dadada/nix-config
dadada/nix-config
1
0
Fork 0
Code Issues 2 Pull requests 5 Projects Releases Packages Wiki Activity Actions 1

port to flakes

Browse source
This commit is contained in:
Tim Schubert 2021-06-13 13:43:21 +02:00
parent deaa4fb75c
commit 2d9150098e
Signed by: dadada
GPG key ID: EEB8D1CE62C4DFEA
76 changed files with 721 additions and 315 deletions
Download patch file Download diff file Expand all files Collapse all files

69
nixos/configurations.nix Normal file
View file

@ -0,0 +1,69 @@
{ self
, nixpkgs
, nixosSystem
, home-manager
, nixos-hardware
}:
let adapterModule = {
imports = [ ./modules ];
nix.nixPath = [
"home-manager=${home-manager}"
"nixpkgs=${nixpkgs}"
"dadada=${self}"
];
nix.registry = {
home-manager.flake = home-manager;
nixpkgs.flake = nixpkgs;
dadada.flake = self;
};
nix.binaryCachePublicKeys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"gorgon:eEE/PToceRh34UnnoFENERhk89dGw5yXOpJ2CUbfL/Q="
];
nix.requireSignedBinaryCaches = true;
nix.useSandbox = true;
nixpkgs.overlays = (nixpkgs.lib.attrValues self.overlays);
};
in
{
gorgon = nixosSystem {
system = "x86_64-linux";
modules = [
adapterModule
nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1
#home-manager.nixosModules.home-manager
#{
# home-manager.useGlobalPkgs = true;
# home-manager.useUserPackages = true;
# home-manager.users.dadada = self.hmConfigurations.home;
#}
./modules/profiles/laptop.nix
./gorgon/configuration.nix
];
};
ifrit = nixosSystem {
system = "x86_64-linux";
modules = [
adapterModule
./modules/profiles/server.nix
./ifrit/configuration.nix
];
};
surgat = nixosSystem {
system = "x86_64-linux";
modules = [
adapterModule
./modules/profiles/server.nix
./surgat/configuration.nix
];
};
pruflas = nixosSystem {
system = "x86_64-linux";
modules = [
adapterModule
./modules/profiles/server.nix
./pruflas/configuration.nix
];
};
}

118
nixos/gorgon/configuration.nix Normal file
View file

@ -0,0 +1,118 @@
{ config, pkgs, lib, ... }:
let
signHook = pkgs.writeShellScript "/etc/nix/sign-cache.sh"
''
set -eu
set -f # disable globbing
export IFS=' '
echo "Signing paths" $OUT_PATHS
nix store sign --key-file /etc/nix/key.private $OUT_PATHS
'';
in
{
imports = [
./hardware-configuration.nix
];
nix.package = pkgs.nixUnstable;
nix.extraOptions = ''
experimental-features = nix-command flakes
post-build-hook = ${signHook}
'';
# conflicts with power-management
services.tlp.enable = false;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelModules = [ "kvm-amd" ];
networking.hostName = "gorgon";
dadada = {
autoUpgrade.enable = false;
headphones.enable = true;
steam.enable = true;
#fido2 = {
# credential = "04ea2813a116f634e90f9728dbbb45f1c0f93b7811941a5a14fb75e711794df0c26552dae2262619c1da2be7562ec9dd94888c71a9326fea70dfe16214b5ea8ec01473070000";
# enablePam = true;
#};
luks.uuid = "3d0e5b93-90ca-412a-b4e0-3e6bfa47d3f4";
networking = {
enableBsShare = true;
useLocalResolver = true;
vpnExtension = "3";
};
backupClient = {
enable = true;
bs = true;
gs = false;
};
};
boot.kernel.sysctl = {
"vm.swappiness" = 90;
};
programs.adb.enable = true;
# Enable CUPS to print documents.
services.printing = {
enable = true;
browsing = true;
drivers = with pkgs; [
hplip
brlaser
brgenml1lpr
brgenml1cupswrapper
];
};
services.miniflux = {
enable = true;
config = {
CLEANUP_FREQUENCY = "48";
LISTEN_ADDR = "localhost:8080";
};
adminCredentialsFile = "/var/lib/miniflux/admin-credentials";
};
environment.systemPackages = [ pkgs.ghostscript ];
networking.firewall = {
enable = true;
allowedTCPPorts = [
22000 # Syncthing
];
allowedUDPPorts = [
21027 # Syncthing
];
};
users.users = {
dadada = {
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "libvirtd" "adbusers" "kvm" "video" "scanner" "lp" "docker" ];
shell = "/run/current-system/sw/bin/zsh";
};
};
networking.hosts = {
"fd42:dead:beef:0:5054:ff:fefb:7361" = [
"media.dadada.li"
"ifrit.dadada.li"
];
"192.168.42.103" = [
"media.dadada.li"
"ifrit.dadada.li"
];
"fd42:dead:beef::5054:ff:fe8b:58df" = [ "iot.dadada.li" ];
"fd42:dead:beef::20d:b9ff:fe4c:c9ac" = [ "agares.dadada.li" ];
"192.168.42.15" = [ "agares.dadada.li" "agares" ];
"192.168.42.11" = [ "wohnzimmerpi.dadada.li" "wohnzimmerpi" ];
"10.1.2.9" = [ "fgprinter.fginfo.tu-bs.de" ];
};
system.stateVersion = "20.03";
}

42
nixos/gorgon/hardware-configuration.nix Normal file
View file

@ -0,0 +1,42 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/2478e089-e5d6-480c-8530-4ea46988f9f7";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/5B90-D460";
fsType = "vfat";
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/a617625e-9325-4612-a086-954fb4b99ee0";
fsType = "ext4";
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/1f6ab0fb-ef4d-45b1-a731-ad0e7a440eef";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/92310a00-7f69-4775-85cb-38e1790f71db"; }
];
nix.maxJobs = lib.mkDefault 16;
}

218
nixos/ifrit/configuration.nix Normal file
View file

@ -0,0 +1,218 @@
{ config, pkgs, lib, ... }:
let
hostAliases = [
"ifrit.dadada.li"
"bs.vpn.dadada.li"
"media.dadada.li"
"media.local"
];
backups = "/mnt/storage/backup";
in
{
imports = [
./hardware-configuration.nix
];
dadada = {
admin.enable = true;
fileShare.enable = true;
vpnServer.enable = true;
vpnServer.peers = {
"metis" = {
id = "1";
key = "u+HCYDbK0zwbIEfGf+LVQErlJ0vchf5ZYj0N93NB5ns=";
};
"morax" = {
id = "2";
key = "Lq5QLGoI3r3BXEJ72dWH9UTmY/8uaYRPLQB5WWHqJUE=";
};
"gorgon" = {
id = "3";
key = "0eWP1hzkyoXlrjPSOq+6Y1u8tnFH+SejBJs8f8lf+iU=";
};
"surgat" = {
id = "4";
key = "+paiOqOITdLy3oqoI2DhOj4k8gncAcjFLkJrxJl0iBE=";
};
"pruflas" = {
id = "5";
key = "o8B8rTA+u5XOJK4JI+TRCFjVJn/3T7UofLqFRIPoNQk=";
};
"fginfo" = {
id = "6";
key = "zadidMDiALJUHdhMrGqAa5RGjPN/x5XJ8aR5elnaeUc=";
};
"fginfo-git" = {
id = "7";
key = "5EaLm7uC8XzoN8+BaGzgGRUU4q5shM7gQJcs/d7n+Vo=";
};
};
};
services.borgbackup.repos = {
"metis" = {
allowSubRepos = false;
authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis" ];
authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
path = "${backups}/metis";
quota = "1T";
};
"gorgon" = {
allowSubRepos = false;
authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon" ];
authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
path = "${backups}/gorgon";
quota = "1T";
};
"surgat" = {
allowSubRepos = false;
authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat" ];
authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
path = "${backups}/surgat";
quota = "50G";
};
"pruflas" = {
allowSubRepos = false;
authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas" ];
authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
path = "${backups}/pruflas";
quota = "50G";
};
"wohnzimmerpi" = {
allowSubRepos = false;
authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi" ];
authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
path = "${backups}/wohnzimmerpi";
quota = "50G";
};
"fginfo" = {
allowSubRepos = false;
authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxsyJeZVlVix0FPE8S/Gx0DVutS1ZNESVdYvHBwo36wGlYpSsQoSy/2HSwbpxs88MOGw1QNboxvvpBxCWxZ5HyjxuO5SwYgtmpjPXvmqfVqNXXnLChhSnKgk9b+HesQJCbHyrF9ZAJXEFCOGhOL3YTgd6lTX3lQUXgh/LEDlrPrigUMDNPecPWxpPskP6Vvpe9u+duhL+ihyxXaV+CoPk8nkWrov5jCGPiM48pugbwAfqARyZDgFpmWwL7Xg2UKgVZ1ttHZCWwH+htgioVZMYpdkQW1aq6LLGwN34Hj2VKXzmJN5frh6vQoZr2AFGHNKyJwAMpqnoY//QwuREpZTrh root@fginfo.ibr.cs.tu-bs.de" ];
authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
path = "${backups}/fginfo";
quota = "10G";
};
"fginfo-git" = {
allowSubRepos = false;
authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmI6cUv3j0T9ofFB286sDwXwwczqi41cp4MZyGH3VWQnqBPNjICqAdY3CLhgvGBCxSe6ZgKQ+5YLsGSSlU1uhrJXW2UiVKuIPd0kjMF/9e8hmNoTTh0pdk9THfz9LLAdI1vPin1EeVReuDXlZkCI7DFYuTO9yiyZ1uLZUfT1KBRoqiqyypZhut7zT3UaDs2L+Y5hho6WiTdm7INuz6HEB7qYXzrmx93hlcuLZA7fDfyMO9F4APZFUqefcUIEyDI2b+Q/8Q2/rliT2PoC69XLVlj7HyVhfgKsOnopwBDNF3rRcJ6zz4WICPM18i4ZCmfoDTL/cFr5c41Lan1X7wS5wR root@fginfo-git" ];
authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
path = "${backups}/fginfo-git";
quota = "10G";
};
};
networking.hostName = "ifrit";
networking.domain = "dadada.li";
networking.hosts = {
"127.0.0.1" = hostAliases;
"::1" = hostAliases;
};
networking.nameservers = [
"1.1.1.1"
"1.0.0.1"
];
# weird issues with crappy plastic router
networking.interfaces."ens3".tempAddress = "disabled";
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
networking.useDHCP = false;
networking.interfaces.ens3.useDHCP = true;
fileSystems."/mnt/storage" = {
device = "/dev/disk/by-uuid/a34e36fc-d7dd-4ceb-93c4-48f9c2727cb7";
mountPoint = "/mnt/storage";
neededForBoot = false;
options = [ "nofail" ];
};
networking.firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = [
22 # SSH
80
443 # HTTP(S)
111
2049 # NFS
139
445 # SMB
];
allowedUDPPorts = [
137
138
111
2049 # NFS
51234 # Wireguard
];
};
security.acme = {
email = "d553a78d-0349-48db-9c20-5b27af3a1dfc@dadada.li";
acceptTerms = true;
# certs."webchat.dadada.li" = {
# credentialsFile = "/var/lib/lego/acme-joker.env";
# dnsProvider = "joker";
# postRun = "systemctl reload nginx.service";
# };
# certs."weechat.dadada.li" = {
# credentialsFile = "/var/lib/lego/acme-joker.env";
# dnsProvider = "joker";
# postRun = "systemctl reload nginx.service";
# };
};
users.users."mist" = {
isNormalUser = true;
};
services.avahi = {
enable = false;
publish = {
enable = true;
addresses = true;
workstation = false;
};
};
environment.systemPackages = [ pkgs.curl ];
systemd = {
timers.ddns-joker = {
wantedBy = [ "timers.target" ];
partOf = [ "ddns-joker.service" ];
timerConfig.OnCalendar = "hourly";
};
services.ddns-joker = {
serviceConfig.Type = "oneshot";
script = ''
function url() {
echo "https://svc.joker.com/nic/update?username=$1&password=$2&hostname=$3"
}
IFS=':'
read -r user password < /var/lib/ddns/credentials
unset IFS
curl_url=$(url "$user" "$password" bs.vpn.dadada.li)
${pkgs.curl}/bin/curl -4 "$curl_url"
${pkgs.curl}/bin/curl -6 "$curl_url"
'';
};
};
system.stateVersion = "20.03";
}

26
nixos/ifrit/hardware-configuration.nix Normal file
View file

@ -0,0 +1,26 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix" )
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/0b4f5f01-5849-4f05-9822-b648abbc2485";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/53b5715e-2724-4800-9cfc-f892115681b6"; }
];
nix.maxJobs = lib.mkDefault 2;
}

61
nixos/modules/admin.nix Normal file
View file

@ -0,0 +1,61 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.dadada.admin;
in
{
options = {
dadada.admin = {
enable = mkEnableOption "Enable admin access";
users = mkOption {
type = with types; attrsOf (listOf path);
default = [ ];
description = ''
List of admin users with root access to all the machine.
'';
example = literalExample "\"user1\" = [ /path/to/key1 /path/to/key2 ]";
};
rat = mkOption {
type = types.bool;
default = false;
description = ''
Enable NAT and firewall traversal for SSH via tor hidden service
'';
};
};
};
config = mkIf cfg.enable {
services.sshd.enable = true;
services.openssh.passwordAuthentication = false;
security.sudo.wheelNeedsPassword = false;
users.users = mapAttrs
(user: keys: (
{
extraGroups = [ "wheel" ];
isNormalUser = true;
openssh.authorizedKeys.keyFiles = keys;
}))
cfg.users;
users.mutableUsers = mkDefault false;
networking.firewall.allowedTCPPorts = [ 22 ];
environment.systemPackages = with pkgs; [
vim
tmux
];
services.tor.relay.onionServices = {
"rat" = mkIf cfg.rat.enable {
name = "rat";
map = [{ port = 22; }];
};
};
};
}

85
nixos/modules/backup.nix Normal file
View file

@ -0,0 +1,85 @@
{ config, pkgs, lib, ... }:
with lib;
let
backupExcludes = [
"/backup"
"/dev"
"/efi"
"/home/*/.cache"
"/home/*/.config/Riot/Cache"
"/home/iserv"
"/lost+found"
"/mnt"
"/nix"
"/proc"
"/run"
"/sys"
"/tmp"
"/var/cache"
"/var/log"
"/var/tmp"
];
cfg = config.dadada.backupClient;
in
{
options = {
dadada.backupClient = {
enable = mkEnableOption "Enable backup client";
gs = mkEnableOption "Enable backup to GS location";
bs = mkEnableOption "Enable backup to BS location";
};
};
config = mkIf cfg.enable {
fileSystems = mkIf cfg.gs {
"/backup" = {
device = "/dev/disk/by-uuid/0fdab735-cc3e-493a-b4ec-cbf6a77d48d5";
fsType = "ext4";
options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ];
};
};
services.borgbackup.jobs.gs = mkIf cfg.gs {
paths = "/";
exclude = backupExcludes;
repo = "/backup/${config.networking.hostName}";
doInit = false;
encryption = {
mode = "repokey";
passCommand = "cat /var/lib/borgbackup/gs/passphrase";
};
compression = "auto,lz4";
prune.keep = {
within = "1d"; # Keep all archives from the last day
daily = 7;
weekly = 2;
monthly = -1; # Keep at least one archive for each month
yearly = -1; # Keep at least one archive for each year
};
startAt = "monthly";
};
networking.hosts = mkIf cfg.bs {
"fd42:dead:beef:0:5054:ff:fefb:7361" = [
"media.dadada.li"
];
};
services.borgbackup.jobs.bs = mkIf cfg.bs {
paths = "/";
exclude = backupExcludes;
repo = "borg@media.dadada.li:/mnt/storage/backup/${config.networking.hostName}";
doInit = true;
environment = {
BORG_RSH = "ssh -i /var/lib/borgbackup/bs/id_ed25519 -o 'StrictHostKeyChecking accept-new'";
};
encryption = {
mode = "repokey";
passCommand = "cat /var/lib/borgbackup/bs/passphrase";
};
compression = "auto,lz4";
startAt = "daily";
};
};
}

19
nixos/modules/default.nix Normal file
View file

@ -0,0 +1,19 @@
{ ... }:
{
imports = [
./admin.nix
./backup.nix
./element.nix
./fido2.nix
./fileShare.nix
./gitea.nix
./headphones.nix
./homepage.nix
./networking.nix
./share.nix
./steam.nix
./update.nix
./vpnServer.nix
./weechat.nix
];
}

36
nixos/modules/element.nix Normal file
View file

@ -0,0 +1,36 @@
{ config, pkgs, lib, ... }:
let
cfg = config.dadada.element;
in
{
options.dadada.element = {
enable = lib.mkEnableOption "Enable element webapp";
};
config = lib.mkIf cfg.enable {
services.nginx.virtualHosts."element.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
serverAliases = [
"element.${config.networking.domain}"
];
root = pkgs.element-web.override {
conf = {
default_server_config."m.homeserver" = {
"base_url" = "https://matrix.stratum0.org/";
"server_name" = "Stratum 0";
};
};
};
locations = {
"/robots.txt" = {
extraConfig = ''
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
'';
};
};
};
};
}

56
nixos/modules/fido2.nix Normal file
View file

@ -0,0 +1,56 @@
{ config, pkgs, lib, ... }:
with lib;
let
luks = config.dadada.luks;
fido2 = config.dadada.fido2;
in
{
options = {
dadada.luks = {
uuid = mkOption {
type = with types; nullOr str;
description = "Device UUID";
default = null;
};
};
dadada.fido2 = {
enablePam = mkEnableOption "Enable PAM U2F";
credential = mkOption {
type = with types; nullOr str;
description = "FIDO2 credential string";
default = null;
};
};
};
config = {
boot.initrd.luks.devices = mkIf (luks.uuid != null) {
root = {
device = "/dev/disk/by-uuid/${luks.uuid}";
preLVM = true;
allowDiscards = true;
fido2 = mkIf (fido2.credential != null) {
credential = fido2.credential;
passwordLess = true;
};
};
};
boot.initrd.luks.fido2Support = mkIf (fido2.credential != null) true;
environment.systemPackages = mkIf (fido2.credential != null) (with pkgs; [
linuxPackages.acpi_call
fido2luks
python27Packages.dbus-python
python38Packages.solo-python
]);
security.pam.u2f = mkIf fido2.enablePam {
enable = true;
control = "sufficient";
cue = true;
};
};
}

46
nixos/modules/fileShare.nix Normal file
View file

@ -0,0 +1,46 @@
{ config, lib, ... }:
with lib;
let
cfg = config.dadada.fileShare;
sharePath = "/mnt/storage/share";
ipv6 = "fd42:dead:beef::/48";
ipv4 = "192.168.42.0/24";
in
{
options.dadada.fileShare = {
enable = mkEnableOption "Enable file share server";
};
config = mkIf cfg.enable {
services.samba = {
enable = true;
securityType = "user";
extraConfig = ''
workgroup = WORKGROUP
server string = media
netbios name = media
security = user
guest account = nobody
map to guest = bad user
'';
shares = {
public = {
path = sharePath;
browseable = "yes";
"read only" = "yes";
"guest ok" = "yes";
"guest only" = "yes";
"create mask" = "0660";
"directory mask" = "2770";
"force user" = "nobody";
"force group" = "nobody";
};
};
};
services.nfs = {
server.enable = true;
server.exports = ''
${sharePath} ${ipv6}(rw,all_squash,insecure,subtree_check) ${ipv4}(rw,all_squash,insecure,subtree_check) # map to user/group - in this case nobody
'';
};
};
}

65
nixos/modules/gitea.nix Normal file
View file

@ -0,0 +1,65 @@
{ config, pkgs, lib, ... }:
let
redisSocket = "127.0.0.1:6379";
cfg = config.dadada.gitea;
in
{
options.dadada.gitea = {
enable = lib.mkEnableOption "Enable gitea";
};
config = lib.mkIf cfg.enable {
services.gitea = {
enable = true;
appName = "dadada Gitea";
rootUrl = "https://git.dadada.li/";
log.level = "Error";
domain = config.networking.domain;
ssh.enable = true;
cookieSecure = true;
enableUnixSocket = true;
database = {
type = "postgres";
};
disableRegistration = true;
settings = {
server = {
LANDING_PAGE = "explore";
OFFLINE_MODE = true;
};
picture = {
DISABLE_GRAVATAR = true;
REPOSITORY_AVATAR_FALLBACK = "random";
ENABLE_FEDERATED_AVATAR = false;
};
other = {
SHOW_FOOTER_BRANDING = false;
SHOW_FOOTER_VERSION = false;
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
};
log = {
DISABLE_ROUTER_LOG = true;
};
cache = {
ENABLE = true;
ADAPTER = "redis";
HOST = "network=tcp,addr=${redisSocket},db=0,pool_size=100,idle_timeout=180";
};
};
};
services.redis = {
enable = true;
vmOverCommit = true;
#unixSocket = redisSocket;
};
services.nginx.virtualHosts."git.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
proxy_pass http://unix:/run/gitea/gitea.sock:/;
'';
};
};
}

25
nixos/modules/headphones.nix Normal file
View file

@ -0,0 +1,25 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.dadada.headphones;
in
{
options = {
dadada.headphones = {
enable = mkEnableOption "Enable bluetooth headphones with more audio codecs.";
};
};
config = mkIf cfg.enable {
hardware = {
bluetooth.enable = true;
pulseaudio = {
enable = true;
extraModules = [ pkgs.pulseaudio-modules-bt ];
extraConfig = ''
set-source-volume 1 10000
'';
package = pkgs.pulseaudioFull;
};
};
};
}

18
nixos/modules/homepage.nix Normal file
View file

@ -0,0 +1,18 @@
{ config, pkgs, lib, ... }:
let
cfg = config.dadada.homePage;
in
with lib; {
options.dadada.homePage = {
enable = mkEnableOption "Enable home page";
};
config = mkIf cfg.enable {
services.nginx.enable = true;
services.nginx.virtualHosts."dadada.li" = {
enableACME = true;
forceSSL = true;
root = "/var/lib/www/dadada.li";
};
};
}

101
nixos/modules/networking.nix Normal file
View file

@ -0,0 +1,101 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.dadada.networking;
in
{
options = {
dadada.networking = {
useLocalResolver = mkEnableOption "Enable local caching name server";
wanInterfaces = mkOption {
type = with types; listOf str;
description = "WAN network interfaces";
default = [ ];
};
vpnExtension = mkOption {
type = with types; nullOr str;
description = "Last part of VPN address";
default = null;
};
enableBsShare = mkEnableOption "Enable network share at BS location";
};
};
config = {
networking.resolvconf.useLocalResolver = mkIf cfg.useLocalResolver true;
services.unbound = mkIf cfg.useLocalResolver {
enable = true;
settings = {
server.interface = [
"127.0.0.1"
"::1"
];
tls-upstream = "yes";
tls-cert-bundle = "/etc/ssl/certs/ca-bundle.crt";
forward-zone = [
{
name = ".";
forward-tls-upstream = "yes";
forward-addr = [
"2606:4700:4700::1001@853#cloudflare-dns.com"
"2606:4700:4700::1111@853#cloudflare-dns.com"
"1.1.1.1@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com"
];
}
];
};
};
networking.useDHCP = false;
networking.interfaces = listToAttrs (forEach cfg.wanInterfaces (i: nameValuePair i {
useDHCP = true;
}));
networking.wireguard.interfaces = mkIf (cfg.vpnExtension != null) {
bs = {
ips = [ "fd42:dead:beef:1337::${cfg.vpnExtension}/64" ];
listenPort = 51234;
privateKeyFile = "/var/lib/wireguard/privkey";
peers = [
{
publicKey = "lFB2DWtzp55ajV0Fk/OWdO9JlGvN9QsayYKQQHV3GEs=";
allowedIPs = [ "fd42:dead:beef::/48" ];
endpoint = "bs.vpn.dadada.li:51234";
persistentKeepalive = 25;
}
];
};
};
# https://lists.zx2c4.com/pipermail/wireguard/2017-November/002028.html
systemd.timers.wg-reresolve-dns = mkIf (cfg.vpnExtension != null) {
wantedBy = [ "timers.target" ];
partOf = [ "wg-reresolve-dns.service" ];
timerConfig.OnCalendar = "hourly";
};
systemd.services.wg-reresolve-dns = mkIf (cfg.vpnExtension != null) {
serviceConfig.Type = "oneshot";
script = ''
${pkgs.wireguard-tools}/bin/wg set bs peer lFB2DWtzp55ajV0Fk/OWdO9JlGvN9QsayYKQQHV3GEs= endpoint bs.vpn.dadada.li:51234 persistent-keepalive 25 allowed-ips fd42:dead:beef::/48
'';
};
fileSystems."/mnt/media.dadada.li" = mkIf cfg.enableBsShare {
device = "media.dadada.li:/mnt/storage/share";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ];
};
networking.firewall = {
enable = true;
allowedUDPPorts = [
51234 # Wireguard
5353 # mDNS
];
};
};
}

55
nixos/modules/profiles/laptop.nix Normal file
View file

@ -0,0 +1,55 @@
{ config, pkgs, lib, ... }:
with lib;
{
networking.domain = mkDefault "dadada.li";
services.fwupd.enable = mkDefault true;
fonts.fonts = mkDefault (with pkgs; [
source-code-pro
]);
time.timeZone = mkDefault "Europe/Berlin";
i18n.defaultLocale = mkDefault "en_US.UTF-8";
console.keyMap = mkDefault "us";
users.mutableUsers = mkDefault true;
programs.zsh = mkDefault {
enable = true;
autosuggestions.enable = true;
enableCompletion = true;
histSize = 100000;
vteIntegration = true;
syntaxHighlighting = {
enable = true;
highlighters = [ "main" "brackets" "pattern" "root" "line" ];
};
};
virtualisation = {
libvirtd.enable = mkDefault true;
docker.enable = mkDefault true;
};
virtualisation.docker.extraOptions = mkDefault "--bip=192.168.1.5/24";
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = mkDefault true;
boot.loader.efi.canTouchEfiVariables = mkDefault true;
services.fstrim.enable = mkDefault true;
services.avahi.enable = false;
networking.networkmanager.enable = mkDefault true;
networking.firewall.enable = mkDefault true;
services.xserver.enable = mkDefault true;
services.xserver.displayManager.gdm.enable = mkDefault true;
services.xserver.desktopManager.gnome.enable = mkDefault true;
xdg.mime.enable = mkDefault true;
}

21
nixos/modules/profiles/server.nix Normal file
View file

@ -0,0 +1,21 @@
{ config, pkgs, lib, ... }:
with lib;
{
networking.domain = mkDefault "dadada.li";
dadada.admin.users = {
"dadada" = [ "${pkgs.keys}/dadada.pub" ];
};
dadada.autoUpgrade.enable = mkDefault false;
environment.noXlibs = mkDefault true;
documentation.enable = mkDefault false;
documentation.nixos.enable = mkDefault false;
i18n.defaultLocale = mkDefault "en_US.UTF-8";
console = mkDefault {
font = "Lat2-Terminus16";
keyMap = "us";
};
}

30
nixos/modules/share.nix Normal file
View file

@ -0,0 +1,30 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.dadada.share;
in
{
options.dadada.share = {
enable = mkEnableOption "Enable file share";
};
config = mkIf cfg.enable {
services.nginx.enable = true;
services.nginx.virtualHosts."share.dadada.li" = {
enableACME = true;
forceSSL = true;
root = "/var/lib/share";
locations = {
"/robots.txt" = {
extraConfig = ''
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
'';
};
};
};
};
}

23
nixos/modules/steam.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.dadada.steam;
in
{
options = {
dadada.steam = {
enable = mkEnableOption "Enable Steam config";
};
};
config = mkIf cfg.enable {
nixpkgs.config.allowUnfree = true;
hardware.opengl = {
enable = true;
driSupport32Bit = true;
extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
};
hardware.pulseaudio.support32Bit = true;
};
}

28
nixos/modules/update.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.dadada.autoUpgrade;
in
{
options.dadada.autoUpgrade = {
enable = mkEnableOption "Enable automatic upgrades";
};
config = mkIf cfg.enable {
nix = {
autoOptimiseStore = false;
useSandbox = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
};
system.autoUpgrade = {
enable = true;
dates = "daily";
};
};
}

50
nixos/modules/vpnServer.nix Normal file
View file

@ -0,0 +1,50 @@
{ config, lib, ... }:
with lib;
let
cfg = config.dadada.vpnServer;
wgPeer = { name, ... }: {
options = {
name = mkOption {
internal = true;
default = name;
};
id = mkOption {
description = "VPN client id";
default = 0;
type = types.str;
};
key = mkOption {
description = "VPN client public key";
default = "";
type = types.str;
};
};
};
in
{
options.dadada.vpnServer = {
enable = mkEnableOption "Enable wireguard gateway";
peers = mkOption {
description = "Set of extensions and public keys of peers";
type = with types; attrsOf (submodule wgPeer);
default = { };
};
};
config = mkIf cfg.enable {
networking.wireguard.enable = true;
networking.wireguard.interfaces."wg0" = {
allowedIPsAsRoutes = true;
privateKeyFile = "/var/lib/wireguard/wg0-key";
ips = [ "fd42:dead:beef:1337::0/64" ];
listenPort = 51234;
peers = map
(peer: (
{
allowedIPs = [ "fd42:dead:beef:1337::${peer.id}/128" ];
publicKey = peer.key;
}))
(attrValues cfg.peers);
};
};
}

58
nixos/modules/weechat.nix Normal file
View file

@ -0,0 +1,58 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.dadada.weechat;
in
{
options.dadada.weechat = {
enable = mkEnableOption "Enable weechat relay";
};
config = mkIf cfg.enable {
services.weechat = {
enable = true;
sessionName = "weechat-dadada";
};
services.nginx.enable = true;
services.nginx.virtualHosts."webchat.dadada.li" = {
enableACME = true;
forceSSL = true;
root = pkgs.glowing-bear;
locations = {
"/robots.txt" = {
extraConfig = ''
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
'';
};
};
};
services.nginx.virtualHosts."weechat.dadada.li" = {
useACMEHost = "webchat.dadada.li";
forceSSL = true;
root = "${pkgs.nginx}/html";
locations = {
"/weechat" = {
extraConfig = ''
proxy_pass http://localhost:9001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 8h;
'';
};
"/robots.txt" = {
extraConfig = ''
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
'';
};
};
};
};
}

14
nixos/modules/zsh.nix Normal file
View file

@ -0,0 +1,14 @@
{ config, pkgs, lib, ... }:
{
programs.zsh = {
enable = true;
autosuggestions.enable = true;
enableCompletion = true;
histSize = 100000;
vteIntegration = true;
syntaxHighlighting = {
enable = true;
highlighters = [ "main" "brackets" "pattern" "root" "line" ];
};
};
}

108
nixos/pruflas/configuration.nix Normal file
View file

@ -0,0 +1,108 @@
{ config, pkgs, lib, ... }:
with lib;
let
hostName = "pruflas";
in
{
imports = [ ./hardware-configuration.nix ];
networking.hostName = hostName;
networking.hosts = {
"10.3.3.3" = [ "hydra.dadada.li" ];
};
services.logind.lidSwitch = "ignore";
services.hydra = {
enable = true;
package = pkgs.hydra-unstable;
hydraURL = "https://hydra.dadada.li";
notificationSender = "hydra@localhost";
buildMachinesFiles = [ ];
useSubstitutes = true;
listenHost = "hydra.dadada.li";
port = 3000;
};
nix.buildMachines = [
{
hostName = "localhost";
system = "x86_64-linux";
supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ];
maxJobs = 8;
}
];
services.nginx = {
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
logError = "/dev/null";
appendHttpConfig = ''
access_log off;
'';
};
dadada.admin.enable = true;
dadada.networking.vpnExtension = "5";
dadada.backupClient = {
enable = true;
bs = true;
};
networking.useDHCP = false;
networking.interfaces."enp0s25".useDHCP = true;
networking.firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = [
22 # SSH
80
443 # HTTPS
3000 # Hydra
];
allowedUDPPorts = [
51234 # Wireguard
51235 # Wireguard
];
};
security.acme = {
email = "d553a78d-0349-48db-9c20-5b27af3a1dfc@dadada.li";
acceptTerms = true;
};
boot.kernelModules = [ "kvm-intel" ];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
swapDevices = [
{
device = "/var/swapfile";
size = 32768;
}
];
networking.wireguard.interfaces."hydra" = {
ips = [ "10.3.3.3/24" ];
listenPort = 51235;
privateKeyFile = "/var/lib/wireguard/hydra";
peers = [
{
publicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY=";
allowedIPs = [ "10.3.3.1/32" ];
endpoint = "surgat.dadada.li:51235";
persistentKeepalive = 25;
}
];
};
system.stateVersion = "20.09";
}

34
nixos/pruflas/hardware-configuration.nix Normal file
View file

@ -0,0 +1,34 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/6d7ea470-1909-4e84-82a6-d5d5e9eecf78";
fsType = "ext4";
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/337f04a7-4fe9-49a2-8a58-07dd4bc85168";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0494-CB52";
fsType = "vfat";
};
swapDevices = [ ];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}

124
nixos/surgat/configuration.nix Normal file
View file

@ -0,0 +1,124 @@
{ config, pkgs, lib, ... }:
let
hostName = "surgat";
in
{
imports = [
./hardware-configuration.nix
];
networking.hostName = hostName;
services.nginx = {
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
logError = "/dev/null";
appendHttpConfig = ''
access_log off;
'';
};
services.nginx.virtualHosts."hydra.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
root = "${pkgs.nginx}/html";
locations."/" = {
proxyPass = "http://10.3.3.3:3000/";
extraConfig = ''
proxy_redirect default;
'';
};
};
dadada.admin = {
enable = true;
users = {
"dadada" = [ "${pkgs.keys}/dadada.pub" ];
};
};
dadada.element.enable = true;
dadada.gitea.enable = true;
dadada.networking.vpnExtension = "4";
dadada.weechat.enable = true;
dadada.homePage.enable = true;
dadada.share.enable = true;
dadada.backupClient = {
enable = true;
bs = true;
};
networking.useDHCP = false;
networking.interfaces.ens3.useDHCP = true;
networking.firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = [
22 # SSH
80
443 # HTTPS
];
allowedUDPPorts = [
51234 # Wireguard
51235 # Wireguard
];
};
security.acme = {
email = "d553a78d-0349-48db-9c20-5b27af3a1dfc@dadada.li";
acceptTerms = true;
};
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
networking.interfaces."ens3".ipv6.addresses = [{
address = "2a01:4f8:c17:1d70::";
prefixLength = 64;
}];
networking.defaultGateway6 = {
address = "fe80::1";
interface = "ens3";
};
#boot.initrd.network.ssh = {
# enable = true;
# port = 22;
# authorizedKeys = "${keys}/dadada.pub";
# hostKeys = [
# ];
#};
swapDevices = [
{
device = "/var/swapfile";
size = 4096;
}
];
networking.wireguard.interfaces."hydra" = {
ips = [ "10.3.3.1/24" ];
listenPort = 51235;
privateKeyFile = "/var/lib/wireguard/hydra";
peers = [
{
publicKey = "CTKwL6+SJIqKXr1DIHejMDgjoxlWPaT78Pz3+JqcNlw=";
allowedIPs = [ "10.3.3.3/32" ];
persistentKeepalive = 25;
}
];
};
system.stateVersion = "20.09";
}

30
nixos/surgat/hardware-configuration.nix Normal file
View file

@ -0,0 +1,30 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/bd0b4d2d-37e5-444b-82ba-d7629114bf11";
fsType = "ext4";
};
boot.initrd.luks.devices."surgat".device = "/dev/disk/by-uuid/5aa2b4d3-5711-451c-bd35-7c33b5019093";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/472bc34f-3803-44ee-ad2a-f0080c0a44d3";
fsType = "ext2";
};
swapDevices = [ ];
}