Compare commits


55 commits

Author SHA1 Message Date
Ingolf Wagner
3838f068ee
update 2024-08-23 07:54:41 +02:00
Ingolf Wagner
bc595a1198
fiddeling with photoprism 2024-08-23 07:51:07 +02:00
Ingolf Wagner
b04dd0738b
update 2024-08-23 06:40:05 +02:00
Ingolf Wagner
1cdd13956b
update 2024-08-23 06:39:17 +02:00
Ingolf Wagner
e50d61faf4
increase update attempt rate. 2024-08-22 22:14:58 +02:00
Ingolf Wagner
11871fc506
update 2024-08-18 13:38:02 +02:00
Ingolf Wagner
8f6fa5939b
fix opengl 2024-08-17 19:01:35 +02:00
Ingolf Wagner
ee4d9bcc4f
fix typo 2024-08-17 19:00:59 +02:00
Ingolf Wagner
ac30776e4c
update 2024-08-16 23:07:02 +02:00
Forgejo Action :robot
22a49f5599 ⬆️ nix flake update 2024-08-15 03:13:29 +02:00
Ingolf Wagner
8cdd63bdcc
fix sternchen 2024-08-14 16:57:40 +02:00
Ingolf Wagner
33d716ea6b
vim for everybody as default 2024-08-14 16:43:55 +02:00
Ingolf Wagner
aed8c552ba
update yubikey-image.nix 2024-08-14 11:24:08 +02:00
Ingolf Wagner
96ee5a488e
update 2024-08-13 13:21:55 +02:00
Ingolf Wagner
eec51b58b3
update 2024-08-12 01:42:31 +02:00
Ingolf Wagner
161486b887
fix fonts and oh-my-posh 2024-08-11 21:09:53 +02:00
Ingolf Wagner
29e3213e4b
create virtualisation component. 2024-08-11 14:46:03 +02:00
Ingolf Wagner
7e1e13e897
enable virtualbox 2024-08-11 11:35:04 +02:00
Forgejo Action :robot
53187fb603 ⬆️ nix flake update 2024-08-11 03:03:25 +02:00
Ingolf Wagner
800045c1c5
working on usbstick 2024-08-11 00:02:35 +02:00
Ingolf Wagner
77459df69c
Update facts/secrets for service zerotier in machine usbstick 2024-08-11 00:02:34 +02:00
Forgejo Action :robot
7e2c61ad88 ⬆️ nix flake update 2024-08-10 02:42:26 +02:00
Ingolf Wagner
50688f4500
use gui on usbstick 2024-08-09 16:27:15 +02:00
Ingolf Wagner
4f6924d5d7
give access to wg0 in usbstick 2024-08-09 16:07:11 +02:00
Ingolf Wagner
b24094155a
Update facts/secrets for service wireguard_ip in machine usbstick 2024-08-09 15:47:09 +02:00
Ingolf Wagner
1447d96b43
Update facts/secrets for service wireguard in machine usbstick 2024-08-09 15:47:08 +02:00
Ingolf Wagner
848eccb959
made usbstick work again 2024-08-09 02:45:22 +02:00
Ingolf Wagner
569d891a7e
Update facts/secrets for service zerotier in machine usbstick 2024-08-09 02:45:21 +02:00
Ingolf Wagner
7a4f203752
Update facts/secrets for service openssh in machine usbstick 2024-08-09 02:45:20 +02:00
Ingolf Wagner
efd451e180
Update facts/secrets for service syncthing in machine usbstick 2024-08-09 02:45:19 +02:00
Ingolf Wagner
3fa5c09a62
make usbsticks work again 2024-08-09 02:45:18 +02:00
Forgejo Action :robot
9cdfeba305 ⬆️ nix flake update 2024-08-09 02:40:30 +02:00
Ingolf Wagner
0780abb35d
fix tor unlock for chungus 2024-08-08 21:19:42 +02:00
Ingolf Wagner
1b9105f158
initrd.systemd: disable emergency mode
We disable emergency mode in systemd, but if systemd is enabled during boot we still end up in emergency mode eventually; this fixes that.
2024-08-08 19:47:00 +02:00
Ingolf Wagner
26aaec9101
fixing fail2ban and set up ssh + tor on chungus 2024-08-08 19:25:19 +02:00
Ingolf Wagner
cc5d655ef7
cleanup 2024-08-08 17:30:08 +02:00
Ingolf Wagner
e471c24d93
cleanup 2024-08-08 17:05:09 +02:00
Ingolf Wagner
509f283924
introduced features 2024-08-08 16:39:50 +02:00
Ingolf Wagner
40e5456517
delete buildbot 2024-08-08 15:59:15 +02:00
Ingolf Wagner
060261dc90
Update facts/secrets for service boot.ssh in machine chungus 2024-08-08 15:48:27 +02:00
Forgejo Action :robot
69bbf19f91 ⬆️ nix flake update 2024-08-08 02:57:24 +02:00
Ingolf Wagner
8327f1860d
made tor work 2024-08-08 01:12:10 +02:00
Ingolf Wagner
f411567ad6
refactor hardware/hetzner.nix 2024-08-08 00:14:52 +02:00
Ingolf Wagner
ca0e7382a3
use cache.orbi.wg0 again 2024-08-07 23:08:28 +02:00
Ingolf Wagner
9b7ff29143
refactor 2024-08-07 22:03:11 +02:00
Ingolf Wagner
4f6ed530db
Update facts/secrets for service boot.ssh in machine orbi 2024-08-07 21:52:03 +02:00
Ingolf Wagner
2b9062e1f1
refactor 2024-08-07 21:51:43 +02:00
Ingolf Wagner
d5f1ef4af6
extract nixos.boot.ssh and set up probe 2024-08-07 21:39:32 +02:00
Ingolf Wagner
36fc0508b0
add zfs-tools 2024-08-07 18:36:33 +02:00
Ingolf Wagner
8efad90f4b
Update facts/secrets for service tinc_retiolum in machine cream 2024-08-07 09:55:57 +02:00
Ingolf Wagner
db6e5d3828
update wg1 scripts 2024-08-07 09:14:40 +02:00
Ingolf Wagner
ccec2860ec
raise priority of cache.orbi.wg0 2024-08-07 08:39:02 +02:00
Ingolf Wagner
e717d0081e
add wg1 (fritz.box) wireguard 2024-08-07 08:14:16 +02:00
Ingolf Wagner
695f8bae20
flake.lock update 2024-08-07 07:42:11 +02:00
Ingolf Wagner
7d856ed1f1
clean up 2024-08-07 07:03:56 +02:00
98 changed files with 1090 additions and 835 deletions
.forgejo/workflows
components
features
flake.lock
flake.nix
homes
images
machines
modules
system/all
treefmt.toml


@ -5,7 +5,7 @@ on:
branches:
- "**"
schedule:
- cron: "30 2 * * *" # not to frequent, GitHub only allows a few pulls per hour
- cron: "30 2/6 * * *" # not to frequent, GitHub only allows a few pulls per hour
jobs:
nix build:
@ -64,6 +64,9 @@ jobs:
- name: nix build sternchen
run: nix build .#nixosConfigurations.sternchen.config.system.build.toplevel
- name: nix build usbstick
run: nix build .#nixosConfigurations.usbstick.config.system.build.toplevel
- name: commit & push
if: ${{ github.event_name == 'schedule' }}
# only if all nix builds are fine we update our branch
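Review bot: The comment on the new cron line still reads `not to frequent` and no longer says what the schedule means now that the hour field is `2/6` (02:30, 08:30, 14:30, 20:30). Suggest `- cron: "30 2/6 * * *" # every 6 h from 02:30 — not too frequent, GitHub only allows a few pulls per hour`. Since the `commit & push` step in the second hunk is gated on `github.event_name == 'schedule'`, each of the four daily runs can now push a lockfile bump to the branch; that is presumably intended, but the comment is the place to say so.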


@ -10,6 +10,7 @@
./nixos
./terminal
./timezone.nix
./virtualisation
./yubikey.nix
];


@ -34,50 +34,59 @@ in
home = "${homeFolder}/development-browser";
homeBackup = "${backupFolder}/development-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
google = {
home = "${homeFolder}/google-browser";
homeBackup = "${backupFolder}/google-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
finance = {
home = "${homeFolder}/finance-browser";
homeBackup = "${backupFolder}/finance-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
facebook = {
home = "${homeFolder}/facebook-browser";
homeBackup = "${backupFolder}/facebook-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
shopping = {
home = "${homeFolder}/shopping-browser";
homeBackup = "${backupFolder}/shopping-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
jobrad = {
browserType = "chrome";
home = "${homeFolder}/jobrad-chrome";
homeBackup = "${backupFolder}/jobrad-chrome";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
firefox-tmp = {
browserType = "firefox";
home = "${homeFolder}/firefox-tmp";
homeBackup = "${backupFolder}/firefox-tmp-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
chromium-tmp = {
browserType = "chrome";
home = "${homeFolder}/chromium-tmp";
homeBackup = "${backupFolder}/chrome-tmp-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
google-tmp = {
browserType = "google";
home = "${homeFolder}/google-tmp";
homeBackup = "${backupFolder}google-tmp-browser";
gpu = false;
sudoUsers = [ config.users.users.mainUser.name ];
};
};
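Review bot: `homeBackup = "${backupFolder}google-tmp-browser"` on the google-tmp entry is missing the path separator every other entry has, so its backup directory is created next to `backupFolder` with the prefix glued on; it should read `homeBackup = "${backupFolder}/google-tmp-browser";`. The line is context rather than part of this change, but the new `sudoUsers` lines were added right beside it, so this is the place to fix it. Also, google-tmp sets `browserType = "google"` while jobrad and chromium-tmp use `"chrome"` and the google entry sets none; if `"google"` is not a value the browser module accepts, confirm against the module definition (outside this hunk) whether that evaluates to an error or silently falls back.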


@ -10,7 +10,6 @@ with lib;
./audio.nix
./browser.nix
./cups.nix
./fonts.nix
./home-manager
./kmonad.nix
#./noti.nix # todo: make this different (use password store and such)


@ -1,36 +0,0 @@
{ pkgs, config, lib, ... }:
with lib;
{
options.components.gui.style.enable = mkOption {
type = lib.types.bool;
default = config.components.gui.enable;
};
config = mkIf (config.components.gui.style.enable) {
fonts.packages = with pkgs; [
corefonts
hasklig
inconsolata
source-code-pro
symbola
ubuntu_font_family
# symbol fonts
# ------------
nerdfonts
powerline-fonts
font-awesome
fira-code-symbols
jetbrains-mono
# shell font
# ----------
terminus_font
gohufont
];
};
}


@ -4,10 +4,10 @@ with lib;
options.components.gui.wayland.enable = mkOption {
type = lib.types.bool;
default = ! config.components.gui.xorg.enable;
default = !config.components.gui.xorg.enable;
};
config = mkIf config.components.gui.wayland.enable {
programs.hyprland.enable = true;
config = mkIf (config.components.gui.wayland.enable && config.components.gui.enable) {
programs.sway.enable = false;
};
}
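Review bot: The guard `mkIf (config.components.gui.wayland.enable && config.components.gui.enable)` repeats the gui.enable check that xorg.nix adds the same way (its hunk at the `config = mkIf (...xorg.enable && ...gui.enable)` line), while the option default `!config.components.gui.xorg.enable` still reports wayland as enabled when the gui component is off. Folding the check into the default instead, `default = config.components.gui.enable && !config.components.gui.xorg.enable;`, keeps the option value truthful for any other reader of it and lets both `config` blocks go back to a plain `mkIf config.components.gui.wayland.enable`. The body here also appears to drop `programs.hyprland.enable = true;` and keep only `programs.sway.enable = false;`; if hyprland is now enabled elsewhere, a one-line comment saying where would help the next reader.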


@ -9,7 +9,7 @@ with lib;
default = config.components.gui.enable;
};
config = mkIf config.components.gui.xorg.enable {
config = mkIf (config.components.gui.xorg.enable && config.components.gui.enable) {
# system.custom.fonts.enable = true;
services.displayManager = {


@ -5,9 +5,11 @@ let
cfg = config.components.mainUser;
# todo : use optionalList
dockerGroup =
if (config.virtualisation.docker.enable) then [ "docker" ] else [ ];
# todo : use optionalList
vboxGroup =
if (config.virtualisation.virtualbox.host.enable) then
[ "vboxusers" ]
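Review bot: The `# todo : use optionalList` comment added above `vboxGroup` (like the existing one above `dockerGroup`) points at a helper that does not exist under that name; the nixpkgs helper is `lib.optional`, so both bindings collapse to one line each: `dockerGroup = lib.optional config.virtualisation.docker.enable "docker";` and `vboxGroup = lib.optional config.virtualisation.virtualbox.host.enable "vboxusers";`. Note that the new virtualbox.nix in this commit already adds mainUser to `vboxusers` via `users.extraGroups.vboxusers.members`, so `vboxGroup` now duplicates that; one mechanism should own group membership. The `let` block continues past the hunk.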


@ -11,7 +11,6 @@ with types;
imports = [
#./avahi.nix
./fail2ban.nix
./hosts.nix
./nginx.nix
./sshd


@ -11,7 +11,6 @@ let
echo "${config.networking.hostName}" | boxes -d ansi -s 80x1 -a r > $out
'';
in
{
@ -31,10 +30,6 @@ in
default = [ ];
description = "keys to root login";
};
sshguard.enable = mkOption {
type = bool;
default = config.components.network.sshd.enable;
};
onlyTincAccess = mkOption {
type = bool;
default = false;
@ -71,12 +66,6 @@ in
})
(mkIf cfg.sshguard.enable {
environment.systemPackages = [ pkgs.ipset ];
services.sshguard.enable = lib.mkDefault true;
#boot.kernelModules = ["xt_set"];
})
(mkIf (cfg.onlyTincAccess && cfg.enable) {
networking.firewall.extraCommands = ''
iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
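Review bot: Removing the `sshguard.enable` option and its `mkIf cfg.sshguard.enable` block drops the `services.sshguard.enable = lib.mkDefault true` that every host with this sshd component got implicitly; the replacement `features.network.sshguard` added in this commit defaults to `false`, so a machine that does not set `features.network.sshguard.enable = true` explicitly loses its brute-force protection on port 22 without any evaluation error. The machine configurations are outside this view, so please confirm each one that relied on the old default opts in, or give the new option a default of `config.components.network.sshd.enable` as the old one had. A `lib.mkRemovedOptionModule [ "components" "network" "sshd" "sshguard" "enable" ] "moved to features.network.sshguard.enable"` in `imports` would make stale references fail loudly rather than silently. The surrounding `mkMerge` list continues outside the hunk.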


@ -9,9 +9,6 @@ let
(machine:
{
hostNames = [
"[${machine}]:2222"
"[${machine}.${tld}]:2222"
"[${machine}.private]:2222"
"${machine}"
"${machine}.${tld}"
"${machine}.private"
@ -19,9 +16,23 @@ let
publicKey = publicKey machine;
}
);
bootMachines = clanLib.readFactFromAllMachines "ssh.boot.id_ed25519.pub";
knownBootHosts = lib.mapAttrs'
(machine: publicKey: nameValuePair
"boot_${machine}"
{
inherit publicKey;
hostNames = [
"[${machine}]:2222"
"[${machine}.public]:2222"
];
}
)
bootMachines;
in
{
# todo : move this to the proper place
options.components.network.zerotier = {
enable = mkOption {
type = bool;
@ -30,6 +41,6 @@ in
};
config = mkIf config.components.network.zerotier.enable {
services.openssh.knownHosts = knownHosts;
services.openssh.knownHosts = knownHosts // knownBootHosts;
};
}
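Review bot: The new `knownBootHosts` entries pin the initrd host key only for `[${machine}]:2222` and `[${machine}.public]:2222`, while the names removed from the main entries were `[${machine}]:2222`, `[${machine}.${tld}]:2222` and `[${machine}.private]:2222`; a client that still reaches the boot sshd as `machine.private:2222` or `machine.<tld>:2222` now has no pinned key and falls back to a trust-on-first-use prompt, which defeats the point of pinning. If those names are still used, add `"[${machine}.${tld}]:2222"` and `"[${machine}.private]:2222"` to the `hostNames` list; if `.public` replaces them on purpose, a comment saying so would save the next reader the same question. Keeping the boot key (`ssh.boot.id_ed25519.pub`) separate from the main host key is right, since the initrd copy lives on unencrypted `/boot`; a one-line comment above `bootMachines` stating that would document why the two sets are kept apart.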


@ -26,6 +26,7 @@ let
"prowlarr.orbi" = hosts.orbi;
"photoprism.orbi" = hosts.orbi;
# chungus
"video.chungus" = hosts.chungus;
"de.tts.chungus" = hosts.chungus;
"en.tts.chungus" = hosts.chungus;
"flix.chungus" = hosts.chungus;


@ -2,7 +2,6 @@
{
imports = [
./upgrade-diff.nix
./tor-ssh.nix
];
options.components.nixos.enable = lib.mkOption {


@ -1,137 +0,0 @@
{ config, lib, pkgs, factsGenerator, clanLib, ... }:
with lib;
with types;
{
options.components.nixos.boot = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
kernelModules = mkOption {
type = listOf str;
default = [ ];
description =
"lspci -v will tell you which kernel module is used for the ethernet interface";
};
ssh.enable = lib.mkOption {
type = lib.types.bool;
default = config.components.nixos.boot.enable;
};
tor.enable = lib.mkOption {
type = lib.types.bool;
default = config.components.nixos.boot.ssh.enable;
};
};
config = mkMerge [
# todo : not working at the moment, because onion hostnames are secrets
(
let
onionIds = clanLib.readFactFromAllMachines "tor.initrd.hostname";
generateOnionUnlockScript = machine: onionId: pkgs.writers.writeDashBin "unlock-boot-${machine}-via-tor" ''
${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
'';
in
{
# add known hosts
services.openssh.knownHosts =
mapAttrs
(_machine: onionId: {
hostNames = [ "[${onionId}]:2222" ];
})
onionIds;
# create unlook tor boot script
environment.systemPackages =
mapAttrsToList generateOnionUnlockScript onionIds;
}
)
# tor part
# --------
(mkIf (config.components.nixos.boot.tor.enable) {
#services.tor = {
# enable = true;
# client.enable = true;
# relay.onionServices.bootup.map = [{ port = 2222; }];
#};
# tor setup
clan.core.facts.services.initrd_tor = factsGenerator.tor { name = ""; };
boot.initrd.secrets = {
"/etc/tor/onion/bootup/tor.priv" = config.clan.core.facts.services.initrd_tor.secret."tor.initrd.priv".path;
"/etc/tor/onion/bootup/hostname" = config.clan.core.facts.services.initrd_tor.secret."tor.initrd.hostname".path;
};
#boot.initrd.extraUtilsCommands = ''
# copy_bin_and_libs ${pkgs.tor}/bin/tor
#'';
# fixme: this thing is not working for some reason.
boot.initrd.systemd.packages = [ pkgs.tor pkgs.iproute2 pkgs.coreutils ];
boot.initrd.systemd.services.tor = {
path = [ pkgs.tor pkgs.iproute2 pkgs.coreutils ];
# todo: set wanted by
script =
let
torRc = pkgs.writeText "tor.rc" ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 2222 127.0.0.1:2222
'';
in
''
echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor
echo "make sure localhost is up"
ip a a 127.0.0.1/8 dev lo
ip link set lo up
echo "tor: starting tor"
tor -f ${torRc} --verify-config
tor -f ${torRc}
'';
};
})
# ssh part
# --------
(mkIf (config.components.nixos.boot.ssh.enable) {
# boot
boot.initrd.systemd.enable = true;
boot.initrd.systemd.contents."/etc/hostname".text = "unlock.${config.networking.hostName}";
# network
boot.initrd.systemd.network.enable = true;
boot.initrd.availableKernelModules = config.components.nixos.boot.kernelModules;
# ssh
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
#authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ;
#authorizedKeyFiles = config.users.users.root.openssh.authorizedKeys.keyFiles;
port = 2222;
hostKeys = map ({ path, ... }: path) config.services.openssh.hostKeys;
};
})
];
}


@ -13,7 +13,6 @@ with lib;
./git.nix
./heygpt.nix
./hoard.nix
./oh-my-posh
./remote-install.nix
./wtf.nix
./zsh.nix


@ -1,26 +0,0 @@
{ pkgs, config, lib, ... }:
with lib;
{
options.components.terminal.oh-my-posh.enable = mkOption {
type = lib.types.bool;
default = config.components.terminal.enable;
};
config = mkIf (config.components.terminal.oh-my-posh.enable) {
home-manager.users =
let
poshConfig = {
programs.oh-my-posh = {
enable = true;
# useTheme = "gruvbox";
settings = builtins.fromJSON (builtins.readFile ./gruvbox.json);
};
};
in
{
mainUser = poshConfig;
root = poshConfig;
};
};
}


@ -0,0 +1,15 @@
{ config, lib, ... }:
{
imports = [
./docker.nix
./podman.nix
./virtualbox.nix
./qemu.nix
];
options.components.virtualisation.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
}


@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }:
with lib;
{
options.components.virtualisation.docker.enable = lib.mkOption {
type = lib.types.bool;
default = config.components.virtualisation.enable;
};
config = mkIf config.components.virtualisation.docker.enable {
virtualisation.docker.enable = true;
};
}


@ -0,0 +1,19 @@
{ config, lib, pkgs, ... }:
with lib;
{
options.components.virtualisation.podman.enable = lib.mkOption {
type = lib.types.bool;
default = config.components.virtualisation.enable;
};
config = mkIf config.components.virtualisation.podman.enable {
virtualisation.podman.enable = true;
# make sure /var/lib/containers/storage is a zfs dataset
virtualisation.podman.extraPackages = [ pkgs.zfs ];
};
}


@ -0,0 +1,27 @@
{ config, lib, pkgs, ... }:
with lib;
{
options.components.virtualisation.qemu.enable = lib.mkOption {
type = lib.types.bool;
default = config.components.virtualisation.enable;
};
config = mkIf config.components.virtualisation.qemu.enable {
virtualisation.libvirtd.enable = true;
#virtualisation.libvirtd.allowedBridges = ["virbr0"];
virtualisation.libvirtd.onShutdown = "shutdown";
environment.systemPackages = [
pkgs.qemu_kvm
#(pkgs.quickemu.override { qemu_full = pkgs.qemu_kvm; })
pkgs.quickemu
pkgs.virt-manager
];
users.users.mainUser.extraGroups = [ "libvirtd" ];
};
}
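Review bot: `users.users.mainUser.extraGroups = [ "libvirtd" ]` grants a privileged group from a third place in this commit: virtualbox.nix uses `users.extraGroups.vboxusers.members`, and the existing mainUser.nix builds `dockerGroup`/`vboxGroup` into the user's groups; three mechanisms for the same concern make it hard to audit which privileged groups mainUser ends up in. Pick one (this file's local form is the easiest to review) and state what it grants, e.g. `# libvirtd group: full control of the system libvirt socket, in practice root-equivalent for mainUser`. The commented-out `allowedBridges` and `quickemu.override` lines should either carry a reason or be dropped.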


@ -0,0 +1,21 @@
{ config, lib, pkgs, ... }:
with lib;
{
options.components.virtualisation.virtualbox.enable = lib.mkOption {
type = lib.types.bool;
default = config.components.virtualisation.enable;
};
config = mkIf config.components.virtualisation.virtualbox.enable {
virtualisation.virtualbox = {
host.enable = true;
guest.enable = true;
};
users.extraGroups.vboxusers.members = [ config.users.users.mainUser.name ];
};
}
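Review bot: `guest.enable = true` next to `host.enable = true` enables the VirtualBox guest additions (kernel modules and services meant for a VM running inside VirtualBox) on the machine that is also configured as the VirtualBox host; unless this machine itself runs inside VirtualBox that line looks like a copy-paste and should go, or carry a comment naming the machine that needs it. `users.extraGroups.vboxusers.members` here duplicates the `vboxGroup` logic in mainUser.nix (hunk at `vboxGroup =`), which also derives membership from `virtualisation.virtualbox.host.enable`; keep one of the two so group membership has a single owner. `pkgs` is taken as an argument but unused.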


@ -16,8 +16,14 @@ with lib;
services.pcscd.enable = true;
services.udev.packages = [ pkgs.yubikey-personalization ];
environment.systemPackages = [
pkgs.yubikey-personalization
pkgs.yubikey-personalization-gui
pkgs.yubikey-manager
pkgs.yubikey-manager-qt
# for `gpg --export $keyid | hokey lint` to check keys
#pkgs.haskellPackages.hopenpgp-tools


@ -0,0 +1,6 @@
{
imports = [
./ssh.nix
./tor.nix
];
}

features/boot/ssh.nix Normal file

@ -0,0 +1,45 @@
{ config, lib, pkgs, factsGenerator, clanLib, ... }:
with lib;
with types;
{
options.features.boot.ssh = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
kernelModules = mkOption {
type = listOf str;
default = [ ];
description =
"nix-shell -p pciutils --run 'lspci -v' will tell you which kernel module is used for the ethernet interface";
};
};
config = mkIf (config.features.boot.ssh.enable) {
# ssh host key
clan.core.facts.services."boot.ssh" = factsGenerator.ssh { name = "boot"; };
# todo: maybe put this in a component
# boot
boot.initrd.systemd.enable = true;
boot.initrd.systemd.contents."/etc/hostname".text = "unlock.${config.networking.hostName}";
# network
boot.initrd.systemd.network.enable = true;
boot.initrd.availableKernelModules = config.features.boot.ssh.kernelModules;
# ssh
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
port = 2222;
hostKeys = [ config.clan.core.facts.services."boot.ssh".secret."ssh.boot.id_ed25519".path ];
};
};
}
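Review bot: Neither `features.boot.ssh.enable` nor the module as a whole says what it is for, and the choice of a dedicated host key at `hostKeys = [ ...secret."ssh.boot.id_ed25519".path ]` is the one decision a reviewer needs justified. Suggest `description = "run an sshd in the initrd on port 2222 (hostname unlock.<host>) so encrypted disks can be unlocked remotely";` on the enable option, and above `hostKeys` a comment such as `# dedicated key: the initrd is stored unencrypted in /boot, so the main host key must never be copied into it; clients pin this key via the ssh.boot fact` (the pinning side is zerotier.nix's `knownBootHosts` in this commit). `authorizedKeys` reuses root's normal keys, which is reasonable but worth stating, since every holder of one of them can now also reach the pre-unlock environment. `pkgs` and `clanLib` are unused arguments.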

features/boot/tor.nix Normal file

@ -0,0 +1,69 @@
{ config, lib, pkgs, factsGenerator, clanLib, ... }:
with lib;
with types;
{
options.features.boot.tor = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
config = mkIf (config.features.boot.tor.enable) {
# tor secrets
clan.core.facts.services."initrd.tor" = factsGenerator.tor {
name = "initrd";
addressPrefix = "init";
};
boot.initrd.secrets =
mapAttrs' (name: file: nameValuePair "/etc/tor/onion/bootup/${name}" file)
(genAttrs [
"hostname"
"hs_ed25519_public_key"
"hs_ed25519_secret_key"
]
(secret: config.clan.core.facts.services."initrd.tor".secret."tor.initrd.${secret}".path));
boot.initrd.systemd.storePaths = [
pkgs.tor
pkgs.iproute2
pkgs.coreutils
];
boot.initrd.systemd.contents = {
"/etc/tor/tor.rc".text = ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 2222 127.0.0.1:2222
'';
};
boot.initrd.systemd.services.tor = {
description = "tor during init";
wantedBy = [ "initrd.target" ];
after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
before = [ "shutdown.target" ];
conflicts = [ "shutdown.target" ];
unitConfig.DefaultDependencies = false;
path = [
pkgs.tor
pkgs.iproute2
pkgs.coreutils
];
script =
''
echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor
echo "tor: starting tor"
tor -f /etc/tor/tor.rc --verify-config
tor -f /etc/tor/tor.rc
'';
};
};
}
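Review bot: The three onion files (`hostname`, `hs_ed25519_public_key`, `hs_ed25519_secret_key`) are placed via `boot.initrd.secrets`, which puts the onion's private key into the initrd on the unencrypted `/boot` partition; that is the same trade-off as the initrd ssh host key, but nothing in the file says so, so add above `boot.initrd.secrets` a comment like `# these land in the initrd on /boot (unencrypted): whoever can read the disk can recover this onion identity, hence a separate "initrd" identity rather than the system tor key`. The generated tor.rc also opens two client `SOCKSPort`s on loopback that a hidden-service-only initrd does not need; dropping them shrinks what listens before the disks are unlocked, or a comment should say what uses them. `pkgs.iproute2` stays in `storePaths` and `path` although the script no longer calls `ip` (the deleted tor-ssh.nix did), and `after = [ "network.target" ... ]` only orders after the network stack started, not after an address is configured — `network-online.target` is worth confirming for the initrd. `clanLib` is an unused argument.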

features/default.nix Normal file

@ -0,0 +1,6 @@
{
imports = [
./boot
./network
];
}


@ -0,0 +1,6 @@
{
imports = [
./fail2ban.nix
./sshguard.nix
];
}


@ -1,14 +1,14 @@
{ config, lib, pkgs, ... }:
with lib;
{
options.components.network.fail2ban.enable = mkOption {
options.features.network.fail2ban.enable = mkOption {
type = lib.types.bool;
default = false;
};
config = mkMerge [
(mkIf config.components.network.fail2ban.enable {
environment.systemPackages = [ pkgs.fail2ban pkgs.ipset ];
(mkIf config.features.network.fail2ban.enable {
environment.systemPackages = [ pkgs.fail2ban ];
services.fail2ban = {
enable = true;
#package = pkgs.legacy_2311.fail2ban;
@ -19,7 +19,7 @@ with lib;
# custom defined jails
# --------------------
# https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf
(mkIf config.components.network.fail2ban.enable {
(mkIf config.features.network.fail2ban.enable {
services.fail2ban.jails.nginx-git-not-found.settings = {
port = "http,https";
logpath = "%(nginx_error_log)s";
@ -33,7 +33,7 @@ with lib;
'';
};
})
(mkIf config.components.network.fail2ban.enable {
(mkIf config.features.network.fail2ban.enable {
services.fail2ban.jails.nginx-git-bad-request.settings = {
port = "http,https";
logpath = "%(nginx_error_log)s";
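Review bot: Renaming `components.network.fail2ban.enable` to `features.network.fail2ban.enable` in the first hunk leaves no alias, so a machine still setting the old name fails evaluation with an unknown-option error rather than a pointer to the new one; a one-liner in `imports`, `(lib.mkRenamedOptionModule [ "components" "network" "fail2ban" "enable" ] [ "features" "network" "fail2ban" "enable" ])`, keeps existing configurations working and documents the move. The same applies to the sshguard option that moved from sshd/default.nix to features/network/sshguard.nix in this commit. `pkgs.ipset` is dropped from `environment.systemPackages` here, which is presumably fine for the default iptables-based banaction, but if any jail or `services.fail2ban.banaction` (outside these hunks) uses an ipset action the binary is still needed. The jail definitions continue outside the hunks.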


@ -0,0 +1,18 @@
{ pkgs, config, lib, assets, ... }:
with lib;
with types;
{
options.features.network.sshguard = {
enable = mkOption {
type = bool;
default = false;
};
};
config = mkIf config.features.network.sshguard.enable {
environment.systemPackages = [ pkgs.ipset ];
services.sshguard.enable = true;
};
}
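Review bot: `features.network.sshguard.enable` defaults to `false`, whereas the option it replaces in sshd/default.nix defaulted to `config.components.network.sshd.enable`, so every host must now opt in explicitly to keep the protection it had; either restore that default or add `description = "run sshguard against brute-force logins; previously implied by components.network.sshd.enable, now opt-in";` so the change of default is visible where the option is read. `services.sshguard.enable = true` replacing the old `lib.mkDefault true` is fine now that it is gated by an explicit option. `assets` is an unused argument.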


@ -114,27 +114,6 @@
"type": "github"
}
},
"buildbot-nix": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": "nixpkgs",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1721974127,
"narHash": "sha256-JRFXABMMytNM/v1mQAq7wJvk6Gm8EHyDwbGJ1x1m8V4=",
"owner": "MagicRB",
"repo": "buildbot-nix",
"rev": "7390710de1d2096a24804a47ca55f20221529041",
"type": "github"
},
"original": {
"owner": "MagicRB",
"ref": "pydantic-convert",
"repo": "buildbot-nix",
"type": "github"
}
},
"clan-core": {
"inputs": {
"disko": "disko",
@ -146,14 +125,15 @@
"nixpkgs"
],
"sops-nix": "sops-nix",
"treefmt-nix": "treefmt-nix_2"
"systems": "systems",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1722268611,
"narHash": "sha256-D3rKirDy5SaLPVs0hpYA0J59TBb0+nkfUMlk48YpciI=",
"lastModified": 1724336239,
"narHash": "sha256-p8zpAx/w3PjaGaTyOP/wus4eJAdHPKxOtvDKfEHcs9Y=",
"ref": "refs/heads/main",
"rev": "99a87a6120291deef7a2320a94e1fbdbf5674ab6",
"revCount": 3595,
"rev": "3fe873855a39b71e2b4e9fca1be1ec10cf5a6024",
"revCount": 3822,
"type": "git",
"url": "https://git.clan.lol/clan/clan-core"
},
@ -167,15 +147,15 @@
"clan-core": [
"clan-core"
],
"flake-parts": "flake-parts_2",
"nixpkgs": "nixpkgs_2"
"flake-parts": "flake-parts",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1721508205,
"narHash": "sha256-X4xVtKAkA/gVqIaCw0L5Rk9062VqlHiH0VK5En5Oi5s=",
"lastModified": 1723143645,
"narHash": "sha256-/71L2ZBM9AmUpEQC19Rf7AxA+BhIquObB8aZDkfVRz8=",
"owner": "mrvandalo",
"repo": "clan-fact-generators",
"rev": "b3fb36c18871861f510330c272b455eb718cd3e4",
"rev": "620c5d3185594b3e2d91e29a7590f44abae4319c",
"type": "github"
},
"original": {
@ -192,11 +172,11 @@
]
},
"locked": {
"lastModified": 1721417620,
"narHash": "sha256-6q9b1h8fI3hXg2DG6/vrKWCeG8c5Wj2Kvv22RCgedzg=",
"lastModified": 1723080788,
"narHash": "sha256-C5LbM5VMdcolt9zHeLQ0bYMRjUL+N+AL5pK7/tVTdes=",
"owner": "nix-community",
"repo": "disko",
"rev": "bec6e3cde912b8acb915fecdc509eda7c973fb42",
"rev": "ffc1f95f6c28e1c6d1e587b51a2147027a3e45ed",
"type": "github"
},
"original": {
@ -244,27 +224,6 @@
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"buildbot-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1719994518,
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
@ -282,18 +241,18 @@
"type": "github"
}
},
"flake-parts_3": {
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1719994518,
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
"lastModified": 1722555600,
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
"type": "github"
},
"original": {
@ -302,7 +261,7 @@
"type": "github"
}
},
"flake-parts_4": {
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": [
"nixos-anywhere",
@ -340,7 +299,7 @@
},
"flake-utils_2": {
"inputs": {
"systems": "systems"
"systems": "systems_2"
},
"locked": {
"lastModified": 1694529238,
@ -373,7 +332,7 @@
},
"flake-utils_4": {
"inputs": {
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1694529238,
@ -424,14 +383,14 @@
},
"home-manager": {
"inputs": {
"nixpkgs": "nixpkgs_3"
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1722936497,
"narHash": "sha256-UBst8PkhY0kqTgdKiR8MtTBt4c1XmjJoOV11efjsC/o=",
"lastModified": 1723986931,
"narHash": "sha256-Fy+KEvDQ+Hc8lJAV3t6leXhZJ2ncU5/esxkgt3b8DEY=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "a6c743980e23f4cef6c2a377f9ffab506568413a",
"rev": "2598861031b78aadb4da7269df7ca9ddfc3e1671",
"type": "github"
},
"original": {
@ -468,11 +427,11 @@
},
"locked": {
"dir": "nix",
"lastModified": 1721551388,
"narHash": "sha256-JR9/TqQi4a14kmH+iypGZKa7H2VZhr2jL9QgHLx3LUw=",
"lastModified": 1724217668,
"narHash": "sha256-cqeOaZkDdcttgWjlokEXYyokBm3guoOGQUC1lvOurO0=",
"owner": "kmonad",
"repo": "kmonad",
"rev": "31c591b647d277fe34cb06fc70b0d053dd15f867",
"rev": "4c324f1631b3b2f7e17e804b0ed3ac314e57bcb8",
"type": "github"
},
"original": {
@ -485,7 +444,7 @@
"landingpage": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_4"
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1709213960,
@ -504,11 +463,11 @@
"nixos-anywhere": {
"inputs": {
"disko": "disko_2",
"flake-parts": "flake-parts_4",
"flake-parts": "flake-parts_3",
"nixos-images": "nixos-images_2",
"nixos-stable": "nixos-stable",
"nixpkgs": "nixpkgs_5",
"treefmt-nix": "treefmt-nix_3"
"nixpkgs": "nixpkgs_4",
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1722000256,
@ -526,11 +485,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1722278305,
"narHash": "sha256-xLBAegsn9wbj+pQfbX07kykd5VBV3Ywk3IbObVAAlWA=",
"lastModified": 1724067415,
"narHash": "sha256-WJBAEFXAtA41RMpK8mvw0cQ62CJkNMBtzcEeNIJV7b0=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "eab049fe178c11395d65a858ba1b56461ba9652d",
"rev": "b09c46430ffcf18d575acf5c339b38ac4e1db5d2",
"type": "github"
},
"original": {
@ -550,11 +509,11 @@
]
},
"locked": {
"lastModified": 1721571445,
"narHash": "sha256-2MnlPVcNJZ9Nbu90kFyo7+lng366gswErP4FExfrUbc=",
"lastModified": 1724028934,
"narHash": "sha256-2M5dqS7UbAKfrO+1U+P/t5S2QIGbuGIsTNMYJzwB17g=",
"owner": "nix-community",
"repo": "nixos-images",
"rev": "accee005735844d57b411d9969c5d0aabc6a55f6",
"rev": "b733f0680a42cc01d6ad53896fb5ca40a66d5e79",
"type": "github"
},
"original": {
@ -606,16 +565,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1721838734,
"narHash": "sha256-o87oh2nLDzZ1E9+j1I6GaEvd9865OWGYvxaPSiH9DEU=",
"owner": "Nixos",
"lastModified": 1717196966,
"narHash": "sha256-yZKhxVIKd2lsbOqYd5iDoUIwsRZFqE87smE2Vzf6Ck0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1855c9961e0bfa2e776fa4b58b7d43149eeed431",
"rev": "57610d2f8f0937f39dbd72251e9614b1561942d8",
"type": "github"
},
"original": {
"owner": "Nixos",
"ref": "nixos-unstable-small",
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
@ -654,11 +613,11 @@
},
"nixpkgs-legacy_2405": {
"locked": {
"lastModified": 1722087241,
"narHash": "sha256-2ShmEaFi0kJVOEEu5gmlykN5dwjWYWYUJmlRTvZQRpU=",
"lastModified": 1724242322,
"narHash": "sha256-HMpK7hNjhEk4z5SFg5UtxEio9OWFocHdaQzCfW1pE7w=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "8c50662509100d53229d4be607f1a3a31157fa12",
"rev": "224042e9a3039291f22f4f2ded12af95a616cca0",
"type": "github"
},
"original": {
@ -682,11 +641,11 @@
},
"nixpkgs-unstable-small": {
"locked": {
"lastModified": 1722979953,
"narHash": "sha256-aFtHVx8WBrf6i3Rf+gYcilRuoimfmlzB9btc+br89R4=",
"lastModified": 1724306539,
"narHash": "sha256-9jF5qr44cnvWoXhE0cr114GHT5Adav3q/DKJ6n9tor8=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9d938b4e45c9a6d04efc45405b3187fbfcff2f85",
"rev": "6c31eb9b990446880000e3297f69f4fdee5b69d7",
"type": "github"
},
"original": {
@ -698,11 +657,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1717196966,
"narHash": "sha256-yZKhxVIKd2lsbOqYd5iDoUIwsRZFqE87smE2Vzf6Ck0=",
"lastModified": 1723175592,
"narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "57610d2f8f0937f39dbd72251e9614b1561942d8",
"rev": "5e0ca22929f3342b19569b21b2f3462f053e497b",
"type": "github"
},
"original": {
@ -713,22 +672,6 @@
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1722185531,
"narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1645527175,
"narHash": "sha256-WeewqaO48sCctiN+iwgZZEJRU29Si7vHHoLCINAvuk8=",
@ -743,7 +686,7 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_4": {
"locked": {
"lastModified": 1717926692,
"narHash": "sha256-THcv8qDqobZefHHluPjx/8n+MtVVb8ag/oJbKMqKNRo=",
@ -759,13 +702,13 @@
"type": "github"
}
},
"nixpkgs_6": {
"nixpkgs_5": {
"locked": {
"lastModified": 1722813957,
"narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=",
"lastModified": 1724224976,
"narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa",
"rev": "c374d94f1536013ca8e92341b540eba4c22f9c62",
"type": "github"
},
"original": {
@ -775,7 +718,7 @@
"type": "github"
}
},
"nixpkgs_7": {
"nixpkgs_6": {
"locked": {
"lastModified": 1701263465,
"narHash": "sha256-lNXUIlkfyDyp9Ox21hr+wsEf/IBklLvb6bYcyeXbdRc=",
@ -791,7 +734,7 @@
"type": "github"
}
},
"nixpkgs_8": {
"nixpkgs_7": {
"locked": {
"lastModified": 1632855891,
"narHash": "sha256-crW76mt9/kbUBiKy/KiSnsQ9JEYgD3StDuYAMVkTbM0=",
@ -805,13 +748,13 @@
"type": "indirect"
}
},
"nixpkgs_9": {
"nixpkgs_8": {
"locked": {
"lastModified": 1722179153,
"narHash": "sha256-ZJ75T0GWpLI4hoaL+YxueHD2pXG+VYpYtPJdwbkERVs=",
"lastModified": 1724265050,
"narHash": "sha256-RbWuBZn2QYNRPgfrQLtj7/AMEXOmlLT+kduufdmcRP8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dcfb2878c687e5eb5fcbc5116969c45c85be34e2",
"rev": "e590723c5186bdad64e3cdaf9ed72cb984caa48e",
"type": "github"
},
"original": {
@ -824,7 +767,7 @@
"overviewer": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_7",
"nixpkgs": "nixpkgs_6",
"pandoc_template": "pandoc_template"
},
"locked": {
@ -881,7 +824,7 @@
"polygon-art": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_8"
"nixpkgs": "nixpkgs_7"
},
"locked": {
"lastModified": 1688766095,
@ -899,11 +842,11 @@
},
"private_assets": {
"locked": {
"lastModified": 1722954537,
"narHash": "sha256-Ed0weP9KpP2g9hdTzCSk89yV2oD2c4poA21z4fLcBgk=",
"lastModified": 1723916901,
"narHash": "sha256-/1i1OTqP8Q7DmNqvwyAmKvxxzYr9qiniNM790lKOl4c=",
"ref": "main",
"rev": "0c236ccc4382ecaad64595756d242b206fd49aec",
"revCount": 58,
"rev": "e7a82f91a7347be4cbc786a22450a78bc11c71ce",
"revCount": 67,
"type": "git",
"url": "ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git"
},
@ -915,11 +858,11 @@
},
"retiolum": {
"locked": {
"lastModified": 1719907580,
"narHash": "sha256-arE8H5HXoPwcjQXnUH1pmnh2pi37+5hXjo4UPpYJ7FY=",
"lastModified": 1723579214,
"narHash": "sha256-YKzjA2J1io2FR6Y1ZS98jKDLnxWKnJXq4ITto93e5Zg=",
"owner": "Mic92",
"repo": "retiolum",
"rev": "7e5194b7aba337bc06b5a33738284ef98eef6cbf",
"rev": "be646cb8778ad3dd11a5f9227bc3b8ae4338d46f",
"type": "github"
},
"original": {
@ -930,17 +873,16 @@
},
"root": {
"inputs": {
"buildbot-nix": "buildbot-nix",
"clan-core": "clan-core",
"clan-fact-generators": "clan-fact-generators",
"flake-parts": "flake-parts_3",
"flake-parts": "flake-parts_2",
"home-manager": "home-manager",
"home-manager-utils": "home-manager-utils",
"kmonad": "kmonad",
"landingpage": "landingpage",
"nixos-anywhere": "nixos-anywhere",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_6",
"nixpkgs": "nixpkgs_5",
"nixpkgs-legacy_2211": "nixpkgs-legacy_2211",
"nixpkgs-legacy_2311": "nixpkgs-legacy_2311",
"nixpkgs-legacy_2405": "nixpkgs-legacy_2405",
@ -966,11 +908,11 @@
]
},
"locked": {
"lastModified": 1721531171,
"narHash": "sha256-AsvPw7T0tBLb53xZGcUC3YPqlIpdxoSx56u8vPCr6gU=",
"lastModified": 1723501126,
"narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "909e8cfb60d83321d85c8d17209d733658a21c95",
"rev": "be0eec2d27563590194a9206f551a6f73d52fa34",
"type": "github"
},
"original": {
@ -981,14 +923,14 @@
},
"srvos": {
"inputs": {
"nixpkgs": "nixpkgs_9"
"nixpkgs": "nixpkgs_8"
},
"locked": {
"lastModified": 1722263926,
"narHash": "sha256-xhuXR7hKOM4dQwDvHyZYn+aHbUDHnpi4+yPhsyP+mwU=",
"lastModified": 1724287640,
"narHash": "sha256-MAjp8fUU6/WambitI/jOVxgjuH3YEfE6A8l4EtonktY=",
"owner": "nix-community",
"repo": "srvos",
"rev": "1f867a5658bfc4318ea6f83304b2a1bc4a0b28ee",
"rev": "9810f43ff22a10b6f70c38d6085ac6c201b26640",
"type": "github"
},
"original": {
@ -1016,11 +958,11 @@
]
},
"locked": {
"lastModified": 1722946882,
"narHash": "sha256-mxtnMye8gs82tdQbVC+g6v3aPOZlH150f9WyntHIkTg=",
"lastModified": 1724260414,
"narHash": "sha256-EP1yFDEm/f7+j+fE3TI7KZb5xJH6KNMtmlZciktC71c=",
"owner": "danth",
"repo": "stylix",
"rev": "5853f1a8bd072f2ebabfc3de3973084353cf6f1e",
"rev": "c5f8f06543b70248a076f888177c7362a24d5dcc",
"type": "github"
},
"original": {
@ -1059,6 +1001,21 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"taskshell": {
"inputs": {
"flake-utils": "flake-utils_4",
@ -1083,16 +1040,16 @@
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"buildbot-nix",
"clan-core",
"nixpkgs"
]
},
"locked": {
"lastModified": 1721769617,
"narHash": "sha256-6Pqa0bi5nV74IZcENKYRToRNM5obo1EQ+3ihtunJ014=",
"lastModified": 1723808491,
"narHash": "sha256-rhis3qNuGmJmYC/okT7Dkc4M8CeUuRCSvW6kC2f3hBc=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "8db8970be1fb8be9c845af7ebec53b699fe7e009",
"rev": "1d07739554fdc4f8481068f1b11d6ab4c1a4167a",
"type": "github"
},
"original": {
@ -1102,27 +1059,6 @@
}
},
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"clan-core",
"nixpkgs"
]
},
"locked": {
"lastModified": 1721458737,
"narHash": "sha256-wNXLQ/ATs1S4Opg1PmuNoJ+Wamqj93rgZYV3Di7kxkg=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "888bfb10a9b091d9ed2f5f8064de8d488f7b7c97",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_3": {
"inputs": {
"nixpkgs": [
"nixos-anywhere",


@ -76,9 +76,6 @@
inputs.home-manager.follows = "home-manager";
};
#buildbot-nix.url = "github:nix-community/buildbot-nix";
buildbot-nix.url = "github:MagicRB/buildbot-nix?ref=pydantic-convert";
# smoke test framwork to trigger tests (enable if I want to use it for real)
#smoke = {
# url = github:SamirTalwar/smoke;
@ -97,7 +94,6 @@
outputs =
inputs@{ self
, buildbot-nix
, clan-core
, clan-fact-generators
, flake-parts
@ -176,6 +172,7 @@
clanLib = import ./lib/clanlib.nix { inherit (pkgs) lib; machineDir = ./machines; };
zerotierDeviceName = "ztbn67ogn2";
components = ./components;
features = ./features;
};
};
@ -247,15 +244,20 @@
"${config.clan.core.clanDir}/machines/chungus/facts/ssh.rbackup.id_ed25519.pub"
];
})
{
# disable emergency mode everywhere, although it might be needed on laptops
boot.initrd.systemd.emergencyAccess = false;
boot.initrd.systemd.suppressedUnits = [
"emergency.service"
"emergency.target"
];
systemd.enableEmergencyMode = false;
}
# configure nix
({ pkgs, lib, clanLib, ... }:
{
nix.settings.substituters = [
"http://cache.orbi.wg0/"
];
nix.settings.trusted-public-keys = [
(clanLib.readFact "nix-serve.pub" "orbi")
];
nix.settings.substituters = [ "http://cache.orbi.wg0" ];
nix.settings.trusted-public-keys = [ (clanLib.readFact "nix-serve.pub" "orbi") ];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.max-jobs = 1;
# no channesl needed this way
@ -268,6 +270,8 @@
documentation.nixos.options.warningsAreErrors = false; # todo make this true again
documentation.nixos.extraModules = [
./components
./features
#./modules
inputs.clan-core.nixosModules.clanCore
# inputs.stylix.nixosModules.stylix # fixme: not working
permown.nixosModules.permown
@ -280,6 +284,12 @@
boot.loader.generic-extlinux-compatible.configurationLimit = lib.mkDefault 10;
boot.loader.grub.configurationLimit = lib.mkDefault 10;
})
# My Structure
./components
./features
./modules # todo : spread this across features and components
#./system/all # todo : spread this across features and components
# some modules I always use
permown.nixosModules.permown
kmonad.nixosModules.default
@ -299,15 +309,15 @@
stylix.image = ./assets/wallpaper.png;
stylix.fonts = {
serif = {
package = pkgs.ubuntu_font_family;
package = pkgs.nerdfonts.override { fonts = [ "Ubuntu" ]; };
name = "Ubuntu";
};
sansSerif = {
package = pkgs.ubuntu_font_family;
package = pkgs.nerdfonts.override { fonts = [ "Ubuntu" ]; };
name = "Ubuntu";
};
monospace = {
package = pkgs.jetbrains-mono;
package = pkgs.nerdfonts.override { fonts = [ "JetBrainsMono" ]; };
name = "JetBrains Mono";
};
emoji = {
@ -316,11 +326,6 @@
};
sizes.popups = 15;
};
# todo: remove this if not needed anymore
#home-manager.sharedModules = [
# { stylix.targets.bemenu.enable = false; }
#];
};
homeManagerModules = { pkgs, config, ... }: {
@ -420,6 +425,7 @@
nixos-hardware.nixosModules.framework-13th-gen-intel
retiolum.nixosModules.retiolum
private_assets.nixosModules.yubikey
private_assets.nixosModules.cherry
homeManagerModules
stylixModules
{ home-manager.users.mainUser.gui.enable = true; }
@ -458,17 +464,12 @@
host = "orbi.bear";
#host = "95.216.66.212";
modules = [
zerotierModules
homeManagerModules
stylixModules
zerotierModules
srvos.nixosModules.hardware-hetzner-online-intel
#srvos.nixosModules.server
#srvos.nixosModules.mixins-terminfo
{
# not needed for servers in general
boot.initrd.systemd.emergencyAccess = false;
systemd.enableEmergencyMode = false;
}
{
home-manager.users.mainUser = import ./homes/palo;
home-manager.users.root = import ./homes/root;
@ -481,13 +482,15 @@
probe = clanSetup {
name = "probe";
host = "probe.bear";
#host = "167.235.205.150";
host = "95.217.18.54";
modules = [
homeManagerModules
stylixModules
srvos.nixosModules.hardware-hetzner-cloud
srvos.nixosModules.server
srvos.nixosModules.mixins-terminfo
#inputs.clan-core.clanModules.sshd
{
home-manager.users.mainUser = import ./homes/palo;
home-manager.users.root = import ./homes/root;
@ -498,6 +501,25 @@
];
};
usbstick = clanSetup {
name = "usbstick";
#host = "usbstick.bear";
host = "10.100.0.100";
modules = [
homeManagerModules
stylixModules
zerotierModules
{ home-manager.users.mainUser.gui.enable = true; }
{
home-manager.users.mainUser = import ./homes/palo;
home-manager.users.root = import ./homes/root;
}
{
clan.core.machineDescription = "USB-Stick for Backup";
}
];
};
};
};
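Review bot: `nix.settings.substituters` and `nix.settings.trusted-public-keys` in the `# configure nix` block replace Nix's built-in defaults rather than extending them, so unless `cache.orbi.wg0` proxies cache.nixos.org every machine now depends on that single cache reached over plain HTTP on wg0; the HTTP transport is acceptable because paths are still signature-checked against the listed key, but if the defaults were meant to stay, use `nix.settings.extra-substituters` / `nix.settings.extra-trusted-public-keys`. The new module that sets `boot.initrd.systemd.emergencyAccess = false` and suppresses `emergency.target` is applied to every machine, laptops included, as its own comment admits; a failing initrd on a laptop with an encrypted disk then presumably has no local recovery path, so consider scoping it to the server `clanSetup`s (it was removed from orbi's own module list in the same hunk) or wrapping the values in `lib.mkDefault`. The flake `outputs` function starts and ends outside the hunks.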


@ -1,6 +1,8 @@
{ lib, ... }:
{
imports = [
./editor.nix
./oh-my-posh
./packages.nix
./terminal.nix
./zfs.nix


@ -1,11 +1,10 @@
{ lib, ... }:
{
programs.vim = {
enable = true;
defaultEditor = true;
defaultEditor = lib.mkDefault true;
};
programs.helix = {
enable = true;
# defaultEditor = true;
};
}


@ -0,0 +1,10 @@
{ pkgs, config, lib, ... }:
with lib;
{
programs.oh-my-posh = {
enable = true;
# https://ohmyposh.dev/docs/themes
#useTheme = "gmay"; # ganz nice, aber farben sind ein bisl schrill
settings = builtins.fromJSON (builtins.readFile ./gmay.json);
};
}
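Review bot: `with lib;` and the `pkgs` and `config` arguments are unused in this module; `{ ... }:` followed by the `programs.oh-my-posh` attribute set is all it needs, and dropping `with lib;` avoids shadowing surprises later. The commented `useTheme` line carries a German note; `# gmay is nice but the colours are a bit loud` keeps the file readable for everyone.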


@ -0,0 +1,96 @@
{
"$schema": "https://raw.githubusercontent.com/JanDeDobbeleer/oh-my-posh/main/themes/schema.json",
"blocks": [
{
"alignment": "left",
"segments": [
{
"background": "#076678",
"foreground": "#EBDBB2",
"leading_diamond": "\ue0b6",
"style": "diamond",
"template": " {{ if .WSL }}WSL at {{ end }}{{.Icon}} ",
"type": "os"
},
{
"background": "#076678",
"foreground": "#EBDBB2",
"style": "powerline",
"template": " {{ .UserName }}@{{ .HostName }} ",
"type": "session"
},
{
"background": "#B57614",
"foreground": "#EBDBB2",
"powerline_symbol": "\ue0b0",
"properties": {
"style": "full"
},
"style": "powerline",
"template": " \ue5ff {{ .Path }} ",
"type": "path"
},
{
"background": "#79740E",
"foreground": "#EBDBB2",
"powerline_symbol": "\ue0b0",
"properties": {
"time_format": "2006-01-02 15:04:05"
},
"style": "powerline",
"template": " {{ .CurrentDate | date .Format }} ",
"type": "time"
},
{
"background": "#8F3F71",
"foreground": "#EBDBB2",
"powerline_symbol": "\ue0b0",
"properties": {
"fetch_stash_count": true,
"fetch_upstream_icon": true
},
"style": "powerline",
"template": " {{ .UpstreamIcon }}{{ .HEAD }}{{ if gt .StashCount 0 }} \ueb4b {{ .StashCount }}{{ end }} ",
"type": "git"
},
{
"background": "#9D0006",
"foreground": "#EBDBB2",
"powerline_symbol": "\ue0b0",
"style": "powerline",
"template": " \uf0e7 ",
"type": "root"
},
{
"background": "#427B58",
"background_templates": ["{{ if gt .Code 0 }}#9D0006{{ end }}"],
"foreground": "#EBDBB2",
"leading_diamond": "<transparent,background>\ue0b0</>",
"properties": {
"always_enabled": true
},
"style": "diamond",
"template": " \ueb05 ",
"trailing_diamond": "\ue0b4",
"type": "status"
}
],
"type": "prompt"
},
{
"alignment": "left",
"newline": true,
"segments": [
{
"foreground": "#076678",
"style": "plain",
"template": "\uf0a9 ",
"type": "text"
}
],
"type": "prompt"
}
],
"final_space": true,
"version": 2
}


@ -23,7 +23,7 @@ with lib;
tldr
bandwhich
bandwhich # todo : put this to common/networking.nix
unzip
genpass


@ -21,6 +21,7 @@ with lib;
${pkgs.zfs}/bin/zfs list -o ${concatStringsSep "," options} "$@"
''
)
pkgs.zfs-prune-snapshots
];
}
];


@ -2,7 +2,6 @@
imports = [
../common
./editor.nix
./git.nix
./gpg.nix
./gui


@ -49,8 +49,8 @@ in
enable = true;
bars = {
my = {
icons = "awesome5";
theme = "gruvbox-light";
icons = "material-nf"; # nerd fonts (influenced by stylix.font settings)
theme = "gruvbox-light"; # not configured by stylix yet.
# https://github.com/greshake/i3status-rust/blob/v0.22.0/doc/blocks.md
blocks = [
{


@ -79,7 +79,7 @@ with lib;
termtosvg
#surrealist
surrealdb
#surrealdb # fixme: not working because of rust update or something
boxes


@ -1,7 +1,22 @@
# NixOS livesystem to generate yubikeys in an air-gapped manner
# screenshot: https://dl.thalheim.io/wmxIqucOEo2xuLk0Ut45fQ/yubikey-live-system.png
# $ nixos-generator -f iso -c yubikey-image.nix
{ pkgs, ... }: {
# $ nix-shell -p nixos-generate --run "nixos-generate -f iso -c yubikey-image.nix"
{ pkgs, ... }:
let
guide = pkgs.stdenv.mkDerivation {
name = "yubikey-guide-2019-01-21.html";
src = pkgs.fetchFromGitHub {
owner = "drduh";
repo = "YubiKey-Guide";
rev = "035d98ebbed54a0218ccbf23905054d32f97508e";
sha256 = "0rzy06a5xgfjpaklxdgrxml24d0vhk78lb577l3z4x7a2p32dbyq";
};
buildInputs = [ pkgs.pandoc ];
installPhase =
"pandoc --highlight-style pygments -s --toc README.md -o $out";
};
in
{
environment.interactiveShellInit = ''
export GNUPGHOME=/run/user/$(id -u)/gnupghome
if [ ! -d $GNUPGHOME ]; then
@ -9,8 +24,7 @@
fi
cp ${
pkgs.fetchurl {
url =
"https://raw.githubusercontent.com/drduh/config/662c16404eef04f506a6a208f1253fee2f4895d9/gpg.conf";
url = "https://raw.githubusercontent.com/drduh/config/662c16404eef04f506a6a208f1253fee2f4895d9/gpg.conf";
sha256 = "118fmrsn28fz629y7wwwcx7r1wfn59h3mqz1snyhf8b5yh0sb8la";
}
} "$GNUPGHOME/gpg.conf"
@ -19,6 +33,9 @@
environment.systemPackages = with pkgs; [
yubikey-personalization
yubikey-personalization-gui
yubikey-manager
yubikey-manager-qt
cryptsetup
pwgen
midori
@ -35,35 +52,25 @@
networking.wireless.enable = false;
networking.dhcpcd.enable = false;
services.mingetty.helpLine = "The 'root' account has an empty password.";
services.getty.helpLine = "The 'root' account has an empty password.";
services.displayManager = {
defaultSession = "xfce";
autoLogin = {
enable = true;
user = "root";
};
};
services.xserver = {
enable = true;
displayManager.auto.enable = true;
desktopManager =
let
guide = pkgs.stdenv.mkDerivation {
name = "yubikey-guide-2019-01-21.html";
src = pkgs.fetchFromGitHub {
owner = "drduh";
repo = "YubiKey-Guide";
rev = "035d98ebbed54a0218ccbf23905054d32f97508e";
sha256 = "0rzy06a5xgfjpaklxdgrxml24d0vhk78lb577l3z4x7a2p32dbyq";
};
buildInputs = [ pkgs.pandoc ];
installPhase =
"pandoc --highlight-style pygments -s --toc README.md -o $out";
};
in
{
default = "xfce";
xterm.enable = false;
xfce.enable = true;
xfce.extraSessionCommands = ''
${pkgs.midori}/bin/midori ${guide} &
${pkgs.xfce.terminal}/bin/xfce4-terminal &
'';
};
desktopManager = {
xterm.enable = false;
xfce.enable = true;
};
displayManager = {
sessionCommands = ''
${pkgs.midori}/bin/midori ${guide} &
'';
};
};
}
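Review bot: The new `displayManager.sessionCommands` only launches midori, while the removed `xfce.extraSessionCommands` also started `xfce4-terminal &`, so the terminal the guide's commands are meant to be typed into no longer opens automatically; if that is unintended, add `${pkgs.xfce.xfce4-terminal}/bin/xfce4-terminal &` (the removed line used `pkgs.xfce.terminal`, so check which attribute the pinned nixpkgs provides). Root autologin with an empty password (`services.getty.helpLine`, `autoLogin.user = "root"`) is only defensible because this image is air-gapped, and the hunk disables just wireless and dhcpcd without saying why; a comment next to those two lines such as `# this image must never be booted with a network cable attached; key material is generated on it` would make the assumption explicit. The pinned `rev` plus `sha256` on both the guide and the fetched `gpg.conf` is the right way to pull remote content into an offline image — worth keeping that way.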

View file

@ -3,17 +3,14 @@
imports = [
../../components
../../modules
./hardware-configuration
./syncthing.nix
./qemu.nix
./network-tinc.nix
./network-tinc_retiolum.nix
./network-wireguard.nix
./network-wireguard-wg0.nix
./network-wireguard-wg1.nix
./37c3.nix
@ -40,12 +37,13 @@
# (promptKey "pushover.api_key");
components.virtualisation.enable = true;
components.gui.enable = true;
components.mainUser.enable = true;
components.media.enable = true;
components.media.tts-client.enable = false;
components.network.enable = true;
components.network.sshd.sshguard.enable = false;
components.network.wifi.enable = true;
components.terminal.enable = true;
@ -127,15 +125,6 @@
services.printing.enable = true;
virtualisation = {
docker.enable = true;
podman.enable = true;
virtualbox = {
host.enable = false;
guest.enable = false;
};
};
# for congress and streaming
hardware.graphics.enable = true;
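Review bot: The per-machine `virtualisation.docker/podman/virtualbox` settings and the `./qemu.nix` import (which added `mainUser` to the `libvirtd` group and set `libvirtd.onShutdown = "shutdown"`) are replaced by a single `components.virtualisation.enable = true;` whose definition is not in this diff; verify that it reproduces the group membership and the shutdown behaviour, and since `docker` (and in practice `libvirtd`) group membership is root-equivalent, a comment on that line naming the groups the component grants would help the reader. Whether `components.network.sshd.sshguard.enable = false;` is an added or retained line is not recoverable from this rendering; if it is new, note that orbi drops the same option in favour of `features.network.fail2ban` in this commit. The machine module continues outside the hunks.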


@ -3,6 +3,7 @@
imports = [
./disko-config.nix
./hardware-configuration.nix
./graphics.nix
];
boot.loader.efi.canTouchEfiVariables = true;
@ -23,4 +24,6 @@
ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ENV{ID_FS_TYPE}=="zfs_member", ATTR{../queue/scheduler}="none"
'';
}


@ -0,0 +1,19 @@
# https://wiki.nixos.org/wiki/Accelerated_Video_Playback
{ pkgs, ... }:
{
hardware.graphics.enable = true;
hardware.graphics.extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD
#vaapi-intel-hybrid
intel-vaapi-driver # For older processors. LIBVA_DRIVER_NAME=i965
#vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
#vaapiVdpau
#libvdpau-va-gl
];
hardware.graphics.enable32Bit = true;
hardware.graphics.extraPackages32 = with pkgs.pkgsi686Linux; [ intel-vaapi-driver ];
environment.sessionVariables = { LIBVA_DRIVER_NAME = "i965"; }; # Optionally, set the environment variable
}
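Review bot: `environment.sessionVariables = { LIBVA_DRIVER_NAME = "i965"; }` forces the legacy `intel-vaapi-driver` for every session even though `intel-media-driver` (iHD) is installed a few lines above; i965 targets pre-Broadwell GPUs, so on a newer machine this silently disables the driver that actually supports the hardware. Either drop the variable and let libva pick the driver, or document the reason, e.g. `# forced to i965 because this CPU predates Broadwell — verify with vainfo`. The same 19-line file is added verbatim for cream in this commit, which makes it a candidate for a shared component.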


@ -0,0 +1,23 @@
{ pkgs, config, ... }:
{
clan.core.facts.services.wg1 = {
secret."wg1.conf" = { };
generator = {
# I download the config from my fritz.box
# cat wg_config.conf | pass insert -m machiens/<name>/wg1.conf
prompt = "please enter the wg1.conf";
path = with pkgs; [ coreutils ];
script = ''
echo "$prompt_value" > "$secrets"/wg1.conf
'';
};
};
home-manager.users.root.home.packages = [
(pkgs.writers.writeBashBin "wg1-up" ''
${pkgs.wireguard-tools}/bin/wg-quick up ${config.clan.core.facts.services.wg1.secret."wg1.conf".path}
'')
(pkgs.writers.writeBashBin "wg1-down" ''
${pkgs.wireguard-tools}/bin/wg-quick down ${config.clan.core.facts.services.wg1.secret."wg1.conf".path}
'')
];
}
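Review bot: `echo "$prompt_value" > "$secrets"/wg1.conf` depends on echo's treatment of the pasted text; `printf '%s\n' "$prompt_value" > "$secrets"/wg1.conf` writes the WireGuard config — which carries the interface's private key — byte-for-byte regardless of backslashes or a leading `-n`/`-e`. The comment above it reads `machiens`, should be `machines`. An identical file is added for cream in this commit and its `wg1-down` wrapper calls `wg-quick up`; one shared module imported by both machines would stop the copies drifting apart.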


@ -1,17 +0,0 @@
{ config, lib, pkgs, ... }:
{
virtualisation.libvirtd.enable = true;
#virtualisation.libvirtd.allowedBridges = ["virbr0"];
virtualisation.libvirtd.onShutdown = "shutdown";
environment.systemPackages = [
pkgs.qemu_kvm
#(pkgs.quickemu.override { qemu_full = pkgs.qemu_kvm; })
pkgs.quickemu
pkgs.virt-manager
];
users.users.mainUser.extraGroups = [ "libvirtd" ];
}


@ -5,9 +5,6 @@
# todo : remove
../../system/all
../../components
../../modules
./hardware-configuration
./packages.nix
@ -58,9 +55,9 @@
components.network.wifi.enable = false;
components.terminal.enable = true;
components.nixos.boot.enable = true;
components.nixos.boot.kernelModules = [ "e1000e" ];
components.nixos.boot.tor.enable = false;
features.boot.ssh.enable = true;
features.boot.ssh.kernelModules = [ "e1000e" ];
features.boot.tor.enable = true;
components.monitor.enable = true;
components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";
@ -69,20 +66,9 @@
services.printing.enable = false;
virtualisation.podman.extraPackages = [ pkgs.zfs ]; # make sure /var/lib/containers/storage is a zfs dataset
networking.hostName = "chungus";
hardware.graphics.enable = true;
hardware.graphics.enable32Bit = true;
hardware.graphics.extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
vaapiVdpau
libvdpau-va-gl
];
# nix-shell -p speedtest_cli --run speedtest
#configuration.fireqos = {
# enable = false;
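Review bot: `features.boot.tor.enable = true;` replaces `components.nixos.boot.tor.enable = false;`, so this commit switches on whatever the boot/tor feature provides (presumably reaching the initrd SSH enabled by `features.boot.ssh` over an onion service) where it was previously explicitly off. If the flip is deliberate, a short comment such as `# initrd ssh reachable via tor while the disks are still locked` records why, and the feature's definition — not visible here — should be checked for where the onion private key is persisted, since that key is what makes the address stable. The machine module continues outside the hunks.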


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBPrtiYl85Wfn+6Iw4caHF3qT4qkgf/ZAYelUjWdSEbn nixbld@cream


@ -3,10 +3,12 @@
imports = [
./disko-config.nix
./hardware-configuration.nix
./graphics.nix
];
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.systemd-boot.enable = true;
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
boot.supportedFilesystems = [ "zfs" ];


@ -0,0 +1,19 @@
# https://wiki.nixos.org/wiki/Accelerated_Video_Playback
{ pkgs, ... }:
{
hardware.graphics.enable = true;
hardware.graphics.extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD
#vaapi-intel-hybrid
intel-vaapi-driver # For older processors. LIBVA_DRIVER_NAME=i965
#vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
#vaapiVdpau
#libvdpau-va-gl
];
hardware.graphics.enable32Bit = true;
hardware.graphics.extraPackages32 = with pkgs.pkgsi686Linux; [ intel-vaapi-driver ];
environment.sessionVariables = { LIBVA_DRIVER_NAME = "i965"; }; # Optionally, set the environment variable
}
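Review bot: This file is byte-for-byte the same as the `graphics.nix` added for cherry in this commit, including the global `LIBVA_DRIVER_NAME = "i965"` that overrides the also-installed `intel-media-driver`; a copy per machine invites drift, so move it under `./features` or `./components` (both are wired into every machine by `flake.nix` in this commit) and import it from both hardware configurations. If the two machines have different GPU generations, the driver override is exactly the line that should differ, and a per-machine option on the shared module is the place to express that.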


@ -3,17 +3,14 @@
imports = [
../../components
../../modules
./hardware-configuration.nix
./syncthing.nix
./qemu.nix
./network-tinc.nix
./network-tinc_retiolum.nix
./network-wireguard.nix
./network-wireguard-wg0.nix
./network-wireguard-wg1.nix
];
@ -24,6 +21,8 @@
boot.loader.efi.canTouchEfiVariables = true;
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
components.virtualisation.enable = true;
components.gui.enable = true;
components.gui.xorg.enable = true;
components.gui.wayland.enable = false;
@ -113,15 +112,6 @@
services.printing.enable = true;
virtualisation = {
docker.enable = true;
podman.enable = true;
virtualbox = {
host.enable = false;
guest.enable = false;
};
};
samba-share = {
enable = false;
folders = {


@ -1 +1 @@
lkvs1E4lCXt+Q7lvg/vU2JQyDfqseYo68Ecbb/Hg8YA
B3EKYRxqFjIGR2VYajjDqX0gltPJNwcno5PUhafKWKB


@ -1,13 +1,13 @@
-----BEGIN RSA PUBLIC KEY-----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==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==
-----END RSA PUBLIC KEY-----


@ -0,0 +1,23 @@
{ pkgs, config, ... }:
{
clan.core.facts.services.wg1 = {
secret."wg1.conf" = { };
generator = {
# I download the config from my fritz.box
# cat wg_config.conf | pass insert -m machiens/<name>/wg1.conf
prompt = "please enter the wg1.conf";
path = with pkgs; [ coreutils ];
script = ''
echo "$prompt_value" > "$secrets"/wg1.conf
'';
};
};
home-manager.users.root.home.packages = [
(pkgs.writers.writeBashBin "wg1-up" ''
${pkgs.wireguard-tools}/bin/wg-quick up ${config.clan.core.facts.services.wg1.secret."wg1.conf".path}
'')
(pkgs.writers.writeBashBin "wg1-down" ''
${pkgs.wireguard-tools}/bin/wg-quick up ${config.clan.core.facts.services.wg1.secret."wg1.conf".path}
'')
];
}
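Review bot: The `wg1-down` wrapper runs `${pkgs.wireguard-tools}/bin/wg-quick up ...`, so invoking it tries to bring the tunnel up a second time instead of tearing it down; it should read `${pkgs.wireguard-tools}/bin/wg-quick down ${config.clan.core.facts.services.wg1.secret."wg1.conf".path}`, as the otherwise identical cherry copy in this commit does. The generator's `echo "$prompt_value" >` would be safer as `printf '%s\n' "$prompt_value" >`, since the value is a full WireGuard config including the private key. Sharing one module between the two machines would have prevented this copy-paste divergence.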


@ -1,17 +0,0 @@
{ config, lib, pkgs, ... }:
{
virtualisation.libvirtd.enable = true;
#virtualisation.libvirtd.allowedBridges = ["virbr0"];
virtualisation.libvirtd.onShutdown = "shutdown";
environment.systemPackages = [
pkgs.qemu_kvm
#(pkgs.quickemu.override { qemu_full = pkgs.qemu_kvm; })
pkgs.quickemu
pkgs.virt-manager
];
users.users.mainUser.extraGroups = [ "libvirtd" ];
}


@ -1,53 +0,0 @@
{ pkgs, inputs, ... }: {
imports = [
inputs.buildbot-nix.nixosModules.buildbot-master
];
containers.buildbot = {
privateNetwork = false;
autoStart = true;
config = { config, lib, ... }: {
nixpkgs.pkgs = pkgs;
imports = [
../../components/monitor/container.nix
inputs.buildbot-nix.nixosModules.buildbot-master
];
system.stateVersion = "24.05";
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
services.postgresql = {
settings.port = 5433;
};
services.buildbot-nix.master = {
enable = true;
dbUrl = "postgresql://@:5433/buildbot";
# Domain name under which the buildbot frontend is reachable
domain = "orbi.private:8010";
admins = [ "palo" ];
workersFile = pkgs.writeText "workers.json" ''
[
{ "name": "test", "pass": "password", "cores": 2 }
]
'';
# How to authenticate against buildbot
authBackend = "none";
# How to authenticate against gitea
gitea = {
enable = true;
instanceUrl = "https://git.ingolf-wagner.de";
webhookSecretFile = pkgs.writeText "gitea-webhook-secret" "my-secret";
tokenFile = pkgs.writeText "gitea-token" "my-token";
topic = "buildbot";
};
};
};
};
}


@ -1,12 +0,0 @@
{ pkgs, inputs, ... }: {
imports = [
inputs.buildbot-nix.nixosModules.buildbot-worker
];
services.buildbot-nix.worker = {
enable = true;
workerPasswordFile = pkgs.writeText "worker-password-file" "password";
};
}


@ -1,13 +1,12 @@
{ lib, config, pkgs, ... }: {
{ lib, config, pkgs, modulesPath, ... }: {
imports = [
(modulesPath + "/profiles/hardened.nix")
./hardware-configuration
../../system/all/defaults.nix
../../components
../../modules
./service-forgejo-runner.nix
./service-forgejo.nix
./service-hedgedoc.nix
@ -35,10 +34,8 @@
#./social-jitsi.nix
./social-matrix-terranix.nix
#./buildbot-worker.nix
#./buildbot-master.nix
];
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
networking.hostName = "orbi";
@ -50,17 +47,14 @@
components.network.nginx.landingpage.enable = false;
components.network.wifi.enable = false;
components.network.fail2ban.enable = true;
components.network.sshd.sshguard.enable = false;
components.nixos.boot.enable = true;
components.nixos.boot.tor.enable = false;
features.network.fail2ban.enable = true;
features.boot.ssh.enable = true;
components.monitor.enable = true;
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";
components.monitor.opentelemetry.exporter.endpoint = "10.100.0.2:4317"; # chnungus
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
security.acme.acceptTerms = true;
security.acme.defaults.email = "contact@ingolf-wagner.de";
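Review bot: `components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317"` binds the collector on every interface of a public Hetzner host and relies solely on the two `networking.firewall.interfaces.wg0.allowed*Ports` lines to keep it off the internet; binding to the wg0 address instead (the `10.100.0.2` used for chungus suggests orbi has one in the same range) would make the exposure independent of firewall state, e.g. `receiver.endpoint = "<orbi wg0 address>:4317";`. Moving the `hardened.nix` profile import here from the hardware configuration is behaviour-neutral, but `features.boot.ssh.enable = true;` replaces a hand-written initrd SSH block removed elsewhere in this commit that pinned port 2222 and reused the system host keys; confirm the feature does the same. The machine module continues outside the hunks.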


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9YxtLgaTfVKi7iwuM6hdIsgnZWSSIfzauqpFP4X4Oc nixbld@cherry


@ -1,30 +1,5 @@
{ config, pkgs, modulesPath, lib, factsGenerator, ... }:
let
# in rescue shell
# ---------------
# apt install -y lshw
# lshw -C network | grep -Poh 'driver=[[:alnum:]]+'
networkInterfaceModule = "e1000e";
# ip addr
networkInterface = "enp0s31f6";
# From the Hetzner control panel
ipv4 = {
address = "95.216.66.212"; # the ip address
gateway = "95.216.66.193"; # the gateway ip address
netmask = "255.255.255.192"; # the netmask -- might not be the same for you!
prefixLength = 26; # must match the netmask, see <https://www.pawprint.net/designresources/netmask-converter.php>
};
ipv6 = {
address = "2a01:4f9:2b:326::2"; # the ipv6 addres
gateway = "fe80::1"; # the ipv6 gateway
prefixLength = 64; # shown in the control panel
};
in
{
system.stateVersion = "23.11";
@ -32,21 +7,16 @@ in
imports = [
./disko-config.nix
./hardware-configuration.nix
./hetzner.nix
];
services.smartd.enable = true;
# Use GRUB2 as the boot loader.
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
boot.loader.grub = {
enable = true;
efiSupport = false; # we created a ef02 partition because uefi is not supported on hetzner online machines.
};
# root password
clan.core.facts.services.rootPassword = factsGenerator.password { name = "root"; };
users.users.root.hashedPasswordFile = config.clan.core.facts.services.rootPassword.secret."password.root.pam".path;
# todo : use component for that
services.openssh.settings.PermitRootLogin = "prohibit-password";
services.openssh.settings.PasswordAuthentication = false;
@ -56,25 +26,4 @@ in
clan.core.facts.services.zfs = factsGenerator.zfs { };
networking.hostId = config.clan.core.facts.services.zfs.public."zfs.hostId".value;
systemd.network.networks."10-uplink".networkConfig.Address = ipv6.address;
boot.initrd.systemd.network.networks."10-uplink" = config.systemd.network.networks."10-uplink";
# todo: use ssh component
boot.initrd.kernelModules = [ networkInterfaceModule ];
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
port = 2222;
hostKeys = [
# make sure you use --copy-host-keys during nixos-anywhere
# (you can create ne ssh keys later, again)
# rm /etc/ssh/ssh_host_* && systemctl restart sshd.service
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_ed25519_key
];
};
};
}
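Review bot: The removed `boot.initrd.network.ssh` block pinned `port = 2222;` and pointed `hostKeys` at `/etc/ssh/ssh_host_{rsa,ed25519}_key`, so the initrd presented the same host key as the running system; its replacement (`features.boot.ssh.enable = true;` in this machine's default.nix) is not in this diff, so if the feature defaults to port 22 or generates separate initrd keys, every client with `[orbi]:2222`'s fingerprint in known_hosts gets a host-key mismatch at the next remote unlock. Confirm the feature's port and `hostKeys`, and carry the `--copy-host-keys` reminder from the removed comment over to it. The `PermitRootLogin`/`PasswordAuthentication` lines stay and are tagged `todo : use component for that`; the hardened profile now imported in default.nix does not, to my knowledge, set either, so keep them until the component does.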


@ -4,11 +4,7 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/profiles/hardened.nix")
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" ];
boot.initrd.kernelModules = [ ];


@ -0,0 +1,38 @@
{ config, ... }:
let
# ip addr
networkInterface = "enp0s31f6";
# From the Hetzner control panel
ipv4 = {
address = "95.216.66.212"; # the ip address
gateway = "95.216.66.193"; # the gateway ip address
netmask = "255.255.255.192"; # the netmask -- might not be the same for you!
prefixLength = 26; # must match the netmask, see <https://www.pawprint.net/designresources/netmask-converter.php>
};
ipv6 = {
address = "2a01:4f9:2b:326::2"; # the ipv6 addres
gateway = "fe80::1"; # the ipv6 gateway
prefixLength = 64; # shown in the control panel
};
in
{
systemd.network.networks."10-uplink".networkConfig.Address = ipv6.address;
boot.initrd.systemd.network.networks."10-uplink" = config.systemd.network.networks."10-uplink";
# in rescue shell
# ---------------
# apt install -y lshw
# lshw -C network | grep -Poh 'driver=[[:alnum:]]+'
boot.initrd.kernelModules = [ "e1000e" ];
# Use GRUB2 as the boot loader.
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
boot.loader.grub = {
enable = true;
efiSupport = false; # we created a ef02 partition because uefi is not supported on hetzner online machines.
};
}
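Review bot: Of the `let` bindings only `ipv6.address` is used in the visible body; `networkInterface` and the whole `ipv4` set are dead unless referenced in lines the rendering dropped, and they were already unused in the removed version they were lifted from. Either delete them or, if the srvos `hardware-hetzner-online-intel` module imported for orbi supplies the IPv4/gateway part of `10-uplink`, say so: `# ipv4 and both gateways come from srvos hardware-hetzner-online-intel; only the static ipv6 address is set here`. The `netmask` comment links to a third-party converter; `prefixLength = 26` is the authoritative value and the URL can go.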


@ -1,4 +1,4 @@
{ pkgs, config, factsGenerator, ... }:
{ pkgs, config, factsGenerator, components, ... }:
# don't forget the database backup before upgrading
# -------------------------------------------------
@ -85,7 +85,7 @@ in
config = { config, lib, ... }: {
nixpkgs.pkgs = pkgs;
imports = [ ../../components/monitor/container.nix ];
imports = [ "${components}/monitor/container.nix" ];
system.stateVersion = "23.11";
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here


@ -1,4 +1,4 @@
{ lib, pkgs, config, ... }:
{ lib, pkgs, config, components, ... }:
let
uiPort = 9091;
in
@ -25,7 +25,7 @@ in
config = { config, lib, ... }: {
nixpkgs.pkgs = pkgs;
imports = [ ../../components/monitor/container.nix ];
imports = [ "${components}/monitor/container.nix" ];
system.stateVersion = "21.05";
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here


@ -3,10 +3,7 @@ let inherit (utils) escapeSystemdPath;
in
{
virtualisation = {
# docker.enable = true;
podman.enable = true;
};
virtualisation.podman.enable = true;
#nix.settings.trusted-users = [ "root" "gitea-runner"];
nix.settings.allowed-users = [ "*" "gitea-runner" ];
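Review bot: `nix.settings.allowed-users = [ "*" "gitea-runner" ];` names `gitea-runner` explicitly while `*` already admits every user, so the entry is redundant and the effective setting is Nix's permissive default; if the intent was to let only the runner talk to the daemon, drop `*`, e.g. `nix.settings.allowed-users = [ "root" "gitea-runner" ];`, otherwise remove the line. The commented-out `trusted-users` line above it is the one that matters for security: a trusted runner user could push unsigned store paths into the host store, so it is right that it stays off — a comment saying so would stop someone re-enabling it for convenience. The module continues outside the hunk.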


@ -36,7 +36,7 @@
alias ${pkgs.writeText "cache-info" ''
StoreDir: /nix/store
WantMassQuery: 1
Priority: 42
Priority: 10
''};
allow ${config.wireguard.wg0.subnet};
deny all;


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, components, ... }:
let
mySQLPackage = pkgs.mysql;
photoprismPort = 2342;
@ -15,10 +15,14 @@ in
config = { config, lib, ... }: {
nixpkgs.pkgs = pkgs;
imports = [ ../../components/monitor/container.nix ];
imports = [ "${components}/monitor/container.nix" ];
system.stateVersion = "23.11";
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
environment.systemPackages = [
config.services.photoprism.package
];
# Photoprism
# ----------
services.photoprism = {


@ -1,4 +1,4 @@
{ config, pkgs, lib, clanCore, factsGenerator, ... }:
{ config, pkgs, lib, clanCore, factsGenerator, components, ... }:
let
surrealdbPort = 8000;
in
@ -12,7 +12,7 @@ in
config = { config, lib, ... }: {
nixpkgs.pkgs = pkgs;
imports = [ ../../components/monitor/container.nix ];
imports = [ "${components}/monitor/container.nix" ];
system.stateVersion = "24.05";
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, components, ... }:
let
vikunjaPort = 3456;
mysqlPort = 3337;
@ -13,7 +13,7 @@ in
config = { config, lib, ... }: {
nixpkgs.pkgs = pkgs;
imports = [ ../../components/monitor/container.nix ];
imports = [ "${components}/monitor/container.nix" ];
system.stateVersion = "24.05";
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here


@ -1,4 +1,4 @@
{ config, pkgs, factsGenerator, ... }:
{ config, pkgs, factsGenerator, components, ... }:
let
# 1. create DNS entry `matrix.terranix.org A - 95.216.66.212`
# 2. test with : https://federationtester.matrix.org/#terranix.org
@ -66,7 +66,7 @@ in
config = { config, lib, ... }: {
nixpkgs.pkgs = pkgs;
imports = [ ../../components/monitor/container.nix ];
imports = [ "${components}/monitor/container.nix" ];
system.stateVersion = "23.11";
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here


@ -1,8 +1,6 @@
{ lib, config, pkgs, ... }: {
imports = [
./hardware-configuration
../../components
../../modules
];
system.stateVersion = "24.11";
@ -10,8 +8,13 @@
components.mainUser.enable = true;
components.network.enable = true;
features.boot.ssh.enable = true;
features.boot.tor.enable = true;
components.monitor.enable = false;
networking.hostName = "probe";
users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkqVvuJSvRMO5pG2CHNNBxjB7HlJudK4TQs3BhbOWOD" ];
users.users.root.initialPassword = "admin";
#users.users.root.initialPassword = "admin";
}
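Review bot: Commenting out `users.users.root.initialPassword = "admin";` does not remove that password from an already-deployed probe: `initialPassword` is applied only when the account is created, so if the host was installed with the earlier configuration the root password presumably remains `admin` until something else sets it. Set `users.users.root.hashedPasswordFile` from a clan fact the way orbi does, or lock the account outright with `users.users.root.hashedPassword = "!";` — key-based login via `authorizedKeys` is unaffected either way. `features.boot.tor.enable = true;` is also new here and its definition is outside the diff.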


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGpSFQ3qd9iXkIxhLdP2ic6pGNPKlyKfQdeMN2IutmE nixbld@cream


@ -1,13 +1,12 @@
{ config, factsGenerator, clanLib, ... }:
{
imports = [
./disko-config.nix
#./disko-config-simple.nix
./disko-config-encrypted.nix
./hardware-configuration.nix
./hetzner.nix # to more me to components
];
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
}


@ -0,0 +1,44 @@
# Example to create a bios compatible gpt partition
{ lib, ... }:
{
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "luks";
name = "root";
settings.allowDiscards = true;
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}
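Review bot: `settings.allowDiscards = true` passes TRIM through the LUKS layer, which lets anyone who can read the raw device (the hypervisor, a volume snapshot, a later tenant of the block storage) see which blocks are free and thus the filesystem's rough layout; it is a reasonable trade for SSD wear on a cloud VM whose provider could read guest memory anyway, but it deserves a one-line comment recording that choice. The header `# Example to create a bios compatible gpt partition` is the upstream disko example's header and no longer describes this file; suggest `# GPT disk: 1M BIOS-boot stub, 500M ESP on /boot, LUKS (passphrase prompted by disko at format time) over an ext4 root`. No `passwordFile`/`keyFile` is given, so disko prompts interactively when formatting — fine for a manual install, but it will hang an unattended one.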


@ -1,12 +1,22 @@
{ config, ... }:
{
# set up hetzner cloud network
systemd.network.enable = true;
systemd.network.networks."10-private-hetzner" = {
systemd.network.networks."10-uplink" = {
matchConfig.Name = "en*";
networkConfig.DHCP = "ipv4";
linkConfig.RequiredForOnline = "routable";
};
# set up hetzner cloud network during init
boot.initrd.systemd.network.networks."10-uplink" = config.systemd.network.networks."10-uplink";
boot.initrd.availableKernelModules = [ "virtio_pci" ]; # network kernel module
# set up hetzner boot loader
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
};
}
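Review bot: The copied unit `boot.initrd.systemd.network.networks."10-uplink"` only takes effect with the systemd-based initrd, i.e. `boot.initrd.systemd.enable = true`; the scripted initrd ignores `boot.initrd.systemd.*`, and that option is not set in this file, so confirm it is enabled elsewhere or the initrd will come up with no network at all. If the purpose is unlocking the LUKS root remotely, the initrd also needs a listener (`boot.initrd.network.ssh` or the systemd-initrd sshd) with its own host key, since the initrd sits on the unencrypted ESP and must not carry the main system's host key. `boot.initrd.availableKernelModules = [ "virtio_pci" ]` is the right bus driver for Hetzner Cloud, but whether `virtio_net` is also needed depends on the kernel config; check `lsmod` on the running host before relying on it.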


@ -2,8 +2,6 @@
imports = [
../../components
../../modules
./hardware-configuration.nix
./packages.nix
./syncthing.nix
@ -19,8 +17,6 @@
components.gui.enable = true;
components.gui.kmonad.enable = false;
components.gui.style.enable = false; # installes nerd-fonts which seem not to work.
#components.gui.noti.enable = false;
components.terminal.enable = true;
components.network.enable = true;
@ -86,13 +82,5 @@
};
};
virtualisation = {
docker.enable = false;
virtualbox = {
host.enable = false;
guest.enable = false;
};
};
}


@ -0,0 +1,53 @@
{ config, pkgs, lib, ... }: {
imports = [
./hardware-configuration
#./tinc.nix
#./syncthing.nix
./network-wireguard-wg0.nix
];
components.gui.enable = true;
components.gui.wayland.enable = false;
components.gui.xorg.enable = true;
components.mainUser.enable = true;
components.monitor.enable = false;
components.network.enable = true;
components.network.wifi.enable = true;
components.terminal.enable = true;
networking.hostName = "usbstick";
# Set your time zone.
#time.timeZone = "Europe/Berlin";
#environment.systemPackages = with pkgs; [
# vim
# wget
# htop
# silver-searcher
#];
#environment.extraInit = ''
# # use vi shortcuts
# # ----------------
# set -o vi
# EDITOR=vim
#'';
services.openssh.enable = true;
#users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa 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 contact@ingolf-wagner.de" ];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
}
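Review bot: `services.openssh.enable = true` with the only authorized key commented out leaves sshd reachable on every network this stick is plugged into with NixOS's default `PasswordAuthentication = yes`, so every local user password becomes the attack surface. Either drop sshd from this image or add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` together with a real `authorizedKeys` entry (a component may already set this, but it is not on this page). The commented-out package list, `extraInit` block and dead `ssh-rsa` line are noise in a brand-new file and can go; if the key is ever brought back it should be the ed25519 key used elsewhere in this repo, not the RSA one.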


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB1Jma/RepkDoEdmc1mwGRvK9r4qr4AplNAdX8V/dAhZ nixbld@cream


@ -0,0 +1 @@
TLJUGR3-CBQ2E72-FZZQQBD-OELT4RG-ME7KCDJ-O4E6V5C-QRCQHZ4-XU3WXAV


@ -0,0 +1 @@
10.100.0.100/32


@ -0,0 +1 @@
10.100.0.100


@ -0,0 +1 @@
gZaTuiQRtbYROEbdcCrpGvJcNYBXuoskaj1GBQcL3Gg=
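Review bot: Confirm this file is the public fact `wireguard.wg0.pub` and not the private key: the file name is not shown on this page, both are 44-character base64 values, and network-wireguard-wg0.nix treats `wireguard.wg0.key` as a sops-backed secret while peers read `wireguard.wg0.pub` through `clanLib.readFact`. If it turns out to be the private key, rotate the pair on usbstick and update orbi's peer entry rather than trying to scrub history.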


@ -0,0 +1 @@
fdb3:fdc0:b880:37a1:3a99:930f:937c:e1a3


@ -0,0 +1,19 @@
{
imports = [
./hardware-configuration.nix
#./disko-config.nix # todo: not used yet (use a simple installer usb stick for that)
];
# grub configuraton
# -----------------
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "/dev/sda";
boot.loader.grub.efiInstallAsRemovable = true;
boot.tmp.useTmpfs = true;
# zfs
boot.supportedFilesystems = [ "zfs" ];
networking.hostId = "2ed43034";
}
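Review bot: `boot.loader.grub.device = "/dev/sda"` is a hazard on a removable system: the stick is `/dev/sda` only when it happens to enumerate first, and a `nixos-rebuild switch` run while it is `/dev/sdb` writes GRUB into the host machine's internal disk. Use the stable path, e.g. `boot.loader.grub.device = "/dev/disk/by-id/usb-<vendor>_<serial>-0:0";` (look it up with `ls -l /dev/disk/by-id`), and the same applies to the `lib.mkDefault "/dev/sda"` in the matching disko config. `boot.supportedFilesystems = [ "zfs" ]` pulls in the ZFS module although hardware-configuration.nix only declares ext4 over LUKS; if it is there to read other machines' pools that is fine, otherwise it is unused kernel surface that pins the stick to ZFS-compatible kernel versions.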


@ -0,0 +1,44 @@
# Example to create a bios compatible gpt partition
{ lib, ... }:
{
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "luks";
name = "root";
settings.allowDiscards = true;
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}
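Review bot: disko wipes and repartitions the target device, so the `lib.mkDefault "/dev/sda"` default is dangerous if this is the usbstick layout: when the stick is formatted from another machine, `/dev/sda` is usually that machine's own disk. Pass the stable `/dev/disk/by-id/usb-…` path on the disko command line or override the default per machine, and keep `mkDefault "/dev/sda"` only where the machine is known to have a single disk. This file is also byte-for-byte the other `disko-config-encrypted.nix` in this commit; a shared module under components/ taking the device as an argument would keep the two from drifting.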


@ -0,0 +1,48 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
#device = "/dev/disk/by-uuid/b3dc4880-fb1b-415d-a5a8-a53b9f0a9ab6";
device = "/dev/mapper/root-enc";
fsType = "ext4";
};
boot.initrd.luks.devices."root-enc".device = "/dev/disk/by-uuid/c2a56e0f-f831-4d21-8cf4-7ddf3901ea8a";
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/EBCE-D756";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
# networking.interfaces.tinc.private.useDHCP = lib.mkDefault true;
# networking.interfaces.tinc.retiolum.useDHCP = lib.mkDefault true;
# networking.interfaces.tinc.secret.useDHCP = lib.mkDefault true;
# networking.interfaces.virbr0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
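Review bot: The header says `Do not modify this file! It was generated by nixos-generate-config`, yet `fileSystems."/".device` was hand-changed to `/dev/mapper/root-enc` and `boot.initrd.luks.devices."root-enc"` was added, so the next regeneration silently drops the LUKS mapping and reverts root to the stale UUID left in the comment. Either regenerate the file on the installed system (current `nixos-generate-config` emits the `boot.initrd.luks.devices` entry itself when root is mounted from a LUKS mapper) or move the LUKS mapping and the mapper `fileSystems."/"` entry into the hand-written `default.nix` beside it, and delete the commented `by-uuid/b3dc4880…` line either way. `boot.initrd.kernelModules = [ "dm-snapshot" ]` looks like an LVM leftover; the LUKS module already adds `dm_crypt`, so `dm-snapshot` can go unless LVM is actually in use.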


@ -0,0 +1,33 @@
{ config, factsGenerator, clanLib, ... }:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clan.core.facts.services.wireguard_ip = factsGenerator.public {
"wireguard.wg0.cidr" = "10.100.0.100/32";
"wireguard.wg0.ip" = "10.100.0.100";
};
# Enable WireGuard
networking.wg-quick.interfaces = {
# Hub and Spoke Setup
# https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
wg0 = {
address = [
config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = config.clan.core.facts.services.wireguard.secret."wireguard.wg0.key".path;
mtu = 1280;
peers = [
{
publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
allowedIPs = [
(clanLib.readFact "wireguard.wg0.cidr" "orbi")
];
endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
}
];
};
};
}
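Review bot: A roaming spoke behind NAT needs `persistentKeepalive = 25;` in the orbi peer block; without it the hub can only reach 10.100.0.100 while the stick has sent traffic recently, and the "hub and spoke" link becomes one-directional once the NAT mapping expires. The `listenPort = 51820` plus the firewall opening is unnecessary for a spoke that always initiates (WireGuard replies through whatever socket sent the handshake), so the inbound port can be dropped unless the hub is expected to initiate on a network where the stick is directly reachable; WireGuard does discard unauthenticated packets, so this is surface rather than exposure. `allowedIPs` is only orbi's own cidr fact, so if that fact is a /32 and the linked hub-and-spoke model (spokes reaching each other through the hub) is intended, it needs the whole `10.100.0.0/24` instead.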


@ -0,0 +1,37 @@
{ config, pkgs, lib, ... }: {
services.syncthing = {
enable = true;
openDefaultPorts = false;
user = "palo";
dataDir = "/home/palo/.syncthing";
configDir = "/home/palo/.syncthing";
overrideFolders = true;
folders = {
# on encrypted drive
# ------------------
private = {
enable = true;
path = "/home/palo/private";
};
desktop = {
enable = true;
path = "/home/palo/desktop";
};
finance = {
enable = true;
path = "/home/palo/finance";
};
password-store = {
enable = true;
path = "/home/palo/.password-store";
};
};
};
services.permown."/home/palo/music-library" = {
owner = "palo";
group = "users";
};
}
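Review bot: `overrideFolders = true` combined with folder entries that list no `devices` declares each folder as shared with nobody, and `overrideDevices` defaults to true as well; unless a `devices` list is set elsewhere (not on this page) nothing will sync, and any device added through the GUI is removed again on the next rebuild. The comment `# on encrypted drive` is only true when this config is deployed together with `disko-config-encrypted.nix`; since `.password-store` is among the folders, make that dependency explicit, e.g. `# these paths must live on the LUKS root (see disko-config-encrypted.nix); do not enable on a plaintext install`.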


@ -0,0 +1,5 @@
{ config, ... }:
{
tinc.private.enable = true;
tinc.private.ipv4 = "10.23.42.25";
}


@ -232,7 +232,6 @@ in
'';
};
sudoUsers = mkOption {
default = [ config.users.users.mainUser.name ];
type = with types; listOf str;
description = ''
user allowed to run sudo without password to start the browser
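Review bot: Dropping `default = [ config.users.users.mainUser.name ]` is the right direction (passwordless sudo should be opt-in), but the option now has no default at all, so any evaluation that reads `cfg.sudoUsers` outside a `mkIf cfg.enable` guard fails with "option used but not defined" even on machines that never enable the browser feature. `default = [ ];` keeps evaluation working while preserving the safer behaviour. The enclosing options block starts and ends outside this hunk.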


@ -3,7 +3,6 @@
imports = [
./browser.nix
./castget.nix
#./init-ssh.nix
./rbackup.nix
./samba-share.nix
./taskwarrior-autotag.nix


@ -1,105 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.configuration.init-ssh;
in
{
# todo : this is kinda deprecated. It should be replaced some day with something more simple, and put in a module.
options.configuration.init-ssh = {
enable = mkOption {
default = "disable";
type = with types; enum [ "disable" "prepare" "enabled" ];
};
kernelModules = mkOption {
type = with types; listOf str;
description =
"lspci -v will tell you which kernel module is used for the ethernet interface";
};
port = mkOption {
default = 2222;
type = with types; int;
};
authorizedKeys = mkOption {
type = with types; listOf str;
default = config.users.users.root.openssh.authorizedKeys.keys
++ (map (keyFile: lib.fileContents keyFile)
config.users.users.root.openssh.authorizedKeys.keyFiles);
};
hostKey = mkOption {
default = "/etc/secrets/initrd/ssh_host_ed25519_key";
type = with types; path;
description = ''
To generate keys, use ssh-keygen(1):
# ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
'';
};
};
config = mkMerge [
(mkIf (cfg.enable != "disable") {
services.tor = {
enable = true;
client.enable = true;
relay.onionServices.bootup.map = [{ port = 22; }];
};
})
(mkIf (cfg.enable == "enabled") {
# tor setup
boot.initrd.secrets = {
"/etc/tor/onion/bootup" = /var/lib/tor/onion/bootup;
};
boot.initrd.extraUtilsCommands = ''
copy_bin_and_libs ${pkgs.tor}/bin/tor
'';
boot.initrd.network.postCommands =
let
torRc = (pkgs.writeText "tor.rc" ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort ${toString cfg.port} 127.0.0.1:${toString cfg.port}
'');
in
''
echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor
echo "make sure localhost is up"
ip a a 127.0.0.1/8 dev lo
# ifconfig lo up
ip link set lo up
echo "tor: starting tor"
tor -f ${torRc} --verify-config
tor -f ${torRc} &
'';
# ssh setup
# todo add the ssh host fingerprint to your trusted stuff
# todo set ssh host key here
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
authorizedKeys = cfg.authorizedKeys;
port = cfg.port;
hostKeys = [ cfg.hostKey ];
};
boot.initrd.availableKernelModules = cfg.kernelModules;
})
];
}


@ -2,8 +2,6 @@
imports = [
../../modules
../../components/network
./defaults.nix
./grub.nix
./packages.nix


@ -13,7 +13,7 @@ options = [
"-w", # write back to the file
]
includes = ["*.sh"]
excludes = ["./scripts/hetzner-dedicated-wipe-and-install-nixos.sh"]
excludes = ["scripts/hetzner-dedicated-wipe-and-install-nixos.sh"]
#[formatter.shellcheck]
#command = "shellcheck"