
some changes after nix 2.0

master
Yorick van Pelt 2 years ago
parent
commit
ba70783346
16 changed files with 137 additions and 219 deletions
  1. +4
    -0
      conf
  2. +5
    -31
      logical/ascanius.nix
  3. +0
    -9
      logical/jarvis.nix
  4. +17
    -40
      logical/woodhouse.nix
  5. +12
    -23
      modules/tor-hidden-service.nix
  6. +1
    -2
      physical/fractal.nix
  7. +8
    -28
      physical/hp8570w.nix
  8. +5
    -11
      physical/hp8570w/powerdown.nix
  9. +1
    -3
      physical/nuc.nix
  10. +13
    -48
      physical/xps9360.nix
  11. +2
    -2
      roles/collectd.nix
  12. +6
    -5
      roles/common.nix
  13. +18
    -15
      roles/graphical.nix
  14. +44
    -0
      roles/hardware.nix
  15. +0
    -2
      roles/pub.nix
  16. +1
    -0
      roles/workstation.nix

+ 4
- 0
conf View File

@@ -15,6 +15,10 @@ stable)
export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-17.03/nixexprs.tar.xz:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH"
eval ${@:3}
;;
checkout)
export NIX_PATH="nixpkgs=`pwd`/../nixpkgs:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH"
eval ${@:3}
;;
channel)
export NIX_PATH="/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=`pwd`/logical/$2.nix:$NIX_PATH"
eval ${@:3}
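Review bot: Every branch of this case statement builds NIX_PATH from `pwd`, so the script only works when invoked from the repository root, and the `checkout)` branch (presumably the new one, no markers survive on the page) inherits that by resolving `../nixpkgs` against the caller's cwd rather than the script's location; `here=$(dirname "$(readlink -f "$0")")` used in place of `pwd` would make both the nixpkgs checkout and the `logical/$2.nix` lookup independent of where the script is run from. `eval ${@:3}` re-parses the remaining arguments through the shell unquoted, so an argument containing spaces or metacharacters is split and expanded a second time; unless that re-evaluation is deliberate, `shift 2; "$@"` passes them through intact. The enclosing case statement starts and ends outside the hunk.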


+ 5
- 31
logical/ascanius.nix View File

@@ -1,7 +1,3 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, ... }:

let secrets = import <secrets>;
@@ -13,34 +9,12 @@ in
../roles/workstation.nix
];

system.stateVersion = "17.09";
# no, not that Ascanius.
networking.hostName = secrets.hostnames.ascanius;
services.tor.hiddenServices.ssh.map = [
{ port = 22; }
];
services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.ascanius.key";

nixpkgs.config = {
packageOverrides = pkgs : {
bluez = pkgs.bluez5;
# https://github.com/NixOS/nixpkgs/issues/22099
trustedGrub = pkgs.grub2.overrideDerivation (attr: rec {
version = "2.x-20170910";
name = "trustedGRUB2-${version}";
buildInputs = attr.buildInputs ++ (with pkgs;[autoconf automake]);
prePatch = ''
rm -rf po
tar Jxf ${pkgs.grub2.src} grub-2.02/po
cp -r grub-2.02/po po
./autogen.sh
'';
src = pkgs.fetchFromGitHub {
repo = "TrustedGRUB2";
owner = "Rohde-Schwarz-Cybersecurity";
rev = "e656aaabd3bc5abda6c62c8967ebfd0c53ef179b";
sha256 = "08lq4prqhn923i8a7q79s4lsfnqgk4jd255xzk1wy12vg45dwlsc";
};
});
};
};


services.tor.hiddenServices.ssh.map = [{ port = 22; }];
nix.gc.automatic = pkgs.lib.mkOverride 30 false;
}

+ 0
- 9
logical/jarvis.nix View File

@@ -1,7 +1,3 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, lib, ... }:

{
@@ -23,10 +19,5 @@
services.xserver.displayManager.sessionCommands = ''
${pkgs.xorg.xrandr}/bin/xrandr --dpi 192
'';
nix.gc.automatic = pkgs.lib.mkOverride 30 false;
# nix.trustedBinaryCaches = [http://192.168.1.27:5000];
# nix.binaryCachePublicKeys = [
# "hydra.example.org-1:NbZfmBIhIevVM5OZ81TbwruSC9etkIrdi1mR6AAdm98="
# ];
virtualisation.virtualbox.host.enable = pkgs.lib.mkOverride 30 false;
}

+ 17
- 40
logical/woodhouse.nix View File

@@ -1,25 +1,30 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, lib, ... }:
let
secrets = import <secrets>;
mkFuseMount = device: opts: {
# todo: "ServerAliveCountMax=3" "ServerAliveInterval=30"

device = "${pkgs.sshfsFuse}/bin/sshfs#${device}";
fsType = "fuse";
options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user"
"defaults" "allow_other" "transform_symlinks" "default_permissions"
"uid=1000"
"reconnect" "IdentityFile=/root/.ssh/id_sshfs"] ++ opts;
};
in
{
imports =
[ # Include the results of the hardware scan.
../physical/nuc.nix
../roles/common.nix
../roles/collectd.nix
../modules/tor-hidden-service.nix
# ../roles/collectd.nix
../roles/graphical.nix
];

networking.hostName = secrets.hostnames.woodhouse;

# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "16.09";
system.stateVersion = "17.09";


services.xserver = {
@@ -27,42 +32,14 @@ in
};



services.tor.hiddenServices = [
{ name = "ssh";
port = 22;
hostname = secrets.tor_hostnames."ssh.woodhouse";
private_key = "/run/keys/torkeys/ssh.woodhouse.key"; }
];
services.tor.hiddenServices.ssh.map = [ {port = 22;} ];
services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.woodhouse.key";

system.fsPackages = [ pkgs.sshfsFuse ];
fileSystems."/mnt/frumar" = {
# todo: "ServerAliveCountMax=3" "ServerAliveInterval=30"

device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@" + secrets.hostnames.frumar + ":/data/yorick";
fsType = "fuse";
options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user"
"defaults" "allow_other" "transform_symlinks" "default_permissions"
"uid=1000"
"reconnect" "IdentityFile=/root/.ssh/id_sshfs"];
};
fileSystems."/mnt/oxygen" = {
device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@oxygen.obfusk.ch:";
fsType = "fuse";
options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user"
"defaults" "allow_other" "transform_symlinks" "default_permissions"
"uid=1000"
"reconnect" "IdentityFile=/root/.ssh/id_sshfs"];
};

fileSystems."/mnt/nyamsas" = {
device = "${pkgs.sshfsFuse}/bin/sshfs#yorick@nyamsas.quezacotl.nl:";
fsType = "fuse";
options = ["noauto" "x-systemd.automount" "_netdev" "users" "idmap=user"
"defaults" "allow_other" "transform_symlinks" "default_permissions"
"uid=1000"
"reconnect" "IdentityFile=/root/.ssh/id_sshfs" "port=1337"];
};
fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" [];
fileSystems."/mnt/oxygen" = mkFuseMount "yorick@oxygen.obfusk.ch:" [];
fileSystems."/mnt/nyamsas" = mkFuseMount "yorick@nyamsas.quezacotl.nl:" ["port=1337"];


networking.firewall.allowedTCPPorts = [7 8080 9090 9777]; # kodi
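Review bot: `mkFuseMount` bakes `uid=1000`, `allow_other` and `IdentityFile=/root/.ssh/id_sshfs` into every mount, so all three remote hosts are reached with the same root-held key and the mounts are readable by every local user; if that is the intent, a doc comment on the helper stating it would help, otherwise the identity file and uid are natural parameters next to `opts`. The `# todo: "ServerAliveCountMax=3" "ServerAliveInterval=30"` line and the blank line after it were carried over from the old per-mount blocks and now sit inside the attribute set between `{` and `device`, where the todo reads as if it belongs to the `device` line; moving it above `mkFuseMount = device: opts:` keeps the helper body clean. The firewall line `[7 8080 9090 9777]; # kodi` is context here, but port 7 deserves its own word in that comment since it is not obviously kodi's.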


+ 12
- 23
modules/tor-hidden-service.nix View File

@@ -3,25 +3,15 @@
with lib;

let
hiddenServices = config.services.tor.hiddenServices;
service-keys = config.services.tor.service-keys;
torDir = "/var/lib/tor";
in {
options.services.tor = {
hiddenServices = mkOption { default = []; };
options.services.tor.service-keys = mkOption {
default = {};
type = with types; loaOf string;
};

config = mkIf (hiddenServices != []) {
assertions = map (hiddenService: {
assertion = hasAttr "name" hiddenService && hasAttr "port" hiddenService;
message = "all hidden services should define a name and a port..";
}) hiddenServices;

services.tor.enable = true;

services.tor.extraConfig = concatStringsSep "\n" (map (hiddenService: ''
HiddenServiceDir /var/lib/tor/${hiddenService.name}
HiddenServicePort ${toString (if hasAttr "remote_port" hiddenService then hiddenService.remote_port else hiddenService.port)} 127.0.0.1:${toString hiddenService.port}
'') hiddenServices);

config = mkIf (service-keys != {}) {
systemd.services."install-tor-hidden-service-keys" = {
wantedBy = ["tor.service"];
serviceConfig.Type = "oneshot";
@@ -29,14 +19,13 @@ in {
serviceConfig.Group = "keys";
# TODO: update on change?
# TODO: better ways to get the keys on the server
script = concatStringsSep "\n" (map (hiddenService: if (hasAttr "private_key" hiddenService && hasAttr "hostname" hiddenService) then ''
if ! [[ -e /var/lib/tor/${hiddenService.name}/private_key ]]; then
mkdir -p /var/lib/tor/${hiddenService.name}/
cp ${hiddenService.private_key} /var/lib/tor/${hiddenService.name}/private_key
echo ${hiddenService.hostname} > /var/lib/tor/${hiddenService.name}/hostname
chmod -R 700 /var/lib/tor/${hiddenService.name};
script = concatStringsSep "\n" (mapAttrsToList (name: keypath: ''
if ! [[ -e ${torDir}/onion/${name}/private_key ]]; then
mkdir -p ${torDir}/onion/${name}/
cp ${keypath} ${torDir}/onion/${name}/private_key
chmod -R 700 ${torDir}/onion/${name}
fi
'' else "true") hiddenServices);
'') service-keys);
};
};
}
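Review bot: The key install script copies the private key with `cp` and only afterwards tightens it with `chmod -R 700`, so the copy briefly carries the umask-derived default mode, and both the directory and the key end up owned by whatever user the oneshot runs as (the `User=` line sits outside the hunk, only `Group = "keys"` is visible); `install -d -m 700 ${torDir}/onion/${name}` followed by `install -m 600 ${keypath} ${torDir}/onion/${name}/private_key` sets the mode at creation, and since tor is strict about who owns its HiddenServiceDir, an `-o`/`-g` for the tor user (or running the unit as it) presumably belongs there too — worth confirming against the service's user. The `if ! [[ -e ... ]]` guard means a rotated key at `keypath` is never picked up, which the `# TODO: update on change?` comment already notes; a `cmp -s` against the installed copy before the `cp` would make the unit converge instead of being one-shot-forever. `${name}` and `${keypath}` are interpolated into the shell script unquoted, which is fine for the names used here but worth quoting since `loaOf string` accepts any key.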

+ 1
- 2
physical/fractal.nix View File

@@ -9,8 +9,7 @@
];

boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
yorick.cpu = "intel";

# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;


+ 8
- 28
physical/hp8570w.nix View File

@@ -1,47 +1,27 @@
# I'm modifying this file anyways.
{ config, lib, pkgs, ... }:

{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
./hp8570w/powerdown.nix
];
imports = [
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
./hp8570w/powerdown.nix
];

hardware.cpu.intel.updateMicrocode = true;
yorick = { cpu = "intel"; gpu = "nvidia"; laptop = true; };

boot = {
loader.grub = {
enable = true;
device = "/dev/sda";
trustedBoot = {
enable = true;
systemHasTPM = "YES_TPM_is_activated";
};
};
kernelPackages = pkgs.linuxPackages_latest;
kernelModules = ["nvidiabl" "kvm-intel"];
};
services.xserver.videoDrivers = ["nouveau"];
services.xserver.synaptics.enable = true;

networking.wireless.enable = true;
hardware.bluetooth.enable = true;


# ideal... doesn't work.
#services.udev.extraRules = ''
# KERNEL=="nvidia_backlight", SUBSYSTEM=="backlight", MODE="666"
#'';
# for now
systemd.services."display-manager".preStart = ''
chmod a+w $(realpath /sys/class/backlight/nv_backlight/brightness) || true
'';
# this makes sure my wifi doesn't take a minute to work
services.udev.extraRules = ''
SUBSYSTEM=="firmware", ACTION=="add", ATTR{loading}="-1"
'';

boot.initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usbhid" "usb_storage" "btrfs" "dm_crypt" ];
boot.initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usbhid" "usb_storage" ];
boot.initrd.luks.devices = [ {
name = "nix-root-enc";
device = "/dev/sdb2";
@@ -65,6 +45,6 @@

nix.maxJobs = 8;

services.tcsd.enable = true; # it has a TPM. maybe use this?
environment.systemPackages = with pkgs; [btrfs-progs tpm-tools];
#services.tcsd.enable = true; # it has a TPM. maybe use this?
#environment.systemPackages = with pkgs; [tpm-tools];
}
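Review bot: `services.xserver.videoDrivers = ["nouveau"]` on this host and `yorick = { gpu = "nvidia"; ... }` a few lines above pull in opposite directions: the nvidia branch of roles/hardware.nix sets `services.xserver.videoDrivers = ["nvidia"]` and loads `nvidiabl`, so if the nouveau line survives this change the two list values merge and X is offered both drivers. With no markers on the page I cannot tell whether the nouveau line is removed; if it is kept, either drop it or keep `gpu = null` until the proprietary driver is actually wanted. `nvidiabl` is pulled from `config.boot.kernelPackages.nvidiabl` while this host pins `kernelPackages = pkgs.linuxPackages_latest`, so an out-of-tree module failing on a new kernel would now break evaluation of the whole host rather than one optional module — a one-line comment at the `yorick` line noting that coupling would help. The trusted-boot and TPM lines are now commented out rather than deleted; a short `# trustedBoot dropped: <reason>` comment next to `#services.tcsd.enable` would stop the next reader from re-enabling them blindly.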

+ 5
- 11
physical/hp8570w/powerdown.nix View File

@@ -13,15 +13,9 @@ in
SUBSYSTEM=="power_supply", ATTR{online}=="1", RUN+="${powersw}"
'';

systemd.services.powerswitch = {
enable = true;
wantedBy = [ "multi-user.target" "suspend.target" ];
after = [ "suspend.target" "display-manager.service" ];
description = "Run powerswitch sometimes";
preStart = "sleep 4s";
serviceConfig = {
Type = "oneshot";
ExecStart = powersw;
};
};
powerManagement.powerUpCommands = ''
sleep 4s
${powersw}/bin/powerswitch
'';
}
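Review bot: Replacing the `powerswitch` unit with `powerManagement.powerUpCommands` drops the `after = [ "suspend.target" "display-manager.service" ]` ordering, and the `sleep 4s` now runs inline in the power-up path, so every resume (and, if I read the option's description right, boot as well) is delayed by four seconds before the rest of the commands run. If the delay is there to wait for the display manager, a comment saying so (`# display-manager is not ordered before this hook; give it a moment`) would explain the magic number, and backgrounding the two lines with `( sleep 4s; ${powersw}/bin/powerswitch ) &` would keep resume unblocked. The enclosing attribute set starts outside the hunk.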

+ 1
- 3
physical/nuc.nix View File

@@ -9,9 +9,7 @@
];

boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
hardware.cpu.intel.updateMicrocode = true;
yorick = { cpu = "intel"; gpu = "intel"; };

boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;


+ 13
- 48
physical/xps9360.nix View File

@@ -1,40 +1,22 @@
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];

boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.blacklistedKernelModules = ["psmouse"];

boot.kernelPackages = pkgs.linuxPackages_latest;


# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
imports = [
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
yorick = { cpu = "intel"; gpu = "intel"; laptop = true; };


hardware.cpu.intel.updateMicrocode = true;

boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
kernelPackages = pkgs.linuxPackages_latest;
};

services.xserver.libinput.enable = true;
services.thermald.enable = true;
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.blacklistedKernelModules = ["psmouse"];

networking.wireless.enable = true;
networking.dhcpcd.extraConfig = ''
noarp
'';
hardware.bluetooth.enable = true;
# https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options
# might require linux 4.11
boot.kernelParams = ["i915.enable_fbc=1" "i915.enable_guc_loading=1" "i915.enable_guc_submission=1" "i915.enable_huc=1" "i915.enable_psr=2" "intel_iommu=on"];
# now we wait until enable_psr=1 is fixed

fileSystems."/" =
{ device = "/dev/disk/by-uuid/a751e4ea-f1aa-48e1-9cbe-423878e29b62";
@@ -57,24 +39,7 @@
];

nix.maxJobs = lib.mkDefault 4;

environment.systemPackages = [pkgs.btrfs-progs];
# ideal... doesn't work.
#services.udev.extraRules = ''
# KERNEL=="intel_backlight", SUBSYSTEM=="backlight", MODE="666"
#'';
# for now
systemd.services."display-manager".preStart = ''
chmod a+w $(realpath /sys/class/backlight/intel_backlight/brightness) || true
'';
# this makes sure my wifi doesn't take a minute to work
services.udev.extraRules = ''
SUBSYSTEM=="firmware", ACTION=="add", ATTR{loading}="-1"
'';

services.xserver.videoDrivers = ["modesetting"];
hardware.opengl.extraPackages = [ pkgs.vaapiIntel ];
# bigger console font
i18n.consoleFont = "latarcyrheb-sun32";
}
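Review bot: The old `boot.kernelParams` line carried `intel_iommu=on`, but the i915 parameter list that moved into the intel branch of roles/hardware.nix does not include it and nothing in this hunk re-adds it; unless that line survives as context, the IOMMU is no longer enabled on this laptop and the DMA protection it gives against externally reachable PCIe devices is silently lost. Keeping `boot.kernelParams = ["intel_iommu=on"];` in this file (list options merge, so it combines with the hardware.nix values) or putting it in the `laptop` branch of hardware.nix restores it. With no markers on the page I cannot tell whether the old line was removed or kept; the same gap applies to hardware.nix, noted here once.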

+ 2
- 2
roles/collectd.nix View File

@@ -56,11 +56,11 @@ in
libxml2 = null;
libtool = null;
lvm2 = null;
libmysql = null;
mysql = null;
protobufc = null;
python = null;
rabbitmq-c = null;
riemann = null;
riemann_c_client = null;
rrdtool = null;
varnish = null;
yajl = null;


+ 6
- 5
roles/common.nix View File

@@ -2,7 +2,10 @@ let secrets = import <secrets>;
in
{ config, pkgs, lib, ...}:
{
imports = [];
imports = [
../roles/hardware.nix
../modules/tor-hidden-service.nix
];
time.timeZone = "Europe/Amsterdam";
users.mutableUsers = false;
users.extraUsers.root = {
@@ -12,6 +15,7 @@ in

};
services.timesyncd.enable = true;
services.fail2ban.enable = true;
users.extraUsers.yorick = {
isNormalUser = true;
uid = 1000;
@@ -22,6 +26,7 @@ in

# Nix
nixpkgs.config.allowUnfree = true;
nix.package = pkgs.nixUnstable;


nix.trustedBinaryCaches = config.nix.binaryCaches ++ [http://hydra.cryp.to];
@@ -32,10 +37,6 @@ in

nix.extraOptions = ''
allow-unsafe-native-code-during-evaluation = true
allow-unfree = true
#binary-caches-parallel-connections = 3
#connect-timeout = 5
keep-going = true
'';

# Networking
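Review bot: `nix.package = pkgs.nixUnstable` moves every host onto whatever nixpkgs currently calls the unstable Nix, daemon included, so the Nix version is no longer pinned by the channel and will change underneath the hosts; a comment such as `# nixUnstable: needed for <feature — fill in> until the channel ships nix 2.0` would make it clear when this can be reverted. `services.fail2ban.enable = true` in the common role now applies to every host, laptops included, which is fine but worth a one-line comment naming the jails expected to be active. The new import `../roles/hardware.nix` from inside roles/ is simply `./hardware.nix`.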


+ 18
- 15
roles/graphical.nix View File

@@ -8,11 +8,6 @@ in
# Enable the X11 windowing system.
services.xserver = {
enable = true;
synaptics = {
twoFingerScroll = true;
horizontalScroll = true;
scrollDelta = -107; # inverted scrolling
};
libinput = {
naturalScrolling = true;
tappingDragLock = false;
@@ -23,16 +18,24 @@ in
# xkbOptions = "eurosign:e";
windowManager.i3 = {
enable = true;
} // (if (lib.versionAtLeast config.system.nixosRelease "17.03") then {
package = pkgs.i3-gaps;
} else {});
};
hardware.opengl = {
enable = true;
driSupport32Bit = config.yorick.support32bit;
};
};
hardware.pulseaudio.enable = true;
hardware.pulseaudio.support32Bit = config.yorick.support32bit;
hardware.opengl = {
enable = true;
driSupport32Bit = config.yorick.support32bit;
};
sound.enable = true;
hardware.pulseaudio = {
enable = true;
support32Bit = config.yorick.support32bit;
};
users.extraUsers.yorick.extraGroups = ["video"];
# fix backlight permissions
services.udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness"
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"
'';

fonts = {
enableFontDir = true;
@@ -47,8 +50,8 @@ in
];
};
# spotify
networking.firewall.allowedTCPPorts = [57621];
networking.firewall.allowedUDPPorts = [57621];
networking.firewall.allowedTCPPorts = [55025 57621];
networking.firewall.allowedUDPPorts = [55025 57621];

users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword;
services.openssh.forwardX11 = true;
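Review bot: The new firewall lines open TCP and UDP 55025 under the `# spotify` comment that previously documented only 57621; if 55025 is a second Spotify port the comment should say so (`# spotify: 57621 local discovery, 55025 <purpose — fill in>`), and if it belongs to something else it needs its own line, because an undocumented open port in a role shared by every graphical host is easy to forget. The backlight udev rules (`chgrp video` plus `chmod g+w`) are a sound replacement for the per-host world-writable `chmod a+w` that the physical files used to do, and `users.extraUsers.yorick.extraGroups = ["video"]` is what makes them useful; a short comment tying the group line to the rules would keep the two from drifting apart.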


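--- /dev/null
+++ b/roles/hardware.nix
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+let cfg = config.yorick; in
+with lib;
+{
+options.yorick = {
+cpu = mkOption {
+type = types.nullOr (types.enum ["intel"]);
+};
+gpu = mkOption {
+type = types.nullOr (types.enum ["intel" "nvidia"]);
+default = null;
+};
+laptop = mkEnableOption "laptop settings";
+};
+config = mkMerge [
+(mkIf (cfg.gpu == "intel") {
+# https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options
+boot.kernelParams = ["i915.enable_fbc=1" "i915.enable_guc_loading=1" "i915.enable_guc_submission=1" "i915.enable_huc=1" "i915.enable_psr=2"];
+# now we wait until enable_psr=1 is fixed
+services.xserver.videoDrivers = ["modesetting"];
+hardware.opengl.extraPackages = [ pkgs.vaapiIntel ];
+})
+(mkIf (cfg.gpu == "nvidia") {
+boot.kernelModules = ["nvidiabl"];
+services.xserver.videoDrivers = ["nvidia"];
+boot.extraModulePackages = [config.boot.kernelPackages.nvidiabl];
+})
+(mkIf (cfg.cpu == "intel") {
+hardware.cpu.intel.updateMicrocode = true;
+boot.kernelModules = ["kvm-intel"];
+})
+(mkIf (cfg.laptop) {
+services.xserver.libinput.enable = true;
+networking.wireless.enable = true;
+hardware.bluetooth.enable = true;
+# gotta go faster
+networking.dhcpcd.extraConfig = ''
+noarp
+'';
+services.thermald.enable = true;
+})
+];
+}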
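Review bot: The `cpu` option is declared as `types.nullOr (types.enum ["intel"])` but, unlike `gpu`, has no `default`, and `cfg.cpu == "intel"` in the `mkMerge` reads it unconditionally; since roles/common.nix now imports this module for every host, any host that does not set `yorick.cpu` should fail evaluation with the option being used but not defined (I can only see the hosts on this page, so treat that as a hedge). Adding `default = null;` to `cpu` makes it opt-in like the other two options. The module also lacks a header comment; a two-line `##`-style description at the top saying that `yorick.cpu`/`gpu`/`laptop` are per-host hardware toggles consumed by the roles would help, and the `laptop` branch would be the natural home for `intel_iommu=on`, which the moved i915 list left behind in physical/xps9360.nix.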

+ 0
- 2
roles/pub.nix View File

@@ -1,6 +1,4 @@
{ config, pkgs, lib, ... }:
let secrets = import <secrets>;
in
{
#imports = [../modules/nginx.nix];
config = {


+ 1
- 0
roles/workstation.nix View File

@@ -25,4 +25,5 @@
'';
virtualisation.virtualbox.host.enable = true;
yorick.support32bit = true;
nix.gc.automatic = pkgs.lib.mkOverride 30 false;
}
