diff --git a/conf b/conf index d479d0f..1fdf2a0 100755 --- a/conf +++ b/conf @@ -15,6 +15,10 @@ stable) export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-17.03/nixexprs.tar.xz:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH" eval ${@:3} ;; +checkout) + export NIX_PATH="nixpkgs=`pwd`/../nixpkgs:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH" + eval ${@:3} + ;; channel) export NIX_PATH="/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH" eval ${@:3} diff --git a/logical/ascanius.nix b/logical/ascanius.nix index 7da4fdd..a666c18 100644 --- a/logical/ascanius.nix +++ b/logical/ascanius.nix @@ -1,7 +1,3 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - { config, pkgs, ... }: let secrets = import ; @@ -13,34 +9,12 @@ in ../roles/workstation.nix ]; + system.stateVersion = "17.09"; # no, not that Ascanius. networking.hostName = secrets.hostnames.ascanius; + services.tor.hiddenServices.ssh.map = [ + { port = 22; } + ]; + services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.ascanius.key"; - nixpkgs.config = { - packageOverrides = pkgs : { - bluez = pkgs.bluez5; - # https://github.com/NixOS/nixpkgs/issues/22099 - trustedGrub = pkgs.grub2.overrideDerivation (attr: rec { - version = "2.x-20170910"; - name = "trustedGRUB2-${version}"; - buildInputs = attr.buildInputs ++ (with pkgs;[autoconf automake]); - prePatch = '' - rm -rf po - tar Jxf ${pkgs.grub2.src} grub-2.02/po - cp -r grub-2.02/po po - ./autogen.sh - ''; - src = pkgs.fetchFromGitHub { - repo = "TrustedGRUB2"; - owner = "Rohde-Schwarz-Cybersecurity"; - rev = "e656aaabd3bc5abda6c62c8967ebfd0c53ef179b"; - sha256 = "08lq4prqhn923i8a7q79s4lsfnqgk4jd255xzk1wy12vg45dwlsc"; - }; - }); - }; - }; - - - services.tor.hiddenServices.ssh.map = [{ port = 22; }]; - nix.gc.automatic = pkgs.lib.mkOverride 30 false; } 
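Review bot: The new `checkout)` branch points NIX_PATH at `` `pwd`/../nixpkgs `` without checking that the directory exists, so a missing or mis-located checkout only surfaces later as an unrelated nix evaluation error. A one-line guard before the export keeps the failure at the point of the mistake: `[ -d "$(pwd)/../nixpkgs" ] || { echo "checkout: ../nixpkgs not found" >&2; exit 1; }`. The branch also repeats the unquoted `eval ${@:3}` tail used by the existing `stable)` and `channel)` branches; the `case` header and the rest of the script are outside this hunk, so a comment there noting that the remaining arguments are evaluated as shell would help the next reader.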
diff --git a/logical/jarvis.nix b/logical/jarvis.nix index d47b924..f48bf09 100644 --- a/logical/jarvis.nix +++ b/logical/jarvis.nix @@ -1,7 +1,3 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - { config, pkgs, lib, ... }: { @@ -23,10 +19,5 @@ services.xserver.displayManager.sessionCommands = '' ${pkgs.xorg.xrandr}/bin/xrandr --dpi 192 ''; - nix.gc.automatic = pkgs.lib.mkOverride 30 false; - # nix.trustedBinaryCaches = [http://192.168.1.27:5000]; - # nix.binaryCachePublicKeys = [ - # "hydra.example.org-1:NbZfmBIhIevVM5OZ81TbwruSC9etkIrdi1mR6AAdm98=" - # ]; virtualisation.virtualbox.host.enable = pkgs.lib.mkOverride 30 false; } diff --git a/logical/woodhouse.nix b/logical/woodhouse.nix index da2863c..b833b8d 100644 --- a/logical/woodhouse.nix +++ b/logical/woodhouse.nix 
@@ -1,25 +1,30 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - { config, pkgs, lib, ... }: let secrets = import ; +mkFuseMount = device: opts: { + # todo: "ServerAliveCountMax=3" "ServerAliveInterval=30" + + device = "${pkgs.sshfsFuse}/bin/sshfs#${device}"; + fsType = "fuse"; + options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user" + "defaults" "allow_other" "transform_symlinks" "default_permissions" + "uid=1000" + "reconnect" "IdentityFile=/root/.ssh/id_sshfs"] ++ opts; +}; in { imports = [ # Include the results of the hardware scan. ../physical/nuc.nix ../roles/common.nix - ../roles/collectd.nix - ../modules/tor-hidden-service.nix + # ../roles/collectd.nix ../roles/graphical.nix ]; networking.hostName = secrets.hostnames.woodhouse; # The NixOS release to be compatible with for stateful data such as databases. - system.stateVersion = "16.09"; + system.stateVersion = "17.09"; services.xserver = { 
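Review bot: `mkFuseMount` hard-codes `"uid=1000"` while roles/common.nix in this same commit defines `users.extraUsers.yorick.uid = 1000;`, so the two can drift apart silently; `"uid=${toString config.users.extraUsers.yorick.uid}"` ties the mount to the actual account (`config` is already a parameter of this file). The helper's argument `device` shares its name with the `device` attribute it returns; because the set is not `rec` this evaluates correctly, but renaming the argument removes the shadowing confusion: `mkFuseMount = remote: opts: { device = "${pkgs.sshfsFuse}/bin/sshfs#${remote}"; ... }`. The carried-over `# todo` about ServerAlive options now applies to all three mounts at once, so it would be a natural `# TODO:` on the helper itself.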
@@ -27,42 +32,14 @@ in }; - - services.tor.hiddenServices = [ - { name = "ssh"; - port = 22; - hostname = secrets.tor_hostnames."ssh.woodhouse"; - private_key = "/run/keys/torkeys/ssh.woodhouse.key"; } - ]; + services.tor.hiddenServices.ssh.map = [ {port = 22;} ]; + services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.woodhouse.key"; system.fsPackages = [ pkgs.sshfsFuse ]; - fileSystems."/mnt/frumar" = { - # todo: "ServerAliveCountMax=3" "ServerAliveInterval=30" - device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@" + secrets.hostnames.frumar + ":/data/yorick"; - fsType = "fuse"; - options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user" - "defaults" "allow_other" "transform_symlinks" "default_permissions" - "uid=1000" - "reconnect" "IdentityFile=/root/.ssh/id_sshfs"]; - }; - fileSystems."/mnt/oxygen" = { - device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@oxygen.obfusk.ch:"; - fsType = "fuse"; - options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user" - "defaults" "allow_other" "transform_symlinks" "default_permissions" - "uid=1000" - "reconnect" "IdentityFile=/root/.ssh/id_sshfs"]; - }; - - fileSystems."/mnt/nyamsas" = { - device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@nyamsas.quezacotl.nl:"; - fsType = "fuse"; - options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user" - "defaults" "allow_other" "transform_symlinks" "default_permissions" - "uid=1000" - "reconnect" "IdentityFile=/root/.ssh/id_sshfs" "port=1337"]; - }; + fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" []; + fileSystems."/mnt/oxygen" = mkFuseMount "yorick@oxygen.obfusk.ch:" []; + fileSystems."/mnt/nyamsas" = mkFuseMount "yorick@nyamsas.quezacotl.nl:" ["port=1337"]; networking.firewall.allowedTCPPorts = [7 8080 9090 9777]; # kodi diff --git a/modules/tor-hidden-service.nix b/modules/tor-hidden-service.nix index 0f10328..5fd411b 100644 --- a/modules/tor-hidden-service.nix +++ b/modules/tor-hidden-service.nix 
@@ -3,25 +3,15 @@ with lib; let - hiddenServices = config.services.tor.hiddenServices; + service-keys = config.services.tor.service-keys; + torDir = "/var/lib/tor"; in { - options.services.tor = { - hiddenServices = mkOption { default = []; }; + options.services.tor.service-keys = mkOption { + default = {}; + type = with types; loaOf string; }; - config = mkIf (hiddenServices != []) { - assertions = map (hiddenService: { - assertion = hasAttr "name" hiddenService && hasAttr "port" hiddenService; - message = "all hidden services should define a name and a port.."; - }) hiddenServices; - - services.tor.enable = true; - - services.tor.extraConfig = concatStringsSep "\n" (map (hiddenService: '' - HiddenServiceDir /var/lib/tor/${hiddenService.name} - HiddenServicePort ${toString (if hasAttr "remote_port" hiddenService then hiddenService.remote_port else hiddenService.port)} 127.0.0.1:${toString hiddenService.port} - '') hiddenServices); - + config = mkIf (service-keys != {}) { systemd.services."install-tor-hidden-service-keys" = { wantedBy = ["tor.service"]; serviceConfig.Type = "oneshot"; 
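Review bot: The new `services.tor.service-keys` option has no `description`, so `nixos-option` and the generated docs show nothing about what the attribute names and values mean; given the install script in the next hunk, something like `description = "Private key files for tor hidden services, keyed by the name used in services.tor.hiddenServices; each is copied to /var/lib/tor/onion/<name>/private_key before tor starts."` would do. The description should also say that the attribute name must match the `services.tor.hiddenServices` entry, since the script derives the target directory from it and a mismatched name presumably lands the key where tor never looks. Nothing in this diff sets `services.tor.enable` any more (the removed block did); if it is not set in a role outside the diff, the `hiddenServices` entries and the key-install unit (wantedBy `tor.service`) are inert. The `config = mkIf ...` attribute set opened here continues into the next hunk.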
@@ -29,14 +19,13 @@ in { serviceConfig.Group = "keys"; # TODO: update on change? # TODO: better ways to get the keys on the server - script = concatStringsSep "\n" (map (hiddenService: if (hasAttr "private_key" hiddenService && hasAttr "hostname" hiddenService) then '' - if ! [[ -e /var/lib/tor/${hiddenService.name}/private_key ]]; then - mkdir -p /var/lib/tor/${hiddenService.name}/ - cp ${hiddenService.private_key} /var/lib/tor/${hiddenService.name}/private_key - echo ${hiddenService.hostname} > /var/lib/tor/${hiddenService.name}/hostname - chmod -R 700 /var/lib/tor/${hiddenService.name}; + script = concatStringsSep "\n" (mapAttrsToList (name: keypath: '' + if ! [[ -e ${torDir}/onion/${name}/private_key ]]; then + mkdir -p ${torDir}/onion/${name}/ + cp ${keypath} ${torDir}/onion/${name}/private_key + chmod -R 700 ${torDir}/onion/${name} fi - '' else "true") hiddenServices); + '') service-keys); }; }; } diff --git a/physical/fractal.nix b/physical/fractal.nix index bcaf31b..8e3a7a8 100644 --- a/physical/fractal.nix +++ b/physical/fractal.nix @@ -9,8 +9,7 @@ ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; + yorick.cpu = "intel"; # Use the GRUB 2 boot loader. boot.loader.grub.enable = true; diff --git a/physical/hp8570w.nix b/physical/hp8570w.nix index be8a1eb..ac34d0b 100644 --- a/physical/hp8570w.nix +++ b/physical/hp8570w.nix 
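Review bot: The key is written with `cp` into a directory made by `mkdir -p` and only afterwards restricted with `chmod -R 700`, so for a moment `private_key` carries the copied or umask-derived mode rather than 600; creating both with their final mode closes that window: `install -d -m 700 ${torDir}/onion/${name}` and `install -m 600 ${keypath} ${torDir}/onion/${name}/private_key`. Ownership is never set, and tor is strict about the owner and mode of its HiddenServiceDir; whether that is covered depends on the unit's `User=`, which is outside the hunk (only `Group = "keys"` is visible) — if the unit runs as root, add `-o tor -g tor` to both `install` calls. The interpolated `${name}` and `${keypath}` are unquoted in the generated shell; they come from option attribute names and paths, so quoting them is cheap insurance rather than a current bug.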
@@ -1,47 +1,27 @@ -# I'm modifying this file anyways. { config, lib, pkgs, ... }: { - imports = - [ - ./hp8570w/powerdown.nix - ]; + imports = [ + + ./hp8570w/powerdown.nix + ]; - hardware.cpu.intel.updateMicrocode = true; + yorick = { cpu = "intel"; gpu = "nvidia"; laptop = true; }; boot = { loader.grub = { enable = true; device = "/dev/sda"; - trustedBoot = { - enable = true; - systemHasTPM = "YES_TPM_is_activated"; - }; }; kernelPackages = pkgs.linuxPackages_latest; - kernelModules = ["nvidiabl" "kvm-intel"]; }; - services.xserver.videoDrivers = ["nouveau"]; - services.xserver.synaptics.enable = true; - networking.wireless.enable = true; - hardware.bluetooth.enable = true; - - - # ideal... doesn't work. - #services.udev.extraRules = '' - # KERNEL=="nvidia_backlight", SUBSYSTEM=="backlight", MODE="666" - #''; - # for now - systemd.services."display-manager".preStart = '' - chmod a+w $(realpath /sys/class/backlight/nv_backlight/brightness) || true - ''; # this makes sure my wifi doesn't take a minute to work services.udev.extraRules = '' SUBSYSTEM=="firmware", ACTION=="add", ATTR{loading}="-1" ''; - boot.initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usbhid" "usb_storage" "btrfs" "dm_crypt" ]; + boot.initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usbhid" "usb_storage" ]; boot.initrd.luks.devices = [ { name = "nix-root-enc"; device = "/dev/sdb2"; @@ -65,6 +45,6 @@ nix.maxJobs = 8; - services.tcsd.enable = true; # it has a TPM. maybe use this? - environment.systemPackages = with pkgs; [btrfs-progs tpm-tools]; + #services.tcsd.enable = true; # it has a TPM. maybe use this? + #environment.systemPackages = with pkgs; [tpm-tools]; } diff --git a/physical/hp8570w/powerdown.nix b/physical/hp8570w/powerdown.nix index dc94d5d..d49d35b 100644 --- a/physical/hp8570w/powerdown.nix +++ b/physical/hp8570w/powerdown.nix 
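Review bot: The removed `trustedBoot` block, the now commented-out `services.tcsd.enable`, and the dropped `tpm-tools` were the only places this machine used its TPM, and the two surviving `#` lines are commented-out code rather than a record of why measured boot was dropped (the matching `trustedGrub` override disappears from logical/ascanius.nix in the same commit). Replace them with a tracked note, e.g. `# TODO: TPM use (grub trustedBoot, tcsd) disabled in this commit together with the trustedGrub override; revisit.`. The rewritten `imports = [` list also gained an empty first line, as did the one in physical/xps9360.nix.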
@@ -13,15 +13,9 @@ in SUBSYSTEM=="power_supply", ATTR{online}=="1", RUN+="${powersw}" ''; - systemd.services.powerswitch = { - enable = true; - wantedBy = [ "multi-user.target" "suspend.target" ]; - after = [ "suspend.target" "display-manager.service" ]; - description = "Run powerswitch sometimes"; - preStart = "sleep 4s"; - serviceConfig = { - Type = "oneshot"; - ExecStart = powersw; - }; - }; + powerManagement.powerUpCommands = '' + sleep 4s + ${powersw}/bin/powerswitch + ''; + } diff --git a/physical/nuc.nix b/physical/nuc.nix index 51f4a00..c5b2e6b 100644 --- a/physical/nuc.nix +++ b/physical/nuc.nix @@ -9,9 +9,7 @@ ]; boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - hardware.cpu.intel.updateMicrocode = true; + yorick = { cpu = "intel"; gpu = "intel"; }; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; diff --git a/physical/xps9360.nix b/physical/xps9360.nix index a605d2f..8cbd31f 100644 --- a/physical/xps9360.nix +++ b/physical/xps9360.nix 
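Review bot: The new `powerManagement.powerUpCommands` invokes `${powersw}/bin/powerswitch`, while the unchanged udev rule two lines above runs `RUN+="${powersw}"` directly, so `powersw` is treated as a package directory in one place and as an executable in the other; only one can be right, and the `let` binding that decides it is outside the hunk. The removed unit used `ExecStart = powersw`, which also requires an executable path, so unless the binding changed the new line should read `${powersw}` as before; if `powersw` is a package, the udev rule needs the same `/bin/powerswitch` suffix. The `sleep 4s` now runs inside the power-up hook instead of a separate unit's `preStart`, so it delays whatever else runs there; a comment saying why the delay is needed would help.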
@@ -1,40 +1,22 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. { config, lib, pkgs, ... }: { - imports = - [ - ]; + imports = [ + + ]; + yorick = { cpu = "intel"; gpu = "intel"; laptop = true; }; + + + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + kernelPackages = pkgs.linuxPackages_latest; + }; boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; boot.blacklistedKernelModules = ["psmouse"]; - boot.kernelPackages = pkgs.linuxPackages_latest; - - - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - - hardware.cpu.intel.updateMicrocode = true; - - - services.xserver.libinput.enable = true; - services.thermald.enable = true; - - networking.wireless.enable = true; - networking.dhcpcd.extraConfig = '' - noarp - ''; - hardware.bluetooth.enable = true; - # https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options - # might require linux 4.11 - boot.kernelParams = ["i915.enable_fbc=1" "i915.enable_guc_loading=1" "i915.enable_guc_submission=1" "i915.enable_huc=1" "i915.enable_psr=2" "intel_iommu=on"]; - # now we wait until enable_psr=1 is fixed fileSystems."/" = { device = "/dev/disk/by-uuid/a751e4ea-f1aa-48e1-9cbe-423878e29b62"; 
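Review bot: The removed `boot.kernelParams` line carried `"intel_iommu=on"`, but the replacement list in the new roles/hardware.nix `gpu == "intel"` block omits it, so this commit silently turns off IOMMU enforcement on the XPS 9360 and on any other host routed through that block. On a laptop with Thunderbolt the IOMMU is the DMA boundary against hot-plugged devices; if the drop is unintended, keep it per host with `boot.kernelParams = ["intel_iommu=on"];` here, or add it to the `cpu == "intel"` block of hardware.nix where it belongs logically. The other moved parameters (`i915.*`) match the old line, and the Arch wiki comment moved with them.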
@@ -57,24 +39,7 @@ ]; nix.maxJobs = lib.mkDefault 4; - - environment.systemPackages = [pkgs.btrfs-progs]; - # ideal... doesn't work. - #services.udev.extraRules = '' - # KERNEL=="intel_backlight", SUBSYSTEM=="backlight", MODE="666" - #''; - # for now - systemd.services."display-manager".preStart = '' - chmod a+w $(realpath /sys/class/backlight/intel_backlight/brightness) || true - ''; - # this makes sure my wifi doesn't take a minute to work - services.udev.extraRules = '' - SUBSYSTEM=="firmware", ACTION=="add", ATTR{loading}="-1" - ''; - - services.xserver.videoDrivers = ["modesetting"]; - hardware.opengl.extraPackages = [ pkgs.vaapiIntel ]; # bigger console font i18n.consoleFont = "latarcyrheb-sun32"; } diff --git a/roles/collectd.nix b/roles/collectd.nix index c9589c6..3ea09b8 100644 --- a/roles/collectd.nix +++ b/roles/collectd.nix @@ -56,11 +56,11 @@ in libxml2 = null; libtool = null; lvm2 = null; - libmysql = null; + mysql = null; protobufc = null; python = null; rabbitmq-c = null; - riemann = null; + riemann_c_client = null; rrdtool = null; varnish = null; yajl = null; diff --git a/roles/common.nix b/roles/common.nix index f31d304..cf4aeb1 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -2,7 +2,10 @@ let secrets = import ; in { config, pkgs, lib, ...}: { - imports = []; + imports = [ + ../roles/hardware.nix + ../modules/tor-hidden-service.nix + ]; time.timeZone = "Europe/Amsterdam"; users.mutableUsers = false; users.extraUsers.root = { @@ -12,6 +15,7 @@ in }; services.timesyncd.enable = true; + services.fail2ban.enable = true; users.extraUsers.yorick = { isNormalUser = true; uid = 1000; @@ -22,6 +26,7 @@ in # Nix nixpkgs.config.allowUnfree = true; + nix.package = pkgs.nixUnstable; nix.trustedBinaryCaches = config.nix.binaryCaches ++ [http://hydra.cryp.to]; 
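Review bot: The firmware udev rule (`SUBSYSTEM=="firmware", ACTION=="add", ATTR{loading}="-1"`) is deleted here, but the identical rule with the same "wifi takes a minute" comment is kept in physical/hp8570w.nix in this commit, so the two laptops now diverge for no stated reason. If the rule is still wanted it belongs next to `networking.wireless.enable` in the `laptop` block of roles/hardware.nix; if it is obsolete, the hp8570w copy can go too. The `chmod a+w` brightness hack removed here is superseded by the group-based udev rules added to roles/graphical.nix, which is the better fix.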
@@ -32,10 +37,6 @@ in nix.extraOptions = '' allow-unsafe-native-code-during-evaluation = true - allow-unfree = true - #binary-caches-parallel-connections = 3 - #connect-timeout = 5 - keep-going = true ''; # Networking diff --git a/roles/graphical.nix b/roles/graphical.nix index d69f414..462db09 100644 --- a/roles/graphical.nix +++ b/roles/graphical.nix @@ -8,11 +8,6 @@ in # Enable the X11 windowing system. services.xserver = { enable = true; - synaptics = { - twoFingerScroll = true; - horizontalScroll = true; - scrollDelta = -107; # inverted scrolling - }; libinput = { naturalScrolling = true; tappingDragLock = false; @@ -23,16 +18,24 @@ in # xkbOptions = "eurosign:e"; windowManager.i3 = { enable = true; - } // (if (lib.versionAtLeast config.system.nixosRelease "17.03") then { package = pkgs.i3-gaps; - } else {}); + }; }; - hardware.opengl = { - enable = true; - driSupport32Bit = config.yorick.support32bit; - }; - hardware.pulseaudio.enable = true; - hardware.pulseaudio.support32Bit = config.yorick.support32bit; + hardware.opengl = { + enable = true; + driSupport32Bit = config.yorick.support32bit; + }; + sound.enable = true; + hardware.pulseaudio = { + enable = true; + support32Bit = config.yorick.support32bit; + }; + users.extraUsers.yorick.extraGroups = ["video"]; + # fix backlight permissions + services.udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness" + ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness" + ''; fonts = { enableFontDir = true; @@ -47,8 +50,8 @@ in ]; }; # spotify - networking.firewall.allowedTCPPorts = [57621]; - networking.firewall.allowedUDPPorts = [57621]; + networking.firewall.allowedTCPPorts = [55025 57621]; + networking.firewall.allowedUDPPorts = [55025 57621]; users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword; services.openssh.forwardX11 = true; 
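Review bot: `networking.firewall.allowedTCPPorts` and `allowedUDPPorts` now open 55025 on every graphical host, but the only comment on the block is the pre-existing `# spotify`, which explained 57621; the new port has no stated owner. Add one, e.g. `# spotify: 57621 discovery; 55025: <service — TODO confirm>`, or put the two ports on separately commented lines so each opening is accountable. The new backlight udev rules grant write access to the `video` group only, which is a clear improvement over the world-writable `chmod a+w` they replace in the physical configs; the `users.extraUsers.yorick.extraGroups = ["video"]` line is what makes that work and could carry the `# fix backlight permissions` comment as well.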
diff --git a/roles/hardware.nix b/roles/hardware.nix
new file mode 100644
index 0000000..3583928
--- /dev/null
+++ b/roles/hardware.nix
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+let cfg = config.yorick; in
+with lib;
+{
+ options.yorick = {
+ cpu = mkOption {
+ type = types.nullOr (types.enum ["intel"]);
+ };
+ gpu = mkOption {
+ type = types.nullOr (types.enum ["intel" "nvidia"]);
+ default = null;
+ };
+ laptop = mkEnableOption "laptop settings";
+ };
+ config = mkMerge [
+ (mkIf (cfg.gpu == "intel") {
+ # https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options
+ boot.kernelParams = ["i915.enable_fbc=1" "i915.enable_guc_loading=1" "i915.enable_guc_submission=1" "i915.enable_huc=1" "i915.enable_psr=2"];
+ # now we wait until enable_psr=1 is fixed
+ services.xserver.videoDrivers = ["modesetting"];
+ hardware.opengl.extraPackages = [ pkgs.vaapiIntel ];
+ })
+ (mkIf (cfg.gpu == "nvidia") {
+ boot.kernelModules = ["nvidiabl"];
+ services.xserver.videoDrivers = ["nvidia"];
+ boot.extraModulePackages = [config.boot.kernelPackages.nvidiabl];
+ })
+ (mkIf (cfg.cpu == "intel") {
+ hardware.cpu.intel.updateMicrocode = true;
+ boot.kernelModules = ["kvm-intel"];
+ })
+ (mkIf (cfg.laptop) {
+ services.xserver.libinput.enable = true;
+
+ networking.wireless.enable = true;
+ hardware.bluetooth.enable = true;
+ # gotta go faster
+ networking.dhcpcd.extraConfig = ''
+ noarp
+ '';
+ services.thermald.enable = true;
+ })
+ ];
+}
diff --git a/roles/pub.nix b/roles/pub.nix
index 34240de..b15a46c 100644
--- a/roles/pub.nix
+++ b/roles/pub.nix
@@ -1,6 +1,4 @@
 { config, pkgs, lib, ... }:
-let secrets = import ;
-in
 {
 #imports = [../modules/nginx.nix];
 config = {
diff --git a/roles/workstation.nix b/roles/workstation.nix
index 7a73db5..fab4e01 100644
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
@@ -25,4 +25,5 @@
 '';
 virtualisation.virtualbox.host.enable = true;
 yorick.support32bit = true;
+ nix.gc.automatic = pkgs.lib.mkOverride 30 false;
 }
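Review bot: `options.yorick.cpu` has no `default`, unlike `gpu`, yet `config` reads `cfg.cpu` unconditionally in `mkIf (cfg.cpu == "intel")`; because roles/common.nix now imports this file for every host, any host that does not set `yorick.cpu` fails to evaluate with an "option used but not defined" error. Add `default = null;` to the `cpu` option so unset hosts simply get no CPU-specific config, matching `gpu`. The two `boot.kernelModules` definitions in separate `mkIf` blocks merge as lists, so a host with `cpu = "intel"` and `gpu = "nvidia"` receives both modules as intended; a one-line comment above `config = mkMerge [` saying that the blocks are meant to combine would make that explicit.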