From f771aa24bfca841ebda3930a2ca573e6186d7342 Mon Sep 17 00:00:00 2001 From: Ingolf Wagner Date: Fri, 23 Sep 2022 20:29:18 +0200 Subject: [PATCH] add mobi and it works --- flake.lock | 56 ++++++-------- flake.nix | 25 +++++-- images/lib/remote-access.nix | 13 ++-- .../assets/ssh/{card_rsa.pub => palo_rsa.pub} | 0 nixos/assets/tinc/mobi_host_file | 24 +++--- nixos/machines/mobi/configuration.nix | 62 +++++++++++++-- .../machines/mobi/hardware-configuration.nix | 75 ++++++++----------- nixos/machines/mobi/syncthing.nix | 42 +++++++++++ nixos/machines/pepe/borg.nix | 2 +- nixos/machines/pepe/syncthing.nix | 4 + nixos/machines/robi/borg.nix | 2 +- nixos/machines/robi/nginx.nix | 35 ++++----- nixos/machines/sterni/configuration.nix | 3 + nixos/machines/sterni/qemu.nix | 17 +++++ nixos/machines/sterni/syncthing.nix | 4 + nixos/modules/system/audio.nix | 2 +- nixos/system/all/borg-scripts.nix | 2 +- nixos/system/all/sshd-known-hosts-private.nix | 4 +- nixos/system/all/sshd.nix | 2 +- nixos/system/all/syncthing.nix | 17 ++++- nixos/system/desktop/home-manager.nix | 10 +-- nixos/system/desktop/home-manager/ssh.nix | 2 +- nixos/system/desktop/sshd.nix | 21 ++++-- 23 files changed, 278 insertions(+), 146 deletions(-) rename nixos/assets/ssh/{card_rsa.pub => palo_rsa.pub} (100%) create mode 100644 nixos/machines/mobi/syncthing.nix create mode 100644 nixos/machines/sterni/qemu.nix diff --git a/flake.lock b/flake.lock index f873b04..7358db3 100644 --- a/flake.lock +++ b/flake.lock @@ -3,7 +3,7 @@ "barcode-reader": { "inputs": { "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs" }, "locked": { "lastModified": 1636602745, @@ -38,16 +38,18 @@ "inputs": { "flake-compat": "flake-compat", "nix-eval-jobs": "nix-eval-jobs", - "nixpkgs": "nixpkgs", + "nixpkgs": [ + "nixpkgs" + ], "stable": "stable", "utils": "utils" }, "locked": { - "lastModified": 1661669123, - "narHash": "sha256-nXslD8Sbs6G9/MN7HOr+YrBCCmUdS/MpEuxJGlWeSgM=", + "lastModified": 1663742427, + "narHash": "sha256-1gcXLVbZRVbRfNo6bHemNxdnEBgs6W0QPw675/uso3w=", "owner": "zhaofengli", "repo": "colmena", - "rev": "e7356e2c5cbc19be6e04d284c943b24bbde81a9b", + "rev": "a8e6b999cfec9fadc2ca81994da44182e73be7eb", "type": "github" }, "original": { @@ -546,16 +548,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1660485612, - "narHash": "sha256-sSLW1KaB1adKTJn9+Ja3h3AaS7QCZyhUKiSUStcLg80=", - "owner": "NixOS", + "lastModified": 1636416043, + "narHash": "sha256-Esz9X97OeAsNoJUVuqlCu2LDWcyLE24huUonhOY3JGw=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "6512b21eabb4d52e87ea2edcf31a288e67b2e4f8", + "rev": "db6044d5debaff0749420c3553d1b89fc6c5c5f8", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixos-unstable", + "owner": "nixos", "repo": "nixpkgs", "type": "github" } @@ -615,21 +616,6 @@ } }, "nixpkgs_2": { - "locked": { - "lastModified": 1636416043, - "narHash": "sha256-Esz9X97OeAsNoJUVuqlCu2LDWcyLE24huUonhOY3JGw=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "db6044d5debaff0749420c3553d1b89fc6c5c5f8", - "type": "github" - }, - "original": { - "owner": "nixos", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { "locked": { "lastModified": 1661700591, "narHash": "sha256-NZa+z+TJC+Hk+87+LKkjFFmBn4GyMVEPcWFXFU+aTkU=", @@ -645,7 +631,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_3": { "locked": { "lastModified": 1632855891, "narHash": "sha256-crW76mt9/kbUBiKy/KiSnsQ9JEYgD3StDuYAMVkTbM0=", @@ -659,7 +645,7 @@ "type": "indirect" } }, - "nixpkgs_5": { + "nixpkgs_4": { "locked": { "lastModified": 1661353537, "narHash": "sha256-1E2IGPajOsrkR49mM5h55OtYnU0dGyre6gl60NXKITE=", @@ -774,7 +760,7 @@ "polygon-art": { "inputs": { "flake-utils": "flake-utils_6", - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1632864714, @@ -833,7 +819,7 @@ "home-manager": "home-manager", "home-manager-utils": "home-manager-utils", "krops": "krops", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_2", "nixpkgs-fmt": "nixpkgs-fmt", "nixpkgs-unstable": "nixpkgs-unstable", "polygon-art": "polygon-art", @@ -878,11 +864,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1663688404, - "narHash": "sha256-eGKtvyakb/6jncb5oQXa0c6usLvQ8DMDjr5LtBbpdzY=", + "lastModified": 1663876023, + "narHash": "sha256-esUjNxIvrKZXukSbZbre4l5nS++Iqhc19LGHcizHEk4=", "ref": "main", - "rev": "43bc5b41992e585f8b02a18c66b478fd165ed817", - "revCount": 36, + "rev": "6b43a1b2f4ba34f684614d15f54e68d88eea2612", + "revCount": 38, "type": "git", "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git" }, @@ -910,7 +896,7 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_4", "nixpkgs-22_05": "nixpkgs-22_05" }, "locked": { diff --git a/flake.nix b/flake.nix index 87a1d18..73014db 100644 --- a/flake.nix +++ b/flake.nix @@ -14,7 +14,10 @@ }; # colmena # ------- - colmena.url = "github:zhaofengli/colmena"; + colmena = { + url = "github:zhaofengli/colmena"; + inputs.nixpkgs.follows = "nixpkgs"; + }; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; polygon-art = { url = "git+https://git.ingolf-wagner.de/palo/polygon-art.git"; @@ -157,7 +160,7 @@ sterni = { name, nodes, pkgs, ... }: { deployment.allowLocalDeployment = true; deployment.targetHost = "${name}.private"; - deployment.tags = [ "desktop" "online" ]; + deployment.tags = [ "desktop" "online" "private" ]; imports = [ grocy-scanner.nixosModule ]; @@ -186,7 +189,7 @@ pepe = { name, nodes, pkgs, ... }: { deployment.targetHost = "${name}.private"; - deployment.tags = [ "server" "online" ]; + deployment.tags = [ "server" "online" "private" ]; imports = [ grocy-scanner.nixosModule ]; @@ -194,10 +197,22 @@ robi = { name, nodes, pkgs, ... }: { deployment.targetHost = "${name}"; - deployment.tags = [ "server" "online" ]; + deployment.tags = [ "server" "online" "private" ]; imports = [ ]; }; - + mobi = { name, nodes, pkgs, ... }: { + deployment.targetHost = "${name}.private"; + deployment.tags = [ "desktop" "usb" "private" ]; + imports = [ + grocy-scanner.nixosModule + ]; + home-manager.users.mainUser = { + imports = [ + doom-emacs-nix.hmModule + home-manager-utils.hmModule + ]; + }; + }; }; }; } diff --git a/images/lib/remote-access.nix b/images/lib/remote-access.nix index 5542440..dcd7ff1 100644 --- a/images/lib/remote-access.nix +++ b/images/lib/remote-access.nix @@ -97,16 +97,19 @@ config = let torDirectory = "/var/lib/tor"; - hiddenServiceDir = torDirectory + "/liveos"; + hiddenServiceDir = torDirectory + "/onion/hidden-ssh"; in { services.tor = { enable = true; client.enable = true; - extraConfig = '' - HiddenServiceDir ${hiddenServiceDir} - HiddenServicePort 22 127.0.0.1:22 - ''; + relay.onionServices.hidden-ssh = { + version = 3; + map = [{ + port = 22; + target.port = 22; + }]; + }; }; systemd.services.hidden-ssh-announce = { description = "irc announce hidden ssh"; diff --git a/nixos/assets/ssh/card_rsa.pub b/nixos/assets/ssh/palo_rsa.pub similarity index 100% rename from nixos/assets/ssh/card_rsa.pub rename to nixos/assets/ssh/palo_rsa.pub diff --git a/nixos/assets/tinc/mobi_host_file b/nixos/assets/tinc/mobi_host_file index ac1792b..32ace85 100644 --- a/nixos/assets/tinc/mobi_host_file +++ b/nixos/assets/tinc/mobi_host_file @@ -1,14 +1,14 @@ -Ed25519PublicKey = 94CccmfAuNtQzopd5NiVYjTjZvSgabMh66BI/iyVmnJ +Ed25519PublicKey = X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB -----BEGIN RSA PUBLIC KEY----- -MIICCgKCAgEA8m9cBRv+9K8ywH19CZKDidwmzEa+2j3rkFjek+uPLVCHX5FlVQv+ -flX5fY06DuaPzWKf4MoXHxmVa9T/WOcKZJUmhSJC2AVorhuPihOx0FNrQr69bamy -x03fiH0pHmDXumNdGMUcNf+06Zu2Nr9yze8rE1B97zb0RPBf+XC1uHw4E4PrWC/F -swibj9U45bp07wFvJrkAsngw4c6+TFERW6TK5DPKDQs7KfgdsqFGLvg2cY5phwC1 -08HBC7eTf2xG6paaS7gEbhDMQ/K47Lbhbv2srnYfaBw5iyc8f29ZwEuNfE4V15B3 -foz/kGAhceTuBKNCVvKvqSIL2yEsibFVyl7zlgGp3EKWuR5ETQAspJViGILwiyq6 -iRYQ1AxxyroqS146CUAB8/68w0PwroKt8lXMEtx58S7/OAW0KnXGxwqSfocH+iE4 -qry9pPuSs7RR6lXBB0nvSfTbaZDMUXtiyV24+pyZgl5Q31kDgUWgFpzGRBc/CTO2 -h8OmUcvEyLxh3bruu0SQGXa35G1Igsumuh/uLifgHB/odLYY00PhEdpp52BswgXe -yz88nfXMOyvm7ROEyA7r2qruM1kEHDSQ8IRuxhd8YebyI7k6mYVE8CR5T89QfVl3 -mrNk+f6Q/cpFiNBxr7+UBCiHix3/GDAD4NEgvu5nfqinTA34FuscTS8CAwEAAQ== +MIICCgKCAgEAxubIDrvtrZ6fKPkuwQ+sK6YlToTfVtg3HCTOR7iDf47arkuG3dTb +BgnkbB/8+KzztaYLQoLnGFugxKKtMGBvMGCo6YLtxrjuaz3aDmhpmGCJh80r80/i +8WWg1CAkboKHmaiFpS/LBxAWQUGP+YJSoTLuDwtd794wX9MxLh4x5uGRp4rCj9+4 +DdGemLZkZz6Je+cBkf8qrw1Dr8CPiJk47a7bZhyKVnQ3PyvrGOjFolfcI22xp8j3 +7y55DIMWhVsm6EWFK4/pzAqi9JdRd7xy8c9WRIcAHJDlSdf+ERbIjUDJC8fgMlNl +UII0SqLnBscIbqz2dMuoldeqg9S1fOiTekReLJqpLmAIn+iwpT8KW5QaESu2eh6M +Ok0sJ8A+aphuZ+FDd2FUmWQiENnPzFGYQ/SuNAA7hR5plSCbjpodulNQFY93I8y3 +vRru6rm/ac+7SehWPBgHGl12UJluvHn32Q85bJ2vdtn9ONgcOdjSLA58nzfc1hv/ +OA5MzIJTvDJqwjZew8A/pyz6kxrGBqnXCzzt46tvj0yZ/VhIgL3qDTR/wzRV3N14 +3Z7TToIQKBPSYNxxCEHXxVQb8oWdGzeE7X52iFeYKhxj+ikZxkoXhCgIRYrDBQ0k +lnpJU+fbeFddZ4bAdqPxVT+perK33Wzgp9s4+KLh8ldpcRm8S29sNIcCAwEAAQ== -----END RSA PUBLIC KEY----- diff --git a/nixos/machines/mobi/configuration.nix b/nixos/machines/mobi/configuration.nix index 2e5a1df..e4e5e1d 100644 --- a/nixos/machines/mobi/configuration.nix +++ b/nixos/machines/mobi/configuration.nix @@ -2,19 +2,26 @@ imports = [ - + ../../system/desktop ./hardware-configuration.nix ./tinc.nix + ./syncthing.nix ]; - system.custom.wifi.interfaces = [ ]; - - networking.hostName = "mobi"; - security.wrappers = { - pmount.source = "${pkgs.pmount}/bin/pmount"; - pumount.source = "${pkgs.pmount}/bin/pumount"; + pmount = { + source = "${pkgs.pmount}/bin/pmount"; + setuid = true; + owner = "root"; + group = "root"; + }; + pumount = { + source = "${pkgs.pmount}/bin/pumount"; + setuid = true; + owner = "root"; + group = "root"; + }; }; # fonts @@ -28,5 +35,46 @@ height = 768; }; + # grub configuraton + # ----------------- + boot.loader.grub.enable = true; + boot.loader.grub.efiSupport = true; + boot.loader.grub.device = "/dev/sda"; + boot.loader.grub.efiInstallAsRemovable = true; + boot.tmpOnTmpfs = true; + + networking.networkmanager.enable = true; + networking.hostName = "mobi"; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + environment.systemPackages = with pkgs; [ + vim + wget + htop + silver-searcher + ]; + + environment.extraInit = '' + # use vi shortcuts + # ---------------- + set -o vi + EDITOR=vim + ''; + + services.openssh.enable = true; + desktop.ssh.onlyTinc = false; + + users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw== contact@ingolf-wagner.de" ]; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.05"; # Did you read the comment? + } diff --git a/nixos/machines/mobi/hardware-configuration.nix b/nixos/machines/mobi/hardware-configuration.nix index fb0e6d5..6707e93 100644 --- a/nixos/machines/mobi/hardware-configuration.nix +++ b/nixos/machines/mobi/hardware-configuration.nix @@ -1,58 +1,47 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, modulesPath, ... }: { - imports = [ ]; + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = - [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ]; boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - # efi boot loader configuration using grub - boot.loader.efi.canTouchEfiVariables = false; - boot.loader.grub = { - device = "nodev"; - efiInstallAsRemovable = true; - efiSupport = true; - enable = true; - version = 2; - }; - - fileSystems."/share/" = { - device = "/dev/ram1"; - fsType = "tmpfs"; - }; - - # NTFS support - # ------------ - environment.systemPackages = [ pkgs.ntfs3g ]; - - # lvm volume group - # ---------------- - boot.initrd.luks.devices = { - mobi = { - device = "/dev/disk/by-uuid/e138095f-c703-4dea-bb1c-bf888b8e1b81"; - preLVM = true; + fileSystems."/" = + { + device = "/dev/disk/by-uuid/978cfc56-b47d-4d94-adae-18a4209519a5"; + fsType = "ext4"; }; - }; - # root - # ---- - fileSystems."/" = { - options = [ "noatime" "nodiratime" "discard" ]; - device = "/dev/mobi/root"; - fsType = "ext4"; - }; + boot.initrd.luks.devices."root-enc".device = "/dev/disk/by-uuid/cf30f4a6-578e-418a-9d18-d32fbf992b0c"; - # boot - # ---- - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/064D-3144"; - fsType = "vfat"; - }; + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/AEE5-221F"; + fsType = "vfat"; + }; + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true; + # networking.interfaces.tinc.private.useDHCP = lib.mkDefault true; + # networking.interfaces.tinc.retiolum.useDHCP = lib.mkDefault true; + # networking.interfaces.tinc.secret.useDHCP = lib.mkDefault true; + # networking.interfaces.virbr0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; + + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/nixos/machines/mobi/syncthing.nix b/nixos/machines/mobi/syncthing.nix new file mode 100644 index 0000000..b65be7e --- /dev/null +++ b/nixos/machines/mobi/syncthing.nix @@ -0,0 +1,42 @@ +{ config, pkgs, lib, ... }: { + + #sops.secrets.syncthing_cert = { }; + #sops.secrets.syncthing_key = { }; + + services.syncthing = { + enable = true; + openDefaultPorts = false; + user = "palo"; + dataDir = "/home/palo/.syncthing"; + configDir = "/home/palo/.syncthing"; + #cert = toString config.sops.secrets.syncthing_cert.path; + #key = toString config.sops.secrets.syncthing_key.path; + overrideFolders = true; + folders = { + + # on encrypted drive + # ------------------ + private = { + enable = true; + path = "/home/palo/private"; + }; + desktop = { + enable = true; + path = "/home/palo/desktop"; + }; + finance = { + enable = true; + path = "/home/palo/finance"; + }; + password-store = { + enable = true; + path = "/home/palo/.password-store"; + }; + }; + }; + + system.permown."/home/palo/music-library" = { + owner = "palo"; + group = "users"; + }; +} diff --git a/nixos/machines/pepe/borg.nix b/nixos/machines/pepe/borg.nix index 692cd1f..f30de89 100644 --- a/nixos/machines/pepe/borg.nix +++ b/nixos/machines/pepe/borg.nix @@ -8,7 +8,7 @@ authorizedKeys = [ # todo rename (lib.fileContents ../../assets/ssh/borg_access.pub) - (lib.fileContents ../../assets/ssh/card_rsa.pub) + (lib.fileContents ../../assets/ssh/palo_rsa.pub) ]; }; }; diff --git a/nixos/machines/pepe/syncthing.nix b/nixos/machines/pepe/syncthing.nix index 9cb901d..24395a5 100644 --- a/nixos/machines/pepe/syncthing.nix +++ b/nixos/machines/pepe/syncthing.nix @@ -43,6 +43,10 @@ enable = true; path = "/home/syncthing/private"; }; + password-store = { + enable = true; + path = "/home/syncthing/password-store"; + }; desktop = { enable = true; path = "/home/syncthing/desktop"; diff --git a/nixos/machines/robi/borg.nix b/nixos/machines/robi/borg.nix index 09106e4..d43d403 100644 --- a/nixos/machines/robi/borg.nix +++ b/nixos/machines/robi/borg.nix @@ -6,7 +6,7 @@ allowSubRepos = true; authorizedKeys = [ (lib.fileContents ../../assets/ssh/borg_access.pub) - (lib.fileContents ../../assets/ssh/card_rsa.pub) + (lib.fileContents ../../assets/ssh/palo_rsa.pub) ]; }; }; diff --git a/nixos/machines/robi/nginx.nix b/nixos/machines/robi/nginx.nix index 67c7bcb..347f7b1 100644 --- a/nixos/machines/robi/nginx.nix +++ b/nixos/machines/robi/nginx.nix @@ -53,27 +53,28 @@ in alias = pkgs.writeText "key" (lib.fileContents ../../assets/pgp.key); }; "= /palo_rsa.pub" = { - alias = pkgs.writeText "key" (lib.fileContents ../../assets/ssh/card_rsa.pub); + alias = pkgs.writeText "key" (lib.fileContents ../../assets/ssh/palo_rsa.pub); }; } // error.locations; }; - "stable-diffusion.ingolf-wagner.de" = { - forceSSL = true; - enableACME = true; - extraConfig = error.extraConfig; - root = "/srv/www/stable-diffusion"; - locations = { - "/model-v1-4.ckpt" = { - basicAuthFile = "${private_assets}/stable-diffusion-htpasswd"; - tryFiles = "/stable-diffusion-v-1-4-original/sd-v1-4.ckpt =404"; - }; - #"/model-v1-3.ckpt" = { - # basicAuthFile = "${private_assets}/stable-diffusion-htpasswd"; - # tryFiles = "stable-diffusion-v-1-3-original/sd-v1-3.ckpt"; - #}; - } // error.locations; - }; + # "stable-diffusion.ingolf-wagner.de" = { + # forceSSL = true; + # enableACME = true; + # extraConfig = error.extraConfig; + # root = "/srv/www/stable-diffusion"; + # locations = { + # "/model-v1-4.ckpt" = { + # basicAuthFile = "${private_assets}/stable-diffusion-htpasswd"; + # tryFiles = "/stable-diffusion-v-1-4-original/sd-v1-4.ckpt =404"; + # }; + # #"/model-v1-3.ckpt" = { + # # basicAuthFile = "${private_assets}/stable-diffusion-htpasswd"; + # # tryFiles = "stable-diffusion-v-1-3-original/sd-v1-3.ckpt"; + # #}; + # } // error.locations; + # }; + "travel.ingolf-wagner.de" = { forceSSL = true; enableACME = true; diff --git a/nixos/machines/sterni/configuration.nix b/nixos/machines/sterni/configuration.nix index a895b1d..d47df18 100644 --- a/nixos/machines/sterni/configuration.nix +++ b/nixos/machines/sterni/configuration.nix @@ -12,11 +12,14 @@ #./wifi-access-point.nix #./wireshark.nix ./scanner.nix + ./qemu.nix ]; + services.nginx.enable = true; + #sops.defaultSopsFile = ../../secrets/sterni.yaml; networking.hostName = "sterni"; diff --git a/nixos/machines/sterni/qemu.nix b/nixos/machines/sterni/qemu.nix new file mode 100644 index 0000000..f14ad8d --- /dev/null +++ b/nixos/machines/sterni/qemu.nix @@ -0,0 +1,17 @@ +{ config, lib, pkgs, ... }: + +{ + + virtualisation.libvirtd.enable = true; + #virtualisation.libvirtd.allowedBridges = ["virbr0"]; + virtualisation.libvirtd.onShutdown = "shutdown"; + + environment.systemPackages = [ + pkgs.qemu_kvm + pkgs.virt-manager + ]; + + users.users.mainUser.extraGroups = [ "libvirtd" ]; + + +} diff --git a/nixos/machines/sterni/syncthing.nix b/nixos/machines/sterni/syncthing.nix index cb0b2bd..32ab35d 100644 --- a/nixos/machines/sterni/syncthing.nix +++ b/nixos/machines/sterni/syncthing.nix @@ -16,6 +16,10 @@ # on encrypted drive # ------------------ + password-store = { + enable = true; + path = "/home/palo/.password-store"; + }; private = { enable = true; path = "/home/palo/private"; diff --git a/nixos/modules/system/audio.nix b/nixos/modules/system/audio.nix index 288e1f5..181be32 100644 --- a/nixos/modules/system/audio.nix +++ b/nixos/modules/system/audio.nix @@ -104,7 +104,7 @@ in enable = true; package = pkgs.pulseaudioFull; # all in audio group can do audio - systemWide = true; + systemWide = false; extraConfig = '' # automatically switch to newly-connected devices load-module module-switch-on-connect diff --git a/nixos/system/all/borg-scripts.nix b/nixos/system/all/borg-scripts.nix index 613cc30..3bf884a 100644 --- a/nixos/system/all/borg-scripts.nix +++ b/nixos/system/all/borg-scripts.nix @@ -7,7 +7,7 @@ "borg-${command}-on-${host}-for-${repository}" '' ${pkgs.borgbackup}/bin/borg \ ${command} \ - --rsh='ssh -i ~/.ssh/card_rsa.pub' borg@${host}.private:${repository}/. \ + --rsh='ssh -i ~/.ssh/palo_rsa.pub' borg@${host}.private:${repository}/. \ "$@" ''; hosts = [ "pepe" "robi" ]; diff --git a/nixos/system/all/sshd-known-hosts-private.nix b/nixos/system/all/sshd-known-hosts-private.nix index 65ba273..e56af94 100644 --- a/nixos/system/all/sshd-known-hosts-private.nix +++ b/nixos/system/all/sshd-known-hosts-private.nix @@ -36,7 +36,7 @@ config.module.cluster.services.tinc.private.hosts.sterni.tincIp config.module.cluster.services.tinc.secret.hosts.sterni.tincIp ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyHmHJy2Va45p9mn+Hj3DyaY5yxnQIKvXeACHjzgSKt"; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht"; }; "pepe.private" = { hostNames = [ @@ -51,7 +51,7 @@ "mobi.private" config.module.cluster.services.tinc.private.hosts.mobi.tincIp ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhBtcipW9rV6hHS2hv5tl5hd8vW8dnuFfFwnAs2u0kS"; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk"; }; }; } diff --git a/nixos/system/all/sshd.nix b/nixos/system/all/sshd.nix index fc5b615..463235e 100644 --- a/nixos/system/all/sshd.nix +++ b/nixos/system/all/sshd.nix @@ -11,7 +11,7 @@ with lib; tools.enable = true; sshd = { enable = true; - rootKeyFiles = [ (toString ../../assets/ssh/card_rsa.pub) ]; + rootKeyFiles = [ (toString ../../assets/ssh/palo_rsa.pub) ]; }; }; diff --git a/nixos/system/all/syncthing.nix b/nixos/system/all/syncthing.nix index ae58d86..bd11080 100644 --- a/nixos/system/all/syncthing.nix +++ b/nixos/system/all/syncthing.nix @@ -25,11 +25,11 @@ with lib; { // (device "workhorse" "AFSAKB6-JLH4QAS-DSRMPI3-6PVCIHF-IIAVLPC-STPNO3Y-YRDU5NW-QD445QI") // (device "pepe" "SZLXFW3-VTAC7UB-V2Z7CHE-3VZAYPL-6D72AK6-OCDMPZP-G4FPY5P-FL6ZVAG") // (device "sterni" "ZFNNKPD-ZSOAYJQ-VROXXDB-5MD3UTJ-GDCNTSQ-G5POVV3-UZG5HFT-CCAU3AD") + // (device "mobi" "NGI7UN6-MR2YPYI-L7DGN3I-JFZU2N3-RJBJV6K-2VZVQSJ-PWLZYOK-PXZYRAF") // { bumba = { name = "windows-bumba"; id = "JS7PWTO-VKFGBUP-GNFLSWP-MGFJ2KH-HLO2LKW-V3RPCR6-PCB5SQC-42FCKQZ"; - #addresses = [ "dynamic" ]; }; } // { @@ -47,7 +47,16 @@ with lib; { private = { enable = lib.mkDefault false; watch = lib.mkDefault false; - devices = [ "pepe" "sterni" ]; + devices = [ "pepe" "sterni" "mobi" ]; + versioning = { + type = "simple"; + params.keep = "10"; + }; + }; + password-store = { + enable = lib.mkDefault false; + watch = lib.mkDefault false; + devices = [ "pepe" "sterni" "mobi" ]; versioning = { type = "simple"; params.keep = "10"; @@ -56,12 +65,12 @@ with lib; { desktop = { enable = lib.mkDefault false; watch = lib.mkDefault false; - devices = [ "pepe" "sterni" ]; + devices = [ "pepe" "sterni" "mobi" ]; }; finance = { enable = lib.mkDefault false; watch = lib.mkDefault false; - devices = [ "pepe" "sterni" ]; + devices = [ "pepe" "sterni" "mobi" ]; versioning = { type = "simple"; params.keep = "10"; diff --git a/nixos/system/desktop/home-manager.nix b/nixos/system/desktop/home-manager.nix index d5b5353..6563108 100644 --- a/nixos/system/desktop/home-manager.nix +++ b/nixos/system/desktop/home-manager.nix @@ -84,13 +84,13 @@ in }; home.git-pull = { - enable = mkDefault true; + enable = mkDefault false; repositories = [ # krebs - { - source = "git@github.com:krebs/stockholm.git"; - target = "~/dev/krebs/stockholm"; - } + #{ + # source = "git@github.com:krebs/stockholm.git"; + # target = "~/dev/krebs/stockholm"; + #} { source = "git@github.com:krebs/rc3-map.git"; target = "~/dev/krebs/rc3-map"; diff --git a/nixos/system/desktop/home-manager/ssh.nix b/nixos/system/desktop/home-manager/ssh.nix index 57f7fc8..ad2561a 100644 --- a/nixos/system/desktop/home-manager/ssh.nix +++ b/nixos/system/desktop/home-manager/ssh.nix @@ -5,7 +5,7 @@ with lib; { programs.ssh.enable = true; programs.ssh.matchBlocks = { "*" = { - identityFile = "~/.ssh/card_rsa.pub"; + identityFile = "~/.ssh/palo_rsa.pub"; identitiesOnly = true; }; "lassul.us" = { diff --git a/nixos/system/desktop/sshd.nix b/nixos/system/desktop/sshd.nix index fd6dddc..5762fbe 100644 --- a/nixos/system/desktop/sshd.nix +++ b/nixos/system/desktop/sshd.nix @@ -1,6 +1,17 @@ -{ config, ... }: { - # make sure ssh is only available trough the tinc - networking.firewall.extraCommands = '' - iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0 - ''; +{ config, lib, ... }: +with lib; +let cfg = config.desktop.ssh.onlyTinc; +in { + options.desktop.ssh.onlyTinc = mkOption { + type = with types; bool; + default = true; + description = '' + make sure ssh is only available trough the tinc + ''; + }; + config = mkIf cfg { + networking.firewall.extraCommands = '' + iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0 + ''; + }; }