workhorse done and nixpkgs-fmt

Ingolf Wagner 2021-11-01 09:20:42 +01:00
commit fc33e57a54
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
124 changed files with 3142 additions and 2590 deletions


@ -20,58 +20,62 @@
};
};
config = let
config =
let
servers = [
{
name = "workhorse";
host = "workhorse.private";
}
{
name = "pepe";
host = "pepe.private";
}
];
servers = [
{
name = "workhorse";
host = "workhorse.private";
}
{
name = "pepe";
host = "pepe.private";
}
];
dirs = config.backup.dirs;
dirs = config.backup.dirs;
myHostname = config.networking.hostName;
myHostname = config.networking.hostName;
setup = server: {
paths = config.backup.dirs;
exclude = config.backup.exclude;
doInit = true;
repo = "borg@${server}:./${myHostname}";
encryption = {
mode = "repokey-blake2";
passCommand =
"cat ${config.sops.secrets.backup_repository_passphrase.path}";
};
environment.BORG_RSH =
"ssh -i ${toString config.sops.secrets.backup_ssh_rsa_private.path}";
compression = "auto,lzma";
startAt = "daily";
prune.keep = {
within = "10d"; # Keep all backups in the last 10 days.
weekly = 8; # Keep 8 additional end of week archives.
monthly = -1; # Keep end of month archive for every month
};
setup = server: {
paths = config.backup.dirs;
exclude = config.backup.exclude;
doInit = true;
repo = "borg@${server}:./${myHostname}";
encryption = {
mode = "repokey-blake2";
passCommand =
"cat ${config.sops.secrets.backup_repository_passphrase.path}";
};
environment.BORG_RSH =
"ssh -i ${toString config.sops.secrets.backup_ssh_rsa_private.path}";
compression = "auto,lzma";
startAt = "daily";
prune.keep = {
within = "10d"; # Keep all backups in the last 10 days.
weekly = 8; # Keep 8 additional end of week archives.
monthly = -1; # Keep end of month archive for every month
};
in
{
sops.secrets.backup_repository_passphrase = { };
sops.secrets.backup_ssh_rsa_private = { };
services.borgbackup.jobs =
let
setups = map ({ name, host }: { "${name}" = setup host; }) servers;
setupAttrs = lib.zipAttrsWith (_: vals: lib.head vals) setups;
nonEmptySetups =
lib.filterAttrs (_: { paths, ... }: builtins.length paths != 0)
setupAttrs;
in
nonEmptySetups;
};
in {
sops.secrets.backup_repository_passphrase = { };
sops.secrets.backup_ssh_rsa_private = { };
services.borgbackup.jobs = let
setups = map ({ name, host }: { "${name}" = setup host; }) servers;
setupAttrs = lib.zipAttrsWith (_: vals: lib.head vals) setups;
nonEmptySetups =
lib.filterAttrs (_: { paths, ... }: builtins.length paths != 0)
setupAttrs;
in nonEmptySetups;
};
}


@ -1,20 +1,24 @@
{ pkgs, lib, ... }: {
environment.systemPackages = let
createScript = command: host: repository:
pkgs.writers.writeBashBin
"borg-${command}-on-${host}-for-${repository}" ''
${pkgs.borgbackup}/bin/borg \
${command} \
--rsh='ssh -i ~/.ssh/card_rsa.pub' borg@${host}.private:${repository}/. \
"$@"
'';
hosts = [ "workhorse" "pepe" ];
repositories = [ "workhorse" "pepe" "sterni" "workout" ];
commands = [ "list" ];
in lib.flatten (map (command:
map
(host: map (repository: createScript command host repository) repositories)
hosts) commands);
environment.systemPackages =
let
createScript = command: host: repository:
pkgs.writers.writeBashBin
"borg-${command}-on-${host}-for-${repository}" ''
${pkgs.borgbackup}/bin/borg \
${command} \
--rsh='ssh -i ~/.ssh/card_rsa.pub' borg@${host}.private:${repository}/. \
"$@"
'';
hosts = [ "workhorse" "pepe" ];
repositories = [ "workhorse" "pepe" "sterni" "workout" ];
commands = [ "list" ];
in
lib.flatten (map
(command:
map
(host: map (repository: createScript command host repository) repositories)
hosts)
commands);
}


@ -5,7 +5,8 @@ let
rev = "fe27cbc99e994d50bb4269a9388e3f7d60492ffa";
sha256 = "1z8zc4k2mh8d56ipql8vfljvdjczrrna5ckgzjsdyrndfkwv8ghw";
};
in {
in
{
boot.loader.grub.extraConfig = ''
set theme=($drive1)//themes/fallout-grub-theme/theme.txt


@ -26,28 +26,30 @@
};
};
config = let
kbits = number:
import (pkgs.runCommand "round-${toString number}" { }
''awk 'BEGIN{printf "\"%ikbit\"", ${toString number}}' > $out'');
config =
let
kbits = number:
import (pkgs.runCommand "round-${toString number}" { }
''awk 'BEGIN{printf "\"%ikbit\"", ${toString number}}' > $out'');
interface = config.configuration.fireqos.interface;
input = "${toString config.configuration.fireqos.input}kbit";
output = "${toString config.configuration.fireqos.output}kbit";
tincInput = kbits (config.configuration.fireqos.input * 0.7);
tincOutput = kbits (config.configuration.fireqos.output * 0.7);
useBalancedForExperimenting = false;
interface = config.configuration.fireqos.interface;
input = "${toString config.configuration.fireqos.input}kbit";
output = "${toString config.configuration.fireqos.output}kbit";
tincInput = kbits (config.configuration.fireqos.input * 0.7);
tincOutput = kbits (config.configuration.fireqos.output * 0.7);
useBalancedForExperimenting = false;
tincPorts =
lib.mapAttrsToList (name: configuration: toString configuration.port)
config.module.cluster.services.tinc;
tincPorts =
lib.mapAttrsToList (name: configuration: toString configuration.port)
config.module.cluster.services.tinc;
in {
in
{
# https://firehol.org/tutorial/fireqos-new-user/
services.fireqos.enable = config.configuration.fireqos.enable;
systemd.services.fireqos.wantedBy = [ "multi-user.target" ];
services.fireqos.config = ''
# https://firehol.org/tutorial/fireqos-new-user/
services.fireqos.enable = config.configuration.fireqos.enable;
systemd.services.fireqos.wantedBy = [ "multi-user.target" ];
services.fireqos.config = ''
# ------------------- world
@ -121,6 +123,6 @@
'';
};
};
}


@ -228,28 +228,32 @@
}
{
text = "Syncthings";
items = map ({ name, host ? "${name}.private", ... }: {
label = name;
href = "http://${host}:8384/";
image =
"https://media.giphy.com/media/JoyU4vuzwj6ZA7Ging/giphy.gif";
}) (map (name: { inherit name; }) (lib.attrNames
config.module.cluster.services.tinc."private".hosts));
items = map
({ name, host ? "${name}.private", ... }: {
label = name;
href = "http://${host}:8384/";
image =
"https://media.giphy.com/media/JoyU4vuzwj6ZA7Ging/giphy.gif";
})
(map (name: { inherit name; }) (lib.attrNames
config.module.cluster.services.tinc."private".hosts));
}
{
text = "netdata";
items = map ({ name, host ? "${name}.private", ... }: {
label = name;
href = "http://${host}:19999/";
image = "https://media.giphy.com/media/BkjdN6MQCDPaw/giphy.gif";
}) (map (name: { inherit name; }) [
"workhorse"
"porani"
"pepe"
"sputnik"
]
#(lib.attrNames config.module.cluster.services.tinc."private".hosts)
);
items = map
({ name, host ? "${name}.private", ... }: {
label = name;
href = "http://${host}:19999/";
image = "https://media.giphy.com/media/BkjdN6MQCDPaw/giphy.gif";
})
(map (name: { inherit name; }) [
"workhorse"
"porani"
"pepe"
"sputnik"
]
#(lib.attrNames config.module.cluster.services.tinc."private".hosts)
);
}
];
};


@ -2,7 +2,8 @@
let
access_log_sink = "workhorse.private:12304";
error_log_sink = "workhorse.private:12305";
in {
in
{
security.acme.email = "contact@ingolf-wagner.de";
security.acme.acceptTerms = true;


@ -29,14 +29,17 @@ let
EOF
'';
storepath = let
dirname = "${pkgs.coreutils-full}/bin/dirname";
readlink = "${pkgs.coreutils-full}/bin/readlink";
in pkgs.writers.writeBashBin "storepath" ''
${dirname} $( ${readlink} $( type -p "$1" ) )
'';
storepath =
let
dirname = "${pkgs.coreutils-full}/bin/dirname";
readlink = "${pkgs.coreutils-full}/bin/readlink";
in
pkgs.writers.writeBashBin "storepath" ''
${dirname} $( ${readlink} $( type -p "$1" ) )
'';
in {
in
{
#imports = [ ./packages/llvm-config-dummy.nix ];


@ -1,41 +1,43 @@
{ pkgs, config, lib, ... }:
with pkgs.lib; {
environment.systemPackages = let
llvm = pkgs.llvm;
llvm-config = pkgs.writers.writeBashBin "llvm-config" ''
while [[ $# -gt 0 ]]; do
arg="$1"
case $arg in
--assertion-mode)
echo "OFF"
;;
--bindir)
echo "${getBin llvm}/bin"
;;
--libdir)
echo "${getLib llvm}/lib"
;;
--includedir)
echo "${getDev llvm}/include"
;;
--prefix)
echo "${llvm.out}"
;;
--src-root)
echo "/build/llvm";
;;
--obj-root)
echo "/build/llvm/build";
;;
--cmakedir)
echo "${getDev llvm}/lib/cmake/llvm"
;;
*)
echo "Unhandled argument '$arg' passed to dummy llvm-config!"
exit 1
esac
shift
done
'';
in [ llvm-config ];
environment.systemPackages =
let
llvm = pkgs.llvm;
llvm-config = pkgs.writers.writeBashBin "llvm-config" ''
while [[ $# -gt 0 ]]; do
arg="$1"
case $arg in
--assertion-mode)
echo "OFF"
;;
--bindir)
echo "${getBin llvm}/bin"
;;
--libdir)
echo "${getLib llvm}/lib"
;;
--includedir)
echo "${getDev llvm}/include"
;;
--prefix)
echo "${llvm.out}"
;;
--src-root)
echo "/build/llvm";
;;
--obj-root)
echo "/build/llvm/build";
;;
--cmakedir)
echo "${getDev llvm}/lib/cmake/llvm"
;;
*)
echo "Unhandled argument '$arg' passed to dummy llvm-config!"
exit 1
esac
shift
done
'';
in
[ llvm-config ];
}


@ -1,4 +1,2 @@
{ config, lib, ... }:
{
}
{ }


@ -3,47 +3,56 @@ with lib;
let
computers = {
workhorse = {
onionId = fileContents ../../private_assets/onion_id_workhorse;
publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/I4JBA1HHTH2xsrEM7xtxkhRDE42lZcBrdBvN46WTx";
};
porani = {
onionId = fileContents ../../private_assets/onion_id_porani;
publicKey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGFaTRGqMd/rKpyMUP6wVbgiWFOUvUV2qS/B5Xe02UUch/wxR4fTCY+vnzku5K0V/qqJpjYLgHotwZFqO/8lFu4=";
};
#workhorse = {
# onionId = fileContents ../../private_assets/onion_id_workhorse;
# publicKey =
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/I4JBA1HHTH2xsrEM7xtxkhRDE42lZcBrdBvN46WTx";
#};
#porani = {
# onionId = fileContents ../../private_assets/onion_id_porani;
# publicKey =
# "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGFaTRGqMd/rKpyMUP6wVbgiWFOUvUV2qS/B5Xe02UUch/wxR4fTCY+vnzku5K0V/qqJpjYLgHotwZFqO/8lFu4=";
#};
};
in {
in
{
services.openssh.knownHosts = mapAttrs' (name:
{ onionId, publicKey, ... }: {
name = "${name}-init-ssh";
value = {
hostNames = [ onionId ];
inherit publicKey;
};
}) computers;
services.openssh.knownHosts = mapAttrs'
(name:
{ onionId, publicKey, ... }: {
name = "${name}-init-ssh";
value = {
hostNames = [ onionId ];
inherit publicKey;
};
})
computers;
environment.systemPackages = let
environment.systemPackages =
let
ssh = mapAttrsToList (name:
{ onionId, ... }:
pkgs.writers.writeDashBin "ssh-boot-to-${name}" ''
${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 23
'') computers;
ssh = mapAttrsToList
(name:
{ onionId, ... }:
pkgs.writers.writeDashBin "ssh-boot-to-${name}" ''
${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 23
'')
computers;
password = mapAttrsToList (name:
{ onionId, ... }:
pkgs.writers.writeDashBin "unlock-boot-${name}" ''
${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 23 '
echo -n "enter password : "
read password
echo "$password" > /crypt-ramfs/passphrase
'
'') computers;
password = mapAttrsToList
(name:
{ onionId, ... }:
pkgs.writers.writeDashBin "unlock-boot-${name}" ''
${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 23 '
echo -n "enter password : "
read password
echo "$password" > /crypt-ramfs/passphrase
'
'')
computers;
in ssh ++ password;
in
ssh ++ password;
}
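Review bot: Commenting out both `workhorse` and `porani` leaves `computers` as an empty set, so `services.openssh.knownHosts` no longer pins either initrd host key and no `ssh-boot-to-*` or `unlock-boot-*` wrapper is generated. If that is intended, I would delete the dead entries or put a line such as `# disabled: initrd ssh over tor currently unused (TODO confirm)` above them; if the onion endpoints are still reachable, anyone connecting by hand would presumably fall back to trust-on-first-use for a session that carries what looks like the disk-unlock passphrase. Separately, for when the entries come back, the unlock wrapper reads the passphrase with a plain `read password`, which mangles backslashes; `read -r password` is the safer form.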


@ -5,23 +5,25 @@ with lib; {
guiAddress = lib.mkDefault "${config.networking.hostName}.private:8384";
declarative = {
overrideDevices = true;
devices = let
device = name: id: {
"${name}" = {
name = name;
id = id;
addresses =
[ "tcp://${name}.private:22000" "tcp://${name}.private:21027" ];
devices =
let
device = name: id: {
"${name}" = {
name = name;
id = id;
addresses =
[ "tcp://${name}.private:22000" "tcp://${name}.private:21027" ];
};
};
};
in (device "workhorse"
"AFSAKB6-JLH4QAS-DSRMPI3-6PVCIHF-IIAVLPC-STPNO3Y-YRDU5NW-QD445QI")
// (device "pepe"
"SZLXFW3-VTAC7UB-V2Z7CHE-3VZAYPL-6D72AK6-OCDMPZP-G4FPY5P-FL6ZVAG")
// (device "workout"
"DZOOAKG-GI2SVOS-QEVMFL7-TRHVTPQ-ADIJEVH-RH5WV3J-6M7MJHC-C53EOAC")
// (device "sterni"
"ZFNNKPD-ZSOAYJQ-VROXXDB-5MD3UTJ-GDCNTSQ-G5POVV3-UZG5HFT-CCAU3AD") // {
in
(device "workhorse"
"AFSAKB6-JLH4QAS-DSRMPI3-6PVCIHF-IIAVLPC-STPNO3Y-YRDU5NW-QD445QI")
// (device "pepe"
"SZLXFW3-VTAC7UB-V2Z7CHE-3VZAYPL-6D72AK6-OCDMPZP-G4FPY5P-FL6ZVAG")
// (device "workout"
"DZOOAKG-GI2SVOS-QEVMFL7-TRHVTPQ-ADIJEVH-RH5WV3J-6M7MJHC-C53EOAC")
// (device "sterni"
"ZFNNKPD-ZSOAYJQ-VROXXDB-5MD3UTJ-GDCNTSQ-G5POVV3-UZG5HFT-CCAU3AD") // {
"porani" = {
name = "porani";
id =


@ -7,7 +7,8 @@ let
sha256 = "0kczrr6dr5dmhx2kbanw46w6ig2v3w42rqhjanv87xhwkgw81l08";
};
in {
in
{
imports = [ ../../modules ];