port to flakes

2021-06-13 13:43:21 +02:00 · 2021-06-13 13:43:21 +02:00 · 2d9150098e
commit 2d9150098e
parent deaa4fb75c
76 changed files with 721 additions and 315 deletions
--- a/nixos/ifrit/configuration.nix
+++ b/nixos/ifrit/configuration.nix
@ -0,0 +1,218 @@
+{ config, pkgs, lib, ... }:
+let
+  hostAliases = [
+    "ifrit.dadada.li"
+    "bs.vpn.dadada.li"
+    "media.dadada.li"
+    "media.local"
+  ];
+  backups = "/mnt/storage/backup";
+in
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  dadada = {
+    admin.enable = true;
+    fileShare.enable = true;
+
+    vpnServer.enable = true;
+    vpnServer.peers = {
+      "metis" = {
+        id = "1";
+        key = "u+HCYDbK0zwbIEfGf+LVQErlJ0vchf5ZYj0N93NB5ns=";
+      };
+      "morax" = {
+        id = "2";
+        key = "Lq5QLGoI3r3BXEJ72dWH9UTmY/8uaYRPLQB5WWHqJUE=";
+      };
+      "gorgon" = {
+        id = "3";
+        key = "0eWP1hzkyoXlrjPSOq+6Y1u8tnFH+SejBJs8f8lf+iU=";
+      };
+      "surgat" = {
+        id = "4";
+        key = "+paiOqOITdLy3oqoI2DhOj4k8gncAcjFLkJrxJl0iBE=";
+      };
+      "pruflas" = {
+        id = "5";
+        key = "o8B8rTA+u5XOJK4JI+TRCFjVJn/3T7UofLqFRIPoNQk=";
+      };
+      "fginfo" = {
+        id = "6";
+        key = "zadidMDiALJUHdhMrGqAa5RGjPN/x5XJ8aR5elnaeUc=";
+      };
+      "fginfo-git" = {
+        id = "7";
+        key = "5EaLm7uC8XzoN8+BaGzgGRUU4q5shM7gQJcs/d7n+Vo=";
+      };
+    };
+  };
+
+  services.borgbackup.repos = {
+    "metis" = {
+      allowSubRepos = false;
+      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis" ];
+      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
+      path = "${backups}/metis";
+      quota = "1T";
+    };
+    "gorgon" = {
+      allowSubRepos = false;
+      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon" ];
+      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
+      path = "${backups}/gorgon";
+      quota = "1T";
+    };
+    "surgat" = {
+      allowSubRepos = false;
+      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat" ];
+      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
+      path = "${backups}/surgat";
+      quota = "50G";
+    };
+    "pruflas" = {
+      allowSubRepos = false;
+      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas" ];
+      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
+      path = "${backups}/pruflas";
+      quota = "50G";
+    };
+    "wohnzimmerpi" = {
+      allowSubRepos = false;
+      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi" ];
+      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
+      path = "${backups}/wohnzimmerpi";
+      quota = "50G";
+    };
+    "fginfo" = {
+      allowSubRepos = false;
+      authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxsyJeZVlVix0FPE8S/Gx0DVutS1ZNESVdYvHBwo36wGlYpSsQoSy/2HSwbpxs88MOGw1QNboxvvpBxCWxZ5HyjxuO5SwYgtmpjPXvmqfVqNXXnLChhSnKgk9b+HesQJCbHyrF9ZAJXEFCOGhOL3YTgd6lTX3lQUXgh/LEDlrPrigUMDNPecPWxpPskP6Vvpe9u+duhL+ihyxXaV+CoPk8nkWrov5jCGPiM48pugbwAfqARyZDgFpmWwL7Xg2UKgVZ1ttHZCWwH+htgioVZMYpdkQW1aq6LLGwN34Hj2VKXzmJN5frh6vQoZr2AFGHNKyJwAMpqnoY//QwuREpZTrh root@fginfo.ibr.cs.tu-bs.de" ];
+      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
+      path = "${backups}/fginfo";
+      quota = "10G";
+    };
+    "fginfo-git" = {
+      allowSubRepos = false;
+      authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmI6cUv3j0T9ofFB286sDwXwwczqi41cp4MZyGH3VWQnqBPNjICqAdY3CLhgvGBCxSe6ZgKQ+5YLsGSSlU1uhrJXW2UiVKuIPd0kjMF/9e8hmNoTTh0pdk9THfz9LLAdI1vPin1EeVReuDXlZkCI7DFYuTO9yiyZ1uLZUfT1KBRoqiqyypZhut7zT3UaDs2L+Y5hho6WiTdm7INuz6HEB7qYXzrmx93hlcuLZA7fDfyMO9F4APZFUqefcUIEyDI2b+Q/8Q2/rliT2PoC69XLVlj7HyVhfgKsOnopwBDNF3rRcJ6zz4WICPM18i4ZCmfoDTL/cFr5c41Lan1X7wS5wR root@fginfo-git" ];
+      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
+      path = "${backups}/fginfo-git";
+      quota = "10G";
+    };
+  };
+
+  networking.hostName = "ifrit";
+  networking.domain = "dadada.li";
+
+  networking.hosts = {
+    "127.0.0.1" = hostAliases;
+    "::1" = hostAliases;
+  };
+
+  networking.nameservers = [
+    "1.1.1.1"
+    "1.0.0.1"
+  ];
+
+  # weird issues with crappy plastic router
+  networking.interfaces."ens3".tempAddress = "disabled";
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "us";
+  };
+
+  networking.useDHCP = false;
+  networking.interfaces.ens3.useDHCP = true;
+
+  fileSystems."/mnt/storage" = {
+    device = "/dev/disk/by-uuid/a34e36fc-d7dd-4ceb-93c4-48f9c2727cb7";
+    mountPoint = "/mnt/storage";
+    neededForBoot = false;
+    options = [ "nofail" ];
+  };
+
+  networking.firewall = {
+    enable = true;
+    allowPing = true;
+    allowedTCPPorts = [
+      22 # SSH
+      80
+      443 # HTTP(S)
+      111
+      2049 # NFS
+      139
+      445 # SMB
+    ];
+    allowedUDPPorts = [
+      137
+      138
+      111
+      2049 # NFS
+      51234 # Wireguard
+    ];
+  };
+
+  security.acme = {
+    email = "d553a78d-0349-48db-9c20-5b27af3a1dfc@dadada.li";
+    acceptTerms = true;
+    #  certs."webchat.dadada.li" = {
+    #    credentialsFile = "/var/lib/lego/acme-joker.env";
+    #    dnsProvider = "joker";
+    #    postRun = "systemctl reload nginx.service";
+    #  };
+    #  certs."weechat.dadada.li" = {
+    #    credentialsFile = "/var/lib/lego/acme-joker.env";
+    #    dnsProvider = "joker";
+    #    postRun = "systemctl reload nginx.service";
+    #  };
+  };
+
+  users.users."mist" = {
+    isNormalUser = true;
+  };
+
+  services.avahi = {
+    enable = false;
+    publish = {
+      enable = true;
+      addresses = true;
+      workstation = false;
+    };
+  };
+
+  environment.systemPackages = [ pkgs.curl ];
+  systemd = {
+    timers.ddns-joker = {
+      wantedBy = [ "timers.target" ];
+      partOf = [ "ddns-joker.service" ];
+      timerConfig.OnCalendar = "hourly";
+    };
+    services.ddns-joker = {
+      serviceConfig.Type = "oneshot";
+      script = ''
+        function url() {
+        echo "https://svc.joker.com/nic/update?username=$1&password=$2&hostname=$3"
+        }
+
+        IFS=':'
+        read -r user password < /var/lib/ddns/credentials
+        unset IFS
+
+        curl_url=$(url "$user" "$password" bs.vpn.dadada.li)
+
+        ${pkgs.curl}/bin/curl -4 "$curl_url"
+        ${pkgs.curl}/bin/curl -6 "$curl_url"
+      '';
+    };
+  };
+
+  system.stateVersion = "20.03";
+}