port to flakes

nixos/modules/admin.nix

@@ -0,0 +1,61 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  cfg = config.dadada.admin;
+in
+{
+  options = {
+    dadada.admin = {
+      enable = mkEnableOption "Enable admin access";
+
+      users = mkOption {
+        type = with types; attrsOf (listOf path);
+        default = [ ];
+        description = ''
+          List of admin users with root access to all the machine.
+        '';
+        example = literalExample "\"user1\" = [ /path/to/key1 /path/to/key2 ]";
+      };
+
+      rat = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable NAT and firewall traversal for SSH via tor hidden service
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.sshd.enable = true;
+    services.openssh.passwordAuthentication = false;
+    security.sudo.wheelNeedsPassword = false;
+
+    users.users = mapAttrs
+      (user: keys: (
+        {
+          extraGroups = [ "wheel" ];
+          isNormalUser = true;
+          openssh.authorizedKeys.keyFiles = keys;
+        }))
+      cfg.users;
+
+    users.mutableUsers = mkDefault false;
+
+    networking.firewall.allowedTCPPorts = [ 22 ];
+
+    environment.systemPackages = with pkgs; [
+      vim
+      tmux
+    ];
+
+    services.tor.relay.onionServices = {
+      "rat" = mkIf cfg.rat.enable {
+        name = "rat";
+        map = [{ port = 22; }];
+      };
+    };
+  };
+}

nixos/modules/backup.nix

@@ -0,0 +1,85 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  backupExcludes = [
+    "/backup"
+    "/dev"
+    "/efi"
+    "/home/*/.cache"
+    "/home/*/.config/Riot/Cache"
+    "/home/iserv"
+    "/lost+found"
+    "/mnt"
+    "/nix"
+    "/proc"
+    "/run"
+    "/sys"
+    "/tmp"
+    "/var/cache"
+    "/var/log"
+    "/var/tmp"
+  ];
+  cfg = config.dadada.backupClient;
+in
+  {
+    options = {
+      dadada.backupClient = {
+        enable = mkEnableOption "Enable backup client";
+        gs = mkEnableOption "Enable backup to GS location";
+        bs = mkEnableOption "Enable backup to BS location";
+      };
+    };
+
+  config = mkIf cfg.enable {
+
+    fileSystems = mkIf cfg.gs {
+      "/backup" = {
+        device = "/dev/disk/by-uuid/0fdab735-cc3e-493a-b4ec-cbf6a77d48d5";
+        fsType = "ext4";
+        options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ];
+      };
+    };
+
+    services.borgbackup.jobs.gs = mkIf cfg.gs {
+      paths = "/";
+      exclude = backupExcludes;
+      repo = "/backup/${config.networking.hostName}";
+      doInit = false;
+      encryption = {
+        mode = "repokey";
+        passCommand = "cat /var/lib/borgbackup/gs/passphrase";
+      };
+      compression = "auto,lz4";
+      prune.keep = {
+        within = "1d"; # Keep all archives from the last day
+        daily = 7;
+        weekly = 2;
+        monthly = -1; # Keep at least one archive for each month
+        yearly = -1; # Keep at least one archive for each year
+      };
+      startAt = "monthly";
+    };
+
+    networking.hosts = mkIf cfg.bs {
+      "fd42:dead:beef:0:5054:ff:fefb:7361" = [
+        "media.dadada.li"
+      ];
+    };
+
+    services.borgbackup.jobs.bs = mkIf cfg.bs {
+      paths = "/";
+      exclude = backupExcludes;
+      repo = "borg@media.dadada.li:/mnt/storage/backup/${config.networking.hostName}";
+      doInit = true;
+      environment = {
+        BORG_RSH = "ssh -i /var/lib/borgbackup/bs/id_ed25519 -o 'StrictHostKeyChecking accept-new'";
+      };
+      encryption = {
+        mode = "repokey";
+        passCommand = "cat /var/lib/borgbackup/bs/passphrase";
+      };
+      compression = "auto,lz4";
+      startAt = "daily";
+    };
+  };
+}

nixos/modules/default.nix

@@ -0,0 +1,19 @@
+{ ... }:
+{
+  imports = [
+    ./admin.nix
+    ./backup.nix
+    ./element.nix
+    ./fido2.nix
+    ./fileShare.nix
+    ./gitea.nix
+    ./headphones.nix
+    ./homepage.nix
+    ./networking.nix
+    ./share.nix
+    ./steam.nix
+    ./update.nix
+    ./vpnServer.nix
+    ./weechat.nix
+  ];
+}

nixos/modules/element.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.dadada.element;
+in
+{
+  options.dadada.element = {
+    enable = lib.mkEnableOption "Enable element webapp";
+  };
+  config = lib.mkIf cfg.enable {
+    services.nginx.virtualHosts."element.${config.networking.domain}" = {
+      enableACME = true;
+      forceSSL = true;
+      serverAliases = [
+        "element.${config.networking.domain}"
+      ];
+
+      root = pkgs.element-web.override {
+        conf = {
+          default_server_config."m.homeserver" = {
+            "base_url" = "https://matrix.stratum0.org/";
+            "server_name" = "Stratum 0";
+          };
+        };
+      };
+
+      locations = {
+        "/robots.txt" = {
+          extraConfig = ''
+            add_header Content-Type text/plain;
+            return 200 "User-agent: *\nDisallow: /\n";
+          '';
+        };
+      };
+    };
+  };
+}

nixos/modules/fido2.nix

@@ -0,0 +1,56 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  luks = config.dadada.luks;
+  fido2 = config.dadada.fido2;
+in
+{
+  options = {
+    dadada.luks = {
+      uuid = mkOption {
+        type = with types; nullOr str;
+        description = "Device UUID";
+        default = null;
+      };
+    };
+
+    dadada.fido2 = {
+      enablePam = mkEnableOption "Enable PAM U2F";
+      credential = mkOption {
+        type = with types; nullOr str;
+        description = "FIDO2 credential string";
+        default = null;
+      };
+    };
+  };
+
+  config = {
+    boot.initrd.luks.devices = mkIf (luks.uuid != null) {
+      root = {
+        device = "/dev/disk/by-uuid/${luks.uuid}";
+        preLVM = true;
+        allowDiscards = true;
+        fido2 = mkIf (fido2.credential != null) {
+          credential = fido2.credential;
+          passwordLess = true;
+        };
+      };
+    };
+
+    boot.initrd.luks.fido2Support = mkIf (fido2.credential != null) true;
+
+    environment.systemPackages = mkIf (fido2.credential != null) (with pkgs; [
+      linuxPackages.acpi_call
+      fido2luks
+      python27Packages.dbus-python
+      python38Packages.solo-python
+    ]);
+
+    security.pam.u2f = mkIf fido2.enablePam {
+      enable = true;
+      control = "sufficient";
+      cue = true;
+    };
+  };
+
+}

nixos/modules/fileShare.nix

@@ -0,0 +1,46 @@
+{ config, lib, ... }:
+with lib;
+let
+  cfg = config.dadada.fileShare;
+  sharePath = "/mnt/storage/share";
+  ipv6 = "fd42:dead:beef::/48";
+  ipv4 = "192.168.42.0/24";
+in
+{
+  options.dadada.fileShare = {
+    enable = mkEnableOption "Enable file share server";
+  };
+  config = mkIf cfg.enable {
+    services.samba = {
+      enable = true;
+      securityType = "user";
+      extraConfig = ''
+        workgroup = WORKGROUP
+        server string = media
+        netbios name = media
+        security = user
+        guest account = nobody
+        map to guest = bad user
+      '';
+      shares = {
+        public = {
+          path = sharePath;
+          browseable = "yes";
+          "read only" = "yes";
+          "guest ok" = "yes";
+          "guest only" = "yes";
+          "create mask" = "0660";
+          "directory mask" = "2770";
+          "force user" = "nobody";
+          "force group" = "nobody";
+        };
+      };
+    };
+    services.nfs = {
+      server.enable = true;
+      server.exports = ''
+        ${sharePath} ${ipv6}(rw,all_squash,insecure,subtree_check) ${ipv4}(rw,all_squash,insecure,subtree_check) # map to user/group - in this case nobody
+      '';
+    };
+  };
+}

nixos/modules/gitea.nix

@@ -0,0 +1,65 @@
+{ config, pkgs, lib, ... }:
+let
+  redisSocket = "127.0.0.1:6379";
+  cfg = config.dadada.gitea;
+in
+{
+  options.dadada.gitea = {
+    enable = lib.mkEnableOption "Enable gitea";
+  };
+  config = lib.mkIf cfg.enable {
+    services.gitea = {
+      enable = true;
+      appName = "dadada Gitea";
+      rootUrl = "https://git.dadada.li/";
+      log.level = "Error";
+      domain = config.networking.domain;
+      ssh.enable = true;
+      cookieSecure = true;
+      enableUnixSocket = true;
+      database = {
+        type = "postgres";
+      };
+      disableRegistration = true;
+      settings = {
+        server = {
+          LANDING_PAGE = "explore";
+          OFFLINE_MODE = true;
+        };
+        picture = {
+          DISABLE_GRAVATAR = true;
+          REPOSITORY_AVATAR_FALLBACK = "random";
+          ENABLE_FEDERATED_AVATAR = false;
+        };
+        other = {
+          SHOW_FOOTER_BRANDING = false;
+          SHOW_FOOTER_VERSION = false;
+          SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+        };
+        log = {
+          DISABLE_ROUTER_LOG = true;
+        };
+        cache = {
+          ENABLE = true;
+          ADAPTER = "redis";
+          HOST = "network=tcp,addr=${redisSocket},db=0,pool_size=100,idle_timeout=180";
+        };
+      };
+    };
+
+    services.redis = {
+      enable = true;
+      vmOverCommit = true;
+      #unixSocket = redisSocket;
+    };
+
+    services.nginx.virtualHosts."git.${config.networking.domain}" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/".extraConfig = ''
+        proxy_pass http://unix:/run/gitea/gitea.sock:/;
+      '';
+    };
+  };
+}

nixos/modules/headphones.nix

@@ -0,0 +1,25 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  cfg = config.dadada.headphones;
+in
+{
+  options = {
+    dadada.headphones = {
+      enable = mkEnableOption "Enable bluetooth headphones with more audio codecs.";
+    };
+  };
+  config = mkIf cfg.enable {
+    hardware = {
+      bluetooth.enable = true;
+      pulseaudio = {
+        enable = true;
+        extraModules = [ pkgs.pulseaudio-modules-bt ];
+        extraConfig = ''
+          set-source-volume 1 10000
+        '';
+        package = pkgs.pulseaudioFull;
+      };
+    };
+  };
+}

nixos/modules/homepage.nix

@@ -0,0 +1,18 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.dadada.homePage;
+in
+with lib; {
+  options.dadada.homePage = {
+    enable = mkEnableOption "Enable home page";
+  };
+  config = mkIf cfg.enable {
+    services.nginx.enable = true;
+
+    services.nginx.virtualHosts."dadada.li" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "/var/lib/www/dadada.li";
+    };
+  };
+}

nixos/modules/networking.nix

@@ -0,0 +1,101 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  cfg = config.dadada.networking;
+in
+{
+  options = {
+    dadada.networking = {
+      useLocalResolver = mkEnableOption "Enable local caching name server";
+      wanInterfaces = mkOption {
+        type = with types; listOf str;
+        description = "WAN network interfaces";
+        default = [ ];
+      };
+      vpnExtension = mkOption {
+        type = with types; nullOr str;
+        description = "Last part of VPN address";
+        default = null;
+      };
+      enableBsShare = mkEnableOption "Enable network share at BS location";
+    };
+  };
+
+  config = {
+    networking.resolvconf.useLocalResolver = mkIf cfg.useLocalResolver true;
+    services.unbound = mkIf cfg.useLocalResolver {
+      enable = true;
+      settings = {
+        server.interface = [
+          "127.0.0.1"
+          "::1"
+        ];
+        tls-upstream = "yes";
+        tls-cert-bundle = "/etc/ssl/certs/ca-bundle.crt";
+        forward-zone = [
+          {
+            name = ".";
+            forward-tls-upstream = "yes";
+            forward-addr = [
+              "2606:4700:4700::1001@853#cloudflare-dns.com"
+              "2606:4700:4700::1111@853#cloudflare-dns.com"
+              "1.1.1.1@853#cloudflare-dns.com"
+              "1.0.0.1@853#cloudflare-dns.com"
+            ];
+          }
+        ];
+      };
+    };
+
+    networking.useDHCP = false;
+
+    networking.interfaces = listToAttrs (forEach cfg.wanInterfaces (i: nameValuePair i {
+      useDHCP = true;
+    }));
+
+    networking.wireguard.interfaces = mkIf (cfg.vpnExtension != null) {
+      bs = {
+        ips = [ "fd42:dead:beef:1337::${cfg.vpnExtension}/64" ];
+        listenPort = 51234;
+
+        privateKeyFile = "/var/lib/wireguard/privkey";
+
+        peers = [
+          {
+            publicKey = "lFB2DWtzp55ajV0Fk/OWdO9JlGvN9QsayYKQQHV3GEs=";
+            allowedIPs = [ "fd42:dead:beef::/48" ];
+            endpoint = "bs.vpn.dadada.li:51234";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+
+    # https://lists.zx2c4.com/pipermail/wireguard/2017-November/002028.html
+    systemd.timers.wg-reresolve-dns = mkIf (cfg.vpnExtension != null) {
+      wantedBy = [ "timers.target" ];
+      partOf = [ "wg-reresolve-dns.service" ];
+      timerConfig.OnCalendar = "hourly";
+    };
+    systemd.services.wg-reresolve-dns = mkIf (cfg.vpnExtension != null) {
+      serviceConfig.Type = "oneshot";
+      script = ''
+        ${pkgs.wireguard-tools}/bin/wg set bs peer lFB2DWtzp55ajV0Fk/OWdO9JlGvN9QsayYKQQHV3GEs= endpoint bs.vpn.dadada.li:51234 persistent-keepalive 25 allowed-ips fd42:dead:beef::/48
+      '';
+    };
+
+    fileSystems."/mnt/media.dadada.li" = mkIf cfg.enableBsShare {
+      device = "media.dadada.li:/mnt/storage/share";
+      fsType = "nfs";
+      options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ];
+    };
+
+    networking.firewall = {
+      enable = true;
+      allowedUDPPorts = [
+        51234 # Wireguard
+        5353 # mDNS
+      ];
+    };
+  };
+}

nixos/modules/profiles/laptop.nix

@@ -0,0 +1,55 @@
+{ config, pkgs, lib, ... }:
+with lib;
+{
+  networking.domain = mkDefault "dadada.li";
+
+  services.fwupd.enable = mkDefault true;
+
+  fonts.fonts = mkDefault (with pkgs; [
+    source-code-pro
+  ]);
+
+  time.timeZone = mkDefault "Europe/Berlin";
+
+  i18n.defaultLocale = mkDefault "en_US.UTF-8";
+
+  console.keyMap = mkDefault "us";
+
+  users.mutableUsers = mkDefault true;
+
+  programs.zsh = mkDefault {
+    enable = true;
+    autosuggestions.enable = true;
+    enableCompletion = true;
+    histSize = 100000;
+    vteIntegration = true;
+    syntaxHighlighting = {
+      enable = true;
+      highlighters = [ "main" "brackets" "pattern" "root" "line" ];
+    };
+  };
+
+  virtualisation = {
+    libvirtd.enable = mkDefault true;
+    docker.enable = mkDefault true;
+  };
+
+  virtualisation.docker.extraOptions = mkDefault "--bip=192.168.1.5/24";
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = mkDefault true;
+  boot.loader.efi.canTouchEfiVariables = mkDefault true;
+
+  services.fstrim.enable = mkDefault true;
+
+  services.avahi.enable = false;
+
+  networking.networkmanager.enable = mkDefault true;
+  networking.firewall.enable = mkDefault true;
+
+  services.xserver.enable = mkDefault true;
+  services.xserver.displayManager.gdm.enable = mkDefault true;
+  services.xserver.desktopManager.gnome.enable = mkDefault true;
+
+  xdg.mime.enable = mkDefault true;
+}

nixos/modules/profiles/server.nix

@@ -0,0 +1,21 @@
+{ config, pkgs, lib, ... }:
+with lib;
+{
+  networking.domain = mkDefault "dadada.li";
+
+  dadada.admin.users = {
+    "dadada" = [ "${pkgs.keys}/dadada.pub" ];
+  };
+
+  dadada.autoUpgrade.enable = mkDefault false;
+
+  environment.noXlibs = mkDefault true;
+  documentation.enable = mkDefault false;
+  documentation.nixos.enable = mkDefault false;
+
+  i18n.defaultLocale = mkDefault "en_US.UTF-8";
+  console = mkDefault {
+    font = "Lat2-Terminus16";
+    keyMap = "us";
+  };
+}

nixos/modules/share.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  cfg = config.dadada.share;
+in
+{
+  options.dadada.share = {
+    enable = mkEnableOption "Enable file share";
+  };
+  config = mkIf cfg.enable {
+    services.nginx.enable = true;
+
+    services.nginx.virtualHosts."share.dadada.li" = {
+      enableACME = true;
+      forceSSL = true;
+
+      root = "/var/lib/share";
+
+      locations = {
+        "/robots.txt" = {
+          extraConfig = ''
+            add_header Content-Type text/plain;
+            return 200 "User-agent: *\nDisallow: /\n";
+          '';
+        };
+      };
+    };
+  };
+}

nixos/modules/steam.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  cfg = config.dadada.steam;
+in
+{
+  options = {
+    dadada.steam = {
+      enable = mkEnableOption "Enable Steam config";
+    };
+  };
+  config = mkIf cfg.enable {
+    nixpkgs.config.allowUnfree = true;
+
+    hardware.opengl = {
+      enable = true;
+      driSupport32Bit = true;
+      extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
+    };
+
+    hardware.pulseaudio.support32Bit = true;
+  };
+}

nixos/modules/update.nix

@@ -0,0 +1,28 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  cfg = config.dadada.autoUpgrade;
+in
+{
+
+  options.dadada.autoUpgrade = {
+    enable = mkEnableOption "Enable automatic upgrades";
+  };
+
+  config = mkIf cfg.enable {
+    nix = {
+      autoOptimiseStore = false;
+      useSandbox = true;
+      gc = {
+        automatic = true;
+        dates = "weekly";
+        options = "--delete-older-than 7d";
+      };
+    };
+
+    system.autoUpgrade = {
+      enable = true;
+      dates = "daily";
+    };
+  };
+}

nixos/modules/vpnServer.nix

@@ -0,0 +1,50 @@
+{ config, lib, ... }:
+
+with lib;
+let
+  cfg = config.dadada.vpnServer;
+  wgPeer = { name, ... }: {
+    options = {
+      name = mkOption {
+        internal = true;
+        default = name;
+      };
+      id = mkOption {
+        description = "VPN client id";
+        default = 0;
+        type = types.str;
+      };
+      key = mkOption {
+        description = "VPN client public key";
+        default = "";
+        type = types.str;
+      };
+    };
+  };
+in
+{
+  options.dadada.vpnServer = {
+    enable = mkEnableOption "Enable wireguard gateway";
+    peers = mkOption {
+      description = "Set of extensions and public keys of peers";
+      type = with types; attrsOf (submodule wgPeer);
+      default = { };
+    };
+  };
+  config = mkIf cfg.enable {
+    networking.wireguard.enable = true;
+    networking.wireguard.interfaces."wg0" = {
+      allowedIPsAsRoutes = true;
+      privateKeyFile = "/var/lib/wireguard/wg0-key";
+      ips = [ "fd42:dead:beef:1337::0/64" ];
+      listenPort = 51234;
+      peers = map
+        (peer: (
+          {
+            allowedIPs = [ "fd42:dead:beef:1337::${peer.id}/128" ];
+            publicKey = peer.key;
+          }))
+        (attrValues cfg.peers);
+    };
+  };
+}

nixos/modules/weechat.nix

@@ -0,0 +1,58 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  cfg = config.dadada.weechat;
+in
+{
+  options.dadada.weechat = {
+    enable = mkEnableOption "Enable weechat relay";
+  };
+  config = mkIf cfg.enable {
+    services.weechat = {
+      enable = true;
+      sessionName = "weechat-dadada";
+    };
+
+    services.nginx.enable = true;
+
+    services.nginx.virtualHosts."webchat.dadada.li" = {
+      enableACME = true;
+      forceSSL = true;
+
+      root = pkgs.glowing-bear;
+
+      locations = {
+        "/robots.txt" = {
+          extraConfig = ''
+            add_header Content-Type text/plain;
+            return 200 "User-agent: *\nDisallow: /\n";
+          '';
+        };
+      };
+    };
+    services.nginx.virtualHosts."weechat.dadada.li" = {
+      useACMEHost = "webchat.dadada.li";
+      forceSSL = true;
+
+      root = "${pkgs.nginx}/html";
+      locations = {
+        "/weechat" = {
+          extraConfig = ''
+            proxy_pass http://localhost:9001;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_read_timeout 8h;
+          '';
+        };
+        "/robots.txt" = {
+          extraConfig = ''
+            add_header Content-Type text/plain;
+            return 200 "User-agent: *\nDisallow: /\n";
+          '';
+        };
+      };
+    };
+  };
+}

nixos/modules/zsh.nix

@@ -0,0 +1,14 @@
+{ config, pkgs, lib, ... }:
+{
+  programs.zsh = {
+    enable = true;
+    autosuggestions.enable = true;
+    enableCompletion = true;
+    histSize = 100000;
+    vteIntegration = true;
+    syntaxHighlighting = {
+      enable = true;
+      highlighters = [ "main" "brackets" "pattern" "root" "line" ];
+    };
+  };
+}