true;
 nix.gc.automatic = pkgs.lib.mkOverride 30 false;
From 5d9fdc8b33cb8ed2846b209e77e3a51a62f85b3a Mon Sep 17 00:00:00 2001
From: Yorick van Pelt Date: Sat, 12 May 2018 18:15:42 +0200 Subject: [PATCH 115/172] disbale redshifit, move nix gc --- roles/common.nix | 1 - roles/workstation.nix | 12 +----------- 2 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/roles/common.nix b/roles/common.nix
index ca1dd58..eae45c8 100644
--- a/roles/common.nix
+++ b/roles/common.nix
@@ -35,7 +35,6 @@ in
 # Nix
 nixpkgs.config.allowUnfree = true;
- nix.package = pkgs.nixUnstable;
 nix.buildCores = config.nix.maxJobs;
diff --git a/roles/workstation.nix b/roles/workstation.nix
index 05af9f8..223b2c5 100644
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
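Review bot: The five commented-out `sessionCommands` lines are dead code; if the display-manager hook is replaced by the systemd user service the title mentions, delete them (git keeps the history) and leave a pointer such as `# gpg-agent is started by its systemd user socket; SSH_AUTH_SOCK comes from programs.gnupg.agent.enableSSHSupport`. Nothing in this hunk adds that replacement, so unless it is configured elsewhere, ssh clients in the X session stop getting `SSH_AUTH_SOCK` pointed at the gpg-agent socket after this change — please confirm on the laptop. The added `nix.gc.automatic = pkgs.lib.mkOverride 30 false;` repeats the identical line visible as context three lines below; drop one.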
@@ -4,15 +4,6 @@
 ];
 users.extraUsers.yorick.extraGroups = ["input"];
- services.redshift = {
- enable = true;
- latitude = "51.8";
- longitude = "5.8";
- temperature = {
- day = 6500;
- night = 5500;
- };
- };
 services.printing = {
 enable = true;
 drivers = [ pkgs.gutenprint ];
@@ -26,12 +17,10 @@
 #'';
 virtualisation.virtualbox.host.enable = true;
 yorick.support32bit = true;
- nix.gc.automatic = pkgs.lib.mkOverride 30 false;
 # yubikey
 hardware.u2f.enable = true;
 services.pcscd.enable = true;
 #environment.systemPackages = [pkgs.yubikey-manager];
-}
 nix = {
 gc.automatic = pkgs.lib.mkOverride 30 false;
 binaryCaches = [
@@ -49,3 +38,4 @@
 # netrc-file = ${nixnetrc}
 #'';
 };
+}
From f7fb38af62c41824aed4df4f088b0a84bb9dec40 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt Date: Sun, 13 May 2018 01:03:19 +0200 Subject: [PATCH 116/172] Add qca6174 firmware update, switch to overlay --- packages/default.nix | 7 ++ packages/firmware_qca6174.nix | 14 ++++ physical/xps9360.nix | 2 + roles/common.nix | 116 ---------------------------------- roles/default.nix | 1 + roles/workstation.nix | 1 - 6 files changed, 24 insertions(+), 117 deletions(-) create mode 100644 packages/default.nix create mode 100644 packages/firmware_qca6174.nix delete mode 100644 roles/common.nix
diff --git a/packages/default.nix b/packages/default.nix new file mode 100644
index 0000000..0da4db9
--- /dev/null
+++ b/packages/default.nix
@@ -0,0 +1,7 @@
+[ (self: super: {
+ gogitget = super.callPackage ./gogitget.nix {};
+ shallot = super.callPackage ./shallot.nix {};
+ yori-cc = super.callPackage ./yori-cc.nix {};
+ firmware_qca6174 = super.callPackage ./firmware_qca6174.nix {};
+
+})]
diff --git a/packages/firmware_qca6174.nix b/packages/firmware_qca6174.nix new file mode 100644
index 0000000..69832da
--- /dev/null
+++ b/packages/firmware_qca6174.nix
@@ -0,0 +1,14 @@
+{ stdenv, fetchurl }:
+stdenv.mkDerivation rec {
+ target = "QCA6174";
+ branch = "4.4.1.c1";
+ version = "${branch}-00042";
+ name = "${target}-firmware-${version}";
+ src = fetchurl {
+ url = "https://github.com/kvalo/ath10k-firmware/raw/master/${target}/hw3.0/${branch}/firmware-6.bin_RM.${version}-QCARMSWP-1";
+ sha256 = "01vvz3qhqw5l3yilcqgk1spk4y9k4qy7na7a57cbl037r231szdh";
+ };
+ buildCommand = ''
+ install -D $src $out/lib/firmware/ath10k/${target}/hw3.0/firmware-6.bin
+ '';
+}
diff --git a/physical/xps9360.nix b/physical/xps9360.nix
index 2f9b5a6..00c0587 100644
--- a/physical/xps9360.nix
+++ b/physical/xps9360.nix
@@ -43,4 +43,6 @@
 # bigger console font
 i18n.consoleFont = "latarcyrheb-sun32";
+
+ hardware.firmware = lib.mkBefore [ pkgs.firmware_qca6174 ];
 }
diff --git a/roles/common.nix b/roles/common.nix deleted file mode 100644
index eae45c8..0000000
--- a/roles/common.nix
+++ /dev/null
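Review bot: `install -D $src ...` uses install's default mode of 0755, so the firmware blob is shipped executable; `install -D -m 644 $src $out/lib/firmware/ath10k/${target}/hw3.0/firmware-6.bin` is the conventional mode under `lib/firmware`. The URL fetches from `raw/master` of kvalo/ath10k-firmware, a moving ref: the `sha256` makes this a fixed-output fetch so a swapped file cannot slip in, but if upstream replaces the file the build just fails with a hash mismatch, whereas pinning the commit in the URL keeps the source reproducible. A header comment stating why this firmware is packaged separately — the commit message says "firmware update", presumably a newer build than the linux-firmware copy for the XPS 9360's QCA6174 — would save the next reader the archaeology.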
@@ -1,116 +0,0 @@
-let secrets = import ;
-in
-{ config, pkgs, lib, ...}:
-let
- machine = with lib; head (splitString "." config.networking.hostName);
-in
-{
- imports = [
- ../modules/tor-hidden-service.nix
- ../modules/nginx.nix
- ../roles/pub.nix
- ../roles/quassel.nix
- ../roles/gogs.nix
- ../roles/mail.nix
- ../roles/website.nix
- ../roles/xmpp.nix
- ];
- time.timeZone = "Europe/Amsterdam";
- users.mutableUsers = false;
- users.extraUsers.root = {
- openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys;
- # root password is useful from console, ssh has password logins disabled
- hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
-
- };
- services.timesyncd.enable = true;
- services.fail2ban.enable = true;
- users.extraUsers.yorick = {
- isNormalUser = true;
- uid = 1000;
- extraGroups = ["wheel"];
- group = "users";
- openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [yorick];
- };
-
- # Nix
- nixpkgs.config.allowUnfree = true;
-
- nix.buildCores = config.nix.maxJobs;
-
- nix.extraOptions = ''
- allow-unsafe-native-code-during-evaluation = true
- '';
-
- # Networking
- networking.enableIPv6 = false;
-
- services.openssh = {
- enable = true;
- passwordAuthentication = false;
- challengeResponseAuthentication = false;
- };
-
- services.tor = {
- enable = true;
- client.enable = true;
- # ssh hidden service
- hiddenServices.ssh.map = [{ port = 22; }];
- service-keys.ssh = "/root/keys/ssh.${machine}.key";
- };
-
- programs.ssh.extraConfig = ''
- Host *.onion
- ProxyCommand nc -xlocalhost:9050 -X5 %h %p
- '' +
- (with lib; (flip concatMapStrings) (filter (hasPrefix "ssh.") (attrNames secrets.tor_hostnames)) (name: ''
- Host ${removePrefix "ssh." name}.onion
- hostname ${secrets.tor_hostnames.${name}}
- ''
- ));
-
- environment.systemPackages = with pkgs; [
- # v important.
- cowsay ponysay
- ed # ed, man!
- sl
- rlwrap
-
- vim
-
- # system stuff
- ethtool inetutils
- pciutils usbutils
- iotop powertop htop
- psmisc lsof
- smartmontools hdparm
- lm_sensors
- ncdu
-
- # utils
- file which
- reptyr
- tmux
- bc
- mkpasswd
- shadow
-
- # archiving
- xdelta
- atool
- unrar p7zip
- unzip zip
-
- # network
- nmap mtr bind
- socat netcat-openbsd
- lftp wget rsync
-
- git
- nix-repl
- rxvt_unicode.terminfo
- ];
- nix.gc.automatic = true;
-
-}
-
diff --git a/roles/default.nix b/roles/default.nix
index 3214df8..576ce6f 100644
--- a/roles/default.nix
+++ b/roles/default.nix
@@ -41,6 +41,7 @@ in
 # Nix
 nixpkgs.config.allowUnfree = true;
 nix.package = pkgs.nixUnstable;
+ nixpkgs.overlays = import ../packages;
 nix.buildCores = config.nix.maxJobs;
diff --git a/roles/workstation.nix b/roles/workstation.nix
index 223b2c5..052676d 100644
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
@@ -9,7 +9,6 @@
 drivers = [ pkgs.gutenprint ];
 };
 environment.systemPackages = [pkgs.ghostscript pkgs.yubikey-manager];
- nix.gc.automatic = pkgs.lib.mkOverride 30 false;
 #services.xserver.displayManager.sessionCommands = ''
 # gpg-connect-agent /bye
 # unset SSH_AGENT_PID
From 5a5a234fd9b0501189695af7aea98a1ec1dbd111 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt Date: Fri, 25 May 2018 00:27:43 +0200 Subject: [PATCH 117/172] update pennyworth, move git --- conf | 2 +- logical/pennyworth.nix | 38 +++++++++++++++++++++++++++++++++- packages/default.nix | 12 +++++++++++- servers.json | 2 +- 4 files changed, 50 insertions(+), 4 deletions(-)
diff --git a/conf b/conf
index 333177e..e907540 100755
--- a/conf
+++ b/conf
@@ -12,7 +12,7 @@ function get_channel {
 echo "nixpkgs=https://github.com/NixOS/nixpkgs/archive/master.tar.gz"
 ;;
 stable)
- echo "nixpkgs=https://nixos.org/channels/nixos-17.03/nixexprs.tar.xz"
+ echo "nixpkgs=https://nixos.org/channels/nixos-18.03/nixexprs.tar.xz"
 ;;
 checkout)
 echo "nixpkgs=$PWD/../nixpkgs"
diff --git a/logical/pennyworth.nix b/logical/pennyworth.nix
index 26a5996..1605c7f 100644
--- a/logical/pennyworth.nix
+++ b/logical/pennyworth.nix
@@ -27,7 +27,7 @@
 };
 };
 xmpp = {
- enable = true;
+ enable = false;
 vhost = "yori.cc";
 admins = [ "yorick@yori.cc" ];
 };
@@ -51,5 +51,41 @@
 private_key = "/root/keys/http.muflax.key";
 };
 };
+ users.extraUsers.git = {
+ createHome = true;
+ home = config.services.gitea.stateDir; extraGroups = [ "git" ]; useDefaultShell = true;};
+ services.gitea = {
+ enable = true;
+ user = "git";
+ database.user = "root";
+ database.name = "gogs";
+ #dump.enable = true; TODO: backups
+ domain = "git.yori.cc";
+ rootUrl = "https://git.yori.cc/";
+ httpAddress = "localhost";
+ cookieSecure = true;
+ extraConfig = ''
+ [service]
+ REGISTER_EMAIL_CONFIRM = false
+ ENABLE_NOTIFY_MAIL = false
+ DISABLE_REGISTRATION = true
+ REQUIRE_SIGNIN_VIEW = false
+ [picture]
+ DISABLE_GRAVATAR = false
+ [mailer]
+ ENABLED = false
+ AVATAR_UPLOAD_PATH = ${config.services.gitea.stateDir}/data/avatars
+ '';
+ };
+ services.nginx.virtualHosts."git.yori.cc" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.gitea.httpPort}";
+ extraConfig = ''
+ proxy_buffering off;
+ '';
+ };
+ };
 deployment.keyys = [ ];
 }
diff --git a/packages/default.nix b/packages/default.nix
index 0da4db9..a1cd4d9 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -3,5 +3,15 @@
 shallot = super.callPackage ./shallot.nix {};
 yori-cc = super.callPackage ./yori-cc.nix {};
 firmware_qca6174 = super.callPackage ./firmware_qca6174.nix {};
-
+ gitea =
+ super.gitea.overrideDerivation (o: rec {
+ version = "1.4.1";
+ name = "gitea-${version}";
+ src = self.fetchFromGitHub {
+ owner = "go-gitea";
+ repo = "gitea";
+ rev = "v${version}";
+ sha256 = "1mid67c4021m7mi4ablx1w5v43831gzn8xpg8n30a4zmr70781wm";
+ };
+ });
 })]
diff --git a/servers.json b/servers.json
index 8cbf7f5..41dbce8 100644
--- a/servers.json
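Review bot: `AVATAR_UPLOAD_PATH = ${config.services.gitea.stateDir}/data/avatars` sits under the `[mailer]` section, where gitea ignores it; it belongs in `[picture]`, next to `DISABLE_GRAVATAR`. `database.user = "root"` and `database.name = "gogs"` are set without a `database.type`: if the module's default is sqlite these are dead settings and should go, and if a real database server is meant, gitea should not connect as its superuser — either way a comment is needed. The `git` user is given `useDefaultShell = true` and `extraGroups = [ "git" ]`, which assumes a `git` group exists; it is not defined in this hunk, so confirm the module or another file creates it.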
+++ b/servers.json
@@ -1,6 +1,6 @@
 {
 "pennyworth": {
- "pkgs": "channel",
+ "pkgs": "stable",
 "host": "pennyworth.yori.cc"
 },
 "jarvis": {
From e6419467f96ab0385288ddc931eb3e2933c2d846 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt Date: Tue, 20 Nov 2018 21:47:45 +0100 Subject: [PATCH 118/172] update for new usecase --- logical/ascanius.nix | 17 +++++++++++++++-- roles/default.nix | 1 - servers.json | 2 +- 3 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/logical/ascanius.nix b/logical/ascanius.nix
index 295532e..3d24c05 100644
--- a/logical/ascanius.nix
+++ b/logical/ascanius.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ lib, config, pkgs, ... }:
 {
 imports =
@@ -8,5 +8,18 @@ system.stateVersion = "17.09";
-
+ nix = {
+ binaryCaches = [
+ "https://cache.nixos.org"
+ "https://disciplina.cachix.org"
+ ];
+ binaryCachePublicKeys = [
+ "serokell:ic/49yTkeFIk4EBX1CZ/Wlt5fQfV7yCifaJyoM+S3Ss="
+ "disciplina.cachix.org-1:zDeIFV5cu22v04EUuRITz/rYxpBCGKY82x0mIyEYjxE="
+ ];
+ };
+ users.users.lars = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBze0fBV/Fpz9bz1WKkbPlj8h526ZfduOcQVlA+7j0+yzlT+jX6nLNjXNmIi6JZoERj8lG4/avkagldj+wwqWrKM2xOMgIUx34i+br5+U4Y7DedljfPV9k8eE55SI4BjfO697V7BhHP4eooRUjNVmqSmRAld06hJzMj7irGWHK+RPrK0M1BvGgSV5pL50jzQGd2unxvNuxSk1rWBNfNEGt6ok0G8/ud0Gw5QbcYWzbbnKBB8JsgBct22txtcgVbRyqftD+vpFl0Oyq4tiQbSHqa8qpFyV/wTf4Cs1Zz7WrqH+2xfx+oUsCOfMKuvCI8FKtriAWEmfOM42bBi50v2kj" ];
+ };
 }
diff --git a/roles/default.nix b/roles/default.nix
index 576ce6f..6951e52 100644
--- a/roles/default.nix
+++ b/roles/default.nix
@@ -115,7 +115,6 @@ in
 lftp wget rsync
 git
- nix-repl
 rxvt_unicode.terminfo
 ];
 nix.gc.automatic = true;
diff --git a/servers.json b/servers.json
index 41dbce8..7b94c9e 100644
--- a/servers.json
+++ b/servers.json
@@ -9,7 +9,7 @@
 },
 "ascanius": {
 "pkgs": "channel",
- "host": "192.168.1.6"
+ "host": "localhost"
 },
 "woodhouse": {
 "pkgs": "channel",
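Review bot: `binaryCachePublicKeys` trusts the `serokell:` signing key on this host although no serokell substituter is configured in this file (only cache.nixos.org and disciplina.cachix.org are); `trusted-public-keys` is host-global, so a key listed here can vouch for any store path regardless of which cache served it, and it should only appear next to the cache it signs for. Either add the serokell cache back or drop the key, and annotate the remaining one, e.g. `# disciplina.cachix.org-1: signing key for the cachix cache above`. `users.users.lars` as a normal user with key-only login is fine; the long `ssh-rsa` literal would be easier to review if it lived in `sshkeys.nix` like the existing keys.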
From 17cb322d241192b983595b137d276d9d76990e05 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 20 Nov 2018 22:26:42 +0100 Subject: [PATCH 119/172] enable ipv6 everywhere, unify nix cache config --- logical/ascanius.nix | 8 +++----- logical/jarvis.nix | 2 -- logical/pennyworth.nix | 2 -- physical/nixos-hardware.nix | 4 ++++ physical/xps9360-hardware-config.nix | 30 ++++++++++++++++++++++++++++ roles/default.nix | 11 +--------- roles/server.nix | 1 + roles/workstation.nix | 13 ++++++++---- 8 files changed, 48 insertions(+), 23 deletions(-) create mode 100644 physical/nixos-hardware.nix create mode 100644 physical/xps9360-hardware-config.nix diff --git a/logical/ascanius.nix b/logical/ascanius.nix index 3d24c05..c7f5c52 100644 --- a/logical/ascanius.nix +++ b/logical/ascanius.nix @@ -13,13 +13,11 @@ "https://cache.nixos.org" "https://disciplina.cachix.org" ]; - binaryCachePublicKeys = [ - "serokell:ic/49yTkeFIk4EBX1CZ/Wlt5fQfV7yCifaJyoM+S3Ss=" - "disciplina.cachix.org-1:zDeIFV5cu22v04EUuRITz/rYxpBCGKY82x0mIyEYjxE=" - ]; }; users.users.lars = { isNormalUser = true; - openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBze0fBV/Fpz9bz1WKkbPlj8h526ZfduOcQVlA+7j0+yzlT+jX6nLNjXNmIi6JZoERj8lG4/avkagldj+wwqWrKM2xOMgIUx34i+br5+U4Y7DedljfPV9k8eE55SI4BjfO697V7BhHP4eooRUjNVmqSmRAld06hJzMj7irGWHK+RPrK0M1BvGgSV5pL50jzQGd2unxvNuxSk1rWBNfNEGt6ok0G8/ud0Gw5QbcYWzbbnKBB8JsgBct22txtcgVbRyqftD+vpFl0Oyq4tiQbSHqa8qpFyV/wTf4Cs1Zz7WrqH+2xfx+oUsCOfMKuvCI8FKtriAWEmfOM42bBi50v2kj" ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBze0fBV/Fpz9bz1WKkbPlj8h526ZfduOcQVlA+7j0+yzlT+jX6nLNjXNmIi6JZoERj8lG4/avkagldj+wwqWrKM2xOMgIUx34i+br5+U4Y7DedljfPV9k8eE55SI4BjfO697V7BhHP4eooRUjNVmqSmRAld06hJzMj7irGWHK+RPrK0M1BvGgSV5pL50jzQGd2unxvNuxSk1rWBNfNEGt6ok0G8/ud0Gw5QbcYWzbbnKBB8JsgBct22txtcgVbRyqftD+vpFl0Oyq4tiQbSHqa8qpFyV/wTf4Cs1Zz7WrqH+2xfx+oUsCOfMKuvCI8FKtriAWEmfOM42bBi50v2kj" + ]; }; } 
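Review bot: This hunk removes `binaryCachePublicKeys` from ascanius while `https://disciplina.cachix.org` stays in `binaryCaches`; unless a role that ascanius imports now declares the `disciplina.cachix.org-1` key (the commit title says the cache config was unified, and the workstation role in this same patch does add the key), Nix will treat paths from that cache as unsigned and silently fall back to local builds. The imports of this file are outside the hunk, so which role applies cannot be confirmed from here. If the cache list is meant to live in the role as well, the remaining `binaryCaches` entry here could move with it.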
diff --git a/logical/jarvis.nix b/logical/jarvis.nix index 68fa02f..7bcd0c7 100644 --- a/logical/jarvis.nix +++ b/logical/jarvis.nix @@ -8,8 +8,6 @@ system.stateVersion = "17.09"; - #networking.enableIPv6 = lib.mkOverride 30 true; - services.xserver.displayManager.sessionCommands = '' ${pkgs.xorg.xrandr}/bin/xrandr --dpi 192 diff --git a/logical/pennyworth.nix b/logical/pennyworth.nix index 1605c7f..718f8fb 100644 --- a/logical/pennyworth.nix +++ b/logical/pennyworth.nix @@ -11,8 +11,6 @@ ../modules/muflax-blog.nix ]; - networking.enableIPv6 = lib.mkOverride 30 true; - system.stateVersion = "16.03"; services.nginx.enable = true; diff --git a/physical/nixos-hardware.nix b/physical/nixos-hardware.nix new file mode 100644 index 0000000..bb469e6 --- /dev/null +++ b/physical/nixos-hardware.nix @@ -0,0 +1,4 @@ +builtins.fetchTarball { + url = "https://github.com/NixOS/nixos-hardware/archive/d534770be7f699b3332ef09bd043745a38d115ad.tar.gz"; + sha256 = "0h4xzs0bp0v01rzqm023ia2rgmcxv32jdiinp7ylxxh384vf5h0h"; +} diff --git a/physical/xps9360-hardware-config.nix b/physical/xps9360-hardware-config.nix new file mode 100644 index 0000000..87673e6 --- /dev/null +++ b/physical/xps9360-hardware-config.nix 
@@ -0,0 +1,30 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "rtsx_pci_sdmmc" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/a751e4ea-f1aa-48e1-9cbe-423878e29b62"; + fsType = "btrfs"; + }; + + boot.initrd.luks.devices."nix-crypt".device = "/dev/disk/by-uuid/320ef81d-283f-4916-ac26-ecfb0f31e549"; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/0E07-7805"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/d9c4c15b-0e9c-47f6-8675-93b1b8de5f9d"; } + ]; + + nix.maxJobs = lib.mkDefault 4; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; +} diff --git a/roles/default.nix b/roles/default.nix index 6951e52..d104423 100644 --- a/roles/default.nix +++ b/roles/default.nix @@ -21,15 +21,6 @@ in }; services.timesyncd.enable = true; - services.fail2ban.enable = true; - # ban repeat offenders longer - services.fail2ban.jails.recidive = '' - filter = recidive - action = iptables-allports[name=recidive] - maxretry = 5 - bantime = 604800 ; 1 week - findtime = 86400 ; 1 day - ''; users.extraUsers.yorick = { isNormalUser = true; uid = 1000; @@ -50,7 +41,7 @@ in ''; # Networking - networking.enableIPv6 = false; + networking.enableIPv6 = true; services.openssh = { enable = true; diff --git a/roles/server.nix b/roles/server.nix index 07c8ef4..b8fe7f3 100644 --- a/roles/server.nix +++ b/roles/server.nix @@ -2,6 +2,7 @@ imports = [ ]; services.nixosManual.enable = false; + services.sshguard.enable = true; environment.noXlibs = true; networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers diff --git a/roles/workstation.nix b/roles/workstation.nix index 052676d..2258666 100644 
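Review bot: fail2ban, including the week-long `recidive` jail, is removed from the shared default role here, while the replacement `services.sshguard.enable = true;` in the `roles/server.nix` hunk on this same line lands only in the server role; the default role still enables `services.openssh` (context further down this line), so every host that does not import `roles/server.nix` keeps an open SSH listener with no brute-force throttling. If that is intended for workstations behind a NAT, a comment saying so would help: `# brute-force protection (sshguard) lives in roles/server.nix; workstations rely on the LAN firewall`. Otherwise moving the sshguard line into this role restores the previous coverage. Note that sshguard's defaults also do not reproduce the long repeat-offender ban the removed jail provided.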
--- a/roles/workstation.nix +++ b/roles/workstation.nix @@ -26,15 +26,20 @@ "https://cache.nixos.org" ]; trustedBinaryCaches = config.nix.binaryCaches ++ [ - "https://builder.serokell.io" + "ssh://yorick@jupiter.serokell.io" + "ssh-ng://jupiter" "https://cache.lumi.guide" + "https://serokell.cachix.org" ]; binaryCachePublicKeys = [ "serokell:ic/49yTkeFIk4EBX1CZ/Wlt5fQfV7yCifaJyoM+S3Ss=" + "serokell-1:aIojg2Vxgv7MkzPJoftOO/I8HKX622sT+c0fjnZBLj0=" "cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE=" + "serokell.cachix.org-1:5DscEJD6c1dD1Mc/phTIbs13+iW22AVbx0HqiSb+Lq8=" + "disciplina.cachix.org-1:zDeIFV5cu22v04EUuRITz/rYxpBCGKY82x0mIyEYjxE=" ]; - #extraOptions = '' - # netrc-file = ${nixnetrc} - #''; + extraOptions = '' + netrc-file = ${nixnetrc} + ''; }; } From 3e4aecccd5defb0dd4f819daa5d1ef0595dcfc37 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 20 Nov 2018 22:28:02 +0100 Subject: [PATCH 120/172] xps9360: move hw config to nixos-hardware --- packages/default.nix | 1 - physical/xps9360.nix | 55 ++++++++++++++------------------------------ 2 files changed, 17 insertions(+), 39 deletions(-) diff --git a/packages/default.nix b/packages/default.nix index a1cd4d9..bd801f7 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -2,7 +2,6 @@ gogitget = super.callPackage ./gogitget.nix {}; shallot = super.callPackage ./shallot.nix {}; yori-cc = super.callPackage ./yori-cc.nix {}; - firmware_qca6174 = super.callPackage ./firmware_qca6174.nix {}; gitea = super.gitea.overrideDerivation (o: rec { version = "1.4.1"; diff --git a/physical/xps9360.nix b/physical/xps9360.nix index b032a43..af37c73 100644 --- a/physical/xps9360.nix +++ b/physical/xps9360.nix 
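Review bot: The `netrc-file = ${nixnetrc}` line is uncommented, but nothing in this hunk binds `nixnetrc`; unless a `let` above the hunk defines it, evaluating this module fails with an undefined variable (the enclosing `nix = {` block starts outside the hunk). If it is bound, a netrc holding cache credentials must not be produced with `pkgs.writeText`, since that places the secret in the world-readable Nix store; point the option at a root-owned file outside the store instead. Adding `ssh://yorick@jupiter.serokell.io` and `ssh-ng://jupiter` to `trustedBinaryCaches` also makes those hosts' stores a source of binaries for this machine, which deserves a one-line comment on why they are trusted.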
@@ -1,49 +1,28 @@ { config, lib, pkgs, ... }: { imports = [ - ./. + "${import ./nixos-hardware.nix}/dell/xps/13-9360" + ./xps9360-hardware-config.nix ]; - hardware.yorick = { cpu = "intel"; gpu = "intel"; laptop = true; }; - hardware.enableRedistributableFirmware = true; # needed? + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.kernelParams = [ "i915.enable_psr=0" ]; + fileSystems."/".options = ["defaults" "relatime" "discard"]; + boot.initrd.luks.devices."nix-crypt".allowDiscards = true; - boot = { - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - kernelPackages = pkgs.linuxPackages_latest; - }; + # intel huc, guc. qca6174 (older firmware) + hardware.enableRedistributableFirmware = true; - boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - boot.blacklistedKernelModules = ["psmouse"]; + # hardware is thermal-limited + services.thermald.enable = lib.mkDefault true; + services.xserver.libinput.enable = true; - fileSystems."/" = - { device = "/dev/disk/by-uuid/a751e4ea-f1aa-48e1-9cbe-423878e29b62"; - fsType = "btrfs"; - options = ["defaults" "relatime" "discard"]; - }; - - boot.initrd.luks.devices."nix-crypt" = { - device = "/dev/disk/by-uuid/320ef81d-283f-4916-ac26-ecfb0f31e549"; - allowDiscards = true; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/0E07-7805"; - fsType = "vfat"; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/d9c4c15b-0e9c-47f6-8675-93b1b8de5f9d"; } - ]; - - nix.maxJobs = lib.mkDefault 4; - - # bigger console font - i18n.consoleFont = "latarcyrheb-sun32"; - - hardware.firmware = lib.mkBefore [ pkgs.firmware_qca6174 ]; + networking.wireless.enable = true; + hardware.bluetooth.enable = true; + # gotta go faster + networking.dhcpcd.extraConfig = '' + noarp + ''; } From 29e637daa3f6730896c81593a71d449ea4da9300 Mon Sep 17 00:00:00 2001 
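Review bot: `boot.initrd.luks.devices."nix-crypt".allowDiscards = true;` is added without a comment; passing TRIM through LUKS reveals which blocks are unused, and with it filesystem layout and usage patterns, to anyone who images the disk, a documented trade-off worth stating next to the line: `# TRIM through LUKS: leaks free-space layout to a disk image; accepted for SSD health`. The hunk also deletes the `boot.loader` block (systemd-boot, `efi.canTouchEfiVariables`) and the `psmouse` blacklist; unless the imported nixos-hardware profile or a role sets the loader, this host ends up with no boot loader configured, which would only surface on the next rebuild. `noarp` in the dhcpcd snippet additionally disables address-conflict detection on the LAN, fine as a speed choice but worth a word in the `gotta go faster` comment.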
From: Yorick van Pelt Date: Tue, 20 Nov 2018 22:28:58 +0100 Subject: [PATCH 121/172] move pub.yori.cc to pennyworth --- logical/pennyworth.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/logical/pennyworth.nix b/logical/pennyworth.nix index 718f8fb..582ce7b 100644 --- a/logical/pennyworth.nix +++ b/logical/pennyworth.nix @@ -15,6 +15,7 @@ services.nginx.enable = true; services.yorick = { + public = { enable = true; vhost = "pub.yori.cc"; }; website = { enable = true; vhost = "yorickvanpelt.nl"; }; mail = { enable = true; From 9b48ce871cf935a31a8dc588527cd0f3031885e1 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 20 Nov 2018 22:29:47 +0100 Subject: [PATCH 122/172] woodhouse: disable mounts, add tv user --- logical/woodhouse.nix | 14 ++++++++++---- physical/nuc.nix | 2 +- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/logical/woodhouse.nix b/logical/woodhouse.nix index 9195169..487c461 100644 --- a/logical/woodhouse.nix +++ b/logical/woodhouse.nix @@ -23,11 +23,17 @@ in # fuse mounts system.fsPackages = [ pkgs.sshfsFuse ]; - fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" []; - fileSystems."/mnt/oxygen" = mkFuseMount "yorick@oxygen.obfusk.ch:" []; - fileSystems."/mnt/nyamsas" = mkFuseMount "yorick@nyamsas.quezacotl.nl:" ["port=1337"]; + + #fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" []; + #fileSystems."/mnt/oxygen" = mkFuseMount "yorick@oxygen.obfusk.ch:" []; + #fileSystems."/mnt/nyamsas" = mkFuseMount "yorick@nyamsas.quezacotl.nl:" ["port=1337"]; # kodi ports networking.firewall.allowedTCPPorts = [7 8080 9090 9777]; - + users.users.tv = { + isNormalUser = true; + uid = 1043; + extraGroups = [ "wheel" ]; + hashedPassword = "$6$hD4ESAGS8O1d$yctx6spOPZ0nt/6cgYpsWZ86UoXw3ISRpf2gbdhbl8JgDz6Psjx6JCqJ9NsMi5BHnXlgRRK/z2SVrTjHEsqQR."; + }; } diff --git a/physical/nuc.nix b/physical/nuc.nix index 186a11e..b447144 100644 --- a/physical/nuc.nix 
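Review bot: The new `tv` account is created with `extraGroups = [ "wheel" ]`, which makes a presumably shared media-box login sudo-capable; a user that only needs to drive kodi should hold no admin group, so the line can simply become `extraGroups = [ ];`. The SHA-512 crypt hash in the repository is not a plaintext secret, but anyone with repo access can run offline guesses against it, so the password strength matters more than usual here. If wheel is needed for something specific, a comment saying what would make the grant reviewable.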
+++ b/physical/nuc.nix @@ -33,7 +33,7 @@ nix.maxJobs = lib.mkDefault 4; services.xserver.videoDrivers = ["intel"]; - + networking.wireless.enable = true; environment.systemPackages = with pkgs; [ btrfs-progs ]; From b2aa339593bff3851985d38a64910bc9370117dc Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 20 Nov 2018 22:30:30 +0100 Subject: [PATCH 123/172] add config for japanese typing, wireshark, bluetooth headphones --- roles/workstation.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/roles/workstation.nix b/roles/workstation.nix index 2258666..e0cd4e1 100644 --- a/roles/workstation.nix +++ b/roles/workstation.nix @@ -3,7 +3,7 @@ imports = [ ]; - users.extraUsers.yorick.extraGroups = ["input"]; + users.extraUsers.yorick.extraGroups = [ "input" "wireshark" ]; services.printing = { enable = true; drivers = [ pkgs.gutenprint ]; @@ -19,7 +19,17 @@ # yubikey hardware.u2f.enable = true; services.pcscd.enable = true; + sound.enable = true; #environment.systemPackages = [pkgs.yubikey-manager]; + fonts.fonts = [ pkgs.emojione ]; + # bluetooth headphones + hardware.pulseaudio.package = pkgs.pulseaudioFull; + # japanese typing + i18n.inputMethod = { + enabled = "fcitx"; + fcitx.engines = with pkgs.fcitx-engines; [ mozc ]; + }; + programs.wireshark.enable = true; nix = { gc.automatic = pkgs.lib.mkOverride 30 false; binaryCaches = [ From 6922a4e3a056990ecc4c70c82411eba06a53fb51 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 20 Nov 2018 22:31:05 +0100 Subject: [PATCH 124/172] stop running tor everywhere --- modules/muflax-blog.nix | 1 + roles/default.nix | 18 ------------------ 2 files changed, 1 insertion(+), 18 deletions(-) diff --git a/modules/muflax-blog.nix b/modules/muflax-blog.nix index 5bfd51c..f303c3a 100644 --- a/modules/muflax-blog.nix +++ b/modules/muflax-blog.nix 
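Review bot: Adding `yorick` to the `wireshark` group together with `programs.wireshark.enable = true;` grants that account raw packet capture on every interface through the capability wrapper the NixOS module installs for that group; the combination is intentional but reads as two unrelated lines ten lines apart. A comment at the group line, `# "wireshark": capture rights via the dumpcap wrapper`, ties them together for the next reader. The `nix = {` block at the end of the second hunk starts inside it and continues outside.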
@@ -49,6 +49,7 @@ in with lib; { } '') ["daily" "gospel" "blog"]); }; + services.tor.enable = true; services.tor.hiddenServices.muflax-blog.map = [{ port = 80; toPort = cfg.web-server.port; }]; services.tor.service-keys.muflax-blog = cfg.hidden-service.private_key; diff --git a/roles/default.nix b/roles/default.nix index d104423..8dd936b 100644 --- a/roles/default.nix +++ b/roles/default.nix @@ -49,24 +49,6 @@ in challengeResponseAuthentication = false; }; - services.tor = { - enable = true; - client.enable = true; - # ssh hidden service - hiddenServices.ssh.map = [{ port = 22; }]; - service-keys.ssh = "/root/keys/ssh.${machine}.key"; - }; - deployment.keyys = [ ( + "/ssh.${machine}.key") ]; - - programs.ssh.extraConfig = '' - Host *.onion - ProxyCommand nc -xlocalhost:9050 -X5 %h %p - '' + - (with lib; (flip concatMapStrings) (filter (hasPrefix "ssh.") (attrNames secrets.tor_hostnames)) (name: '' - Host ${removePrefix "ssh." name}.onion - hostname ${secrets.tor_hostnames.${name}} - '' - )); environment.systemPackages = with pkgs; [ # v important. From 2cadffe7300a970630729c81f4aea30db2af0d48 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 20 Nov 2018 22:39:16 +0100 Subject: [PATCH 125/172] add lumi cache example --- roles/workstation.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/workstation.nix b/roles/workstation.nix index e0cd4e1..4d26be7 100644 --- a/roles/workstation.nix +++ b/roles/workstation.nix @@ -1,4 +1,11 @@ { config, lib, pkgs, ... }: +let + nixnetrc = pkgs.writeText "netrc" '' + machine cache.lumi.guide + login lumi + password aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= + ''; +in { imports = [ From d09ae68cdf62144cf497a565c9150264675bdc7d Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 20 Nov 2018 22:39:49 +0100 Subject: [PATCH 126/172] remove lumi cache example --- roles/workstation.nix | 11 ----------- 1 file changed, 11 deletions(-) 
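Review bot: The netrc is built with `pkgs.writeText`, so its `login`/`password` lines end up in `/nix/store`, which is world-readable on the machine and is copied to any cache or remote builder that receives the closure; the same lines are also committed to the repository in clear. Even for an example (the next commit removes it again), the pattern to demonstrate is a root-readable file outside the store, e.g. `netrc-file = /etc/nix/netrc` provisioned out of band, so that anyone copying the snippet does not leak a real cache credential.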
diff --git a/roles/workstation.nix b/roles/workstation.nix index 4d26be7..e2b32eb 100644 --- a/roles/workstation.nix +++ b/roles/workstation.nix @@ -1,11 +1,4 @@ { config, lib, pkgs, ... }: -let - nixnetrc = pkgs.writeText "netrc" '' - machine cache.lumi.guide - login lumi - password aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= - ''; -in { imports = [ @@ -45,7 +38,6 @@ in trustedBinaryCaches = config.nix.binaryCaches ++ [ "ssh://yorick@jupiter.serokell.io" "ssh-ng://jupiter" - "https://cache.lumi.guide" "https://serokell.cachix.org" ]; binaryCachePublicKeys = [ @@ -55,8 +47,5 @@ in "serokell.cachix.org-1:5DscEJD6c1dD1Mc/phTIbs13+iW22AVbx0HqiSb+Lq8=" "disciplina.cachix.org-1:zDeIFV5cu22v04EUuRITz/rYxpBCGKY82x0mIyEYjxE=" ]; - extraOptions = '' - netrc-file = ${nixnetrc} - ''; }; } From 7f8ba9ae559eba9ca8b2b2de69577876435943ed Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 20 Nov 2018 22:40:13 +0100 Subject: [PATCH 127/172] update for local environment --- conf | 2 +- logical/jarvis.nix | 1 - roles/default.nix | 1 - servers.json | 6 +++--- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/conf b/conf index e907540..8d8301a 100755 --- a/conf +++ b/conf @@ -15,7 +15,7 @@ function get_channel { echo "nixpkgs=https://nixos.org/channels/nixos-18.03/nixexprs.tar.xz" ;; checkout) - echo "nixpkgs=$PWD/../nixpkgs" + echo "nixpkgs=$PWD/../projects/nixpkgs" ;; channel) echo "/nix/var/nix/profiles/per-user/root/channels/nixos" diff --git a/logical/jarvis.nix b/logical/jarvis.nix index 7bcd0c7..2f715be 100644 --- a/logical/jarvis.nix +++ b/logical/jarvis.nix @@ -12,5 +12,4 @@ services.xserver.displayManager.sessionCommands = '' ${pkgs.xorg.xrandr}/bin/xrandr --dpi 192 ''; - virtualisation.virtualbox.host.enable = pkgs.lib.mkOverride 30 false; } diff --git a/roles/default.nix b/roles/default.nix index 8dd936b..2ef35bc 100644 --- a/roles/default.nix +++ b/roles/default.nix 
@@ -31,7 +31,6 @@ in # Nix nixpkgs.config.allowUnfree = true; - nix.package = pkgs.nixUnstable; nixpkgs.overlays = import ../packages; nix.buildCores = config.nix.maxJobs; diff --git a/servers.json b/servers.json index 7b94c9e..4bfcb6d 100644 --- a/servers.json +++ b/servers.json @@ -4,16 +4,16 @@ "host": "pennyworth.yori.cc" }, "jarvis": { - "pkgs": "channel", + "pkgs": "checkout", "host": "localhost" }, "ascanius": { "pkgs": "channel", - "host": "localhost" + "host": "ascanius.home.yori.cc" }, "woodhouse": { "pkgs": "channel", - "host": "192.168.1.9" + "host": "woodhouse.home.yori.cc" }, "frumar": { "pkgs": "channel", From 676ad945e5774df4301a808be789816d69a51e82 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 20 Nov 2018 22:45:29 +0100 Subject: [PATCH 128/172] update local host name --- servers.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/servers.json b/servers.json index 4bfcb6d..fc44136 100644 --- a/servers.json +++ b/servers.json @@ -4,8 +4,8 @@ "host": "pennyworth.yori.cc" }, "jarvis": { - "pkgs": "checkout", - "host": "localhost" + "pkgs": "channel", + "host": "jarvis.home.yori.cc" }, "ascanius": { "pkgs": "channel", From 47c8bd6fb0f91dc03ac2353aa6388604d2eca476 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 20 Nov 2018 22:48:01 +0100 Subject: [PATCH 129/172] rm allow-unsafe-native-code-during-evaluation --- roles/default.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/default.nix b/roles/default.nix index 2ef35bc..bd51fce 100644 --- a/roles/default.nix +++ b/roles/default.nix @@ -35,10 +35,6 @@ in nix.buildCores = config.nix.maxJobs; - nix.extraOptions = '' - allow-unsafe-native-code-during-evaluation = true - ''; - # Networking networking.enableIPv6 = true; From 4751d60fe499e1c78e769a1a249ffe3adf5fb19d Mon Sep 17 00:00:00 2001 
From: Yorick van Pelt Date: Thu, 21 May 2020 17:39:38 +0200 Subject: [PATCH 130/172] initial commit --- conf | 65 +++--- deploy/nix_cloc | 5 - deploy_key | Bin 1701 -> 0 bytes keys/wg.ascanius.key | Bin 0 -> 67 bytes keys/wg.blackadder.key | Bin 0 -> 67 bytes keys/wg.frumar.key | Bin 0 -> 67 bytes keys/wg.jarvis.key | Bin 0 -> 67 bytes keys/wg.pennyworth.key | Bin 0 -> 67 bytes keys/wg.woodhouse.key | Bin 0 -> 67 bytes logical/ascanius.nix | 2 + logical/blackadder.nix | 42 ++++ logical/frumar.nix | 75 ++++++- logical/jarvis.nix | 29 ++- logical/pennyworth.nix | 120 +++++------ logical/woodhouse.nix | 35 +++- modules/backup.nix | 59 ------ modules/mailz.nix | 287 --------------------------- modules/nixos-in-place.nix | 4 +- modules/tor-hidden-service.nix | 2 +- modules/victoriametrics.nix | 49 +++++ nix/sources.json | 38 ++++ nix/sources.nix | 136 +++++++++++++ packages/default.nix | 13 -- packages/firmware_qca6174.nix | 14 -- packages/gogitget.nix | 20 -- packages/shallot.nix | 24 --- packages/yori-cc.nix | 11 +- physical/3950x-hardware-config.nix | 38 ++++ physical/3950x.nix | 22 ++ physical/apu2c4.nix | 22 ++ physical/default.nix | 43 +--- physical/fractal.nix | 31 ++- physical/hetznercloud.nix | 39 ++++ physical/hp8570w.nix | 14 +- physical/kassala.nix | 50 ----- physical/nixos-hardware.nix | 4 - physical/nuc.nix | 39 ++-- physical/xps9360-hardware-config.nix | 2 +- physical/xps9360.nix | 33 ++- roles/default.nix | 59 ++++-- roles/graphical.nix | 80 ++++---- roles/homeserver.nix | 17 ++ roles/server.nix | 7 +- roles/workstation.nix | 51 +++-- secrets.nix | Bin 1612 -> 1721 bytes servers.json | 22 -- servers.nix | 24 +++ services/default.nix | 6 +- services/git.nix | 52 +++++ services/gogs.nix | 4 +- services/mail.nix | 38 ---- services/pub.nix | 2 +- services/website.nix | 4 +- services/xmpp.nix | 4 +- sshkeys.nix | 2 +- vpn.nix | 21 ++ 56 files changed, 921 insertions(+), 839 deletions(-) delete mode 100644 deploy/nix_cloc delete mode 100644 deploy_key create 
mode 100644 keys/wg.ascanius.key create mode 100644 keys/wg.blackadder.key create mode 100644 keys/wg.frumar.key create mode 100644 keys/wg.jarvis.key create mode 100644 keys/wg.pennyworth.key create mode 100644 keys/wg.woodhouse.key create mode 100644 logical/blackadder.nix delete mode 100644 modules/backup.nix delete mode 100644 modules/mailz.nix create mode 100644 modules/victoriametrics.nix create mode 100644 nix/sources.json create mode 100644 nix/sources.nix delete mode 100644 packages/firmware_qca6174.nix delete mode 100644 packages/gogitget.nix delete mode 100644 packages/shallot.nix create mode 100644 physical/3950x-hardware-config.nix create mode 100644 physical/3950x.nix create mode 100644 physical/apu2c4.nix create mode 100644 physical/hetznercloud.nix delete mode 100644 physical/kassala.nix delete mode 100644 physical/nixos-hardware.nix create mode 100644 roles/homeserver.nix delete mode 100644 servers.json create mode 100644 servers.nix create mode 100644 services/git.nix delete mode 100644 services/mail.nix create mode 100644 vpn.nix diff --git a/conf b/conf index 8d8301a..db7410a 100755 --- a/conf +++ b/conf 
@@ -1,63 +1,54 @@ #!/usr/bin/env bash -if ! [ -e deploy_key ] || ! [ -e secrets.nix ] +set -xeuo pipefail +if ! [ -e secrets.nix ] then git crypt unlock - sudo chgrp nixbld deploy_key - chmod 640 deploy_key fi -export NIX_PATH="ssh-id-file=$PWD/deploy_key":secrets=$PWD/secrets.nix:yori-nix=$PWD -function get_channel { - case $1 in - git) - echo "nixpkgs=https://github.com/NixOS/nixpkgs/archive/master.tar.gz" - ;; - stable) - echo "nixpkgs=https://nixos.org/channels/nixos-18.03/nixexprs.tar.xz" - ;; - checkout) - echo "nixpkgs=$PWD/../projects/nixpkgs" - ;; - channel) - echo "/nix/var/nix/profiles/per-user/root/channels/nixos" - ;; - esac -} -case $1 in - cloc) - exec cloc --read-lang-def=deploy/nix_cloc . - ;; +# TODO: remove nixpkgs dependency +export NIX_PATH=yori-nix=$PWD:nixpkgs=channel:nixos-unstable +host=$1 +TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host) +#TARGET_HOST=192.168.178.1 +case $2 in copy-keys) - $0 exec "$2" nix build -f "\\" config.deployment.keys-copy --out-link copy-keys - TARGET_HOST=$(jq -r ".$2.host"" config.deployment.keys-copy --out-link copy-keys ./copy-keys/bin/copy-keys "$TARGET_HOST" # rm ./copy-keys ;; exec) CHANNEL=$(jq -r ".$2.pkgs"" "\\" + exec "$0" exec "$2" nix repl '' '' ;; build) - exec "$0" exec "$2" nixos-rebuild build + nix build -f servers.nix "$host" --show-trace ;; copy) - TARGET_HOST=$(jq -r ".$2.host"v1&&tt7kg^`ra3pLp3w>P7xXDEH+)kV#Y^PH>KifX8dlo~O+>tXE5~ zJiP#SEJQMn3a0~dCa|M1>pJA}&cw6K!Tr;m4g8npK%OEhC0MaJC{ATa3sMM!UpzQe;>40wB zfWlHRL8v1ur1;G((plLnAWkT}CrVpWK4+B?tSei0ea5m=0~#E0YA}I!{crH{@G%Dr z#8MS={ICBv$#0llOpi4!39a1k>U2I(I%Ie$oH$mh5q&Nb*VRu0s4(sXzzpK9jLSCw zj1jfOd9jpMR#Ex-m4s3%fAm}rp?y>dJ^p-gyt`~F`qRS!xnKeyVNgcP3O&`n{pRNHYdjz0BT{X%>SNvLe?w3Zv8f)e# z%ye%y#IhF4Xk7(HfqD)McKZ;8!QoRB9Iv?#k0jh<9yd#MZ*>k*2*o=w9?y%JRaM5b zR*vY~5;afxq}_GLuk^yv7|r5x__6{#-n`I}v5&=_^BHH9E>xn-Pd*au*0DK}O4SC( zCUeI&A$I<<#PdkAGsGLNk#+_{bvXXHCr{cpn9ysR6n zcBcq+7UU7W)RB6r^V1)ihP(=ujnCZMXen(wa!xYnjPO?4yz+lNy}Dh_5)k>A9<;@6 
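Review bot: This hunk is garbled in this rendering (the `copy-keys`/`copy` branches run into binary residue from the deleted `deploy_key`), so only the visible new side is reviewed. `NIX_PATH=...:nixpkgs=channel:nixos-unstable` makes every deploy follow a moving channel, so two runs of `./conf host build` can produce different systems and an upstream change reaches the servers unreviewed; the `TODO: remove nixpkgs dependency` line acknowledges this, and the `nix/sources.json` added in this same commit looks like the intended pin. `TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)` also splices the first CLI argument unquoted into a Nix attribute path; quoting it (`ips."$host"`) and checking `$#` before use under `set -u` gives a clear error instead of a cryptic evaluation failure.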
zK1?xt00lpr-ed!%Ai^rMKee7XKY0cObQA|5vSVKlGlY6xpA&8gZDSa{(eQEii;C~g z1{G~j*XJuqA---`Sz)kQv~<`d+1{@|OrK~DmyXAxV!jaOx$0HyN#om_p6(sBIiQ2wt*vNn}jsvE17<962o_c)agc6L*} z-=yvgpK@1%nlo`z!WC?UlK$&P`82aLIV-dY9ZJq(aFNK0Z_4$xPMOvFvuGpKZAPlj z#4$#+ZA;M(zAU(fFMYEG;Ghy*aaleTGI=*M{e1U+9l>`;L#TFiYdiH3d^H6kFA_|G zvB#o3e=ir(R@T#)t~hsGfRrdscC)iT(4iegW8r0IL;0RFB&!fQMh?hiq@(d>atdSR zxhg_-W0FowF34Ipb(OqVCpl2CAom;8rX;X{)Y{KL*@0!?j?!KYvJjZwQ+AK&8k*r{ z%|9B>(GUq#5NGYOFIPRFPdH_Q7($zzJh*iFE5d$zAHA69{#19{B5vBpzSs-V&-HHz zJzqV%&KnuiJ+trfo00YS7X-yYo~j?Y zORg9l!Rs#t?67+ahYz-njMQlWf-JWS@<2ngDR>t4n#zTu!$tleg`Bv%GREl04V*R`4=Mm*%w<1ooH2edsJ diff --git a/keys/wg.ascanius.key b/keys/wg.ascanius.key new file mode 100644 index 0000000000000000000000000000000000000000..bffe9eb42d9539647491b65bce0ac7b947e7f89b GIT binary patch literal 67 zcmV-J0KESIM@dveQdv+`01REA6VN)!Z93~>4hg_4xHy}4X74ua0a!(*mmmwOmPqNG Z%^LN;Lr(b8i?(E6G4<`A+>xQZ5gv}v9*_V4 literal 0 HcmV?d00001 diff --git a/keys/wg.blackadder.key b/keys/wg.blackadder.key new file mode 100644 index 0000000000000000000000000000000000000000..7465562d73336c326af36381f6bd6328d7ea6e85 GIT binary patch literal 67 zcmV-J0KESIM@dveQdv+`0FeL!6)c}Hxnd4+j=})4&SdvAVnA{j%mRi7-r|676!tSy ZGlJG37Po$J(9JK%d literal 0 HcmV?d00001 diff --git a/keys/wg.pennyworth.key b/keys/wg.pennyworth.key new file mode 100644 index 0000000000000000000000000000000000000000..9eb68a877a7927541f7f1d5e631e001f25ccca80 GIT binary patch literal 67 zcmV-J0KESIM@dveQdv+`0JVwl%%f<$76R^ItX@rl_q#5>ZX|o_{0$Qce&xw@!iOx8 ZNr4Xt(n1w{gdV?<7!cYD$;L|q{HNfQ9ohf@ literal 0 HcmV?d00001 diff --git a/keys/wg.woodhouse.key b/keys/wg.woodhouse.key new file mode 100644 index 0000000000000000000000000000000000000000..91b24e026241ade77b0b5fdc093b73ba3131fc41 GIT binary patch literal 67 zcmV-J0KESIM@dveQdv+`0ONqluL&J6v|);s47K!6P@YHMN*k3c&b{-HSaU8``%|}O ZX=RDZ2QK|~ktt^;cfERePwgp6Y7xO;9YO#A literal 0 HcmV?d00001 diff --git a/logical/ascanius.nix b/logical/ascanius.nix index c7f5c52..66a491e 100644 
--- a/logical/ascanius.nix +++ b/logical/ascanius.nix @@ -13,6 +13,7 @@ "https://cache.nixos.org" "https://disciplina.cachix.org" ]; + trustedUsers = [ "root" "lars" ]; }; users.users.lars = { isNormalUser = true; @@ -20,4 +21,5 @@ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBze0fBV/Fpz9bz1WKkbPlj8h526ZfduOcQVlA+7j0+yzlT+jX6nLNjXNmIi6JZoERj8lG4/avkagldj+wwqWrKM2xOMgIUx34i+br5+U4Y7DedljfPV9k8eE55SI4BjfO697V7BhHP4eooRUjNVmqSmRAld06hJzMj7irGWHK+RPrK0M1BvGgSV5pL50jzQGd2unxvNuxSk1rWBNfNEGt6ok0G8/ud0Gw5QbcYWzbbnKBB8JsgBct22txtcgVbRyqftD+vpFl0Oyq4tiQbSHqa8qpFyV/wTf4Cs1Zz7WrqH+2xfx+oUsCOfMKuvCI8FKtriAWEmfOM42bBi50v2kj" ]; }; + boot.kernelPackages = pkgs.linuxPackages_4_19; } diff --git a/logical/blackadder.nix b/logical/blackadder.nix new file mode 100644 index 0000000..b14c584 --- /dev/null +++ b/logical/blackadder.nix 
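Review bot: `trustedUsers = [ "root" "lars" ];` is effectively a root grant: a Nix trusted user may point the daemon at arbitrary substituters, import unsigned store paths and override sandbox settings, and the Nix manual describes the option as equivalent to giving root access. If lars only needs to use the configured caches, the existing `binaryCaches` list already covers that without trusted-user status; if it is deliberate, record it next to the line: `# NOTE: trusted-users is root-equivalent (unsigned path import, substituter override); lars co-administers this box`. Together with the SSH key in the `lars` block below, these two lines define the account's full privilege.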
@@ -0,0 +1,42 @@ +{ config, pkgs, lib, ... }: +{ + imports = + [ ../physical/3950x.nix + ../roles/workstation.nix + ]; + + nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ]; + system.stateVersion = "19.09"; + + networking.wireguard.interfaces = { + wg-lumi = { + privateKeyFile = "/home/yorick/engineering/lumi/secrets/devel/vpn/wg/workstations.yorick-homepc.key"; + ips = [ "10.109.0.18" ]; + peers = [ { + publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI="; + endpoint = "wg.lumi.guide:31727"; + allowedIPs = [ "10.96.0.0/12" "10.0.12.0/22" "10.0.1.0/26" ]; + }]; + postSetup = "ip link set dev wg-lumi mtu 1408"; + }; + }; + + # development + services.postgresql = { + enable = true; + enableTCPIP = true; + package = pkgs.postgresql_10; + }; + # users.users.pie = { + # isNormalUser = true; + # openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDpj2GrPpXtAp9Is0wDyQNl8EQnBiITkSAjhf7EjIqX" ]; + # }; + # services.nfs.server = { + # enable = true; + # exports = '' + # /export 10.40.0.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash) + # /export/nfs/client1 10.40.0.0/24(insecure,rw,sync,no_subtree_check,crossmnt,all_squash,anonuid=0,anongid=0,no_root_squash) + # /export/nfs/client1/nix 10.40.0.0/24(insecure,ro,sync,no_subtree_check,crossmnt) + # ''; + # }; +} diff --git a/logical/frumar.nix b/logical/frumar.nix index aa6450e..1618dca 100644 --- a/logical/frumar.nix +++ b/logical/frumar.nix 
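Review bot: `nixpkgs.overlays` imports `builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz` with no `sha256` and no pinned revision, so every evaluation pulls whatever is on that branch and gives it full control over this workstation's package set; a compromised or merely broken upstream commit lands on the next rebuild with no integrity check. `physical/nixos-hardware.nix` earlier in this series shows the pattern to follow, a fixed commit archive plus `sha256`, or an entry in the `nix/sources.json` added in this commit. The same unpinned line appears in the `logical/jarvis.nix` hunk below. `services.postgresql.enableTCPIP = true` opens a network listener for a development database; the NixOS firewall should still block it from outside, but a comment confirming that is relied on would help.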
@@ -1,19 +1,74 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { imports = [ - - + ../physical/fractal.nix + ../roles/server.nix + ../roles/homeserver.nix + ../services/torrent-wg.nix ]; - system.stateVersion = "15.09"; + networking.hostId = "0702dbe9"; services.nginx.enable = true; - services.yorick = { - public = { enable = true; vhost = "pub.yori.cc"; }; - gogs = { enable = true; vhost = "git.yori.cc"; }; - quassel.enable = true; + services.nginx.virtualHosts."${config.networking.hostName}" = { + enableACME = lib.mkForce false; + forceSSL = lib.mkForce false; + default = true; + }; + boot.supportedFilesystems = [ "zfs" ]; + services.yorick.torrent-vpn = { + enable = true; name = "mullvad-nl3"; namespace = "torrent"; + }; + services.plex = { + enable = true; + openFirewall = true; + }; + services.victoriametrics = { + enable = true; + retentionPeriod = 12; + }; + services.prometheus = { + enable = true; + extraFlags = [ + "--web.enable-admin-api" + ]; + # victoriametrics + extraConfig.remote_write = [ { url = "http://127.0.0.1:8428/api/v1/write"; } ]; + scrapeConfigs = [ { + job_name = "smartmeter"; + # prometheus doesn't support mdns :thinking_face: + static_configs = [ { targets = [ "192.168.178.30" ]; } ]; + scrape_interval = "10s"; + } { + job_name = "node"; + static_configs = [ { targets = [ "localhost:9100" ]; } ]; + # } { + # job_name = "unifi"; + # static_configs = [ { targets = [ "localhost:9130" ]; } ]; + } { + job_name = "thermometer"; + static_configs = [ { targets = [ "192.168.178.21:8000" ]; } ]; + }]; + exporters.node.enable = true; + # exporters.unifi = { + # enable = true; + # unifiAddress = "https://woodhouse.home.yori.cc:8443"; + # unifiInsecure = true; + # unifiUsername = "ReadOnlyUser"; + # unifiPassword = "ReadOnlyPassword"; + # }; + }; + networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 3000 9090 ]; + networking.firewall.allowedTCPPorts = [ 1883 ]; + networking.firewall.allowedUDPPorts = [ 1883 ]; + services.rabbitmq = { + 
enable = true; + plugins = [ "rabbitmq_mqtt" "rabbitmq_management" ]; + }; + services.grafana = { + enable = true; + addr = "0.0.0.0"; + domain = "grafana.yori.cc"; }; - - } diff --git a/logical/jarvis.nix b/logical/jarvis.nix index 2f715be..08db58b 100644 --- a/logical/jarvis.nix +++ b/logical/jarvis.nix @@ -1,15 +1,30 @@ { config, pkgs, lib, ... }: - { imports = - [ - + [ ../physical/xps9360.nix + ../roles/workstation.nix ]; - + nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ]; system.stateVersion = "17.09"; - services.xserver.displayManager.sessionCommands = '' - ${pkgs.xorg.xrandr}/bin/xrandr --dpi 192 - ''; + networking.wireguard.interfaces = { + wg-lumi = { + privateKeyFile = "/home/yorick/engineering/lumi/secrets/devel/vpn/wg/workstations.yorick.key"; + ips = [ "10.109.0.10" ]; + peers = [ { + publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI="; + endpoint = "wg.lumi.guide:31727"; + allowedIPs = [ "10.96.0.0/12" "10.0.12.0/22" "10.0.1.0/26" ]; + }]; + postSetup = "ip link set dev wg-lumi mtu 1371"; + }; + }; + + # development + services.postgresql = { + enable = true; + enableTCPIP = true; + package = pkgs.postgresql_10; + }; } diff --git a/logical/pennyworth.nix b/logical/pennyworth.nix index 582ce7b..4d3ca4c 100644 --- a/logical/pennyworth.nix +++ b/logical/pennyworth.nix 
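Review bot: `networking.firewall.allowedTCPPorts = [ 1883 ]` (plus a UDP twin that MQTT, a TCP protocol, does not need) opens plaintext MQTT on every interface of the host rather than on `wg-y` alone, while the visible rabbitmq block configures no authentication, TLS or listener binding; if the broker serves LAN sensors, scoping the port to the LAN interface the way 3000/9090 are scoped to `wg-y` limits exposure, and a comment should name the clients that need it. `--web.enable-admin-api` turns on Prometheus' unauthenticated delete/snapshot endpoints on 9090; that port is reachable only over `wg-y`, so any VPN peer can wipe the TSDB, acceptable for a home VPN but worth the comment `# admin API: unauthenticated, VPN peers only`. Grafana binds `addr = "0.0.0.0"` and the hunk sets no `security.adminPassword`; as it is reachable through pennyworth's public `grafana.yori.cc` proxy, confirm the default admin credential was changed out of band.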
@@ -3,42 +3,51 @@ # and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, lib, ... }: - +let + sslforward = proxyPass: { + forceSSL = true; + enableACME = true; + locations."/" = { + inherit proxyPass; + proxyWebsockets = true; + }; + }; + vpn = import ../vpn.nix; +in { imports = [ - - - ../modules/muflax-blog.nix + ../physical/hetznercloud.nix + ../roles/server.nix + (builtins.fetchTarball { + url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.1/nixos-mailserver-v2.2.1.tar.gz"; + sha256 = "03d49v8qnid9g9rha0wg2z6vic06mhp0b049s3whccn1axvs2zzx"; + }) + ../modules/muflax-blog.nix ]; - system.stateVersion = "16.03"; + system.stateVersion = "19.03"; services.nginx.enable = true; services.yorick = { public = { enable = true; vhost = "pub.yori.cc"; }; website = { enable = true; vhost = "yorickvanpelt.nl"; }; - mail = { - enable = true; - mainUser = "yorick"; - users.yorick = { - password = (import ).yorick_mailPassword; - domains = ["yori.cc" "yorickvanpelt.nl"]; + git = { enable = true; vhost = "git.yori.cc"; }; + muflax-church = { enable = true; vhost = "muflax.church"; }; + }; + mailserver = rec { + enable = true; + fqdn = "pennyworth.yori.cc"; + domains = [ "yori.cc" "yorickvanpelt.nl" ]; + loginAccounts = { + "yorick@yori.cc" = { + hashedPassword = (import ../secrets.nix).yorick_mailPassword; + catchAll = domains; + aliases = [ "@yori.cc" "@yorickvanpelt.nl" ]; }; }; - xmpp = { - enable = false; - vhost = "yori.cc"; - admins = [ "yorick@yori.cc" ]; - }; + certificateScheme = 3; + enableImapSsl = true; }; - services.nginx.virtualHosts."yori.cc" = { - enableACME = true; - forceSSL = true; - globalRedirect = "yorickvanpelt.nl"; - }; - - - services.muflax-blog = { enable = true; 
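Review bot: `hashedPassword = (import ../secrets.nix).yorick_mailPassword` is evaluated at build time, so the hash is copied into the generated mail configuration in `/nix/store`, readable by every local user and by any cache the closure is pushed to; if this nixos-mailserver release supports `hashedPasswordFile`, pointing it at a root-only file outside the store keeps the hash off the store (git-crypt on `secrets.nix` protects only the repository). The mailserver import is pinned by tag plus `sha256`, the right shape for a third-party module. `certificateScheme = 3` with `enableImapSsl = true` is consistent with the ACME-fronted vhosts elsewhere in the file; a comment `# scheme 3 = ACME/Let's Encrypt certificates` would save the next reader a trip to the module docs.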
@@ -50,41 +59,36 @@ private_key = "/root/keys/http.muflax.key"; }; }; - users.extraUsers.git = { - createHome = true; - home = config.services.gitea.stateDir; extraGroups = [ "git" ]; useDefaultShell = true;}; - services.gitea = { - enable = true; - user = "git"; - database.user = "root"; - database.name = "gogs"; - #dump.enable = true; TODO: backups - domain = "git.yori.cc"; - rootUrl = "https://git.yori.cc/"; - httpAddress = "localhost"; - cookieSecure = true; - extraConfig = '' - [service] - REGISTER_EMAIL_CONFIRM = false - ENABLE_NOTIFY_MAIL = false - DISABLE_REGISTRATION = true - REQUIRE_SIGNIN_VIEW = false - [picture] - DISABLE_GRAVATAR = false - [mailer] - ENABLED = false - AVATAR_UPLOAD_PATH = ${config.services.gitea.stateDir}/data/avatars + services.nginx.commonHttpConfig = '' + access_log off; + ''; + services.nginx.virtualHosts = { + "yori.cc" = { + enableACME = true; + forceSSL = true; + globalRedirect = "yorickvanpelt.nl"; + }; + "grafana.yori.cc" = sslforward "http://${vpn.ips.frumar}:3000"; + "ubiquiti.yori.cc" = sslforward "https://${vpn.ips.woodhouse}:8443"; + "prometheus.yori.cc" = { + # only over vpn + listen = [ { addr = "10.209.0.1"; port = 80; } ]; + locations."/".proxyPass = "http://10.209.0.3:9090"; + }; + "pub.yori.cc".locations."/muflax/".extraConfig = '' + rewrite ^/muflax/(.*)$ https://alt.muflax.church/$1 permanent; ''; }; - services.nginx.virtualHosts."git.yori.cc" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.gitea.httpPort}"; - extraConfig = '' - proxy_buffering off; - ''; - }; - }; deployment.keyys = [ ]; + networking.firewall.allowedUDPPorts = [ 31790 ]; # wg + networking.wireguard.interfaces.wg-y.peers = + lib.mkForce (lib.mapAttrsToList (machine: publicKey: { + inherit publicKey; + allowedIPs = [ "${vpn.ips.${machine}}/32" ]; + }) vpn.keys); + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + environment.noXlibs = true; + users.users.yorick.packages = with 
pkgs; [ + python2 sshfs-fuse weechat + ]; } diff --git a/logical/woodhouse.nix b/logical/woodhouse.nix index 487c461..262ecee 100644 --- a/logical/woodhouse.nix +++ b/logical/woodhouse.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: let - secrets = import ; + #secrets = import ; mkFuseMount = device: opts: { # todo: "ServerAliveCountMax=3" "ServerAliveInterval=30" 
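Review bot: `services.nginx.commonHttpConfig = '' access_log off; ''` disables request logging for every virtual host, including the public `yori.cc`, `grafana.yori.cc` and `ubiquiti.yori.cc` fronts added in the same hunk, which removes the main evidence source for investigating abuse of those proxies; if disk usage is the concern, scope the directive to the noisy vhost via its `extraConfig` or keep a reduced log format. `boot.kernel.sysctl."net.ipv4.ip_forward" = 1` turns this internet-facing host into a router for the `wg-y` peers; as far as I recall the NixOS firewall module only filters inbound traffic by default, so the forwarding policy between the WireGuard subnet and the public interface should be stated explicitly (presumably in roles/server.nix, which is not in this diff). The `"prometheus.yori.cc"` listener binds `10.209.0.1:80`, an address that only exists once `wg-y` is up, so nginx's start ordering relative to the WireGuard unit is worth confirming.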
@@ -16,24 +16,47 @@ in imports = [ + # ]; - system.stateVersion = "17.09"; + # nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ]; + # system.stateVersion = "17.09"; # fuse mounts system.fsPackages = [ pkgs.sshfsFuse ]; - + # programs.sway = { + # enable = true; + # extraSessionCommands = '' + # export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])} + # ''; + # }; #fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" []; - #fileSystems."/mnt/oxygen" = mkFuseMount "yorick@oxygen.obfusk.ch:" []; - #fileSystems."/mnt/nyamsas" = mkFuseMount "yorick@nyamsas.quezacotl.nl:" ["port=1337"]; + hardware.bluetooth.enable = true; # kodi ports - networking.firewall.allowedTCPPorts = [7 8080 9090 9777]; + networking.firewall.allowedTCPPorts = [7 8080 8443 9090 9777]; users.users.tv = { isNormalUser = true; uid = 1043; extraGroups = [ "wheel" ]; hashedPassword = "$6$hD4ESAGS8O1d$yctx6spOPZ0nt/6cgYpsWZ86UoXw3ISRpf2gbdhbl8JgDz6Psjx6JCqJ9NsMi5BHnXlgRRK/z2SVrTjHEsqQR."; + packages = with pkgs; [ plex-media-player ]; }; + services.xserver.windowManager.i3.enable = true; + networking.useNetworkd = true; + networking.dhcpcd.enable = false; + services.resolved.enable = true; + services.nscd.enable = false; + networking.interfaces.eno1.useDHCP = true; + networking.useDHCP = false; + #services.xserver.enable = lib.mkForce false; + # services.unifi = { + # enable = true; + # unifiPackage = pkgs.unifiStable; + # }; + # todo: debug: + services.resolved.extraConfig = "MulticastDNS=true"; + systemd.network.networks."40-eno1".networkConfig.MulticastDNS="yes"; + services.fstrim.enable = true; } diff --git a/modules/backup.nix b/modules/backup.nix deleted file mode 100644 index 27a221f..0000000 --- a/modules/backup.nix +++ /dev/null 
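Review bot: The changed `networking.firewall.allowedTCPPorts = [7 8080 8443 9090 9777];` now opens 8443 under the `# kodi ports` comment, while the only consumer of that port in the hunk (`services.unifi`) is commented out; an open port with no listener is harmless today, but the comment no longer explains the rule, and when unifi is enabled later the rule should live next to it. Suggest `# kodi ports; 8443 = unifi controller (proxied from pennyworth over wg)` or moving `8443` into the unifi block. `services.nscd.enable = false;` together with `services.resolved.enable = true;` is worth double-checking on this nixpkgs revision: as far as I know, on NixOS nscd is the path through which glibc loads NSS modules such as nss-resolve and nss-mdns, so disabling it may silently break the `MulticastDNS` resolution the last lines of the hunk configure.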
@@ -1,59 +0,0 @@ -{ config, pkgs, lib, ... }: -let -cfg = config.services.backup; -inherit (lib) mkEnableOption mkOption types mkIf -flip mapAttrs' nameValuePair; -in -{ - - options.services.backup = { - enable = mkOption { type = types.bool; default = false; }; - backups = mkOption { - type = types.loaOf types.optionSet; - options = { - dir = mkOption { type = types.str; }; - remote = mkOption { type = types.str; }; - keyfile = mkOption { type = types.str; }; - keyid = mkOption { type = types.str; default = "root"; }; - exclude = mkOption { type = types.str; default = ""; }; - interval = mkOption { type = types.str; default = "weekly"; }; - }; - }; - }; - config = mkIf cfg.enable { - # TODO: generate key in pre-start? - systemd.services = let - sectionToService = name: data: with data; { - description = "Back up ${name}"; - serviceConfig = { - IOSchedulingClass="idle"; - #Type = "oneshot"; - }; - script = '' - source ${keyfile} - ${pkgs.duplicity}/bin/duplicity ${dir} ${remote} \ - --ssl-cacert-file /etc/ssl/certs/ca-bundle.crt \ - --encrypt-key ${keyid} \ - --exclude-filelist ${pkgs.writeText "dupignore" exclude} \ - --asynchronous-upload \ - --volsize 100 \ - --allow-source-mismatch - ''; - after = ["network.target" "network-online.target"]; - wants = ["network-online.target"]; - }; - in flip mapAttrs' cfg.backups (name: data: nameValuePair - ("backup-${name}") - (sectionToService name data)); - systemd.timers = flip mapAttrs' cfg.backups (name: data: nameValuePair - ("backup-${name}") - ({ - description = "Periodically backups ${name}"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = data.interval; - Unit = "backup-${name}.service"; - }; - })); - }; -} diff --git a/modules/mailz.nix b/modules/mailz.nix deleted file mode 100644 index 4bf7169..0000000 --- a/modules/mailz.nix +++ /dev/null 
@@ -1,287 +0,0 @@ -# https://github.com/valeriangalliat/nixos-mailz -# manual actions: -# run sa-update -# configure DNS (dkim at /var/lib/dkim/*/default.txt) -# mkdir /var/empty/.spamassassin -# chown -R spamd /var/empty/.spamassassin -# possibly unneeded: -# chgrp -R vmail /var/spool/mail -# chmod g+rwx /var/spool/mail -# TODO: rspamd? -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.mailz; - - alldomains = lib.concatLists (mapAttrsToList (n: usr: usr.domains) cfg.users); - - files = { - credentials = pkgs.writeText "credentials" - (concatStringsSep "\n" - (flip mapAttrsToList cfg.users - (user: options: "${user} ${options.password}"))); - - # dovecot2 - users = pkgs.writeText "users" - (concatStringsSep "\n" - (flip mapAttrsToList cfg.users - (user: options: "${user}:${options.password}:::::"))); - - domains = pkgs.writeText "domains" - (concatStringsSep "\n" alldomains); - - spamassassinSieve = pkgs.writeText "spamassassin.sieve" '' - require "fileinto"; - if header :contains "X-Spam-Flag" "YES" { - fileinto "Spam"; - } - ''; - - }; - - -in - -{ - options = { - services.mailz = { - domain = mkOption { - default = cfg.networking.hostName; - type = types.str; - description = "Domain for this mail server."; - }; - - user = mkOption { - default = "vmail"; - type = types.str; - }; - - group = mkOption { - default = "vmail"; - type = types.str; - }; - - uid = mkOption { - default = 2000; - type = types.int; - }; - - gid = mkOption { - default = 2000; - type = types.int; - }; - - dkimDirectory = mkOption { - default = "/var/lib/dkim"; - type = types.str; - description = "Where to store DKIM keys."; - }; - - dkimBits = mkOption { - type = types.int; - default = 2048; - description = "Size of the generated DKIM key."; - }; - - mainUser = mkOption { - example = "root"; - type = types.str; - }; - - keydir = mkOption { - type = types.str; - description = "The place to look for the ssl key"; - default = 
"${config.security.acme.directory}/${cfg.domain}"; - }; - - users = mkOption { - default = { }; - type = types.loaOf types.optionSet; - description = '' - Attribute set of users. - ''; - - options = { - password = mkOption { - type = types.str; - description = '' - The user password, generated with - smtpctl encrypt. - ''; - }; - domains = mkOption { - type = types.listOf types.str; - example = ["example.com"]; - }; - - }; - - example = { - "foo" = { - password = "encrypted"; - }; - "bar" = { - password = "encrypted"; - }; - }; - }; - }; - }; - - config = mkIf (cfg.users != { }) { - system.activationScripts.mailz = '' - # Make sure SpamAssassin database is present - #if ! [ -d /etc/spamassassin ]; then - # cp -r ${pkgs.spamassassin}/share/spamassassin /etc - #fi - - # Make sure a DKIM private key exist - if ! [ -d ${cfg.dkimDirectory} ]; then - mkdir -p ${cfg.dkimDirectory} - chmod 700 ${cfg.dkimDirectory} - chown ${config.services.rmilter.user} ${cfg.dkimDirectory} - fi - # Generate missing keys - '' + - (lib.concatMapStringsSep "\n" (domain: '' - if ! 
[ -e ${cfg.dkimDirectory}/${domain}.default.key ]; then - ${pkgs.opendkim}/bin/opendkim-genkey --bits ${toString cfg.dkimBits} --domain ${domain} --directory ${cfg.dkimDirectory} --selector default - mv ${cfg.dkimDirectory}/default.private ${cfg.dkimDirectory}/${domain}.default.key - mv ${cfg.dkimDirectory}/default.txt ${cfg.dkimDirectory}/${domain}.default.txt - chown ${config.services.rmilter.user} ${cfg.dkimDirectory}/${domain}.default.* - fi - '') alldomains); - services.rspamd.enable = true; - services.rmilter = { - enable = true; - socketActivation = false; - #debug = true; - rspamd.enable = true; - postfix.enable = true; - extraConfig = '' - dkim { - domain { - key = ${cfg.dkimDirectory}; - domain = "*"; - selector = "default"; - }; - header_canon = relaxed; - body_canon = relaxed; - sign_alg = sha256; - }; - ''; - }; - - services.postfix = { - enable = true; - destination = alldomains ++ ["$myhostname" "localhost.$mydomain" "$mydomain" "localhost"]; - sslCert = "${cfg.keydir}/fullchain.pem"; - sslKey = "${cfg.keydir}/key.pem"; - postmasterAlias = cfg.mainUser; - enableSubmission = true; - virtual = lib.concatStringsSep "\n" (lib.mapAttrsToList (name: usr: - lib.concatMapStringsSep "\n" (dom: "@${dom} ${name}") usr.domains) cfg.users); - extraConfig = '' - mailbox_transport = lmtp:unix:dovecot-lmtp - ''; - submissionOptions = { - "smtpd_tls_security_level" = "encrypt"; - "smtpd_sasl_auth_enable" = "yes"; - "smtpd_sasl_type" = "dovecot"; - "smtpd_sasl_path" = "/var/lib/postfix/auth"; - "smtpd_client_restrictions" = "permit_sasl_authenticated,reject"; - #"milter_macro_daemon_name" = "ORIGINATING"; - }; - }; - - services.dovecot2 = { - enable = true; - enablePop3 = false; - enableLmtp = true; - mailLocation = "maildir:/var/spool/mail/%n"; - mailUser = cfg.user; - mailGroup = cfg.group; - modules = [ pkgs.dovecot_pigeonhole ]; - sslServerCert = "${cfg.keydir}/fullchain.pem"; - sslServerKey = "${cfg.keydir}/key.pem"; - enablePAM = false; - sieveScripts = { before 
= files.spamassassinSieve; }; - extraConfig = '' - postmaster_address = postmaster@${head alldomains} - - service lmtp { - unix_listener /var/lib/postfix/queue/dovecot-lmtp { - mode = 0660 - user = postfix - group = postfix - } - } - service auth { - unix_listener /var/lib/postfix/auth { - mode = 0660 - # Assuming the default Postfix user and group - user = postfix - group = postfix - } - } - - userdb { - driver = passwd-file - args = username_format=%n ${files.users} - default_fields = uid=${cfg.user} gid=${cfg.user} home=/var/spool/mail/%n - } - - passdb { - driver = passwd-file - args = username_format=%n ${files.users} - } - - namespace inbox { - inbox = yes - - mailbox Sent { - auto = subscribe - special_use = \Sent - } - - mailbox Drafts { - auto = subscribe - special_use = \Drafts - } - - mailbox Spam { - auto = create - special_use = \Junk - } - - mailbox Trash { - auto = subscribe - special_use = \Trash - } - - mailbox Archive { - auto = subscribe - special_use = \Archive - } - } - - protocol lmtp { - mail_plugins = $mail_plugins sieve - } - ''; - }; - - users.extraUsers = optional (cfg.user == "vmail") { - uid = cfg.uid; - group = cfg.group; - }; - - users.extraGroups = optional (cfg.group == "vmail") { - gid = cfg.gid; - }; - - networking.firewall.allowedTCPPorts = [ 25 587 993 ]; - }; -} diff --git a/modules/nixos-in-place.nix b/modules/nixos-in-place.nix index 88204a9..d51cf01 100644 --- a/modules/nixos-in-place.nix +++ b/modules/nixos-in-place.nix @@ -8,11 +8,11 @@ in options."nixos-in-place" = { enable = mkEnableOption "enable nixos-in-place FS"; rootfs = mkOption { - type = types.string; + type = types.str; description = "device name for root fs"; }; swapfs = mkOption { - type = types.string; + type = types.str; description = "device name for root fs"; }; }; diff --git a/modules/tor-hidden-service.nix b/modules/tor-hidden-service.nix index 0774338..7a20fa9 100644 --- a/modules/tor-hidden-service.nix +++ b/modules/tor-hidden-service.nix 
@@ -8,7 +8,7 @@ let in { options.services.tor.service-keys = mkOption { default = {}; - type = with types; loaOf string; + type = with types; loaOf str; }; config = mkIf (service-keys != {}) { diff --git a/modules/victoriametrics.nix b/modules/victoriametrics.nix new file mode 100644 index 0000000..ef3a554 --- /dev/null +++ b/modules/victoriametrics.nix @@ -0,0 +1,49 @@ +{ config, pkgs, lib, ... }: +let cfg = config.services.victoriametrics; in +{ + options.services.victoriametrics = with lib; { + enable = mkEnableOption "victoriametrics"; + package = mkOption { + type = types.package; + default = pkgs.victoriametrics; + defaultText = "pkgs.victoriametrics"; + description = '' + The VictoriaMetrics distribution to use. + ''; + }; + http = mkOption { + default = ":8428"; + type = types.str; + description = '' + The listen address for the http interface. + ''; + }; + retentionPeriod = mkOption { + type = types.int; + default = 1; + description = '' + Retention period in months. + ''; + }; + extraOptions = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra options to pass to VictoriaMetrics. See + the README or victoriametrics -help for more + information. + ''; + }; + }; + config = lib.mkIf cfg.enable { + systemd.services.victoriametrics = { + description = "VictoriaMetrics time series database"; + serviceConfig = { + StateDirectory = "victoriametrics"; + DynamicUser = true; + ExecStart = "${cfg.package}/bin/victoria-metrics -storageDataPath=/var/lib/victoriametrics -httpListenAddr ${cfg.http} -retentionPeriod ${toString cfg.retentionPeriod} ${lib.concatStringsSep " " cfg.extraOptions}"; + }; + wantedBy = [ "multi-user.target" ]; + }; + }; +} diff --git a/nix/sources.json b/nix/sources.json new file mode 100644 index 0000000..3ce9739 --- /dev/null +++ b/nix/sources.json 
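Review bot: The `http` option in the new `modules/victoriametrics.nix` defaults to `":8428"`, which binds the unauthenticated VictoriaMetrics HTTP API on every interface; the NixOS firewall will block it unless the port is opened, but a safer module default is `default = "127.0.0.1:8428";` with the description noting that a non-loopback address should be paired with a firewall rule or an authenticating proxy. The `ExecStart` line interpolates `cfg.http` and `lib.concatStringsSep " " cfg.extraOptions` straight into a systemd command line, so an option value containing whitespace or quotes is split or mis-parsed by systemd; `${lib.escapeShellArgs cfg.extraOptions}` (and the same for the listen address) keeps each element a single argument. `DynamicUser = true` with `StateDirectory` is a good choice here.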
@@ -0,0 +1,38 @@ +{ + "niv": { + "branch": "master", + "description": "Easy dependency management for Nix projects", + "homepage": "https://github.com/nmattia/niv", + "owner": "nmattia", + "repo": "niv", + "rev": "c8f74f44b5f5df2c8f20a1834460d012e74d78f9", + "sha256": "0zmhxgl37f1p2aiqjmiccflpgga6phj6vmqs3jd33z0frj6hsy5c", + "type": "tarball", + "url": "https://github.com/nmattia/niv/archive/c8f74f44b5f5df2c8f20a1834460d012e74d78f9.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixos-hardware": { + "branch": "master", + "description": "A collection of NixOS modules covering hardware quirks.", + "homepage": "", + "owner": "nixos", + "repo": "nixos-hardware", + "rev": "89c4ddb0e60e5a643ab15f68b2f4ded43134f492", + "sha256": "1a0mplnj0zx33f4lm7kwg6z6iwgdkg2pxy58plkj6w59ibfl2l27", + "type": "tarball", + "url": "https://github.com/nixos/nixos-hardware/archive/89c4ddb0e60e5a643ab15f68b2f4ded43134f492.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixpkgs": { + "branch": "nixos-19.03", + "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to", + "homepage": "https://github.com/NixOS/nixpkgs", + "owner": "NixOS", + "repo": "nixpkgs-channels", + "rev": "c8db7a8a16ee9d54103cade6e766509e1d1c8d7b", + "sha256": "1b3h4mwpi10blzpvgsc0191k4shaw3nw0qd2p82hygbr8vv4g9dv", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs-channels/archive/c8db7a8a16ee9d54103cade6e766509e1d1c8d7b.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + } +} diff --git a/nix/sources.nix b/nix/sources.nix new file mode 100644 index 0000000..718ea6f --- /dev/null +++ b/nix/sources.nix 
@@ -0,0 +1,136 @@ +# This file has been generated by Niv. + +let + + # + # The fetchers. fetch_ fetches specs of type . + # + + fetch_file = pkgs: spec: + if spec.builtin or true then + builtins_fetchurl { inherit (spec) url sha256; } + else + pkgs.fetchurl { inherit (spec) url sha256; }; + + fetch_tarball = pkgs: spec: + if spec.builtin or true then + builtins_fetchTarball { inherit (spec) url sha256; } + else + pkgs.fetchzip { inherit (spec) url sha256; }; + + fetch_git = spec: + builtins.fetchGit { url = spec.repo; inherit (spec) rev ref; }; + + fetch_builtin-tarball = spec: + builtins.trace + '' + WARNING: + The niv type "builtin-tarball" will soon be deprecated. You should + instead use `builtin = true`. + + $ niv modify -a type=tarball -a builtin=true + '' + builtins_fetchTarball { inherit (spec) url sha256; }; + + fetch_builtin-url = spec: + builtins.trace + '' + WARNING: + The niv type "builtin-url" will soon be deprecated. You should + instead use `builtin = true`. + + $ niv modify -a type=file -a builtin=true + '' + (builtins_fetchurl { inherit (spec) url sha256; }); + + # + # Various helpers + # + + # The set of packages used when specs are fetched using non-builtins. + mkPkgs = sources: + if hasNixpkgsPath + then + if hasThisAsNixpkgsPath + then import (builtins_fetchTarball { inherit (mkNixpkgs sources) url sha256; }) {} + else import {} + else + import (builtins_fetchTarball { inherit (mkNixpkgs sources) url sha256; }) {}; + + mkNixpkgs = sources: + if builtins.hasAttr "nixpkgs" sources + then sources.nixpkgs + else abort + '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; + + hasNixpkgsPath = (builtins.tryEval ).success; + hasThisAsNixpkgsPath = + (builtins.tryEval ).success && == ./.; + + # The actual fetching function. + fetch = pkgs: name: spec: + + if ! 
builtins.hasAttr "type" spec then + abort "ERROR: niv spec ${name} does not have a 'type' attribute" + else if spec.type == "file" then fetch_file pkgs spec + else if spec.type == "tarball" then fetch_tarball pkgs spec + else if spec.type == "git" then fetch_git spec + else if spec.type == "builtin-tarball" then fetch_builtin-tarball spec + else if spec.type == "builtin-url" then fetch_builtin-url spec + else + abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; + + # Ports of functions for older nix versions + + # a Nix version of mapAttrs if the built-in doesn't exist + mapAttrs = builtins.mapAttrs or ( + f: set: with builtins; + listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)) + ); + + # fetchTarball version that is compatible between all the versions of Nix + builtins_fetchTarball = { url, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchTarball; + in + if lessThan nixVersion "1.12" then + fetchTarball { inherit url; } + else + fetchTarball attrs; + + # fetchurl version that is compatible between all the versions of Nix + builtins_fetchurl = { url, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchurl; + in + if lessThan nixVersion "1.12" then + fetchurl { inherit url; } + else + fetchurl attrs; + + # Create the final "sources" from the config + mkSources = config: + mapAttrs ( + name: spec: + if builtins.hasAttr "outPath" spec + then abort + "The values in sources.json should not have an 'outPath' attribute" + else + spec // { outPath = fetch config.pkgs name spec; } + ) config.sources; + + # The "config" used by the fetchers + mkConfig = + { sourcesFile ? ./sources.json + }: rec { + # The sources, i.e. the attribute set of spec name to spec + sources = builtins.fromJSON (builtins.readFile sourcesFile); + # The "pkgs" (evaluated nixpkgs) to use for e.g. 
non-builtin fetchers + pkgs = mkPkgs sources; + }; +in +mkSources (mkConfig {}) // + { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/packages/default.nix b/packages/default.nix index bd801f7..51eef8f 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -1,16 +1,3 @@ [ (self: super: { - gogitget = super.callPackage ./gogitget.nix {}; - shallot = super.callPackage ./shallot.nix {}; yori-cc = super.callPackage ./yori-cc.nix {}; - gitea = - super.gitea.overrideDerivation (o: rec { - version = "1.4.1"; - name = "gitea-${version}"; - src = self.fetchFromGitHub { - owner = "go-gitea"; - repo = "gitea"; - rev = "v${version}"; - sha256 = "1mid67c4021m7mi4ablx1w5v43831gzn8xpg8n30a4zmr70781wm"; - }; - }); })] diff --git a/packages/firmware_qca6174.nix b/packages/firmware_qca6174.nix deleted file mode 100644 index 69832da..0000000 --- a/packages/firmware_qca6174.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ stdenv, fetchurl }: -stdenv.mkDerivation rec { - target = "QCA6174"; - branch = "4.4.1.c1"; - version = "${branch}-00042"; - name = "${target}-firmware-${version}"; - src = fetchurl { - url = "https://github.com/kvalo/ath10k-firmware/raw/master/${target}/hw3.0/${branch}/firmware-6.bin_RM.${version}-QCARMSWP-1"; - sha256 = "01vvz3qhqw5l3yilcqgk1spk4y9k4qy7na7a57cbl037r231szdh"; - }; - buildCommand = '' - install -D $src $out/lib/firmware/ath10k/${target}/hw3.0/firmware-6.bin - ''; -} diff --git a/packages/gogitget.nix b/packages/gogitget.nix deleted file mode 100644 index 6a0ef40..0000000 --- a/packages/gogitget.nix +++ /dev/null 
@@ -1,20 +0,0 @@ -# this is the secure fetchgit, but it actually works -{ fetchgit, writeScript, openssh, stdenv }: args: derivation ((fetchgit args).drvAttrs // { - SSH_AUTH_SOCK = if (builtins.tryEval ).success - then builtins.toString - else null; - GIT_SSH = writeScript "fetchgit-ssh" '' - #! ${stdenv.shell} - TEMP_ID=$(mktemp) - cp ${let - sshIdFile = if (builtins.tryEval ).success - then - else builtins.trace '' - That didn't work. - '' "/var/lib/empty/config"; - in builtins.toString sshIdFile} $TEMP_ID - chown `whoami` $TEMP_ID - chmod 400 $TEMP_ID - exec -a ssh ${openssh}/bin/ssh -F /dev/null -i $TEMP_ID -o StrictHostKeyChecking=no "$@" - ''; -}) diff --git a/packages/shallot.nix b/packages/shallot.nix deleted file mode 100644 index fad7a90..0000000 --- a/packages/shallot.nix +++ /dev/null @@ -1,24 +0,0 @@ -with import {}; - -stdenv.mkDerivation { - name = "shallot-0.0.3-alpha"; - - src = fetchFromGitHub { - rev = "831de01b13b309933d32efe8388444ef6a831cfb"; - owner = "katmagic"; - repo = "Shallot"; - sha256 = "0zlgl13vmv6zj1jk5cfjqg66n3qq9yp2202llpgvfl16rzxrlv5r"; - }; - - buildInputs = [openssl]; - - buildPhase = '' - ./configure - make - ''; - - installPhase = '' - mkdir -p $out/bin - mv shallot $out/bin - ''; -} \ No newline at end of file diff --git a/packages/yori-cc.nix b/packages/yori-cc.nix index 725b9f1..92f5a5f 100644 --- a/packages/yori-cc.nix +++ b/packages/yori-cc.nix @@ -1,14 +1,11 @@ { stdenv, callPackage }: -let gogitget = callPackage ./gogitget.nix {}; in - stdenv.mkDerivation { - name = "yori-cc-1.3.5"; + name = "yori-cc-1.5"; - src = gogitget { - "url" = "git@git.yori.cc:yorick/yori-cc.git"; - "rev" = "f049e4330dfb64bbbaf700897269c003fce8b5c4"; - "sha256" = "1x8knlsp7cx52sr15gr0yhj1vl8ncznrqn4nvaycgwmhr1kysffr"; + src = builtins.fetchGit { + url = "git@git.yori.cc:yorick/yori-cc.git"; + rev = "68c75ab84cceaf98dd8fd0646b97d73f966b8962"; }; buildInputs = [ ]; 
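Review bot: The new `src = builtins.fetchGit { url = "git@git.yori.cc:yorick/yori-cc.git"; rev = "68c75ab84cceaf98dd8fd0646b97d73f966b8962"; }` in yori-cc.nix is pinned to a commit id, which is acceptable for integrity, but it drops the `sha256` the previous fetcher carried and now depends on SSH credentials being available at evaluation time on every machine that evaluates this package. `builtins.fetchGit` without `ref` only finds the rev if it is reachable from the repository's default branch on the Nix version in use, so `ref = "<BRANCH>";` (placeholder) is worth adding. The removed `gogitget.nix` wrapper ran ssh with `StrictHostKeyChecking=no`; the replacement inherits the user's normal known_hosts handling, which is an improvement worth stating in the commit message.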
diff --git a/physical/3950x-hardware-config.nix b/physical/3950x-hardware-config.nix new file mode 100644 index 0000000..0b89336 --- /dev/null +++ b/physical/3950x-hardware-config.nix @@ -0,0 +1,38 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "rpool/root/nixos"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "rpool/home"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/5D0A-7902"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/61a23e27-2cd4-4456-bcde-aec68be04239"; } + ]; + + nix.maxJobs = lib.mkDefault 32; + # High-DPI console + #i18n.consoleFont = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; +} diff --git a/physical/3950x.nix b/physical/3950x.nix new file mode 100644 index 0000000..e44e2c4 --- /dev/null +++ b/physical/3950x.nix @@ -0,0 +1,22 @@ +{ config, pkgs, lib, ... }: +let sources = import ../nix/sources.nix; +in +{ + imports = + [ ./. + ./3950x-hardware-config.nix + "${sources.nixos-hardware}/common/cpu/amd" + ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.supportedFilesystems = [ "zfs" ]; + boot.kernelModules = [ "nct6775" ]; + boot.kernelPackages = pkgs.linuxPackages_latest; + networking.hostId = "c7736638"; + services.zfs.autoScrub.enable = true; + services.zfs.trim.enable = true; + + networking.useDHCP = false; + networking.interfaces.enp9s0.useDHCP = true; +} diff --git a/physical/apu2c4.nix b/physical/apu2c4.nix new file mode 100644 index 0000000..b6eb949 
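Review bot: `boot.kernelPackages = pkgs.linuxPackages_latest;` in the new `physical/3950x.nix` is combined with `boot.supportedFilesystems = [ "zfs" ]` and the ZFS root from the generated hardware config; the out-of-tree ZFS module regularly lags the newest kernel, so a nixpkgs bump can leave this host without a buildable kernel. Pinning to an LTS kernel, or to the newest kernel the ZFS package declares compatible if the pinned nixpkgs exposes that (e.g. `pkgs.zfs.latestCompatibleLinuxPackages`), avoids that failure mode. The nixos-hardware import via `sources.nixos-hardware` is hash-pinned through niv, which is good.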
--- /dev/null +++ b/physical/apu2c4.nix @@ -0,0 +1,22 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/1396f814-6cc2-4988-992a-3558fa1ac5a2"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/5f8f358d-f63c-48ad-a322-d1aeb403e4ff"; } + ]; + + nix.maxJobs = lib.mkDefault 4; +} diff --git a/physical/default.nix b/physical/default.nix index 0bac40f..c92b7a0 100644 --- a/physical/default.nix +++ b/physical/default.nix 
@@ -1,44 +1,3 @@ -{ config, lib, pkgs, ... }: -let cfg = config.hardware.yorick; in -with lib; { - options.hardware.yorick = { - cpu = mkOption { - type = types.nullOr (types.enum ["intel" "virtual"]); - }; - gpu = mkOption { - type = types.nullOr (types.enum ["intel" "nvidia"]); - default = null; - }; - laptop = mkEnableOption "laptop settings"; - }; - config = mkMerge [ - (mkIf (cfg.gpu == "intel") { - # https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options - boot.kernelParams = ["i915.enable_fbc=1" "i915.enable_guc_loading=1" "i915.enable_guc_submission=1" "i915.enable_huc=1" "i915.enable_psr=2"]; - # now we wait until enable_psr=1 is fixed - services.xserver.videoDrivers = ["modesetting"]; - hardware.opengl.extraPackages = [ pkgs.vaapiIntel ]; - }) - (mkIf (cfg.gpu == "nvidia") { - boot.kernelModules = ["nvidiabl"]; - services.xserver.videoDrivers = ["nvidia"]; - boot.extraModulePackages = [config.boot.kernelPackages.nvidiabl]; - }) - (mkIf (cfg.cpu == "intel") { - hardware.cpu.intel.updateMicrocode = true; - boot.kernelModules = ["kvm-intel"]; - }) - (mkIf (cfg.laptop) { - services.xserver.libinput.enable = true; - - networking.wireless.enable = true; - hardware.bluetooth.enable = true; - # gotta go faster - networking.dhcpcd.extraConfig = '' - noarp - ''; - services.thermald.enable = true; - }) - ]; + hardware.enableRedistributableFirmware = true; } diff --git a/physical/fractal.nix b/physical/fractal.nix index f6d5574..7471c5d 100644 --- a/physical/fractal.nix +++ b/physical/fractal.nix 
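Review bot: This hunk deletes the `options.hardware.yorick` declaration (cpu/gpu/laptop) together with the config it drove, but `physical/hp8570w.nix` in the same commit still sets `hardware.yorick = { cpu = "intel"; gpu = "nvidia"; };`, so evaluating any host that includes hp8570w.nix should now fail with an undefined-option error unless the option is declared somewhere not shown here. Either delete that line from hp8570w.nix or keep a minimal declaration; note that hp8570w.nix re-adds the nvidia and laptop settings inline but not the `hardware.cpu.intel.updateMicrocode = true;` and `boot.kernelModules = ["kvm-intel"];` that `cpu = "intel"` used to imply, so those should be restored there too (the nixos-hardware `common/cpu/intel` module the other hosts now import may cover microcode, but hp8570w.nix does not import it in this diff).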
@@ -1,22 +1,21 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. { config, lib, pkgs, ... }: - +let sources = import ../nix/sources.nix; +in { imports = - [ - + [ ./. + "${sources.nixos-hardware}/common/cpu/intel" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" ]; - hardware.yorick.cpu = "intel"; # Use the GRUB 2 boot loader. - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - # Define on which hard drive you want to install Grub. - boot.loader.grub.device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S21PNXAG441016B"; + boot.loader.grub = { + enable = true; + version = 2; + # Define on which hard drive you want to install Grub. + device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S21PNXAG441016B"; + }; fileSystems."/" = @@ -28,6 +27,16 @@ swapDevices = [ { device = "/dev/disk/by-label/nixos-swap"; } ]; + fileSystems."/data" = + { device = "frumar-new"; + fsType = "zfs"; + }; + + fileSystems."/data/plexmedia" = + { device = "frumar-new/plexmedia"; + fsType = "zfs"; + }; nix.maxJobs = 4; + services.avahi.interfaces = [ "enp2s0" ]; } diff --git a/physical/hetznercloud.nix b/physical/hetznercloud.nix new file mode 100644 index 0000000..38e0af1 --- /dev/null +++ b/physical/hetznercloud.nix 
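Review bot: The second hunk adds ZFS mounts for `frumar-new` and `frumar-new/plexmedia`, but nothing in this file enables ZFS support or sets a `networking.hostId`, both of which a ZFS pool import needs at boot; they may be set in the host's logical config, which is not in this diff, so this is a confirmation request rather than a certain defect. The first hunk replaces the removed `hardware.yorick.cpu = "intel"` with the niv-pinned `"${sources.nixos-hardware}/common/cpu/intel"`; the deleted module used to set `hardware.cpu.intel.updateMicrocode = true`, so it is worth checking that the pinned nixos-hardware revision still applies microcode updates for this host. The `fileSystems."/"` definition at the end of the first hunk continues outside it.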
@@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: +let + ipconf = (import ../secrets.nix).ipconf.${config.networking.hostName}; +in +{ + imports = + # todo: impure: + [ + ]; + + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.loader.grub = { + enable = true; + version = 2; + device = "/dev/sda"; + }; + + fileSystems."/" = + { device = "/dev/sda1"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + nix.maxJobs = lib.mkDefault 1; + #services.nscd.enable = false; + networking.dhcpcd.enable = false; + systemd.network.enable = true; + systemd.network.networks."40-hetzner" = { + DHCP = "ipv4"; + address = [ ipconf.mainIPv6 ]; + gateway = [ "fe80::1" ]; + matchConfig.Name = "ens3"; + }; + services.fstrim.enable = true; +} diff --git a/physical/hp8570w.nix b/physical/hp8570w.nix index 543ac75..08534a3 100644 --- a/physical/hp8570w.nix +++ b/physical/hp8570w.nix @@ -7,7 +7,7 @@ ./hp8570w/powerdown.nix ]; - hardware.yorick = { cpu = "intel"; gpu = "nvidia"; laptop = true; }; + hardware.yorick = { cpu = "intel"; gpu = "nvidia"; }; boot = { loader.grub = { @@ -48,4 +48,16 @@ #services.tcsd.enable = true; # it has a TPM. maybe use this? #environment.systemPackages = with pkgs; [tpm-tools]; + services.xserver.libinput.enable = true; + + networking.wireless.enable = true; + hardware.bluetooth.enable = true; + # gotta go faster + networking.dhcpcd.extraConfig = '' + noarp + ''; + services.thermald.enable = true; + boot.kernelModules = ["nvidiabl"]; + services.xserver.videoDrivers = ["nvidia"]; + boot.extraModulePackages = [config.boot.kernelPackages.nvidiabl]; } diff --git a/physical/kassala.nix b/physical/kassala.nix deleted file mode 100644 index b37e8c6..0000000 --- a/physical/kassala.nix +++ /dev/null 
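Review bot: In the new `physical/hetznercloud.nix` the `imports` list is marked `# todo: impure:` and reads as empty on this page (an angle-bracket path was probably lost in rendering), so this internet-facing host still resolves at least one module through `NIX_PATH` while the rest of the commit moves to hash-pinned `nix/sources.json` inputs; importing via `sources.nixpkgs`/`sources.nixos-hardware` as `physical/3950x.nix` does would make the deployed closure reproducible. `ipconf = (import ../secrets.nix).ipconf.${config.networking.hostName}` reads address data at evaluation time, which is fine for an IP but means secrets.nix must never carry anything that has to stay out of the Nix store. Root on `/dev/sda1` with grub on `/dev/sda` relies on stable device naming; a `by-uuid` path, as the other hardware configs use, is more robust across cloud image rebuilds.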
@@ -1,50 +0,0 @@ -{ config, lib, pkgs, ... }: -let - ipconf = (import ).ipconf.${config.networking.hostName}; -in -{ - imports = [ ../modules/nixos-in-place.nix ]; - "nixos-in-place" = { - enable = true; - rootfs = "/dev/disk/by-uuid/7165e542-0995-474c-a228-9592339e0604"; - swapfs = "/dev/disk/by-uuid/baaf824a-bee0-4037-a237-3a69f1db7985"; - }; - # fs layout: - # before: /nixos/nix/* /boot/grub/menu.lst - # after: /nix/* /old-root/boot/grub/menu.lst - boot = { - kernelPackages = pkgs.linuxPackages_latest; - blacklistedKernelModules = ["coretemp"]; - # use grub 1, don't install - loader.grub = { - version = 1; - extraPerEntryConfig = "root (hd0,0)"; # do we need this? - mirroredBoots = [{ - path = "/old-root/boot"; - devices = ["nodev"]; - }]; - splashImage = null; - }; - initrd.availableKernelModules = [ "xen_blkfront" ]; - }; - sound.enable = false; - networking = { - usePredictableInterfaceNames = false; # only eth0 - interfaces.eth0 = { - useDHCP = false; - inherit (ipconf) ipv4 ipv6; - }; - inherit (ipconf) nameservers; - # ideally, it should add a route for this automatically - #defaultGateway = ipconf.gateway4; - #defaultGateway6 = ipconf.gateway6; - }; - systemd.services."network-setup".postStart = with ipconf; '' - ip route add ${gateway4} dev eth0 || true - ip route add default via ${gateway4} || true - ip -6 route add ${gateway6} dev eth0 || true - ip -6 route add default via ${gateway6} || true - ''; - nix.maxJobs = lib.mkDefault 2; - hardware.yorick.cpu = "virtual"; -} diff --git a/physical/nixos-hardware.nix b/physical/nixos-hardware.nix deleted file mode 100644 index bb469e6..0000000 --- a/physical/nixos-hardware.nix +++ /dev/null @@ -1,4 +0,0 @@ -builtins.fetchTarball { - url = "https://github.com/NixOS/nixos-hardware/archive/d534770be7f699b3332ef09bd043745a38d115ad.tar.gz"; - sha256 = "0h4xzs0bp0v01rzqm023ia2rgmcxv32jdiinp7ylxxh384vf5h0h"; -} diff --git a/physical/nuc.nix b/physical/nuc.nix index b447144..afa1c7b 100644 --- a/physical/nuc.nix 
+++ b/physical/nuc.nix @@ -1,40 +1,41 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. { config, lib, pkgs, ... }: - +let sources = import ../nix/sources.nix; +in { + imports = [ + "${sources.nixos-hardware}/common/cpu/intel" ]; - - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; - hardware.yorick = { cpu = "intel"; gpu = "intel"; }; - boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + fileSystems."/" = - { device = "/dev/disk/by-uuid/fa5026b1-0f73-4233-a417-780c65f3f038"; - fsType = "btrfs"; - options = ["defaults" "relatime" "discard"]; + { device = "/dev/disk/by-uuid/3e148654-0ed8-4354-8159-e3499c6fa299"; + fsType = "ext4"; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/729B-0F6C"; + { device = "/dev/disk/by-uuid/439E-26EA"; fsType = "vfat"; }; - swapDevices = - [ { device = "/dev/disk/by-uuid/086b6aaa-a737-4747-91d6-b4923bf14858"; } - ]; + swapDevices = [ ]; nix.maxJobs = lib.mkDefault 4; - services.xserver.videoDrivers = ["intel"]; - networking.wireless.enable = true; - environment.systemPackages = with pkgs; [ - btrfs-progs + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + + nixpkgs.config.packageOverrides = pkgs: { + vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; + }; + hardware.opengl.extraPackages = with pkgs; [ + intel-media-driver # only available starting nixos-19.03 or the current nixos-unstable ]; } diff --git a/physical/xps9360-hardware-config.nix b/physical/xps9360-hardware-config.nix index 87673e6..185f0db 100644 --- a/physical/xps9360-hardware-config.nix 
+++ b/physical/xps9360-hardware-config.nix @@ -22,7 +22,7 @@ }; swapDevices = - [ { device = "/dev/disk/by-uuid/d9c4c15b-0e9c-47f6-8675-93b1b8de5f9d"; } + [ { device = "/dev/disk/by-uuid/198ddaba-a849-41de-993d-862c2d37937a"; } ]; nix.maxJobs = lib.mkDefault 4; diff --git a/physical/xps9360.nix b/physical/xps9360.nix index af37c73..ad527c8 100644 --- a/physical/xps9360.nix +++ b/physical/xps9360.nix @@ -1,26 +1,43 @@ { config, lib, pkgs, ... }: +let sources = import ../nix/sources.nix; +in { imports = [ - "${import ./nixos-hardware.nix}/dell/xps/13-9360" + "${sources.nixos-hardware}/dell/xps/13-9360" ./xps9360-hardware-config.nix ]; boot.kernelPackages = pkgs.linuxPackages_latest; - boot.kernelParams = [ "i915.enable_psr=0" ]; + boot.kernelModules = [ "i8k" ]; + boot.extraModprobeConfig = '' + options i8k ignore_dmi=1 + ''; fileSystems."/".options = ["defaults" "relatime" "discard"]; boot.initrd.luks.devices."nix-crypt".allowDiscards = true; - # intel huc, guc. qca6174 (older firmware) - hardware.enableRedistributableFirmware = true; - - # hardware is thermal-limited - services.thermald.enable = lib.mkDefault true; + services.undervolt = rec { + enable = true; + coreOffset = "-50"; + gpuOffset = "-50"; + uncoreOffset = "-50"; + analogioOffset = "-50"; + }; + services.tlp.extraConfig = '' + CPU_SCALING_GOVERNOR_ON_AC=performance + CPU_SCALING_GOVERNOR_ON_BAT=powersave + ''; services.xserver.libinput.enable = true; - networking.wireless.enable = true; + networking.wireless = { + enable = false; + iwd.enable = true; + }; hardware.bluetooth.enable = true; + + services.udev.packages = [ pkgs.crda ]; + hardware.firmware = [ pkgs.wireless-regdb ]; # gotta go faster networking.dhcpcd.extraConfig = '' noarp diff --git a/roles/default.nix b/roles/default.nix index bd51fce..b16bd5d 100644 --- a/roles/default.nix +++ b/roles/default.nix 
@@ -1,39 +1,41 @@ -let secrets = import ; +let secrets = import ../secrets.nix; in -{ config, pkgs, lib, ...}: +{ config, pkgs, lib, name, ...}: let - machine = lib.removeSuffix ".nix" (builtins.baseNameOf ); + machine = name; + vpn = import ../vpn.nix; in { imports = [ ../modules/tor-hidden-service.nix ../modules/nginx.nix - - + ../deploy/keys.nix + ../services ]; networking.hostName = secrets.hostnames.${machine}; time.timeZone = "Europe/Amsterdam"; users.mutableUsers = false; - users.extraUsers.root = { - openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys; + users.users.root = { + openssh.authorizedKeys.keys = config.users.users.yorick.openssh.authorizedKeys.keys; # root password is useful from console, ssh has password logins disabled hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own }; services.timesyncd.enable = true; - users.extraUsers.yorick = { + users.users.yorick = { isNormalUser = true; uid = 1000; extraGroups = ["wheel"]; group = "users"; - openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [yorick]; + openssh.authorizedKeys.keys = with (import ../sshkeys.nix); yorick; + hashedPassword = secrets.yorick_hashedPassword; }; # Nix nixpkgs.config.allowUnfree = true; nixpkgs.overlays = import ../packages; - nix.buildCores = config.nix.maxJobs; + #nix.buildCores = config.nix.maxJobs; # Networking networking.enableIPv6 = true; @@ -47,17 +49,17 @@ in environment.systemPackages = with pkgs; [ # v important. - cowsay ponysay + cowsay #ponysay ed # ed, man! sl rlwrap - vim + #vim # system stuff ethtool inetutils pciutils usbutils - iotop powertop htop + /*iotop*/ powertop htop psmisc lsof smartmontools hdparm lm_sensors 
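Review bot: `hashedPassword = secrets.pennyworth_hashedPassword` on root sits in the role every host imports, so the whole fleet shares one root password hash — and, as the `# TODO: generate own` comment concedes, one password — while the new `users.users.yorick.hashedPassword` does the same for the user account. With `users.mutableUsers = false` both hashes are also written into the system closure under `/nix/store`, readable by every local user and by anything that receives the closure (caches, remote builders). Per-host secrets kept outside the store (`users.users.<name>.passwordFile`, deployed the way `/root/keys` is, if the targeted NixOS release has that option) would fix both; until then at least record the exposure next to the TODO, e.g. `# NOTE: shared across all hosts and world-readable in the store`. Root also inherits yorick's authorized keys here, which relies on sshd keeping password logins disabled as the comment says; that sshd setting is not in this hunk.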
@@ -73,19 +75,40 @@ in # archiving xdelta + libarchive atool - unrar p7zip - unzip zip # network nmap mtr bind socat netcat-openbsd lftp wget rsync - git - rxvt_unicode.terminfo + #gitMinimal + #rxvt_unicode.terminfo ]; nix.gc.automatic = true; -} + services.avahi = { + ipv6 = true; + hostName = machine; + }; + deployment.keyys = [ (+"/wg.${machine}.key") ]; + networking.wireguard.interfaces.wg-y = { + privateKeyFile = "/root/keys/wg.${machine}.key"; + ips = [ vpn.ips.${machine} ]; + listenPort = 31790; + peers = [ { + publicKey = vpn.keys.pennyworth; + endpoint = "pennyworth.yori.cc:31790"; + allowedIPs = [ "10.209.0.0/24" ]; + persistentKeepalive = 30; + }]; + postSetup = "ip link set dev wg-y mtu 1371"; + }; + security.acme.email = "acme@yori.cc"; + security.acme.acceptTerms = true; + nix.binaryCachePublicKeys = + [ "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0=" ]; + nix.trustedUsers = ["@wheel"]; +} diff --git a/roles/graphical.nix b/roles/graphical.nix index f098c1a..c7ab4a4 100644 --- a/roles/graphical.nix +++ b/roles/graphical.nix @@ -1,27 +1,12 @@ let secrets = import ; -in -{ config, lib, pkgs, ... }: -{ - imports = [ ]; +in { config, lib, pkgs, ... }: { + imports = [ ./. ]; options.yorick.support32bit = with lib; - mkOption { type = types.bool; default = false; }; + mkOption { + type = types.bool; + default = false; + }; config = { - # Enable the X11 windowing system. - services.xserver = { - enable = true; - libinput = { - naturalScrolling = true; - tappingDragLock = false; - }; - layout = "us"; - xkbOptions = "caps:escape"; - displayManager.slim.defaultUser = "yorick"; - # xkbOptions = "eurosign:e"; - windowManager.i3 = { - enable = true; - package = pkgs.i3-gaps; - }; - }; hardware.opengl = { enable = true; driSupport32Bit = config.yorick.support32bit; 
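Review bot: `nix.trustedUsers = ["@wheel"]` lands in the role every host imports, and Nix documents trusted users as able to do whatever the daemon's root can (any substituter, any signing key, sandbox off), so this is a fleet-wide root grant to the wheel group rather than a workstation convenience; on the servers and the router the only wheel member is already root-equivalent via sudo, but the grant sidesteps sudo's prompt and logging. A comment saying this is intentional, or moving the line to `roles/workstation.nix` where remote builds and the extra caches actually need it, would make the choice explicit. `nix.binaryCachePublicKeys` likewise trusts the `yorick:` signing key on every host, which is fine only while the matching private key lives solely on the machine that signs — something this hunk cannot show.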
@@ -31,30 +16,37 @@ in enable = true; support32Bit = config.yorick.support32bit; }; - users.extraUsers.yorick.extraGroups = ["video"]; + users.users.yorick.extraGroups = [ "video" ]; # fix backlight permissions - services.udev.extraRules = '' - ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness" - ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness" - ''; + services.udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness" + ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness" + ''; - fonts = { - enableFontDir = true; - enableGhostscriptFonts = true; - fonts = with pkgs; [ - corefonts # Micrsoft free fonts - inconsolata # monospaced - source-code-pro - ubuntu_font_family # Ubuntu fonts - source-han-sans-japanese - iosevka - ]; + fonts = { + enableFontDir = true; + enableGhostscriptFonts = true; + fonts = with pkgs; [ + corefonts # Micrsoft free fonts + inconsolata # monospaced + source-code-pro + ubuntu_font_family # Ubuntu fonts + source-han-sans-japanese + iosevka + font-awesome + ]; + }; + # spotify + networking.firewall.allowedTCPPorts = [ 55025 57621 ]; + networking.firewall.allowedUDPPorts = [ 55025 57621 ]; + + services.openssh.forwardX11 = true; + + programs.sway = { + enable = true; + extraSessionCommands = '' + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])} + ''; + }; }; - # spotify - networking.firewall.allowedTCPPorts = [55025 57621]; - networking.firewall.allowedUDPPorts = [55025 57621]; - - users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword; - services.openssh.forwardX11 = true; -}; } diff --git a/roles/homeserver.nix b/roles/homeserver.nix new file mode 100644 index 0000000..a0eec7c --- /dev/null 
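Review bot: `export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${...}` in `programs.sway.extraSessionCommands` yields a leading empty element whenever `LD_LIBRARY_PATH` is unset at session start, and ld.so treats an empty entry as the current working directory, so any program launched from the session while sitting in an attacker-writable directory (downloads, a cloned repo) would pick up shared objects from there. Prepend conditionally instead: `export LD_LIBRARY_PATH=${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])}''${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` (the `''${` is Nix's escape for a literal `${` inside an indented string). Setting `LD_LIBRARY_PATH` for the whole session also affects every program, not just sway; wrapping the binaries that actually need those libraries would be narrower. The enclosing `config = { ... }` set begins in the previous hunk.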
+++ b/roles/homeserver.nix
@@ -0,0 +1,17 @@
+{lib, ...}: {
+ users.users.lars = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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"
+ ];
+ };
+ services.avahi = {
+ enable = true;
+ nssmdns = true;
+ publish = {
+ enable = true;
+ addresses = true;
+ };
+ };
+ networking.firewall.logRefusedConnections = lib.mkForce true;
+}
diff --git a/roles/server.nix b/roles/server.nix
index b8fe7f3..7d6dc17 100644
--- a/roles/server.nix
+++ b/roles/server.nix
@@ -1,10 +1,11 @@
 {
- imports = [ ];
+ imports = [ ./. ];
- services.nixosManual.enable = false;
+ documentation.nixos.enable = false;
 services.sshguard.enable = true;
+ programs.mosh.enable = true;
 environment.noXlibs = true;
- networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers
+ networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers
 }
diff --git a/roles/workstation.nix b/roles/workstation.nix
index e2b32eb..875952a 100644
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
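Review bot: `programs.mosh.enable = true` in `roles/server.nix` also opens UDP 60000–61000 in the firewall on every host that imports the role — the NixOS mosh module does that unconditionally on the releases this tree targets, as far as I can tell — which widens the exposed surface beyond the sshguard-protected SSH port. Mosh sessions are keyed during the SSH handshake so the added risk is modest, but it is not visible from this line; add `# also opens UDP 60000-61000 in the firewall` next to it, or constrain the range with `networking.firewall.allowedUDPPortRanges` if the option to disable the default opening is available.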
@@ -1,39 +1,45 @@ { config, lib, pkgs, ... }: +let + nixNetrcFile = pkgs.runCommand "nix-netrc-file" +{ hostname = "cache.lumi.guide"; + username = "lumi"; +} '' + cat > $out < + ./graphical.nix ]; - users.extraUsers.yorick.extraGroups = [ "input" "wireshark" ]; + users.extraUsers.yorick.extraGroups = [ "input" "wireshark" "dialout" ]; services.printing = { enable = true; drivers = [ pkgs.gutenprint ]; }; - environment.systemPackages = [pkgs.ghostscript pkgs.yubikey-manager]; - #services.xserver.displayManager.sessionCommands = '' - # gpg-connect-agent /bye - # unset SSH_AGENT_PID - # export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh" - #''; - virtualisation.virtualbox.host.enable = true; + environment.systemPackages = with pkgs; [ + pkgs.ghostscript pkgs.yubikey-manager + ]; + virtualisation.virtualbox.host.enable = false; yorick.support32bit = true; # yubikey hardware.u2f.enable = true; services.pcscd.enable = true; - sound.enable = true; #environment.systemPackages = [pkgs.yubikey-manager]; fonts.fonts = [ pkgs.emojione ]; # bluetooth headphones hardware.pulseaudio.package = pkgs.pulseaudioFull; - # japanese typing - i18n.inputMethod = { - enabled = "fcitx"; - fcitx.engines = with pkgs.fcitx-engines; [ mozc ]; - }; programs.wireshark.enable = true; nix = { gc.automatic = pkgs.lib.mkOverride 30 false; binaryCaches = [ "https://cache.nixos.org" + "https://cache.lumi.guide/" + "s3://yorick-cache?endpoint=s3.eu-central-1.wasabisys.com&profile=wasabi-private" + #"https://nixpkgs-wayland.cachix.org" ]; trustedBinaryCaches = config.nix.binaryCaches ++ [ "ssh://yorick@jupiter.serokell.io" 
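Review bot: `nixNetrcFile` is built with `pkgs.runCommand`, so whatever the heredoc writes becomes a `/nix/store` path — world-readable on the machine and carried along with the closure to any cache or remote builder. Only `hostname` and `username` survive in this rendering (the rest of the heredoc appears lost), but a netrc is only useful if it also carries the password for `cache.lumi.guide`, and that password would then be in the store. Keep the credential out of the store: deploy it the way `/root/keys/wg.*.key` is and reference that path, e.g. `netrc-file = /root/keys/nix-netrc`. The `nix = { ... }` set opened here closes in the next hunk, which is also where `netrc-file` is consumed.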
@@ -45,7 +51,20 @@ "serokell-1:aIojg2Vxgv7MkzPJoftOO/I8HKX622sT+c0fjnZBLj0=" "cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE=" "serokell.cachix.org-1:5DscEJD6c1dD1Mc/phTIbs13+iW22AVbx0HqiSb+Lq8=" - "disciplina.cachix.org-1:zDeIFV5cu22v04EUuRITz/rYxpBCGKY82x0mIyEYjxE=" + "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" ]; + extraOptions = '' + netrc-file = ${nixNetrcFile} + ''; }; + services.avahi = { + enable = true; + nssmdns = true; + }; + virtualisation.libvirtd.enable = true; + users.users.yorick.extraGroups = [ "libvirtd" ]; + users.users.yorick.shell = pkgs.fish; + services.udev.extraRules = '' + SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5bf0", MODE="0664", GROUP="dialout" + ''; } 
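Review bot: `users.users.yorick.extraGroups = [ "libvirtd" ]` is a second assignment to the option already set as `users.extraUsers.yorick.extraGroups = [ "input" "wireshark" "dialout" ]` in the previous hunk; the module system merges the two lists, so this works, but it reads like an override — a single consolidated list, or `# merged with the extraGroups list above`, would avoid the misreading. `netrc-file = ${nixNetrcFile}` points Nix at a store-built file, which is world-readable; if it holds the `cache.lumi.guide` password (its body is not visible here), it belongs outside the store. The udev rule grants the `dialout` group write access to a specific USB device by vendor/product id, which is a reasonable scope; a comment naming the device would help the next reader.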
diff --git a/secrets.nix b/secrets.nix index 1e8c352579287b418507cd4f194eb47b3050f7d3..e10620bc051e9ac0efd619a7b40a6d5df4cf803f 100644 GIT binary patch literal 1721 zcmV;q21fY+M@dveQdv+`0EZ(ES1%}z`*RhMe&o+J7$55KyuzflXy=$YPS9!_Wif|e zfl)R=ymq}iHcdeD6f1T?>dX<=_j@6xuINKhGf4|#EbY;qAeDeG*Xn>~?%g&(=FQQl zMWr?-63Uf=8-#e~UmG+5A+UZAwrVG}?tuPbYv({C4_kzQ$^Da}4Yc^V&_liSl%B_$ z)0+I^^)Klyb+akSs$fTF*in5FGmyY*ca)p5v8b3i_S!{S#9YHI72i--XKYr$6^X*0 zpJ##S)^M}V&0v@ygr{Pte&$OjS$1lS-${w=Cj2SAFoxdq=F%!QZ`83FBq<>>rirZP zxoZ64E~Zx=6<0{w-ElwfcGJNdlP%`UMjaz-BvKPxyusO}0qqUwe%#MFh*iXKR6aBF z-UJOC_M9K^x|A^LbQqU<5b8gAGBuMAR82I34$k$Uv3E5$*JVThNpr$WJEPW4a$u6aJH>hU1*0PD% zWZok|6`^BLhsh`prO&2$$;}s&6)+O3f)_3dZx>K>3<`@^XJ;dz87`E<@**JGFL7T< zN9Cjsv1mNYM$1~?iLBJcJ~bYPbhOtmy!Kb;ayA)_)OvSltUzI{-F$>Ge1Sg#89ev` z^*0+)@ClfIqnsf$E%_lHgyemIrp0+dueloGG|s)S;l1YuoiDpUs1l>U1+LRZM}BV; z2f$L(HWP)?TT8TC{)Pbfr{Ko?y`u-Pu7JgnMx677N{2->8FS*tMu;nmiKuCwv>ahhnr3*gRkau|aA|}SU`qK)wwql@$ zwIJW;P4yjD&E%t3W$_f`)4_8ZC8@iygfB?4_RDTjJ3s;v>x7A7?83Xq5N5l;Hu*1i_bcbTNJ5v>iq$e^Ri|a$I3Zxb# z8g=2#5~PKVic{xg%1v;o|I)Go@kGE9cKz1fGU}w?_Gn1DNw^_-wuAob8x$OO zqzL}&WBVVSuFyf1Ea(ONMp_#mB$QV#eor7Y871n&@Co+fFd-I--*vf(1!_JN$eQH~ z$x^9+c9uP{$=0(7G_-wcN3A3$#*w%~zVwnxL@bmeN*M>v15${tnCA5U%Dn4=iYL6K zhOHH#JOImvW_`*oDW&xEgTF>_0I~J9OBp-HV=gBZvY^=t?_-A)D%ZLeXyCKQ-5vIc ze1{U=6`A|QiA7Hux;r(6E#z3FIhQY}8emyT!5!j7R>aiTM*$qY5G zy+^_0R^%UxP%DuzyhE{LTV|DBUP1%WV3c`3VR_~$LRld_F<}`DbcupcA5y8B5V}j8 zQA7dXvmG1g^v>#v*0G#8kU~+x$o#(3a-hWlsIDGEv(#|^R89oNk&GnoF z9?2yRAXO!qD@Sov!ze7e2o>tHBpy*1wLmrTVNkD2mgguTZ7xy!TK9vpkXK!Zsll58KV3xmC?`b-+nQWEoe P>X&dISOfuyaUE$PQ0+)M literal 1612 zcmV-S2DAA9M@dveQdv+`00bhZ7>tu)^;&?v^`3wc1lIZZ)#&O!Nvz?Nol=Hb?h7)1YSkitZgpV(KeYY6Lj(*HMzi@Cm`pOd6c{rPY)a4C&MOd_B+LSm|_@;DL9w+U_e4rUchI_$x|Yg zzNK758{LUS86dGzbdqZ}0&W#i(;*%^E%At7D{8(%n>Q{NM+Z-C;Vu{kqR$if{!ji+ zAh3#1e}uSCX>|S}wv}Q=llDzB6{ViYK4AWVN+}p?WCp0FW7Q2hLk>{;i^mH)xqhR7^F{{0tQvbjMuo-`DlO< zGLj>r3o#TSxANgU-gHk}eiL#xC{vDoL`=8F!yipk>N)BEvwxB31JB 
z)X#S0B3$fI6eRd8+EKy)$}!--yMO#K_7+nV=0i-FTc+cKYmPh5{N8sdX8On`EJ8WV zlS#d#!WN4%YldSi!wCa*39CJpO95HE%XQ$}>;F{9Zj}XY2%12IeX<(S zMr2Sw%Og#kL}ErgR;fA+ShFuC`Nf77x|QPPi8|79FAm+sm<8t9rtj_f;~`xU;8O&8 zFrLX4EUi05rsNUmi*#~9eB^}VrUuL_`n?IbS-xFvyd=z~1IgW2!U}5RF@IG;ImH*r z9zdYKWJ1UVSuck}%&8Sh+qs7sh|E}9+4H)3PYZW;yAMrJ;4H{@uWglCXI=kj%I0#E1>Ub3bW63r*2!; + n = url: conf: let + c = import "${url}/nixos/lib/eval-config.nix" { + modules = [ ./roles conf ]; + extraArgs.name = lib.removeSuffix ".nix" (builtins.baseNameOf conf); + extraArgs.nixpkgs = url; + }; + in c.config.system.build // c; + git = n "https://github.com/NixOS/nixpkgs/archive/master.tar.gz"; + stable = n (builtins.fetchTarball "channel:nixos-20.03"); + unstable = n (builtins.fetchTarball "channel:nixos-unstable-small"); + checkout = n ../projects/nixpkgs; + channel = n "/nix/var/nix/profiles/per-user/root/channels/nixos"; +in +{ + pennyworth = (unstable ./logical/pennyworth.nix).toplevel; + jarvis = (channel ./logical/jarvis.nix).toplevel; + blackadder = (channel ./logical/blackadder.nix).toplevel; + ascanius = (channel ./logical/ascanius.nix).toplevel; + woodhouse = (channel ./logical/woodhouse.nix).toplevel; # 192.168.178.39 + frumar = (channel ./logical/frumar.nix).toplevel; # frumar.local + zazu = (stable ./logical/zazu.nix).toplevel; +} diff --git a/services/default.nix b/services/default.nix index eb5a420..735789a 100644 --- a/services/default.nix +++ b/services/default.nix @@ -1,10 +1,8 @@ { imports = [ - ./gogs.nix - ./mail.nix + ./git.nix + ./muflax-church.nix ./pub.nix - ./quassel.nix ./website.nix - ./xmpp.nix ]; } diff --git a/services/git.nix b/services/git.nix new file mode 100644 index 0000000..bd97b30 --- /dev/null +++ b/services/git.nix 
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.services.yorick.git;
+ inherit (cfg) vhost;
+in
+{
+ options.services.yorick.git = with lib; {
+ enable = mkEnableOption "git";
+ vhost = mkOption { type = types.str; };
+ };
+ config = lib.mkIf cfg.enable {
+ users.extraUsers.git = {
+ createHome = true;
+ home = config.services.gitea.stateDir; extraGroups = [ "git" ]; useDefaultShell = true;
+ };
+ services.gitea = {
+ enable = true;
+ user = "git";
+ database.user = "root";
+ database.name = "gogs";
+ database.createDatabase = false;
+ #dump.enable = true; TODO: backups
+ domain = cfg.vhost;
+ rootUrl = "https://${cfg.vhost}/";
+ httpAddress = "localhost";
+ cookieSecure = true;
+ log.level = "Warn";
+ disableRegistration = true;
+ settings.service = {
+ REGISTER_EMAIL_CONFIRM = false;
+ ENABLE_NOTIFY_MAIL = false;
+ REQUIRE_SIGNIN_VIEW = false;
+ };
+ settings.picture.DISABLE_GRAVATAR = false;
+ settings.mailer = {
+ ENABLED = false;
+ AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/data/avatars";
+ };
+ };
+ services.nginx.virtualHosts.${vhost} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.gitea.httpPort}";
+ extraConfig = ''
+ proxy_buffering off;
+ '';
+ };
+ };
+ };
+}
diff --git a/services/gogs.nix b/services/gogs.nix
index e7c8a1e..5baf704 100644
--- a/services/gogs.nix
+++ b/services/gogs.nix
@@ -5,9 +5,9 @@ in
 {
 options.services.yorick.gogs = with lib; {
 enable = mkEnableOption "gogs";
- dir = mkOption { type = types.string; default = "/var/gogs"; };
+ dir = mkOption { type = types.str; default = "/var/gogs"; };
 port = mkOption { type = types.int; default = 8001; };
- vhost = mkOption { type = types.string; };
+ vhost = mkOption { type = types.str; };
 };
 config = lib.mkIf cfg.enable {
diff --git a/services/mail.nix b/services/mail.nix
deleted file mode 100644
index d2df22f..0000000
--- a/services/mail.nix
+++ /dev/null
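Review bot: `database.user = "root"` runs the internet-facing Gitea instance (exposed through the ACME vhost below) with a database superuser, so any injection or auth bug in the web app yields every database on the server; a dedicated user with rights on the `gogs` database only is the least-privilege choice, e.g. `database.user = "gitea";` with `createDatabase` left at its default. `AVATAR_UPLOAD_PATH` is placed under `settings.mailer`, but Gitea reads that key from the `[picture]` section, so as written it appears to have no effect — move it next to `settings.picture.DISABLE_GRAVATAR`. `users.extraUsers.git.extraGroups = [ "git" ]` presumes a `git` group that nothing in this hunk declares; confirm the gitea module creates it for a custom `user`, or add `users.groups.git = {};`.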
@@ -1,38 +0,0 @@ -{ config, pkgs, lib, ... }: -let -cfg = config.services.yorick.mail; -in -{ - imports = [ - ../modules/mailz.nix - ../modules/backup.nix - ]; - options.services.yorick.mail = with lib; { - enable = mkEnableOption "mail service"; - mainUser = mkOption { type = types.string; }; - users = mkOption {}; - }; - config = lib.mkIf cfg.enable { - # email - services.mailz = rec { - domain = config.networking.hostName; - keydir = "${config.security.acme.directory}/${domain}"; - inherit (cfg) mainUser users; - }; - security.acme.certs.${config.networking.hostName}.postRun = '' - systemctl reload dovecot2.service postfix.service - ''; - services.backup = { - enable = true; - backups = { - mail = { - dir = "/var/spool/mail"; - remote = "webdavs://mail@yorickvp.stackstorage.com/remote.php/webdav//mail_bak"; - keyfile = "/var/backup/creds"; - interval = "daily"; - }; - }; - }; - - }; -} diff --git a/services/pub.nix b/services/pub.nix index 31d886c..8b7d340 100644 --- a/services/pub.nix +++ b/services/pub.nix @@ -3,7 +3,7 @@ let cfg = config.services.yorick.public; in { options.services.yorick.public = { enable = lib.mkEnableOption "public hosting"; - vhost = lib.mkOption { type = lib.types.string; }; + vhost = lib.mkOption { type = lib.types.str; }; }; #imports = [../modules/nginx.nix]; config = lib.mkIf cfg.enable { diff --git a/services/website.nix b/services/website.nix index 8657647..d4cec95 100644 --- a/services/website.nix +++ b/services/website.nix @@ -9,10 +9,10 @@ in options.services.yorick = { website = { enable = mkEnableOption "yoricc website"; - vhost = mkOption { type = types.string; }; + vhost = mkOption { type = types.str; }; pkg = mkOption { type = types.package; default = yoricc; }; }; - redirect = mkOption { type = types.loaOf types.string; default = []; }; + redirect = mkOption { type = types.loaOf types.str; default = []; }; }; config.services.nginx.virtualHosts = with cfg; mkIf enable { ${vhost} = { 
diff --git a/services/xmpp.nix b/services/xmpp.nix index 7e80d85..132cd26 100644 --- a/services/xmpp.nix +++ b/services/xmpp.nix @@ -8,8 +8,8 @@ in { options.services.yorick.xmpp = with lib; { enable = mkEnableOption "xmpp"; - vhost = mkOption { type = types.string; }; - admins = mkOption { type = types.listOf types.string; }; + vhost = mkOption { type = types.str; }; + admins = mkOption { type = types.listOf types.str; }; }; config = lib.mkIf cfg.enable { # XMPP diff --git a/sshkeys.nix b/sshkeys.nix index 814e3da..eba2344 100644 --- a/sshkeys.nix +++ b/sshkeys.nix @@ -1,5 +1,5 @@ { public = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZv+hBDmjxF8h9Gxwvy0o7sMgOsqwp8pVj9AlpG90Y7agvkOm2IGtFueVfiDe0yWPXT0/EIiVWcPhWwcVkbY/BkypPJSMLnlcQ6ld+aO1g+BtdDaVuxcTSvQ77UCT2p+wftxoq1EiUdlhTsXpPucrBd+5NOde+jlPBE4qChIAf2zhOIByJAGT+M4Ie3eV4p5S9LB9CMI4s32gNUBbSA8UDmkjpBXkf9a1TZzdkOGWUmUFXt53/O8LZlGK9kkA5TsjM2xaxDjCLWf5wEcey4JsEggi1prE4aB68Q7+kdbvDiVSEFyZn0A/A9RXHBRAgW8yPdh+EGC56iDW/wkGxWBY5"; deploy = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGGQytwzcR2DrnYQlnZSbXNpSClCFFvy4gqak8r7u8nYplu5azdq6yNN5TRAEoseiTl2WbdnwgVNluze5FF8a5p2XDyu754YF9nyNbQvzWt5dyjFLemDbj5vAzUnQY+52L9qwo5OK3oG2qZx76T7B5CnEN/JDJxGT3xveRyVUSTnNj/N0iiYVsOcEzGpkdKf/5QOGHuZWJrqwz2CNalKbXAJU9mEOHAH+fSxSmf99YCwwF+GyfYUL3eGIZ9CP1pUQX0CZKq8APW+rLlXJuGOrLTNYWd2jTzea95oiyMQeDhidTeyyPWi2GI32tRHVegg6wMzFo7b/m1f/BI18h9psn"; - yorick = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDo1N5E6qkb3McJOvv0PqI7E8iYLAcjil5RWc+zeTtN/"; + yorick = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDo1N5E6qkb3McJOvv0PqI7E8iYLAcjil5RWc+zeTtN/" "ssh-rsa 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 cardno:000607186578"]; } diff --git a/vpn.nix b/vpn.nix new file mode 100644 index 0000000..bdad675 --- /dev/null +++ b/vpn.nix 
@@ -0,0 +1,21 @@
+{
+ ips = {
+ pennyworth = "10.209.0.1";
+ jarvis = "10.209.0.2";
+ frumar = "10.209.0.3";
+ woodhouse = "10.209.0.4";
+ ascanius = "10.209.0.5";
+ blackadder = "10.209.0.6";
+ zazu = "10.209.0.7";
+ };
+ keys = {
+ # for i in wg.*.key; do echo $(echo $i | cut -d. -f2) = \"$(wg pubkey < $i)\"\;; done
+ ascanius = "zZ3gegDspSKBJutp99VzODZNcJ1qQF3OH2nrlxhICwI=";
+ blackadder = "+SfIbW9/MmA5iIVUUzkKPeWmZvwhP8y9qWo67o2UZUA=";
+ frumar = "UpFw4KmrvmOWdMOJ+LHvMzgN7cQMnasqlkzF8/apoGI=";
+ jarvis = "2/Qaq5uiy8uGGnZLIfjeomL47XjZCsJ1dDFDD9Nlq3E=";
+ pennyworth = "XoeUMsiSOWBFEFuAu+S4iQd3MzkyGhIj9dtxzZ0I500=";
+ woodhouse = "ICzlnC4zKUYvpQ0o5AFq2rG7CCqWUFVn3UqkLSoYNgI=";
+ zazu = "6X5EdNMO1MtFi18LCRGZ2cBD0d50Wq+pwkwVubjY1Ew=";
+ };
+}
From 4a5e235e8163b3f217bbe4d0875c9cf1dd93b1bc Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Thu, 21 May 2020 18:12:08 +0200
Subject: [PATCH 131/172] rm deploy key
---
 sshkeys.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/sshkeys.nix b/sshkeys.nix
index eba2344..e0a41ec 100644
--- a/sshkeys.nix
+++ b/sshkeys.nix
@@ -1,5 +1,4 @@ { public = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZv+hBDmjxF8h9Gxwvy0o7sMgOsqwp8pVj9AlpG90Y7agvkOm2IGtFueVfiDe0yWPXT0/EIiVWcPhWwcVkbY/BkypPJSMLnlcQ6ld+aO1g+BtdDaVuxcTSvQ77UCT2p+wftxoq1EiUdlhTsXpPucrBd+5NOde+jlPBE4qChIAf2zhOIByJAGT+M4Ie3eV4p5S9LB9CMI4s32gNUBbSA8UDmkjpBXkf9a1TZzdkOGWUmUFXt53/O8LZlGK9kkA5TsjM2xaxDjCLWf5wEcey4JsEggi1prE4aB68Q7+kdbvDiVSEFyZn0A/A9RXHBRAgW8yPdh+EGC56iDW/wkGxWBY5"; - deploy = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGGQytwzcR2DrnYQlnZSbXNpSClCFFvy4gqak8r7u8nYplu5azdq6yNN5TRAEoseiTl2WbdnwgVNluze5FF8a5p2XDyu754YF9nyNbQvzWt5dyjFLemDbj5vAzUnQY+52L9qwo5OK3oG2qZx76T7B5CnEN/JDJxGT3xveRyVUSTnNj/N0iiYVsOcEzGpkdKf/5QOGHuZWJrqwz2CNalKbXAJU9mEOHAH+fSxSmf99YCwwF+GyfYUL3eGIZ9CP1pUQX0CZKq8APW+rLlXJuGOrLTNYWd2jTzea95oiyMQeDhidTeyyPWi2GI32tRHVegg6wMzFo7b/m1f/BI18h9psn"; yorick = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDo1N5E6qkb3McJOvv0PqI7E8iYLAcjil5RWc+zeTtN/" "ssh-rsa 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 cardno:000607186578"]; } From 4a324709067f9125868c099ba37f7c27ebe8207a Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 23 May 2020 13:01:10 +0200 Subject: [PATCH 132/172] add mullvad config --- keys/wg.mullvad-nl3.key | Bin 0 -> 67 bytes keys/wg.zazu.key | Bin 0 -> 67 bytes services/torrent-wg.nix | 37 +++++++++++++++++++++++++++++++++++++ 3 files changed, 37 insertions(+) create mode 100644 keys/wg.mullvad-nl3.key create mode 100644 keys/wg.zazu.key create mode 100644 services/torrent-wg.nix diff --git a/keys/wg.mullvad-nl3.key b/keys/wg.mullvad-nl3.key new file mode 100644 index 0000000000000000000000000000000000000000..91584a6cb02b346f0ac75689b9a6a0bdff69605a GIT binary patch literal 67 zcmV-J0KESIM@dveQdv+`0Ilk2|18SBkx@O!i1J9UX)o}l=xsPU^W+i1-FGW;diXLu ZWHAOfiwi6EF8j{$#(CCRQIIO)^=c=^Asqk! literal 0 HcmV?d00001 
diff --git a/keys/wg.zazu.key b/keys/wg.zazu.key new file mode 100644 index 0000000000000000000000000000000000000000..ea44d6ab4cfc191c407b2a733a127e49a4f8e639 GIT binary patch literal 67 zcmV-J0KESIM@dveQdv+`0N6P)+(|#RAf~v03^p1|w{F0-35uU+PV91l ZlTb354?F8KIg>0hanir7x^RM}q}ZDe9t!{f literal 0 HcmV?d00001 diff --git a/services/torrent-wg.nix b/services/torrent-wg.nix new file mode 100644 index 0000000..fca2c77 --- /dev/null +++ b/services/torrent-wg.nix @@ -0,0 +1,37 @@ +{lib, config, ...}: +let + cfg = config.services.yorick.torrent-vpn; +in +{ + options.services.yorick.torrent-vpn = with lib; { + enable = mkEnableOption "torrent-vpn"; + name = mkOption { type = types.str; }; + namespace = mkOption { type = types.str; }; + }; + config = { + deployment.keyys = [ (+"/wg.${cfg.name}.key") ]; + networking.wireguard.interfaces.${cfg.name} = { + # curl -s https://api.mullvad.net/www/relays/all/ | jq '.[] | select(.type == "wireguard" and .country_code == "nl")' + ips = ["10.64.19.76/32" "fc00:bbbb:bbbb:bb01::1:134b/128"]; + privateKeyFile = "/root/keys/wg.${cfg.name}.key"; + peers = [{ + publicKey = "hnRyse6QxPPcZOoSwRsHUtK1W+APWXnIoaDTmH6JsHQ="; + allowedIPs = ["0.0.0.0/0" "::0/0"]; + endpoint = "185.65.134.224:31173"; + }]; + interfaceNamespace = cfg.namespace; + }; + systemd.services."wireguard-${cfg.name}" = { + preStart = '' + ip netns add "${cfg.namespace}" + ''; + postStop = '' + ip netns del "${cfg.namespace}" + ''; + }; + environment.etc."netns/torrent/resolv.conf".text = '' + nameserver 193.138.218.74 + ''; + }; +} +# todo: presets From ff14515c6bba1696e26173fa7b3cb26012ceb279 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 23 May 2020 13:17:37 +0200 Subject: [PATCH 133/172] add zazu config --- logical/zazu.nix | 197 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 197 insertions(+) create mode 100644 logical/zazu.nix diff --git a/logical/zazu.nix b/logical/zazu.nix new file mode 100644 index 0000000..d4bc6c3 --- /dev/null 
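Review bot: `environment.etc."netns/torrent/resolv.conf"` hard-codes the namespace name while the tunnel is created in `cfg.namespace`; if the two ever differ, processes run under `ip netns exec` fall back to the host's `/etc/resolv.conf` and their DNS leaves the VPN — use `environment.etc."netns/${cfg.namespace}/resolv.conf"`. The `enable` option is declared but `config` is not wrapped in `lib.mkIf cfg.enable`, so merely importing the module deploys the key and brings the Mullvad tunnel up. `ip netns add` in `preStart` fails if the namespace survived an unclean stop and then blocks the unit from restarting; tolerate that case with `ip netns add "${cfg.namespace}" 2>/dev/null || true`. The two private key files added alongside are 67-byte blobs with the same leading bytes as `secrets.nix`, which is consistent with git-crypt, but confirm they really are encrypted before this history is pushed anywhere.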
+++ b/logical/zazu.nix 
@@ -0,0 +1,197 @@ +# Edit this configuration file to define what should be installed on your system. Help is available in the configuration.nix(5) man page and in the NixOS manual (accessible by running ‘nixos-help’). +let sources = import ../nix/sources.nix; in +{ config, lib, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ../physical/apu2c4.nix + # + ../roles + "${sources.nixos-hardware}/pcengines/apu" + + ]; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only + + boot.kernel.sysctl = { + "net.ipv6.conf.all.forwarding" = true; + "net.ipv6.conf.enp1s0.accept_ra" = 2; + }; + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.enp1s0 = { + useDHCP = true; + tempAddress = "disabled"; + }; + #networking.interfaces.enp2s0.useDHCP = false; + networking.interfaces.enp3s0.useDHCP = false; + networking.interfaces.enp2s0 = { + tempAddress = "disabled"; + ipv4.addresses = [{ + address = "192.168.178.1"; + prefixLength = 24; + }]; + useDHCP = true; + }; + # systemd.services.network-link-br0.unitConfig.After = lib.mkForce [ "network-pre.target" "br0-netdev.service" ]; + # systemd.services.network-link-br0.unitConfig.BindsTo = lib.mkForce [ "br0-netdev.service" ]; + networking.nat = { + enable = true; + externalInterface = "dslite1"; + internalIPs = [ "192.168.178.1/24" ]; + }; + networking.defaultGateway = { + address = "192.0.0.1"; + interface = "dslite1"; + }; + systemd.services.dslite1-netdev = { + wantedBy = [ "network-setup.service" "sys-subsystem-net-devices-dslite1.device" ]; + bindsTo = []; + partOf = [ "network-setup.service" ]; + after = [ "network-pre.target" "network-addresses-enp1s0.service" "network-link-enp1s0.service" ]; + before = [ 
"network-setup.service" ]; + path = [ pkgs.iproute ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + ip tunnel add dslite1 mode ip4ip6 local 2a02:a212:2200:4c00:20d:b9ff:fe56:ba04 remote 2001:730:2000:2::31 encaplimit none + ip link set dslite1 up + ''; + postStop = '' + ip link del dslite1 || true + ''; + }; + networking.interfaces.dslite1 = { + mtu = 1452; # todo: ipv6 fragmenting? + ipv4.addresses = [{ + address = "192.0.0.2"; + prefixLength = 24; + }]; + }; + # networking.bridges = { + # br0.interfaces = [ "enp2s0" "enp3s0" ]; + # }; + networking.dhcpcd.persistent = true; + # request prefix delegation + networking.dhcpcd.extraConfig = '' + noipv6rs + ipv6only + interface enp1s0 + ipv6rs + iaid 1 + ia_pd 1/::/60 enp2s0/0/64 + ''; + services.dnsmasq = { + enable = true; + servers = [ "8.8.8.8" "1.1.1.1" ]; + }; + services.dhcpd4 = { + interfaces = [ "enp2s0" ]; + enable = true; + machines = [ + { hostName = "amateria"; ethernetAddress = "a8:a1:59:15:8b:63"; ipAddress = "192.168.178.42"; } + { hostName = "blackadder"; ethernetAddress = "a8:a1:59:03:8a:75"; ipAddress = "192.168.178.33"; } + { hostName = "frumar"; ethernetAddress = "bc:5f:f4:e8:42:9f"; ipAddress = "192.168.178.37"; } + { hostName = "jarvis"; ethernetAddress = "18:1d:ea:35:13:58"; ipAddress = "192.168.178.34"; } + { hostName = "jarvis-dock"; ethernetAddress = "64:4b:f0:10:05:f2"; ipAddress = "192.168.178.13"; } + { hostName = "printer"; ethernetAddress = "30:05:5c:44:20:a7"; ipAddress = "192.168.178.26"; } + { hostName = "raspberrypi"; ethernetAddress = "b8:27:eb:b9:ec:3a"; ipAddress = "192.168.178.21"; } + { hostName = "smartMeter"; ethernetAddress = "5c:cf:7f:26:ca:91"; ipAddress = "192.168.178.30"; } + { hostName = "gang-ap"; ethernetAddress = "b4:fb:e4:2d:fc:f3"; ipAddress = "192.168.178.32"; } + { hostName = "woodhouse"; ethernetAddress = "94:c6:91:15:1f:c5"; ipAddress = "192.168.178.39"; } + ]; + extraConfig = '' + subnet 192.168.178.0 netmask 
255.255.255.0 { + option subnet-mask 255.255.255.0; + option broadcast-address 192.168.178.255; + option routers 192.168.178.1; + option domain-name-servers 192.168.178.1; + range 192.168.178.3 192.168.178.200; + } + ''; + }; + services.radvd = { + enable = true; + config = '' + interface enp2s0 { + AdvSendAdvert on; + prefix 2a02:a212:2200:4c70::/64 { + AdvOnLink on; + AdvAutonomous on; + }; + }; + ''; + }; + networking.firewall.allowedUDPPorts = [ 53 ]; + networking.firewall.allowedTCPPorts = [ 53 ]; + + services.fstrim.enable = true; + + # Select internationalisation properties. + # i18n = { + # consoleFont = "Lat2-Terminus16"; + # consoleKeyMap = "us"; + # defaultLocale = "en_US.UTF-8"; + # }; + + # Set your time zone. + time.timeZone = "Europe/Amsterdam"; + + # List packages installed in system profile. To search, run: + # $ nix search wget + # environment.systemPackages = with pkgs; [ + # wget vim + # ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # pinentryFlavor = "gnome3"; + # }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # Enable CUPS to print documents. + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). 
+ system.stateVersion = "20.09"; # Did you read the comment? + services.udisks2.enable = false; + boot.supportedFilesystems = lib.mkForce [ "ext4" ]; + boot.initrd.supportedFilesystems = lib.mkForce [ "ext4" ]; + security.polkit.enable = false; + nixpkgs.overlays = [ (self: super: { + dhcpcd = super.dhcpcd.overrideAttrs (o: rec { + pname = "dhcpcd"; + version = "8.1.9"; + src = self.fetchurl { + url = "mirror://roy/${pname}/${pname}-${version}.tar.xz"; + sha256 = "1kzv61bgrd0zwiy6r218zkccx36j9p5mz1gxqvbhg05xn9g50alf"; + }; + patches = []; + }); + }) ]; +} From 61dcd07b7e934bf813a63c7696778dd54ea99bdb Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 2 Jan 2021 20:26:35 +0100 Subject: [PATCH 134/172] rm ascanius --- logical/ascanius.nix | 25 -- physical/hp8570w.nix | 63 ---- physical/hp8570w/powerdown.nix | 21 -- physical/hp8570w/powerdown/Makefile | 6 - physical/hp8570w/powerdown/default.nix | 19 - physical/hp8570w/powerdown/license.txt | 339 ------------------ physical/hp8570w/powerdown/powerdown | 55 --- .../hp8570w/powerdown/powerdown-functions | 154 -------- physical/hp8570w/powerdown/powernow | 57 --- physical/hp8570w/powerdown/powerswitch | 7 - physical/hp8570w/powerdown/powerup | 57 --- 11 files changed, 803 deletions(-) delete mode 100644 logical/ascanius.nix delete mode 100644 physical/hp8570w.nix delete mode 100644 physical/hp8570w/powerdown.nix delete mode 100755 physical/hp8570w/powerdown/Makefile delete mode 100644 physical/hp8570w/powerdown/default.nix delete mode 100644 physical/hp8570w/powerdown/license.txt delete mode 100755 physical/hp8570w/powerdown/powerdown delete mode 100755 physical/hp8570w/powerdown/powerdown-functions delete mode 100755 physical/hp8570w/powerdown/powernow delete mode 100755 physical/hp8570w/powerdown/powerswitch delete mode 100755 physical/hp8570w/powerdown/powerup diff --git a/logical/ascanius.nix b/logical/ascanius.nix deleted file mode 100644 index 66a491e..0000000 --- a/logical/ascanius.nix +++ /dev/null 
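Review bot: `net.ipv6.conf.all.forwarding = true` together with the radvd-advertised global prefix `2a02:a212:2200:4c70::/64` gives every LAN host a routable address, and as far as I can tell the NixOS firewall module only installs its `nixos-fw` chain on INPUT, so nothing in this hunk filters the FORWARD chain and inbound IPv6 arriving on enp1s0 reaches the LAN unchecked (IPv4 is only shielded by the NAT). The hunk needs an explicit ip6tables FORWARD policy; `networking.firewall.extraCommands` is the place, but rules appended there are not flushed on reload, so put them in a dedicated chain as sketched below. Separately, `networking.firewall.allowedUDPPorts = [ 53 ]` and `allowedTCPPorts = [ 53 ]` open dnsmasq on every interface including the WAN, making the router an open resolver; scope them with `networking.firewall.interfaces.enp2s0.allowedUDPPorts = [ 53 ];` (same for TCP) and add `interface=enp2s0` plus `bind-interfaces` to dnsmasq's `extraConfig`. The dhcpcd overlay also pins 8.1.9 with `patches = []`, which discards whatever patches nixpkgs carried for that package, and deserves a comment saying why that is acceptable.
```nix
  # NixOS' firewall filters INPUT only; forwarded IPv6 from the WAN must be restricted explicitly.
  # A private chain is used so reloads replace the rules instead of appending duplicates.
  networking.firewall.extraCommands = ''
    ip6tables -w -N nixos-fwd 2>/dev/null || true
    ip6tables -w -F nixos-fwd
    ip6tables -w -A nixos-fwd -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ip6tables -w -A nixos-fwd -i enp2s0 -j ACCEPT
    ip6tables -w -A nixos-fwd -i enp1s0 -j DROP
    ip6tables -w -D FORWARD -j nixos-fwd 2>/dev/null || true
    ip6tables -w -A FORWARD -j nixos-fwd
  '';
  networking.firewall.extraStopCommands = ''
    ip6tables -w -D FORWARD -j nixos-fwd 2>/dev/null || true
  '';
  # … unchanged: dnsmasq/dhcpd4/radvd …
  networking.firewall.interfaces.enp2s0.allowedUDPPorts = [ 53 ];
  networking.firewall.interfaces.enp2s0.allowedTCPPorts = [ 53 ];
```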
@@ -1,25 +0,0 @@ -{ lib, config, pkgs, ... }: - -{ - imports = - [ - - ]; - - system.stateVersion = "17.09"; - - nix = { - binaryCaches = [ - "https://cache.nixos.org" - "https://disciplina.cachix.org" - ]; - trustedUsers = [ "root" "lars" ]; - }; - users.users.lars = { - isNormalUser = true; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBze0fBV/Fpz9bz1WKkbPlj8h526ZfduOcQVlA+7j0+yzlT+jX6nLNjXNmIi6JZoERj8lG4/avkagldj+wwqWrKM2xOMgIUx34i+br5+U4Y7DedljfPV9k8eE55SI4BjfO697V7BhHP4eooRUjNVmqSmRAld06hJzMj7irGWHK+RPrK0M1BvGgSV5pL50jzQGd2unxvNuxSk1rWBNfNEGt6ok0G8/ud0Gw5QbcYWzbbnKBB8JsgBct22txtcgVbRyqftD+vpFl0Oyq4tiQbSHqa8qpFyV/wTf4Cs1Zz7WrqH+2xfx+oUsCOfMKuvCI8FKtriAWEmfOM42bBi50v2kj" - ]; - }; - boot.kernelPackages = pkgs.linuxPackages_4_19; -} diff --git a/physical/hp8570w.nix b/physical/hp8570w.nix deleted file mode 100644 index 08534a3..0000000 --- a/physical/hp8570w.nix +++ /dev/null 
@@ -1,63 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - imports = [ - - - ./hp8570w/powerdown.nix - ]; - - hardware.yorick = { cpu = "intel"; gpu = "nvidia"; }; - - boot = { - loader.grub = { - enable = true; - device = "/dev/sda"; - }; - kernelPackages = pkgs.linuxPackages_latest; - }; - - # this makes sure my wifi doesn't take a minute to work - services.udev.extraRules = '' - SUBSYSTEM=="firmware", ACTION=="add", ATTR{loading}="-1" - ''; - - boot.initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usbhid" "usb_storage" ]; - boot.initrd.luks.devices = [ { - name = "nix-root-enc"; - device = "/dev/sdb2"; - allowDiscards = true; - }]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/a21dd1ae-b1ef-47d2-854e-4f561f0bfb4c"; - fsType = "btrfs"; - options = ["defaults" "relatime" "discard"]; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/8a141d3a-4a7f-4ece-9881-b958649e956d"; - fsType = "ext2"; - }; - - - - swapDevices = [ ]; - - nix.maxJobs = 8; - - #services.tcsd.enable = true; # it has a TPM. maybe use this? - #environment.systemPackages = with pkgs; [tpm-tools]; - services.xserver.libinput.enable = true; - - networking.wireless.enable = true; - hardware.bluetooth.enable = true; - # gotta go faster - networking.dhcpcd.extraConfig = '' - noarp - ''; - services.thermald.enable = true; - boot.kernelModules = ["nvidiabl"]; - services.xserver.videoDrivers = ["nvidia"]; - boot.extraModulePackages = [config.boot.kernelPackages.nvidiabl]; -} diff --git a/physical/hp8570w/powerdown.nix b/physical/hp8570w/powerdown.nix deleted file mode 100644 index d49d35b..0000000 --- a/physical/hp8570w/powerdown.nix +++ /dev/null 
@@ -1,21 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - pd = pkgs.callPackage ./powerdown {}; - powersw = "${pd}/bin/powerswitch"; -in -{ - - # the scripts are pretty heavily modified. - # from https://github.com/march-linux/powerdown - services.udev.extraRules = '' - SUBSYSTEM=="power_supply", ATTR{online}=="0", RUN+="${powersw}" - SUBSYSTEM=="power_supply", ATTR{online}=="1", RUN+="${powersw}" - ''; - - powerManagement.powerUpCommands = '' - sleep 4s - ${powersw}/bin/powerswitch - ''; - -} diff --git a/physical/hp8570w/powerdown/Makefile b/physical/hp8570w/powerdown/Makefile deleted file mode 100755 index fde6036..0000000 --- a/physical/hp8570w/powerdown/Makefile +++ /dev/null @@ -1,6 +0,0 @@ -install: - install -m 644 -D powerdown-functions $(DESTDIR)/lib/powerdown-functions - install -D powerdown $(DESTDIR)/bin/powerdown - install -D powerup $(DESTDIR)/bin/powerup - install -D powernow $(DESTDIR)/bin/powernow - install -D powerswitch $(DESTDIR)/bin/powerswitch diff --git a/physical/hp8570w/powerdown/default.nix b/physical/hp8570w/powerdown/default.nix deleted file mode 100644 index 9e68d03..0000000 --- a/physical/hp8570w/powerdown/default.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ pkgs ? import {} }: -let - inherit (pkgs) stdenv makeWrapper lib; - powerswpackages = with pkgs; [ hdparm iw gawk kmod ]; - powerswpath = lib.makeBinPath powerswpackages; -in -stdenv.mkDerivation rec { - name = "powerdown"; - src = ./.; - buildPhase = "true"; - nativeBuildInputs = [ makeWrapper ]; - makeFlags = "DESTDIR=$(out)"; - postInstall = '' - wrapProgram $out/bin/powerup --prefix PATH : ${powerswpath} - wrapProgram $out/bin/powerdown --prefix PATH : ${powerswpath} - wrapProgram $out/bin/powernow --prefix PATH : ${powerswpath} - wrapProgram $out/bin/powerswitch --prefix PATH : ${powerswpath} - ''; -} diff --git a/physical/hp8570w/powerdown/license.txt b/physical/hp8570w/powerdown/license.txt deleted file mode 100644 index d159169..0000000 
--- a/physical/hp8570w/powerdown/license.txt +++ /dev/null 
@@ -1,339 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Lesser General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
- -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. 
If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. 
- - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Lesser General -Public License instead of this License. 
diff --git a/physical/hp8570w/powerdown/powerdown b/physical/hp8570w/powerdown/powerdown deleted file mode 100755 index c024a5b..0000000 --- a/physical/hp8570w/powerdown/powerdown +++ /dev/null @@ -1,55 +0,0 @@ -#!/usr/bin/env bash -# powerdown - powersave script -# please use this with xset dpms, hdparm - -if [[ $EUID != 0 ]]; then - echo "[powerdown] must be run as root" - exit 1 -fi - -source $( dirname "${BASH_SOURCE[0]}" )/../lib/powerdown-functions -lock - -# bus -for i in /sys/bus/*/devices/*/power/control; do opt "$i" auto; done - -# usb autosuspend -for i in /sys/bus/usb/devices/*/power/autosuspend; do opt "$i" 10; done -usb_powersave - -# nmi_watchdog -opt /proc/sys/kernel/nmi_watchdog 0 - -# cpu -for i in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do opt "$i" powersave; done -#load_mod msr - -# kernel write mode -opt /proc/sys/vm/laptop_mode 5 -opt /proc/sys/vm/dirty_ratio 90 -opt /proc/sys/vm/dirty_background_ratio 1 -opt /proc/sys/vm/dirty_expire_centisecs 60000 -opt /proc/sys/vm/dirty_writeback_centisecs 60000 - -# disk -for i in /sys/class/scsi_host/host*/link_power_management_policy; do opt "$i" min_power; done -hdparm -y /dev/sda -#for dev in $(awk '/^\/dev\/sd/ {print $1}' /etc/mtab); do run blockdev --setra 4096 "$dev"; done - -# sound card -opt /sys/module/snd_hda_intel/parameters/power_save 1 -opt /sys/module/snd_hda_intel/parameters/power_save_controller Y - -# net -for i in $(iw dev | awk '$1 == "Interface" { print $2 }'); do run iw dev "$i" set power_save on; done - -# screen -for i in /sys/class/backlight/*; do opt "$i/brightness" "$(num_scale "$i/max_brightness" 1)"; done - -# webcam -#unload_mod_recursive videodev - -# bluetooth -#unload_mod_recursive bluetooth - -exit 0 diff --git a/physical/hp8570w/powerdown/powerdown-functions b/physical/hp8570w/powerdown/powerdown-functions deleted file mode 100755 index ff7e40a..0000000 --- a/physical/hp8570w/powerdown/powerdown-functions +++ /dev/null 
@@ -1,154 +0,0 @@ -#!/usr/bin/env bash -# powerdown-functions - -shopt -s nullglob extglob - -# turn on kernel options -opt() { - [[ -f "$1" ]] || return - [[ -w "$1" ]] && echo "$2" | tee "$1" &>/dev/null || echo "[powerdown] cannot write $2 to $1" -} - -# unload kernel module -unload_mod() { - has_mod "$1" || return - modprobe -r "$1" || echo "[powerdown] cannot unload module $1" -} - -unload_mod_recursive() { - local dep - for dep in $(lsmod | awk -v mod="$1" '$1==mod {gsub(",", " ", $4); print $4}'); do - unload_mod_recursive "$dep" - done - unload_mod "$1" -} - -# load kernel module -load_mod() { - has_mod "$1" || return - modprobe "$1" || echo "[powerdown] cannot load module $1" -} - -# module exists -has_mod() { - modprobe -nq "$1" -} - -# module loaded -mod_loaded() { - grep -qs "^$1 " /proc/modules -} - -# brightness scale 0 to 5 -# $1 = max file -# $2 = value -num_scale() { - echo $(($(< "$1") / 5 * $2)) -} - -# command -run() { - "$@" &> /dev/null || echo "[powerdown] cannot run $@" -} - -has_bat() { - local bat - for bat in /sys/class/power_supply/BAT*; do - return 0 - done - return 1 -} - -# get current power usage -display_power() { - if ! 
has_bat; then - echo "[powerdown] no battery" - return - fi - local bat - for bat in /sys/class/power_supply/BAT*; do - local watt - if [[ -f "$bat/power_now" ]]; then - watt="$(bc <<< "scale=3; $(< "$bat/power_now") / 1000000")" - else - watt="$(bc <<< "scale=3; $(< "$bat/current_now") * $(< "$bat/voltage_now") / 1000000000000")" - fi - echo "[powerdown] $(basename "$bat") using $watt watts" - done -} - -# get readahead -display_readahead() { - echo "- $1 readahead: $(blockdev --getra "$1")" -} - -# dump kernel option content -dump () { - [[ -r "$1" ]] || return - echo "- $1: $(< "$1")" -} - -display_module() { - has_mod "$1" || return - echo -n "- $1 " - mod_loaded "$1" && echo "loaded" || echo "not loaded" -} - -display_wireless() { - echo "- $1 $(iw dev "$1" get power_save)" -} - -hibernate_offset() { - filefrag -v /hibernate | awk 'NR==4 {print $4}' | tr -d . -} - -root_part() { - df / | awk 'NR==2 {print $1}' -} - -has_swap_part () { - grep -qs swap /etc/fstab -} - -can_suspend_to_disk () { - [[ -f /hibernate ]] || has_swap_part -} - -swap_part() { - awk '$3=="swap" {print $1; exit}' /etc/fstab -} - -resume_boot_option() { - if [[ -f /hibernate ]]; then - echo "resume=$(root_part) resume_offset=$(hibernate_offset)" - elif has_swap_part; then - echo "resume=$(swap_part)" - fi -} - -# lock the file until the script finishes -lock() { - local LOCK=/tmp/powerdown.lock - if ! mkdir "$LOCK" 2> /dev/null; then - echo "Working... $LOCK" - exit - fi - trap "rm -rf $LOCK" EXIT -} - -# $1 = device path -is_usb_hid() { - local subdev - for subdev in $1/*:*; do - # USB_DEVICE_CLASS 3 = HID - [[ "$(< "$subdev/bInterfaceClass")" == 03 ]] && return 0 - done - return 1 -} - -usb_powersave() { - local usbdev - for usbdev in /sys/bus/usb/devices/+([^:]); do - is_usb_hid "$usbdev" && opt "$usbdev/power/control" on || opt "$usbdev/power/control" auto - done -} 
diff --git a/physical/hp8570w/powerdown/powernow b/physical/hp8570w/powerdown/powernow deleted file mode 100755 index 3902444..0000000 --- a/physical/hp8570w/powerdown/powernow +++ /dev/null @@ -1,57 +0,0 @@ -#!/usr/bin/env bash -# powerdown - get energy usagei - -if [[ $EUID != 0 ]]; then - echo "[powerdown] must be run as root" - exit 1 -fi - -source $( dirname "${BASH_SOURCE[0]}" )/../lib/powerdown-functions - -lock -display_power -echo - -# nmi_watchdog -dump /proc/sys/kernel/nmi_watchdog - -# cpu -for i in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do dump "$i"; done - -# aspm -dump /sys/module/pcie_aspm/parameters/policy - -# kernel write mode -dump /proc/sys/vm/laptop_mode -dump /proc/sys/vm/dirty_ratio -dump /proc/sys/vm/dirty_background_ratio -dump /proc/sys/vm/dirty_expire_centisecs -dump /proc/sys/vm/dirty_writeback_centisecs - - -# disk -for dev in $(awk '/^\/dev\/sd/ {print $1}' /etc/mtab); do display_readahead "$dev"; done -for i in /sys/class/scsi_host/host*/link_power_management_policy; do dump "$i"; done - -# sound card -dump /sys/module/snd_hda_intel/parameters/power_save -dump /sys/module/snd_hda_intel/parameters/power_save_controller -dump /sys/module/snd_ac97_codec/parameters/power_save - -# net -for i in $(iw dev | awk '$1 == "Interface" { print $2 }'); do display_wireless "$i"; done - -# screen -for i in /sys/class/backlight/*; do dump "$i/brightness"; done - -# webcam -display_module videodev - -# bluetooth -display_module bluetooth - -# i915 -dump /sys/module/i915/parameters/i915_enable_rc6 -dump /sys/module/i915/parameters/lvds_downclock -dump /sys/module/i915/parameters/i915_enable_fbc -for i in /sys/kernel/debug/dri/*/i915_max_freq; do dump "$i"; done diff --git a/physical/hp8570w/powerdown/powerswitch b/physical/hp8570w/powerdown/powerswitch deleted file mode 100755 index c4c63db..0000000 --- a/physical/hp8570w/powerdown/powerswitch +++ /dev/null 
@@ -1,7 +0,0 @@ -#!/usr/bin/env bash -if [ `cat /sys/class/power_supply/AC/online` -eq 1 ] -then - $( dirname "${BASH_SOURCE[0]}" )/powerup -else - $( dirname "${BASH_SOURCE[0]}" )/powerdown -fi diff --git a/physical/hp8570w/powerdown/powerup b/physical/hp8570w/powerdown/powerup deleted file mode 100755 index 155394d..0000000 --- a/physical/hp8570w/powerdown/powerup +++ /dev/null @@ -1,57 +0,0 @@ -#!/usr/bin/env bash -# powerdown - powerup -# - -if [[ $EUID != 0 ]]; then - echo "[powerdown] must be run as root" - exit 1 -fi - -source $( dirname "${BASH_SOURCE[0]}" )/../lib/powerdown-functions -lock - -# bus -for i in /sys/bus/*/devices/*/power/control; do opt "$i" on; done - -# usb autosuspend -for i in /sys/bus/usb/devices/*/power/autosuspend; do opt "$i" 600; done -for i in /sys/bus/usb/devices/*/power/control; do opt "$i" on; done - -# nmi_watchdog -opt /proc/sys/kernel/nmi_watchdog 1 - -# cpu -for i in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do opt "$i" performance; done - - -# kernel write mode -opt /proc/sys/vm/laptop_mode 0 -opt /proc/sys/vm/dirty_ratio 20 -opt /proc/sys/vm/dirty_background_ratio 10 -opt /proc/sys/vm/dirty_expire_centisecs 3000 -opt /proc/sys/vm/dirty_writeback_centisecs 500 - -# disk -for i in /sys/class/scsi_host/host*/link_power_management_policy; do opt "$i" medium_power; done -hdparm -y /dev/sda - -# sound card -opt /sys/module/snd_hda_intel/parameters/power_save 0 -opt /sys/module/snd_hda_intel/parameters/power_save_controller Y - -# net -for i in $(iw dev | awk '$1 == "Interface" { print $2 }'); do run iw dev "$i" set power_save off; done - -# screen -for i in /sys/class/backlight/*; do opt "$i/brightness" "$(num_scale "$i/max_brightness" 5 )"; done - -# webcam -load_mod videodev - -# bluetooth -load_mod bluetooth - - -# i915 -#opt /sys/module/i915/parameters/i915_enable_rc6 0 -exit 0 From d7d44d71a82a95ce66f98be3d740f85cec57d445 Mon Sep 17 00:00:00 2001 
From: Yorick van Pelt Date: Sat, 2 Jan 2021 20:28:51 +0100 Subject: [PATCH 135/172] blackadder: switch to encrypted zfs home --- physical/3950x-hardware-config.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/physical/3950x-hardware-config.nix b/physical/3950x-hardware-config.nix index 0b89336..0c04697 100644 --- a/physical/3950x-hardware-config.nix +++ b/physical/3950x-hardware-config.nix @@ -19,7 +19,7 @@ }; fileSystems."/home" = - { device = "rpool/home"; + { device = "rpool/home-enc"; fsType = "zfs"; }; From 8d7f0e5eda2bbc7281f4a31fef877c58cacebe86 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 2 Jan 2021 20:35:00 +0100 Subject: [PATCH 136/172] bump nixpkgs to unstable --- nix/sources.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/nix/sources.json b/nix/sources.json index 3ce9739..57edd2e 100644 --- a/nix/sources.json +++ b/nix/sources.json 
@@ -17,22 +17,22 @@ "homepage": "", "owner": "nixos", "repo": "nixos-hardware", - "rev": "89c4ddb0e60e5a643ab15f68b2f4ded43134f492", - "sha256": "1a0mplnj0zx33f4lm7kwg6z6iwgdkg2pxy58plkj6w59ibfl2l27", + "rev": "c242378e63b0ec334e964ac0c0fbbdd2b3e89ebf", + "sha256": "1z4cr5gsyfdpcy31vqg4ikalbxmnnac6jjk1nl8mxj0h0ix7pp36", "type": "tarball", - "url": "https://github.com/nixos/nixos-hardware/archive/89c4ddb0e60e5a643ab15f68b2f4ded43134f492.tar.gz", + "url": "https://github.com/nixos/nixos-hardware/archive/c242378e63b0ec334e964ac0c0fbbdd2b3e89ebf.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { - "branch": "nixos-19.03", + "branch": "nixos-unstable", "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to", "homepage": "https://github.com/NixOS/nixpkgs", "owner": "NixOS", - "repo": "nixpkgs-channels", - "rev": "c8db7a8a16ee9d54103cade6e766509e1d1c8d7b", - "sha256": "1b3h4mwpi10blzpvgsc0191k4shaw3nw0qd2p82hygbr8vv4g9dv", + "repo": "nixpkgs", + "rev": "733e537a8ad76fd355b6f501127f7d0eb8861775", + "sha256": "1rjvbycd8dkkflal8qysi9d571xmgqq46py3nx0wvbzwbkvzf7aw", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs-channels/archive/c8db7a8a16ee9d54103cade6e766509e1d1c8d7b.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/733e537a8ad76fd355b6f501127f7d0eb8861775.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } From 4485c8ce8b91e984a743bf6662b116e7e7517d5e Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 2 Jan 2021 20:35:06 +0100 Subject: [PATCH 137/172] update niv --- nix/sources.nix | 169 +++++++++++++++++++++++++++++------------------- 1 file changed, 102 insertions(+), 67 deletions(-) diff --git a/nix/sources.nix b/nix/sources.nix index 718ea6f..b796fff 100644 --- a/nix/sources.nix +++ b/nix/sources.nix 
@@ -6,83 +6,100 @@ let # The fetchers. fetch_ fetches specs of type . # - fetch_file = pkgs: spec: - if spec.builtin or true then - builtins_fetchurl { inherit (spec) url sha256; } - else - pkgs.fetchurl { inherit (spec) url sha256; }; + fetch_file = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchurl { inherit (spec) url sha256; name = name'; } + else + pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; - fetch_tarball = pkgs: spec: - if spec.builtin or true then - builtins_fetchTarball { inherit (spec) url sha256; } - else - pkgs.fetchzip { inherit (spec) url sha256; }; + fetch_tarball = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchTarball { name = name'; inherit (spec) url sha256; } + else + pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; - fetch_git = spec: - builtins.fetchGit { url = spec.repo; inherit (spec) rev ref; }; + fetch_git = name: spec: + let + ref = + if spec ? ref then spec.ref else + if spec ? branch then "refs/heads/${spec.branch}" else + if spec ? tag then "refs/tags/${spec.tag}" else + abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + in + builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; - fetch_builtin-tarball = spec: - builtins.trace - '' - WARNING: - The niv type "builtin-tarball" will soon be deprecated. You should - instead use `builtin = true`. + fetch_local = spec: spec.path; - $ niv modify -a type=tarball -a builtin=true - '' - builtins_fetchTarball { inherit (spec) url sha256; }; + fetch_builtin-tarball = name: throw + ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=tarball -a builtin=true''; - fetch_builtin-url = spec: - builtins.trace - '' - WARNING: - The niv type "builtin-url" will soon be deprecated. You should - instead use `builtin = true`. 
- - $ niv modify -a type=file -a builtin=true - '' - (builtins_fetchurl { inherit (spec) url sha256; }); + fetch_builtin-url = name: throw + ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=file -a builtin=true''; # # Various helpers # + # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 + sanitizeName = name: + ( + concatMapStrings (s: if builtins.isList s then "-" else s) + ( + builtins.split "[^[:alnum:]+._?=-]+" + ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name) + ) + ); + # The set of packages used when specs are fetched using non-builtins. - mkPkgs = sources: - if hasNixpkgsPath - then - if hasThisAsNixpkgsPath - then import (builtins_fetchTarball { inherit (mkNixpkgs sources) url sha256; }) {} - else import {} - else - import (builtins_fetchTarball { inherit (mkNixpkgs sources) url sha256; }) {}; - - mkNixpkgs = sources: - if builtins.hasAttr "nixpkgs" sources - then sources.nixpkgs - else abort - '' - Please specify either (through -I or NIX_PATH=nixpkgs=...) or - add a package called "nixpkgs" to your sources.json. - ''; - - hasNixpkgsPath = (builtins.tryEval ).success; - hasThisAsNixpkgsPath = - (builtins.tryEval ).success && == ./.; + mkPkgs = sources: system: + let + sourcesNixpkgs = + import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; }; + hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; + hasThisAsNixpkgsPath = == ./.; + in + if builtins.hasAttr "nixpkgs" sources + then sourcesNixpkgs + else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then + import {} + else + abort + '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; # The actual fetching function. fetch = pkgs: name: spec: if ! 
builtins.hasAttr "type" spec then abort "ERROR: niv spec ${name} does not have a 'type' attribute" - else if spec.type == "file" then fetch_file pkgs spec - else if spec.type == "tarball" then fetch_tarball pkgs spec - else if spec.type == "git" then fetch_git spec - else if spec.type == "builtin-tarball" then fetch_builtin-tarball spec - else if spec.type == "builtin-url" then fetch_builtin-url spec + else if spec.type == "file" then fetch_file pkgs name spec + else if spec.type == "tarball" then fetch_tarball pkgs name spec + else if spec.type == "git" then fetch_git name spec + else if spec.type == "local" then fetch_local spec + else if spec.type == "builtin-tarball" then fetch_builtin-tarball name + else if spec.type == "builtin-url" then fetch_builtin-url name else abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; + # If the environment variable NIV_OVERRIDE_${name} is set, then use + # the path directly as opposed to the fetched source. + replace = name: drv: + let + saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; + ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; + in + if ersatz == "" then drv else ersatz; + # Ports of functions for older nix versions # a Nix version of mapAttrs if the built-in doesn't exist 
@@ -91,23 +108,37 @@ let listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)) ); + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 + range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 + stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 + stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); + concatMapStrings = f: list: concatStrings (map f list); + concatStrings = builtins.concatStringsSep ""; + + # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 + optionalAttrs = cond: as: if cond then as else {}; + # fetchTarball version that is compatible between all the versions of Nix - builtins_fetchTarball = { url, sha256 }@attrs: + builtins_fetchTarball = { url, name ? null, sha256 }@attrs: let inherit (builtins) lessThan nixVersion fetchTarball; in if lessThan nixVersion "1.12" then - fetchTarball { inherit url; } + fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) else fetchTarball attrs; # fetchurl version that is compatible between all the versions of Nix - builtins_fetchurl = { url, sha256 }@attrs: + builtins_fetchurl = { url, name ? null, sha256 }@attrs: let inherit (builtins) lessThan nixVersion fetchurl; in if lessThan nixVersion "1.12" then - fetchurl { inherit url; } + fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) else fetchurl attrs; 
@@ -119,18 +150,22 @@ let then abort "The values in sources.json should not have an 'outPath' attribute" else - spec // { outPath = fetch config.pkgs name spec; } + spec // { outPath = replace name (fetch config.pkgs name spec); } ) config.sources; # The "config" used by the fetchers mkConfig = - { sourcesFile ? ./sources.json + { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null + , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile) + , system ? builtins.currentSystem + , pkgs ? mkPkgs sources system }: rec { # The sources, i.e. the attribute set of spec name to spec - sources = builtins.fromJSON (builtins.readFile sourcesFile); + inherit sources; + # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers - pkgs = mkPkgs sources; + inherit pkgs; }; + in -mkSources (mkConfig {}) // - { __functor = _: settings: mkSources (mkConfig settings); } +mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); } From a3fce39c2a09ed2909e3d415d439a8a4157984a6 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 2 Jan 2021 20:36:47 +0100 Subject: [PATCH 138/172] servers: all with unstable --- servers.nix | 30 ++++++++---------------------- 1 file changed, 8 insertions(+), 22 deletions(-) diff --git a/servers.nix b/servers.nix index a1e7ddc..7dd2986 100644 --- a/servers.nix +++ b/servers.nix 
@@ -1,24 +1,10 @@ let - lib = import ; - n = url: conf: let - c = import "${url}/nixos/lib/eval-config.nix" { - modules = [ ./roles conf ]; - extraArgs.name = lib.removeSuffix ".nix" (builtins.baseNameOf conf); - extraArgs.nixpkgs = url; - }; - in c.config.system.build // c; - git = n "https://github.com/NixOS/nixpkgs/archive/master.tar.gz"; - stable = n (builtins.fetchTarball "channel:nixos-20.03"); - unstable = n (builtins.fetchTarball "channel:nixos-unstable-small"); - checkout = n ../projects/nixpkgs; - channel = n "/nix/var/nix/profiles/per-user/root/channels/nixos"; + sources = import ./nix/sources.nix; + nixpkgs = import sources.nixpkgs {}; + nixos = name: configuration: import (nixpkgs.path + "/nixos/lib/eval-config.nix") { + extraArgs = { inherit name; }; + modules = [ ({lib, ... }: { config.nixpkgs.pkgs = lib.mkDefault nixpkgs; }) ] ++ configuration; + }; + names = [ "pennyworth" "jarvis" "blackadder" "woodhouse" "frumar" "zazu" ]; in -{ - pennyworth = (unstable ./logical/pennyworth.nix).toplevel; - jarvis = (channel ./logical/jarvis.nix).toplevel; - blackadder = (channel ./logical/blackadder.nix).toplevel; - ascanius = (channel ./logical/ascanius.nix).toplevel; - woodhouse = (channel ./logical/woodhouse.nix).toplevel; # 192.168.178.39 - frumar = (channel ./logical/frumar.nix).toplevel; # frumar.local - zazu = (stable ./logical/zazu.nix).toplevel; -} +nixpkgs.lib.genAttrs names (name: (nixos name [ ./roles (./logical + "/${name}.nix") ]).config.system.build.toplevel) From db0d7bdae28d69dd0a1c568d60691c3c2d9e6610 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 2 Jan 2021 20:39:48 +0100 Subject: [PATCH 139/172] fix nixpkgs bump issues --- logical/frumar.nix | 2 +- roles/default.nix | 3 ++- roles/graphical.nix | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/logical/frumar.nix b/logical/frumar.nix index 1618dca..f18cbce 100644 --- a/logical/frumar.nix +++ b/logical/frumar.nix 
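Review bot: The new `names` list drops `ascanius`, which the removed attribute set still built from `./logical/ascanius.nix`, while the commit message only covers moving every host to unstable. If the host is retired, say so in the message (and remove `logical/ascanius.nix` with it); otherwise add `"ascanius"` back to `names`. The rewrite also stops passing `extraArgs.nixpkgs`, so any module under `./roles` or `./logical` that still takes a `nixpkgs` argument will fail to evaluate — a quick grep before deploying would confirm this is safe.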
@@ -34,7 +34,7 @@ "--web.enable-admin-api" ]; # victoriametrics - extraConfig.remote_write = [ { url = "http://127.0.0.1:8428/api/v1/write"; } ]; + remoteWrite = [ { url = "http://127.0.0.1:8428/api/v1/write"; } ]; scrapeConfigs = [ { job_name = "smartmeter"; # prometheus doesn't support mdns :thinking_face: diff --git a/roles/default.nix b/roles/default.nix index b16bd5d..292cd6b 100644 --- a/roles/default.nix +++ b/roles/default.nix @@ -12,7 +12,8 @@ in ../deploy/keys.nix ../services ]; - networking.hostName = secrets.hostnames.${machine}; + networking.domain = "yori.cc"; + networking.hostName = machine; time.timeZone = "Europe/Amsterdam"; users.mutableUsers = false; users.users.root = { diff --git a/roles/graphical.nix b/roles/graphical.nix index c7ab4a4..86e30b6 100644 --- a/roles/graphical.nix +++ b/roles/graphical.nix @@ -24,7 +24,7 @@ in { config, lib, pkgs, ... }: { ''; fonts = { - enableFontDir = true; + fontDir.enable = true; enableGhostscriptFonts = true; fonts = with pkgs; [ corefonts # Micrsoft free fonts From 2554711cc894b58391032f9151d2226ab98e9bfb Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 2 Jan 2021 20:40:13 +0100 Subject: [PATCH 140/172] yori-nix: replace with relative paths --- logical/woodhouse.nix | 4 ++-- physical/nuc.nix | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/logical/woodhouse.nix b/logical/woodhouse.nix index 262ecee..8a1f161 100644 --- a/logical/woodhouse.nix +++ b/logical/woodhouse.nix @@ -14,8 +14,8 @@ mkFuseMount = device: opts: { in { imports = [ - - + ../physical/nuc.nix + ../roles/graphical.nix # ]; diff --git a/physical/nuc.nix b/physical/nuc.nix index afa1c7b..fc17680 100644 --- a/physical/nuc.nix +++ b/physical/nuc.nix @@ -5,7 +5,7 @@ in imports = [ - + ./. "${sources.nixos-hardware}/common/cpu/intel" ]; boot.loader.systemd-boot.enable = true; From 86e5433e94603902e8df584e271c9e85e244b5e3 Mon Sep 17 00:00:00 2001 
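Review bot: In the `roles/default.nix` hunk, `networking.hostName = machine;` replaces the lookup through `secrets.hostnames.${machine}`, so if `secrets` in the `let` above this hunk was only used here it is now a dead binding and should be dropped too. The hostnames were previously kept out of the plain-text tree (presumably in the binary `secrets.nix`), and this makes the `machine` identifier the hostname seen on the wire (DHCP, mDNS, logs), which the title `fix nixpkgs bump issues` does not mention — a one-line note on why the indirection is no longer wanted would help the next reader. The enclosing module's `let`/`in` header is outside the hunk.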
From: Yorick van Pelt Date: Sat, 2 Jan 2021 20:48:45 +0100 Subject: [PATCH 141/172] server.nix: noXlibs workaround --- roles/server.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/server.nix b/roles/server.nix index 7d6dc17..c9eef60 100644 --- a/roles/server.nix +++ b/roles/server.nix @@ -7,5 +7,10 @@ environment.noXlibs = true; networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers - + # TODO: upstream with noXlibs + # https://github.com/NixOS/nixpkgs/pull/107394 + nixpkgs.overlays = [ (self: super: { + elixir_1_8 = (self.beam.packagesWith (self.beam.interpreters.erlang_nox)).elixir_1_8; + erlang = super.erlang_nox; + }) ]; } From 50377b5cb5cd8f52112684c4359b1479f96e0e24 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 2 Jan 2021 20:49:28 +0100 Subject: [PATCH 142/172] workstation: fix themes, add dymo cups driver --- roles/workstation.nix | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/roles/workstation.nix b/roles/workstation.nix index 875952a..6a65274 100644 --- a/roles/workstation.nix +++ b/roles/workstation.nix @@ -18,15 +18,18 @@ in users.extraUsers.yorick.extraGroups = [ "input" "wireshark" "dialout" ]; services.printing = { enable = true; - drivers = [ pkgs.gutenprint ]; + drivers = [ pkgs.gutenprint pkgs.cups-dymo ]; }; environment.systemPackages = with pkgs; [ - pkgs.ghostscript pkgs.yubikey-manager + pkgs.ghostscript pkgs.yubikey-manager pkgs.glib ]; + environment.sessionVariables.XDG_DATA_DIRS = with pkgs; [ + "${gnome-themes-extra}/share" + "${gsettings-desktop-schemas}/share/gsettings-schemas/${gsettings-desktop-schemas.name}" + ]; + programs.dconf.enable = true; virtualisation.virtualbox.host.enable = false; yorick.support32bit = true; - # yubikey - hardware.u2f.enable = true; services.pcscd.enable = true; #environment.systemPackages = [pkgs.yubikey-manager]; fonts.fonts = [ pkgs.emojione ]; 
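Review bot: The `roles/workstation.nix` hunk silently removes `hardware.u2f.enable = true;` together with its `# yubikey` comment, while the title only covers themes and the Dymo driver. If this is because the option no longer exists on the new nixpkgs, the message should say so and state where U2F/FIDO device access for the YubiKey now comes from (presumably udev rules shipped elsewhere in the system, but that is not visible here); if it was an accidental drop, restore it. The stale `#environment.systemPackages = [pkgs.yubikey-manager];` line, redundant with the `pkgs.yubikey-manager` entry above it, could go in the same cleanup.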
From 55a85024bc2a52743fe7a071ba17dacee41719e9 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 2 Jan 2021 20:50:12 +0100 Subject: [PATCH 143/172] blackadder: pin linux 5.9, enable bluetooth --- physical/3950x.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/physical/3950x.nix b/physical/3950x.nix index e44e2c4..31ab934 100644 --- a/physical/3950x.nix +++ b/physical/3950x.nix @@ -12,10 +12,11 @@ in boot.loader.efi.canTouchEfiVariables = true; boot.supportedFilesystems = [ "zfs" ]; boot.kernelModules = [ "nct6775" ]; - boot.kernelPackages = pkgs.linuxPackages_latest; + boot.kernelPackages = pkgs.linuxPackages_5_9; networking.hostId = "c7736638"; services.zfs.autoScrub.enable = true; services.zfs.trim.enable = true; + hardware.bluetooth.enable = true; networking.useDHCP = false; networking.interfaces.enp9s0.useDHCP = true; From b2cd4dbac431cfeb818187a78d8182e31690196e Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 2 Jan 2021 20:51:28 +0100 Subject: [PATCH 144/172] xps9360: power tweaks --- physical/xps9360.nix | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/physical/xps9360.nix b/physical/xps9360.nix index ad527c8..5b80c09 100644 --- a/physical/xps9360.nix +++ b/physical/xps9360.nix @@ -18,15 +18,16 @@ in services.undervolt = rec { enable = true; - coreOffset = "-50"; - gpuOffset = "-50"; - uncoreOffset = "-50"; - analogioOffset = "-50"; + coreOffset = -50; + gpuOffset = -50; + uncoreOffset = -50; + analogioOffset = -50; }; - services.tlp.extraConfig = '' - CPU_SCALING_GOVERNOR_ON_AC=performance - CPU_SCALING_GOVERNOR_ON_BAT=powersave - ''; + services.tlp.settings = { + "CPU_SCALING_GOVERNOR_ON_AC" = "performance"; + "CPU_SCALING_GOVERNOR_ON_BAT" = "powersave"; + }; + services.logind.lidSwitch = "ignore"; services.xserver.libinput.enable = true; 
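Review bot: `boot.kernelPackages = pkgs.linuxPackages_5_9;` pins a non-LTS kernel with no comment on why `linuxPackages_latest` had to go; the usual reason on a ZFS host (`boot.supportedFilesystems = [ "zfs" ]` is in context) is the ZFS module not yet building against the newest kernel, but that is an inference. A pinned kernel stops receiving fixes once that series is end-of-life, so record the reason and a revisit marker next to the line, e.g. `# TODO: pinned because <reason>; back to linuxPackages_latest once <condition>` (placeholder text). `hardware.bluetooth.enable = true;` is unrelated to the pin and reads better as its own commit or at least its own sentence in the message.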
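Review bot: `services.logind.lidSwitch = "ignore";` is new behaviour that the title `power tweaks` does not call out: closing the lid will no longer suspend the laptop in any situation. If the intent is only to keep running while docked or on mains, logind has the finer-grained `services.logind.lidSwitchDocked` and `services.logind.lidSwitchExternalPower` options, so an undocked, battery-powered machine still suspends when closed. The undervolt and tlp changes are straightforward option-type migrations and look fine.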
@@ -35,6 +36,7 @@ in iwd.enable = true; }; hardware.bluetooth.enable = true; + hardware.enableRedistributableFirmware = true; services.udev.packages = [ pkgs.crda ]; hardware.firmware = [ pkgs.wireless-regdb ]; From d2b068a40db890c8c1e4ba73c5e83521273715c9 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 2 Jan 2021 20:51:41 +0100 Subject: [PATCH 145/172] 3950x: some gpu workarounds, who knows what they do --- physical/3950x.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/physical/3950x.nix b/physical/3950x.nix index 31ab934..f757370 100644 --- a/physical/3950x.nix +++ b/physical/3950x.nix @@ -20,4 +20,5 @@ in networking.useDHCP = false; networking.interfaces.enp9s0.useDHCP = true; + boot.kernelParams = [ "amdgpu.ppfeaturemask=0xffffffff" "amdgpu.noretry=0" "amdgpu.lockup_timeout=1000" "amdgpu.gpu_recovery=1" "amdgpu.audio=0" ]; } From 353fa181e0edd546f3356426f3f3d2917df440a5 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 2 Jan 2021 20:52:03 +0100 Subject: [PATCH 146/172] woodhouse: nscd incompatible with resolved --- logical/woodhouse.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/logical/woodhouse.nix b/logical/woodhouse.nix index 8a1f161..5857d0d 100644 --- a/logical/woodhouse.nix +++ b/logical/woodhouse.nix @@ -47,7 +47,7 @@ in networking.useNetworkd = true; networking.dhcpcd.enable = false; services.resolved.enable = true; - services.nscd.enable = false; + #services.nscd.enable = false; networking.interfaces.eno1.useDHCP = true; networking.useDHCP = false; #services.xserver.enable = lib.mkForce false; From d98b24d612a64a07787a145e067f1f267a64d68b Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 2 Jan 2021 20:52:19 +0100 Subject: [PATCH 147/172] secrets.nix: update --- secrets.nix | Bin 1721 -> 974 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
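Review bot: The new `boot.kernelParams` line sets `amdgpu.ppfeaturemask=0xffffffff` plus four other amdgpu knobs, and the commit message admits nobody knows what they do; that is the wrong state for parameters on a boot line. As I read the driver documentation, `ppfeaturemask` is the PowerPlay feature bitmask and all-ones enables every feature including the overdrive bits that expose manual clock/voltage control through sysfs — more than a stability workaround, and better enabled bit-by-bit once the needed one is identified. Please add a comment above the line naming the symptom each parameter addresses (`gpu_recovery=1` and `lockup_timeout=1000` are the reset-on-hang pieces; `noretry=0` and `audio=0` need their own justification), so they can be dropped when the driver fix lands.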
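Review bot: Commenting out `services.nscd.enable = false;` re-enables nscd but leaves a dead line whose purpose the next reader must reconstruct from history, and the title `nscd incompatible with resolved` reads as the opposite of what is done. Replace the commented line with the reason, e.g. `# keep nscd enabled: NixOS loads NSS modules (including resolved's) through it`, adjusted to whatever the actual failure was, so nobody disables it again.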
diff --git a/secrets.nix b/secrets.nix index e10620bc051e9ac0efd619a7b40a6d5df4cf803f..48bd2d52b804d806658b3221e175ca79461ee7a5 100644 GIT binary patch literal 974 zcmV;<12OynM@dveQdv+`0A>0yIM~nYP9ukm{M8HC4hvCb6x=k$s^O2q#q9P*)cgi% zNGAZG^^wKWkq*lWI2ADjV&i`Oy}0KXT^^dbZwZIYm9xL!G7C~Euu!Z3`i8NnOKpKs zBL3LT>>gP5hg`=>nw;qg<2}ItpGRQb{f`%!Ig?7Qc=$PJl(DnBbm8tfZtuJ$L*xhG znC5uNYXmk{g2))~?jCdk!kFE9;k<4l2*1Aq{COj0V!5r4E=8xsLK(Y;EN2Kv4)DFo zcCzCuBDp&+N6ODR=Ji%No^4rK#Gzx!kAUOY2UzmequeBfevUH z#f#q3NQ&uD3t$-nKX_HRIu9>q^jX1SDSld;wnh`-1on(yz;OKtp>+Woz2 z4FaK7+c;#aVGAvWSk19KVpmZFnuA7-p~j=WgR_MO`k ze_g5#$o%txBkiz!IG1G^b=tnj5h^kda@&I-`AmB1+TSQ{5ElZkk?Oh2BW@dDZV+j< z*rgrHkS`${ET?AHGfQVI8&{%Ud0SE(j}|FPBiSmz`jSBO$HuGx3lO@dKHuQXnZl2L zRXjty%Q~Q+S&@&e!3rN$+|pP6jyTw1o=(ET%{hApIM=5D%!LX5ed3mZpL6xIjZ;y^ z9uH588Y9gFK1d-u!5?p>{_oz>E;iv#tschxN3I<=R2R52TFk?^4Dg^oGjdI_S9Fh> zrrrImDjRwLPH2qJ6rlf~uf1xCSO`3~7M+8U-i|yn8gnMLbK z`XFZg!;ASzjrL)Bd%#o930d51^WS#e7!5spObmA{c{Jt8*DD1E2WjH@qT0S3h*DfD zJiyIb=iA(Ir!L7Zuiy@l3pWTU(rjFyc`^T@OiX1P#4o$ob=>d8)kb%x2KT4*VLc({ z@TFY75SBLUcM)}z2Cn;NQ-z@Kqc>W#NZd~q`63?e=kFk;U|ZJ$HAkk5D6bR(ifl?e wFIgf|cc2~ljrdX<=_j@6xuINKhGf4|#EbY;qAeDeG*Xn>~?%g&(=FQQl zMWr?-63Uf=8-#e~UmG+5A+UZAwrVG}?tuPbYv({C4_kzQ$^Da}4Yc^V&_liSl%B_$ z)0+I^^)Klyb+akSs$fTF*in5FGmyY*ca)p5v8b3i_S!{S#9YHI72i--XKYr$6^X*0 zpJ##S)^M}V&0v@ygr{Pte&$OjS$1lS-${w=Cj2SAFoxdq=F%!QZ`83FBq<>>rirZP zxoZ64E~Zx=6<0{w-ElwfcGJNdlP%`UMjaz-BvKPxyusO}0qqUwe%#MFh*iXKR6aBF z-UJOC_M9K^x|A^LbQqU<5b8gAGBuMAR82I34$k$Uv3E5$*JVThNpr$WJEPW4a$u6aJH>hU1*0PD% zWZok|6`^BLhsh`prO&2$$;}s&6)+O3f)_3dZx>K>3<`@^XJ;dz87`E<@**JGFL7T< zN9Cjsv1mNYM$1~?iLBJcJ~bYPbhOtmy!Kb;ayA)_)OvSltUzI{-F$>Ge1Sg#89ev` z^*0+)@ClfIqnsf$E%_lHgyemIrp0+dueloGG|s)S;l1YuoiDpUs1l>U1+LRZM}BV; z2f$L(HWP)?TT8TC{)Pbfr{Ko?y`u-Pu7JgnMx677N{2->8FS*tMu;nmiKuCwv>ahhnr3*gRkau|aA|}SU`qK)wwql@$ zwIJW;P4yjD&E%t3W$_f`)4_8ZC8@iygfB?4_RDTjJ3s;v>x7A7?83Xq5N5l;Hu*1i_bcbTNJ5v>iq$e^Ri|a$I3Zxb# z8g=2#5~PKVic{xg%1v;o|I)Go@kGE9cKz1fGU}w?_Gn1DNw^_-wuAob8x$OO 
zqzL}&WBVVSuFyf1Ea(ONMp_#mB$QV#eor7Y871n&@Co+fFd-I--*vf(1!_JN$eQH~ z$x^9+c9uP{$=0(7G_-wcN3A3$#*w%~zVwnxL@bmeN*M>v15${tnCA5U%Dn4=iYL6K zhOHH#JOImvW_`*oDW&xEgTF>_0I~J9OBp-HV=gBZvY^=t?_-A)D%ZLeXyCKQ-5vIc ze1{U=6`A|QiA7Hux;r(6E#z3FIhQY}8emyT!5!j7R>aiTM*$qY5G zy+^_0R^%UxP%DuzyhE{LTV|DBUP1%WV3c`3VR_~$LRld_F<}`DbcupcA5y8B5V}j8 zQA7dXvmG1g^v>#v*0G#8kU~+x$o#(3a-hWlsIDGEv(#|^R89oNk&GnoF z9?2yRAXO!qD@Sov!ze7e2o>tHBpy*1wLmrTVNkD2mgguTZ7xy!TK9vpkXK!Zsll58KV3xmC?`b-+nQWEoe P>X&dISOfuyaUE$PQ0+)M From 876df0290d5c8220a2c37d9f63e14c32c40e4381 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 2 Jan 2021 21:06:31 +0100 Subject: [PATCH 148/172] move picoscope+ldac+postgres stuff to workstation --- logical/jarvis.nix | 9 +-------- roles/workstation.nix | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 8 deletions(-) diff --git a/logical/jarvis.nix b/logical/jarvis.nix index 08db58b..adfe4ff 100644 --- a/logical/jarvis.nix +++ b/logical/jarvis.nix @@ -15,16 +15,9 @@ peers = [ { publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI="; endpoint = "wg.lumi.guide:31727"; - allowedIPs = [ "10.96.0.0/12" "10.0.12.0/22" "10.0.1.0/26" ]; + allowedIPs = [ "10.96.0.0/12" "10.0.0.0/17" ]; }]; postSetup = "ip link set dev wg-lumi mtu 1371"; }; }; - - # development - services.postgresql = { - enable = true; - enableTCPIP = true; - package = pkgs.postgresql_10; - }; } diff --git a/roles/workstation.nix b/roles/workstation.nix index 6a65274..b0df440 100644 --- a/roles/workstation.nix +++ b/roles/workstation.nix 
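Review bot: The `allowedIPs` change in `logical/jarvis.nix` replaces `10.0.12.0/22` and `10.0.1.0/26` with `10.0.0.0/17`, routing roughly 32k addresses through the `wg-lumi` tunnel instead of about 1.1k, and the message `move picoscope+ldac+postgres stuff to workstation` does not mention it. Widening the destinations sent over a third-party VPN is a routing decision worth its own commit and a one-line comment on why the wider prefix is needed, e.g. `# whole 10.0.0.0/17 range is reachable over wg-lumi`. Also check that the /17 does not overlap the local LAN of the host importing this file, since WireGuard turns allowedIPs into routes.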
@@ -70,4 +70,27 @@ in
 services.udev.extraRules = ''
 SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5bf0", MODE="0664", GROUP="dialout"
 '';
+
+ # LDAC:
+ hardware.pulseaudio.extraModules = [ pkgs.pulseaudio-modules-bt ];
+
+ # picoscope
+ users.users.yorick.extraGroups = ["pico"];
+ services.udev.packages = [
+ (pkgs.writeTextDir "lib/udev/rules.d/95-pico.rules" ''
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="0ce9", MODE="664",GROUP="pico"
+ '')
+ ];
+ users.groups.pico = {};
+
+ # development
+ services.postgresql = {
+ enable = true;
+ enableTCPIP = true;
+ package = pkgs.postgresql_10;
+ };
+
+
+ # git
+ boot.kernel.sysctl."fs.inotify.max_user_watches" = 1024000000;
 }
From 11a1b894f03abce6fc925014cea1d424a72bf7d6 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 3 Jan 2021 16:39:07 +0100
Subject: [PATCH 149/172] workstation: fix eval
---
 roles/workstation.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/workstation.nix b/roles/workstation.nix
index b0df440..e64f437 100644
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
@@ -65,7 +65,7 @@ in
 nssmdns = true;
 };
 virtualisation.libvirtd.enable = true;
- users.users.yorick.extraGroups = [ "libvirtd" ];
+ users.users.yorick.extraGroups = [ "libvirtd" "pico" ];
 users.users.yorick.shell = pkgs.fish;
 services.udev.extraRules = ''
 SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5bf0", MODE="0664", GROUP="dialout"
@@ -75,7 +75,7 @@ in
 hardware.pulseaudio.extraModules = [ pkgs.pulseaudio-modules-bt ];
 # picoscope
- users.users.yorick.extraGroups = ["pico"];
+ #users.users.yorick.extraGroups = ["pico"];
 services.udev.packages = [
 (pkgs.writeTextDir "lib/udev/rules.d/95-pico.rules" ''
 SUBSYSTEMS=="usb", ATTRS{idVendor}=="0ce9", MODE="664",GROUP="pico"
From f49c665b68b9bc2065832b6e399b990993f89fd1 Mon Sep 17 00:00:00 2001
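Review bot: `enableTCPIP = true;` in the new `services.postgresql` block makes the development server listen on the network rather than only on its Unix socket (per the NixOS option's own description, if I recall it right), on a role that every workstation imports, and nothing else in the hunk restricts the bind address or adds an authentication rule, so the host firewall is the only thing keeping 5432 off the LAN. If the databases are only used locally, drop that line; if TCP really is needed, bind it to loopback and say why under the `# development` comment. `boot.kernel.sysctl."fs.inotify.max_user_watches" = 1024000000;` also deserves a second look: each inotify watch pins kernel memory, so a value this large effectively removes the ceiling and lets a runaway watcher consume RAM before any limit is hit, where a few hundred thousand to a few million is the usual setting for git and editors. The enclosing attribute set starts outside the hunk.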
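Review bot: The duplicate-attribute error is fixed by commenting the second definition out, `#users.users.yorick.extraGroups = ["pico"];`, which leaves dead code directly under the `# picoscope` heading and invites someone to re-enable it and reintroduce the eval failure. Delete the line instead; the group now lives in the merged `[ "libvirtd" "pico" ]` list from the first hunk, and a short comment there (`# "pico": picoscope udev rule below`) keeps the link visible.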
From: Yorick van Pelt
Date: Sun, 3 Jan 2021 16:39:47 +0100
Subject: [PATCH 150/172] new torrent wg setup
---
 keys/wg.mullvad-nl4.key | Bin 0 -> 67 bytes
 logical/frumar.nix | 2 +-
 services/torrent-wg.nix | 15 +++++----------
 3 files changed, 6 insertions(+), 11 deletions(-)
 create mode 100644 keys/wg.mullvad-nl4.key
diff --git a/keys/wg.mullvad-nl4.key b/keys/wg.mullvad-nl4.key
new file mode 100644
index 0000000000000000000000000000000000000000..6ff1d02535eb3c50da758792351d47487d2ac57f
GIT binary patch
literal 67
zcmV-J0KESIM@dveQdv+`0KFqfZzcEjMc6BI60fBQqYjDhP^2XDIRf)~3OYzi*g%A|
ZV>RapX~*Moc*ySA^ODKkXdwoYWxS?09?Ad!

literal 0
HcmV?d00001

diff --git a/logical/frumar.nix b/logical/frumar.nix
index f18cbce..f1bf12b 100644
--- a/logical/frumar.nix
+++ b/logical/frumar.nix
@@ -18,7 +18,7 @@
 };
 boot.supportedFilesystems = [ "zfs" ];
 services.yorick.torrent-vpn = {
- enable = true; name = "mullvad-nl3"; namespace = "torrent";
+ enable = true; name = "mullvad-nl4"; namespace = "torrent";
 };
 services.plex = {
 enable = true;
diff --git a/services/torrent-wg.nix b/services/torrent-wg.nix
index fca2c77..598d986 100644
--- a/services/torrent-wg.nix
+++ b/services/torrent-wg.nix
@@ -1,4 +1,4 @@
-{lib, config, ...}:
+{pkgs, lib, config, ...}:
 let
 cfg = config.services.yorick.torrent-vpn;
 in
@@ -12,21 +12,16 @@ in
 deployment.keyys = [ (+"/wg.${cfg.name}.key") ];
 networking.wireguard.interfaces.${cfg.name} = {
 # curl -s https://api.mullvad.net/www/relays/all/ | jq '.[] | select(.type == "wireguard" and .country_code == "nl")'
- ips = ["10.64.19.76/32" "fc00:bbbb:bbbb:bb01::1:134b/128"];
+ ips = [ "10.66.30.26/32" "fc00:bbbb:bbbb:bb01::3:1e19/128" ];
 privateKeyFile = "/root/keys/wg.${cfg.name}.key";
 peers = [{
 publicKey = "hnRyse6QxPPcZOoSwRsHUtK1W+APWXnIoaDTmH6JsHQ=";
 allowedIPs = ["0.0.0.0/0" "::0/0"];
- endpoint = "185.65.134.224:31173";
+ endpoint = "[2a03:1b20:3:f011::a04f]:51820";
 }];
 interfaceNamespace = cfg.namespace;
- };
- systemd.services."wireguard-${cfg.name}" = {
- preStart = ''
- ip netns add "${cfg.namespace}"
- '';
- postStop = ''
- ip netns del "${cfg.namespace}"
+ preSetup = ''
+ ${pkgs.iproute}/bin/ip netns add "${cfg.namespace}" || true
 '';
 };
 environment.etc."netns/torrent/resolv.conf".text = ''
From f144dd17b85bdfdcaa4bdb9ab7b34b95af6ac41a Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 3 Jan 2021 16:40:27 +0100
Subject: [PATCH 151/172] fix frumar zfs boot timeout
---
 logical/frumar.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/logical/frumar.nix b/logical/frumar.nix
index f1bf12b..9ac3573 100644
--- a/logical/frumar.nix
+++ b/logical/frumar.nix
@@ -59,6 +59,7 @@
 # unifiPassword = "ReadOnlyPassword";
 # };
 };
+ boot.zfs.requestEncryptionCredentials = false;
 networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 3000 9090 ];
 networking.firewall.allowedTCPPorts = [ 1883 ];
 networking.firewall.allowedUDPPorts = [ 1883 ];
From 4f8a1f5528a80683d668de80fde2f2bec91a1100 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 3 Jan 2021 16:40:38 +0100
Subject: [PATCH 152/172] fix acme failure
---
 modules/nginx.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 8d69147..72dbffa 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
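Review bot: The peer `publicKey` stays unchanged while `ips`, `endpoint` and the key file all move from the nl3 relay to nl4; Mullvad relays each publish their own key, so unless those two happen to share one the handshake never completes, and because `allowedIPs` is `0.0.0.0/0`/`::0/0` inside the namespace the result is a torrent client with no route out rather than anything that fails loudly. Check the key against the relays API call quoted in the comment and update it in the same commit. The new `preSetup` also appends `|| true`, which hides every failure of `ip netns add`, not just the already-exists case; `test -e "/run/netns/${cfg.namespace}" || ${pkgs.iproute}/bin/ip netns add "${cfg.namespace}"` keeps real errors visible. The `environment.etc` value on the last line continues outside the hunk.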
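Review bot: `boot.zfs.requestEncryptionCredentials = false;` is added without a comment, so the commit title ("fix frumar zfs boot timeout") is the only record of why boot no longer waits to unlock encrypted datasets; a later reader may re-enable it and bring the timeout back, or conclude the host holds no encrypted data. I would add `# encrypted datasets on this host are backup targets unlocked (if ever) by hand; don't block boot prompting for their keys` — assuming that is the reason, which this hunk does not show. The enclosing attribute set starts and ends outside the hunk.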
@@ -18,7 +18,7 @@ in
 recommendedOptimisation = true;
 serverTokens = false;
 sslDhparam = "/etc/nginx/dhparam.pem";
- virtualHosts."${config.networking.hostName}" = {
+ virtualHosts."${config.networking.hostName}.yori.cc" = {
 enableACME = true;
 forceSSL = true;
 default = true;
From 8791018fae1f6b59d93784244dcbd44fffaa8860 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 3 Jan 2021 16:41:48 +0100
Subject: [PATCH 153/172] copy-key: fix build
---
 conf | 2 +-
 servers.nix | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/conf b/conf
index db7410a..4839b60 100755
--- a/conf
+++ b/conf
@@ -11,7 +11,7 @@ TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)
 #TARGET_HOST=192.168.178.1
 case $2 in
 copy-keys)
- $0 exec "$2" nix build -f "" config.deployment.keys-copy --out-link copy-keys
+ nix build -f servers.nix "$host".config.deployment.keys-copy --out-link copy-keys
 ./copy-keys/bin/copy-keys "$TARGET_HOST"
 # rm ./copy-keys
 ;;
diff --git a/servers.nix b/servers.nix
index 7dd2986..de9305a 100644
--- a/servers.nix
+++ b/servers.nix
@@ -7,4 +7,6 @@ let
 };
 names = [ "pennyworth" "jarvis" "blackadder" "woodhouse" "frumar" "zazu" ];
 in
-nixpkgs.lib.genAttrs names (name: (nixos name [ ./roles (./logical + "/${name}.nix") ]).config.system.build.toplevel)
+nixpkgs.lib.genAttrs names (name: (let os =
+ nixos name [ ./roles (./logical + "/${name}.nix") ]; in
+ os.config.system.build.toplevel // os))
From 4322929fa3d3681f7cf84f2e8dae78bf5f5db932 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 3 Jan 2021 16:43:55 +0100
Subject: [PATCH 154/172] redeploy jarvis
---
 modules/tor-hidden-service.nix | 2 +-
 physical/xps9360-hardware-config.nix | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/tor-hidden-service.nix b/modules/tor-hidden-service.nix
index 7a20fa9..dbe6211 100644
--- a/modules/tor-hidden-service.nix
+++ b/modules/tor-hidden-service.nix
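Review bot: The new `nix build -f servers.nix ...` line is not chained to the `./copy-keys/bin/copy-keys "$TARGET_HOST"` that follows it, so when the build fails the script goes on to run whatever `./copy-keys` out-link is left from a previous run and ships stale keys to the host — unless `set -e` is in effect higher up, which this hunk does not show. Make the dependency explicit: `nix build -f servers.nix "$host".config.deployment.keys-copy --out-link copy-keys || exit 1`, or join the two commands with `&&`. The `case` statement starts outside the hunk.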
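Review bot: `os.config.system.build.toplevel // os` merges the entire NixOS evaluation result into the toplevel derivation's attribute set, so any name both sides carry is silently replaced by the `os` side — what `nixos` returns is defined outside the hunk, but attributes such as `system` are plausible collisions, and that would change what `nix build -f servers.nix <host>` sees. Only `.config` is needed by the new `conf` line; expose just that and keep the derivation otherwise untouched: `os.config.system.build.toplevel // { inherit (os) config; }`. The enclosing `let` starts outside the hunk.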
@@ -8,7 +8,7 @@ let
 in
 {
 options.services.tor.service-keys = mkOption {
 default = {};
- type = with types; loaOf str;
+ type = with types; attrsOf str;
 };
 config = mkIf (service-keys != {}) {
diff --git a/physical/xps9360-hardware-config.nix b/physical/xps9360-hardware-config.nix
index 185f0db..e201e76 100644
--- a/physical/xps9360-hardware-config.nix
+++ b/physical/xps9360-hardware-config.nix
@@ -27,4 +27,6 @@
 nix.maxJobs = lib.mkDefault 4;
 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ # high-resolution display
+ hardware.video.hidpi.enable = lib.mkDefault true;
 }
From 6498d199d3c0e983c5dfc091ed9e09ed8f707e03 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 3 Jan 2021 17:01:33 +0100
Subject: [PATCH 155/172] roles/workstation: prepare yori-nix cache
---
 roles/workstation.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/roles/workstation.nix b/roles/workstation.nix
index e64f437..1678db4 100644
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
@@ -41,7 +41,7 @@ in
 binaryCaches = [
 "https://cache.nixos.org"
 "https://cache.lumi.guide/"
- "s3://yorick-cache?endpoint=s3.eu-central-1.wasabisys.com&profile=wasabi-private"
+ #"s3://yori-nix?endpoint=s3.eu-central-003.backblazeb2.com&profile=backblaze-read"
 #"https://nixpkgs-wayland.cachix.org"
 ];
 trustedBinaryCaches = config.nix.binaryCaches ++ [
@@ -54,7 +54,8 @@ in
 "serokell-1:aIojg2Vxgv7MkzPJoftOO/I8HKX622sT+c0fjnZBLj0="
 "cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE="
 "serokell.cachix.org-1:5DscEJD6c1dD1Mc/phTIbs13+iW22AVbx0HqiSb+Lq8="
- "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
+ #"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
+ "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0="
 ];
 extraOptions = ''
 netrc-file = ${nixNetrcFile}
From 27cf5f7bb95c2b006a2f8cada0033b5703734e8d Mon Sep 17 00:00:00 2001
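Review bot: The second hunk trusts `"yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0="` on every workstation while the only substituter that would ever present it, the `s3://yori-nix?...` URL in the first hunk, is commented out, so the key now sits in the trust list with nothing tying it to a cache, and its label `yorick` does not follow the `<cache-host>-<n>:` naming the neighbouring entries use, so a later reader cannot tell which cache it signs. Trusting a public key means trusting whoever holds the private half; either enable the substituter alongside it or record the pairing, e.g. `# signing key for the yori-nix backblaze cache (substituter above, currently disabled); private half in keys/`. The disabled wayland URL and key are left as commented-out lines in both hunks — delete them rather than keep dead entries in a trust list. The enclosing `nix` attribute set starts and ends outside the hunk.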
From: Yorick van Pelt
Date: Sun, 3 Jan 2021 17:01:58 +0100
Subject: [PATCH 156/172] blackadder: redeploy
---
 logical/blackadder.nix | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/logical/blackadder.nix b/logical/blackadder.nix
index b14c584..8ff2131 100644
--- a/logical/blackadder.nix
+++ b/logical/blackadder.nix
@@ -15,18 +15,17 @@
 peers = [ {
 publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI=";
 endpoint = "wg.lumi.guide:31727";
- allowedIPs = [ "10.96.0.0/12" "10.0.12.0/22" "10.0.1.0/26" ];
+ allowedIPs = [ "10.96.0.0/12" "10.0.0.0/17" ];
 }];
 postSetup = "ip link set dev wg-lumi mtu 1408";
 };
 };
+ environment.systemPackages = [ pkgs.spice_gtk ];
+ security.wrappers.spice-client-glib-usb-acl-helper.source = "${pkgs.spice_gtk}/bin/spice-client-glib-usb-acl-helper";
+ virtualisation.virtualbox.host.enable = lib.mkForce true;
+ virtualisation.virtualbox.host.enableExtensionPack = true;
+ users.users.yorick.extraGroups = [ "vboxusers" ];
- # development
- services.postgresql = {
- enable = true;
- enableTCPIP = true;
- package = pkgs.postgresql_10;
- };
 # users.users.pie = {
 # isNormalUser = true;
 # openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDpj2GrPpXtAp9Is0wDyQNl8EQnBiITkSAjhf7EjIqX" ];
@@ -39,4 +38,23 @@
 # /export/nfs/client1/nix 10.40.0.0/24(insecure,ro,sync,no_subtree_check,crossmnt)
 # '';
 # };
+
+ services.znapzend = {
+ enable = true;
+ pure = true;
+ features = {
+ zfsGetType = true;
+ sendRaw = true;
+ };
+ zetup = {
+ "rpool/home-enc" = {
+ plan = "1d=>1h,1m=>1w";
+ destinations.frumar = {
+ host = "root@192.168.178.37";
+ dataset = "frumar-new/backup/blackadder";
+ plan = "1w=>1d,1y=>1w,10y=>1m,50y=>1y";
+ };
+ };
+ };
+ };
 }
From 8fb7a5cac93cf33a0b8c1b5b94292c35dacdb403 Mon Sep 17 00:00:00 2001
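Review bot: `security.wrappers.spice-client-glib-usb-acl-helper.source = ...` adds a privileged wrapper with only `source` given, so which bits it ends up with (setuid root or not) depends on the defaults of the `security.wrappers` module for the NixOS release in use — 22.05 made `owner`, `group` and `setuid` mandatory precisely because the earlier defaults were easy to get wrong, and nothing here records what is intended. The upstream helper is meant to run setuid root (it is how an unprivileged spice-gtk hands USB devices to a VM, gated by polkit), so spell that out: `security.wrappers.spice-client-glib-usb-acl-helper = { source = "${pkgs.spice_gtk}/bin/spice-client-glib-usb-acl-helper"; owner = "root"; group = "root"; setuid = true; };` with a `# setuid: USB redirection for spice clients` comment, and drop it if USB redirection is not actually used. The widened `allowedIPs` (`10.0.0.0/17` replacing two small subnets) routes a much larger range through wg-lumi; worth a comment naming what lives there. The enclosing `networking.wireguard` attribute set starts outside the hunk.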
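Review bot: `host = "root@192.168.178.37"` lets blackadder's znapzend log in as root on the backup target, so a compromised workstation can destroy every snapshot under `frumar-new/backup/blackadder` — and anything else on frumar — which defeats the point of an off-box backup; a dedicated receive user with a `zfs allow` grant scoped to that dataset (the exact permission list znapzend needs is not visible here and should be checked) limits the blast radius. The hard-coded LAN address also bypasses the per-host address map that `conf` reads from `vpn.nix`, so the job presumably stops the moment blackadder is off the home network. `sendRaw = true` is the right call for `rpool/home-enc` — the dataset's keys never leave blackadder — and deserves a `# raw send: frumar never sees the encryption key` comment so nobody "fixes" it. The enclosing attribute set starts outside the hunk.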
From: Yorick van Pelt
Date: Sun, 3 Jan 2021 17:02:05 +0100
Subject: [PATCH 157/172] yori-nix cache key
---
 keys/yori-nix.key | Bin 0 -> 117 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 keys/yori-nix.key
diff --git a/keys/yori-nix.key b/keys/yori-nix.key
new file mode 100644
index 0000000000000000000000000000000000000000..f080c825bfb0485c322eaa1a3161139555c47cdc
GIT binary patch
literal 117
zcmV-*0E+(rM@dveQdv+`06{*6JwO1DqB_Mye6GmbF}f)I?*}^K`L0XN7Ueoyv(+9w
zfp7kt9B7_R>E{BVl9hsYA79R9$;D|D)HrivOAfa)p|5{

literal 0
HcmV?d00001

From 360782bd4a42e4563097157627a165d46263be90 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 3 Jan 2021 17:09:48 +0100
Subject: [PATCH 158/172] treewide: delete unused code
---
 modules/nixos-in-place.nix | 50 --------------------------
 modules/victoriametrics.nix | 49 --------------------------
 services/collectd.nix | 70 -------------------------------------
 services/gogs.nix | 52 ---------------------------
 services/graphs.nix | 38 --------------------
 services/quassel.nix | 45 ------------------------
 services/xmpp.nix | 57 ------------------------------
 7 files changed, 361 deletions(-)
 delete mode 100644 modules/nixos-in-place.nix
 delete mode 100644 modules/victoriametrics.nix
 delete mode 100644 services/collectd.nix
 delete mode 100644 services/gogs.nix
 delete mode 100644 services/graphs.nix
 delete mode 100644 services/quassel.nix
 delete mode 100644 services/xmpp.nix
diff --git a/modules/nixos-in-place.nix b/modules/nixos-in-place.nix
deleted file mode 100644
index d51cf01..0000000
--- a/modules/nixos-in-place.nix
+++ /dev/null
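Review bot: `keys/yori-nix.key` is the private half of the cache signing key whose public half (`yorick:Pmd0…`) is trusted by every workstation, and it is being committed to the configuration repository; the `GIT binary patch` form and the `git crypt unlock` step in `conf` suggest the file goes through git-crypt, but nothing in this commit shows a `.gitattributes` rule covering `keys/`, and that should be confirmed before this is pushed anywhere, because a plaintext key in history cannot be undone by a later commit — only by rotating the key and replacing the trusted public entry. The same check applies to `keys/wg.mullvad-nl4.key` added in PATCH 150. A one-line `keys/README` stating that everything under `keys/` must be git-crypt filtered would protect the next person adding a file here.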
@@ -1,50 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- inherit (lib) mkEnableOption mkOption types mkIf;
- cfg = config."nixos-in-place";
-in
-{
- imports = [ ];
- options."nixos-in-place" = {
- enable = mkEnableOption "enable nixos-in-place FS";
- rootfs = mkOption {
- type = types.str;
- description = "device name for root fs";
- };
- swapfs = mkOption {
- type = types.str;
- description = "device name for root fs";
- };
- };
- config = mkIf cfg.enable {
- boot = {
- kernelModules = [ ];
- extraModulePackages = [ ];
- kernelParams = ["root=${cfg.rootfs}" "boot.shell_on_fail"];
- loader.grub = {
- enable = true;
- storePath = "/nixos/nix/store";
- };
- initrd = {
- supportedFilesystems = [ "ext4" ];
- postDeviceCommands = ''
- mkdir -p /mnt-root/old-root ;
- mount -t ext4 ${cfg.rootfs} /mnt-root/old-root ;
- '';
- };
- };
-
- fileSystems = {
- "/" = {
- device = "/old-root/nixos";
- fsType = "none";
- options = [ "bind" ];
- };
- "/old-root" = {
- device = cfg.rootfs;
- fsType = "ext4";
- };
- };
- swapDevices = [ { device = cfg.swapfs; } ];
- };
-}
diff --git a/modules/victoriametrics.nix b/modules/victoriametrics.nix
deleted file mode 100644
index ef3a554..0000000
--- a/modules/victoriametrics.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{ config, pkgs, lib, ... }:
-let cfg = config.services.victoriametrics; in
-{
- options.services.victoriametrics = with lib; {
- enable = mkEnableOption "victoriametrics";
- package = mkOption {
- type = types.package;
- default = pkgs.victoriametrics;
- defaultText = "pkgs.victoriametrics";
- description = ''
- The VictoriaMetrics distribution to use.
- '';
- };
- http = mkOption {
- default = ":8428";
- type = types.str;
- description = ''
- The listen address for the http interface.
- '';
- };
- retentionPeriod = mkOption {
- type = types.int;
- default = 1;
- description = ''
- Retention period in months.
- '';
- };
- extraOptions = mkOption {
- type = types.listOf types.str;
- default = [];
- description = ''
- Extra options to pass to VictoriaMetrics. See
- the README or victoriametrics -help for more
- information.
- '';
- };
- };
- config = lib.mkIf cfg.enable {
- systemd.services.victoriametrics = {
- description = "VictoriaMetrics time series database";
- serviceConfig = {
- StateDirectory = "victoriametrics";
- DynamicUser = true;
- ExecStart = "${cfg.package}/bin/victoria-metrics -storageDataPath=/var/lib/victoriametrics -httpListenAddr ${cfg.http} -retentionPeriod ${toString cfg.retentionPeriod} ${lib.concatStringsSep " " cfg.extraOptions}";
- };
- wantedBy = [ "multi-user.target" ];
- };
- };
-}
diff --git a/services/collectd.nix b/services/collectd.nix
deleted file mode 100644
index 3ea09b8..0000000
--- a/services/collectd.nix
+++ /dev/null
@@ -1,70 +0,0 @@ -{ config, pkgs, lib, ...}: -let - secrets = import ; -in -{ - services.collectd = { - enable = true; - extraConfig = '' - LoadPlugin network - - LoadPlugin conntrack - LoadPlugin cpu - LoadPlugin df - LoadPlugin disk - LoadPlugin interface - LoadPlugin fhcount - LoadPlugin load - LoadPlugin memory - LoadPlugin processes - LoadPlugin swap - LoadPlugin tcpconns - LoadPlugin uptime - LoadPlugin users - LoadPlugin sensors - - - - LocalPort "443" - - - - Username "${config.networking.hostName}" - Password "${secrets.influx_pass.${config.networking.hostName}}" - - - - FSType "btrfs" - FSType "ext3" - FSType "ext4" - FSType "vfat" - - ''; - }; - boot.kernel.sysctl."net.core.rmem_max" = 26214400; - boot.kernel.sysctl."net.core.rmem_default" = 26214400; - nixpkgs.config.packageOverrides = pkgs: { - collectd = pkgs.collectd.override { - jdk = null; - libcredis = null; - libdbi = null; - libmemcached = null; cyrus_sasl = null; - libmodbus = null; - libnotify = null; gdk_pixbuf = null; - libsigrok = null; - libvirt = null; - libxml2 = null; - libtool = null; - lvm2 = null; - mysql = null; - protobufc = null; - python = null; - rabbitmq-c = null; - riemann_c_client = null; - rrdtool = null; - varnish = null; - yajl = null; - net_snmp = null; - }; - }; -} diff --git a/services/gogs.nix b/services/gogs.nix deleted file mode 100644 index 5baf704..0000000 --- a/services/gogs.nix +++ /dev/null 
@@ -1,52 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
- cfg = config.services.yorick.gogs;
-in
-{
- options.services.yorick.gogs = with lib; {
- enable = mkEnableOption "gogs";
- dir = mkOption { type = types.str; default = "/var/gogs"; };
- port = mkOption { type = types.int; default = 8001; };
- vhost = mkOption { type = types.str; };
- };
- config = lib.mkIf cfg.enable {
-
- users.extraUsers.git = { home = cfg.dir; extraGroups = [ "git" ]; useDefaultShell = true;};
- users.extraGroups.git = { };
- services.gogs = rec {
- enable = true;
- user = "git";
- group = "git";
- database.user = "root";
- stateDir = cfg.dir;
- repositoryRoot = "${stateDir}/gogs-repositories";
- rootUrl = "https://${cfg.vhost}/";
- httpAddress = "localhost";
- httpPort = cfg.port;
- extraConfig = ''
- [service]
- REGISTER_EMAIL_CONFIRM = false
- ENABLE_NOTIFY_MAIL = false
- DISABLE_REGISTRATION = true
- REQUIRE_SIGNIN_VIEW = false
- [picture]
- DISABLE_GRAVATAR = false
- AVATAR_UPLOAD_PATH = ${cfg.dir}/data/avatars
- [mailer]
- ENABLED = false
- '';
- domain = cfg.vhost;
- };
- users.extraUsers.gogs.createHome = lib.mkForce false;
- services.nginx.virtualHosts.${cfg.vhost} = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString cfg.port}";
- extraConfig = ''
- proxy_buffering off;
- '';
- };
- };
- };
-}
diff --git a/services/graphs.nix b/services/graphs.nix
deleted file mode 100644
index be097e6..0000000
--- a/services/graphs.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-# use together with ./collectd.nix
-{ config, pkgs, lib, ...}:
-let
- secrets = import ;
- grafana_port = 3000;
- domain = "graphs.yori.cc";
-in
-{
- networking.firewall.allowedUDPPorts = [25826];
- services.influxdb = {
- enable = true;
- extraConfig = {
- collectd = [{
- enabled = true;
- typesdb = "${pkgs.collectd}/share/collectd/types.db";
- database = "collectd_db";
- "security-level" = "sign";
- "auth-file" = pkgs.writeText "collectd_auth"
- (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: p: "${n}: ${p}") secrets.influx_pass) + "\n");
- port = 25826;
- }];
- };
- };
- services.grafana = {
- enable = true;
- inherit domain;
- rootUrl = "https://${domain}/";
- port = grafana_port;
- };
- services.nginx.virtualHosts.${domain} = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString grafana_port}";
- };
- };
-
-}
diff --git a/services/quassel.nix b/services/quassel.nix
deleted file mode 100644
index 2ddc413..0000000
--- a/services/quassel.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{config, pkgs, lib, ...}:
-{
- options.services.yorick.quassel = {
- enable = lib.mkEnableOption "quassel container";
- };
- config = lib.mkIf config.services.yorick.quassel.enable {
- containers.quassel = {
- config = { config, pkgs, ... }: {
- services.postgresql = {
- enable = true;
- package = pkgs.postgresql94;
- extraConfig = ''
- max_connections = 10
- shared_buffers = 1GB
- effective_cache_size = 4GB
- work_mem = 50MB
- maintenance_work_mem = 100MB
- '';
- };
- services.quassel = {
- # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix
- enable = true;
- interfaces = ["0.0.0.0"];
- };
- environment.systemPackages = [
- pkgs.quasselDaemon
- ];
- networking.firewall.allowedTCPPorts = [4242];
- };
- privateNetwork = true;
- hostAddress = "192.168.125.1";
- localAddress = "192.168.125.11";
- };
- # give the containers networking
- networking.nat = {
- enable = true;
- internalInterfaces = ["ve-+"];
- externalInterface = "enp2s0";
- forwardPorts = [
- { sourcePort = 4242; destination = "192.168.125.11:4242"; }
- ];
- };
- networking.firewall.allowedTCPPorts = [4242];
- };
-}
diff --git a/services/xmpp.nix b/services/xmpp.nix
deleted file mode 100644
index 132cd26..0000000
--- a/services/xmpp.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- acmeKeyDir = "${config.security.acme.directory}/${cfg.vhost}";
- communityModules = [ "mam" "carbons" "smacks" ];
- cfg = config.services.yorick.xmpp;
-in
-{
- options.services.yorick.xmpp = with lib; {
- enable = mkEnableOption "xmpp";
- vhost = mkOption { type = types.str; };
- admins = mkOption { type = types.listOf types.str; };
- };
- config = lib.mkIf cfg.enable {
- # XMPP
- services.prosody = let
- in {
- enable = true;
-
- allowRegistration = false;
- extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"] ++ communityModules;
- virtualHosts.default = {
- enabled = true;
- domain = cfg.vhost;
- ssl = {
- key = "/var/lib/prosody/keys/key.pem";
- cert = "/var/lib/prosody/keys/fullchain.pem";
- };
- };
- # TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub?
- extraConfig = ''
- use_libevent = true
- s2s_require_encryption = true
- c2s_require_encryption = true
- archive_expires_after = "never"
- storage = {
- archive2 = "sql";
- }
- '';
- inherit (cfg) admins;
- package = pkgs.prosody.override {
- withZlib = true; withDBI = true;
- withCommunityModules = communityModules;
- };
- };
- systemd.services.prosody.serviceConfig.PermissionsStartOnly = true;
- systemd.services.prosody.preStart = ''
- mkdir -m 0700 -p /var/lib/prosody/keys
- cp ${acmeKeyDir}/key.pem ${acmeKeyDir}/fullchain.pem /var/lib/prosody/keys
- chown -R prosody:prosody /var/lib/prosody
- '';
- networking.firewall.allowedTCPPorts = [5222 5269];
- security.acme.certs.${cfg.vhost}.postRun = ''
- systemctl restart prosody.service
- '';
- };
-}
From 3f04056f70bb12e2ff9b164a6fb9e9e7e6a36efe Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 3 Jan 2021 17:12:16 +0100
Subject: [PATCH 159/172] treewide: remove impure nixpkgs
---
 conf | 3 +--
 physical/3950x-hardware-config.nix | 4 ++--
 physical/hetznercloud.nix | 5 ++---
 physical/nuc.nix | 4 ++--
 4 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/conf b/conf
index 4839b60..2fbb461 100755
--- a/conf
+++ b/conf
@@ -4,8 +4,7 @@ if ! [ -e secrets.nix ]
 then
 git crypt unlock
 fi
-# TODO: remove nixpkgs dependency
-export NIX_PATH=yori-nix=$PWD:nixpkgs=channel:nixos-unstable
+export NIX_PATH=yori-nix=$PWD
 host=$1
 TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)
 #TARGET_HOST=192.168.178.1
diff --git a/physical/3950x-hardware-config.nix b/physical/3950x-hardware-config.nix
index 0c04697..66b12c4 100644
--- a/physical/3950x-hardware-config.nix
+++ b/physical/3950x-hardware-config.nix
@@ -1,11 +1,11 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
 {
 imports =
- [
+ [ (modulesPath + "/installer/scan/not-detected.nix")
 ];
 boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
diff --git a/physical/hetznercloud.nix b/physical/hetznercloud.nix
index 38e0af1..0a5277c 100644
--- a/physical/hetznercloud.nix
+++ b/physical/hetznercloud.nix
@@ -1,11 +1,10 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
 let
 ipconf = (import ../secrets.nix).ipconf.${config.networking.hostName};
 in
 {
 imports =
- # todo: impure:
- [
+ [ (modulesPath + "/profiles/qemu-guest.nix")
 ];
 boot.kernelPackages = pkgs.linuxPackages_latest;
diff --git a/physical/nuc.nix b/physical/nuc.nix
index fc17680..8ffb03e 100644
--- a/physical/nuc.nix
+++ b/physical/nuc.nix
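Review bot: `export NIX_PATH=yori-nix=$PWD` ties the `yori-nix` search-path entry to the caller's current directory rather than to the repository, so invoking the script from anywhere but the repo root (`../conf`, a cron job, a different checkout) silently resolves the search-path lookups used elsewhere in the tree against the wrong directory or fails to find them at all. Anchor it to the script's own location: `export NIX_PATH=yori-nix=$(cd "$(dirname "$0")" && pwd)`. With `nixpkgs` removed from `NIX_PATH`, anything still spelling `<nixpkgs>` (vpn.nix is evaluated on the next context line and is not visible here) now errors — worth a quick grep before relying on this.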
@@ -1,10 +1,10 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
 let
 sources = import ../nix/sources.nix;
 in
 {
 imports =
- [
+ [ (modulesPath + "/installer/scan/not-detected.nix")
 ./.
 "${sources.nixos-hardware}/common/cpu/intel"
 ];
From 25959ecdafdebe3b6fceb389f16e9dfac135e799 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 3 Jan 2021 17:13:13 +0100
Subject: [PATCH 160/172] add gitignore
---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5b7d75b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+result
+copy-keys
\ No newline at end of file
From c3f92644f6e54d7f9977e21d522dae34c94eb3b9 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 3 Jan 2021 17:19:53 +0100
Subject: [PATCH 161/172] update readme
---
 README.md | 36 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 19 deletions(-)
diff --git a/README.md b/README.md
index 2b982dd..e515c04 100644
--- a/README.md
+++ b/README.md
@@ -7,41 +7,34 @@ Systems
 [frumar](https://en.wikipedia.org/wiki/Frumar)
 --------
-Physical [server](./roles/server.nix). Mostly used for files. (storage: 6 TB hdd + 256GB ssd, RAM: 8GB, 2 cores ht)
+Physical [server](./roles/server.nix). Mostly used for files. (storage: 30 TB hdd + 256GB ssd, RAM: 16GB, 2 cores ht)
-- [git hosting](./services/gogs.nix)
-- [public files](./services/pub.nix)
+- prometheus
+- grafana
+- rabbitmq
 - torrents
-- [quassel](./services/quassel.nix)
+- plex
 [pennyworth](https://en.wikipedia.org/wiki/Alfred_Pennyworth)
 ----------
 [Server](./roles/server.nix).
-VPS (Storage: 80GB, RAM: 1GB, 2 cores)
+Hetzner cloud VPS (Storage: 20GB, RAM: 2GB, 1 core)
-- [grafana](./services/graphs.nix)
 - [website](./services/website.nix)
 - [email](./services/mail.nix)
-- [prosody](./services/xmpp.nix)
-- [asterisk](./services/asterisk.nix)
+- irc/weechat
+- vpn + http gateway for some services
 [woodhouse](https://en.wikipedia.org/wiki/List_of_Archer_characters#Recurring_characters)
 -----------
-intel nuc connected to the tv (storage: 64GB ssd, RAM: 4GB)
+intel nuc connected to the tv (storage: 250GB ssd, RAM: 8GB)
-- kodi
-- sshfs mounts to alphonse & frumar
+- plex media player
+- todo: sshfs mount to frumar
-[ascanius](https://en.wikipedia.org/wiki/Frumar)
----------
-
-[workstation](./roles/workstation.nix).
-hp elitebook 8570w (RAM: 16GB, 4 cores ht, storage: 256GB ssd + 300GB HDD)
-
-- includes a power saving script
 [jarvis](https://en.wikipedia.org/wiki/Edwin_Jarvis)
 --------
@@ -49,8 +42,13 @@ hp elitebook 8570w (RAM: 16GB, 4 cores ht, storage: 256GB ssd + 300GB HDD)
 [workstation](./roles/workstation.nix).
 dell xps 13 (RAM: 16GB, storage: 512GB ssd, 2 cores ht)
-- for now, just run powertop --auto-tune after a reboot I guess
+[blackadder](https://en.wikipedia.org/wiki/Edmund_Blackadder#Edmund_Blackadder_Esq._(Regency_Britain))
+--------
+
+[workstation](./roles/workstation.nix).
+https://tweakers.net/productcollectie/wijzig/2583112/
+ryzen 9 (RAM: 64GB, storage: 1TB ssd, 16 cores ht)
 Maintenance
 ===========
From 3bb79a09456bab6362b6440a2550e616a7821f9f Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 3 Jan 2021 17:38:16 +0100
Subject: [PATCH 162/172] remove nixpkgs-wayland impurity
---
 nix/sources.json | 12 ++++++++++++
 roles/workstation.nix | 3 +++
 2 files changed, 15 insertions(+)
diff --git a/nix/sources.json b/nix/sources.json
index 57edd2e..24d095a 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -34,5 +34,17 @@
 "type": "tarball",
 "url": "https://github.com/NixOS/nixpkgs/archive/733e537a8ad76fd355b6f501127f7d0eb8861775.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
+ },
+ "nixpkgs-wayland": {
+ "branch": "master",
+ "description": "Automated, pre-built packages for Wayland (sway/wlroots) tools for NixOS.",
+ "homepage": "",
+ "owner": "colemickens",
+ "repo": "nixpkgs-wayland",
+ "rev": "80a15b9aaf56cc559cf0028763776cadad36ece2",
+ "sha256": "02s1k36iypsa7y1brwarz5y74dcrnn5qqplih3jq4dh0baqliiz0",
+ "type": "tarball",
+ "url": "https://github.com/colemickens/nixpkgs-wayland/archive/80a15b9aaf56cc559cf0028763776cadad36ece2.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
 }
 }
diff --git a/roles/workstation.nix b/roles/workstation.nix
index 1678db4..0e15a36 100644
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
@@ -1,5 +1,6 @@ { config, lib, pkgs, ... }: let + sources = import ../nix/sources.nix; nixNetrcFile = pkgs.runCommand "nix-netrc-file" { hostname = "cache.lumi.guide"; username = "lumi"; @@ -15,6 +16,8 @@ in imports = [ ./graphical.nix ]; + + nixpkgs.overlays = [ (import sources.nixpkgs-wayland) ]; users.extraUsers.yorick.extraGroups = [ "input" "wireshark" "dialout" ]; services.printing = { enable = true; From ab081f14ea5182ee11c5d0e2bbeb287b60e1417b Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sun, 3 Jan 2021 17:38:59 +0100 Subject: [PATCH 163/172] add lumi-vpn module --- logical/blackadder.nix | 15 +++------------ logical/jarvis.nix | 14 +------------- modules/lumi-vpn.nix | 42 ++++++++++++++++++++++++++++++++++++++++++ roles/default.nix | 1 + roles/workstation.nix | 2 ++ 5 files changed, 49 insertions(+), 25 deletions(-) create mode 100644 modules/lumi-vpn.nix diff --git a/logical/blackadder.nix b/logical/blackadder.nix index 8ff2131..739156a 100644 --- a/logical/blackadder.nix +++ b/logical/blackadder.nix @@ -5,20 +5,11 @@ ../roles/workstation.nix ]; - nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ]; system.stateVersion = "19.09"; - networking.wireguard.interfaces = { - wg-lumi = { - privateKeyFile = "/home/yorick/engineering/lumi/secrets/devel/vpn/wg/workstations.yorick-homepc.key"; - ips = [ "10.109.0.18" ]; - peers = [ { - publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI="; - endpoint = "wg.lumi.guide:31727"; - allowedIPs = [ "10.96.0.0/12" "10.0.0.0/17" ]; - }]; - postSetup = "ip link set dev wg-lumi mtu 1408"; - }; + yorick.lumi-vpn = { + name = "yorick-homepc"; + mtu = 1408; }; environment.systemPackages = [ pkgs.spice_gtk ]; security.wrappers.spice-client-glib-usb-acl-helper.source = "${pkgs.spice_gtk}/bin/spice-client-glib-usb-acl-helper"; diff --git a/logical/jarvis.nix b/logical/jarvis.nix index adfe4ff..17d0cb0 100644 --- a/logical/jarvis.nix 
+++ b/logical/jarvis.nix @@ -5,19 +5,7 @@ ../roles/workstation.nix ]; - nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ]; system.stateVersion = "17.09"; - networking.wireguard.interfaces = { - wg-lumi = { - privateKeyFile = "/home/yorick/engineering/lumi/secrets/devel/vpn/wg/workstations.yorick.key"; - ips = [ "10.109.0.10" ]; - peers = [ { - publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI="; - endpoint = "wg.lumi.guide:31727"; - allowedIPs = [ "10.96.0.0/12" "10.0.0.0/17" ]; - }]; - postSetup = "ip link set dev wg-lumi mtu 1371"; - }; - }; + yorick.lumi-vpn.name = "yorick"; } diff --git a/modules/lumi-vpn.nix b/modules/lumi-vpn.nix new file mode 100644 index 0000000..e49e0b1 --- /dev/null +++ b/modules/lumi-vpn.nix @@ -0,0 +1,42 @@ +{ config, lib, ... }: +let + cfg = config.yorick.lumi-vpn; + addresses = import "${builtins.getEnv "HOME"}/engineering/lumi/os/gateway/addresses.nix" + { lib.ip4.ip = a: b: c: d: x: lib.concatStringsSep "." (map toString [ a b c d ]); }; +in +{ + options.yorick.lumi-vpn = with lib; { + enable = mkEnableOption "lumi vpn"; + name = mkOption { + type = types.str; + example = "yorick-homepc"; + }; + user = mkOption { + type = types.str; + default = "yorick"; + }; + mtu = mkOption { + type = types.int; + default = 1371; + }; + ip = mkOption { + type = types.str; + example = "10.109.0.1"; + default = addresses.workstations."${cfg.name}"; + }; + }; + config = lib.mkIf cfg.enable { + networking.wireguard.interfaces = { + wg-lumi = { + privateKeyFile = "/home/${cfg.user}/engineering/lumi/secrets/devel/vpn/wg/workstations.${cfg.name}.key"; + ips = [ cfg.ip ]; + peers = [ { + publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI="; + endpoint = "wg.lumi.guide:31727"; + allowedIPs = [ "10.96.0.0/12" "10.0.0.0/17" ]; + }]; + postSetup = "ip link set dev wg-lumi mtu ${toString cfg.mtu}"; + }; + }; + }; +} 
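Review bot: `privateKeyFile` puts the WireGuard private key at `/home/${cfg.user}/engineering/lumi/secrets/devel/vpn/wg/workstations.${cfg.name}.key`, a path under an unprivileged user's home, whereas the rest of this series keeps host secrets root-only under `/root/keys` via `deployment.keyys`; exposing the path as an option (`privateKeyFile = mkOption { type = types.path; default = "/home/${cfg.user}/engineering/lumi/secrets/devel/vpn/wg/workstations.${cfg.name}.key"; };`) would let hosts move the key without breaking the two workstations converted here. The `addresses = import "${builtins.getEnv "HOME"}/engineering/lumi/os/gateway/addresses.nix"` line ties evaluation to the evaluating user's `$HOME` — under pure evaluation `builtins.getEnv` returns an empty string and the import fails — which reintroduces the kind of impurity the previous commit removed; passing the addresses file in as a module argument or pinning it alongside `nix/sources.json` avoids that. A short comment on the `ip` option, `# defaults to the lumi address-table entry for cfg.name`, would also make the coupling to `name` explicit.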
diff --git a/roles/default.nix b/roles/default.nix index 292cd6b..20780ea 100644 --- a/roles/default.nix +++ b/roles/default.nix @@ -9,6 +9,7 @@ in imports = [ ../modules/tor-hidden-service.nix ../modules/nginx.nix + ../modules/lumi-vpn.nix ../deploy/keys.nix ../services ]; diff --git a/roles/workstation.nix b/roles/workstation.nix index 0e15a36..b36dac8 100644 --- a/roles/workstation.nix +++ b/roles/workstation.nix @@ -97,4 +97,6 @@ in # git boot.kernel.sysctl."fs.inotify.max_user_watches" = 1024000000; + + yorick.lumi-vpn.enable = true; } From c2fbcb0896075749c18c0d1436f0889f01264cc5 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sun, 3 Jan 2021 17:40:19 +0100 Subject: [PATCH 164/172] blackaddres: remove usb passthrough --- logical/blackadder.nix | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/logical/blackadder.nix b/logical/blackadder.nix index 739156a..033b617 100644 --- a/logical/blackadder.nix +++ b/logical/blackadder.nix @@ -11,24 +11,6 @@ name = "yorick-homepc"; mtu = 1408; }; - environment.systemPackages = [ pkgs.spice_gtk ]; - security.wrappers.spice-client-glib-usb-acl-helper.source = "${pkgs.spice_gtk}/bin/spice-client-glib-usb-acl-helper"; - virtualisation.virtualbox.host.enable = lib.mkForce true; - virtualisation.virtualbox.host.enableExtensionPack = true; - users.users.yorick.extraGroups = [ "vboxusers" ]; - - # users.users.pie = { - # isNormalUser = true; - # openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDpj2GrPpXtAp9Is0wDyQNl8EQnBiITkSAjhf7EjIqX" ]; - # }; - # services.nfs.server = { - # enable = true; - # exports = '' - # /export 10.40.0.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash) - # /export/nfs/client1 10.40.0.0/24(insecure,rw,sync,no_subtree_check,crossmnt,all_squash,anonuid=0,anongid=0,no_root_squash) - # /export/nfs/client1/nix 10.40.0.0/24(insecure,ro,sync,no_subtree_check,crossmnt) - # ''; - # }; services.znapzend = { enable = true; 
From ad7f39a84eb458663ed78d5da88aeceba3e5dc8a Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sun, 3 Jan 2021 18:59:55 +0100 Subject: [PATCH 165/172] grafana: google login --- .gitattributes | 1 + keys/grafana.env | Bin 0 -> 174 bytes logical/frumar.nix | 10 ++++++++++ 3 files changed, 11 insertions(+) create mode 100644 keys/grafana.env diff --git a/.gitattributes b/.gitattributes index 1a2f179..690a2a8 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,3 +1,4 @@ secrets.nix filter=git-crypt diff=git-crypt *.key filter=git-crypt diff=git-crypt deploy_key filter=git-crypt diff=git-crypt +keys/** filter=git-crypt diff=git-crypt diff --git a/keys/grafana.env b/keys/grafana.env new file mode 100644 index 0000000000000000000000000000000000000000..334758e9d7b7ea0a75fd45e614e0d441fe16cf3b GIT binary patch literal 174 zcmV;f08#${M@dveQdv+`0Jv)h0c)#gStzO8eje6^&EV8A%1MhGE5j$?4sk7SCuoS> z9MA!m5cxs20&AAmKUZ7mOf=a3kqcOaR{2-D?}G`pnGSaG94Z!t7HDql7?fRr)?tlp zu;J(G{|okrI1{3l6Eg8~$PFf|P69l@C1{WV?FXsH_tqU!bxk-&%lg^U4d2C~fh+R( csk!Mls7l10(s@)C*_*G@txNzo8*70BYrfV}Bme*a literal 0 HcmV?d00001 diff --git a/logical/frumar.nix b/logical/frumar.nix index 9ac3573..daa5a8a 100644 --- a/logical/frumar.nix +++ b/logical/frumar.nix @@ -7,6 +7,8 @@ ../services/torrent-wg.nix ]; + deployment.keyys = [ ../keys/grafana.env ]; + system.stateVersion = "15.09"; networking.hostId = "0702dbe9"; @@ -71,5 +73,13 @@ enable = true; addr = "0.0.0.0"; domain = "grafana.yori.cc"; + rootUrl = "https://grafana.yori.cc/"; + extraOptions = { + AUTH_BASIC_ENABLED = "false"; + AUTH_DISABLE_LOGIN_FORM = "true"; + AUTH_GOOGLE_ENABLED = "true"; + AUTH_GOOGLE_ALLOW_SIGN_UP = "false"; + }; }; + systemd.services.grafana.serviceConfig.EnvironmentFile = "/root/keys/grafana.env"; } From 19ff0bfe622c3e334868f9fb396be88b9331b4ce Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sun, 3 Jan 2021 19:00:09 +0100 Subject: [PATCH 166/172] frumar: autoscrub --- logical/frumar.nix | 7 +++++++ 1 file changed, 7 insertions(+) 
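Review bot: `keys/** filter=git-crypt diff=git-crypt` lands in the same commit that creates `keys/grafana.env`, and git-crypt only encrypts a file whose path matches the attribute at the moment it is staged, so the add order decides whether history holds ciphertext or plaintext. The opaque binary patch shown for `keys/grafana.env` is consistent with it having been encrypted; `git-crypt status` on this revision is the definitive check. A comment in `.gitattributes` such as `# anything under keys/ must be staged only after this pattern is in place` records the rule for later additions.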
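Review bot: `AUTH_GOOGLE_ALLOW_SIGN_UP = "false"` together with `AUTH_DISABLE_LOGIN_FORM = "true"` limits sign-in to Google identities that already have a Grafana user, but nothing visible restricts which Google accounts may authenticate or supplies the OAuth client credentials; presumably `GF_AUTH_GOOGLE_ALLOWED_DOMAINS`, the client id and the secret live in the git-crypt'd `keys/grafana.env`, and a comment `# OAuth client id/secret and allowed domains are in keys/grafana.env (git-crypt)` next to `extraOptions` would spare the next reader the search. `EnvironmentFile = "/root/keys/grafana.env"` relies on systemd reading the file before the unit drops to the grafana user, which is the usual NixOS pattern for root-only secrets — confirm on the deployed host that the file is mode 0400 and root-owned. In the first hunk, `deployment.keyys` reads like a misspelling of `deployment.keys`; if it is the deliberate name of this repo's own deploy option, a comment where that option is declared would prevent the double-take.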
diff --git a/logical/frumar.nix b/logical/frumar.nix index daa5a8a..d0ff3de 100644 --- a/logical/frumar.nix +++ b/logical/frumar.nix @@ -82,4 +82,11 @@ }; }; systemd.services.grafana.serviceConfig.EnvironmentFile = "/root/keys/grafana.env"; + services.zfs = { + trim.enable = false; # no ssd's + autoScrub = { + enable = true; + interval = "*-*-01 02:00:00"; # monthly + 2 hours + }; + }; } From e8a63860c834edf5aed144b848242ef02008e911 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sun, 3 Jan 2021 19:00:33 +0100 Subject: [PATCH 167/172] global: enable prometheus exporters --- logical/pennyworth.nix | 4 ++++ roles/default.nix | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/logical/pennyworth.nix b/logical/pennyworth.nix index 4d3ca4c..5464aae 100644 --- a/logical/pennyworth.nix +++ b/logical/pennyworth.nix @@ -86,6 +86,10 @@ in inherit publicKey; allowedIPs = [ "${vpn.ips.${machine}}/32" ]; }) vpn.keys); + services.prometheus.exporters.wireguard = { + enable = true; + }; + networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 9586 ]; boot.kernel.sysctl."net.ipv4.ip_forward" = 1; environment.noXlibs = true; users.users.yorick.packages = with pkgs; [ diff --git a/roles/default.nix b/roles/default.nix index 20780ea..cc557d0 100644 --- a/roles/default.nix +++ b/roles/default.nix @@ -113,4 +113,10 @@ in [ "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0=" ]; nix.trustedUsers = ["@wheel"]; + services.prometheus.exporters.node = { + enable = true; + enabledCollectors = [ "systemd" ]; + disabledCollectors = [ "rapl" ]; + }; + networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 9100 ]; } From b0a4c834213e2757d9937960be56e81bf952ecd5 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sun, 3 Jan 2021 19:00:46 +0100 Subject: [PATCH 168/172] pennyworth: p1 redirect --- logical/pennyworth.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/logical/pennyworth.nix b/logical/pennyworth.nix index 5464aae..6e527a0 100644 --- a/logical/pennyworth.nix 
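Review bot: Both new exporters leave `listenAddress` at the NixOS default, which binds every interface, so only the `networking.firewall.interfaces.wg-y.allowedTCPPorts` rule keeps 9586 (wireguard, here) and 9100 (node, in the roles/default.nix hunk of the same commit) off the public interfaces; a host that disables the firewall or later gains a second non-VPN interface exposes them. Setting `listenAddress` on both exporters to the host's wg-y address adds a layer that does not depend on firewall state. The node exporter's `enabledCollectors = [ "systemd" ]` also publishes the unit inventory of every host that includes `roles/default.nix`, acceptable over the VPN but worth a comment `# reachable only over wg-y; metrics include the systemd unit list`.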
+++ b/logical/pennyworth.nix @@ -68,6 +68,7 @@ in forceSSL = true; globalRedirect = "yorickvanpelt.nl"; }; + "yorickvanpelt.nl".locations."/p1".return = "301 https://git.yori.cc/yorick/meterkast"; "grafana.yori.cc" = sslforward "http://${vpn.ips.frumar}:3000"; "ubiquiti.yori.cc" = sslforward "https://${vpn.ips.woodhouse}:8443"; "prometheus.yori.cc" = { From bd925ad01452d4184b26ef6032798b7e7768cb9a Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sun, 3 Jan 2021 20:57:27 +0100 Subject: [PATCH 169/172] frumar: disable nginx --- logical/frumar.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/logical/frumar.nix b/logical/frumar.nix index d0ff3de..87740dd 100644 --- a/logical/frumar.nix +++ b/logical/frumar.nix @@ -12,12 +12,12 @@ system.stateVersion = "15.09"; networking.hostId = "0702dbe9"; - services.nginx.enable = true; - services.nginx.virtualHosts."${config.networking.hostName}" = { - enableACME = lib.mkForce false; - forceSSL = lib.mkForce false; - default = true; - }; + services.nginx.enable = false; + # services.nginx.virtualHosts."${config.networking.hostName}" = { + # enableACME = lib.mkForce false; + # forceSSL = lib.mkForce false; + # default = true; + # }; boot.supportedFilesystems = [ "zfs" ]; services.yorick.torrent-vpn = { enable = true; name = "mullvad-nl4"; namespace = "torrent"; From 56f9cba5bcf097a3ef622fdec935e4d1be820b71 Mon Sep 17 00:00:00 2001 
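Review bot: The commented-out `virtualHosts` block keeps dead configuration in the file that git history already preserves; `services.nginx.enable = false;` alone, with a one-line reason such as `# nginx off: grafana is published through pennyworth's sslforward` (if that is indeed why), says more than the five commented lines. Note that grafana on this host still has `addr = "0.0.0.0"` from the earlier commit, so turning nginx off removes the local front door but not the listener on port 3000; what gates it on non-VPN interfaces is the firewall configuration, which is outside this hunk.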
From: Yorick van Pelt Date: Sun, 3 Jan 2021 22:06:31 +0100 Subject: [PATCH 170/172] update email, setup backups --- keys/pennyworth_borg_repo.key | Bin 0 -> 70 bytes keys/pennyworth_borg_ssh.key | Bin 0 -> 3403 bytes keys/pennyworth_borg_ssh.key.pub | Bin 0 -> 763 bytes logical/pennyworth.nix | 25 ++++------------- nix/sources.json | 7 +++++ services/backup.nix | 46 +++++++++++++++++++++++++++++++ services/email.nix | 26 +++++++++++++++++ 7 files changed, 84 insertions(+), 20 deletions(-) create mode 100644 keys/pennyworth_borg_repo.key create mode 100644 keys/pennyworth_borg_ssh.key create mode 100644 keys/pennyworth_borg_ssh.key.pub create mode 100644 services/backup.nix create mode 100644 services/email.nix diff --git a/keys/pennyworth_borg_repo.key b/keys/pennyworth_borg_repo.key new file mode 100644 index 0000000000000000000000000000000000000000..3f320f0d4af520f5a38d2fc3287e341c85201881 GIT binary patch literal 70 zcmV-M0J;AFM@dveQdv+`0DZFMTX^IUO8wY+|Gs;v$$1bdjJ3c literal 0 HcmV?d00001 
diff --git a/keys/pennyworth_borg_ssh.key b/keys/pennyworth_borg_ssh.key new file mode 100644 index 0000000000000000000000000000000000000000..c830363bb66791f3a50395860b84f2d2a1d0e776 GIT binary patch literal 3403 zcmV-R4YcwAM@dveQdv+`0NWuILs_62z@EZDW0{tcGTP6(Np)rSXBp<({olx^MNH)o zU{ub!d_HOPtQ=wd+XD|XcnC52BbOVd%Dp0N2iI_Lzj+!7BFa2}?&McNOkPOD;B7F# z;0As7GAN;+r3-DmIKc;b)_JB6o%Z2SU`7yvio_SO6#Bhi!FXyNs-HMo8D}SW-abEF##KeaRc9uzG@$%($Sy?$=d3#PSwTnG1H??exs<2NAxr8}z~So9(7;>s701gfsM_J<9hIP|@A{8W` z8{mh6V${MTg%_n|O)UJgIY7SzK;}KDiZgdtq}r^xZGFAG3a!C}=;%MHT)Q^KOQ=`` zR{p8zUby}EE7f#uEZ69DeVzF0ZuD&-G07IJH5^Yen-3Ndis9^*j)Fg3Wx4ra%H5W$ z^xi(v&cqk#ViusNU?lc-j#ca(Vd?9B5aa3Y;#jnLQ!zO|{Eo$mZu1r>` zS}QUclcFciQ>jk1&!moS9HP#MA@dnmTlMoGNA)I6?B?}&%}Igz32S7v!g ziS)==7Fvsf79Rd7P(Wk@n(<4uIceSFJx8^eyad1-Fh|67M`1sK?<;mRFI~b&>b&;fI7-0ym;X@^s z+3Rn9a8^B$C~Iz22t`B1iJ_z5cxP;~HXDvfE*Sw6YN&DUH7s;-fH%`%K-))~)3DK^ zLf8l<03{Y~@?aMnE5E?h2pl2mMDJ#~rhFblxu$w5*^&KK9_aLIAYF`gtSzh z*}d5m4-yIlN(qzwSpj&F+C1fIXzn$9CvtNiU+A<2QfmaHKpEp?-B|1f^)-z@XeE;n zIQ55R+6$byyf6C&F7=+DL9i*(pgkjIQGwR9qT5QuIR0&bcc%Gp9s%yy(Tli95!{#^ z*}`H{)n=#!kldl4_i1lyljj1HXJNMvbwTz1PjV|fC@Ym8jxA*nG&JK?2|hNKw%SBo zvHPEl)@AcGb--rhwKCyV_$=CqKY0%3 zQlf5*wpqq=mQ-oI*kHks7{F>rotlZAG-L%sW|35-Ek2SPL6xHWYlLE5R17RAfUr|E z#lcdUfQ9zyG$9NaDfbS*Xigwd{5D7#lO&(Ed=Vh1~uS&<>?$cR}- z>91kx0dXM@XU*#Lp%vmTz!*GpU%hM>H66|vF!Vs9650qL7l^D-gjSoHm*tfc#O&&^ zJzlMk10i+iZ3MPjAhCa%0i`^4)-{k2ec<~06h{EErPuFTv%0BzZ@Q+bxQKrkF}mT& z=@V3pX9DUmtRfnTIk5hh+YuJazH-hX2fJ30bDOt#m3~Ha*!rW!`fG6tDN1*`2)ltC zA8cG(g#GoZX2ZwK=ET~t(5^nE(X%Oxm|)$fj^1Dh+LK=K*rq);_$$c2CcD??;=^(7G5a;r*e(2;Q3!L>#k0m>_+_tL(XIXeC zt^OnOs=fL5RP1Hm#CxB1FQr?GN95Se{Kf56HzMNYi46XDtkcqw0P0U3C;=scc|d+} zUcK86>xSncaMs#U?h00#%3Rio0Mpvxt)8?KB1Ru3Vr=bqEt8Clz6HZyU~MKr^b>!k z*u0|te{>B)rnXG|Tw=WMRYNTvvGxAHi1MpjjQzyWpAHwTctqa z!dX;Lb03e@qBWRJHczOH7lf1ttwe=V7@$!ci2Qc`#ymZbGAWOt0j%MXfLN;IVs#q; zp0-bYMi4-1JbJ;jqfhtKWjYhk!OYV7r;9|=hkSCQpMTzL?jTygja|CIP#tvZkubKU z6bcN^1`K8IG%><$Ui%x4ZTRzf%onaUMefl7vZbV+sqFgP--W5{u3j^hhwo`=;~noJ 
z0!rO9kO5R~2kwqLGjJtEnT#1HKX#UyfIpge9+2>qRm1qIt+Afs%(=tNi_`FgMFqVt zVpeXNO6C)H!ZI1=#Fiw&f{+%q;bU}YS7vlN*U}^7%5tRhd7i?37{nA{&B@z|KaYB{ zub85;j`Mt2M5i=+RWZPu@O3h&d@D-5PgS{`;)T%4mmOdnXfTEL!FBwwX-2V?{zU%6 zU3FI>s&JwvAdi<|P3$lYfmZ*#VLyT_T&tS~eOBFy=vT$f2`5%_N0DCy7SLdW2SM#A^+W7M zYtiO?GB&(f>k{i^-3;$~9GT)aID#<@wes*T23la;y4Xms#EbJGJKo{!vc!09($0tW zat43lm1>_*?rvsyoPY!mx&a?R)7Iq|T26E8>^;=-ve3r=*td+c3C+{?S4DkRi_P8V{$$G*4@I%h|UM$bO zfTzj1%d1c0!@Gb_vxM5&>KbU8EZ>?5kU!0XN4HJ-RPwYmV^>Nk0?E)7nl*}IK9$3g ztq0BWJm{7&c*j2?M~Icb@)^7Ni&wB}{x9g&^H+lyH`@omEr2=c(AP{2OsP!4*~c}&h{qC}7`ab<9%&Kq3S+IQ2Rn=S;h_TuLX>4}3=6P3ZRp3k5c))? zq_D%|)}@i|E=b5FZG8zPmeXiN1aMt*7Vk_nu)B0KYf z8vn8p|5X`Zh2wV1^tK9v&?L0MBJ4&qsmIc?b5vv)aMhFke9j{_?(S?0wLkf@S6Pv@ zBH%w}e%MB*DQuW5wOvOrrRHu)(eyO|Y@)sV6987v?(ZVrAJW6HUOlMB$2?+@1s*q9 zWFmCf_WI!~?orMi`+3J2yg0#=Sq#_9~_ujI*e-*%p6B8z0T&)*Y;R@!nAP1i{S<_(#S;t z{cb%9jGVY^H4h|~by5*wRwQY!=5JCtel{{-Pv_3oMbjz5OpSzU6vm7B1AN&$ZYJEV zMAf(>cfXDq8x?b8o;QF1(|yNZ?KG_(Sw;{VXkdSAAM@d%dfzO^<4WfkfSupJex~St z)cto*xm8Iv6;4S8a`n{t{Z%+!hGJihv3-UJ5V(Wba8rsPZ>5D^|5~?5r|)x=jcvY{ zk(b}t)UU5$$_irprypX^UhG9(5U8#~duKgrAxY!jhg54}`LJ0-i?v&Vd)h} zetAH_PqV=Kd}G3Ws~v5unYn#yjULod7(*B(muQu+`6rwQ5G0k9ad4ksV%hJL>Fq)Z>i#TG8SPBvCpRXVx^DIbi{u0nNDi55&ywtQUWw_jnOY?#pSttM zF>#rHsdwWICE?YbT>0TPMlbhNXm58cDdKr%{`K170KS96;lD1$8XTTOfYJp0FQ1$v zKj`ro$@r|Saw8*yA+~xkz}{~IE{I)09gY+Lt~G-)Gj^jK?$3=//archive/.tar.gz" }, + "nixos-mailserver": { + "sha256": "1m8ylrxlkn8nrpsvnivg32ncba9jkfal8a9sjy840hpl1jlm5lc4", + "type": "tarball", + "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864/nixos-mailserver-ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864.tar.gz", + "url_template": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive//nixos-mailserver-.tar.gz", + "version": "ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864" + }, "nixpkgs": { "branch": "nixos-unstable", "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. 
Send issues and PRs to", diff --git a/services/backup.nix b/services/backup.nix new file mode 100644 index 0000000..5af3a98 --- /dev/null +++ b/services/backup.nix @@ -0,0 +1,46 @@ +{ name, ... }: +{ + deployment.keyys = [ + (../keys + "/${name}_borg_repo.key") + (../keys + "/${name}_borg_ssh.key") + ]; + services.borgbackup.jobs.backup = { + encryption = { + # Keep the encryption key in the repo itself + mode = "repokey-blake2"; + + # Password is used to decrypt the encryption key from the repo + passCommand = "cat /root/keys/${name}_borg_repo.key"; + }; + environment = { + # Make sure we're using Borg >= 1.0 + BORG_REMOTE_PATH = "borg1"; + + # SSH key is specific to the subaccount defined in the repo username + BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key"; + }; + + # Define schedule + startAt = "hourly"; + + repo = "14337@ch-s012.rsync.net:${name}"; + paths = [ "/home" "/root" "/var/lib" ]; + + prune.keep = { + # hourly backups for the past week + within = "7d"; + + # daily backups for two weeks before that + daily = 14; + + # weekly backups for a month before that + weekly = 4; + + # monthly backups for 6 months before that + monthly = 6; + + # 2 years + yearly = 2; + }; + }; +} diff --git a/services/email.nix b/services/email.nix new file mode 100644 index 0000000..44a7dc8 --- /dev/null +++ b/services/email.nix @@ -0,0 +1,26 @@ +{ config, pkgs, lib, ... }: +let + sources = import ../nix/sources.nix; +in +{ + imports = [ + ("${sources.nixos-mailserver}") + ]; + + mailserver = rec { + enable = true; + fqdn = "pennyworth.yori.cc"; + domains = [ "yori.cc" "yorickvanpelt.nl" ]; + loginAccounts = { + "yorick@yori.cc" = { + hashedPassword = (import ../secrets.nix).yorick_mailPassword; + catchAll = domains; + aliases = [ "@yori.cc" "@yorickvanpelt.nl" ]; + }; + }; + certificateScheme = 3; + enableImapSsl = true; + }; + + services.borgbackup.jobs.backup.paths = [ "/var/vmail" ]; +} From 77a698c7c36f269fe3dc22ea7bdc382a10aa87ff Mon Sep 17 00:00:00 2001 
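Review bot: `BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key"` says nothing about host-key verification, so the hourly job relies on `ch-s012.rsync.net` already being in root's `known_hosts`; under systemd there is no terminal to accept a new key, so a first run or a re-keyed server fails with "Host key verification failed" instead of prompting, and a legitimate rotation is indistinguishable from a hostile one until someone reads the journal. Declaring the server's key with `programs.ssh.knownHosts` (or `-o UserKnownHostsFile=` pointing at a deployed file) keeps strict checking on and makes the dependency explicit. `paths` also includes `/root`, so `/root/keys/${name}_borg_*.key` are backed up into the repository they unlock; harmless for `repokey-blake2`, but a comment `# /root includes the borg keys themselves` avoids a later surprise.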
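Review bot: `hashedPassword = (import ../secrets.nix).yorick_mailPassword` evaluates the hash into the NixOS configuration, which ends up in the world-readable Nix store of the mail host and of whatever machine evaluates it; the git-crypt protection on `secrets.nix` stops at the repository boundary. If the pinned nixos-mailserver revision provides `hashedPasswordFile`, pointing it at a root-only file deployed like the borg keys keeps the hash out of the store; otherwise a comment `# NOTE: this hash ends up in the nix store` documents the trade-off. `catchAll = domains` and `aliases = [ "@yori.cc" "@yorickvanpelt.nl" ]` appear to express the same catch-all twice — a comment saying which is intended, or dropping one, would help.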
From: Yorick van Pelt Date: Sun, 23 May 2021 17:19:28 +0200 Subject: [PATCH 171/172] update --- logical/blackadder.nix | 18 ++++++++++++++++++ modules/lumi-vpn.nix | 2 +- nix/sources.json | 34 +++++++++++++++++++++++++++++----- nix/sources.nix | 5 ++++- physical/3950x.nix | 16 +++++++++++++--- roles/workstation.nix | 10 ++++++++++ services/pub.nix | 4 ++++ 7 files changed, 79 insertions(+), 10 deletions(-) diff --git a/logical/blackadder.nix b/logical/blackadder.nix index 033b617..4f0abcd 100644 --- a/logical/blackadder.nix +++ b/logical/blackadder.nix @@ -5,6 +5,8 @@ ../roles/workstation.nix ]; + nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; + system.stateVersion = "19.09"; yorick.lumi-vpn = { @@ -12,6 +14,8 @@ mtu = 1408; }; + xdg.autostart.enable = false; + services.znapzend = { enable = true; pure = true; @@ -30,4 +34,18 @@ }; }; }; + + services.udev.extraRules = '' + SUBSYSTEM=="usb", ATTRS{idVendor}=="20b7", ATTRS{idProduct}=="9db1", MODE="0660", GROUP="dialout", TAG+="uaccess" + ''; + + nix.trustedUsers = [ "lars" ]; + users.users.lars = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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 openpgp:0x60F7D1FD" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvdQ963wjgWyFMp6djRTqVwZr3/PQ/V+Qm5JTcxRTdY lumi@channelwood" + ]; + }; + virtualisation.docker.enable = true; } diff --git a/modules/lumi-vpn.nix b/modules/lumi-vpn.nix index e49e0b1..78ec185 100644 --- a/modules/lumi-vpn.nix +++ b/modules/lumi-vpn.nix @@ -17,7 +17,7 @@ in }; mtu = mkOption { type = types.int; - default = 1371; + default = 1371; # 1408 at home }; ip = mkOption { type = types.str; diff --git a/nix/sources.json b/nix/sources.json index e25c1ec..62ea370 100644 --- a/nix/sources.json +++ b/nix/sources.json 
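Review bot: `nix.trustedUsers = [ "lars" ]` grants more than the `isNormalUser` account below suggests: a Nix trusted user may override daemon settings for their own builds — substituters, trusted public keys, sandboxing — and add unsigned paths to the store, which the Nix manual describes as effectively root. It also merges with the `"@wheel"` entry from roles/default.nix, so the effective list is wider than this line shows. If `lars` only needs the host's caches, configuring those substituters host-wide keeps the grant out; if the trust is intended, a comment `# trusted-users is root-equivalent; needed for <reason>` beside it records why. `virtualisation.docker.enable = true` has the same shape: membership of the `docker` group, should it ever be added to this account, is likewise root-equivalent.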
@@ -1,4 +1,16 @@ { + "emacs-overlay": { + "branch": "master", + "description": "Bleeding edge emacs overlay [maintainer=@adisbladis] ", + "homepage": "", + "owner": "nix-community", + "repo": "emacs-overlay", + "rev": "dfed6847f127bd3c2c0cdd71b28d4e63e0ec0e91", + "sha256": "1b0871cr491cf1a4clhv2kwg492gp25gl45w72bmkyjbb6n22c7f", + "type": "tarball", + "url": "https://github.com/nix-community/emacs-overlay/archive/dfed6847f127bd3c2c0cdd71b28d4e63e0ec0e91.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, "niv": { "branch": "master", "description": "Easy dependency management for Nix projects", 
@@ -31,15 +43,27 @@ "version": "ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864" }, "nixpkgs": { - "branch": "nixos-unstable", + "branch": "master", "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to", "homepage": "https://github.com/NixOS/nixpkgs", - "owner": "NixOS", + "owner": "nixos", "repo": "nixpkgs", - "rev": "733e537a8ad76fd355b6f501127f7d0eb8861775", - "sha256": "1rjvbycd8dkkflal8qysi9d571xmgqq46py3nx0wvbzwbkvzf7aw", + "rev": "9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2", + "sha256": "1r3ll77hyqn28d9i4cf3vqd9v48fmaa1j8ps8c4fm4f8gqf4kpl1", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/733e537a8ad76fd355b6f501127f7d0eb8861775.tar.gz", + "url": "https://github.com/nixos/nixpkgs/archive/9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixpkgs-mozilla": { + "branch": "master", + "description": "mozilla related nixpkgs (extends nixos/nixpkgs repo)", + "homepage": "", + "owner": "mozilla", + "repo": "nixpkgs-mozilla", + "rev": "8c007b60731c07dd7a052cce508de3bb1ae849b4", + "sha256": "1zybp62zz0h077zm2zmqs2wcg3whg6jqaah9hcl1gv4x8af4zhs6", + "type": "tarball", + "url": "https://github.com/mozilla/nixpkgs-mozilla/archive/8c007b60731c07dd7a052cce508de3bb1ae849b4.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs-wayland": { diff --git a/nix/sources.nix b/nix/sources.nix index b796fff..1938409 100644 --- a/nix/sources.nix +++ b/nix/sources.nix 
@@ -98,7 +98,10 @@ let saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; in - if ersatz == "" then drv else ersatz; + if ersatz == "" then drv else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}"; # Ports of functions for older nix versions diff --git a/physical/3950x.nix b/physical/3950x.nix index f757370..23f79ec 100644 --- a/physical/3950x.nix +++ b/physical/3950x.nix @@ -12,13 +12,23 @@ in boot.loader.efi.canTouchEfiVariables = true; boot.supportedFilesystems = [ "zfs" ]; boot.kernelModules = [ "nct6775" ]; - boot.kernelPackages = pkgs.linuxPackages_5_9; + boot.kernelPackages = pkgs.linuxPackages_5_10; networking.hostId = "c7736638"; services.zfs.autoScrub.enable = true; services.zfs.trim.enable = true; hardware.bluetooth.enable = true; networking.useDHCP = false; - networking.interfaces.enp9s0.useDHCP = true; - boot.kernelParams = [ "amdgpu.ppfeaturemask=0xffffffff" "amdgpu.noretry=0" "amdgpu.lockup_timeout=1000" "amdgpu.gpu_recovery=1" "amdgpu.audio=0" ]; + networking.usePredictableInterfaceNames = false; + networking.bridges.br0.interfaces = [ "eth0" ]; + networking.interfaces.br0.useDHCP = true; + # systemd.network.links."98-namepolicy" = { + # matchConfig.OriginalName = "*"; + # linkConfig.NamePolicy = "mac kernel database onboard slot path"; + # }; + boot.kernelParams = [ + "amdgpu.ppfeaturemask=0xffffffff" "amdgpu.noretry=0" "amdgpu.lockup_timeout=1000" "amdgpu.gpu_recovery=1" "amdgpu.audio=0" + # thunderbolt + "pcie_ports=native" "pci=assign-busses,hpbussize=0x33,realloc" + ]; } diff --git a/roles/workstation.nix b/roles/workstation.nix index b36dac8..96ee28b 100644 --- a/roles/workstation.nix +++ b/roles/workstation.nix 
@@ -99,4 +99,14 @@ in boot.kernel.sysctl."fs.inotify.max_user_watches" = 1024000000; yorick.lumi-vpn.enable = true; + + services.pipewire.enable = true; + xdg.portal = { + enable = true; + extraPortals = with pkgs; [ + xdg-desktop-portal-wlr + xdg-desktop-portal-gtk + ]; + gtkUsePortal = true; + }; } diff --git a/services/pub.nix b/services/pub.nix index 8b7d340..a8cc787 100644 --- a/services/pub.nix +++ b/services/pub.nix @@ -7,6 +7,10 @@ let cfg = config.services.yorick.public; in }; #imports = [../modules/nginx.nix]; config = lib.mkIf cfg.enable { + systemd.services.nginx.serviceConfig = { + ProtectHome = "tmpfs"; + BindReadOnlyPaths = [ "/home/public/public" ]; + }; users.extraUsers.public = { home = "/home/public"; useDefaultShell = true; From fc2b2c0b780f0811c7dff907e640919ab8a5cd7b Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sun, 23 May 2021 17:20:57 +0200 Subject: [PATCH 172/172] commit muflax-church --- services/muflax-church.nix | 52 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 services/muflax-church.nix diff --git a/services/muflax-church.nix b/services/muflax-church.nix new file mode 100644 index 0000000..8da4ac3 --- /dev/null +++ b/services/muflax-church.nix 
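Review bot: `ProtectHome = "tmpfs"` and `BindReadOnlyPaths = [ "/home/public/public" ]` are set on the nginx unit itself, so they apply to every vhost on the host, not just the public-files service this module owns: any other vhost whose `root` is under `/home` but outside that directory will start serving 404s. Because the enclosing `config = lib.mkIf cfg.enable` is the guard, the hardening also disappears when this one service is disabled. A comment such as `# host-wide: under /home nginx sees only /home/public/public; add other /home roots here` on `BindReadOnlyPaths` makes the coupling visible.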
@@ -0,0 +1,52 @@ +{ config, lib, pkgs, ... }: + +let + muflax-source = builtins.fetchGit { + rev = "e5ce7ae4296c6605a7e886c153d569fc38318096"; + ref = "HEAD"; + url = "https://github.com/fmap/muflax65ngodyewp.onion.git"; +}; +nixpkgs = import (builtins.fetchTarball { + url = "https://github.com/NixOS/nixpkgs-channels/archive/78e9665b48ff45d3e29f45b3ebeb6fc6c6e19922.tar.gz"; + sha256 = "09f50jaijvry9lrnx891qmcf92yb8qs64n1cvy0db2yjrmxsxyw8"; +}) { system = builtins.currentSystem; }; + muflax-church = (nixpkgs.callPackage "${muflax-source}/maintenance" {}).overrideDerivation (default: { + buildPhase = default.buildPhase + "\n" + '' + grep -lr '[^@]muflax.com' out | xargs -r sed -i 's/\([^@]\)muflax.com/\1muflax.church/g;s/http:\/\/\([^@]*\)muflax.church/https:\/\/\1muflax.church/g' + ''; + }); + cfg = config.services.yorick.muflax-church; + inherit (cfg) vhost; + addrs = { + "daily.${vhost}" = "${muflax-church}/daily"; + "blog.${vhost}" = "${muflax-church}/blog"; + "gospel.${vhost}" = "${muflax-church}/gospel"; + "alt.${vhost}" = "/home/public/public/muflax"; + }; + m = x: root: { forceSSL = true; useACMEHost = vhost; inherit root; }; +in +{ + options.services.yorick.muflax-church = with lib; { + enable = mkEnableOption "muflax.church"; + vhost = mkOption { type = types.str; }; + }; + config = lib.mkIf cfg.enable { + services.nginx.virtualHosts = { + ${cfg.vhost} = { + forceSSL = true; + enableACME = true; + root = "${muflax-church}/muflax"; + }; + "daily.${vhost}" = m "${muflax-church}/daily"; + "blog.${vhost}" = m "${muflax-church}/blog"; + "gospel.${vhost}" = m "${muflax-church}/gospel"; + "alt.${vhost}" = m "/home/public/public/muflax"; + } // (lib.mapAttrs m addrs); + security.acme.certs.${vhost}.extraDomainNames = [ + "daily.${vhost}" + "blog.${vhost}" + "gospel.${vhost}" + "alt.${vhost}" + ]; + }; +}
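Review bot: The four explicit entries from `"daily.${vhost}" = m "${muflax-church}/daily";` to `"alt.${vhost}" = m "/home/public/public/muflax";` are partial applications — `m = x: root: …` takes two arguments — so each is a function, not a vhost; they only go unnoticed because `// (lib.mapAttrs m addrs)` overwrites the same four keys with proper attrsets, so delete them and let `addrs` be the single source for the subdomains (`extraDomainNames` could likewise be `lib.attrNames addrs`). `vhost` has no default and is used to build attribute names inside the `mkIf` body, so importing this module on a host that leaves it unset may fail at evaluation even with `enable = false` — worth checking before it joins a shared role. The `alt.` root `/home/public/public/muflax` stays readable to nginx only through the `BindReadOnlyPaths` added to services/pub.nix in the previous commit; a comment `# served via the pub.nix bind mount; keep inside /home/public/public` records that dependency.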