add mobi and it works

Ingolf Wagner 2022-09-23 20:29:18 +02:00
parent 9964d154d4
commit f771aa24bf
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
23 changed files with 278 additions and 146 deletions


@ -3,7 +3,7 @@
"barcode-reader": { "barcode-reader": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_3", "flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1636602745, "lastModified": 1636602745,
@ -38,16 +38,18 @@
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"nix-eval-jobs": "nix-eval-jobs", "nix-eval-jobs": "nix-eval-jobs",
"nixpkgs": "nixpkgs", "nixpkgs": [
"nixpkgs"
],
"stable": "stable", "stable": "stable",
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1661669123, "lastModified": 1663742427,
"narHash": "sha256-nXslD8Sbs6G9/MN7HOr+YrBCCmUdS/MpEuxJGlWeSgM=", "narHash": "sha256-1gcXLVbZRVbRfNo6bHemNxdnEBgs6W0QPw675/uso3w=",
"owner": "zhaofengli", "owner": "zhaofengli",
"repo": "colmena", "repo": "colmena",
"rev": "e7356e2c5cbc19be6e04d284c943b24bbde81a9b", "rev": "a8e6b999cfec9fadc2ca81994da44182e73be7eb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -546,16 +548,15 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1660485612, "lastModified": 1636416043,
"narHash": "sha256-sSLW1KaB1adKTJn9+Ja3h3AaS7QCZyhUKiSUStcLg80=", "narHash": "sha256-Esz9X97OeAsNoJUVuqlCu2LDWcyLE24huUonhOY3JGw=",
"owner": "NixOS", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6512b21eabb4d52e87ea2edcf31a288e67b2e4f8", "rev": "db6044d5debaff0749420c3553d1b89fc6c5c5f8",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -615,21 +616,6 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1636416043,
"narHash": "sha256-Esz9X97OeAsNoJUVuqlCu2LDWcyLE24huUonhOY3JGw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "db6044d5debaff0749420c3553d1b89fc6c5c5f8",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1661700591, "lastModified": 1661700591,
"narHash": "sha256-NZa+z+TJC+Hk+87+LKkjFFmBn4GyMVEPcWFXFU+aTkU=", "narHash": "sha256-NZa+z+TJC+Hk+87+LKkjFFmBn4GyMVEPcWFXFU+aTkU=",
@ -645,7 +631,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_4": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1632855891, "lastModified": 1632855891,
"narHash": "sha256-crW76mt9/kbUBiKy/KiSnsQ9JEYgD3StDuYAMVkTbM0=", "narHash": "sha256-crW76mt9/kbUBiKy/KiSnsQ9JEYgD3StDuYAMVkTbM0=",
@ -659,7 +645,7 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs_5": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1661353537, "lastModified": 1661353537,
"narHash": "sha256-1E2IGPajOsrkR49mM5h55OtYnU0dGyre6gl60NXKITE=", "narHash": "sha256-1E2IGPajOsrkR49mM5h55OtYnU0dGyre6gl60NXKITE=",
@ -774,7 +760,7 @@
"polygon-art": { "polygon-art": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_6", "flake-utils": "flake-utils_6",
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1632864714, "lastModified": 1632864714,
@ -833,7 +819,7 @@
"home-manager": "home-manager", "home-manager": "home-manager",
"home-manager-utils": "home-manager-utils", "home-manager-utils": "home-manager-utils",
"krops": "krops", "krops": "krops",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_2",
"nixpkgs-fmt": "nixpkgs-fmt", "nixpkgs-fmt": "nixpkgs-fmt",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"polygon-art": "polygon-art", "polygon-art": "polygon-art",
@ -878,11 +864,11 @@
"secrets": { "secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1663688404, "lastModified": 1663876023,
"narHash": "sha256-eGKtvyakb/6jncb5oQXa0c6usLvQ8DMDjr5LtBbpdzY=", "narHash": "sha256-esUjNxIvrKZXukSbZbre4l5nS++Iqhc19LGHcizHEk4=",
"ref": "main", "ref": "main",
"rev": "43bc5b41992e585f8b02a18c66b478fd165ed817", "rev": "6b43a1b2f4ba34f684614d15f54e68d88eea2612",
"revCount": 36, "revCount": 38,
"type": "git", "type": "git",
"url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git" "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
}, },
@ -910,7 +896,7 @@
}, },
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_5", "nixpkgs": "nixpkgs_4",
"nixpkgs-22_05": "nixpkgs-22_05" "nixpkgs-22_05": "nixpkgs-22_05"
}, },
"locked": { "locked": {


@ -14,7 +14,10 @@
}; };
# colmena # colmena
# ------- # -------
colmena.url = "github:zhaofengli/colmena"; colmena = {
url = "github:zhaofengli/colmena";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
polygon-art = { polygon-art = {
url = "git+https://git.ingolf-wagner.de/palo/polygon-art.git"; url = "git+https://git.ingolf-wagner.de/palo/polygon-art.git";
@ -157,7 +160,7 @@
sterni = { name, nodes, pkgs, ... }: { sterni = { name, nodes, pkgs, ... }: {
deployment.allowLocalDeployment = true; deployment.allowLocalDeployment = true;
deployment.targetHost = "${name}.private"; deployment.targetHost = "${name}.private";
deployment.tags = [ "desktop" "online" ]; deployment.tags = [ "desktop" "online" "private" ];
imports = [ imports = [
grocy-scanner.nixosModule grocy-scanner.nixosModule
]; ];
@ -186,7 +189,7 @@
pepe = { name, nodes, pkgs, ... }: { pepe = { name, nodes, pkgs, ... }: {
deployment.targetHost = "${name}.private"; deployment.targetHost = "${name}.private";
deployment.tags = [ "server" "online" ]; deployment.tags = [ "server" "online" "private" ];
imports = [ imports = [
grocy-scanner.nixosModule grocy-scanner.nixosModule
]; ];
@ -194,10 +197,22 @@
robi = { name, nodes, pkgs, ... }: { robi = { name, nodes, pkgs, ... }: {
deployment.targetHost = "${name}"; deployment.targetHost = "${name}";
deployment.tags = [ "server" "online" ]; deployment.tags = [ "server" "online" "private" ];
imports = [ ]; imports = [ ];
}; };
mobi = { name, nodes, pkgs, ... }: {
deployment.targetHost = "${name}.private";
deployment.tags = [ "desktop" "usb" "private" ];
imports = [
grocy-scanner.nixosModule
];
home-manager.users.mainUser = {
imports = [
doom-emacs-nix.hmModule
home-manager-utils.hmModule
];
};
};
}; };
}; };
} }
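Review bot: `robi` gains the `"private"` tag but keeps `deployment.targetHost = "${name}";`, while every other node carrying that tag (`sterni`, `pepe` and the new `mobi`) is addressed as `"${name}.private"`. If the tag is meant to select hosts that are deployed over the private network, robi would be matched by `@private` yet still be reached through its bare name. Either drop the tag there or add a one-line comment next to the tags stating what `"private"` stands for. The node set starts outside this hunk.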


@ -97,16 +97,19 @@
config = config =
let let
torDirectory = "/var/lib/tor"; torDirectory = "/var/lib/tor";
hiddenServiceDir = torDirectory + "/liveos"; hiddenServiceDir = torDirectory + "/onion/hidden-ssh";
in in
{ {
services.tor = { services.tor = {
enable = true; enable = true;
client.enable = true; client.enable = true;
extraConfig = '' relay.onionServices.hidden-ssh = {
HiddenServiceDir ${hiddenServiceDir} version = 3;
HiddenServicePort 22 127.0.0.1:22 map = [{
''; port = 22;
target.port = 22;
}];
};
}; };
systemd.services.hidden-ssh-announce = { systemd.services.hidden-ssh-announce = {
description = "irc announce hidden ssh"; description = "irc announce hidden ssh";
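Review bot: `hiddenServiceDir` is now a hand-written copy of the directory that `relay.onionServices.hidden-ssh` is expected to create, so the path and the service name have to be kept in sync manually. If either changes, whatever reads that directory (presumably the `hidden-ssh-announce` unit, whose body lies outside this hunk) will find nothing. A comment such as `# must match the name under services.tor.relay.onionServices` above the binding would make the coupling visible. Because the service forwards port 22 and its address is announced, it is also worth stating here how sshd on this image authenticates, or restricting the onion service with the module's `authorizedClients` option.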


@ -1,14 +1,14 @@
Ed25519PublicKey = 94CccmfAuNtQzopd5NiVYjTjZvSgabMh66BI/iyVmnJ Ed25519PublicKey = X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEA8m9cBRv+9K8ywH19CZKDidwmzEa+2j3rkFjek+uPLVCHX5FlVQv+ MIICCgKCAgEAxubIDrvtrZ6fKPkuwQ+sK6YlToTfVtg3HCTOR7iDf47arkuG3dTb
flX5fY06DuaPzWKf4MoXHxmVa9T/WOcKZJUmhSJC2AVorhuPihOx0FNrQr69bamy BgnkbB/8+KzztaYLQoLnGFugxKKtMGBvMGCo6YLtxrjuaz3aDmhpmGCJh80r80/i
x03fiH0pHmDXumNdGMUcNf+06Zu2Nr9yze8rE1B97zb0RPBf+XC1uHw4E4PrWC/F 8WWg1CAkboKHmaiFpS/LBxAWQUGP+YJSoTLuDwtd794wX9MxLh4x5uGRp4rCj9+4
swibj9U45bp07wFvJrkAsngw4c6+TFERW6TK5DPKDQs7KfgdsqFGLvg2cY5phwC1 DdGemLZkZz6Je+cBkf8qrw1Dr8CPiJk47a7bZhyKVnQ3PyvrGOjFolfcI22xp8j3
08HBC7eTf2xG6paaS7gEbhDMQ/K47Lbhbv2srnYfaBw5iyc8f29ZwEuNfE4V15B3 7y55DIMWhVsm6EWFK4/pzAqi9JdRd7xy8c9WRIcAHJDlSdf+ERbIjUDJC8fgMlNl
foz/kGAhceTuBKNCVvKvqSIL2yEsibFVyl7zlgGp3EKWuR5ETQAspJViGILwiyq6 UII0SqLnBscIbqz2dMuoldeqg9S1fOiTekReLJqpLmAIn+iwpT8KW5QaESu2eh6M
iRYQ1AxxyroqS146CUAB8/68w0PwroKt8lXMEtx58S7/OAW0KnXGxwqSfocH+iE4 Ok0sJ8A+aphuZ+FDd2FUmWQiENnPzFGYQ/SuNAA7hR5plSCbjpodulNQFY93I8y3
qry9pPuSs7RR6lXBB0nvSfTbaZDMUXtiyV24+pyZgl5Q31kDgUWgFpzGRBc/CTO2 vRru6rm/ac+7SehWPBgHGl12UJluvHn32Q85bJ2vdtn9ONgcOdjSLA58nzfc1hv/
h8OmUcvEyLxh3bruu0SQGXa35G1Igsumuh/uLifgHB/odLYY00PhEdpp52BswgXe OA5MzIJTvDJqwjZew8A/pyz6kxrGBqnXCzzt46tvj0yZ/VhIgL3qDTR/wzRV3N14
yz88nfXMOyvm7ROEyA7r2qruM1kEHDSQ8IRuxhd8YebyI7k6mYVE8CR5T89QfVl3 3Z7TToIQKBPSYNxxCEHXxVQb8oWdGzeE7X52iFeYKhxj+ikZxkoXhCgIRYrDBQ0k
mrNk+f6Q/cpFiNBxr7+UBCiHix3/GDAD4NEgvu5nfqinTA34FuscTS8CAwEAAQ== lnpJU+fbeFddZ4bAdqPxVT+perK33Wzgp9s4+KLh8ldpcRm8S29sNIcCAwEAAQ==
-----END RSA PUBLIC KEY----- -----END RSA PUBLIC KEY-----


@ -2,19 +2,26 @@
imports = [ imports = [
<system/desktop> ../../system/desktop
./hardware-configuration.nix ./hardware-configuration.nix
./tinc.nix ./tinc.nix
./syncthing.nix
]; ];
system.custom.wifi.interfaces = [ ];
networking.hostName = "mobi";
security.wrappers = { security.wrappers = {
pmount.source = "${pkgs.pmount}/bin/pmount"; pmount = {
pumount.source = "${pkgs.pmount}/bin/pumount"; source = "${pkgs.pmount}/bin/pmount";
setuid = true;
owner = "root";
group = "root";
};
pumount = {
source = "${pkgs.pmount}/bin/pumount";
setuid = true;
owner = "root";
group = "root";
};
}; };
# fonts # fonts
@ -28,5 +35,46 @@
height = 768; height = 768;
}; };
# grub configuraton
# -----------------
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "/dev/sda";
boot.loader.grub.efiInstallAsRemovable = true;
boot.tmpOnTmpfs = true;
networking.networkmanager.enable = true;
networking.hostName = "mobi";
# Set your time zone.
time.timeZone = "Europe/Berlin";
environment.systemPackages = with pkgs; [
vim
wget
htop
silver-searcher
];
environment.extraInit = ''
# use vi shortcuts
# ----------------
set -o vi
EDITOR=vim
'';
services.openssh.enable = true;
desktop.ssh.onlyTinc = false;
users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa 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 contact@ingolf-wagner.de" ];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
} }
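Review bot: `desktop.ssh.onlyTinc = false;` together with `services.openssh.enable = true;` and a root entry in `users.users.root.openssh.authorizedKeys.keys` leaves sshd on this laptop reachable from every network it joins, not only through tinc. Nothing in this section shows password logins being disabled, so unless the desktop profile already does that, disable password authentication in `services.openssh` right next to the override. The reason for lifting the restriction should be recorded too, e.g. `# tinc-only redirect disabled on purpose: key-only login, needed before tinc is up`. Separately, `networking.hostName = "mobi";` appears to be set twice in this file and one copy can go.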


@ -1,58 +1,47 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ]; imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ];
[ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
# efi boot loader configuration using grub fileSystems."/" =
boot.loader.efi.canTouchEfiVariables = false; {
boot.loader.grub = { device = "/dev/disk/by-uuid/978cfc56-b47d-4d94-adae-18a4209519a5";
device = "nodev";
efiInstallAsRemovable = true;
efiSupport = true;
enable = true;
version = 2;
};
fileSystems."/share/" = {
device = "/dev/ram1";
fsType = "tmpfs";
};
# NTFS support
# ------------
environment.systemPackages = [ pkgs.ntfs3g ];
# lvm volume group
# ----------------
boot.initrd.luks.devices = {
mobi = {
device = "/dev/disk/by-uuid/e138095f-c703-4dea-bb1c-bf888b8e1b81";
preLVM = true;
};
};
# root
# ----
fileSystems."/" = {
options = [ "noatime" "nodiratime" "discard" ];
device = "/dev/mobi/root";
fsType = "ext4"; fsType = "ext4";
}; };
# boot boot.initrd.luks.devices."root-enc".device = "/dev/disk/by-uuid/cf30f4a6-578e-418a-9d18-d32fbf992b0c";
# ----
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/064D-3144"; {
device = "/dev/disk/by-uuid/AEE5-221F";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
# networking.interfaces.tinc.private.useDHCP = lib.mkDefault true;
# networking.interfaces.tinc.retiolum.useDHCP = lib.mkDefault true;
# networking.interfaces.tinc.secret.useDHCP = lib.mkDefault true;
# networking.interfaces.virbr0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }


@ -0,0 +1,42 @@
{ config, pkgs, lib, ... }: {
#sops.secrets.syncthing_cert = { };
#sops.secrets.syncthing_key = { };
services.syncthing = {
enable = true;
openDefaultPorts = false;
user = "palo";
dataDir = "/home/palo/.syncthing";
configDir = "/home/palo/.syncthing";
#cert = toString config.sops.secrets.syncthing_cert.path;
#key = toString config.sops.secrets.syncthing_key.path;
overrideFolders = true;
folders = {
# on encrypted drive
# ------------------
private = {
enable = true;
path = "/home/palo/private";
};
desktop = {
enable = true;
path = "/home/palo/desktop";
};
finance = {
enable = true;
path = "/home/palo/finance";
};
password-store = {
enable = true;
path = "/home/palo/.password-store";
};
};
};
system.permown."/home/palo/music-library" = {
owner = "palo";
group = "users";
};
}
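Review bot: `system.permown."/home/palo/music-library"` manages a directory that no folder in this file shares, which looks like a leftover from the host this file was copied from; remove it or add the matching folder. The `cert` and `key` lines are commented out, so the device identity will be whatever Syncthing generates under `/home/palo/.syncthing`, while the same commit pins a fixed device ID for `mobi` in the shared device list. A reinstall would produce a different ID and the pinned one would no longer match. Either wire up the sops secrets as the commented lines intend, or leave `# TODO: manage cert/key via sops; device ID is pinned in the shared syncthing device list` so the dependency is recorded.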


@ -8,7 +8,7 @@
authorizedKeys = [ authorizedKeys = [
# todo rename # todo rename
(lib.fileContents ../../assets/ssh/borg_access.pub) (lib.fileContents ../../assets/ssh/borg_access.pub)
(lib.fileContents ../../assets/ssh/card_rsa.pub) (lib.fileContents ../../assets/ssh/palo_rsa.pub)
]; ];
}; };
}; };


@ -43,6 +43,10 @@
enable = true; enable = true;
path = "/home/syncthing/private"; path = "/home/syncthing/private";
}; };
password-store = {
enable = true;
path = "/home/syncthing/password-store";
};
desktop = { desktop = {
enable = true; enable = true;
path = "/home/syncthing/desktop"; path = "/home/syncthing/desktop";
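Review bot: The new `password-store` folder places a replica of the password store under `/home/syncthing/password-store` on this host, and the same folder is added for `/home/palo/.password-store` in two other host files and in the shared folder list of this commit. If this is a `pass`-style store, the entries are encrypted but the file and directory names are not, so every replica reveals which accounts exist. Unlike the desktop files, which carry an `# on encrypted drive` comment, nothing visible here says whether `/home/syncthing` sits on an encrypted volume. A comment such as `# replica for backup only; entries are gpg-encrypted, entry names are not` would state the intent. The folder set starts and ends outside the hunk.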


@ -6,7 +6,7 @@
allowSubRepos = true; allowSubRepos = true;
authorizedKeys = [ authorizedKeys = [
(lib.fileContents ../../assets/ssh/borg_access.pub) (lib.fileContents ../../assets/ssh/borg_access.pub)
(lib.fileContents ../../assets/ssh/card_rsa.pub) (lib.fileContents ../../assets/ssh/palo_rsa.pub)
]; ];
}; };
}; };


@ -53,27 +53,28 @@ in
alias = pkgs.writeText "key" (lib.fileContents ../../assets/pgp.key); alias = pkgs.writeText "key" (lib.fileContents ../../assets/pgp.key);
}; };
"= /palo_rsa.pub" = { "= /palo_rsa.pub" = {
alias = pkgs.writeText "key" (lib.fileContents ../../assets/ssh/card_rsa.pub); alias = pkgs.writeText "key" (lib.fileContents ../../assets/ssh/palo_rsa.pub);
}; };
} // error.locations; } // error.locations;
}; };
"stable-diffusion.ingolf-wagner.de" = { # "stable-diffusion.ingolf-wagner.de" = {
forceSSL = true; # forceSSL = true;
enableACME = true; # enableACME = true;
extraConfig = error.extraConfig; # extraConfig = error.extraConfig;
root = "/srv/www/stable-diffusion"; # root = "/srv/www/stable-diffusion";
locations = { # locations = {
"/model-v1-4.ckpt" = { # "/model-v1-4.ckpt" = {
basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
tryFiles = "/stable-diffusion-v-1-4-original/sd-v1-4.ckpt =404";
};
#"/model-v1-3.ckpt" = {
# basicAuthFile = "${private_assets}/stable-diffusion-htpasswd"; # basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
# tryFiles = "stable-diffusion-v-1-3-original/sd-v1-3.ckpt"; # tryFiles = "/stable-diffusion-v-1-4-original/sd-v1-4.ckpt =404";
# }; # };
} // error.locations; # #"/model-v1-3.ckpt" = {
}; # # basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
# # tryFiles = "stable-diffusion-v-1-3-original/sd-v1-3.ckpt";
# #};
# } // error.locations;
# };
"travel.ingolf-wagner.de" = { "travel.ingolf-wagner.de" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
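Review bot: The `stable-diffusion.ingolf-wagner.de` virtual host is disabled by commenting out every line, including the already commented `model-v1-3` location, which now carries two levels of `#`. Deleting the block and relying on history keeps the file readable; if it is meant to return, a single line such as `# stable-diffusion vhost removed, see git history` is enough. The `${private_assets}/stable-diffusion-htpasswd` file it referenced is presumably unused after this change and could be retired with it.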


@ -12,11 +12,14 @@
#./wifi-access-point.nix #./wifi-access-point.nix
#./wireshark.nix #./wireshark.nix
./scanner.nix ./scanner.nix
./qemu.nix
]; ];
services.nginx.enable = true; services.nginx.enable = true;
#sops.defaultSopsFile = ../../secrets/sterni.yaml; #sops.defaultSopsFile = ../../secrets/sterni.yaml;
networking.hostName = "sterni"; networking.hostName = "sterni";


@ -0,0 +1,17 @@
{ config, lib, pkgs, ... }:
{
virtualisation.libvirtd.enable = true;
#virtualisation.libvirtd.allowedBridges = ["virbr0"];
virtualisation.libvirtd.onShutdown = "shutdown";
environment.systemPackages = [
pkgs.qemu_kvm
pkgs.virt-manager
];
users.users.mainUser.extraGroups = [ "libvirtd" ];
}
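Review bot: `users.users.mainUser.extraGroups = [ "libvirtd" ];` deserves a comment, because membership in that group lets the user manage the system libvirt daemon without further authentication, which in practice is root-equivalent on the host. Something like `# libvirtd group gives unauthenticated access to the system libvirt daemon; treat as root-equivalent` above the line records that this is a deliberate trade-off for a desktop. The commented-out `allowedBridges` line should either be removed or explained.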


@ -16,6 +16,10 @@
# on encrypted drive # on encrypted drive
# ------------------ # ------------------
password-store = {
enable = true;
path = "/home/palo/.password-store";
};
private = { private = {
enable = true; enable = true;
path = "/home/palo/private"; path = "/home/palo/private";


@ -104,7 +104,7 @@ in
enable = true; enable = true;
package = pkgs.pulseaudioFull; package = pkgs.pulseaudioFull;
# all in audio group can do audio # all in audio group can do audio
systemWide = true; systemWide = false;
extraConfig = '' extraConfig = ''
# automatically switch to newly-connected devices # automatically switch to newly-connected devices
load-module module-switch-on-connect load-module module-switch-on-connect
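Review bot: The comment `# all in audio group can do audio` directly above the changed line describes system-wide mode and is stale now that `systemWide = false;`. Replace it with a line that states the new mode and the reason for the switch, e.g. `# per-user PulseAudio daemon`, or drop it. The attribute set starts and ends outside the hunk.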


@ -7,7 +7,7 @@
"borg-${command}-on-${host}-for-${repository}" '' "borg-${command}-on-${host}-for-${repository}" ''
${pkgs.borgbackup}/bin/borg \ ${pkgs.borgbackup}/bin/borg \
${command} \ ${command} \
--rsh='ssh -i ~/.ssh/card_rsa.pub' borg@${host}.private:${repository}/. \ --rsh='ssh -i ~/.ssh/palo_rsa.pub' borg@${host}.private:${repository}/. \
"$@" "$@"
''; '';
hosts = [ "pepe" "robi" ]; hosts = [ "pepe" "robi" ];


@ -36,7 +36,7 @@
config.module.cluster.services.tinc.private.hosts.sterni.tincIp config.module.cluster.services.tinc.private.hosts.sterni.tincIp
config.module.cluster.services.tinc.secret.hosts.sterni.tincIp config.module.cluster.services.tinc.secret.hosts.sterni.tincIp
]; ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyHmHJy2Va45p9mn+Hj3DyaY5yxnQIKvXeACHjzgSKt"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
}; };
"pepe.private" = { "pepe.private" = {
hostNames = [ hostNames = [
@ -51,7 +51,7 @@
"mobi.private" "mobi.private"
config.module.cluster.services.tinc.private.hosts.mobi.tincIp config.module.cluster.services.tinc.private.hosts.mobi.tincIp
]; ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhBtcipW9rV6hHS2hv5tl5hd8vW8dnuFfFwnAs2u0kS"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
}; };
}; };
} }
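Review bot: The pinned host key of the entry whose host names include the sterni tinc addresses is replaced in a commit whose description only mentions adding mobi, and nothing on the page says why it changed. Because these `publicKey` values are what the other machines trust for host verification, each new value should be compared with the key read on the machine itself before deploying. A short comment next to the changed entries, e.g. `# host key regenerated on reinstall`, would record the reason. The enclosing attribute set starts outside the hunks.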


@ -11,7 +11,7 @@ with lib;
tools.enable = true; tools.enable = true;
sshd = { sshd = {
enable = true; enable = true;
rootKeyFiles = [ (toString ../../assets/ssh/card_rsa.pub) ]; rootKeyFiles = [ (toString ../../assets/ssh/palo_rsa.pub) ];
}; };
}; };


@ -25,11 +25,11 @@ with lib; {
// (device "workhorse" "AFSAKB6-JLH4QAS-DSRMPI3-6PVCIHF-IIAVLPC-STPNO3Y-YRDU5NW-QD445QI") // (device "workhorse" "AFSAKB6-JLH4QAS-DSRMPI3-6PVCIHF-IIAVLPC-STPNO3Y-YRDU5NW-QD445QI")
// (device "pepe" "SZLXFW3-VTAC7UB-V2Z7CHE-3VZAYPL-6D72AK6-OCDMPZP-G4FPY5P-FL6ZVAG") // (device "pepe" "SZLXFW3-VTAC7UB-V2Z7CHE-3VZAYPL-6D72AK6-OCDMPZP-G4FPY5P-FL6ZVAG")
// (device "sterni" "ZFNNKPD-ZSOAYJQ-VROXXDB-5MD3UTJ-GDCNTSQ-G5POVV3-UZG5HFT-CCAU3AD") // (device "sterni" "ZFNNKPD-ZSOAYJQ-VROXXDB-5MD3UTJ-GDCNTSQ-G5POVV3-UZG5HFT-CCAU3AD")
// (device "mobi" "NGI7UN6-MR2YPYI-L7DGN3I-JFZU2N3-RJBJV6K-2VZVQSJ-PWLZYOK-PXZYRAF")
// { // {
bumba = { bumba = {
name = "windows-bumba"; name = "windows-bumba";
id = "JS7PWTO-VKFGBUP-GNFLSWP-MGFJ2KH-HLO2LKW-V3RPCR6-PCB5SQC-42FCKQZ"; id = "JS7PWTO-VKFGBUP-GNFLSWP-MGFJ2KH-HLO2LKW-V3RPCR6-PCB5SQC-42FCKQZ";
#addresses = [ "dynamic" ];
}; };
} }
// { // {
@ -47,7 +47,16 @@ with lib; {
private = { private = {
enable = lib.mkDefault false; enable = lib.mkDefault false;
watch = lib.mkDefault false; watch = lib.mkDefault false;
devices = [ "pepe" "sterni" ]; devices = [ "pepe" "sterni" "mobi" ];
versioning = {
type = "simple";
params.keep = "10";
};
};
password-store = {
enable = lib.mkDefault false;
watch = lib.mkDefault false;
devices = [ "pepe" "sterni" "mobi" ];
versioning = { versioning = {
type = "simple"; type = "simple";
params.keep = "10"; params.keep = "10";
@ -56,12 +65,12 @@ with lib; {
desktop = { desktop = {
enable = lib.mkDefault false; enable = lib.mkDefault false;
watch = lib.mkDefault false; watch = lib.mkDefault false;
devices = [ "pepe" "sterni" ]; devices = [ "pepe" "sterni" "mobi" ];
}; };
finance = { finance = {
enable = lib.mkDefault false; enable = lib.mkDefault false;
watch = lib.mkDefault false; watch = lib.mkDefault false;
devices = [ "pepe" "sterni" ]; devices = [ "pepe" "sterni" "mobi" ];
versioning = { versioning = {
type = "simple"; type = "simple";
params.keep = "10"; params.keep = "10";


@ -84,13 +84,13 @@ in
}; };
home.git-pull = { home.git-pull = {
enable = mkDefault true; enable = mkDefault false;
repositories = [ repositories = [
# krebs # krebs
{ #{
source = "git@github.com:krebs/stockholm.git"; # source = "git@github.com:krebs/stockholm.git";
target = "~/dev/krebs/stockholm"; # target = "~/dev/krebs/stockholm";
} #}
{ {
source = "git@github.com:krebs/rc3-map.git"; source = "git@github.com:krebs/rc3-map.git";
target = "~/dev/krebs/rc3-map"; target = "~/dev/krebs/rc3-map";


@ -5,7 +5,7 @@ with lib; {
programs.ssh.enable = true; programs.ssh.enable = true;
programs.ssh.matchBlocks = { programs.ssh.matchBlocks = {
"*" = { "*" = {
identityFile = "~/.ssh/card_rsa.pub"; identityFile = "~/.ssh/palo_rsa.pub";
identitiesOnly = true; identitiesOnly = true;
}; };
"lassul.us" = { "lassul.us" = {


@ -1,6 +1,17 @@
{ config, ... }: { { config, lib, ... }:
# make sure ssh is only available trough the tinc with lib;
let cfg = config.desktop.ssh.onlyTinc;
in {
options.desktop.ssh.onlyTinc = mkOption {
type = with types; bool;
default = true;
description = ''
make sure ssh is only available trough the tinc
'';
};
config = mkIf cfg {
networking.firewall.extraCommands = '' networking.firewall.extraCommands = ''
iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0 iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
''; '';
};
} }
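Review bot: The option description promises that ssh is only reachable through tinc, but the rule it enables is installed with `iptables` alone and therefore covers IPv4 only. On a host with IPv6 connectivity, port 22 would stay reachable outside tinc even with the default `true`. Either narrow the description to what the rule does or add the IPv6 counterpart; the NixOS firewall script provides `ip46tables` for this, provided the IPv6 nat table is available on the target kernels. The description also has a typo, `trough` for `through`, and `type = with types; bool;` can be written as `type = types.bool;`.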