diff --git a/flake.lock b/flake.lock
index 1092601..9964a13 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1294,11 +1294,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1692771442,
- "narHash": "sha256-ZyPeoIoDGh4Sfgpcx0grNDVDXNDmR1YHgU1K3z4x2EE=",
+ "lastModified": 1702813900,
+ "narHash": "sha256-iW4thfqQUqm3A/nh9pwRUrIHsgavaS3A/pifynJmYkI=",
 "ref": "main",
- "rev": "0a13af540fe8fea07ca020be953b14923a80d25c",
- "revCount": 55,
+ "rev": "647d3f4ead533dc17be45504417acc4d1efe2d87",
+ "revCount": 56,
 "type": "git",
 "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
 },
diff --git a/flake.nix b/flake.nix
index f229387..35d045c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -333,6 +333,19 @@
 { home-manager.users.mainUser.gui.enable = true; }
 ];
 };
+ cherry = nixosConfigurationSetup {
+ name = "cherry";
+ host = "root@192.168.178.23";
+ modules = [
+ nixos-hardware.nixosModules.framework-13th-gen-intel
+ #retiolum.nixosModules.retiolum
+ #private_assets.nixosModules.jobrad
+ homeManagerModules
+ # { home-manager.users.root = import ./nixos/homes/root; }
+ { home-manager.users.mainUser = import ./nixos/homes/palo; }
+ { home-manager.users.mainUser.gui.enable = true; }
+ ];
+ };
 chungus = nixosConfigurationSetup {
 name = "chungus";
 modules = [
diff --git a/nixos/components/network/tinc/private.nix b/nixos/components/network/tinc/private.nix
index 3637af8..f371320 100644
--- a/nixos/components/network/tinc/private.nix
+++ b/nixos/components/network/tinc/private.nix
@@ -14,6 +14,7 @@ let
 pepe = "10.23.42.26";
 cream = "10.23.42.27";
 chungus = "10.23.42.28";
+ cherry = "10.23.42.29";
 robi = "10.23.42.111";
 };
 subDomains = {
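Review bot: The commented-out module lines in the new `cherry` entry (`#retiolum.nixosModules.retiolum`, `#private_assets.nixosModules.jobrad`, `# { home-manager.users.root = … }`) are dead configuration with no explanation; either drop them or say what they wait for, e.g. `# retiolum: enable once cherry has its own retiolum keys (see nixos/machines/cherry/tinc_retiolum.nix)`. `host = "root@192.168.178.23"` is a private LAN address, presumably DHCP-assigned and presumably the deploy target, so it may silently point at a different machine later; a hostname or the node's tinc address would be more stable. The enclosing attribute set starts before the hunk.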
@@ -30,12 +31,6 @@ let
 "prowlarr.robi" = hosts.robi;
 "jellyseerr.robi" = hosts.robi;
 "unmanic.robi" = hosts.robi;
- # pepe
- "grafana.pepe" = hosts.pepe;
- "loki.pepe" = hosts.pepe;
- "prometheus.pepe" = hosts.pepe;
- "tdarr.pepe" = hosts.pepe;
- "tts.pepe" = hosts.pepe;
 # chungus
 "de.tts.chungus" = hosts.chungus;
 "en.tts.chungus" = hosts.chungus;
@@ -76,6 +71,10 @@ in
 subnets = [{ address = hosts.cream; }];
 settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
 };
+ cherry = {
+ subnets = [{ address = hosts.cherry ; }];
+ settings.Ed25519PublicKey = "BsPIrZjbzn0aryC0HO3OXSb4oFCMmzNDmMDQmxUXUuC";
+ };
 sterni = {
 subnets = [{ address = hosts.sterni; }];
 settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
diff --git a/nixos/homes/palo/packages/nextcloud.nix b/nixos/homes/palo/packages/nextcloud.nix
index db66046..a5bf1c4 100644
--- a/nixos/homes/palo/packages/nextcloud.nix
+++ b/nixos/homes/palo/packages/nextcloud.nix
@@ -12,8 +12,6 @@ let
 ~/Nextcloud/${folder} \
 "https://${user}:${password}@nextcloud.ingolf-wagner.de"
 '';
-
-
 in
 {
 home.packages = [
diff --git a/nixos/machines/cherry/configuration.nix b/nixos/machines/cherry/configuration.nix
new file mode 100644
index 0000000..4d594d9
--- /dev/null
+++ b/nixos/machines/cherry/configuration.nix
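Review bot: `subnets = [{ address = hosts.cherry ; }];` has a stray space before the semicolon; the sibling entries write `hosts.cream;`. The subnet announced here (10.23.42.29 from the hosts table) must agree with the address the machine configures on its own side, and the new `nixos/machines/cherry/tinc.nix` in this commit sets `tinc.private.ipv4 = "10.23.42.27"`, which is cream's entry in the same table; one of the two needs to change. The enclosing `hosts` attribute set starts before the hunk.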
@@ -0,0 +1,146 @@
+{ config, pkgs, lib, ... }:
+{
+
+ imports = [
+
+ ../../components
+ ../../system/desktop
+ ../../system/server/netdata.nix
+
+ ./disko-config.nix
+ ./hardware-configuration.nix
+
+ ./syncthing.nix
+ ./cups.nix
+ ./tinc.nix
+ #./tinc_retiolum.nix
+
+ ./qemu.nix
+ ./wireguard.nix
+
+ ];
+
+ components.gui.enable = true;
+ components.mainUser.enable = true;
+ components.media.enable = true;
+ components.media.tts-client.enable = false;
+ components.network.enable = true;
+ components.network.wifi.enable = true;
+ components.terminal.enable = true;
+
+ home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
+
+ sops.secrets.yubikey_u2fAuthFile = { };
+
+ components.gui.taskwarrior.config = {
+ general = {
+ targets = [ "terranix" "my_github" ];
+ log_level = "INFO";
+ static_fields = [ "priority" ];
+ merge_annotations = false;
+ };
+ terranix = {
+ service = "github";
+ login = "mrVanDalo";
+ token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
+ username = "mrVanDalo";
+ default_priority = "";
+ description_template = "{{githubtitle}} {{githuburl}}";
+ add_tags = "github";
+ project_template = "terranix";
+ involved_issues = true;
+ query = "org:terranix is:open";
+ include_user_issues = false;
+ include_user_repos = false;
+ };
+ my_github = {
+ service = "github";
+ login = "mrVanDalo";
+ token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
+ username = "mrVanDalo";
+ description_template = "{{githubtitle}} {{githuburl}}";
+ add_tags = "github";
+ include_user_issues = true;
+ include_user_repos = true;
+ exclude_repos = [ "azubi" "csv-to-qif" "stepp0r" ];
+ };
+ # todo : add github issues
+ };
+
+
+ users.users.mainUser.extraGroups = [ "pipewire" ];
+
+ services.nginx.enable = true;
+
+ networking.hostName = "cherry";
+
+ # make sure battery is charged in a way to live for a long time
+ services.power-profiles-daemon.enable = false;
+ services.tlp = {
+ enable = true;
+ settings = {
+ CPU_BOOST_ON_BAT = 0;
+ CPU_SCALING_GOVERNOR_ON_BATTERY = "powersave";
+ START_CHARGE_THRESH_BAT0 = 30;
+ STOP_CHARGE_THRESH_BAT0 = 85;
+ RUNTIME_PM_ON_BAT = "auto";
+ };
+ };
+
+ security.wrappers = {
+ pmount = {
+ source = "${pkgs.pmount}/bin/pmount";
+ setuid = true;
+ owner = "root";
+ group = "root";
+ };
+ pumount = {
+ source = "${pkgs.pmount}/bin/pumount";
+ setuid = true;
+ owner = "root";
+ group = "root";
+ };
+ };
+
+ programs.custom.steam.enable = true;
+ services.printing.enable = true;
+
+ # fonts
+ # -----
+ programs.custom.urxvt.fontSize = 16;
+ programs.custom.urxvt.fontType = "vector";
+ programs.custom.xterm.fontSize = 16;
+ # todo : add xterm fontType
+ # programs.custom.xterm.fontType = "vector";
+
+ virtualisation = {
+ docker.enable = true;
+ podman.enable = true;
+ virtualbox = {
+ host.enable = false;
+ guest.x11 = false;
+ guest.enable = false;
+ };
+ };
+
+ #services.xserver.desktopManager.gnome.enable = true;
+ #services.xserver.displayManager.lightdm.enable = false;
+ #services.xserver.displayManager.sddm.enable = true;
+
+ custom.samba-share = {
+ enable = false;
+ folders = {
+ share = "/home/share";
+ video = "/home/video-material";
+ };
+ };
+
+
+ # for congress and streaming
+ hardware.opengl = {
+ enable = true;
+ };
+
+ system.stateVersion = "23.11";
+
+}
diff --git a/nixos/machines/cherry/cups.nix b/nixos/machines/cherry/cups.nix
new file mode 100644
index 0000000..2c2e41d
--- /dev/null
+++ b/nixos/machines/cherry/cups.nix
@@ -0,0 +1,16 @@
+{
+ hardware.printers.ensurePrinters = [
+ {
+ description = "Lexmark E350d";
+ deviceUri = "usb://Lexmark/E350d?serial=622Z9ZC";
+ location = "office";
+ name = "Lexmark_E350d";
+ model = "drv:///sample.drv/generic.ppd";
+ ppdOptions = {
+ job-sheets = "none, none";
+ media = "na_letter_8.5x11in";
+ sides = "one-sided";
+ };
+ }
+ ];
+}
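Review bot: `services.nginx.enable = true;` is set with no virtualHosts or proxy entries anywhere in this file, so nginx starts with its default server on port 80 on every interface of a laptop that also enables wifi; if a module under `../../components` or the netdata import needs it, say so (`# nginx: needed by …`), otherwise drop the line. The taskwarrior `token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";` string is duplicated verbatim in `terranix` and `my_github`; a single `let bugwarriorToken = …; in` binding keeps the two in sync. `#./tinc_retiolum.nix` and the three commented `services.xserver.*` lines are commented-out configuration; delete them or state why they are kept. The `# for congress and streaming` comment over `hardware.opengl` is copied from cream/configuration.nix (visible later in this diff) and does not describe this machine.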
diff --git a/nixos/machines/cherry/disko-config.nix b/nixos/machines/cherry/disko-config.nix
new file mode 100644
index 0000000..1bbe32f
--- /dev/null
+++ b/nixos/machines/cherry/disko-config.nix
@@ -0,0 +1,73 @@
+# nix run github:nix-community/disko -- --mode zap_create_mount ./disko-config.nix
+# nixos-generate-config --no-filesystems --root /mnt
+{ config, lib, ... }:
+{
+
+ # ZFS already has its own scheduler. Without this my(@Artturin) computer froze for a second when i nix build something.
+ # copied from : https://github.com/numtide/srvos/blob/main/nixos/common/zfs.nix
+ services.udev.extraRules = lib.optionalString (config.boot.zfs.enabled) ''
+ ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ENV{ID_FS_TYPE}=="zfs_member", ATTR{../queue/scheduler}="none"
+ '';
+
+ disko.devices = {
+ disk = {
+ root = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ name = "ESP";
+ start = "0";
+ end = "500MiB";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ }
+ {
+ name = "zfs";
+ start = "500MiB";
+ end = "100%";
+ content = {
+ type = "luks";
+ name = "root";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ }
+ ];
+ };
+ };
+ };
+ zpool = {
+ zroot = {
+ type = "zpool";
+ rootFsOptions = {
+ mountpoint = "none";
+ canmount = "off";
+ compression = "lz4";
+ };
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ mountpoint = "/";
+ options = {
+ mountpoint = "legacy";
+ compression = "lz4";
+ };
+ };
+ };
+ };
+ };
+
+ };
+}
+
diff --git a/nixos/machines/cherry/hardware-configuration.nix b/nixos/machines/cherry/hardware-configuration.nix
new file mode 100644
index 0000000..3a1f4a3
--- /dev/null
+++ b/nixos/machines/cherry/hardware-configuration.nix
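Review bot: The LUKS container (`type = "luks"; name = "root";`) declares neither a password/key file nor any `settings`, so disko will prompt interactively for the passphrase during `zap_create_mount`; if the new `scripts/nixos-anywhere-pet.sh` in this commit is meant to supply a generated key (it creates `LUKS_KEY=$( mktemp )`), this file has to reference it, e.g. `passwordFile = "/tmp/secret.key";` paired with nixos-anywhere's `--disk-encryption-keys /tmp/secret.key "$LUKS_KEY"` — verify the option name against the disko revision pinned in flake.lock. Leaving `settings.allowDiscards` unset means TRIM never reaches the NVMe; that is the safer default (discards expose free-space layout through the ciphertext) but deserves a one-line comment so nobody "fixes" it without knowing. The header comment runs `github:nix-community/disko` unpinned, so the installer is not reproducible; `nix run github:nix-community/disko/<rev>` or the flake input would be. `compression = "lz4"` in the `root` dataset merely repeats the inherited `rootFsOptions` value.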
@@ -0,0 +1,30 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s13f0u2c2.useDHCP = lib.mkDefault true;
+ # networking.interfaces.tinc.private.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp170s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ # high-resolution display
+ hardware.video.hidpi.enable = lib.mkDefault true;
+}
diff --git a/nixos/machines/cherry/qemu.nix b/nixos/machines/cherry/qemu.nix
new file mode 100644
index 0000000..f390118
--- /dev/null
+++ b/nixos/machines/cherry/qemu.nix
@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+{
+
+ virtualisation.libvirtd.enable = true;
+ #virtualisation.libvirtd.allowedBridges = ["virbr0"];
+ virtualisation.libvirtd.onShutdown = "shutdown";
+
+ environment.systemPackages = [
+ pkgs.qemu_kvm
+ (pkgs.quickemu.override { qemu = pkgs.qemu_kvm; })
+ pkgs.virt-manager
+ ];
+
+ users.users.mainUser.extraGroups = [ "libvirtd" ];
+
+}
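Review bot: `users.users.mainUser.extraGroups = [ "libvirtd" ];` grants mainUser the system libvirt socket, which is root-equivalent on the host (a VM definition can be given any host block device or path), so it should carry a comment: `# libvirtd group is root-equivalent on the host; needed for virt-manager's qemu:///system session`. quickemu (`pkgs.quickemu.override { qemu = pkgs.qemu_kvm; }`) runs qemu directly as the user and does not need the group, so if virt-manager is the only consumer that is worth stating too. The commented `#virtualisation.libvirtd.allowedBridges = ["virbr0"];` line should be removed or explained.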
diff --git a/nixos/machines/cherry/syncthing.nix b/nixos/machines/cherry/syncthing.nix
new file mode 100644
index 0000000..e502a44
--- /dev/null
+++ b/nixos/machines/cherry/syncthing.nix
@@ -0,0 +1,58 @@
+{ config, pkgs, lib, ... }: {
+
+ #sops.secrets.syncthing_cert = { };
+ #sops.secrets.syncthing_key = { };
+
+ services.syncthing = {
+ enable = true;
+ openDefaultPorts = false;
+ user = "palo";
+ dataDir = "/home/palo/.syncthing";
+ configDir = "/home/palo/.syncthing";
+ #cert = toString config.sops.secrets.syncthing_cert.path;
+ #key = toString config.sops.secrets.syncthing_key.path;
+ overrideFolders = true;
+ settings.folders = {
+
+ # on encrypted drive
+ # ------------------
+ password-store = {
+ enable = true;
+ path = "/home/palo/.password-store";
+ };
+ #private = {
+ # enable = true;
+ # path = "/home/palo/private";
+ #};
+ art = {
+ enable = true;
+ path = "/home/palo/art";
+ };
+ desktop = {
+ enable = true;
+ path = "/home/palo/desktop";
+ };
+ finance = {
+ enable = true;
+ path = "/home/palo/finance";
+ };
+
+ # no need to be encrypted
+ # -----------------------
+ books = {
+ enable = true;
+ path = "/home/palo/books";
+ };
+ };
+ };
+
+ services.permown."/home/palo/music-library" = {
+ owner = "palo";
+ group = "users";
+ };
+
+ services.permown."/home/palo/finance" = {
+ owner = "palo";
+ group = "syncthing";
+ };
+}
diff --git a/nixos/machines/cherry/tinc.nix b/nixos/machines/cherry/tinc.nix
new file mode 100644
index 0000000..e53ccfe
--- /dev/null
+++ b/nixos/machines/cherry/tinc.nix
@@ -0,0 +1,15 @@
+{ config, ... }:
+{
+
+ tinc.private.enable = true;
+ tinc.private.ipv4 = "10.23.42.27";
+
+ tinc.secret.enable = true;
+ tinc.secret.ipv4 = "10.123.42.27";
+
+ # retiolum
+ #networking.retiolum.port = 720;
+ #sops.secrets.tinc_retiolum_ed25519_key = { };
+ #services.tinc.networks.retiolum.ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
+
+}
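Review bot: With `#cert = …` and `#key = …` commented out, syncthing mints a fresh device identity on first start, and the disko config in this commit wipes the disk on reinstall, so every peer must re-pair cherry after each rebuild; either wire the two `sops.secrets.syncthing_*` entries sketched in the commented lines or add `# device identity intentionally ephemeral; peers re-pair after reinstall`. `overrideFolders = true` is set but neither `settings.devices` nor a per-folder `devices` list appears here, so unless a shared module fills them in these folders are declared yet shared with nobody. `user = "palo"` and the `/home/palo/…` paths hard-code a user name the rest of the configuration refers to as `mainUser`.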
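Review bot: `tinc.private.ipv4 = "10.23.42.27";` is cream's address in the hosts table of nixos/components/network/tinc/private.nix, while that table and the new subnet entry in this commit assign cherry `10.23.42.29`; as written cherry would configure an address different from the subnet the other nodes route to it, and would collide with cream. Change it to `tinc.private.ipv4 = "10.23.42.29";`. `tinc.secret.ipv4 = "10.123.42.27"` looks like the same copy from cream; the secret network's address table is not in this diff, so check it as well. The commented retiolum lines at the bottom duplicate the separate tinc_retiolum.nix added in this commit; keep one place.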
diff --git a/nixos/machines/cherry/tinc_retiolum.nix b/nixos/machines/cherry/tinc_retiolum.nix
new file mode 100644
index 0000000..53a0e42
--- /dev/null
+++ b/nixos/machines/cherry/tinc_retiolum.nix
@@ -0,0 +1,13 @@
+{ config, ... }:
+{
+ sops.secrets.tinc_retiolum_ed25519_key = { };
+ sops.secrets.tinc_retiolum_rsa_key = { };
+
+ networking.retiolum.port = 720;
+ networking.retiolum.nodename = "sol";
+
+ services.tinc.networks.retiolum = {
+ ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
+ rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path;
+ };
+}
diff --git a/nixos/machines/cherry/wireguard.nix b/nixos/machines/cherry/wireguard.nix
new file mode 100644
index 0000000..72d8399
--- /dev/null
+++ b/nixos/machines/cherry/wireguard.nix
@@ -0,0 +1,26 @@
+{ config, ... }:
+{
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+ sops.secrets.wireguard_private = { };
+
+ # Enable WireGuard
+ networking.wg-quick.interfaces = {
+ # Hub and Spoke Setup
+ # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
+ wg0 = {
+ address = [ "10.100.0.7/32" ];
+ listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+ privateKeyFile = config.sops.secrets.wireguard_private.path;
+ mtu = 1280;
+
+ peers = [
+ {
+ # robi
+ publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
+ allowedIPs = [ "10.100.0.1/24" ];
+ endpoint = "ingolf-wagner.de:51820";
+ }
+ ];
+ };
+ };
+}
diff --git a/nixos/machines/cream/configuration.nix b/nixos/machines/cream/configuration.nix
index 4871b57..cdba9d6 100644
--- a/nixos/machines/cream/configuration.nix
+++ b/nixos/machines/cream/configuration.nix
@@ -138,7 +138,6 @@ }; }; - # for congress and streaming hardware.opengl = { enable = true;
diff --git a/nixos/machines/robi/network-wireguard.nix b/nixos/machines/robi/network-wireguard.nix
index 4ee5cf4..ea4fac1 100644
--- a/nixos/machines/robi/network-wireguard.nix
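Review bot: `networking.retiolum.nodename = "sol";` names a node other than this machine (`networking.hostName = "cherry"` in its configuration.nix), so if this file were ever imported cherry would present another node's name — and, via the two sops secrets, presumably that node's keys — to the retiolum network. Right now it is dead code: configuration.nix lists it as `#./tinc_retiolum.nix` and flake.nix comments the retiolum module out. Either set `networking.retiolum.nodename = "cherry";`, give it its own secrets and import it, or add a comment saying why the file is parked.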
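Review bot: The hub peer's `allowedIPs = [ "10.100.0.1/24" ];` has host bits set; WireGuard masks it to 10.100.0.0/24, but as written it reads like a single host, so write `allowedIPs = [ "10.100.0.0/24" ];`. This is a roaming spoke with a fixed hub `endpoint`, so `listenPort = 51820` together with `networking.firewall.allowedUDPPorts = [ 51820 ]` opens an inbound UDP port on every network the laptop joins for no benefit (WireGuard stays silent to unauthenticated packets, so the exposure is small, but it is still a listener nobody dials). What a hub-and-spoke spoke behind NAT actually needs, and what is missing here, is `persistentKeepalive = 25;` on the robi peer, otherwise the hub loses its path to cherry as soon as the NAT mapping expires. Drop the two port lines and add the keepalive.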
+++ b/nixos/machines/robi/network-wireguard.nix
@@ -49,6 +49,11 @@
 publicKey = "R1Vk1DDG/LsVU0HHRDmOJshXOVnNzPVbuv5hP7ZSGEQ=";
 allowedIPs = [ "10.100.0.6/32" ];
 }
+ {
+ # cherry
+ publicKey = "ZNnlmPdxAGYtaUvOU2V47tcEhcB06LBCXkSxIvWZL2k=";
+ allowedIPs = [ "10.100.0.7/32" ];
+ }
 ];
 };
 };
diff --git a/scripts/nixos-anywhere-pet.sh b/scripts/nixos-anywhere-pet.sh
new file mode 100755
index 0000000..772b3b0
--- /dev/null
+++ b/scripts/nixos-anywhere-pet.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env nix-shell +#! nix-shell -i bash -p ssh-to-age ssh-to-age boxes +EXTRA_FILES=$( mktemp -d ) +LUKS_KEY=$( mktemp ) +SSH_HOST_KEY="$EXTRA_FILES/etc/ssh/ssh_host_ed25519_key" +cat < "$LUKS_KEY" +echo +echo +echo + + +cat <.yaml +EOF + +cat <.yaml + key_groups: + - age: + - *palo + - $AGE_KEY + +EOF + + + +echo +echo make sure you configure services.openssh.hostKeys | boxes -d shell + +cat < $LUKS_KEY + + +EOF
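Review bot: The script begins running commands (`EXTRA_FILES=$( mktemp -d )`, `LUKS_KEY=$( mktemp )`) with no `set -euo pipefail`, so a failed step lets it carry on with an empty LUKS key or a missing host key; add `set -euo pipefail` directly after the nix-shell shebang. Nothing visible removes the temporary LUKS key or the generated SSH host key when the script ends, so `trap 'rm -rf "$EXTRA_FILES" "$LUKS_KEY"' EXIT` should follow the two mktemp lines. `-p ssh-to-age ssh-to-age boxes` lists ssh-to-age twice. The heredoc bodies appear stripped in this rendering (`cat < "$LUKS_KEY"`, `cat <.yaml`, and only a fraction of the 76 added lines are shown), so the rest of the hunk could not be reviewed.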