This commit is contained in:
Ingolf Wagner 2023-12-17 13:06:57 +01:00
parent 789131b422
commit 88de00b897
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
16 changed files with 496 additions and 13 deletions


@ -1294,11 +1294,11 @@
"secrets": { "secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1692771442, "lastModified": 1702813900,
"narHash": "sha256-ZyPeoIoDGh4Sfgpcx0grNDVDXNDmR1YHgU1K3z4x2EE=", "narHash": "sha256-iW4thfqQUqm3A/nh9pwRUrIHsgavaS3A/pifynJmYkI=",
"ref": "main", "ref": "main",
"rev": "0a13af540fe8fea07ca020be953b14923a80d25c", "rev": "647d3f4ead533dc17be45504417acc4d1efe2d87",
"revCount": 55, "revCount": 56,
"type": "git", "type": "git",
"url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git" "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
}, },


@ -333,6 +333,19 @@
{ home-manager.users.mainUser.gui.enable = true; } { home-manager.users.mainUser.gui.enable = true; }
]; ];
}; };
cherry = nixosConfigurationSetup {
name = "cherry";
host = "root@192.168.178.23";
modules = [
nixos-hardware.nixosModules.framework-13th-gen-intel
#retiolum.nixosModules.retiolum
#private_assets.nixosModules.jobrad
homeManagerModules
# { home-manager.users.root = import ./nixos/homes/root; }
{ home-manager.users.mainUser = import ./nixos/homes/palo; }
{ home-manager.users.mainUser.gui.enable = true; }
];
};
chungus = nixosConfigurationSetup { chungus = nixosConfigurationSetup {
name = "chungus"; name = "chungus";
modules = [ modules = [
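Review bot: The new `cherry` entry deploys to `host = "root@192.168.178.23";`, a LAN address that will change with the DHCP lease, while the tinc hosts file in this same commit gives cherry the fixed overlay address 10.23.42.29; once the overlay is up the deploy target would be more stable as that address or a DNS name. If the LAN address is intentionally the pre-install target used by nixos-anywhere, a comment on that line saying so would prevent a later "fix". The enclosing attribute set begins before this hunk and continues after it.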


@ -14,6 +14,7 @@ let
pepe = "10.23.42.26"; pepe = "10.23.42.26";
cream = "10.23.42.27"; cream = "10.23.42.27";
chungus = "10.23.42.28"; chungus = "10.23.42.28";
cherry = "10.23.42.29";
robi = "10.23.42.111"; robi = "10.23.42.111";
}; };
subDomains = { subDomains = {
@ -30,12 +31,6 @@ let
"prowlarr.robi" = hosts.robi; "prowlarr.robi" = hosts.robi;
"jellyseerr.robi" = hosts.robi; "jellyseerr.robi" = hosts.robi;
"unmanic.robi" = hosts.robi; "unmanic.robi" = hosts.robi;
# pepe
"grafana.pepe" = hosts.pepe;
"loki.pepe" = hosts.pepe;
"prometheus.pepe" = hosts.pepe;
"tdarr.pepe" = hosts.pepe;
"tts.pepe" = hosts.pepe;
# chungus # chungus
"de.tts.chungus" = hosts.chungus; "de.tts.chungus" = hosts.chungus;
"en.tts.chungus" = hosts.chungus; "en.tts.chungus" = hosts.chungus;
@ -76,6 +71,10 @@ in
subnets = [{ address = hosts.cream; }]; subnets = [{ address = hosts.cream; }];
settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL"; settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
}; };
cherry = {
subnets = [{ address = hosts.cherry ; }];
settings.Ed25519PublicKey = "BsPIrZjbzn0aryC0HO3OXSb4oFCMmzNDmMDQmxUXUuC";
};
sterni = { sterni = {
subnets = [{ address = hosts.sterni; }]; subnets = [{ address = hosts.sterni; }];
settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O"; settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
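Review bot: `subnets = [{ address = hosts.cherry ; }];` in the new cherry entry carries a stray space before the semicolon that none of the neighbouring entries have; write `subnets = [{ address = hosts.cherry; }];` to match them. The `cherry = "10.23.42.29";` added to the hosts map is the address the rest of the overlay will expect for this node, so cherry's own tinc module must use the same value (raised at that file).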


@ -12,8 +12,6 @@ let
~/Nextcloud/${folder} \ ~/Nextcloud/${folder} \
"https://${user}:${password}@nextcloud.ingolf-wagner.de" "https://${user}:${password}@nextcloud.ingolf-wagner.de"
''; '';
in in
{ {
home.packages = [ home.packages = [


@ -0,0 +1,146 @@
{ config, pkgs, lib, ... }:
{
imports = [
../../components
../../system/desktop
../../system/server/netdata.nix
./disko-config.nix
./hardware-configuration.nix
./syncthing.nix
./cups.nix
./tinc.nix
#./tinc_retiolum.nix
./qemu.nix
./wireguard.nix
];
components.gui.enable = true;
components.mainUser.enable = true;
components.media.enable = true;
components.media.tts-client.enable = false;
components.network.enable = true;
components.network.wifi.enable = true;
components.terminal.enable = true;
home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
sops.secrets.yubikey_u2fAuthFile = { };
components.gui.taskwarrior.config = {
general = {
targets = [ "terranix" "my_github" ];
log_level = "INFO";
static_fields = [ "priority" ];
merge_annotations = false;
};
terranix = {
service = "github";
login = "mrVanDalo";
token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
username = "mrVanDalo";
default_priority = "";
description_template = "{{githubtitle}} {{githuburl}}";
add_tags = "github";
project_template = "terranix";
involved_issues = true;
query = "org:terranix is:open";
include_user_issues = false;
include_user_repos = false;
};
my_github = {
service = "github";
login = "mrVanDalo";
token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
username = "mrVanDalo";
description_template = "{{githubtitle}} {{githuburl}}";
add_tags = "github";
include_user_issues = true;
include_user_repos = true;
exclude_repos = [ "azubi" "csv-to-qif" "stepp0r" ];
};
# todo : add github issues
};
users.users.mainUser.extraGroups = [ "pipewire" ];
services.nginx.enable = true;
networking.hostName = "cherry";
# make sure battery is charged in a way to live for a long time
services.power-profiles-daemon.enable = false;
services.tlp = {
enable = true;
settings = {
CPU_BOOST_ON_BAT = 0;
CPU_SCALING_GOVERNOR_ON_BATTERY = "powersave";
START_CHARGE_THRESH_BAT0 = 30;
STOP_CHARGE_THRESH_BAT0 = 85;
RUNTIME_PM_ON_BAT = "auto";
};
};
security.wrappers = {
pmount = {
source = "${pkgs.pmount}/bin/pmount";
setuid = true;
owner = "root";
group = "root";
};
pumount = {
source = "${pkgs.pmount}/bin/pumount";
setuid = true;
owner = "root";
group = "root";
};
};
programs.custom.steam.enable = true;
services.printing.enable = true;
# fonts
# -----
programs.custom.urxvt.fontSize = 16;
programs.custom.urxvt.fontType = "vector";
programs.custom.xterm.fontSize = 16;
# todo : add xterm fontType
# programs.custom.xterm.fontType = "vector";
virtualisation = {
docker.enable = true;
podman.enable = true;
virtualbox = {
host.enable = false;
guest.x11 = false;
guest.enable = false;
};
};
#services.xserver.desktopManager.gnome.enable = true;
#services.xserver.displayManager.lightdm.enable = false;
#services.xserver.displayManager.sddm.enable = true;
custom.samba-share = {
enable = false;
folders = {
share = "/home/share";
video = "/home/video-material";
};
};
# for congress and streaming
hardware.opengl = {
enable = true;
};
system.stateVersion = "23.11";
}
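Review bot: The `security.wrappers.pmount` and `pumount` entries are two identical setuid-root wrappers that differ only in the binary name; `security.wrappers = lib.genAttrs [ "pmount" "pumount" ] (name: { source = "${pkgs.pmount}/bin/${name}"; setuid = true; owner = "root"; group = "root"; });` states the same thing once, and `lib` is already a parameter of this module. Because these are root-setuid binaries reachable by every local account, the wrapper's `permissions` option could restrict execution to the group that actually needs removable-media mounting, with a comment explaining why pmount is preferred over the desktop mount helpers already pulled in by the gui component. `sops.secrets.yubikey_u2fAuthFile = { };` has no visible consumer in this file (no `security.pam.u2f` setting); if it is wired up in an imported module a pointer comment would help, otherwise it is a dead secret declaration.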


@ -0,0 +1,16 @@
{
hardware.printers.ensurePrinters = [
{
description = "Lexmark E350d";
deviceUri = "usb://Lexmark/E350d?serial=622Z9ZC";
location = "office";
name = "Lexmark_E350d";
model = "drv:///sample.drv/generic.ppd";
ppdOptions = {
job-sheets = "none, none";
media = "na_letter_8.5x11in";
sides = "one-sided";
};
}
];
}


@ -0,0 +1,73 @@
# nix run github:nix-community/disko -- --mode zap_create_mount ./disko-config.nix
# nixos-generate-config --no-filesystems --root /mnt
{ config, lib, ... }:
{
# ZFS already has its own scheduler. Without this my(@Artturin) computer froze for a second when i nix build something.
# copied from : https://github.com/numtide/srvos/blob/main/nixos/common/zfs.nix
services.udev.extraRules = lib.optionalString (config.boot.zfs.enabled) ''
ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ENV{ID_FS_TYPE}=="zfs_member", ATTR{../queue/scheduler}="none"
'';
disko.devices = {
disk = {
root = {
type = "disk";
device = "/dev/nvme0n1";
content = {
type = "table";
format = "gpt";
partitions = [
{
name = "ESP";
start = "0";
end = "500MiB";
bootable = true;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
}
{
name = "zfs";
start = "500MiB";
end = "100%";
content = {
type = "luks";
name = "root";
content = {
type = "zfs";
pool = "zroot";
};
};
}
];
};
};
};
zpool = {
zroot = {
type = "zpool";
rootFsOptions = {
mountpoint = "none";
canmount = "off";
compression = "lz4";
};
datasets = {
"root" = {
type = "zfs_fs";
mountpoint = "/";
options = {
mountpoint = "legacy";
compression = "lz4";
};
};
};
};
};
};
}
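Review bot: The LUKS layer at `type = "luks"; name = "root";` declares no key source, so disko's cryptsetup step will prompt on the console; the companion script in this commit passes nixos-anywhere `--disk-encryption-keys <remote_path> $LUKS_KEY`, which only takes effect if this partition names the same remote path, e.g. `passwordFile = "<remote_path>";` next to `name = "root";`. Without it the uploaded key is never consumed and the unattended install blocks or falls back to an interactive prompt — unless the key reference is injected by something not shown here. The header comment could also state that `/boot` (the ESP) stays unencrypted, which is expected but worth making explicit for a laptop.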


@ -0,0 +1,30 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s13f0u2c2.useDHCP = lib.mkDefault true;
# networking.interfaces.tinc.private.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp170s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# high-resolution display
hardware.video.hidpi.enable = lib.mkDefault true;
}


@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }:
{
virtualisation.libvirtd.enable = true;
#virtualisation.libvirtd.allowedBridges = ["virbr0"];
virtualisation.libvirtd.onShutdown = "shutdown";
environment.systemPackages = [
pkgs.qemu_kvm
(pkgs.quickemu.override { qemu = pkgs.qemu_kvm; })
pkgs.virt-manager
];
users.users.mainUser.extraGroups = [ "libvirtd" ];
}
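Review bot: `users.users.mainUser.extraGroups = [ "libvirtd" ];` adds the main user to the group NixOS grants read-write access to the system libvirt socket; a member can define VMs that attach arbitrary host block devices or paths, so the grant is effectively root-equivalent and deserves a comment such as `# libvirtd group grants full control of the system libvirt instance (root-equivalent)` so it is not copied to less-trusted accounts. If only user-session VMs are needed, quickemu and virt-manager can use `qemu:///session` without the group. `config` and `lib` are accepted but unused in this module's argument pattern.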


@ -0,0 +1,58 @@
{ config, pkgs, lib, ... }: {
#sops.secrets.syncthing_cert = { };
#sops.secrets.syncthing_key = { };
services.syncthing = {
enable = true;
openDefaultPorts = false;
user = "palo";
dataDir = "/home/palo/.syncthing";
configDir = "/home/palo/.syncthing";
#cert = toString config.sops.secrets.syncthing_cert.path;
#key = toString config.sops.secrets.syncthing_key.path;
overrideFolders = true;
settings.folders = {
# on encrypted drive
# ------------------
password-store = {
enable = true;
path = "/home/palo/.password-store";
};
#private = {
# enable = true;
# path = "/home/palo/private";
#};
art = {
enable = true;
path = "/home/palo/art";
};
desktop = {
enable = true;
path = "/home/palo/desktop";
};
finance = {
enable = true;
path = "/home/palo/finance";
};
# no need to be encrypted
# -----------------------
books = {
enable = true;
path = "/home/palo/books";
};
};
};
services.permown."/home/palo/music-library" = {
owner = "palo";
group = "users";
};
services.permown."/home/palo/finance" = {
owner = "palo";
group = "syncthing";
};
}
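Review bot: `overrideFolders = true;` combined with folders that list no `devices` means every Syncthing restart rewrites the folder set to exactly what is declared here, so any peer attached to these folders through the GUI is dropped again; unless `settings.devices` and per-folder `devices = [ ... ];` come from another imported file, none of these shares ever leaves this machine. Either declare the peers in this file or drop `overrideFolders`. The two `services.permown` entries give `/home/palo/finance` group `syncthing` but `/home/palo/music-library` group `users` while the service itself runs as `user = "palo"`, which reads as accidental and needs a why-comment if it is not. The commented-out `cert`/`key` lines mean the device identity is regenerated on every reinstall, so peers will have to re-trust a new device ID.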


@ -0,0 +1,15 @@
{ config, ... }:
{
tinc.private.enable = true;
tinc.private.ipv4 = "10.23.42.27";
tinc.secret.enable = true;
tinc.secret.ipv4 = "10.123.42.27";
# retiolum
#networking.retiolum.port = 720;
#sops.secrets.tinc_retiolum_ed25519_key = { };
#services.tinc.networks.retiolum.ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
}
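Review bot: `tinc.private.ipv4 = "10.23.42.27";` is the address the tinc hosts file in this same commit assigns to `cream`, whereas that file gives cherry `10.23.42.29`; two nodes claiming one overlay address will break routing for both, so this should read `tinc.private.ipv4 = "10.23.42.29";`. `tinc.secret.ipv4 = "10.123.42.27";` follows the same copied pattern and most likely needs the matching correction against the secret network's host map, which is not visible here. `config` is unused in this module.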


@ -0,0 +1,13 @@
{ config, ... }:
{
sops.secrets.tinc_retiolum_ed25519_key = { };
sops.secrets.tinc_retiolum_rsa_key = { };
networking.retiolum.port = 720;
networking.retiolum.nodename = "sol";
services.tinc.networks.retiolum = {
ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path;
};
}
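Review bot: `networking.retiolum.nodename = "sol";` names a different machine than the `cherry` host this module belongs to; a node announcing itself under another node's name would collide with that node's entry once enabled. The file is only referenced as the commented-out `#./tinc_retiolum.nix` in cherry's configuration, so nothing breaks yet, but either set `networking.retiolum.nodename = "cherry";` now or add a comment that this is an unfinished copy from another host. The two sops secrets it references would also have to exist in cherry's secrets file before the import is uncommented.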


@ -0,0 +1,26 @@
{ config, ... }:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
sops.secrets.wireguard_private = { };
# Enable WireGuard
networking.wg-quick.interfaces = {
# Hub and Spoke Setup
# https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
wg0 = {
address = [ "10.100.0.7/32" ];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = config.sops.secrets.wireguard_private.path;
mtu = 1280;
peers = [
{
# robi
publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
allowedIPs = [ "10.100.0.1/24" ];
endpoint = "ingolf-wagner.de:51820";
}
];
};
};
}
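Review bot: `networking.firewall.allowedUDPPorts = [ 51820 ];` opens an inbound port on a roaming laptop that, in the hub-and-spoke layout the comment links to, only ever initiates traffic to `ingolf-wagner.de:51820`; a spoke behind NAT needs no inbound rule, so the line can go and `persistentKeepalive = 25;` on the robi peer keeps the NAT mapping alive instead. If the fixed `listenPort` is kept for debugging, the comment on it should say the firewall opening is deliberate rather than required. `allowedIPs = [ "10.100.0.1/24" ];` has host bits set — WireGuard normalises it to the whole 10.100.0.0/24, which is presumably the intent, so writing `"10.100.0.0/24"` makes that explicit.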


@ -138,7 +138,6 @@
}; };
}; };
# for congress and streaming # for congress and streaming
hardware.opengl = { hardware.opengl = {
enable = true; enable = true;


@ -49,6 +49,11 @@
publicKey = "R1Vk1DDG/LsVU0HHRDmOJshXOVnNzPVbuv5hP7ZSGEQ="; publicKey = "R1Vk1DDG/LsVU0HHRDmOJshXOVnNzPVbuv5hP7ZSGEQ=";
allowedIPs = [ "10.100.0.6/32" ]; allowedIPs = [ "10.100.0.6/32" ];
} }
{
# cherry
publicKey = "ZNnlmPdxAGYtaUvOU2V47tcEhcB06LBCXkSxIvWZL2k=";
allowedIPs = [ "10.100.0.7/32" ];
}
]; ];
}; };
}; };

76
scripts/nixos-anywhere-pet.sh Executable file

@ -0,0 +1,76 @@
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p ssh-to-age ssh-to-age boxes
EXTRA_FILES=$( mktemp -d )
LUKS_KEY=$( mktemp )
SSH_HOST_KEY="$EXTRA_FILES/etc/ssh/ssh_host_ed25519_key"
cat <<EOF | boxes -d ian_jones
- create ssh host keys
- create age key from ssh host key (for sops)
- create luks encryption key
EOF
# make sure you set
# services.openssh.hostKeys = [ { bits = 4096; path = /etc/ssh/ssh_host_ed25519_key; rounds = 100; type = "ed25519"; } ]
mkdir -p "$( dirname "$SSH_HOST_KEY")"
ssh-keygen -a 100 -q -N "" -t ed25519 -f "$SSH_HOST_KEY"
AGE_KEY=$( ssh-to-age < "$SSH_HOST_KEY.pub")
echo
echo
IFS= read -s -p 'LUKS Encryption Password please: ' password
echo -n "$password" > "$LUKS_KEY"
echo
echo
echo
cat <<EOF | boxes -d shell
put this in you .sops.yaml
and run sops updatekeys secrets/<machine>.yaml
EOF
cat <<EOF
keys:
- &palo 42AC51C9482D0834CF488AF1389EC2D64AC71EAC
creation_rules:
- path_regex: secrets/<machine>.yaml
key_groups:
- age:
- *palo
- $AGE_KEY
EOF
echo
echo make sure you configure services.openssh.hostKeys | boxes -d shell
cat <<EOF
services.openssh.hostKeys = [
{
bits = 4096;
path = /etc/ssh/ssh_host_ed25519_key;
rounds = 100;
type = "ed25519";
}
];
EOF
echo
echo add this to your nixos-anywhere options | boxes -d shell
cat <<EOF
nixos-anywhere \\
--extra-files $EXTRA_FILES \\
--disk-encryption-keys <remote_path> $LUKS_KEY
EOF
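Review bot: The script leaves the LUKS passphrase in `$LUKS_KEY` and the new host's private SSH key — from which the printed sops age identity is derived — in `$EXTRA_FILES`, both plain `mktemp` paths under /tmp, and never says when they should be removed; since nixos-anywhere still needs them after the script exits, the fix is not an exit trap but a closing reminder to shred them once the install has succeeded. `read -s` should be `read -rs` so a backslash in the passphrase is not consumed as an escape, the script runs without `set -euo pipefail` so a failed `ssh-keygen` still prints an empty age key into the .sops.yaml snippet, and the nix-shell line lists `ssh-to-age` twice. The hunk header announces 76 lines while this rendering shows fewer because blank lines were dropped, so the file may continue past the last `EOF` shown.

```shell
#! nix-shell -i bash -p ssh-to-age boxes
set -euo pipefail
# … unchanged: temp paths, banner, host-key and age-key generation …
IFS= read -rs -p 'LUKS Encryption Password please: ' password
# … unchanged: sops, openssh.hostKeys and nixos-anywhere snippets …
echo
echo "after the install succeeds, remove the key material left on this machine" | boxes -d shell
cat <<EOF
shred -u $LUKS_KEY
rm -rf $EXTRA_FILES
EOF
```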