Compare commits
55 commits
d610c9ebab
...
3838f068ee
Author | SHA1 | Date | |
---|---|---|---|
|
3838f068ee | ||
|
bc595a1198 | ||
|
b04dd0738b | ||
|
1cdd13956b | ||
|
e50d61faf4 | ||
|
11871fc506 | ||
|
8f6fa5939b | ||
|
ee4d9bcc4f | ||
|
ac30776e4c | ||
|
22a49f5599 | ||
|
8cdd63bdcc | ||
|
33d716ea6b | ||
|
aed8c552ba | ||
|
96ee5a488e | ||
|
eec51b58b3 | ||
|
161486b887 | ||
|
29e3213e4b | ||
|
7e1e13e897 | ||
|
53187fb603 | ||
|
800045c1c5 | ||
|
77459df69c | ||
|
7e2c61ad88 | ||
|
50688f4500 | ||
|
4f6924d5d7 | ||
|
b24094155a | ||
|
1447d96b43 | ||
|
848eccb959 | ||
|
569d891a7e | ||
|
7a4f203752 | ||
|
efd451e180 | ||
|
3fa5c09a62 | ||
|
9cdfeba305 | ||
|
0780abb35d | ||
|
1b9105f158 | ||
|
26aaec9101 | ||
|
cc5d655ef7 | ||
|
e471c24d93 | ||
|
509f283924 | ||
|
40e5456517 | ||
|
060261dc90 | ||
|
69bbf19f91 | ||
|
8327f1860d | ||
|
f411567ad6 | ||
|
ca0e7382a3 | ||
|
9b7ff29143 | ||
|
4f6ed530db | ||
|
2b9062e1f1 | ||
|
d5f1ef4af6 | ||
|
36fc0508b0 | ||
|
8efad90f4b | ||
|
db6e5d3828 | ||
|
ccec2860ec | ||
|
e717d0081e | ||
|
695f8bae20 | ||
|
7d856ed1f1 |
98 changed files with 1090 additions and 835 deletions
.forgejo/workflows
components
features
flake.lockflake.nixhomes
common
palo
images
machines
cherry
chungus
cream
orbi
buildbot-master.nixbuildbot-worker.nixconfiguration.nix
facts
hardware-configuration
media-nextcloud.nixmedia-transmission2.nixservice-forgejo-runner.nixservice-nix-cache.nixservice-photoprism.nixservice-surrealdb.nixservice-vikunja.nixsocial-matrix-terranix.nixprobe
sternchen
usbstick
modules
system/all
treefmt.toml
|
@ -5,7 +5,7 @@ on:
|
|||
branches:
|
||||
- "**"
|
||||
schedule:
|
||||
- cron: "30 2 * * *" # not to frequent, GitHub only allows a few pulls per hour
|
||||
- cron: "30 2/6 * * *" # not to frequent, GitHub only allows a few pulls per hour
|
||||
|
||||
jobs:
|
||||
nix build:
|
||||
|
@ -64,6 +64,9 @@ jobs:
|
|||
- name: nix build sternchen
|
||||
run: nix build .#nixosConfigurations.sternchen.config.system.build.toplevel
|
||||
|
||||
- name: nix build usbstick
|
||||
run: nix build .#nixosConfigurations.usbstick.config.system.build.toplevel
|
||||
|
||||
- name: commit & push
|
||||
if: ${{ github.event_name == 'schedule' }}
|
||||
# only if all nix builds are fine we update our branch
|
||||
|
|
|
@ -10,6 +10,7 @@
|
|||
./nixos
|
||||
./terminal
|
||||
./timezone.nix
|
||||
./virtualisation
|
||||
./yubikey.nix
|
||||
];
|
||||
|
||||
|
|
|
@ -34,50 +34,59 @@ in
|
|||
home = "${homeFolder}/development-browser";
|
||||
homeBackup = "${backupFolder}/development-browser";
|
||||
gpu = false;
|
||||
sudoUsers = [ config.users.users.mainUser.name ];
|
||||
};
|
||||
google = {
|
||||
home = "${homeFolder}/google-browser";
|
||||
homeBackup = "${backupFolder}/google-browser";
|
||||
gpu = false;
|
||||
sudoUsers = [ config.users.users.mainUser.name ];
|
||||
};
|
||||
finance = {
|
||||
home = "${homeFolder}/finance-browser";
|
||||
homeBackup = "${backupFolder}/finance-browser";
|
||||
gpu = false;
|
||||
sudoUsers = [ config.users.users.mainUser.name ];
|
||||
};
|
||||
facebook = {
|
||||
home = "${homeFolder}/facebook-browser";
|
||||
homeBackup = "${backupFolder}/facebook-browser";
|
||||
gpu = false;
|
||||
sudoUsers = [ config.users.users.mainUser.name ];
|
||||
};
|
||||
shopping = {
|
||||
home = "${homeFolder}/shopping-browser";
|
||||
homeBackup = "${backupFolder}/shopping-browser";
|
||||
gpu = false;
|
||||
sudoUsers = [ config.users.users.mainUser.name ];
|
||||
};
|
||||
jobrad = {
|
||||
browserType = "chrome";
|
||||
home = "${homeFolder}/jobrad-chrome";
|
||||
homeBackup = "${backupFolder}/jobrad-chrome";
|
||||
gpu = false;
|
||||
sudoUsers = [ config.users.users.mainUser.name ];
|
||||
};
|
||||
firefox-tmp = {
|
||||
browserType = "firefox";
|
||||
home = "${homeFolder}/firefox-tmp";
|
||||
homeBackup = "${backupFolder}/firefox-tmp-browser";
|
||||
gpu = false;
|
||||
sudoUsers = [ config.users.users.mainUser.name ];
|
||||
};
|
||||
chromium-tmp = {
|
||||
browserType = "chrome";
|
||||
home = "${homeFolder}/chromium-tmp";
|
||||
homeBackup = "${backupFolder}/chrome-tmp-browser";
|
||||
gpu = false;
|
||||
sudoUsers = [ config.users.users.mainUser.name ];
|
||||
};
|
||||
google-tmp = {
|
||||
browserType = "google";
|
||||
home = "${homeFolder}/google-tmp";
|
||||
homeBackup = "${backupFolder}google-tmp-browser";
|
||||
gpu = false;
|
||||
sudoUsers = [ config.users.users.mainUser.name ];
|
||||
};
|
||||
|
||||
};
|
||||
|
|
|
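Review bot: The `google-tmp` entry's `homeBackup = "${backupFolder}google-tmp-browser";` is missing the `/` separator that every sibling entry has (`"${backupFolder}/firefox-tmp-browser"`, `"${backupFolder}/chrome-tmp-browser"`), so the backup resolves to a sibling path of the backup folder rather than a directory inside it; it should read `homeBackup = "${backupFolder}/google-tmp-browser";`. The same block sets `browserType = "google";` while every other entry uses `"chrome"` or `"firefox"` — if the browser module only accepts those two values this entry will fail evaluation or silently fall back, which is worth confirming against the module (not part of this compare). Whether these lines are new in this commit or carried context cannot be told from the rendered hunk, and the attribute set begins before it.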
@ -10,7 +10,6 @@ with lib;
|
|||
./audio.nix
|
||||
./browser.nix
|
||||
./cups.nix
|
||||
./fonts.nix
|
||||
./home-manager
|
||||
./kmonad.nix
|
||||
#./noti.nix # todo: make this different (use password store and such)
|
||||
|
|
|
@ -1,36 +0,0 @@
|
|||
{ pkgs, config, lib, ... }:
|
||||
with lib;
|
||||
{
|
||||
options.components.gui.style.enable = mkOption {
|
||||
type = lib.types.bool;
|
||||
default = config.components.gui.enable;
|
||||
};
|
||||
|
||||
config = mkIf (config.components.gui.style.enable) {
|
||||
|
||||
fonts.packages = with pkgs; [
|
||||
|
||||
corefonts
|
||||
hasklig
|
||||
inconsolata
|
||||
source-code-pro
|
||||
symbola
|
||||
ubuntu_font_family
|
||||
|
||||
# symbol fonts
|
||||
# ------------
|
||||
nerdfonts
|
||||
powerline-fonts
|
||||
font-awesome
|
||||
fira-code-symbols
|
||||
jetbrains-mono
|
||||
|
||||
# shell font
|
||||
# ----------
|
||||
terminus_font
|
||||
gohufont
|
||||
|
||||
];
|
||||
|
||||
};
|
||||
}
|
|
@ -4,10 +4,10 @@ with lib;
|
|||
|
||||
options.components.gui.wayland.enable = mkOption {
|
||||
type = lib.types.bool;
|
||||
default = ! config.components.gui.xorg.enable;
|
||||
default = !config.components.gui.xorg.enable;
|
||||
};
|
||||
|
||||
config = mkIf config.components.gui.wayland.enable {
|
||||
programs.hyprland.enable = true;
|
||||
config = mkIf (config.components.gui.wayland.enable && config.components.gui.enable) {
|
||||
programs.sway.enable = false;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -9,7 +9,7 @@ with lib;
|
|||
default = config.components.gui.enable;
|
||||
};
|
||||
|
||||
config = mkIf config.components.gui.xorg.enable {
|
||||
config = mkIf (config.components.gui.xorg.enable && config.components.gui.enable) {
|
||||
|
||||
# system.custom.fonts.enable = true;
|
||||
services.displayManager = {
|
||||
|
|
|
@ -5,9 +5,11 @@ let
|
|||
|
||||
cfg = config.components.mainUser;
|
||||
|
||||
# todo : use optionalList
|
||||
dockerGroup =
|
||||
if (config.virtualisation.docker.enable) then [ "docker" ] else [ ];
|
||||
|
||||
# todo : use optionalList
|
||||
vboxGroup =
|
||||
if (config.virtualisation.virtualbox.host.enable) then
|
||||
[ "vboxusers" ]
|
||||
|
|
|
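Review bot: The two `# todo : use optionalList` comments added here name a helper I am not aware of in nixpkgs lib; the function is `lib.optional`, so the bodies collapse to `dockerGroup = lib.optional config.virtualisation.docker.enable "docker";` and `vboxGroup = lib.optional config.virtualisation.virtualbox.host.enable "vboxusers";` (the `vboxGroup` expression continues past the hunk). A comment next to `dockerGroup` should also say that membership of `docker` is root-equivalent on the host, since it is granted implicitly whenever docker is enabled. Privileged group membership is now spread over three places in this compare: `vboxusers` is granted here and again via `users.extraGroups.vboxusers.members` in `components/virtualisation/virtualbox.nix`, and `libvirtd` is added directly in `components/virtualisation/qemu.nix` — keeping it in one module makes auditing who receives a privileged group much simpler.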
@ -11,7 +11,6 @@ with types;
|
|||
|
||||
imports = [
|
||||
#./avahi.nix
|
||||
./fail2ban.nix
|
||||
./hosts.nix
|
||||
./nginx.nix
|
||||
./sshd
|
||||
|
|
|
@ -11,7 +11,6 @@ let
|
|||
echo "${config.networking.hostName}" | boxes -d ansi -s 80x1 -a r > $out
|
||||
'';
|
||||
|
||||
|
||||
in
|
||||
{
|
||||
|
||||
|
@ -31,10 +30,6 @@ in
|
|||
default = [ ];
|
||||
description = "keys to root login";
|
||||
};
|
||||
sshguard.enable = mkOption {
|
||||
type = bool;
|
||||
default = config.components.network.sshd.enable;
|
||||
};
|
||||
onlyTincAccess = mkOption {
|
||||
type = bool;
|
||||
default = false;
|
||||
|
@ -71,12 +66,6 @@ in
|
|||
|
||||
})
|
||||
|
||||
(mkIf cfg.sshguard.enable {
|
||||
environment.systemPackages = [ pkgs.ipset ];
|
||||
services.sshguard.enable = lib.mkDefault true;
|
||||
#boot.kernelModules = ["xt_set"];
|
||||
})
|
||||
|
||||
(mkIf (cfg.onlyTincAccess && cfg.enable) {
|
||||
networking.firewall.extraCommands = ''
|
||||
iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
|
||||
|
|
|
@ -9,9 +9,6 @@ let
|
|||
(machine:
|
||||
{
|
||||
hostNames = [
|
||||
"[${machine}]:2222"
|
||||
"[${machine}.${tld}]:2222"
|
||||
"[${machine}.private]:2222"
|
||||
"${machine}"
|
||||
"${machine}.${tld}"
|
||||
"${machine}.private"
|
||||
|
@ -19,9 +16,23 @@ let
|
|||
publicKey = publicKey machine;
|
||||
}
|
||||
);
|
||||
bootMachines = clanLib.readFactFromAllMachines "ssh.boot.id_ed25519.pub";
|
||||
knownBootHosts = lib.mapAttrs'
|
||||
(machine: publicKey: nameValuePair
|
||||
"boot_${machine}"
|
||||
{
|
||||
inherit publicKey;
|
||||
hostNames = [
|
||||
"[${machine}]:2222"
|
||||
"[${machine}.public]:2222"
|
||||
];
|
||||
}
|
||||
)
|
||||
bootMachines;
|
||||
in
|
||||
{
|
||||
|
||||
# todo : move this to the proper place
|
||||
options.components.network.zerotier = {
|
||||
enable = mkOption {
|
||||
type = bool;
|
||||
|
@ -30,6 +41,6 @@ in
|
|||
};
|
||||
|
||||
config = mkIf config.components.network.zerotier.enable {
|
||||
services.openssh.knownHosts = knownHosts;
|
||||
services.openssh.knownHosts = knownHosts // knownBootHosts;
|
||||
};
|
||||
}
|
||||
|
|
|
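Review bot: `knownBootHosts` registers the boot key only for `[${machine}]:2222` and `[${machine}.public]:2222`, while the `:2222` entries the first hunk appears to drop from the regular host list also covered `[${machine}.${tld}]:2222` and `[${machine}.private]:2222`; anyone still unlocking via those names now gets a first-use host-key prompt (or a mismatch if an old entry survives in their `known_hosts`), which trains people to click through warnings. If those names are still used, add them to the `hostNames` list inside the `knownBootHosts` lambda; if `.public` is the only intended name, a short comment saying so stops the next reader from re-adding them. The `.public` suffix also diverges from the `.private`/`${tld}` scheme used above — worth confirming it is deliberate. The enclosing `let` block begins before the first hunk.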
@ -26,6 +26,7 @@ let
|
|||
"prowlarr.orbi" = hosts.orbi;
|
||||
"photoprism.orbi" = hosts.orbi;
|
||||
# chungus
|
||||
"video.chungus" = hosts.chungus;
|
||||
"de.tts.chungus" = hosts.chungus;
|
||||
"en.tts.chungus" = hosts.chungus;
|
||||
"flix.chungus" = hosts.chungus;
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
{
|
||||
imports = [
|
||||
./upgrade-diff.nix
|
||||
./tor-ssh.nix
|
||||
];
|
||||
|
||||
options.components.nixos.enable = lib.mkOption {
|
||||
|
|
|
@ -1,137 +0,0 @@
|
|||
{ config, lib, pkgs, factsGenerator, clanLib, ... }:
|
||||
with lib;
|
||||
with types;
|
||||
|
||||
{
|
||||
options.components.nixos.boot = {
|
||||
|
||||
enable = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
};
|
||||
|
||||
kernelModules = mkOption {
|
||||
type = listOf str;
|
||||
default = [ ];
|
||||
description =
|
||||
"lspci -v will tell you which kernel module is used for the ethernet interface";
|
||||
};
|
||||
|
||||
ssh.enable = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = config.components.nixos.boot.enable;
|
||||
};
|
||||
|
||||
tor.enable = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = config.components.nixos.boot.ssh.enable;
|
||||
};
|
||||
};
|
||||
|
||||
config = mkMerge [
|
||||
|
||||
# todo : not working at the moment, because onion hostnames are secrets
|
||||
(
|
||||
let
|
||||
onionIds = clanLib.readFactFromAllMachines "tor.initrd.hostname";
|
||||
generateOnionUnlockScript = machine: onionId: pkgs.writers.writeDashBin "unlock-boot-${machine}-via-tor" ''
|
||||
${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
|
||||
'';
|
||||
in
|
||||
{
|
||||
# add known hosts
|
||||
services.openssh.knownHosts =
|
||||
mapAttrs
|
||||
(_machine: onionId: {
|
||||
hostNames = [ "[${onionId}]:2222" ];
|
||||
})
|
||||
onionIds;
|
||||
|
||||
# create unlook tor boot script
|
||||
environment.systemPackages =
|
||||
mapAttrsToList generateOnionUnlockScript onionIds;
|
||||
}
|
||||
)
|
||||
|
||||
# tor part
|
||||
# --------
|
||||
(mkIf (config.components.nixos.boot.tor.enable) {
|
||||
|
||||
#services.tor = {
|
||||
# enable = true;
|
||||
# client.enable = true;
|
||||
# relay.onionServices.bootup.map = [{ port = 2222; }];
|
||||
#};
|
||||
|
||||
# tor setup
|
||||
clan.core.facts.services.initrd_tor = factsGenerator.tor { name = ""; };
|
||||
|
||||
boot.initrd.secrets = {
|
||||
"/etc/tor/onion/bootup/tor.priv" = config.clan.core.facts.services.initrd_tor.secret."tor.initrd.priv".path;
|
||||
"/etc/tor/onion/bootup/hostname" = config.clan.core.facts.services.initrd_tor.secret."tor.initrd.hostname".path;
|
||||
};
|
||||
|
||||
#boot.initrd.extraUtilsCommands = ''
|
||||
# copy_bin_and_libs ${pkgs.tor}/bin/tor
|
||||
#'';
|
||||
|
||||
# fixme: this thing is not working for some reason.
|
||||
boot.initrd.systemd.packages = [ pkgs.tor pkgs.iproute2 pkgs.coreutils ];
|
||||
boot.initrd.systemd.services.tor = {
|
||||
path = [ pkgs.tor pkgs.iproute2 pkgs.coreutils ];
|
||||
# todo: set wanted by
|
||||
script =
|
||||
let
|
||||
torRc = pkgs.writeText "tor.rc" ''
|
||||
DataDirectory /etc/tor
|
||||
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
|
||||
SOCKSPort 127.0.0.1:9063
|
||||
HiddenServiceDir /etc/tor/onion/bootup
|
||||
HiddenServicePort 2222 127.0.0.1:2222
|
||||
'';
|
||||
in
|
||||
''
|
||||
echo "tor: preparing onion folder"
|
||||
# have to do this otherwise tor does not want to start
|
||||
chmod -R 700 /etc/tor
|
||||
|
||||
echo "make sure localhost is up"
|
||||
ip a a 127.0.0.1/8 dev lo
|
||||
ip link set lo up
|
||||
|
||||
echo "tor: starting tor"
|
||||
tor -f ${torRc} --verify-config
|
||||
tor -f ${torRc}
|
||||
'';
|
||||
};
|
||||
})
|
||||
|
||||
|
||||
# ssh part
|
||||
# --------
|
||||
(mkIf (config.components.nixos.boot.ssh.enable) {
|
||||
|
||||
# boot
|
||||
boot.initrd.systemd.enable = true;
|
||||
boot.initrd.systemd.contents."/etc/hostname".text = "unlock.${config.networking.hostName}";
|
||||
|
||||
# network
|
||||
boot.initrd.systemd.network.enable = true;
|
||||
boot.initrd.availableKernelModules = config.components.nixos.boot.kernelModules;
|
||||
|
||||
# ssh
|
||||
boot.initrd.network.enable = true;
|
||||
boot.initrd.network.ssh = {
|
||||
enable = true;
|
||||
#authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ;
|
||||
#authorizedKeyFiles = config.users.users.root.openssh.authorizedKeys.keyFiles;
|
||||
port = 2222;
|
||||
hostKeys = map ({ path, ... }: path) config.services.openssh.hostKeys;
|
||||
};
|
||||
|
||||
|
||||
})
|
||||
|
||||
];
|
||||
}
|
||||
|
|
@ -13,7 +13,6 @@ with lib;
|
|||
./git.nix
|
||||
./heygpt.nix
|
||||
./hoard.nix
|
||||
./oh-my-posh
|
||||
./remote-install.nix
|
||||
./wtf.nix
|
||||
./zsh.nix
|
||||
|
|
|
@ -1,26 +0,0 @@
|
|||
{ pkgs, config, lib, ... }:
|
||||
with lib;
|
||||
{
|
||||
options.components.terminal.oh-my-posh.enable = mkOption {
|
||||
type = lib.types.bool;
|
||||
default = config.components.terminal.enable;
|
||||
};
|
||||
|
||||
config = mkIf (config.components.terminal.oh-my-posh.enable) {
|
||||
|
||||
home-manager.users =
|
||||
let
|
||||
poshConfig = {
|
||||
programs.oh-my-posh = {
|
||||
enable = true;
|
||||
# useTheme = "gruvbox";
|
||||
settings = builtins.fromJSON (builtins.readFile ./gruvbox.json);
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
mainUser = poshConfig;
|
||||
root = poshConfig;
|
||||
};
|
||||
};
|
||||
}
|
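--- a/components/virtualisation/default.nix
+++ b/components/virtualisation/default.nix
@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+{
+imports = [
+./docker.nix
+./podman.nix
+./virtualbox.nix
+./qemu.nix
+];
+
+options.components.virtualisation.enable = lib.mkOption {
+type = lib.types.bool;
+default = false;
+};
+
+}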
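--- a/components/virtualisation/docker.nix
+++ b/components/virtualisation/docker.nix
@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+with lib;
+{
+
+options.components.virtualisation.docker.enable = lib.mkOption {
+type = lib.types.bool;
+default = config.components.virtualisation.enable;
+};
+
+config = mkIf config.components.virtualisation.docker.enable {
+
+virtualisation.docker.enable = true;
+
+};
+
+}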
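--- a/components/virtualisation/podman.nix
+++ b/components/virtualisation/podman.nix
@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+with lib;
+{
+
+options.components.virtualisation.podman.enable = lib.mkOption {
+type = lib.types.bool;
+default = config.components.virtualisation.enable;
+};
+
+config = mkIf config.components.virtualisation.podman.enable {
+
+virtualisation.podman.enable = true;
+
+# make sure /var/lib/containers/storage is a zfs dataset
+virtualisation.podman.extraPackages = [ pkgs.zfs ];
+
+};
+
+}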
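--- a/components/virtualisation/qemu.nix
+++ b/components/virtualisation/qemu.nix
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+with lib;
+{
+
+options.components.virtualisation.qemu.enable = lib.mkOption {
+type = lib.types.bool;
+default = config.components.virtualisation.enable;
+};
+
+config = mkIf config.components.virtualisation.qemu.enable {
+
+virtualisation.libvirtd.enable = true;
+#virtualisation.libvirtd.allowedBridges = ["virbr0"];
+virtualisation.libvirtd.onShutdown = "shutdown";
+
+environment.systemPackages = [
+pkgs.qemu_kvm
+#(pkgs.quickemu.override { qemu_full = pkgs.qemu_kvm; })
+pkgs.quickemu
+pkgs.virt-manager
+];
+
+users.users.mainUser.extraGroups = [ "libvirtd" ];
+
+};
+
+}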
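--- a/components/virtualisation/virtualbox.nix
+++ b/components/virtualisation/virtualbox.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+with lib;
+{
+
+options.components.virtualisation.virtualbox.enable = lib.mkOption {
+type = lib.types.bool;
+default = config.components.virtualisation.enable;
+};
+
+config = mkIf config.components.virtualisation.virtualbox.enable {
+
+virtualisation.virtualbox = {
+host.enable = true;
+guest.enable = true;
+};
+
+users.extraGroups.vboxusers.members = [ config.users.users.mainUser.name ];
+
+};
+
+}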
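Review bot: `guest.enable = true;` turns on the VirtualBox guest additions, which are meant for a NixOS system running inside VirtualBox; on the machine acting as the VirtualBox host they add guest kernel modules and services with no purpose, so unless one of the machines in this compare is itself a VirtualBox VM this line should go. The `vboxusers` membership set on the `users.extraGroups.vboxusers.members` line duplicates the `vboxGroup` the mainUser module derives from `config.virtualisation.virtualbox.host.enable` in its own hunk of this compare; keep one of the two so group grants have a single source. A one-line comment above `virtualisation.virtualbox` stating which machines are expected to be hosts and which guests would make the intent checkable.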
@ -16,8 +16,14 @@ with lib;
|
|||
services.pcscd.enable = true;
|
||||
services.udev.packages = [ pkgs.yubikey-personalization ];
|
||||
|
||||
|
||||
environment.systemPackages = [
|
||||
|
||||
pkgs.yubikey-personalization
|
||||
pkgs.yubikey-personalization-gui
|
||||
pkgs.yubikey-manager
|
||||
pkgs.yubikey-manager-qt
|
||||
|
||||
# for `gpg --export $keyid | hokey lint` to check keys
|
||||
#pkgs.haskellPackages.hopenpgp-tools
|
||||
|
||||
|
|
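--- a/features/boot/default.nix
+++ b/features/boot/default.nix
@@ -0,0 +1,6 @@
+{
+imports = [
+./ssh.nix
+./tor.nix
+];
+}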
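--- a/features/boot/ssh.nix
+++ b/features/boot/ssh.nix
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, factsGenerator, clanLib, ... }:
+with lib;
+with types;
+
+{
+options.features.boot.ssh = {
+enable = lib.mkOption {
+type = lib.types.bool;
+default = false;
+};
+kernelModules = mkOption {
+type = listOf str;
+default = [ ];
+description =
+"nix-shell -p pciutils --run 'lspci -v' will tell you which kernel module is used for the ethernet interface";
+};
+};
+
+config = mkIf (config.features.boot.ssh.enable) {
+
+# ssh host key
+clan.core.facts.services."boot.ssh" = factsGenerator.ssh { name = "boot"; };
+
+# todo: maybe put this in a component
+# boot
+boot.initrd.systemd.enable = true;
+boot.initrd.systemd.contents."/etc/hostname".text = "unlock.${config.networking.hostName}";
+
+# network
+boot.initrd.systemd.network.enable = true;
+boot.initrd.availableKernelModules = config.features.boot.ssh.kernelModules;
+
+# ssh
+boot.initrd.network.enable = true;
+boot.initrd.network.ssh = {
+enable = true;
+authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
+port = 2222;
+hostKeys = [ config.clan.core.facts.services."boot.ssh".secret."ssh.boot.id_ed25519".path ];
+};
+
+};
+
+}
+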
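Review bot: The `hostKeys = [ config.clan.core.facts.services."boot.ssh".secret."ssh.boot.id_ed25519".path ];` line switches the initrd SSH host key from the system's `services.openssh.hostKeys` (which the deleted `tor-ssh.nix` used via `map ({ path, ... }: path)`) to a dedicated boot key, and that deserves a comment because it is the security-relevant part of the design: `boot.initrd.network.ssh.hostKeys` copies the key into the initrd, which on a typical NixOS install lives on an unencrypted `/boot`, so a reused system host key could be lifted from there and used to impersonate the running host. Suggested: `# dedicated boot key: it is baked into the (unencrypted) initrd, never reuse the system host key here`. `authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;` means every key allowed to log in as root at runtime can also open the unlock shell; that is presumably intended, but note it, and I believe the NixOS initrd-ssh module asserts that at least one authorized key is set, so a machine whose root has none will fail evaluation rather than boot without access. `clanLib` and `pkgs` are bound but unused in this file and can be dropped from the argument set.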
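--- a/features/boot/tor.nix
+++ b/features/boot/tor.nix
@@ -0,0 +1,69 @@
+{ config, lib, pkgs, factsGenerator, clanLib, ... }:
+with lib;
+with types;
+{
+options.features.boot.tor = {
+enable = lib.mkOption {
+type = lib.types.bool;
+default = false;
+};
+};
+
+config = mkIf (config.features.boot.tor.enable) {
+
+# tor secrets
+clan.core.facts.services."initrd.tor" = factsGenerator.tor {
+name = "initrd";
+addressPrefix = "init";
+};
+boot.initrd.secrets =
+mapAttrs' (name: file: nameValuePair "/etc/tor/onion/bootup/${name}" file)
+(genAttrs [
+"hostname"
+"hs_ed25519_public_key"
+"hs_ed25519_secret_key"
+]
+(secret: config.clan.core.facts.services."initrd.tor".secret."tor.initrd.${secret}".path));
+
+boot.initrd.systemd.storePaths = [
+pkgs.tor
+pkgs.iproute2
+pkgs.coreutils
+];
+boot.initrd.systemd.contents = {
+"/etc/tor/tor.rc".text = ''
+DataDirectory /etc/tor
+SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+SOCKSPort 127.0.0.1:9063
+HiddenServiceDir /etc/tor/onion/bootup
+HiddenServicePort 2222 127.0.0.1:2222
+'';
+};
+
+boot.initrd.systemd.services.tor = {
+description = "tor during init";
+wantedBy = [ "initrd.target" ];
+after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
+before = [ "shutdown.target" ];
+conflicts = [ "shutdown.target" ];
+
+unitConfig.DefaultDependencies = false;
+path = [
+pkgs.tor
+pkgs.iproute2
+pkgs.coreutils
+];
+script =
+''
+echo "tor: preparing onion folder"
+# have to do this otherwise tor does not want to start
+chmod -R 700 /etc/tor
+
+echo "tor: starting tor"
+tor -f /etc/tor/tor.rc --verify-config
+tor -f /etc/tor/tor.rc
+'';
+};
+};
+}
+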
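Review bot: The three onion files mapped into `boot.initrd.secrets`, including `hs_ed25519_secret_key`, are appended to the initrd, which on a typical NixOS install sits on an unencrypted `/boot`; that is inherent to unlocking before the root volume is open, but it means anyone with access to `/boot` obtains the unlock onion identity, so a comment above `boot.initrd.secrets` should state it and explain why the `initrd` fact is kept separate from any runtime tor identity (which `name = "initrd"` already achieves). The embedded `tor.rc` opens two `SOCKSPort` listeners that an onion-service-only tor does not need; `SOCKSPort 0` in their place removes the client side entirely. The deleted `tor-ssh.nix` tried to register `services.openssh.knownHosts` for the onion names and that did not come back — the hostname is a secret fact, so `readFactFromAllMachines` cannot populate it — which means an unlock over Tor currently trusts the boot host key on first use; document that limitation next to the `HiddenServicePort 2222` line, or pin the boot public key under `[<onion-hostname>]:2222` (placeholder) wherever the hostname is known. `clanLib` is bound but unused here.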
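--- a/features/default.nix
+++ b/features/default.nix
@@ -0,0 +1,6 @@
+{
+imports = [
+./boot
+./network
+];
+}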
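--- a/features/network/default.nix
+++ b/features/network/default.nix
@@ -0,0 +1,6 @@
+{
+imports = [
+./fail2ban.nix
+./sshguard.nix
+];
+}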
@ -1,14 +1,14 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
with lib;
|
||||
{
|
||||
options.components.network.fail2ban.enable = mkOption {
|
||||
options.features.network.fail2ban.enable = mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
};
|
||||
|
||||
config = mkMerge [
|
||||
(mkIf config.components.network.fail2ban.enable {
|
||||
environment.systemPackages = [ pkgs.fail2ban pkgs.ipset ];
|
||||
(mkIf config.features.network.fail2ban.enable {
|
||||
environment.systemPackages = [ pkgs.fail2ban ];
|
||||
services.fail2ban = {
|
||||
enable = true;
|
||||
#package = pkgs.legacy_2311.fail2ban;
|
||||
|
@ -19,7 +19,7 @@ with lib;
|
|||
# custom defined jails
|
||||
# --------------------
|
||||
# https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf
|
||||
(mkIf config.components.network.fail2ban.enable {
|
||||
(mkIf config.features.network.fail2ban.enable {
|
||||
services.fail2ban.jails.nginx-git-not-found.settings = {
|
||||
port = "http,https";
|
||||
logpath = "%(nginx_error_log)s";
|
||||
|
@ -33,7 +33,7 @@ with lib;
|
|||
'';
|
||||
};
|
||||
})
|
||||
(mkIf config.components.network.fail2ban.enable {
|
||||
(mkIf config.features.network.fail2ban.enable {
|
||||
services.fail2ban.jails.nginx-git-bad-request.settings = {
|
||||
port = "http,https";
|
||||
logpath = "%(nginx_error_log)s";
|
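Review bot: The rename from `components.network.fail2ban.enable` to `features.network.fail2ban.enable` (this hunk and the two following `mkIf` hunks of the same file) ships without `lib.mkRenamedOptionModule [ "components" "network" "fail2ban" "enable" ] [ "features" "network" "fail2ban" "enable" ]` in the imports, so a machine still using the old path fails evaluation instead of carrying over; acceptable in a private config, but the one-line alias makes the migration reviewable and keeps a typo'd old path from being silently ignored later. `environment.systemPackages = [ pkgs.fail2ban ];` drops `pkgs.ipset`; I believe the NixOS module's default `banaction` is iptables-multiport, so that is fine unless a jail outside this hunk selects an ipset-based banaction — worth a quick grep before merging.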
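--- a/features/network/sshguard.nix
+++ b/features/network/sshguard.nix
@@ -0,0 +1,18 @@
+{ pkgs, config, lib, assets, ... }:
+with lib;
+with types;
+{
+
+options.features.network.sshguard = {
+enable = mkOption {
+type = bool;
+default = false;
+};
+};
+
+config = mkIf config.features.network.sshguard.enable {
+environment.systemPackages = [ pkgs.ipset ];
+services.sshguard.enable = true;
+};
+
+}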
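Review bot: `default = false;` is a silent hardening regression: the sshguard option this replaces (removed from the sshd module earlier in this compare) defaulted to `config.components.network.sshd.enable`, so every host running sshd got sshguard automatically, whereas `features.network.sshguard.enable` now has to be switched on per machine — unless the machine configs (not in this chunk) do so, exposed sshd hosts lose brute-force throttling without any evaluation error. Either keep the old default, `default = config.components.network.sshd.enable;`, or add `lib.mkRenamedOptionModule` from the old path (probably `[ "components" "network" "sshd" "sshguard" "enable" ]`) to `[ "features" "network" "sshguard" "enable" ]` so existing settings still apply. The `assets` argument is unused and can be dropped.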
272
flake.lock
272
flake.lock
|
@ -114,27 +114,6 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"buildbot-nix": {
|
||||
"inputs": {
|
||||
"flake-parts": "flake-parts",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1721974127,
|
||||
"narHash": "sha256-JRFXABMMytNM/v1mQAq7wJvk6Gm8EHyDwbGJ1x1m8V4=",
|
||||
"owner": "MagicRB",
|
||||
"repo": "buildbot-nix",
|
||||
"rev": "7390710de1d2096a24804a47ca55f20221529041",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "MagicRB",
|
||||
"ref": "pydantic-convert",
|
||||
"repo": "buildbot-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"clan-core": {
|
||||
"inputs": {
|
||||
"disko": "disko",
|
||||
|
@ -146,14 +125,15 @@
|
|||
"nixpkgs"
|
||||
],
|
||||
"sops-nix": "sops-nix",
|
||||
"treefmt-nix": "treefmt-nix_2"
|
||||
"systems": "systems",
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1722268611,
|
||||
"narHash": "sha256-D3rKirDy5SaLPVs0hpYA0J59TBb0+nkfUMlk48YpciI=",
|
||||
"lastModified": 1724336239,
|
||||
"narHash": "sha256-p8zpAx/w3PjaGaTyOP/wus4eJAdHPKxOtvDKfEHcs9Y=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "99a87a6120291deef7a2320a94e1fbdbf5674ab6",
|
||||
"revCount": 3595,
|
||||
"rev": "3fe873855a39b71e2b4e9fca1be1ec10cf5a6024",
|
||||
"revCount": 3822,
|
||||
"type": "git",
|
||||
"url": "https://git.clan.lol/clan/clan-core"
|
||||
},
|
||||
|
@ -167,15 +147,15 @@
|
|||
"clan-core": [
|
||||
"clan-core"
|
||||
],
|
||||
"flake-parts": "flake-parts_2",
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
"flake-parts": "flake-parts",
|
||||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1721508205,
|
||||
"narHash": "sha256-X4xVtKAkA/gVqIaCw0L5Rk9062VqlHiH0VK5En5Oi5s=",
|
||||
"lastModified": 1723143645,
|
||||
"narHash": "sha256-/71L2ZBM9AmUpEQC19Rf7AxA+BhIquObB8aZDkfVRz8=",
|
||||
"owner": "mrvandalo",
|
||||
"repo": "clan-fact-generators",
|
||||
"rev": "b3fb36c18871861f510330c272b455eb718cd3e4",
|
||||
"rev": "620c5d3185594b3e2d91e29a7590f44abae4319c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -192,11 +172,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1721417620,
|
||||
"narHash": "sha256-6q9b1h8fI3hXg2DG6/vrKWCeG8c5Wj2Kvv22RCgedzg=",
|
||||
"lastModified": 1723080788,
|
||||
"narHash": "sha256-C5LbM5VMdcolt9zHeLQ0bYMRjUL+N+AL5pK7/tVTdes=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "bec6e3cde912b8acb915fecdc509eda7c973fb42",
|
||||
"rev": "ffc1f95f6c28e1c6d1e587b51a2147027a3e45ed",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -244,27 +224,6 @@
|
|||
}
|
||||
},
|
||||
"flake-parts": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
"buildbot-nix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1719994518,
|
||||
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-parts_2": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": "nixpkgs-lib"
|
||||
},
|
||||
|
@ -282,18 +241,18 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-parts_3": {
|
||||
"flake-parts_2": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1719994518,
|
||||
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
|
||||
"lastModified": 1722555600,
|
||||
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
|
||||
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -302,7 +261,7 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-parts_4": {
|
||||
"flake-parts_3": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
"nixos-anywhere",
|
||||
|
@ -340,7 +299,7 @@
|
|||
},
|
||||
"flake-utils_2": {
|
||||
"inputs": {
|
||||
"systems": "systems"
|
||||
"systems": "systems_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1694529238,
|
||||
|
@ -373,7 +332,7 @@
|
|||
},
|
||||
"flake-utils_4": {
|
||||
"inputs": {
|
||||
"systems": "systems_2"
|
||||
"systems": "systems_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1694529238,
|
||||
|
@ -424,14 +383,14 @@
|
|||
},
|
||||
"home-manager": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_3"
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1722936497,
|
||||
"narHash": "sha256-UBst8PkhY0kqTgdKiR8MtTBt4c1XmjJoOV11efjsC/o=",
|
||||
"lastModified": 1723986931,
|
||||
"narHash": "sha256-Fy+KEvDQ+Hc8lJAV3t6leXhZJ2ncU5/esxkgt3b8DEY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "a6c743980e23f4cef6c2a377f9ffab506568413a",
|
||||
"rev": "2598861031b78aadb4da7269df7ca9ddfc3e1671",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -468,11 +427,11 @@
|
|||
},
|
||||
"locked": {
|
||||
"dir": "nix",
|
||||
"lastModified": 1721551388,
|
||||
"narHash": "sha256-JR9/TqQi4a14kmH+iypGZKa7H2VZhr2jL9QgHLx3LUw=",
|
||||
"lastModified": 1724217668,
|
||||
"narHash": "sha256-cqeOaZkDdcttgWjlokEXYyokBm3guoOGQUC1lvOurO0=",
|
||||
"owner": "kmonad",
|
||||
"repo": "kmonad",
|
||||
"rev": "31c591b647d277fe34cb06fc70b0d053dd15f867",
|
||||
"rev": "4c324f1631b3b2f7e17e804b0ed3ac314e57bcb8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -485,7 +444,7 @@
|
|||
"landingpage": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": "nixpkgs_4"
|
||||
"nixpkgs": "nixpkgs_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1709213960,
|
||||
|
@ -504,11 +463,11 @@
|
|||
"nixos-anywhere": {
|
||||
"inputs": {
|
||||
"disko": "disko_2",
|
||||
"flake-parts": "flake-parts_4",
|
||||
"flake-parts": "flake-parts_3",
|
||||
"nixos-images": "nixos-images_2",
|
||||
"nixos-stable": "nixos-stable",
|
||||
"nixpkgs": "nixpkgs_5",
|
||||
"treefmt-nix": "treefmt-nix_3"
|
||||
"nixpkgs": "nixpkgs_4",
|
||||
"treefmt-nix": "treefmt-nix_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1722000256,
|
||||
|
@ -526,11 +485,11 @@
|
|||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1722278305,
|
||||
"narHash": "sha256-xLBAegsn9wbj+pQfbX07kykd5VBV3Ywk3IbObVAAlWA=",
|
||||
"lastModified": 1724067415,
|
||||
"narHash": "sha256-WJBAEFXAtA41RMpK8mvw0cQ62CJkNMBtzcEeNIJV7b0=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "eab049fe178c11395d65a858ba1b56461ba9652d",
|
||||
"rev": "b09c46430ffcf18d575acf5c339b38ac4e1db5d2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -550,11 +509,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1721571445,
|
||||
"narHash": "sha256-2MnlPVcNJZ9Nbu90kFyo7+lng366gswErP4FExfrUbc=",
|
||||
"lastModified": 1724028934,
|
||||
"narHash": "sha256-2M5dqS7UbAKfrO+1U+P/t5S2QIGbuGIsTNMYJzwB17g=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixos-images",
|
||||
"rev": "accee005735844d57b411d9969c5d0aabc6a55f6",
|
||||
"rev": "b733f0680a42cc01d6ad53896fb5ca40a66d5e79",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -606,16 +565,16 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1721838734,
|
||||
"narHash": "sha256-o87oh2nLDzZ1E9+j1I6GaEvd9865OWGYvxaPSiH9DEU=",
|
||||
"owner": "Nixos",
|
||||
"lastModified": 1717196966,
|
||||
"narHash": "sha256-yZKhxVIKd2lsbOqYd5iDoUIwsRZFqE87smE2Vzf6Ck0=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "1855c9961e0bfa2e776fa4b58b7d43149eeed431",
|
||||
"rev": "57610d2f8f0937f39dbd72251e9614b1561942d8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Nixos",
|
||||
"ref": "nixos-unstable-small",
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -654,11 +613,11 @@
|
|||
},
|
||||
"nixpkgs-legacy_2405": {
|
||||
"locked": {
|
||||
"lastModified": 1722087241,
|
||||
"narHash": "sha256-2ShmEaFi0kJVOEEu5gmlykN5dwjWYWYUJmlRTvZQRpU=",
|
||||
"lastModified": 1724242322,
|
||||
"narHash": "sha256-HMpK7hNjhEk4z5SFg5UtxEio9OWFocHdaQzCfW1pE7w=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "8c50662509100d53229d4be607f1a3a31157fa12",
|
||||
"rev": "224042e9a3039291f22f4f2ded12af95a616cca0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -682,11 +641,11 @@
|
|||
},
|
||||
"nixpkgs-unstable-small": {
|
||||
"locked": {
|
||||
"lastModified": 1722979953,
|
||||
"narHash": "sha256-aFtHVx8WBrf6i3Rf+gYcilRuoimfmlzB9btc+br89R4=",
|
||||
"lastModified": 1724306539,
|
||||
"narHash": "sha256-9jF5qr44cnvWoXhE0cr114GHT5Adav3q/DKJ6n9tor8=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "9d938b4e45c9a6d04efc45405b3187fbfcff2f85",
|
||||
"rev": "6c31eb9b990446880000e3297f69f4fdee5b69d7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -698,11 +657,11 @@
|
|||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1717196966,
|
||||
"narHash": "sha256-yZKhxVIKd2lsbOqYd5iDoUIwsRZFqE87smE2Vzf6Ck0=",
|
||||
"lastModified": 1723175592,
|
||||
"narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "57610d2f8f0937f39dbd72251e9614b1561942d8",
|
||||
"rev": "5e0ca22929f3342b19569b21b2f3462f053e497b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -713,22 +672,6 @@
|
|||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1722185531,
|
||||
"narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_4": {
|
||||
"locked": {
|
||||
"lastModified": 1645527175,
|
||||
"narHash": "sha256-WeewqaO48sCctiN+iwgZZEJRU29Si7vHHoLCINAvuk8=",
|
||||
|
@ -743,7 +686,7 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_5": {
|
||||
"nixpkgs_4": {
|
||||
"locked": {
|
||||
"lastModified": 1717926692,
|
||||
"narHash": "sha256-THcv8qDqobZefHHluPjx/8n+MtVVb8ag/oJbKMqKNRo=",
|
||||
|
@ -759,13 +702,13 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_6": {
|
||||
"nixpkgs_5": {
|
||||
"locked": {
|
||||
"lastModified": 1722813957,
|
||||
"narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=",
|
||||
"lastModified": 1724224976,
|
||||
"narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa",
|
||||
"rev": "c374d94f1536013ca8e92341b540eba4c22f9c62",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -775,7 +718,7 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_7": {
|
||||
"nixpkgs_6": {
|
||||
"locked": {
|
||||
"lastModified": 1701263465,
|
||||
"narHash": "sha256-lNXUIlkfyDyp9Ox21hr+wsEf/IBklLvb6bYcyeXbdRc=",
|
||||
|
@ -791,7 +734,7 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_8": {
|
||||
"nixpkgs_7": {
|
||||
"locked": {
|
||||
"lastModified": 1632855891,
|
||||
"narHash": "sha256-crW76mt9/kbUBiKy/KiSnsQ9JEYgD3StDuYAMVkTbM0=",
|
||||
|
@ -805,13 +748,13 @@
|
|||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs_9": {
|
||||
"nixpkgs_8": {
|
||||
"locked": {
|
||||
"lastModified": 1722179153,
|
||||
"narHash": "sha256-ZJ75T0GWpLI4hoaL+YxueHD2pXG+VYpYtPJdwbkERVs=",
|
||||
"lastModified": 1724265050,
|
||||
"narHash": "sha256-RbWuBZn2QYNRPgfrQLtj7/AMEXOmlLT+kduufdmcRP8=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "dcfb2878c687e5eb5fcbc5116969c45c85be34e2",
|
||||
"rev": "e590723c5186bdad64e3cdaf9ed72cb984caa48e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -824,7 +767,7 @@
|
|||
"overviewer": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils_2",
|
||||
"nixpkgs": "nixpkgs_7",
|
||||
"nixpkgs": "nixpkgs_6",
|
||||
"pandoc_template": "pandoc_template"
|
||||
},
|
||||
"locked": {
|
||||
|
@ -881,7 +824,7 @@
|
|||
"polygon-art": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils_3",
|
||||
"nixpkgs": "nixpkgs_8"
|
||||
"nixpkgs": "nixpkgs_7"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1688766095,
|
||||
|
@ -899,11 +842,11 @@
|
|||
},
|
||||
"private_assets": {
|
||||
"locked": {
|
||||
"lastModified": 1722954537,
|
||||
"narHash": "sha256-Ed0weP9KpP2g9hdTzCSk89yV2oD2c4poA21z4fLcBgk=",
|
||||
"lastModified": 1723916901,
|
||||
"narHash": "sha256-/1i1OTqP8Q7DmNqvwyAmKvxxzYr9qiniNM790lKOl4c=",
|
||||
"ref": "main",
|
||||
"rev": "0c236ccc4382ecaad64595756d242b206fd49aec",
|
||||
"revCount": 58,
|
||||
"rev": "e7a82f91a7347be4cbc786a22450a78bc11c71ce",
|
||||
"revCount": 67,
|
||||
"type": "git",
|
||||
"url": "ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git"
|
||||
},
|
||||
|
@ -915,11 +858,11 @@
|
|||
},
|
||||
"retiolum": {
|
||||
"locked": {
|
||||
"lastModified": 1719907580,
|
||||
"narHash": "sha256-arE8H5HXoPwcjQXnUH1pmnh2pi37+5hXjo4UPpYJ7FY=",
|
||||
"lastModified": 1723579214,
|
||||
"narHash": "sha256-YKzjA2J1io2FR6Y1ZS98jKDLnxWKnJXq4ITto93e5Zg=",
|
||||
"owner": "Mic92",
|
||||
"repo": "retiolum",
|
||||
"rev": "7e5194b7aba337bc06b5a33738284ef98eef6cbf",
|
||||
"rev": "be646cb8778ad3dd11a5f9227bc3b8ae4338d46f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -930,17 +873,16 @@
|
|||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"buildbot-nix": "buildbot-nix",
|
||||
"clan-core": "clan-core",
|
||||
"clan-fact-generators": "clan-fact-generators",
|
||||
"flake-parts": "flake-parts_3",
|
||||
"flake-parts": "flake-parts_2",
|
||||
"home-manager": "home-manager",
|
||||
"home-manager-utils": "home-manager-utils",
|
||||
"kmonad": "kmonad",
|
||||
"landingpage": "landingpage",
|
||||
"nixos-anywhere": "nixos-anywhere",
|
||||
"nixos-hardware": "nixos-hardware",
|
||||
"nixpkgs": "nixpkgs_6",
|
||||
"nixpkgs": "nixpkgs_5",
|
||||
"nixpkgs-legacy_2211": "nixpkgs-legacy_2211",
|
||||
"nixpkgs-legacy_2311": "nixpkgs-legacy_2311",
|
||||
"nixpkgs-legacy_2405": "nixpkgs-legacy_2405",
|
||||
|
@ -966,11 +908,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1721531171,
|
||||
"narHash": "sha256-AsvPw7T0tBLb53xZGcUC3YPqlIpdxoSx56u8vPCr6gU=",
|
||||
"lastModified": 1723501126,
|
||||
"narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "909e8cfb60d83321d85c8d17209d733658a21c95",
|
||||
"rev": "be0eec2d27563590194a9206f551a6f73d52fa34",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -981,14 +923,14 @@
|
|||
},
|
||||
"srvos": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_9"
|
||||
"nixpkgs": "nixpkgs_8"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1722263926,
|
||||
"narHash": "sha256-xhuXR7hKOM4dQwDvHyZYn+aHbUDHnpi4+yPhsyP+mwU=",
|
||||
"lastModified": 1724287640,
|
||||
"narHash": "sha256-MAjp8fUU6/WambitI/jOVxgjuH3YEfE6A8l4EtonktY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "srvos",
|
||||
"rev": "1f867a5658bfc4318ea6f83304b2a1bc4a0b28ee",
|
||||
"rev": "9810f43ff22a10b6f70c38d6085ac6c201b26640",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -1016,11 +958,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1722946882,
|
||||
"narHash": "sha256-mxtnMye8gs82tdQbVC+g6v3aPOZlH150f9WyntHIkTg=",
|
||||
"lastModified": 1724260414,
|
||||
"narHash": "sha256-EP1yFDEm/f7+j+fE3TI7KZb5xJH6KNMtmlZciktC71c=",
|
||||
"owner": "danth",
|
||||
"repo": "stylix",
|
||||
"rev": "5853f1a8bd072f2ebabfc3de3973084353cf6f1e",
|
||||
"rev": "c5f8f06543b70248a076f888177c7362a24d5dcc",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -1059,6 +1001,21 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems_3": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"taskshell": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils_4",
|
||||
|
@ -1083,16 +1040,16 @@
|
|||
"treefmt-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"buildbot-nix",
|
||||
"clan-core",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1721769617,
|
||||
"narHash": "sha256-6Pqa0bi5nV74IZcENKYRToRNM5obo1EQ+3ihtunJ014=",
|
||||
"lastModified": 1723808491,
|
||||
"narHash": "sha256-rhis3qNuGmJmYC/okT7Dkc4M8CeUuRCSvW6kC2f3hBc=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "8db8970be1fb8be9c845af7ebec53b699fe7e009",
|
||||
"rev": "1d07739554fdc4f8481068f1b11d6ab4c1a4167a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -1102,27 +1059,6 @@
|
|||
}
|
||||
},
|
||||
"treefmt-nix_2": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"clan-core",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1721458737,
|
||||
"narHash": "sha256-wNXLQ/ATs1S4Opg1PmuNoJ+Wamqj93rgZYV3Di7kxkg=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "888bfb10a9b091d9ed2f5f8064de8d488f7b7c97",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"treefmt-nix_3": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixos-anywhere",
|
||||
|
|
72
flake.nix
72
flake.nix
|
@ -76,9 +76,6 @@
|
|||
inputs.home-manager.follows = "home-manager";
|
||||
};
|
||||
|
||||
#buildbot-nix.url = "github:nix-community/buildbot-nix";
|
||||
buildbot-nix.url = "github:MagicRB/buildbot-nix?ref=pydantic-convert";
|
||||
|
||||
# smoke test framwork to trigger tests (enable if I want to use it for real)
|
||||
#smoke = {
|
||||
# url = github:SamirTalwar/smoke;
|
||||
|
@ -97,7 +94,6 @@
|
|||
|
||||
outputs =
|
||||
inputs@{ self
|
||||
, buildbot-nix
|
||||
, clan-core
|
||||
, clan-fact-generators
|
||||
, flake-parts
|
||||
|
@ -176,6 +172,7 @@
|
|||
clanLib = import ./lib/clanlib.nix { inherit (pkgs) lib; machineDir = ./machines; };
|
||||
zerotierDeviceName = "ztbn67ogn2";
|
||||
components = ./components;
|
||||
features = ./features;
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -247,15 +244,20 @@
|
|||
"${config.clan.core.clanDir}/machines/chungus/facts/ssh.rbackup.id_ed25519.pub"
|
||||
];
|
||||
})
|
||||
{
|
||||
# disable emergency mode everywhere, although it might be needed on laptops
|
||||
boot.initrd.systemd.emergencyAccess = false;
|
||||
boot.initrd.systemd.suppressedUnits = [
|
||||
"emergency.service"
|
||||
"emergency.target"
|
||||
];
|
||||
systemd.enableEmergencyMode = false;
|
||||
}
|
||||
# configure nix
|
||||
({ pkgs, lib, clanLib, ... }:
|
||||
{
|
||||
nix.settings.substituters = [
|
||||
"http://cache.orbi.wg0/"
|
||||
];
|
||||
nix.settings.trusted-public-keys = [
|
||||
(clanLib.readFact "nix-serve.pub" "orbi")
|
||||
];
|
||||
nix.settings.substituters = [ "http://cache.orbi.wg0" ];
|
||||
nix.settings.trusted-public-keys = [ (clanLib.readFact "nix-serve.pub" "orbi") ];
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
nix.settings.max-jobs = 1;
|
||||
# no channesl needed this way
|
||||
|
@ -268,6 +270,8 @@
|
|||
documentation.nixos.options.warningsAreErrors = false; # todo make this true again
|
||||
documentation.nixos.extraModules = [
|
||||
./components
|
||||
./features
|
||||
#./modules
|
||||
inputs.clan-core.nixosModules.clanCore
|
||||
# inputs.stylix.nixosModules.stylix # fixme: not working
|
||||
permown.nixosModules.permown
|
||||
|
@ -280,6 +284,12 @@
|
|||
boot.loader.generic-extlinux-compatible.configurationLimit = lib.mkDefault 10;
|
||||
boot.loader.grub.configurationLimit = lib.mkDefault 10;
|
||||
})
|
||||
# My Structure
|
||||
./components
|
||||
./features
|
||||
./modules # todo : spread this across features and components
|
||||
#./system/all # todo : spread this across features and components
|
||||
|
||||
# some modules I always use
|
||||
permown.nixosModules.permown
|
||||
kmonad.nixosModules.default
|
||||
|
@ -299,15 +309,15 @@
|
|||
stylix.image = ./assets/wallpaper.png;
|
||||
stylix.fonts = {
|
||||
serif = {
|
||||
package = pkgs.ubuntu_font_family;
|
||||
package = pkgs.nerdfonts.override { fonts = [ "Ubuntu" ]; };
|
||||
name = "Ubuntu";
|
||||
};
|
||||
sansSerif = {
|
||||
package = pkgs.ubuntu_font_family;
|
||||
package = pkgs.nerdfonts.override { fonts = [ "Ubuntu" ]; };
|
||||
name = "Ubuntu";
|
||||
};
|
||||
monospace = {
|
||||
package = pkgs.jetbrains-mono;
|
||||
package = pkgs.nerdfonts.override { fonts = [ "JetBrainsMono" ]; };
|
||||
name = "JetBrains Mono";
|
||||
};
|
||||
emoji = {
|
||||
|
@ -316,11 +326,6 @@
|
|||
};
|
||||
sizes.popups = 15;
|
||||
};
|
||||
# todo: remove this if not needed anymore
|
||||
#home-manager.sharedModules = [
|
||||
# { stylix.targets.bemenu.enable = false; }
|
||||
#];
|
||||
|
||||
};
|
||||
|
||||
homeManagerModules = { pkgs, config, ... }: {
|
||||
|
@ -420,6 +425,7 @@
|
|||
nixos-hardware.nixosModules.framework-13th-gen-intel
|
||||
retiolum.nixosModules.retiolum
|
||||
private_assets.nixosModules.yubikey
|
||||
private_assets.nixosModules.cherry
|
||||
homeManagerModules
|
||||
stylixModules
|
||||
{ home-manager.users.mainUser.gui.enable = true; }
|
||||
|
@ -458,17 +464,12 @@
|
|||
host = "orbi.bear";
|
||||
#host = "95.216.66.212";
|
||||
modules = [
|
||||
zerotierModules
|
||||
homeManagerModules
|
||||
stylixModules
|
||||
zerotierModules
|
||||
srvos.nixosModules.hardware-hetzner-online-intel
|
||||
#srvos.nixosModules.server
|
||||
#srvos.nixosModules.mixins-terminfo
|
||||
{
|
||||
# not needed for servers in general
|
||||
boot.initrd.systemd.emergencyAccess = false;
|
||||
systemd.enableEmergencyMode = false;
|
||||
}
|
||||
{
|
||||
home-manager.users.mainUser = import ./homes/palo;
|
||||
home-manager.users.root = import ./homes/root;
|
||||
|
@ -481,13 +482,15 @@
|
|||
|
||||
probe = clanSetup {
|
||||
name = "probe";
|
||||
host = "probe.bear";
|
||||
#host = "167.235.205.150";
|
||||
host = "95.217.18.54";
|
||||
modules = [
|
||||
homeManagerModules
|
||||
stylixModules
|
||||
srvos.nixosModules.hardware-hetzner-cloud
|
||||
srvos.nixosModules.server
|
||||
srvos.nixosModules.mixins-terminfo
|
||||
#inputs.clan-core.clanModules.sshd
|
||||
{
|
||||
home-manager.users.mainUser = import ./homes/palo;
|
||||
home-manager.users.root = import ./homes/root;
|
||||
|
@ -498,6 +501,25 @@
|
|||
];
|
||||
};
|
||||
|
||||
usbstick = clanSetup {
|
||||
name = "usbstick";
|
||||
#host = "usbstick.bear";
|
||||
host = "10.100.0.100";
|
||||
modules = [
|
||||
homeManagerModules
|
||||
stylixModules
|
||||
zerotierModules
|
||||
{ home-manager.users.mainUser.gui.enable = true; }
|
||||
{
|
||||
home-manager.users.mainUser = import ./homes/palo;
|
||||
home-manager.users.root = import ./homes/root;
|
||||
}
|
||||
{
|
||||
clan.core.machineDescription = "USB-Stick for Backup";
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
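Review bot: The global block that sets `boot.initrd.systemd.emergencyAccess = false`, suppresses `emergency.service`/`emergency.target` in the initrd and sets `systemd.enableEmergencyMode = false` removes every local recovery shell, so a failed unlock or fsck on a remote host such as orbi or probe now stalls with no console path instead of dropping to a root shell; that is a sound hardening default for machines whose boot drive could be taken, but the comment should state what the recovery path is, e.g. `# no local emergency shell anywhere: recovery is via initrd ssh (features.boot.ssh) or the hoster's console` — adjust to whatever actually applies. The orbi block further down drops its own copy of the same two settings, which is fine now that the global module covers it. The probe entry swaps `probe.bear` for the raw `95.217.18.54`; if that is deliberate because `.bear` names only resolve once the VPN is up, a short comment next to it would spare the next reader the guess.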
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
{ lib, ... }:
|
||||
{
|
||||
imports = [
|
||||
./editor.nix
|
||||
./oh-my-posh
|
||||
./packages.nix
|
||||
./terminal.nix
|
||||
./zfs.nix
|
||||
|
|
|
@ -1,11 +1,10 @@
|
|||
{ lib, ... }:
|
||||
{
|
||||
programs.vim = {
|
||||
enable = true;
|
||||
defaultEditor = true;
|
||||
defaultEditor = lib.mkDefault true;
|
||||
};
|
||||
|
||||
programs.helix = {
|
||||
enable = true;
|
||||
# defaultEditor = true;
|
||||
};
|
||||
}
|
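--- a/homes/common/oh-my-posh/default.nix
+++ b/homes/common/oh-my-posh/default.nix
@@ -0,0 +1,10 @@
+{ pkgs, config, lib, ... }:
+with lib;
+{
+programs.oh-my-posh = {
+enable = true;
+# https://ohmyposh.dev/docs/themes
+#useTheme = "gmay"; # ganz nice, aber farben sind ein bisl schrill
+settings = builtins.fromJSON (builtins.readFile ./gmay.json);
+};
+}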
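Review bot: `with lib;` on the second line is unused, as are the `pkgs` and `config` arguments, so the module header can shrink to `{ ... }:` and the `with` line can go; `with` at file scope also shadows names silently, which is why the nixpkgs style guide discourages it. The German comment on the `#useTheme` line would read better in the repo's otherwise English comments: `#useTheme = "gmay"; # quite nice, but the colours are a bit loud`. Parsing the theme with `builtins.fromJSON` at evaluation time is fine, but a broken `gmay.json` then fails the whole flake evaluation rather than just the prompt; worth a one-line note saying so.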
|
96
homes/common/oh-my-posh/gmay.json
Normal file
96
homes/common/oh-my-posh/gmay.json
Normal file
|
@ -0,0 +1,96 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/JanDeDobbeleer/oh-my-posh/main/themes/schema.json",
|
||||
"blocks": [
|
||||
{
|
||||
"alignment": "left",
|
||||
"segments": [
|
||||
{
|
||||
"background": "#076678",
|
||||
"foreground": "#EBDBB2",
|
||||
"leading_diamond": "\ue0b6",
|
||||
"style": "diamond",
|
||||
"template": " {{ if .WSL }}WSL at {{ end }}{{.Icon}} ",
|
||||
"type": "os"
|
||||
},
|
||||
{
|
||||
"background": "#076678",
|
||||
"foreground": "#EBDBB2",
|
||||
"style": "powerline",
|
||||
"template": " {{ .UserName }}@{{ .HostName }} ",
|
||||
"type": "session"
|
||||
},
|
||||
{
|
||||
"background": "#B57614",
|
||||
"foreground": "#EBDBB2",
|
||||
"powerline_symbol": "\ue0b0",
|
||||
"properties": {
|
||||
"style": "full"
|
||||
},
|
||||
"style": "powerline",
|
||||
"template": " \ue5ff {{ .Path }} ",
|
||||
"type": "path"
|
||||
},
|
||||
{
|
||||
"background": "#79740E",
|
||||
"foreground": "#EBDBB2",
|
||||
"powerline_symbol": "\ue0b0",
|
||||
"properties": {
|
||||
"time_format": "2006-01-02 15:04:05"
|
||||
},
|
||||
"style": "powerline",
|
||||
"template": " {{ .CurrentDate | date .Format }} ",
|
||||
"type": "time"
|
||||
},
|
||||
{
|
||||
"background": "#8F3F71",
|
||||
"foreground": "#EBDBB2",
|
||||
"powerline_symbol": "\ue0b0",
|
||||
"properties": {
|
||||
"fetch_stash_count": true,
|
||||
"fetch_upstream_icon": true
|
||||
},
|
||||
"style": "powerline",
|
||||
"template": " {{ .UpstreamIcon }}{{ .HEAD }}{{ if gt .StashCount 0 }} \ueb4b {{ .StashCount }}{{ end }} ",
|
||||
"type": "git"
|
||||
},
|
||||
{
|
||||
"background": "#9D0006",
|
||||
"foreground": "#EBDBB2",
|
||||
"powerline_symbol": "\ue0b0",
|
||||
"style": "powerline",
|
||||
"template": " \uf0e7 ",
|
||||
"type": "root"
|
||||
},
|
||||
{
|
||||
"background": "#427B58",
|
||||
"background_templates": ["{{ if gt .Code 0 }}#9D0006{{ end }}"],
|
||||
"foreground": "#EBDBB2",
|
||||
"leading_diamond": "<transparent,background>\ue0b0</>",
|
||||
"properties": {
|
||||
"always_enabled": true
|
||||
},
|
||||
"style": "diamond",
|
||||
"template": " \ueb05 ",
|
||||
"trailing_diamond": "\ue0b4",
|
||||
"type": "status"
|
||||
}
|
||||
],
|
||||
"type": "prompt"
|
||||
},
|
||||
{
|
||||
"alignment": "left",
|
||||
"newline": true,
|
||||
"segments": [
|
||||
{
|
||||
"foreground": "#076678",
|
||||
"style": "plain",
|
||||
"template": "\uf0a9 ",
|
||||
"type": "text"
|
||||
}
|
||||
],
|
||||
"type": "prompt"
|
||||
}
|
||||
],
|
||||
"final_space": true,
|
||||
"version": 2
|
||||
}
|
|
@ -23,7 +23,7 @@ with lib;
|
|||
|
||||
tldr
|
||||
|
||||
bandwhich
|
||||
bandwhich # todo : put this to common/networking.nix
|
||||
|
||||
unzip
|
||||
genpass
|
||||
|
|
|
@ -21,6 +21,7 @@ with lib;
|
|||
${pkgs.zfs}/bin/zfs list -o ${concatStringsSep "," options} "$@"
|
||||
''
|
||||
)
|
||||
pkgs.zfs-prune-snapshots
|
||||
];
|
||||
}
|
||||
];
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
|
||||
imports = [
|
||||
../common
|
||||
./editor.nix
|
||||
./git.nix
|
||||
./gpg.nix
|
||||
./gui
|
||||
|
|
|
@ -49,8 +49,8 @@ in
|
|||
enable = true;
|
||||
bars = {
|
||||
my = {
|
||||
icons = "awesome5";
|
||||
theme = "gruvbox-light";
|
||||
icons = "material-nf"; # nerd fonts (influenced by stylix.font settings)
|
||||
theme = "gruvbox-light"; # not configured by stylix yet.
|
||||
# https://github.com/greshake/i3status-rust/blob/v0.22.0/doc/blocks.md
|
||||
blocks = [
|
||||
{
|
||||
|
|
|
@ -79,7 +79,7 @@ with lib;
|
|||
termtosvg
|
||||
|
||||
#surrealist
|
||||
surrealdb
|
||||
#surrealdb # fixme: not working because of rust update or something
|
||||
|
||||
boxes
|
||||
|
||||
|
|
|
@ -1,7 +1,22 @@
|
|||
# NixOS livesystem to generate yubikeys in an air-gapped manner
|
||||
# screenshot: https://dl.thalheim.io/wmxIqucOEo2xuLk0Ut45fQ/yubikey-live-system.png
|
||||
# $ nixos-generator -f iso -c yubikey-image.nix
|
||||
{ pkgs, ... }: {
|
||||
# $ nix-shell -p nixos-generate --run "nixos-generate -f iso -c yubikey-image.nix"
|
||||
{ pkgs, ... }:
|
||||
let
|
||||
guide = pkgs.stdenv.mkDerivation {
|
||||
name = "yubikey-guide-2019-01-21.html";
|
||||
src = pkgs.fetchFromGitHub {
|
||||
owner = "drduh";
|
||||
repo = "YubiKey-Guide";
|
||||
rev = "035d98ebbed54a0218ccbf23905054d32f97508e";
|
||||
sha256 = "0rzy06a5xgfjpaklxdgrxml24d0vhk78lb577l3z4x7a2p32dbyq";
|
||||
};
|
||||
buildInputs = [ pkgs.pandoc ];
|
||||
installPhase =
|
||||
"pandoc --highlight-style pygments -s --toc README.md -o $out";
|
||||
};
|
||||
in
|
||||
{
|
||||
environment.interactiveShellInit = ''
|
||||
export GNUPGHOME=/run/user/$(id -u)/gnupghome
|
||||
if [ ! -d $GNUPGHOME ]; then
|
||||
|
@ -9,8 +24,7 @@
|
|||
fi
|
||||
cp ${
|
||||
pkgs.fetchurl {
|
||||
url =
|
||||
"https://raw.githubusercontent.com/drduh/config/662c16404eef04f506a6a208f1253fee2f4895d9/gpg.conf";
|
||||
url = "https://raw.githubusercontent.com/drduh/config/662c16404eef04f506a6a208f1253fee2f4895d9/gpg.conf";
|
||||
sha256 = "118fmrsn28fz629y7wwwcx7r1wfn59h3mqz1snyhf8b5yh0sb8la";
|
||||
}
|
||||
} "$GNUPGHOME/gpg.conf"
|
||||
|
@ -19,6 +33,9 @@
|
|||
|
||||
environment.systemPackages = with pkgs; [
|
||||
yubikey-personalization
|
||||
yubikey-personalization-gui
|
||||
yubikey-manager
|
||||
yubikey-manager-qt
|
||||
cryptsetup
|
||||
pwgen
|
||||
midori
|
||||
|
@ -35,35 +52,25 @@
|
|||
networking.wireless.enable = false;
|
||||
networking.dhcpcd.enable = false;
|
||||
|
||||
services.mingetty.helpLine = "The 'root' account has an empty password.";
|
||||
services.getty.helpLine = "The 'root' account has an empty password.";
|
||||
|
||||
services.displayManager = {
|
||||
defaultSession = "xfce";
|
||||
autoLogin = {
|
||||
enable = true;
|
||||
user = "root";
|
||||
};
|
||||
};
|
||||
services.xserver = {
|
||||
enable = true;
|
||||
displayManager.auto.enable = true;
|
||||
|
||||
desktopManager =
|
||||
let
|
||||
guide = pkgs.stdenv.mkDerivation {
|
||||
name = "yubikey-guide-2019-01-21.html";
|
||||
src = pkgs.fetchFromGitHub {
|
||||
owner = "drduh";
|
||||
repo = "YubiKey-Guide";
|
||||
rev = "035d98ebbed54a0218ccbf23905054d32f97508e";
|
||||
sha256 = "0rzy06a5xgfjpaklxdgrxml24d0vhk78lb577l3z4x7a2p32dbyq";
|
||||
};
|
||||
buildInputs = [ pkgs.pandoc ];
|
||||
installPhase =
|
||||
"pandoc --highlight-style pygments -s --toc README.md -o $out";
|
||||
};
|
||||
in
|
||||
{
|
||||
default = "xfce";
|
||||
xterm.enable = false;
|
||||
xfce.enable = true;
|
||||
xfce.extraSessionCommands = ''
|
||||
${pkgs.midori}/bin/midori ${guide} &
|
||||
${pkgs.xfce.terminal}/bin/xfce4-terminal &
|
||||
'';
|
||||
};
|
||||
desktopManager = {
|
||||
xterm.enable = false;
|
||||
xfce.enable = true;
|
||||
};
|
||||
displayManager = {
|
||||
sessionCommands = ''
|
||||
${pkgs.midori}/bin/midori ${guide} &
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
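Review bot: The new `services.displayManager.autoLogin` block logs a passwordless root straight into XFCE, which is only acceptable because the header says the image is air-gapped, yet the hunk still only switches off `networking.wireless` and `networking.dhcpcd`; any other module pulled into the image that enables NetworkManager, systemd-networkd or `networking.useDHCP` would put an unauthenticated root desktop on the LAN. Pin the assumption next to those two lines: `networking.useDHCP = false; networking.networkmanager.enable = false; # air-gapped live image, root autologin is intentional`. `GNUPGHOME` under `/run/user` (tmpfs) means the generated keys vanish at shutdown, which is presumably the point and deserves a comment. The rewrite also drops the `xfce4-terminal` autostart that the old `extraSessionCommands` had, and the `users.users.root` password the `helpLine` refers to is set outside this hunk, so check both are as intended.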
|
||||
|
|
|
@ -3,17 +3,14 @@
|
|||
|
||||
imports = [
|
||||
|
||||
../../components
|
||||
../../modules
|
||||
|
||||
./hardware-configuration
|
||||
|
||||
./syncthing.nix
|
||||
./qemu.nix
|
||||
|
||||
./network-tinc.nix
|
||||
./network-tinc_retiolum.nix
|
||||
./network-wireguard.nix
|
||||
./network-wireguard-wg0.nix
|
||||
./network-wireguard-wg1.nix
|
||||
|
||||
./37c3.nix
|
||||
|
||||
|
@ -40,12 +37,13 @@
|
|||
# (promptKey "pushover.api_key");
|
||||
|
||||
|
||||
components.virtualisation.enable = true;
|
||||
|
||||
components.gui.enable = true;
|
||||
components.mainUser.enable = true;
|
||||
components.media.enable = true;
|
||||
components.media.tts-client.enable = false;
|
||||
components.network.enable = true;
|
||||
components.network.sshd.sshguard.enable = false;
|
||||
components.network.wifi.enable = true;
|
||||
components.terminal.enable = true;
|
||||
|
||||
|
@ -127,15 +125,6 @@
|
|||
|
||||
services.printing.enable = true;
|
||||
|
||||
virtualisation = {
|
||||
docker.enable = true;
|
||||
podman.enable = true;
|
||||
virtualbox = {
|
||||
host.enable = false;
|
||||
guest.enable = false;
|
||||
};
|
||||
};
|
||||
|
||||
# for congress and streaming
|
||||
hardware.graphics.enable = true;
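Review bot: `components.network.sshd.sshguard.enable = false;` in the first hunk appears to be on the new side only (the hunk grows by one line there and nothing else explains it), so brute-force throttling for this laptop's sshd is switched off without a stated reason; if sshd is key-only that is low risk, but the rationale belongs in the file: `components.network.sshd.sshguard.enable = false; # <why: key-only sshd / lockouts behind shared NAT>`. The docker/podman block removed in the last hunk is replaced by `components.virtualisation.enable = true`; since docker group membership is root-equivalent, confirm that component only adds the user to the groups it actually needs — that module is outside this diff.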
|
||||
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
imports = [
|
||||
./disko-config.nix
|
||||
./hardware-configuration.nix
|
||||
./graphics.nix
|
||||
];
|
||||
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
@ -23,4 +24,6 @@
|
|||
ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ENV{ID_FS_TYPE}=="zfs_member", ATTR{../queue/scheduler}="none"
|
||||
'';
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
|
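--- a/machines/cherry/hardware-configuration/graphics.nix
+++ b/machines/cherry/hardware-configuration/graphics.nix
@@ -0,0 +1,19 @@
+# https://wiki.nixos.org/wiki/Accelerated_Video_Playback
+{ pkgs, ... }:
+{
+
+hardware.graphics.enable = true;
+hardware.graphics.extraPackages = with pkgs; [
+intel-media-driver # LIBVA_DRIVER_NAME=iHD
+#vaapi-intel-hybrid
+intel-vaapi-driver # For older processors. LIBVA_DRIVER_NAME=i965
+#vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+#vaapiVdpau
+#libvdpau-va-gl
+];
+hardware.graphics.enable32Bit = true;
+hardware.graphics.extraPackages32 = with pkgs.pkgsi686Linux; [ intel-vaapi-driver ];
+
+environment.sessionVariables = { LIBVA_DRIVER_NAME = "i965"; }; # Optionally, set the environment variable
+
+}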
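Review bot: `environment.sessionVariables = { LIBVA_DRIVER_NAME = "i965"; }` forces the legacy i965 driver for every session, while the `intel-media-driver` listed above is the one the file's own comment pairs with `LIBVA_DRIVER_NAME=iHD`; cherry imports `nixos-hardware.nixosModules.framework-13th-gen-intel` in flake.nix, and the i965 driver does not support that generation of iGPU, so the variable most likely disables hardware decode instead of enabling it — verify with `vainfo`. Either drop the line and let libva probe, or set `LIBVA_DRIVER_NAME = "iHD"`. This file is byte-identical to machines/chungus/hardware-configuration/graphics.nix; a shared module with the driver name as an option would keep the two from drifting.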
|
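--- a/machines/cherry/network-wireguard-wg1.nix
+++ b/machines/cherry/network-wireguard-wg1.nix
@@ -0,0 +1,23 @@
+{ pkgs, config, ... }:
+{
+clan.core.facts.services.wg1 = {
+secret."wg1.conf" = { };
+generator = {
+# I download the config from my fritz.box
+# cat wg_config.conf | pass insert -m machiens/<name>/wg1.conf
+prompt = "please enter the wg1.conf";
+path = with pkgs; [ coreutils ];
+script = ''
+echo "$prompt_value" > "$secrets"/wg1.conf
+'';
+};
+};
+home-manager.users.root.home.packages = [
+(pkgs.writers.writeBashBin "wg1-up" ''
+${pkgs.wireguard-tools}/bin/wg-quick up ${config.clan.core.facts.services.wg1.secret."wg1.conf".path}
+'')
+(pkgs.writers.writeBashBin "wg1-down" ''
+${pkgs.wireguard-tools}/bin/wg-quick down ${config.clan.core.facts.services.wg1.secret."wg1.conf".path}
+'')
+];
+}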
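Review bot: The generator stores the entire wg-quick profile, `PrivateKey` included, via `echo "$prompt_value" > "$secrets"/wg1.conf`, and `wg-quick up <path>` never checks the file's mode, so the only thing keeping the key private is how clan deploys the fact; confirm the deployed secret is root-only (0400) before `wg1-up` is used, and say so in a comment: `# wg1.conf holds the private key; clan must deploy it root:root 0400`. `printf '%s\n' "$prompt_value"` is safer than `echo` for a pasted multi-line value that could start with `-n` or `-e`. Typo in the comment: `machiens` → `machines`. The same file is added verbatim for cream in this commit; a shared module taking the machine name would avoid two copies.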
|
|
@ -1,17 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
|
||||
virtualisation.libvirtd.enable = true;
|
||||
#virtualisation.libvirtd.allowedBridges = ["virbr0"];
|
||||
virtualisation.libvirtd.onShutdown = "shutdown";
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.qemu_kvm
|
||||
#(pkgs.quickemu.override { qemu_full = pkgs.qemu_kvm; })
|
||||
pkgs.quickemu
|
||||
pkgs.virt-manager
|
||||
];
|
||||
|
||||
users.users.mainUser.extraGroups = [ "libvirtd" ];
|
||||
|
||||
}
|
|
@ -5,9 +5,6 @@
|
|||
# todo : remove
|
||||
../../system/all
|
||||
|
||||
../../components
|
||||
../../modules
|
||||
|
||||
./hardware-configuration
|
||||
|
||||
./packages.nix
|
||||
|
@ -58,9 +55,9 @@
|
|||
components.network.wifi.enable = false;
|
||||
components.terminal.enable = true;
|
||||
|
||||
components.nixos.boot.enable = true;
|
||||
components.nixos.boot.kernelModules = [ "e1000e" ];
|
||||
components.nixos.boot.tor.enable = false;
|
||||
features.boot.ssh.enable = true;
|
||||
features.boot.ssh.kernelModules = [ "e1000e" ];
|
||||
features.boot.tor.enable = true;
|
||||
|
||||
components.monitor.enable = true;
|
||||
components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";
|
||||
|
@ -69,20 +66,9 @@
|
|||
|
||||
services.printing.enable = false;
|
||||
|
||||
virtualisation.podman.extraPackages = [ pkgs.zfs ]; # make sure /var/lib/containers/storage is a zfs dataset
|
||||
|
||||
networking.hostName = "chungus";
|
||||
|
||||
|
||||
hardware.graphics.enable = true;
|
||||
hardware.graphics.enable32Bit = true;
|
||||
hardware.graphics.extraPackages = with pkgs; [
|
||||
intel-media-driver # LIBVA_DRIVER_NAME=iHD
|
||||
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
|
||||
vaapiVdpau
|
||||
libvdpau-va-gl
|
||||
];
|
||||
|
||||
# nix-shell -p speedtest_cli --run speedtest
|
||||
#configuration.fireqos = {
|
||||
# enable = false;
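Review bot: `features.boot.tor.enable = true;` turns the initrd Tor onion service on (the replaced `components.nixos.boot.tor.enable` was `false`), and because nothing is unlocked at that stage the onion service key and the initrd sshd host key — the one whose public half is added as `facts/ssh.boot.id_ed25519.pub` in this commit — must sit unencrypted on the boot partition. Anyone who can read /boot can then impersonate the unlock prompt and collect the disk passphrase, so the initrd sshd needs to be limited to the unlock key and the client must pin the boot host key rather than the main one. Suggest `features.boot.tor.enable = true; # onion + initrd ssh keys live unencrypted in /boot; pin the boot host key client-side`, and confirm that the features.boot module (outside this diff) does not reuse the main sshd host key.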
|
||||
|
|
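--- a/machines/chungus/facts/ssh.boot.id_ed25519.pub
+++ b/machines/chungus/facts/ssh.boot.id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBPrtiYl85Wfn+6Iw4caHF3qT4qkgf/ZAYelUjWdSEbn nixbld@cream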
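Review bot: The key comment `nixbld@cream` says ssh-keygen ran as a Nix build user on cream rather than as the clan facts generator, which is worth checking: if the pair was produced inside a derivation, the private half is in the world-readable /nix/store on cream and the key should be regenerated through the facts workflow before it guards the initrd unlock of chungus. If the generator sandbox merely reports that user name, a short note in the facts README would spare the next reader the same question. Also note the comment leaks the generating host's name, which is harmless here but easy to strip with `ssh-keygen -C ""`.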
|
|
@ -3,10 +3,12 @@
|
|||
imports = [
|
||||
./disko-config.nix
|
||||
./hardware-configuration.nix
|
||||
./graphics.nix
|
||||
];
|
||||
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
|
||||
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
|
||||
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
|
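--- a/machines/chungus/hardware-configuration/graphics.nix
+++ b/machines/chungus/hardware-configuration/graphics.nix
@@ -0,0 +1,19 @@
+# https://wiki.nixos.org/wiki/Accelerated_Video_Playback
+{ pkgs, ... }:
+{
+
+hardware.graphics.enable = true;
+hardware.graphics.extraPackages = with pkgs; [
+intel-media-driver # LIBVA_DRIVER_NAME=iHD
+#vaapi-intel-hybrid
+intel-vaapi-driver # For older processors. LIBVA_DRIVER_NAME=i965
+#vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+#vaapiVdpau
+#libvdpau-va-gl
+];
+hardware.graphics.enable32Bit = true;
+hardware.graphics.extraPackages32 = with pkgs.pkgsi686Linux; [ intel-vaapi-driver ];
+
+environment.sessionVariables = { LIBVA_DRIVER_NAME = "i965"; }; # Optionally, set the environment variable
+
+}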
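Review bot: This file is byte-identical to machines/cherry/hardware-configuration/graphics.nix, and the hard-coded `LIBVA_DRIVER_NAME = "i965"` is only correct if chungus has a pre-Broadwell iGPU; on anything newer it sidelines the `intel-media-driver` listed a few lines above, so the previous chungus configuration's `vaapiIntel`/`vaapiVdpau` list was arguably closer to what the hardware wants — check with `vainfo`. Rather than two copies, a shared component with a `driverName` option (`"iHD"` or `"i965"`) set per machine would document the choice and keep the files from drifting.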
|
|
@ -3,17 +3,14 @@
|
|||
|
||||
imports = [
|
||||
|
||||
../../components
|
||||
../../modules
|
||||
|
||||
./hardware-configuration.nix
|
||||
|
||||
./syncthing.nix
|
||||
./qemu.nix
|
||||
|
||||
./network-tinc.nix
|
||||
./network-tinc_retiolum.nix
|
||||
./network-wireguard.nix
|
||||
./network-wireguard-wg0.nix
|
||||
./network-wireguard-wg1.nix
|
||||
|
||||
];
|
||||
|
||||
|
@ -24,6 +21,8 @@
|
|||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
|
||||
|
||||
components.virtualisation.enable = true;
|
||||
|
||||
components.gui.enable = true;
|
||||
components.gui.xorg.enable = true;
|
||||
components.gui.wayland.enable = false;
|
||||
|
@ -113,15 +112,6 @@
|
|||
|
||||
services.printing.enable = true;
|
||||
|
||||
virtualisation = {
|
||||
docker.enable = true;
|
||||
podman.enable = true;
|
||||
virtualbox = {
|
||||
host.enable = false;
|
||||
guest.enable = false;
|
||||
};
|
||||
};
|
||||
|
||||
samba-share = {
|
||||
enable = false;
|
||||
folders = {
|
||||
|
|
|
@ -1 +1 @@
|
|||
lkvs1E4lCXt+Q7lvg/vU2JQyDfqseYo68Ecbb/Hg8YA
|
||||
B3EKYRxqFjIGR2VYajjDqX0gltPJNwcno5PUhafKWKB
|
|
@ -1,13 +1,13 @@
|
|||
-----BEGIN RSA PUBLIC KEY-----
|
||||
MIICCgKCAgEAxqrCGJriL5L1ehBf7CrdpL6Ao/ssyj5ZoPdlTP47WtBRahQcp8e0
|
||||
xWkAACyiSW2rdvK9hBE4Z7cXHenm8obABl69Q6rLdkxIOM7GBK08cX7ZZrRAdyA1
|
||||
Bp9FQWoeHZFq4zBayp889HjPgauglguVlPiXaxh5NhqQkKX4Bkcp4f+OtBMvV0Uf
|
||||
kf80J5pknliV/I85VDt0Ofyuuvot9p4GAegeaGaTgIpMrbGvqdpnB+ZiI9lFylCf
|
||||
tubRvrX1TsaqrWzFu8B2XL6ZXGCY0IrJXs7P0RsG9OysCK7N9WPVrpX+zGFSCCk+
|
||||
3UuKan9AFVOWA72Jj+glIU2i2d3D+Re8kvNmLCQ9GCM2c8Gy+r38UPN1/WTEe7az
|
||||
94ivkczOgg4tIzMCN2JuAYLtoy3JK46Bbexk3i9KgtX5acNrKilQBDKHktqr0oJ8
|
||||
Bz53kFP/X7oY+0RIPePL9OPQu8LRyFXeWeuQQUBgqDmttoWBtHEO6vicKFgwN0bl
|
||||
5J6urUJQYC7aabfYO4aDfgVSRr7cELZkbIsx6Lkj5bOrraaJ2pS5H3QGSBUFifAq
|
||||
mUdKKkBsYltKe8BsqKvQEysT3cGaGlkeP5OaKHN4qG7hGvLk71YjrYlWlIswdMAp
|
||||
D2UgJ5/fcDswSAnFBlLYIqQwC7vMLoqTZPkQ0AN/DxHJCuXfRoU2vhkCAwEAAQ==
|
||||
MIICCgKCAgEAnzhalF1rqLdSsT6HAGuQ6x1kC9Ty3FjoKR2Y5RCO9YIyEgRE8qfR
|
||||
jkne+wIIleODUDMZYuvUe9X5hm8w6wDzxlwCPitwhDlOxoSBnXfbL6YL9rZBn3lC
|
||||
JFkpEPtAJYnfM64R4/UjSndHlCVuH7tltD/1tmfG6IbSsIeDVz+pWZdEmBJfCiDl
|
||||
aqP2gb1oIwe9TgJX2EC2ugW+6Jh9oPNIOP2Q5eLvty5WPhUSGQDWVMr5u0Rgc1oU
|
||||
hhAvrfue7MFqUwX+o0Zq93eVAu/51dhTtqwwVgZVlHK7Wkak4yTRGPAP9v9vbKeK
|
||||
7GpQuvbiI5OphhSFPjyCN1XMqVgFxqsnLsflIPbQdxCkBgFxhmNf31BDlXWHWD5e
|
||||
7BfFYc1tZFcEWKhguoCSesJvh1BVsiZzfya96lGd/+ttcKBUKX4tdznEQsV/MVhC
|
||||
cVnQD6k8PN4BIWVJtcq5oM9h6Yt6avtv8TeuaLp/Janco4JmYYFIfRETnz6ye/fG
|
||||
OiKJnGQ1yohSE6n8ZUK1QYdYezZfI8QhF7GHK7he9x13L9xmXoybV+REXlRvh4S2
|
||||
bi9lWTKhQVIHb/qLIdQuaAnK1xg4tdNzL43KEpPstGlAnG8uUNL8hCJL3m220RPK
|
||||
lEbtLhayRzQ9zgj/hBQZa/hMGGyiqV1hiTbEEWAusJdGTUPYhjAelOkCAwEAAQ==
|
||||
-----END RSA PUBLIC KEY-----
|
||||
|
|
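--- /dev/null
+++ b/machines/cream/network-wireguard-wg1.nix
@@ -0,0 +1,23 @@
+{ pkgs, config, ... }:
+{
+  clan.core.facts.services.wg1 = {
+    secret."wg1.conf" = { };
+    generator = {
+      # I download the config from my fritz.box
+      # cat wg_config.conf | pass insert -m machiens/<name>/wg1.conf
+      prompt = "please enter the wg1.conf";
+      path = with pkgs; [ coreutils ];
+      script = ''
+        echo "$prompt_value" > "$secrets"/wg1.conf
+      '';
+    };
+  };
+  home-manager.users.root.home.packages = [
+    (pkgs.writers.writeBashBin "wg1-up" ''
+      ${pkgs.wireguard-tools}/bin/wg-quick up ${config.clan.core.facts.services.wg1.secret."wg1.conf".path}
+    '')
+    (pkgs.writers.writeBashBin "wg1-down" ''
+      ${pkgs.wireguard-tools}/bin/wg-quick up ${config.clan.core.facts.services.wg1.secret."wg1.conf".path}
+    '')
+  ];
+}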
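Review bot: `wg1-down` runs `wg-quick up` — a copy-paste slip — so the "down" wrapper can never tear the tunnel down; the last wrapper should read `${pkgs.wireguard-tools}/bin/wg-quick down ${config.clan.core.facts.services.wg1.secret."wg1.conf".path}`. wg-quick derives the interface name from the config file's basename, so the secret must keep the `wg1.conf` name for both wrappers to address the same interface; a comment on `secret."wg1.conf"` saying so would protect that coupling. The fritz.box export carries the tunnel's private key, so keeping it only in the secret store (as done) is right; fix the comment typo `machiens/<name>` → `machines/<name>` so a pasted `pass insert` lands in the right path.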
|
@ -1,17 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
|
||||
virtualisation.libvirtd.enable = true;
|
||||
#virtualisation.libvirtd.allowedBridges = ["virbr0"];
|
||||
virtualisation.libvirtd.onShutdown = "shutdown";
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.qemu_kvm
|
||||
#(pkgs.quickemu.override { qemu_full = pkgs.qemu_kvm; })
|
||||
pkgs.quickemu
|
||||
pkgs.virt-manager
|
||||
];
|
||||
|
||||
users.users.mainUser.extraGroups = [ "libvirtd" ];
|
||||
|
||||
}
|
|
@ -1,53 +0,0 @@
|
|||
{ pkgs, inputs, ... }: {
|
||||
|
||||
imports = [
|
||||
inputs.buildbot-nix.nixosModules.buildbot-master
|
||||
];
|
||||
|
||||
containers.buildbot = {
|
||||
privateNetwork = false;
|
||||
autoStart = true;
|
||||
|
||||
config = { config, lib, ... }: {
|
||||
nixpkgs.pkgs = pkgs;
|
||||
imports = [
|
||||
../../components/monitor/container.nix
|
||||
inputs.buildbot-nix.nixosModules.buildbot-master
|
||||
];
|
||||
system.stateVersion = "24.05";
|
||||
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
|
||||
|
||||
services.postgresql = {
|
||||
settings.port = 5433;
|
||||
};
|
||||
|
||||
services.buildbot-nix.master = {
|
||||
enable = true;
|
||||
dbUrl = "postgresql://@:5433/buildbot";
|
||||
# Domain name under which the buildbot frontend is reachable
|
||||
domain = "orbi.private:8010";
|
||||
admins = [ "palo" ];
|
||||
workersFile = pkgs.writeText "workers.json" ''
|
||||
[
|
||||
{ "name": "test", "pass": "password", "cores": 2 }
|
||||
]
|
||||
'';
|
||||
|
||||
# How to authenticate against buildbot
|
||||
authBackend = "none";
|
||||
|
||||
# How to authenticate against gitea
|
||||
gitea = {
|
||||
enable = true;
|
||||
instanceUrl = "https://git.ingolf-wagner.de";
|
||||
webhookSecretFile = pkgs.writeText "gitea-webhook-secret" "my-secret";
|
||||
tokenFile = pkgs.writeText "gitea-token" "my-token";
|
||||
topic = "buildbot";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
}
|
|
@ -1,12 +0,0 @@
|
|||
{ pkgs, inputs, ... }: {
|
||||
|
||||
imports = [
|
||||
inputs.buildbot-nix.nixosModules.buildbot-worker
|
||||
];
|
||||
|
||||
services.buildbot-nix.worker = {
|
||||
enable = true;
|
||||
workerPasswordFile = pkgs.writeText "worker-password-file" "password";
|
||||
};
|
||||
|
||||
}
|
|
@ -1,13 +1,12 @@
|
|||
{ lib, config, pkgs, ... }: {
|
||||
{ lib, config, pkgs, modulesPath, ... }: {
|
||||
imports = [
|
||||
|
||||
(modulesPath + "/profiles/hardened.nix")
|
||||
|
||||
./hardware-configuration
|
||||
|
||||
../../system/all/defaults.nix
|
||||
|
||||
../../components
|
||||
../../modules
|
||||
|
||||
./service-forgejo-runner.nix
|
||||
./service-forgejo.nix
|
||||
./service-hedgedoc.nix
|
||||
|
@ -35,10 +34,8 @@
|
|||
#./social-jitsi.nix
|
||||
./social-matrix-terranix.nix
|
||||
|
||||
#./buildbot-worker.nix
|
||||
#./buildbot-master.nix
|
||||
|
||||
];
|
||||
|
||||
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
|
||||
|
||||
networking.hostName = "orbi";
|
||||
|
@ -50,17 +47,14 @@
|
|||
components.network.nginx.landingpage.enable = false;
|
||||
components.network.wifi.enable = false;
|
||||
|
||||
components.network.fail2ban.enable = true;
|
||||
components.network.sshd.sshguard.enable = false;
|
||||
|
||||
components.nixos.boot.enable = true;
|
||||
components.nixos.boot.tor.enable = false;
|
||||
features.network.fail2ban.enable = true;
|
||||
features.boot.ssh.enable = true;
|
||||
|
||||
components.monitor.enable = true;
|
||||
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
|
||||
networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
|
||||
components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";
|
||||
components.monitor.opentelemetry.exporter.endpoint = "10.100.0.2:4317"; # chnungus
|
||||
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
|
||||
networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
|
||||
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = "contact@ingolf-wagner.de";
|
||||
|
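Review bot: `components.network.sshd.sshguard.enable = false` disappears from this hunk while `features.network.fail2ban.enable = true` is added, so if the sshd component turns sshguard on by default (its definition is not visible here) orbi now runs two ban daemons over the same log; the explicit opt-out should be carried into the `features` namespace. The OTLP receiver bound to `0.0.0.0:4317` is only opened on `wg0` by the firewall lines above, which is the right pairing; a comment such as `# 4317 is reachable only over wg0 — keep the bind and the firewall rule together` would stop a later edit from opening it on the public interface. `features.boot.ssh.enable = true` replaces the initrd sshd block removed from hardware-configuration; confirm the feature uses the new dedicated key in `facts/ssh.boot.id_ed25519.pub` rather than `/etc/ssh/ssh_host_*`.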
|
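--- /dev/null
+++ b/machines/orbi/facts/ssh.boot.id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9YxtLgaTfVKi7iwuM6hdIsgnZWSSIfzauqpFP4X4Oc nixbld@cherry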
|
@ -1,30 +1,5 @@
|
|||
{ config, pkgs, modulesPath, lib, factsGenerator, ... }:
|
||||
|
||||
let
|
||||
|
||||
# in rescue shell
|
||||
# ---------------
|
||||
# apt install -y lshw
|
||||
# lshw -C network | grep -Poh 'driver=[[:alnum:]]+'
|
||||
networkInterfaceModule = "e1000e";
|
||||
|
||||
# ip addr
|
||||
networkInterface = "enp0s31f6";
|
||||
|
||||
# From the Hetzner control panel
|
||||
ipv4 = {
|
||||
address = "95.216.66.212"; # the ip address
|
||||
gateway = "95.216.66.193"; # the gateway ip address
|
||||
netmask = "255.255.255.192"; # the netmask -- might not be the same for you!
|
||||
prefixLength = 26; # must match the netmask, see <https://www.pawprint.net/designresources/netmask-converter.php>
|
||||
};
|
||||
ipv6 = {
|
||||
address = "2a01:4f9:2b:326::2"; # the ipv6 addres
|
||||
gateway = "fe80::1"; # the ipv6 gateway
|
||||
prefixLength = 64; # shown in the control panel
|
||||
};
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
system.stateVersion = "23.11";
|
||||
|
@ -32,21 +7,16 @@ in
|
|||
imports = [
|
||||
./disko-config.nix
|
||||
./hardware-configuration.nix
|
||||
./hetzner.nix
|
||||
];
|
||||
|
||||
services.smartd.enable = true;
|
||||
|
||||
# Use GRUB2 as the boot loader.
|
||||
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
efiSupport = false; # we created a ef02 partition because uefi is not supported on hetzner online machines.
|
||||
};
|
||||
|
||||
# root password
|
||||
clan.core.facts.services.rootPassword = factsGenerator.password { name = "root"; };
|
||||
users.users.root.hashedPasswordFile = config.clan.core.facts.services.rootPassword.secret."password.root.pam".path;
|
||||
|
||||
# todo : use component for that
|
||||
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
||||
services.openssh.settings.PasswordAuthentication = false;
|
||||
|
||||
|
@ -56,25 +26,4 @@ in
|
|||
clan.core.facts.services.zfs = factsGenerator.zfs { };
|
||||
networking.hostId = config.clan.core.facts.services.zfs.public."zfs.hostId".value;
|
||||
|
||||
systemd.network.networks."10-uplink".networkConfig.Address = ipv6.address;
|
||||
boot.initrd.systemd.network.networks."10-uplink" = config.systemd.network.networks."10-uplink";
|
||||
|
||||
# todo: use ssh component
|
||||
boot.initrd.kernelModules = [ networkInterfaceModule ];
|
||||
boot.initrd.network = {
|
||||
enable = true;
|
||||
ssh = {
|
||||
enable = true;
|
||||
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
||||
port = 2222;
|
||||
hostKeys = [
|
||||
# make sure you use --copy-host-keys during nixos-anywhere
|
||||
# (you can create ne ssh keys later, again)
|
||||
# rm /etc/ssh/ssh_host_* && systemctl restart sshd.service
|
||||
/etc/ssh/ssh_host_rsa_key
|
||||
/etc/ssh/ssh_host_ed25519_key
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
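Review bot: The removed initrd block embedded `/etc/ssh/ssh_host_rsa_key` and `/etc/ssh/ssh_host_ed25519_key` into the initrd, so every NixOS generation still kept in `/boot` carries the production host keys on the unencrypted boot partition; switching to a separate boot key (this commit's `facts/ssh.boot.id_ed25519.pub`) only pays off once those generations are gone and the main keys are regenerated. After deploying, prune old generations (e.g. `nix-collect-garbage -d` followed by a `nixos-rebuild boot`) and rotate the host keys as the deleted comment itself described (`rm /etc/ssh/ssh_host_* && systemctl restart sshd.service`), then refresh known_hosts on the clients. The `# todo : use component for that` above `PermitRootLogin = "prohibit-password"` / `PasswordAuthentication = false` is still open; those values are correct and belong next to the new `features.boot.ssh` so both sshd instances stay key-only.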
|
|
@ -4,11 +4,7 @@
|
|||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
(modulesPath + "/profiles/hardened.nix")
|
||||
];
|
||||
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
|
|
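--- /dev/null
+++ b/machines/orbi/hardware-configuration/hetzner.nix
@@ -0,0 +1,38 @@
+{ config, ... }:
+let
+
+  # ip addr
+  networkInterface = "enp0s31f6";
+
+  # From the Hetzner control panel
+  ipv4 = {
+    address = "95.216.66.212"; # the ip address
+    gateway = "95.216.66.193"; # the gateway ip address
+    netmask = "255.255.255.192"; # the netmask -- might not be the same for you!
+    prefixLength = 26; # must match the netmask, see <https://www.pawprint.net/designresources/netmask-converter.php>
+  };
+  ipv6 = {
+    address = "2a01:4f9:2b:326::2"; # the ipv6 addres
+    gateway = "fe80::1"; # the ipv6 gateway
+    prefixLength = 64; # shown in the control panel
+  };
+
+in
+{
+  systemd.network.networks."10-uplink".networkConfig.Address = ipv6.address;
+  boot.initrd.systemd.network.networks."10-uplink" = config.systemd.network.networks."10-uplink";
+
+  # in rescue shell
+  # ---------------
+  # apt install -y lshw
+  # lshw -C network | grep -Poh 'driver=[[:alnum:]]+'
+  boot.initrd.kernelModules = [ "e1000e" ];
+
+  # Use GRUB2 as the boot loader.
+  # We don't use systemd-boot because Hetzner uses BIOS legacy boot.
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = false; # we created a ef02 partition because uefi is not supported on hetzner online machines.
+  };
+
+}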
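Review bot: `networkInterface`, the whole `ipv4` set and `ipv6.gateway`/`ipv6.prefixLength` are bound in the `let` but never referenced; only `ipv6.address` reaches the config, so the Hetzner control-panel values are documentation masquerading as configuration and will silently drift from whatever actually sets the IPv4 address, gateway and `matchConfig` for `10-uplink` (none of that is in this file). Either wire them in — `networkConfig.Address = "${ipv6.address}/${toString ipv6.prefixLength}";` and `networkConfig.Gateway = ipv6.gateway;` if the /64 from the panel is what the uplink should carry — or drop the dead bindings and leave a comment pointing at where the uplink is really configured. The `e1000e` initrd module is the right thing to pin for remote unlock; the interface name `enp0s31f6` only lives in a comment, so if the match is done by name elsewhere the two files should agree.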
|
@ -1,4 +1,4 @@
|
|||
{ pkgs, config, factsGenerator, ... }:
|
||||
{ pkgs, config, factsGenerator, components, ... }:
|
||||
|
||||
# don't forget the database backup before upgrading
|
||||
# -------------------------------------------------
|
||||
|
@ -85,7 +85,7 @@ in
|
|||
|
||||
config = { config, lib, ... }: {
|
||||
nixpkgs.pkgs = pkgs;
|
||||
imports = [ ../../components/monitor/container.nix ];
|
||||
imports = [ "${components}/monitor/container.nix" ];
|
||||
system.stateVersion = "23.11";
|
||||
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ lib, pkgs, config, ... }:
|
||||
{ lib, pkgs, config, components, ... }:
|
||||
let
|
||||
uiPort = 9091;
|
||||
in
|
||||
|
@ -25,7 +25,7 @@ in
|
|||
|
||||
config = { config, lib, ... }: {
|
||||
nixpkgs.pkgs = pkgs;
|
||||
imports = [ ../../components/monitor/container.nix ];
|
||||
imports = [ "${components}/monitor/container.nix" ];
|
||||
system.stateVersion = "21.05";
|
||||
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
|
||||
|
||||
|
|
|
@ -3,10 +3,7 @@ let inherit (utils) escapeSystemdPath;
|
|||
in
|
||||
{
|
||||
|
||||
virtualisation = {
|
||||
# docker.enable = true;
|
||||
podman.enable = true;
|
||||
};
|
||||
virtualisation.podman.enable = true;
|
||||
|
||||
#nix.settings.trusted-users = [ "root" "gitea-runner"];
|
||||
nix.settings.allowed-users = [ "*" "gitea-runner" ];
|
||||
|
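Review bot: `nix.settings.allowed-users = [ "*" "gitea-runner" ]`, the context line just under the reformatted `virtualisation.podman.enable`, is effectively `[ "*" ]`: the wildcard already admits every local user, so the runner entry adds nothing, and because orbi's configuration.nix now imports `profiles/hardened.nix` (which, as far as I recall, narrows `allowed-users` to `@users` via mkDefault) this explicit value silently re-opens the daemon to everyone. If the goal is to let the runner's user reach the daemon, `nix.settings.allowed-users = [ "@users" "gitea-runner" ];` keeps the hardened default and adds just that account. The commented `trusted-users` line above it should be deleted rather than left as a hint, since trusted-users is root-equivalent on the daemon.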
|
|
@ -36,7 +36,7 @@
|
|||
alias ${pkgs.writeText "cache-info" ''
|
||||
StoreDir: /nix/store
|
||||
WantMassQuery: 1
|
||||
Priority: 42
|
||||
Priority: 10
|
||||
''};
|
||||
allow ${config.wireguard.wg0.subnet};
|
||||
deny all;
|
||||
|
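Review bot: Lowering `Priority` from 42 to 10 moves this cache ahead of cache.nixos.org (which advertises 40), so every wg0 client will query it first for each store path; that is fine behind the `allow wg0 / deny all` directives below, but the number deserves a comment such as `Priority: 10 # lower wins: outranks cache.nixos.org (40), wg0 clients try here first`. Since clients now prefer this cache, make sure every substituting machine lists its signing key in `trusted-public-keys`; with signature checking on, a narinfo from an untrusted key is ignored and the client quietly falls through to the slower upstream on every path.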
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{ config, pkgs, lib, components, ... }:
|
||||
let
|
||||
mySQLPackage = pkgs.mysql;
|
||||
photoprismPort = 2342;
|
||||
|
@ -15,10 +15,14 @@ in
|
|||
|
||||
config = { config, lib, ... }: {
|
||||
nixpkgs.pkgs = pkgs;
|
||||
imports = [ ../../components/monitor/container.nix ];
|
||||
imports = [ "${components}/monitor/container.nix" ];
|
||||
system.stateVersion = "23.11";
|
||||
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
|
||||
|
||||
environment.systemPackages = [
|
||||
config.services.photoprism.package
|
||||
];
|
||||
|
||||
# Photoprism
|
||||
# ----------
|
||||
services.photoprism = {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, lib, clanCore, factsGenerator, ... }:
|
||||
{ config, pkgs, lib, clanCore, factsGenerator, components, ... }:
|
||||
let
|
||||
surrealdbPort = 8000;
|
||||
in
|
||||
|
@ -12,7 +12,7 @@ in
|
|||
|
||||
config = { config, lib, ... }: {
|
||||
nixpkgs.pkgs = pkgs;
|
||||
imports = [ ../../components/monitor/container.nix ];
|
||||
imports = [ "${components}/monitor/container.nix" ];
|
||||
system.stateVersion = "24.05";
|
||||
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{ config, pkgs, lib, components, ... }:
|
||||
let
|
||||
vikunjaPort = 3456;
|
||||
mysqlPort = 3337;
|
||||
|
@ -13,7 +13,7 @@ in
|
|||
|
||||
config = { config, lib, ... }: {
|
||||
nixpkgs.pkgs = pkgs;
|
||||
imports = [ ../../components/monitor/container.nix ];
|
||||
imports = [ "${components}/monitor/container.nix" ];
|
||||
system.stateVersion = "24.05";
|
||||
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, factsGenerator, ... }:
|
||||
{ config, pkgs, factsGenerator, components, ... }:
|
||||
let
|
||||
# 1. create DNS entry `matrix.terranix.org A - 95.216.66.212`
|
||||
# 2. test with : https://federationtester.matrix.org/#terranix.org
|
||||
|
@ -66,7 +66,7 @@ in
|
|||
|
||||
config = { config, lib, ... }: {
|
||||
nixpkgs.pkgs = pkgs;
|
||||
imports = [ ../../components/monitor/container.nix ];
|
||||
imports = [ "${components}/monitor/container.nix" ];
|
||||
system.stateVersion = "23.11";
|
||||
services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
|
||||
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
{ lib, config, pkgs, ... }: {
|
||||
imports = [
|
||||
./hardware-configuration
|
||||
../../components
|
||||
../../modules
|
||||
];
|
||||
|
||||
system.stateVersion = "24.11";
|
||||
|
@ -10,8 +8,13 @@
|
|||
components.mainUser.enable = true;
|
||||
components.network.enable = true;
|
||||
|
||||
features.boot.ssh.enable = true;
|
||||
features.boot.tor.enable = true;
|
||||
|
||||
components.monitor.enable = false;
|
||||
|
||||
networking.hostName = "probe";
|
||||
users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkqVvuJSvRMO5pG2CHNNBxjB7HlJudK4TQs3BhbOWOD" ];
|
||||
users.users.root.initialPassword = "admin";
|
||||
#users.users.root.initialPassword = "admin";
|
||||
|
||||
}
|
||||
|
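Review bot: The root `initialPassword = "admin"` line is commented out rather than deleted; leave no credential in the file even disabled, and note that `initialPassword` only applies when the account is first created — a root user created by an earlier deploy may still carry that password unless `users.mutableUsers = false` or a hashed password is set, neither of which is visible here. `features.boot.tor.enable = true` publishes the initrd sshd as an onion service, where the client cannot use the IP to identify the box; add a comment next to it pointing unlock clients at `facts/ssh.boot.id_ed25519.pub` so they pin the boot host key in known_hosts before typing a LUKS passphrase into it. The inline root authorized key is fine, but a trailing comment naming whose key it is would help the next rotation.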
|
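--- /dev/null
+++ b/machines/probe/facts/ssh.boot.id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGpSFQ3qd9iXkIxhLdP2ic6pGNPKlyKfQdeMN2IutmE nixbld@cream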
|
@ -1,13 +1,12 @@
|
|||
{ config, factsGenerator, clanLib, ... }:
|
||||
{
|
||||
imports = [
|
||||
./disko-config.nix
|
||||
#./disko-config-simple.nix
|
||||
./disko-config-encrypted.nix
|
||||
./hardware-configuration.nix
|
||||
./hetzner.nix # to more me to components
|
||||
];
|
||||
|
||||
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
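Review bot: Switching the import from `./disko-config.nix` to `./disko-config-encrypted.nix` changes the on-disk layout, and disko applies layouts destructively, so this cannot be rolled out with a plain `nixos-rebuild` — it needs a reinstall (nixos-anywhere) and a decision on where the LUKS passphrase comes from, since the encrypted config carries no `passwordFile` or key material and the only unlock path is the initrd SSH/Tor feature this commit enables. A comment on the import recording that would save the next person a surprise; also `./hetzner.nix # to more me to components` should read `# todo: move me to components`.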
|
|
@ -0,0 +1,44 @@
|
|||
# Example to create a bios compatible gpt partition
|
||||
{ lib, ... }:
|
||||
{
|
||||
disko.devices = {
|
||||
disk.disk1 = {
|
||||
device = lib.mkDefault "/dev/sda";
|
||||
type = "disk";
|
||||
content = {
|
||||
type = "gpt";
|
||||
partitions = {
|
||||
boot = {
|
||||
name = "boot";
|
||||
size = "1M";
|
||||
type = "EF02";
|
||||
};
|
||||
esp = {
|
||||
name = "ESP";
|
||||
size = "500M";
|
||||
type = "EF00";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot";
|
||||
};
|
||||
};
|
||||
root = {
|
||||
name = "root";
|
||||
size = "100%";
|
||||
content = {
|
||||
type = "luks";
|
||||
name = "root";
|
||||
settings.allowDiscards = true;
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "ext4";
|
||||
mountpoint = "/";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
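Review bot: The header `# Example to create a bios compatible gpt partition` is the disko example's and no longer describes this file (ESP plus a LUKS-wrapped ext4 root); replace it with one line naming the machine and layout. `settings.allowDiscards = true` passes TRIM through the LUKS layer, which reveals free-space patterns and hints at the filesystem to anyone who images the disk — the usual trade-off on a cloud VM, but it should be a stated one, e.g. `settings.allowDiscards = true; # TRIM through LUKS: leaks unused-block layout, accepted for SSD health`. This file is byte-for-byte the same as `machines/usbstick/hardware-configuration/disko-config.nix` added in the same commit, so a shared module taking the device as a parameter would keep the two from drifting. The section's file header is not visible in this view, so the path is inferred from the surrounding imports.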
|
@ -1,12 +1,22 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
|
||||
# set up hetzner cloud network
|
||||
systemd.network.enable = true;
|
||||
systemd.network.networks."10-private-hetzner" = {
|
||||
systemd.network.networks."10-uplink" = {
|
||||
matchConfig.Name = "en*";
|
||||
networkConfig.DHCP = "ipv4";
|
||||
linkConfig.RequiredForOnline = "routable";
|
||||
};
|
||||
|
||||
# set up hetzner cloud network during init
|
||||
boot.initrd.systemd.network.networks."10-uplink" = config.systemd.network.networks."10-uplink";
|
||||
boot.initrd.availableKernelModules = [ "virtio_pci" ]; # network kernel module
|
||||
|
||||
# set up hetzner boot loader
|
||||
boot.loader.grub = {
|
||||
efiSupport = true;
|
||||
efiInstallAsRemovable = true;
|
||||
};
|
||||
|
||||
}
|
||||
|
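Review bot: The comment on `boot.initrd.availableKernelModules = [ "virtio_pci" ]; # network kernel module` is misleading: `virtio_pci` is the virtio bus transport, the NIC driver is `virtio_net`, and as far as I recall NixOS's default initrd module list already ships the virtio family, so the line is likely redundant rather than wrong. Either drop it or make it explicit and self-documenting, `boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_net" ]; # Hetzner Cloud NIC, needed for remote unlock in initrd`. The initrd copy of `10-uplink` inherits `RequiredForOnline = "routable"` and IPv4-only DHCP, which is fine for the unlock use case but worth stating next to the copy so nobody later wonders why IPv6 is absent in early boot.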
|
|
@ -2,8 +2,6 @@
|
|||
|
||||
imports = [
|
||||
|
||||
../../components
|
||||
../../modules
|
||||
./hardware-configuration.nix
|
||||
./packages.nix
|
||||
./syncthing.nix
|
||||
|
@ -19,8 +17,6 @@
|
|||
|
||||
components.gui.enable = true;
|
||||
components.gui.kmonad.enable = false;
|
||||
components.gui.style.enable = false; # installes nerd-fonts which seem not to work.
|
||||
#components.gui.noti.enable = false;
|
||||
|
||||
components.terminal.enable = true;
|
||||
components.network.enable = true;
|
||||
|
@ -86,13 +82,5 @@
|
|||
};
|
||||
};
|
||||
|
||||
virtualisation = {
|
||||
docker.enable = false;
|
||||
virtualbox = {
|
||||
host.enable = false;
|
||||
guest.enable = false;
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
||||
|
|
53
machines/usbstick/configuration.nix
Normal file
53
machines/usbstick/configuration.nix
Normal file
|
@ -0,0 +1,53 @@
|
|||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
imports = [
|
||||
|
||||
./hardware-configuration
|
||||
#./tinc.nix
|
||||
#./syncthing.nix
|
||||
./network-wireguard-wg0.nix
|
||||
|
||||
];
|
||||
|
||||
components.gui.enable = true;
|
||||
components.gui.wayland.enable = false;
|
||||
components.gui.xorg.enable = true;
|
||||
components.mainUser.enable = true;
|
||||
components.monitor.enable = false;
|
||||
components.network.enable = true;
|
||||
components.network.wifi.enable = true;
|
||||
components.terminal.enable = true;
|
||||
|
||||
networking.hostName = "usbstick";
|
||||
|
||||
# Set your time zone.
|
||||
#time.timeZone = "Europe/Berlin";
|
||||
|
||||
#environment.systemPackages = with pkgs; [
|
||||
# vim
|
||||
# wget
|
||||
# htop
|
||||
# silver-searcher
|
||||
#];
|
||||
|
||||
#environment.extraInit = ''
|
||||
# # use vi shortcuts
|
||||
# # ----------------
|
||||
# set -o vi
|
||||
# EDITOR=vim
|
||||
#'';
|
||||
|
||||
services.openssh.enable = true;
|
||||
|
||||
#users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa 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 contact@ingolf-wagner.de" ];
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "22.05"; # Did you read the comment?
|
||||
|
||||
}
|
||||
|
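--- /dev/null
+++ b/machines/usbstick/facts/ssh.id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB1Jma/RepkDoEdmc1mwGRvK9r4qr4AplNAdX8V/dAhZ nixbld@cream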
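--- /dev/null
+++ b/machines/usbstick/facts/syncthing.pub
@@ -0,0 +1 @@
+TLJUGR3-CBQ2E72-FZZQQBD-OELT4RG-ME7KCDJ-O4E6V5C-QRCQHZ4-XU3WXAV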
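--- /dev/null
+++ b/machines/usbstick/facts/wireguard.wg0.cidr
@@ -0,0 +1 @@
+10.100.0.100/32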
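--- /dev/null
+++ b/machines/usbstick/facts/wireguard.wg0.ip
@@ -0,0 +1 @@
+10.100.0.100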
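--- /dev/null
+++ b/machines/usbstick/facts/wireguard.wg0.pub
@@ -0,0 +1 @@
+gZaTuiQRtbYROEbdcCrpGvJcNYBXuoskaj1GBQcL3Gg=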
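--- /dev/null
+++ b/machines/usbstick/facts/zerotier-ip
@@ -0,0 +1 @@
+fdb3:fdc0:b880:37a1:3a99:930f:937c:e1a3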
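--- /dev/null
+++ b/machines/usbstick/hardware-configuration/default.nix
@@ -0,0 +1,19 @@
+{
+  imports = [
+    ./hardware-configuration.nix
+    #./disko-config.nix # todo: not used yet (use a simple installer usb stick for that)
+  ];
+
+
+  # grub configuraton
+  # -----------------
+  boot.loader.grub.enable = true;
+  boot.loader.grub.efiSupport = true;
+  boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub.efiInstallAsRemovable = true;
+  boot.tmp.useTmpfs = true;
+
+  # zfs
+  boot.supportedFilesystems = [ "zfs" ];
+  networking.hostId = "2ed43034";
+}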
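Review bot: `boot.loader.grub.device = "/dev/sda"` on a stick that is carried between machines is a foot-gun: on any host where the stick is not enumerated first, a `nixos-rebuild` run from the stick writes GRUB into that host's first disk. Point it at the stick itself via a `/dev/disk/by-id/usb-…` path or, since `efiSupport` and `efiInstallAsRemovable` are already set, use `boot.loader.grub.device = "nodev";` if legacy BIOS boot is not required. `boot.supportedFilesystems = [ "zfs" ]` together with a fixed `hostId` looks unused given the root is ext4 on LUKS in the sibling `hardware-configuration.nix`; confirm and drop it, or add a comment explaining why zfs tooling is wanted on the stick.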
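--- /dev/null
+++ b/machines/usbstick/hardware-configuration/disko-config.nix
@@ -0,0 +1,44 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "luks";
+              name = "root";
+              settings.allowDiscards = true;
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}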
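Review bot: If this file is ever enabled (it is imported commented-out as "not used yet"), its LUKS volume is named `root`, i.e. `/dev/mapper/root`, while the sibling `hardware-configuration.nix` mounts `/dev/mapper/root-enc` and unlocks `luks.devices."root-enc"`; the two layouts disagree and only one can win, so either rename here to `name = "root-enc";` or add a note that this file is meant to replace the hand-written mounts. It also defaults to `/dev/sda`, which for a USB stick should be a `/dev/disk/by-id/usb-…` path so disko can never format the host's internal disk. The content is identical to `machines/probe/hardware-configuration/disko-config-encrypted.nix` in this commit; sharing one module would keep them from drifting.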
|
@ -0,0 +1,48 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ];
|
||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
#device = "/dev/disk/by-uuid/b3dc4880-fb1b-415d-a5a8-a53b9f0a9ab6";
|
||||
device = "/dev/mapper/root-enc";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
boot.initrd.luks.devices."root-enc".device = "/dev/disk/by-uuid/c2a56e0f-f831-4d21-8cf4-7ddf3901ea8a";
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/EBCE-D756";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.tinc.private.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.tinc.retiolum.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.tinc.secret.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.virbr0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
|
||||
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
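--- /dev/null
+++ b/machines/usbstick/network-wireguard-wg0.nix
@@ -0,0 +1,33 @@
+{ config, factsGenerator, clanLib, ... }:
+{
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+  clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
+  clan.core.facts.services.wireguard_ip = factsGenerator.public {
+    "wireguard.wg0.cidr" = "10.100.0.100/32";
+    "wireguard.wg0.ip" = "10.100.0.100";
+  };
+
+  # Enable WireGuard
+  networking.wg-quick.interfaces = {
+    # Hub and Spoke Setup
+    # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
+    wg0 = {
+      address = [
+        config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
+      ];
+      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+      privateKeyFile = config.clan.core.facts.services.wireguard.secret."wireguard.wg0.key".path;
+      mtu = 1280;
+
+      peers = [
+        {
+          publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
+          allowedIPs = [
+            (clanLib.readFact "wireguard.wg0.cidr" "orbi")
+          ];
+          endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
+        }
+      ];
+    };
+  };
+}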
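Review bot: This is the spoke side of the hub-and-spoke setup the comment links to, yet it opens UDP 51820 on every interface (`networking.firewall.allowedUDPPorts`) and pins `listenPort`; a spoke that only dials the hub needs neither, and on a stick that roams through public Wi-Fi the open port is attack surface for nothing. WireGuard drops unauthenticated datagrams so the exposure is small, but the cleaner config removes both lines and adds `persistentKeepalive = 25;` to the peer — without it the hub cannot reach the stick once the NAT mapping expires, which is the usual reason people end up opening the port instead. If an inbound port is genuinely wanted, open it on the interface it is expected on (`networking.firewall.interfaces.<name>.allowedUDPPorts`) rather than globally.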
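--- /dev/null
+++ b/machines/usbstick/syncthing.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, lib, ... }: {
+
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = false;
+    user = "palo";
+    dataDir = "/home/palo/.syncthing";
+    configDir = "/home/palo/.syncthing";
+    overrideFolders = true;
+    folders = {
+
+      # on encrypted drive
+      # ------------------
+      private = {
+        enable = true;
+        path = "/home/palo/private";
+      };
+      desktop = {
+        enable = true;
+        path = "/home/palo/desktop";
+      };
+      finance = {
+        enable = true;
+        path = "/home/palo/finance";
+      };
+      password-store = {
+        enable = true;
+        path = "/home/palo/.password-store";
+      };
+    };
+  };
+
+  services.permown."/home/palo/music-library" = {
+    owner = "palo";
+    group = "users";
+  };
+}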
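Review bot: No syncthing `devices` are declared here and the NixOS module's `overrideDevices` defaults to true, so unless a device list is merged in from a module not visible in this diff, the four folders end up with no peers and never sync; each folder needs a `devices = [ … ]` entry and the peer IDs (the other machines' `facts/syncthing.pub`) need declaring. Putting `~/.password-store` on a portable stick is only acceptable because the root is LUKS-encrypted per `hardware-configuration.nix`; make that dependency explicit in the `# on encrypted drive` comment so it survives a future disk-layout change. `services.permown."/home/palo/music-library"` targets a path that is not one of the folders above and looks like a leftover. Note the file is not imported yet (`#./syncthing.nix` in configuration.nix), so none of this is live.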
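--- /dev/null
+++ b/machines/usbstick/tinc.nix
@@ -0,0 +1,5 @@
+{ config, ... }:
+{
+  tinc.private.enable = true;
+  tinc.private.ipv4 = "10.23.42.25";
+}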
|
@ -232,7 +232,6 @@ in
|
|||
'';
|
||||
};
|
||||
sudoUsers = mkOption {
|
||||
default = [ config.users.users.mainUser.name ];
|
||||
type = with types; listOf str;
|
||||
description = ''
|
||||
user allowed to run sudo without password to start the browser
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
imports = [
|
||||
./browser.nix
|
||||
./castget.nix
|
||||
#./init-ssh.nix
|
||||
./rbackup.nix
|
||||
./samba-share.nix
|
||||
./taskwarrior-autotag.nix
|
||||
|
|
|
@ -1,105 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.configuration.init-ssh;
|
||||
in
|
||||
{
|
||||
|
||||
# todo : this is kinda deprecated. It should be replaced some day with something more simple, and put in a module.
|
||||
options.configuration.init-ssh = {
|
||||
|
||||
enable = mkOption {
|
||||
default = "disable";
|
||||
type = with types; enum [ "disable" "prepare" "enabled" ];
|
||||
};
|
||||
|
||||
kernelModules = mkOption {
|
||||
type = with types; listOf str;
|
||||
description =
|
||||
"lspci -v will tell you which kernel module is used for the ethernet interface";
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
default = 2222;
|
||||
type = with types; int;
|
||||
};
|
||||
|
||||
authorizedKeys = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = config.users.users.root.openssh.authorizedKeys.keys
|
||||
++ (map (keyFile: lib.fileContents keyFile)
|
||||
config.users.users.root.openssh.authorizedKeys.keyFiles);
|
||||
};
|
||||
hostKey = mkOption {
|
||||
default = "/etc/secrets/initrd/ssh_host_ed25519_key";
|
||||
type = with types; path;
|
||||
description = ''
|
||||
To generate keys, use ssh-keygen(1):
|
||||
# ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
|
||||
# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = mkMerge [
|
||||
|
||||
(mkIf (cfg.enable != "disable") {
|
||||
services.tor = {
|
||||
enable = true;
|
||||
client.enable = true;
|
||||
relay.onionServices.bootup.map = [{ port = 22; }];
|
||||
};
|
||||
})
|
||||
|
||||
(mkIf (cfg.enable == "enabled") {
|
||||
|
||||
# tor setup
|
||||
boot.initrd.secrets = {
|
||||
"/etc/tor/onion/bootup" = /var/lib/tor/onion/bootup;
|
||||
};
|
||||
|
||||
boot.initrd.extraUtilsCommands = ''
|
||||
copy_bin_and_libs ${pkgs.tor}/bin/tor
|
||||
'';
|
||||
|
||||
boot.initrd.network.postCommands =
|
||||
let
|
||||
torRc = (pkgs.writeText "tor.rc" ''
|
||||
DataDirectory /etc/tor
|
||||
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
|
||||
SOCKSPort 127.0.0.1:9063
|
||||
HiddenServiceDir /etc/tor/onion/bootup
|
||||
HiddenServicePort ${toString cfg.port} 127.0.0.1:${toString cfg.port}
|
||||
'');
|
||||
in
|
||||
''
|
||||
echo "tor: preparing onion folder"
|
||||
# have to do this otherwise tor does not want to start
|
||||
chmod -R 700 /etc/tor
|
||||
|
||||
echo "make sure localhost is up"
|
||||
ip a a 127.0.0.1/8 dev lo
|
||||
# ifconfig lo up
|
||||
ip link set lo up
|
||||
|
||||
echo "tor: starting tor"
|
||||
tor -f ${torRc} --verify-config
|
||||
tor -f ${torRc} &
|
||||
'';
|
||||
|
||||
# ssh setup
|
||||
# todo add the ssh host fingerprint to your trusted stuff
|
||||
# todo set ssh host key here
|
||||
boot.initrd.network.enable = true;
|
||||
boot.initrd.network.ssh = {
|
||||
enable = true;
|
||||
authorizedKeys = cfg.authorizedKeys;
|
||||
port = cfg.port;
|
||||
hostKeys = [ cfg.hostKey ];
|
||||
};
|
||||
boot.initrd.availableKernelModules = cfg.kernelModules;
|
||||
})
|
||||
];
|
||||
}
|
||||
|
|
@ -2,8 +2,6 @@
|
|||
|
||||
imports = [
|
||||
|
||||
../../modules
|
||||
../../components/network
|
||||
./defaults.nix
|
||||
./grub.nix
|
||||
./packages.nix
|
||||
|
|
|
@ -13,7 +13,7 @@ options = [
|
|||
"-w", # write back to the file
|
||||
]
|
||||
includes = ["*.sh"]
|
||||
excludes = ["./scripts/hetzner-dedicated-wipe-and-install-nixos.sh"]
|
||||
excludes = ["scripts/hetzner-dedicated-wipe-and-install-nixos.sh"]
|
||||
|
||||
#[formatter.shellcheck]
|
||||
#command = "shellcheck"
|
||||
|
|