add sternchen computer

This commit is contained in:
Ingolf Wagner 2021-03-05 08:22:35 +01:00
parent a3be1e769a
commit 6f793e7e38
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
19 changed files with 444 additions and 22 deletions


@ -0,0 +1,14 @@
Ed25519PublicKey = Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB
-----BEGIN RSA PUBLIC KEY-----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==
-----END RSA PUBLIC KEY-----


@ -1,6 +1,6 @@
{ config, pkgs, lib, ... }: {
networking.firewall.interfaces."tinc.insecure".allowedTCPPorts = [ 8384 ];
networking.firewall.interfaces."tinc.secure".allowedTCPPorts = [ 8384 ];
custom.samba-share = {
enable = true;
@ -12,7 +12,7 @@
};
services.syncthing = {
guiAddress = lib.mkForce "${config.networking.hostName}.insecure:8384";
guiAddress = lib.mkForce "${config.networking.hostName}.secret:8384";
enable = true;
openDefaultPorts = true;
declarative = {
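Review bot: The new firewall line opens 8384 on interface `tinc.secure`, but everywhere else in this commit the renamed tinc network is called `secret` (the GUI address two lines below is `${config.networking.hostName}.secret:8384`, and the cluster module hunk defines `"secret"`), so the interface tinc creates will presumably be `tinc.secret` and this rule matches nothing. Unless another rule covers it, the GUI becomes unreachable over the VPN; the line should read `networking.firewall.interfaces."tinc.secret".allowedTCPPorts = [ 8384 ];`. Separately, binding the Syncthing GUI to a VPN address rather than localhost means every peer on that tinc network can reach the admin UI; if GUI authentication is not configured elsewhere (not visible here), a comment stating that assumption next to `guiAddress` would help. The `services.syncthing` block continues past the end of the hunk.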


@ -6,7 +6,7 @@
# openPort = true;
# connectTo = [ "sputnik" ];
#};
"insecure" = {
"secure" = {
enable = true;
openPort = true;
connectTo = [ "sputnik" ];
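Review bot: This file renames the network to `"secure"`, while every other hunk in the commit (the cluster module, the other hosts' tinc.nix, known_hosts, ssh config) renames `insecure` to `"secret"`; this looks like a typo rather than a deliberate second network. Depending on how `module.cluster.services.tinc` is typed, this either fails evaluation or silently enables a network named `secure` with no hosts and no subnet, while the host drops out of `secret`. The line should be `"secret" = {`. The enclosing attribute set starts and ends outside the hunk.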


@ -4,7 +4,7 @@
enable = true;
openPort = true;
};
"insecure" = {
"secret" = {
enable = true;
openPort = true;
};


@ -0,0 +1,81 @@
{ config, pkgs, lib, ... }: {
imports = [
<system/desktop>
./hardware-configuration.nix
./packages.nix
#./syncthing.nix
./tinc.nix
];
networking.hostName = "sternchen";
system.custom.mainUser.userName = "tina";
system.custom.wifi.interfaces = [ "wlp3s0" ];
security.wrappers = {
pmount.source = "${pkgs.pmount}/bin/pmount";
pumount.source = "${pkgs.pmount}/bin/pumount";
};
# keybase
services.keybase.enable = false;
services.kbfs.enable = false;
programs.custom.steam.enable = false;
programs.custom.video.enable = false;
services.printing.enable = true;
# fonts
# -----
programs.custom.urxvt.fontSize = 12;
programs.custom.xterm.fontSize = 12;
system.custom.fonts.dpi = 100;
virtualisation = {
docker.enable = false;
virtualbox = {
host.enable = false;
guest.x11 = false;
guest.enable = false;
};
};
configuration.desktop = {
width = 1366;
height = 768;
};
custom.samba-share = {
enable = false;
folders = {
#public = "/home/palo/movies";
share = "/home/share";
#syncthing = "/mnt/syncthing";
#movies = "/mnt/syncthing/movies";
#series = "/mnt/syncthing/series";
};
};
# enable this to use sidequest
programs.adb.enable = false;
users.users.mainUser.extraGroups = [ "adbusers" "video" ];
# for congress and streaming
hardware.opengl = {
enable = true;
extraPackages = [ pkgs.vaapiIntel ];
driSupport32Bit = true;
};
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
}
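Review bot: The `security.wrappers` entries for pmount/pumount give only `source`, so whether the resulting wrapper is setuid root and who owns it is left entirely to the module's defaults; for a wrapper that hands every local user the ability to mount block devices, that decision should be explicit in the file, e.g. `pmount = { source = "${pkgs.pmount}/bin/pmount"; owner = "root"; group = "root"; setuid = true; };` (newer NixOS releases require these attributes anyway, as far as I know). A one-line comment saying why the wrappers exist (removable-media mounting for the desktop user) would also help the next reader. The commented-out `#./syncthing.nix` import and the `/home/palo/...` comments in `custom.samba-share` look copied from the sterni host; since this machine's main user is `tina`, they are probably stale and worth pruning.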


@ -0,0 +1,79 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
boot.initrd.availableKernelModules =
[ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# Use the systemd-boot EFI boot loader, not grub
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
zramSwap = {
enable = true;
numDevices = 2;
swapDevices = 1;
memoryPercent = 50;
};
#fileSystems."/share/" = {
# device = "/dev/ram1";
# fsType = "tmpfs";
#};
#fileSystems."/browsers/" = {
# #device = "/dev/ram2";
# #fsType = "tmpfs";
# options = [ "noatime" "nodiratime" "discard" ];
# device = "/dev/vg/browser";
# fsType = "ext4";
#};
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
# lvm volume group
# ----------------
boot.initrd.luks.devices = {
vg = {
device = "/dev/sda2";
preLVM = true;
};
};
# NTFS support
# ------------
environment.systemPackages = [ pkgs.ntfs3g ];
# root
# ----
fileSystems."/" = {
options = [ "noatime" "nodiratime" "discard" ];
device = "/dev/vg/root";
fsType = "ext4";
};
# home
# ----
fileSystems."/home" = {
options = [ "noatime" "nodiratime" "discard" ];
device = "/dev/vg/home";
fsType = "ext4";
};
# boot
# ----
fileSystems."/boot" = {
device = "/dev/sda1";
fsType = "vfat";
};
}
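Review bot: The root and home filesystems are mounted with `discard` but the LUKS device `vg` they sit on does not set `allowDiscards`, so dm-crypt will not pass TRIM through and the mount option is effectively a no-op (ext4 typically logs a warning about the device not supporting discard). Either drop `"discard"` from both `options` lists, or add `allowDiscards = true;` to `boot.initrd.luks.devices.vg` with a comment that this intentionally leaks free-space layout from the encrypted volume to the SSD. The LUKS and boot devices are also referenced as `/dev/sda2` / `/dev/sda1` rather than `/dev/disk/by-uuid/...`, which can select the wrong disk when device enumeration order changes (e.g. a USB drive present at boot). Finally, the header claiming the file was generated by nixos-generate-config and must not be modified is no longer true given the hand-added zram, LUKS and ntfs3g sections; I would remove it.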


@ -0,0 +1,13 @@
{ config, lib, pkgs, ... }:
let unstable = import <nixpkgs-unstable> { };
in {
# overlay included
#nixpkgs.overlays = [ (import <mozilla-overlay/rust-overlay.nix>) ];
environment.systemPackages = with pkgs; [
darktable
keepass
];
}
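Review bot: The `let unstable = import <nixpkgs-unstable> { };` binding is never used in this file, so it only adds a dependency on the `nixpkgs-unstable` NIX_PATH entry (evaluation fails if that entry is missing) for nothing. Drop the `let ... in` and start the file with `{ config, lib, pkgs, ... }: {`, or add a comment if it is intentionally kept for future packages. The commented-out overlay line looks copied from another host and can go as well.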


@ -0,0 +1,77 @@
{ config, pkgs, lib, ... }: {
services.syncthing = {
enable = true;
openDefaultPorts = false;
user = "palo";
dataDir = "/home/palo/.syncthing";
configDir = "/home/palo/.syncthing";
declarative = {
cert = toString <secrets/syncthing/cert.pem>;
key = toString <secrets/syncthing/key.pem>;
overrideFolders = true;
folders = {
# on encrypted drive
# ------------------
private = {
enable = true;
path = "/home/palo/private";
};
desktop = {
enable = true;
path = "/home/palo/desktop";
};
finance = {
enable = true;
path = "/home/palo/finance";
};
fotos = {
enable = true;
path = "/home/palo/fotos";
};
samples = {
enable = true;
path = "/home/palo/samples";
};
zettlr = {
enable = true;
path = "/home/palo/zettlr";
};
programs = {
enable = true;
path = "/home/palo/programs";
};
# no need to be encrypted
# -----------------------
books = {
enable = true;
path = "/home/palo/books";
};
music-library = {
enable = true;
path = "/home/palo/music-library";
};
music-projects = {
enable = true;
path = "/home/palo/music-projects";
};
smartphone-folder = {
enable = true;
path = "/home/palo/smartphone-folder";
};
processing = {
enable = true;
path = "/home/palo/sketchbook";
};
};
};
};
system.permown."/home/palo/music-library" = {
owner = "palo";
group = "users";
};
}
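Review bot: This syncthing.nix runs the service as `user = "palo"` with every folder under `/home/palo/`, but the host configuration added in the same commit sets `system.custom.mainUser.userName = "tina"`, so if the file is ever imported (it is currently commented out) Syncthing would run as a user that presumably does not exist on this machine. Either change the user and paths to `tina`, or add a header comment stating that the file is a copy of sterni's configuration and not yet adapted. Also, `cert` and `key` point at `<secrets/syncthing/cert.pem>` / `key.pem`; if the `secrets` NIX_PATH entry is shared rather than per-host, sternchen would reuse sterni's device certificate and therefore its Syncthing device ID, which breaks the device model — worth confirming that the secrets tree is per-host.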


@ -0,0 +1,24 @@
{ config, lib, pkgs, ... }:
with lib;
{
module.cluster.services.tinc = {
#"private" = {
# enable = true;
# openPort = true;
# connectTo = [ "sputnik" ];
#};
#"retiolum" = {
# enable = true;
# openPort = true;
#};
"secret" = {
enable = true;
openPort = true;
connectTo = [ "sputnik" ];
};
};
}


@ -0,0 +1,84 @@
{ lib, pkgs, ... }:
let
wifi = "wlp0s29u1u2";
ipAddress = "10.123.145.1";
prefixLength = 24;
servedAddressRange = "10.123.145.2,10.123.145.150,12h";
ssid = "bumbumbum";
wifiPassword = lib.fileContents <secrets/wifi-access-point>;
in {
# todo only open needed ports
networking.firewall.trustedInterfaces = [ wifi ];
networking.networkmanager.unmanaged = [ wifi ];
networking.dhcpcd.denyInterfaces = [ wifi ];
networking.interfaces."${wifi}".ipv4.addresses = [{
address = ipAddress;
prefixLength = prefixLength;
}];
# forward traffic coming in trough the access point => provide internet and vpn network access
# todo : forward to own servers
boot.kernel.sysctl = {
"net.ipv4.conf.${wifi}.forwarding" = true;
"net.ipv6.conf.${wifi}.forwarding" = true;
};
systemd.services.hostapd = {
description = "hostapd wireless AP";
path = [ pkgs.hostapd ];
# start manual
# wantedBy = [ "network.target" ];
after = [
"${wifi}-cfg.service"
"nat.service"
"bind.service"
"dhcpd.service"
"sys-subsystem-net-devices-${wifi}.device"
];
serviceConfig = {
ExecStart = "${pkgs.hostapd}/bin/hostapd ${
pkgs.writeText "hostapd.conf" ''
interface=${wifi}
hw_mode=g
channel=10
ieee80211d=1
country_code=DE
ieee80211n=1
wmm_enabled=1
ssid=${ssid}
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=${wifiPassword}
''
}";
Restart = "always";
};
};
services.dnsmasq = {
enable = true;
extraConfig = ''
# Only listen to routers' LAN NIC. Doing so opens up tcp/udp port 53 to
# localhost and udp port 67 to world:
interface=${wifi}
# Explicitly specify the address to listen on
listen-address=${ipAddress}
# Dynamic range of IPs to make available to LAN PC and the lease time.
# Ideally set the lease time to 5m only at first to test everything works okay before you set long-lasting records.
dhcp-range=${servedAddressRange}
'';
};
}
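Review bot: `wifiPassword` is read with `lib.fileContents` and then interpolated into `pkgs.writeText "hostapd.conf"`, so the WPA passphrase ends up verbatim in a world-readable `/nix/store/...-hostapd.conf` and in the service's ExecStart line; any local user (and anything that can read the store) gets the PSK. hostapd can read the key from a file outside the store instead: replace `wpa_passphrase=${wifiPassword}` with `wpa_psk_file=${toString <secrets/wifi-access-point-psk>}`, store the secret as `00:00:00:00:00:00 <passphrase>` in that file with mode 0600, and delete the `wifiPassword` binding. Independently, `networking.firewall.trustedInterfaces = [ wifi ]` together with the forwarding sysctls means every client of this SSID is treated as fully trusted by the host firewall; the "todo only open needed ports" comment acknowledges this, but until it is done a comment spelling out that WiFi clients get unrestricted access to local services would be prudent.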


@ -0,0 +1,45 @@
{ pkgs, config, ... }: {
users.users.mainUser.extraGroups = [ "wireshark" ];
programs.wireshark.enable = true;
environment.systemPackages = [
pkgs.wireshark
# alternative packet analyzer (only works with elasticsearch)
pkgs.packetbeat7
];
# elastic search is good for analysing stuff
# https://www.elastic.co/blog/analyzing-network-packets-with-wireshark-elasticsearch-and-kibana
services.elasticsearch.enable = true;
services.elasticsearch.listenAddress =
"${config.networking.hostName}.private";
services.kibana.enable = true;
services.kibana.elasticsearch.hosts =
[ "http://${config.networking.hostName}.private:9200" ];
services.kibana.listenAddress = "${config.networking.hostName}.private";
services.kibana.port = 5601;
# using tshark with elastic search
# --------------------------------
# tshark -r file.pcap -T ek > packages.json
# curl -XPOST "sterni.private:9200/packets/doc/_bulk" -H 'Content-Type: application/json' --data-binary "@packets.json"
services.nginx = {
enable = true;
statusPage = true;
virtualHosts = {
"kibana.${config.networking.hostName}.private" = {
serverAliases = [ ];
locations."/" = {
proxyPass = "http://${config.networking.hostName}.private:${
toString config.services.kibana.port
}";
};
};
};
};
}
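Review bot: Elasticsearch is bound to `${hostName}.private:9200` and Kibana is additionally fronted by an nginx virtual host, with no authentication visible at any of the three layers; the curl example in the comments shows an unauthenticated bulk POST, so anyone on the `.private` tinc network can read and overwrite the packet captures, and the nginx vhost — which by default listens on all interfaces — exposes Kibana wherever port 80 is allowed. For a single-user analysis box I would bind both services to `127.0.0.1`, keep the nginx vhost as the only entry point, and add `basicAuthFile = toString <secrets/kibana-htpasswd>;` (or `basicAuth`) to the `/` location. Minor: the comment writes `packages.json` from tshark but posts `packets.json`; make the two names agree.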


@ -14,7 +14,7 @@ with lib;
enable = true;
openPort = true;
};
"insecure" = {
"secret" = {
enable = true;
openPort = true;
connectTo = [ "sputnik" ];


@ -10,7 +10,7 @@
enable = true;
openPort = true;
};
"insecure" = {
"secret" = {
enable = true;
openPort = true;
connectTo = [ "sputnik" ];


@ -2,7 +2,7 @@ let
# host used to install stuff. (can be an onion id if you use torify)
#installHost = "localhost";
installHost = "adsf.onion";
installHost = "mobi.private";
#ops = import ../plops ;
ops = import ((import <nixpkgs> { }).fetchgit {
@ -132,7 +132,7 @@ let
hostPattern = name:
if name == "porani" then
"${name}.insecure"
"${name}.secret"
else if name == "dummy" then
"95.217.223.75"
else
@ -233,7 +233,7 @@ in pkgs.mkShell {
buildInputs = with pkgs;
(servers [ "workhorse" "sputnik" "porani" "dummy" ])
++ (desktops [ "pepe" "workout" "sterni" "mobi" ]) ++ [
++ (desktops [ "pepe" "workout" "sterni" "mobi" "sternchen" ]) ++ [
(pkgs.writers.writeBashBin "reformat" ''
find ${
toString ./.
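Review bot: `sternchen` is added to the desktops list, but `hostPattern` only special-cases `porani` (now `${name}.secret`) and `dummy`, so sternchen falls through to the default branch outside this hunk. Given that sternchen's tinc.nix in this commit only enables the `secret` network (its `private` block is commented out), if that default builds a `.private` name the deploy target for sternchen will not resolve; an explicit `else if name == "sternchen" then "${name}.secret"` branch, or a comment explaining why the default is fine, seems needed. The `hostPattern` function and the `mkShell` argument both continue outside the hunks shown.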


@ -5,9 +5,9 @@
"sterni.private" = {
hostNames = [
"sterni.private"
"sterni.insecure"
"sterni.secret"
config.module.cluster.services.tinc.private.hosts.sterni.tincIp
config.module.cluster.services.tinc.insecure.hosts.sterni.tincIp
config.module.cluster.services.tinc.secret.hosts.sterni.tincIp
];
publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyHmHJy2Va45p9mn+Hj3DyaY5yxnQIKvXeACHjzgSKt";
@ -24,9 +24,9 @@
"sputnik.private" = {
hostNames = [
"sputnik.private"
"sputnik.insecure"
"sputnik.secret"
config.module.cluster.services.tinc.private.hosts.sputnik.tincIp
config.module.cluster.services.tinc.insecure.hosts.sputnik.tincIp
config.module.cluster.services.tinc.secret.hosts.sputnik.tincIp
];
publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTLXDTqUtl0BQgzH1O7CRulGCRN1P4KU8imL/wjYFh8";
@ -34,17 +34,17 @@
"workhorse.private" = {
hostNames = [
"workhorse.private"
"workhorse.insecure"
"workhorse.secret"
config.module.cluster.services.tinc.private.hosts.workhorse.tincIp
config.module.cluster.services.tinc.insecure.hosts.workhorse.tincIp
config.module.cluster.services.tinc.secret.hosts.workhorse.tincIp
];
publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDaK0Vv33TuGQa/B5p54sGilgpYvfKkBaBGlEBpIk1QB";
};
"porani.insecure" = {
"porani.secret" = {
hostNames = [
"porani.insecure"
config.module.cluster.services.tinc.insecure.hosts.porani.tincIp
"porani.secret"
config.module.cluster.services.tinc.secret.hosts.porani.tincIp
];
publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOKNtRWVrqADgAMtTSWgnpp8gRKUtn4QUMFzQ78fC+aK";
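Review bot: This known_hosts file gains no entry for the new host, although sternchen is added to the deploy list and joins the `secret` tinc network in the same commit, so the first `ssh root@sternchen.secret` from the deploy shell will be a trust-on-first-use connection with no pinned key. Add a `"sternchen.secret"` entry mirroring the porani one, with `hostNames = [ "sternchen.secret" config.module.cluster.services.tinc.secret.hosts.sternchen.tincIp ];` and the host's ssh-ed25519 public key, in the same change that makes the host deployable. The enclosing attribute set continues past the hunk.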


@ -27,7 +27,7 @@ with lib; {
id =
"6YOIA4E-X52ZD5Z-FPNWPRS-77QIMMU-VDIXVZB-6BPQN7A-FFJDU4W-EXEGFAI";
addresses =
[ "tcp://porani.insecure:22000" "tcp://porani.insecure:21027" ];
[ "tcp://porani.secret:22000" "tcp://porani.secret:21027" ];
};
} // {
smartphone = {


@ -44,7 +44,7 @@ in {
};
};
# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
"insecure" = {
"secret" = {
networkSubnet = "10.123.42.0/24";
port = 721;
extraConfig = ''
@ -54,6 +54,11 @@ in {
privateEd25519KeyFile = toString <secrets/tinc/ed25519_key>;
privateRsaKeyFile = toString <secrets/tinc/rsa_key>;
hosts = {
sternchen = {
tincIp = "10.123.42.25";
# publicKey = lib.fileContents <assets/tinc/sterni_host_file>;
publicKey = lib.fileContents <assets/tinc/sternchen_host_file>;
};
sterni = {
tincIp = "10.123.42.24";
# publicKey = lib.fileContents <assets/tinc/sterni_host_file>;
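Review bot: The new `sternchen` host entry carries a commented-out `# publicKey = lib.fileContents <assets/tinc/sterni_host_file>;` line that is plainly copy-pasted from the `sterni` entry below and refers to the wrong host; it should be removed so nobody later "restores" sterni's key for sternchen. The host entry itself looks consistent with the asset file added in this commit, and keeping the private keys behind `toString <secrets/...>` (so they are not copied into the store) is the right pattern. The `hosts` attribute set continues outside the hunk.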


@ -15,7 +15,7 @@ with lib; {
identitiesOnly = true;
user = "root";
};
"*.insecure" = {
"*.secret" = {
identityFile = "~/.ssh/card_rsa.pub";
identitiesOnly = true;
user = "root";


@ -3,7 +3,7 @@
system.custom.mainUser = {
enable = true;
userName = "palo";
userName = lib.mkDefault "palo";
authorizedKeyFiles =
config.users.users.root.openssh.authorizedKeys.keyFiles;
};