introduced features

This commit is contained in:
Ingolf Wagner 2024-08-08 16:39:50 +02:00
parent 40e5456517
commit 509f283924
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
23 changed files with 113 additions and 158 deletions


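--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -34,50 +34,59 @@ in
 home = "${homeFolder}/development-browser";
 homeBackup = "${backupFolder}/development-browser";
 gpu = false;
+sudoUsers = [ config.users.users.mainUser.name ];
 };
 google = {
 home = "${homeFolder}/google-browser";
 homeBackup = "${backupFolder}/google-browser";
 gpu = false;
+sudoUsers = [ config.users.users.mainUser.name ];
 };
 finance = {
 home = "${homeFolder}/finance-browser";
 homeBackup = "${backupFolder}/finance-browser";
 gpu = false;
+sudoUsers = [ config.users.users.mainUser.name ];
 };
 facebook = {
 home = "${homeFolder}/facebook-browser";
 homeBackup = "${backupFolder}/facebook-browser";
 gpu = false;
+sudoUsers = [ config.users.users.mainUser.name ];
 };
 shopping = {
 home = "${homeFolder}/shopping-browser";
 homeBackup = "${backupFolder}/shopping-browser";
 gpu = false;
+sudoUsers = [ config.users.users.mainUser.name ];
 };
 jobrad = {
 browserType = "chrome";
 home = "${homeFolder}/jobrad-chrome";
 homeBackup = "${backupFolder}/jobrad-chrome";
 gpu = false;
+sudoUsers = [ config.users.users.mainUser.name ];
 };
 firefox-tmp = {
 browserType = "firefox";
 home = "${homeFolder}/firefox-tmp";
 homeBackup = "${backupFolder}/firefox-tmp-browser";
 gpu = false;
+sudoUsers = [ config.users.users.mainUser.name ];
 };
 chromium-tmp = {
 browserType = "chrome";
 home = "${homeFolder}/chromium-tmp";
 homeBackup = "${backupFolder}/chrome-tmp-browser";
 gpu = false;
+sudoUsers = [ config.users.users.mainUser.name ];
 };
 google-tmp = {
 browserType = "google";
 home = "${homeFolder}/google-tmp";
 homeBackup = "${backupFolder}google-tmp-browser";
 gpu = false;
+sudoUsers = [ config.users.users.mainUser.name ];
 };
 };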
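Review bot: Line 67 builds the backup path as `"${backupFolder}google-tmp-browser"` without the `/` that every other entry has, so unless `backupFolder` happens to end in a slash this backup lands beside the backup folder rather than inside it; it is a context line, but it is what the new side ships with, and `homeBackup = "${backupFolder}/google-tmp-browser";` fixes it. Separately, all nine entries now repeat `sudoUsers = [ config.users.users.mainUser.name ];`, which became mandatory because this commit removes the option's default elsewhere; a single let-bound value would keep the passwordless-sudo grant in one place and make a later change a one-line edit. The enclosing attribute set starts above this hunk.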


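--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,16 +0,0 @@
-{ lib, config, ... }:
-{
-imports = [
-./ssh.nix
-./tor.nix
-];
-options.components.nixos.boot.enable = lib.mkOption {
-type = lib.types.bool;
-default = false;
-};
-config = lib.mkIf (config.components.nixos.boot.enable) { };
-}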


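--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,95 +0,0 @@
-{ config, lib, pkgs, factsGenerator, clanLib, ... }:
-with lib;
-with types;
-{
-options.components.nixos.boot.tor = {
-enable = lib.mkOption {
-type = lib.types.bool;
-default = false;
-};
-};
-config = mkMerge [
-# todo : not working at the moment, because onion hostnames are secrets
-#(
-# let
-# onionIds = clanLib.readFactFromAllMachines "tor.initrd.hostname";
-# generateOnionUnlockScript = machine: onionId: pkgs.writers.writeDashBin "unlock-boot-${machine}-via-tor" ''
-# ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
-# '';
-# in
-# {
-# # add known hosts
-# services.openssh.knownHosts =
-# mapAttrs
-# (_machine: onionId: {
-# hostNames = [ "[${onionId}]:2222" ];
-# })
-# onionIds;
-# # create unlook tor boot script
-# environment.systemPackages =
-# mapAttrsToList generateOnionUnlockScript onionIds;
-# }
-#)
-# tor part
-# --------
-(mkIf (config.components.nixos.boot.tor.enable) {
-# tor secrets
-clan.core.facts.services."initrd.tor" = factsGenerator.tor {
-name = "initrd";
-addressPrefix = "init";
-};
-boot.initrd.secrets = {
-"/etc/tor/onion/bootup/tor.priv" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.priv".path;
-"/etc/tor/onion/bootup/hostname" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.hostname".path;
-};
-boot.initrd.systemd.storePaths = [
-pkgs.tor
-pkgs.iproute2
-pkgs.coreutils
-];
-boot.initrd.systemd.contents = {
-"/etc/tor/tor.rc".text = ''
-DataDirectory /etc/tor
-SOCKSPort 127.0.0.1:9050 IsolateDestAddr
-SOCKSPort 127.0.0.1:9063
-HiddenServiceDir /etc/tor/onion/bootup
-HiddenServicePort 2222 127.0.0.1:2222
-'';
-};
-boot.initrd.systemd.services.tor = {
-description = "tor during init";
-wantedBy = [ "initrd.target" ];
-after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
-before = [ "shutdown.target" ];
-conflicts = [ "shutdown.target" ];
-unitConfig.DefaultDependencies = false;
-path = [
-pkgs.tor
-pkgs.iproute2
-pkgs.coreutils
-];
-script =
-''
-echo "tor: preparing onion folder"
-# have to do this otherwise tor does not want to start
-chmod -R 700 /etc/tor
-echo "tor: starting tor"
-tor -f /etc/tor/tor.rc --verify-config
-tor -f /etc/tor/tor.rc
-'';
-};
-})
-];
-}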


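--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -2,7 +2,6 @@
 {
 imports = [
 ./upgrade-diff.nix
-./boot
 ];
 options.components.nixos.enable = lib.mkOption {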


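--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,6 @@
+{
+imports = [
+./ssh.nix
+./tor.nix
+];
+}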


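--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -3,10 +3,10 @@ with lib;
 with types;
 {
-options.components.nixos.boot.ssh = {
+options.features.boot.ssh = {
 enable = lib.mkOption {
 type = lib.types.bool;
-default = config.components.nixos.boot.enable;
+default = false;
 };
 kernelModules = mkOption {
 type = listOf str;
@@ -16,12 +16,7 @@ with types;
 };
 };
-config = mkIf (config.components.nixos.boot.ssh.enable) {
-# root password
-#clan.core.facts.services.rootPassword = factsGenerator.password { name = "root"; };
-#users.users.root.hashedPasswordFile = config.clan.core.facts.services.rootPassword.secret."password.root.pam".path; # fixme not working for some reason
-#users.users.root.initalPassword = "admin";
+config = mkIf (config.features.boot.ssh.enable) {
 # ssh host key
 clan.core.facts.services."boot.ssh" = factsGenerator.ssh { name = "boot"; };
@@ -32,7 +27,7 @@ with types;
 # network
 boot.initrd.systemd.network.enable = true;
-boot.initrd.availableKernelModules = config.components.nixos.boot.ssh.kernelModules;
+boot.initrd.availableKernelModules = config.features.boot.ssh.kernelModules;
 # ssh
 boot.initrd.network.enable = true;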
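Review bot: `features.boot.ssh.enable` (lines 202-205) still has no `description`, and this commit also adds `./features` to `documentation.nixos.extraModules`, so the generated option docs will show an undocumented switch that opens an SSH listener in early boot. Suggest `description = "Start an SSH server (with its own host key) in the initrd, reachable before the root filesystem is unlocked.";` and a matching one-liner for `kernelModules` naming what the list is for (`availableKernelModules` of the initrd, line 221). The default also changed from following the old group toggle to `false`, which is worth a sentence in the description since hosts must now opt in explicitly.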

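--- /dev/null
+++ b/features/boot/tor.nix
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, factsGenerator, clanLib, ... }:
+with lib;
+with types;
+{
+options.features.boot.tor = {
+enable = lib.mkOption {
+type = lib.types.bool;
+default = false;
+};
+};
+config = mkIf (config.features.boot.tor.enable) {
+# tor secrets
+clan.core.facts.services."initrd.tor" = factsGenerator.tor {
+name = "initrd";
+addressPrefix = "init";
+};
+boot.initrd.secrets = {
+"/etc/tor/onion/bootup/tor.priv" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.priv".path;
+"/etc/tor/onion/bootup/hostname" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.hostname".path;
+};
+boot.initrd.systemd.storePaths = [
+pkgs.tor
+pkgs.iproute2
+pkgs.coreutils
+];
+boot.initrd.systemd.contents = {
+"/etc/tor/tor.rc".text = ''
+DataDirectory /etc/tor
+SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+SOCKSPort 127.0.0.1:9063
+HiddenServiceDir /etc/tor/onion/bootup
+HiddenServicePort 2222 127.0.0.1:2222
+'';
+};
+boot.initrd.systemd.services.tor = {
+description = "tor during init";
+wantedBy = [ "initrd.target" ];
+after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
+before = [ "shutdown.target" ];
+conflicts = [ "shutdown.target" ];
+unitConfig.DefaultDependencies = false;
+path = [
+pkgs.tor
+pkgs.iproute2
+pkgs.coreutils
+];
+script =
+''
+echo "tor: preparing onion folder"
+# have to do this otherwise tor does not want to start
+chmod -R 700 /etc/tor
+echo "tor: starting tor"
+tor -f /etc/tor/tor.rc --verify-config
+tor -f /etc/tor/tor.rc
+'';
+};
+};
+}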
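Review bot: The initrd `tor.rc` (lines 257-262) opens two local SOCKS listeners, `SOCKSPort 127.0.0.1:9050 IsolateDestAddr` and `SOCKSPort 127.0.0.1:9063`, that nothing in this file uses; the only consumer of tor here is the hidden service forwarding to `127.0.0.1:2222`, so `SOCKSPort 0` would leave the early-boot tor with just the listener it needs. `clanLib` in the argument set (line 230) is no longer referenced now that the old commented-out unlock block was dropped, and `with lib; with types;` next to `lib.mkOption`/`lib.types.bool` is redundant. The `enable` option has no `description`; suggest `description = "Publish the initrd SSH service as a tor hidden service (onion port 2222) so the machine can be reached during early boot.";`. A short comment above `boot.initrd.secrets` would also help, noting that the onion private key is carried by the initrd and is therefore only as confidential as wherever the initrd is stored — presumably the boot partition, to be confirmed for these hosts.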

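--- /dev/null
+++ b/features/default.nix
@@ -0,0 +1,3 @@
+{
+imports = [ ./boot ];
+}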


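--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -172,6 +172,7 @@
 clanLib = import ./lib/clanlib.nix { inherit (pkgs) lib; machineDir = ./machines; };
 zerotierDeviceName = "ztbn67ogn2";
 components = ./components;
+features = ./features;
 };
 };
@@ -260,6 +261,8 @@
 documentation.nixos.options.warningsAreErrors = false; # todo make this true again
 documentation.nixos.extraModules = [
 ./components
+./features
+#./modules
 inputs.clan-core.nixosModules.clanCore
 # inputs.stylix.nixosModules.stylix # fixme: not working
 permown.nixosModules.permown
@@ -272,6 +275,12 @@
 boot.loader.generic-extlinux-compatible.configurationLimit = lib.mkDefault 10;
 boot.loader.grub.configurationLimit = lib.mkDefault 10;
 })
+# My Structure
+./components
+./features
+./modules # todo : spread this across features and components
+#./system/all # todo : spread this across features and components
 # some modules I always use
 permown.nixosModules.permown
 kmonad.nixosModules.default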


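--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -3,9 +3,6 @@
 imports = [
-../../components
-../../modules
 ./hardware-configuration
 ./syncthing.nix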


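--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -5,9 +5,6 @@
 # todo : remove
 ../../system/all
-../../components
-../../modules
 ./hardware-configuration
 ./packages.nix
@@ -58,8 +55,7 @@
 components.network.wifi.enable = false;
 components.terminal.enable = true;
-components.nixos.boot.enable = true;
-components.nixos.boot.ssh.kernelModules = [ "e1000e" ];
+features.boot.ssh.kernelModules = [ "e1000e" ];
 components.monitor.enable = true;
 components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";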
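Review bot: Line 350 replaces `components.nixos.boot.enable = true;` with only `features.boot.ssh.kernelModules = [ "e1000e" ];` and never sets an enable flag, yet under the old module the ssh option was switched on through its default (`default = config.components.nixos.boot.enable`) while the new `features.boot.ssh.enable` defaults to `false`. Unless it is enabled for this host somewhere not in the commit, initrd SSH is silently turned off here and the kernel-module list has no effect. The other two hosts in this commit set it explicitly; add the same line here: `features.boot.ssh.enable = true;`.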


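--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -3,9 +3,6 @@
 imports = [
-../../components
-../../modules
 ./hardware-configuration.nix
 ./syncthing.nix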


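--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -5,9 +5,6 @@
 ../../system/all/defaults.nix
-../../components
-../../modules
 ./service-forgejo-runner.nix
 ./service-forgejo.nix
 ./service-hedgedoc.nix
@@ -50,7 +47,8 @@
 components.network.fail2ban.enable = true;
 components.network.sshd.sshguard.enable = false;
-components.nixos.boot.enable = true;
+features.boot.ssh.enable = true;
+features.boot.tor.enable = true;
 components.monitor.enable = true;
 networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];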
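Review bot: `features.boot.tor.enable = true;` at line 377 is a new capability for this host rather than a rename: the old config set only `components.nixos.boot.enable = true;`, and the old `components.nixos.boot.tor.enable` defaulted to `false`, so after this commit the machine starts publishing an onion service from its initrd. If that is intended it deserves a mention in the commit message, which currently only says "introduced features"; if not, drop line 377 and keep only the ssh line. The host later in this commit that previously enabled tor explicitly is, by contrast, a pure rename.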


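--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,4 +1,4 @@
-{ pkgs, config, factsGenerator, ... }:
+{ pkgs, config, factsGenerator, components, ... }:
 # don't forget the database backup before upgrading
 # -------------------------------------------------
@@ -85,7 +85,7 @@ in
 config = { config, lib, ... }: {
 nixpkgs.pkgs = pkgs;
-imports = [ ../../components/monitor/container.nix ];
+imports = [ "${components}/monitor/container.nix" ];
 system.stateVersion = "23.11";
 services.logrotate.checkConfig = false; # because uid 3000 does not exist in here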
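Review bot: `imports = [ "${components}/monitor/container.nix" ];` on line 390 interpolates a path into a string, which in Nix copies the entire `components` directory into the store and imports the file from that copy; `imports = [ (components + "/monitor/container.nix") ];` keeps it a plain path and avoids the copy on every evaluation. The same string form is used in the five other container files changed by this commit, and the same replacement applies there. This presumes `components` is the path set in specialArgs at line 303 of the flake hunk; if it were already a string the point would not apply.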


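--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, ... }:
+{ lib, pkgs, config, components, ... }:
 let
 uiPort = 9091;
 in
@@ -25,7 +25,7 @@ in
 config = { config, lib, ... }: {
 nixpkgs.pkgs = pkgs;
-imports = [ ../../components/monitor/container.nix ];
+imports = [ "${components}/monitor/container.nix" ];
 system.stateVersion = "21.05";
 services.logrotate.checkConfig = false; # because uid 3000 does not exist in here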


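--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, components, ... }:
 let
 mySQLPackage = pkgs.mysql;
 photoprismPort = 2342;
@@ -15,7 +15,7 @@ in
 config = { config, lib, ... }: {
 nixpkgs.pkgs = pkgs;
-imports = [ ../../components/monitor/container.nix ];
+imports = [ "${components}/monitor/container.nix" ];
 system.stateVersion = "23.11";
 services.logrotate.checkConfig = false; # because uid 3000 does not exist in here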


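--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, clanCore, factsGenerator, ... }:
+{ config, pkgs, lib, clanCore, factsGenerator, components, ... }:
 let
 surrealdbPort = 8000;
 in
@@ -12,7 +12,7 @@ in
 config = { config, lib, ... }: {
 nixpkgs.pkgs = pkgs;
-imports = [ ../../components/monitor/container.nix ];
+imports = [ "${components}/monitor/container.nix" ];
 system.stateVersion = "24.05";
 services.logrotate.checkConfig = false; # because uid 3000 does not exist in here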


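--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, components, ... }:
 let
 vikunjaPort = 3456;
 mysqlPort = 3337;
@@ -13,7 +13,7 @@ in
 config = { config, lib, ... }: {
 nixpkgs.pkgs = pkgs;
-imports = [ ../../components/monitor/container.nix ];
+imports = [ "${components}/monitor/container.nix" ];
 system.stateVersion = "24.05";
 services.logrotate.checkConfig = false; # because uid 3000 does not exist in here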


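--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,4 +1,4 @@
-{ config, pkgs, factsGenerator, ... }:
+{ config, pkgs, factsGenerator, components, ... }:
 let
 # 1. create DNS entry `matrix.terranix.org A - 95.216.66.212`
 # 2. test with : https://federationtester.matrix.org/#terranix.org
@@ -66,7 +66,7 @@ in
 config = { config, lib, ... }: {
 nixpkgs.pkgs = pkgs;
-imports = [ ../../components/monitor/container.nix ];
+imports = [ "${components}/monitor/container.nix" ];
 system.stateVersion = "23.11";
 services.logrotate.checkConfig = false; # because uid 3000 does not exist in here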


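--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,8 +1,6 @@
 { lib, config, pkgs, ... }: {
 imports = [
 ./hardware-configuration
-../../components
-../../modules
 ];
 system.stateVersion = "24.11";
@@ -10,9 +8,8 @@
 components.mainUser.enable = true;
 components.network.enable = true;
-components.nixos.boot.enable = true;
-components.nixos.boot.ssh.enable = true;
-components.nixos.boot.tor.enable = true;
+features.boot.ssh.enable = true;
+features.boot.tor.enable = true;
 components.monitor.enable = false;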


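--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -2,8 +2,6 @@
 imports = [
-../../components
-../../modules
 ./hardware-configuration.nix
 ./packages.nix
 ./syncthing.nix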


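--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -232,7 +232,6 @@ in
 '';
 };
 sudoUsers = mkOption {
-default = [ config.users.users.mainUser.name ];
 type = with types; listOf str;
 description = ''
 user allowed to run sudo without password to start the browser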
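Review bot: Removing the default on line 498 makes `sudoUsers` a setting every browser entry must supply, but the description still reads as a singular, optional hint (`user allowed to run sudo without password to start the browser`) for what is now a mandatory `listOf str`. Suggest `description = "Users allowed to run sudo without a password to start this browser; no default, so each browser must set it explicitly.";`. Requiring the passwordless-sudo grant to be stated per browser instead of silently defaulting to mainUser is the right direction. The option block continues past this hunk.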


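--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -2,8 +2,6 @@
 imports = [
-../../modules
-../../components/network
 ./defaults.nix
 ./grub.nix
 ./packages.nix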