palo/nixos-config
palo/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

introduced features

Browse source
This commit is contained in:
Ingolf Wagner 2024-08-08 16:39:50 +02:00
parent 40e5456517
commit 509f283924
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
23 changed files with 113 additions and 158 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
components/gui/browser.nix
View file

@ -34,50 +34,59 @@ in
home = "${homeFolder}/development-browser";
homeBackup = "${backupFolder}/development-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
google = {
home = "${homeFolder}/google-browser";
homeBackup = "${backupFolder}/google-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
finance = {
home = "${homeFolder}/finance-browser";
homeBackup = "${backupFolder}/finance-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
facebook = {
home = "${homeFolder}/facebook-browser";
homeBackup = "${backupFolder}/facebook-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
shopping = {
home = "${homeFolder}/shopping-browser";
homeBackup = "${backupFolder}/shopping-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
jobrad = {
browserType = "chrome";
home = "${homeFolder}/jobrad-chrome";
homeBackup = "${backupFolder}/jobrad-chrome";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
firefox-tmp = {
browserType = "firefox";
home = "${homeFolder}/firefox-tmp";
homeBackup = "${backupFolder}/firefox-tmp-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
chromium-tmp = {
browserType = "chrome";
home = "${homeFolder}/chromium-tmp";
homeBackup = "${backupFolder}/chrome-tmp-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
google-tmp = {
browserType = "google";
home = "${homeFolder}/google-tmp";
homeBackup = "${backupFolder}google-tmp-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
};

16
components/nixos/boot/default.nix
View file

@ -1,16 +0,0 @@
{ lib, config, ... }:
{
imports = [
./ssh.nix
./tor.nix
];
options.components.nixos.boot.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf (config.components.nixos.boot.enable) { };
}

95
components/nixos/boot/tor.nix
View file

@ -1,95 +0,0 @@
{ config, lib, pkgs, factsGenerator, clanLib, ... }:
with lib;
with types;
{
options.components.nixos.boot.tor = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
config = mkMerge [
# todo : not working at the moment, because onion hostnames are secrets
#(
# let
# onionIds = clanLib.readFactFromAllMachines "tor.initrd.hostname";
# generateOnionUnlockScript = machine: onionId: pkgs.writers.writeDashBin "unlock-boot-${machine}-via-tor" ''
# ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
# '';
# in
# {
# # add known hosts
# services.openssh.knownHosts =
# mapAttrs
# (_machine: onionId: {
# hostNames = [ "[${onionId}]:2222" ];
# })
# onionIds;
# # create unlook tor boot script
# environment.systemPackages =
# mapAttrsToList generateOnionUnlockScript onionIds;
# }
#)
# tor part
# --------
(mkIf (config.components.nixos.boot.tor.enable) {
# tor secrets
clan.core.facts.services."initrd.tor" = factsGenerator.tor {
name = "initrd";
addressPrefix = "init";
};
boot.initrd.secrets = {
"/etc/tor/onion/bootup/tor.priv" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.priv".path;
"/etc/tor/onion/bootup/hostname" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.hostname".path;
};
boot.initrd.systemd.storePaths = [
pkgs.tor
pkgs.iproute2
pkgs.coreutils
];
boot.initrd.systemd.contents = {
"/etc/tor/tor.rc".text = ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 2222 127.0.0.1:2222
'';
};
boot.initrd.systemd.services.tor = {
description = "tor during init";
wantedBy = [ "initrd.target" ];
after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
before = [ "shutdown.target" ];
conflicts = [ "shutdown.target" ];
unitConfig.DefaultDependencies = false;
path = [
pkgs.tor
pkgs.iproute2
pkgs.coreutils
];
script =
''
echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor
echo "tor: starting tor"
tor -f /etc/tor/tor.rc --verify-config
tor -f /etc/tor/tor.rc
'';
};
})
];
}

1
components/nixos/default.nix
View file

@ -2,7 +2,6 @@
{
imports = [
./upgrade-diff.nix
./boot
];
options.components.nixos.enable = lib.mkOption {

6
features/boot/default.nix Normal file
View file

@ -0,0 +1,6 @@
{
imports = [
./ssh.nix
./tor.nix
];
}

13
components/nixos/boot/ssh.nix → features/boot/ssh.nix
View file

@ -3,10 +3,10 @@ with lib;
with types;
{
options.components.nixos.boot.ssh = {
options.features.boot.ssh = {
enable = lib.mkOption {
type = lib.types.bool;
default = config.components.nixos.boot.enable;
default = false;
};
kernelModules = mkOption {
type = listOf str;
@ -16,12 +16,7 @@ with types;
};
};
config = mkIf (config.components.nixos.boot.ssh.enable) {
# root password
#clan.core.facts.services.rootPassword = factsGenerator.password { name = "root"; };
#users.users.root.hashedPasswordFile = config.clan.core.facts.services.rootPassword.secret."password.root.pam".path; # fixme not working for some reason
#users.users.root.initalPassword = "admin";
config = mkIf (config.features.boot.ssh.enable) {
# ssh host key
clan.core.facts.services."boot.ssh" = factsGenerator.ssh { name = "boot"; };
@ -32,7 +27,7 @@ with types;
# network
boot.initrd.systemd.network.enable = true;
boot.initrd.availableKernelModules = config.components.nixos.boot.ssh.kernelModules;
boot.initrd.availableKernelModules = config.features.boot.ssh.kernelModules;
# ssh
boot.initrd.network.enable = true;

65
features/boot/tor.nix Normal file
View file

@ -0,0 +1,65 @@
{ config, lib, pkgs, factsGenerator, clanLib, ... }:
with lib;
with types;
{
options.features.boot.tor = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
config = mkIf (config.features.boot.tor.enable) {
# tor secrets
clan.core.facts.services."initrd.tor" = factsGenerator.tor {
name = "initrd";
addressPrefix = "init";
};
boot.initrd.secrets = {
"/etc/tor/onion/bootup/tor.priv" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.priv".path;
"/etc/tor/onion/bootup/hostname" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.hostname".path;
};
boot.initrd.systemd.storePaths = [
pkgs.tor
pkgs.iproute2
pkgs.coreutils
];
boot.initrd.systemd.contents = {
"/etc/tor/tor.rc".text = ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 2222 127.0.0.1:2222
'';
};
boot.initrd.systemd.services.tor = {
description = "tor during init";
wantedBy = [ "initrd.target" ];
after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
before = [ "shutdown.target" ];
conflicts = [ "shutdown.target" ];
unitConfig.DefaultDependencies = false;
path = [
pkgs.tor
pkgs.iproute2
pkgs.coreutils
];
script =
''
echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor
echo "tor: starting tor"
tor -f /etc/tor/tor.rc --verify-config
tor -f /etc/tor/tor.rc
'';
};
};
}

3
features/default.nix Normal file
View file

@ -0,0 +1,3 @@
{
imports = [ ./boot ];
}

9
flake.nix
View file

@ -172,6 +172,7 @@
clanLib = import ./lib/clanlib.nix { inherit (pkgs) lib; machineDir = ./machines; };
zerotierDeviceName = "ztbn67ogn2";
components = ./components;
features = ./features;
};
};
@ -260,6 +261,8 @@
documentation.nixos.options.warningsAreErrors = false; # todo make this true again
documentation.nixos.extraModules = [
./components
./features
#./modules
inputs.clan-core.nixosModules.clanCore
# inputs.stylix.nixosModules.stylix # fixme: not working
permown.nixosModules.permown
@ -272,6 +275,12 @@
boot.loader.generic-extlinux-compatible.configurationLimit = lib.mkDefault 10;
boot.loader.grub.configurationLimit = lib.mkDefault 10;
})
# My Structure
./components
./features
./modules # todo : spread this across features and components
#./system/all # todo : spread this across features and components
# some modules I always use
permown.nixosModules.permown
kmonad.nixosModules.default

3
machines/cherry/configuration.nix
View file

@ -3,9 +3,6 @@
imports = [
../../components
../../modules
./hardware-configuration
./syncthing.nix

6
machines/chungus/configuration.nix
View file

@ -5,9 +5,6 @@
# todo : remove
../../system/all
../../components
../../modules
./hardware-configuration
./packages.nix
@ -58,8 +55,7 @@
components.network.wifi.enable = false;
components.terminal.enable = true;
components.nixos.boot.enable = true;
components.nixos.boot.ssh.kernelModules = [ "e1000e" ];
features.boot.ssh.kernelModules = [ "e1000e" ];
components.monitor.enable = true;
components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";

3
machines/cream/configuration.nix
View file

@ -3,9 +3,6 @@
imports = [
../../components
../../modules
./hardware-configuration.nix
./syncthing.nix

6
machines/orbi/configuration.nix
View file

@ -5,9 +5,6 @@
../../system/all/defaults.nix
../../components
../../modules
./service-forgejo-runner.nix
./service-forgejo.nix
./service-hedgedoc.nix
@ -50,7 +47,8 @@
components.network.fail2ban.enable = true;
components.network.sshd.sshguard.enable = false;
components.nixos.boot.enable = true;
features.boot.ssh.enable = true;
features.boot.tor.enable = true;
components.monitor.enable = true;
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];

4
machines/orbi/media-nextcloud.nix
View file

@ -1,4 +1,4 @@
{ pkgs, config, factsGenerator, ... }:
{ pkgs, config, factsGenerator, components, ... }:
# don't forget the database backup before upgrading
# -------------------------------------------------
@ -85,7 +85,7 @@ in
config = { config, lib, ... }: {
nixpkgs.pkgs = pkgs;
imports = [ ../../components/monitor/container.nix ];
imports = [ "${components}/monitor/container.nix" ];
system.stateVersion = "23.11";
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here

4
machines/orbi/media-transmission2.nix
View file

@ -1,4 +1,4 @@
{ lib, pkgs, config, ... }:
{ lib, pkgs, config, components, ... }:
let
uiPort = 9091;
in
@ -25,7 +25,7 @@ in
config = { config, lib, ... }: {
nixpkgs.pkgs = pkgs;
imports = [ ../../components/monitor/container.nix ];
imports = [ "${components}/monitor/container.nix" ];
system.stateVersion = "21.05";
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here

4
machines/orbi/service-photoprism.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, components, ... }:
let
mySQLPackage = pkgs.mysql;
photoprismPort = 2342;
@ -15,7 +15,7 @@ in
config = { config, lib, ... }: {
nixpkgs.pkgs = pkgs;
imports = [ ../../components/monitor/container.nix ];
imports = [ "${components}/monitor/container.nix" ];
system.stateVersion = "23.11";
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here

4
machines/orbi/service-surrealdb.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, clanCore, factsGenerator, ... }:
{ config, pkgs, lib, clanCore, factsGenerator, components, ... }:
let
surrealdbPort = 8000;
in
@ -12,7 +12,7 @@ in
config = { config, lib, ... }: {
nixpkgs.pkgs = pkgs;
imports = [ ../../components/monitor/container.nix ];
imports = [ "${components}/monitor/container.nix" ];
system.stateVersion = "24.05";
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here

4
machines/orbi/service-vikunja.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, components, ... }:
let
vikunjaPort = 3456;
mysqlPort = 3337;
@ -13,7 +13,7 @@ in
config = { config, lib, ... }: {
nixpkgs.pkgs = pkgs;
imports = [ ../../components/monitor/container.nix ];
imports = [ "${components}/monitor/container.nix" ];
system.stateVersion = "24.05";
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here

4
machines/orbi/social-matrix-terranix.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, factsGenerator, ... }:
{ config, pkgs, factsGenerator, components, ... }:
let
# 1. create DNS entry `matrix.terranix.org A - 95.216.66.212`
# 2. test with : https://federationtester.matrix.org/#terranix.org
@ -66,7 +66,7 @@ in
config = { config, lib, ... }: {
nixpkgs.pkgs = pkgs;
imports = [ ../../components/monitor/container.nix ];
imports = [ "${components}/monitor/container.nix" ];
system.stateVersion = "23.11";
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here

7
machines/probe/configuration.nix
View file

@ -1,8 +1,6 @@
{ lib, config, pkgs, ... }: {
imports = [
./hardware-configuration
../../components
../../modules
];
system.stateVersion = "24.11";
@ -10,9 +8,8 @@
components.mainUser.enable = true;
components.network.enable = true;
components.nixos.boot.enable = true;
components.nixos.boot.ssh.enable = true;
components.nixos.boot.tor.enable = true;
features.boot.ssh.enable = true;
features.boot.tor.enable = true;
components.monitor.enable = false;

2
machines/sternchen/configuration.nix
View file

@ -2,8 +2,6 @@
imports = [
../../components
../../modules
./hardware-configuration.nix
./packages.nix
./syncthing.nix

1
modules/browser.nix
View file

@ -232,7 +232,6 @@ in
'';
};
sudoUsers = mkOption {
default = [ config.users.users.mainUser.name ];
type = with types; listOf str;
description = ''
user allowed to run sudo without password to start the browser

2
system/all/default.nix
View file

@ -2,8 +2,6 @@
imports = [
../../modules
../../components/network
./defaults.nix
./grub.nix
./packages.nix