add mobi and it works
This commit is contained in:
parent
9964d154d4
commit
f771aa24bf
23 changed files with 278 additions and 146 deletions
56
flake.lock
56
flake.lock
|
@ -3,7 +3,7 @@
|
|||
"barcode-reader": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils_3",
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1636602745,
|
||||
|
@ -38,16 +38,18 @@
|
|||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"nix-eval-jobs": "nix-eval-jobs",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"stable": "stable",
|
||||
"utils": "utils"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1661669123,
|
||||
"narHash": "sha256-nXslD8Sbs6G9/MN7HOr+YrBCCmUdS/MpEuxJGlWeSgM=",
|
||||
"lastModified": 1663742427,
|
||||
"narHash": "sha256-1gcXLVbZRVbRfNo6bHemNxdnEBgs6W0QPw675/uso3w=",
|
||||
"owner": "zhaofengli",
|
||||
"repo": "colmena",
|
||||
"rev": "e7356e2c5cbc19be6e04d284c943b24bbde81a9b",
|
||||
"rev": "a8e6b999cfec9fadc2ca81994da44182e73be7eb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -546,16 +548,15 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1660485612,
|
||||
"narHash": "sha256-sSLW1KaB1adKTJn9+Ja3h3AaS7QCZyhUKiSUStcLg80=",
|
||||
"owner": "NixOS",
|
||||
"lastModified": 1636416043,
|
||||
"narHash": "sha256-Esz9X97OeAsNoJUVuqlCu2LDWcyLE24huUonhOY3JGw=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "6512b21eabb4d52e87ea2edcf31a288e67b2e4f8",
|
||||
"rev": "db6044d5debaff0749420c3553d1b89fc6c5c5f8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -615,21 +616,6 @@
|
|||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1636416043,
|
||||
"narHash": "sha256-Esz9X97OeAsNoJUVuqlCu2LDWcyLE24huUonhOY3JGw=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "db6044d5debaff0749420c3553d1b89fc6c5c5f8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1661700591,
|
||||
"narHash": "sha256-NZa+z+TJC+Hk+87+LKkjFFmBn4GyMVEPcWFXFU+aTkU=",
|
||||
|
@ -645,7 +631,7 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_4": {
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1632855891,
|
||||
"narHash": "sha256-crW76mt9/kbUBiKy/KiSnsQ9JEYgD3StDuYAMVkTbM0=",
|
||||
|
@ -659,7 +645,7 @@
|
|||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs_5": {
|
||||
"nixpkgs_4": {
|
||||
"locked": {
|
||||
"lastModified": 1661353537,
|
||||
"narHash": "sha256-1E2IGPajOsrkR49mM5h55OtYnU0dGyre6gl60NXKITE=",
|
||||
|
@ -774,7 +760,7 @@
|
|||
"polygon-art": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils_6",
|
||||
"nixpkgs": "nixpkgs_4"
|
||||
"nixpkgs": "nixpkgs_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1632864714,
|
||||
|
@ -833,7 +819,7 @@
|
|||
"home-manager": "home-manager",
|
||||
"home-manager-utils": "home-manager-utils",
|
||||
"krops": "krops",
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs-fmt": "nixpkgs-fmt",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
"polygon-art": "polygon-art",
|
||||
|
@ -878,11 +864,11 @@
|
|||
"secrets": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1663688404,
|
||||
"narHash": "sha256-eGKtvyakb/6jncb5oQXa0c6usLvQ8DMDjr5LtBbpdzY=",
|
||||
"lastModified": 1663876023,
|
||||
"narHash": "sha256-esUjNxIvrKZXukSbZbre4l5nS++Iqhc19LGHcizHEk4=",
|
||||
"ref": "main",
|
||||
"rev": "43bc5b41992e585f8b02a18c66b478fd165ed817",
|
||||
"revCount": 36,
|
||||
"rev": "6b43a1b2f4ba34f684614d15f54e68d88eea2612",
|
||||
"revCount": 38,
|
||||
"type": "git",
|
||||
"url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
|
||||
},
|
||||
|
@ -910,7 +896,7 @@
|
|||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_5",
|
||||
"nixpkgs": "nixpkgs_4",
|
||||
"nixpkgs-22_05": "nixpkgs-22_05"
|
||||
},
|
||||
"locked": {
|
||||
|
|
25
flake.nix
25
flake.nix
|
@ -14,7 +14,10 @@
|
|||
};
|
||||
# colmena
|
||||
# -------
|
||||
colmena.url = "github:zhaofengli/colmena";
|
||||
colmena = {
|
||||
url = "github:zhaofengli/colmena";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
polygon-art = {
|
||||
url = "git+https://git.ingolf-wagner.de/palo/polygon-art.git";
|
||||
|
@ -157,7 +160,7 @@
|
|||
sterni = { name, nodes, pkgs, ... }: {
|
||||
deployment.allowLocalDeployment = true;
|
||||
deployment.targetHost = "${name}.private";
|
||||
deployment.tags = [ "desktop" "online" ];
|
||||
deployment.tags = [ "desktop" "online" "private" ];
|
||||
imports = [
|
||||
grocy-scanner.nixosModule
|
||||
];
|
||||
|
@ -186,7 +189,7 @@
|
|||
|
||||
pepe = { name, nodes, pkgs, ... }: {
|
||||
deployment.targetHost = "${name}.private";
|
||||
deployment.tags = [ "server" "online" ];
|
||||
deployment.tags = [ "server" "online" "private" ];
|
||||
imports = [
|
||||
grocy-scanner.nixosModule
|
||||
];
|
||||
|
@ -194,10 +197,22 @@
|
|||
|
||||
robi = { name, nodes, pkgs, ... }: {
|
||||
deployment.targetHost = "${name}";
|
||||
deployment.tags = [ "server" "online" ];
|
||||
deployment.tags = [ "server" "online" "private" ];
|
||||
imports = [ ];
|
||||
};
|
||||
|
||||
mobi = { name, nodes, pkgs, ... }: {
|
||||
deployment.targetHost = "${name}.private";
|
||||
deployment.tags = [ "desktop" "usb" "private" ];
|
||||
imports = [
|
||||
grocy-scanner.nixosModule
|
||||
];
|
||||
home-manager.users.mainUser = {
|
||||
imports = [
|
||||
doom-emacs-nix.hmModule
|
||||
home-manager-utils.hmModule
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -97,16 +97,19 @@
|
|||
config =
|
||||
let
|
||||
torDirectory = "/var/lib/tor";
|
||||
hiddenServiceDir = torDirectory + "/liveos";
|
||||
hiddenServiceDir = torDirectory + "/onion/hidden-ssh";
|
||||
in
|
||||
{
|
||||
services.tor = {
|
||||
enable = true;
|
||||
client.enable = true;
|
||||
extraConfig = ''
|
||||
HiddenServiceDir ${hiddenServiceDir}
|
||||
HiddenServicePort 22 127.0.0.1:22
|
||||
'';
|
||||
relay.onionServices.hidden-ssh = {
|
||||
version = 3;
|
||||
map = [{
|
||||
port = 22;
|
||||
target.port = 22;
|
||||
}];
|
||||
};
|
||||
};
|
||||
systemd.services.hidden-ssh-announce = {
|
||||
description = "irc announce hidden ssh";
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
Ed25519PublicKey = 94CccmfAuNtQzopd5NiVYjTjZvSgabMh66BI/iyVmnJ
|
||||
Ed25519PublicKey = X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB
|
||||
-----BEGIN RSA PUBLIC KEY-----
|
||||
MIICCgKCAgEA8m9cBRv+9K8ywH19CZKDidwmzEa+2j3rkFjek+uPLVCHX5FlVQv+
|
||||
flX5fY06DuaPzWKf4MoXHxmVa9T/WOcKZJUmhSJC2AVorhuPihOx0FNrQr69bamy
|
||||
x03fiH0pHmDXumNdGMUcNf+06Zu2Nr9yze8rE1B97zb0RPBf+XC1uHw4E4PrWC/F
|
||||
swibj9U45bp07wFvJrkAsngw4c6+TFERW6TK5DPKDQs7KfgdsqFGLvg2cY5phwC1
|
||||
08HBC7eTf2xG6paaS7gEbhDMQ/K47Lbhbv2srnYfaBw5iyc8f29ZwEuNfE4V15B3
|
||||
foz/kGAhceTuBKNCVvKvqSIL2yEsibFVyl7zlgGp3EKWuR5ETQAspJViGILwiyq6
|
||||
iRYQ1AxxyroqS146CUAB8/68w0PwroKt8lXMEtx58S7/OAW0KnXGxwqSfocH+iE4
|
||||
qry9pPuSs7RR6lXBB0nvSfTbaZDMUXtiyV24+pyZgl5Q31kDgUWgFpzGRBc/CTO2
|
||||
h8OmUcvEyLxh3bruu0SQGXa35G1Igsumuh/uLifgHB/odLYY00PhEdpp52BswgXe
|
||||
yz88nfXMOyvm7ROEyA7r2qruM1kEHDSQ8IRuxhd8YebyI7k6mYVE8CR5T89QfVl3
|
||||
mrNk+f6Q/cpFiNBxr7+UBCiHix3/GDAD4NEgvu5nfqinTA34FuscTS8CAwEAAQ==
|
||||
MIICCgKCAgEAxubIDrvtrZ6fKPkuwQ+sK6YlToTfVtg3HCTOR7iDf47arkuG3dTb
|
||||
BgnkbB/8+KzztaYLQoLnGFugxKKtMGBvMGCo6YLtxrjuaz3aDmhpmGCJh80r80/i
|
||||
8WWg1CAkboKHmaiFpS/LBxAWQUGP+YJSoTLuDwtd794wX9MxLh4x5uGRp4rCj9+4
|
||||
DdGemLZkZz6Je+cBkf8qrw1Dr8CPiJk47a7bZhyKVnQ3PyvrGOjFolfcI22xp8j3
|
||||
7y55DIMWhVsm6EWFK4/pzAqi9JdRd7xy8c9WRIcAHJDlSdf+ERbIjUDJC8fgMlNl
|
||||
UII0SqLnBscIbqz2dMuoldeqg9S1fOiTekReLJqpLmAIn+iwpT8KW5QaESu2eh6M
|
||||
Ok0sJ8A+aphuZ+FDd2FUmWQiENnPzFGYQ/SuNAA7hR5plSCbjpodulNQFY93I8y3
|
||||
vRru6rm/ac+7SehWPBgHGl12UJluvHn32Q85bJ2vdtn9ONgcOdjSLA58nzfc1hv/
|
||||
OA5MzIJTvDJqwjZew8A/pyz6kxrGBqnXCzzt46tvj0yZ/VhIgL3qDTR/wzRV3N14
|
||||
3Z7TToIQKBPSYNxxCEHXxVQb8oWdGzeE7X52iFeYKhxj+ikZxkoXhCgIRYrDBQ0k
|
||||
lnpJU+fbeFddZ4bAdqPxVT+perK33Wzgp9s4+KLh8ldpcRm8S29sNIcCAwEAAQ==
|
||||
-----END RSA PUBLIC KEY-----
|
||||
|
|
|
@ -2,19 +2,26 @@
|
|||
|
||||
imports = [
|
||||
|
||||
<system/desktop>
|
||||
../../system/desktop
|
||||
./hardware-configuration.nix
|
||||
./tinc.nix
|
||||
./syncthing.nix
|
||||
|
||||
];
|
||||
|
||||
system.custom.wifi.interfaces = [ ];
|
||||
|
||||
networking.hostName = "mobi";
|
||||
|
||||
security.wrappers = {
|
||||
pmount.source = "${pkgs.pmount}/bin/pmount";
|
||||
pumount.source = "${pkgs.pmount}/bin/pumount";
|
||||
pmount = {
|
||||
source = "${pkgs.pmount}/bin/pmount";
|
||||
setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
};
|
||||
pumount = {
|
||||
source = "${pkgs.pmount}/bin/pumount";
|
||||
setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
};
|
||||
};
|
||||
|
||||
# fonts
|
||||
|
@ -28,5 +35,46 @@
|
|||
height = 768;
|
||||
};
|
||||
|
||||
# grub configuraton
|
||||
# -----------------
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.efiSupport = true;
|
||||
boot.loader.grub.device = "/dev/sda";
|
||||
boot.loader.grub.efiInstallAsRemovable = true;
|
||||
boot.tmpOnTmpfs = true;
|
||||
|
||||
networking.networkmanager.enable = true;
|
||||
networking.hostName = "mobi";
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
wget
|
||||
htop
|
||||
silver-searcher
|
||||
];
|
||||
|
||||
environment.extraInit = ''
|
||||
# use vi shortcuts
|
||||
# ----------------
|
||||
set -o vi
|
||||
EDITOR=vim
|
||||
'';
|
||||
|
||||
services.openssh.enable = true;
|
||||
desktop.ssh.onlyTinc = false;
|
||||
|
||||
users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw== contact@ingolf-wagner.de" ];
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "22.05"; # Did you read the comment?
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -1,58 +1,47 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, ... }:
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules =
|
||||
[ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
|
||||
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ];
|
||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
# efi boot loader configuration using grub
|
||||
boot.loader.efi.canTouchEfiVariables = false;
|
||||
boot.loader.grub = {
|
||||
device = "nodev";
|
||||
efiInstallAsRemovable = true;
|
||||
efiSupport = true;
|
||||
enable = true;
|
||||
version = 2;
|
||||
};
|
||||
|
||||
fileSystems."/share/" = {
|
||||
device = "/dev/ram1";
|
||||
fsType = "tmpfs";
|
||||
};
|
||||
|
||||
# NTFS support
|
||||
# ------------
|
||||
environment.systemPackages = [ pkgs.ntfs3g ];
|
||||
|
||||
# lvm volume group
|
||||
# ----------------
|
||||
boot.initrd.luks.devices = {
|
||||
mobi = {
|
||||
device = "/dev/disk/by-uuid/e138095f-c703-4dea-bb1c-bf888b8e1b81";
|
||||
preLVM = true;
|
||||
};
|
||||
};
|
||||
|
||||
# root
|
||||
# ----
|
||||
fileSystems."/" = {
|
||||
options = [ "noatime" "nodiratime" "discard" ];
|
||||
device = "/dev/mobi/root";
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/978cfc56-b47d-4d94-adae-18a4209519a5";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
# boot
|
||||
# ----
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/064D-3144";
|
||||
boot.initrd.luks.devices."root-enc".device = "/dev/disk/by-uuid/cf30f4a6-578e-418a-9d18-d32fbf992b0c";
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/AEE5-221F";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.tinc.private.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.tinc.retiolum.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.tinc.secret.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.virbr0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
|
||||
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
||||
|
|
42
nixos/machines/mobi/syncthing.nix
Normal file
42
nixos/machines/mobi/syncthing.nix
Normal file
|
@ -0,0 +1,42 @@
|
|||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
#sops.secrets.syncthing_cert = { };
|
||||
#sops.secrets.syncthing_key = { };
|
||||
|
||||
services.syncthing = {
|
||||
enable = true;
|
||||
openDefaultPorts = false;
|
||||
user = "palo";
|
||||
dataDir = "/home/palo/.syncthing";
|
||||
configDir = "/home/palo/.syncthing";
|
||||
#cert = toString config.sops.secrets.syncthing_cert.path;
|
||||
#key = toString config.sops.secrets.syncthing_key.path;
|
||||
overrideFolders = true;
|
||||
folders = {
|
||||
|
||||
# on encrypted drive
|
||||
# ------------------
|
||||
private = {
|
||||
enable = true;
|
||||
path = "/home/palo/private";
|
||||
};
|
||||
desktop = {
|
||||
enable = true;
|
||||
path = "/home/palo/desktop";
|
||||
};
|
||||
finance = {
|
||||
enable = true;
|
||||
path = "/home/palo/finance";
|
||||
};
|
||||
password-store = {
|
||||
enable = true;
|
||||
path = "/home/palo/.password-store";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
system.permown."/home/palo/music-library" = {
|
||||
owner = "palo";
|
||||
group = "users";
|
||||
};
|
||||
}
|
|
@ -8,7 +8,7 @@
|
|||
authorizedKeys = [
|
||||
# todo rename
|
||||
(lib.fileContents ../../assets/ssh/borg_access.pub)
|
||||
(lib.fileContents ../../assets/ssh/card_rsa.pub)
|
||||
(lib.fileContents ../../assets/ssh/palo_rsa.pub)
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
@ -43,6 +43,10 @@
|
|||
enable = true;
|
||||
path = "/home/syncthing/private";
|
||||
};
|
||||
password-store = {
|
||||
enable = true;
|
||||
path = "/home/syncthing/password-store";
|
||||
};
|
||||
desktop = {
|
||||
enable = true;
|
||||
path = "/home/syncthing/desktop";
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
allowSubRepos = true;
|
||||
authorizedKeys = [
|
||||
(lib.fileContents ../../assets/ssh/borg_access.pub)
|
||||
(lib.fileContents ../../assets/ssh/card_rsa.pub)
|
||||
(lib.fileContents ../../assets/ssh/palo_rsa.pub)
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
@ -53,27 +53,28 @@ in
|
|||
alias = pkgs.writeText "key" (lib.fileContents ../../assets/pgp.key);
|
||||
};
|
||||
"= /palo_rsa.pub" = {
|
||||
alias = pkgs.writeText "key" (lib.fileContents ../../assets/ssh/card_rsa.pub);
|
||||
alias = pkgs.writeText "key" (lib.fileContents ../../assets/ssh/palo_rsa.pub);
|
||||
};
|
||||
} // error.locations;
|
||||
};
|
||||
|
||||
"stable-diffusion.ingolf-wagner.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
extraConfig = error.extraConfig;
|
||||
root = "/srv/www/stable-diffusion";
|
||||
locations = {
|
||||
"/model-v1-4.ckpt" = {
|
||||
basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
|
||||
tryFiles = "/stable-diffusion-v-1-4-original/sd-v1-4.ckpt =404";
|
||||
};
|
||||
#"/model-v1-3.ckpt" = {
|
||||
# "stable-diffusion.ingolf-wagner.de" = {
|
||||
# forceSSL = true;
|
||||
# enableACME = true;
|
||||
# extraConfig = error.extraConfig;
|
||||
# root = "/srv/www/stable-diffusion";
|
||||
# locations = {
|
||||
# "/model-v1-4.ckpt" = {
|
||||
# basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
|
||||
# tryFiles = "stable-diffusion-v-1-3-original/sd-v1-3.ckpt";
|
||||
#};
|
||||
} // error.locations;
|
||||
};
|
||||
# tryFiles = "/stable-diffusion-v-1-4-original/sd-v1-4.ckpt =404";
|
||||
# };
|
||||
# #"/model-v1-3.ckpt" = {
|
||||
# # basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
|
||||
# # tryFiles = "stable-diffusion-v-1-3-original/sd-v1-3.ckpt";
|
||||
# #};
|
||||
# } // error.locations;
|
||||
# };
|
||||
|
||||
"travel.ingolf-wagner.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
|
|
@ -12,11 +12,14 @@
|
|||
#./wifi-access-point.nix
|
||||
#./wireshark.nix
|
||||
./scanner.nix
|
||||
./qemu.nix
|
||||
|
||||
];
|
||||
|
||||
|
||||
services.nginx.enable = true;
|
||||
|
||||
|
||||
#sops.defaultSopsFile = ../../secrets/sterni.yaml;
|
||||
networking.hostName = "sterni";
|
||||
|
||||
|
|
17
nixos/machines/sterni/qemu.nix
Normal file
17
nixos/machines/sterni/qemu.nix
Normal file
|
@ -0,0 +1,17 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
|
||||
virtualisation.libvirtd.enable = true;
|
||||
#virtualisation.libvirtd.allowedBridges = ["virbr0"];
|
||||
virtualisation.libvirtd.onShutdown = "shutdown";
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.qemu_kvm
|
||||
pkgs.virt-manager
|
||||
];
|
||||
|
||||
users.users.mainUser.extraGroups = [ "libvirtd" ];
|
||||
|
||||
|
||||
}
|
|
@ -16,6 +16,10 @@
|
|||
|
||||
# on encrypted drive
|
||||
# ------------------
|
||||
password-store = {
|
||||
enable = true;
|
||||
path = "/home/palo/.password-store";
|
||||
};
|
||||
private = {
|
||||
enable = true;
|
||||
path = "/home/palo/private";
|
||||
|
|
|
@ -104,7 +104,7 @@ in
|
|||
enable = true;
|
||||
package = pkgs.pulseaudioFull;
|
||||
# all in audio group can do audio
|
||||
systemWide = true;
|
||||
systemWide = false;
|
||||
extraConfig = ''
|
||||
# automatically switch to newly-connected devices
|
||||
load-module module-switch-on-connect
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
"borg-${command}-on-${host}-for-${repository}" ''
|
||||
${pkgs.borgbackup}/bin/borg \
|
||||
${command} \
|
||||
--rsh='ssh -i ~/.ssh/card_rsa.pub' borg@${host}.private:${repository}/. \
|
||||
--rsh='ssh -i ~/.ssh/palo_rsa.pub' borg@${host}.private:${repository}/. \
|
||||
"$@"
|
||||
'';
|
||||
hosts = [ "pepe" "robi" ];
|
||||
|
|
|
@ -36,7 +36,7 @@
|
|||
config.module.cluster.services.tinc.private.hosts.sterni.tincIp
|
||||
config.module.cluster.services.tinc.secret.hosts.sterni.tincIp
|
||||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyHmHJy2Va45p9mn+Hj3DyaY5yxnQIKvXeACHjzgSKt";
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
|
||||
};
|
||||
"pepe.private" = {
|
||||
hostNames = [
|
||||
|
@ -51,7 +51,7 @@
|
|||
"mobi.private"
|
||||
config.module.cluster.services.tinc.private.hosts.mobi.tincIp
|
||||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhBtcipW9rV6hHS2hv5tl5hd8vW8dnuFfFwnAs2u0kS";
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -11,7 +11,7 @@ with lib;
|
|||
tools.enable = true;
|
||||
sshd = {
|
||||
enable = true;
|
||||
rootKeyFiles = [ (toString ../../assets/ssh/card_rsa.pub) ];
|
||||
rootKeyFiles = [ (toString ../../assets/ssh/palo_rsa.pub) ];
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -25,11 +25,11 @@ with lib; {
|
|||
// (device "workhorse" "AFSAKB6-JLH4QAS-DSRMPI3-6PVCIHF-IIAVLPC-STPNO3Y-YRDU5NW-QD445QI")
|
||||
// (device "pepe" "SZLXFW3-VTAC7UB-V2Z7CHE-3VZAYPL-6D72AK6-OCDMPZP-G4FPY5P-FL6ZVAG")
|
||||
// (device "sterni" "ZFNNKPD-ZSOAYJQ-VROXXDB-5MD3UTJ-GDCNTSQ-G5POVV3-UZG5HFT-CCAU3AD")
|
||||
// (device "mobi" "NGI7UN6-MR2YPYI-L7DGN3I-JFZU2N3-RJBJV6K-2VZVQSJ-PWLZYOK-PXZYRAF")
|
||||
// {
|
||||
bumba = {
|
||||
name = "windows-bumba";
|
||||
id = "JS7PWTO-VKFGBUP-GNFLSWP-MGFJ2KH-HLO2LKW-V3RPCR6-PCB5SQC-42FCKQZ";
|
||||
#addresses = [ "dynamic" ];
|
||||
};
|
||||
}
|
||||
// {
|
||||
|
@ -47,7 +47,16 @@ with lib; {
|
|||
private = {
|
||||
enable = lib.mkDefault false;
|
||||
watch = lib.mkDefault false;
|
||||
devices = [ "pepe" "sterni" ];
|
||||
devices = [ "pepe" "sterni" "mobi" ];
|
||||
versioning = {
|
||||
type = "simple";
|
||||
params.keep = "10";
|
||||
};
|
||||
};
|
||||
password-store = {
|
||||
enable = lib.mkDefault false;
|
||||
watch = lib.mkDefault false;
|
||||
devices = [ "pepe" "sterni" "mobi" ];
|
||||
versioning = {
|
||||
type = "simple";
|
||||
params.keep = "10";
|
||||
|
@ -56,12 +65,12 @@ with lib; {
|
|||
desktop = {
|
||||
enable = lib.mkDefault false;
|
||||
watch = lib.mkDefault false;
|
||||
devices = [ "pepe" "sterni" ];
|
||||
devices = [ "pepe" "sterni" "mobi" ];
|
||||
};
|
||||
finance = {
|
||||
enable = lib.mkDefault false;
|
||||
watch = lib.mkDefault false;
|
||||
devices = [ "pepe" "sterni" ];
|
||||
devices = [ "pepe" "sterni" "mobi" ];
|
||||
versioning = {
|
||||
type = "simple";
|
||||
params.keep = "10";
|
||||
|
|
|
@ -84,13 +84,13 @@ in
|
|||
};
|
||||
|
||||
home.git-pull = {
|
||||
enable = mkDefault true;
|
||||
enable = mkDefault false;
|
||||
repositories = [
|
||||
# krebs
|
||||
{
|
||||
source = "git@github.com:krebs/stockholm.git";
|
||||
target = "~/dev/krebs/stockholm";
|
||||
}
|
||||
#{
|
||||
# source = "git@github.com:krebs/stockholm.git";
|
||||
# target = "~/dev/krebs/stockholm";
|
||||
#}
|
||||
{
|
||||
source = "git@github.com:krebs/rc3-map.git";
|
||||
target = "~/dev/krebs/rc3-map";
|
||||
|
|
|
@ -5,7 +5,7 @@ with lib; {
|
|||
programs.ssh.enable = true;
|
||||
programs.ssh.matchBlocks = {
|
||||
"*" = {
|
||||
identityFile = "~/.ssh/card_rsa.pub";
|
||||
identityFile = "~/.ssh/palo_rsa.pub";
|
||||
identitiesOnly = true;
|
||||
};
|
||||
"lassul.us" = {
|
||||
|
|
|
@ -1,6 +1,17 @@
|
|||
{ config, ... }: {
|
||||
# make sure ssh is only available trough the tinc
|
||||
{ config, lib, ... }:
|
||||
with lib;
|
||||
let cfg = config.desktop.ssh.onlyTinc;
|
||||
in {
|
||||
options.desktop.ssh.onlyTinc = mkOption {
|
||||
type = with types; bool;
|
||||
default = true;
|
||||
description = ''
|
||||
make sure ssh is only available trough the tinc
|
||||
'';
|
||||
};
|
||||
config = mkIf cfg {
|
||||
networking.firewall.extraCommands = ''
|
||||
iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue