Initial Commit

.gitignore

@@ -0,0 +1,3 @@
+result
+ecdsa_host
+secrets/

configuration/common/default.nix

@@ -0,0 +1,81 @@
+{ config, lib, pkgs, ... }:
+
+let 
+  home-manager = fetchGit {
+    url = "https://github.com/nix-community/home-manager";
+    rev = "a98ec6ec158686387d66654ea96153ec06be33d7";
+  };
+in {
+  imports = [
+    ../../modules
+    "${home-manager}/nixos"
+    ./pbb.nix
+    ./users.nix
+  ];
+
+  nixpkgs.overlays = [
+    (self: super: import ../../pkgs { nixpkgs = super.path; })
+  ];
+
+  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+  boot.kernelParams = [ "quiet" ];
+
+  networking.domain = lib.mkDefault "hacc.space";
+  petabyte.nftables = {
+    enable = lib.mkDefault true;
+  };
+
+  services.journald.extraConfig = "SystemMaxUse=512M";
+  nix.gc.automatic = lib.mkDefault true;
+  nix.gc.options = lib.mkDefault "--delete-older-than 1w";
+  nix.trustedUsers = [ "root" "@wheel" ];
+  environment.variables.EDITOR = "vim";
+
+  services.openssh.enable = true;
+  services.openssh.ports = lib.mkDefault [ 62954 ];
+  services.openssh.passwordAuthentication = false;
+  services.openssh.challengeResponseAuthentication = false;
+  services.openssh.permitRootLogin = lib.mkDefault "prohibit-password";
+  services.openssh.extraConfig = "StreamLocalBindUnlink yes";
+  security.sudo.wheelNeedsPassword = lib.mkDefault false;
+
+  i18n.defaultLocale = "en_IE.UTF-8";
+  time.timeZone = "UTC";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "de";
+  };
+  programs.mtr.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    smartmontools lm_sensors htop tcpdump nload iftop
+#   bottom 
+    ripgrep
+    git wget
+    kitty.terminfo
+    rsync pv progress
+    parallel bc
+    usbutils pciutils
+    cryptsetup gptfdisk
+    zstd p7zip
+    file
+    whois
+    iperf
+    fd
+    exa
+    socat
+    tmux
+    gnupg
+    vim
+    patchelf
+    binutils
+    dnsutils
+    flashrom ifdtool cbfstool nvramtool
+    nmap
+  ];
+
+  petabyte.vnstat = {
+    enable = true;
+    nginx.enable = true;
+  };
+}

configuration/common/hexchen.nix

@@ -0,0 +1,71 @@
+{config, lib, pkgs, ...}: 
+
+{
+  home-manager.users.hexchen = {
+    programs.direnv = {
+      enable = true;
+      enableFishIntegration = true;
+      enableNixDirenvIntegration = true;
+    };
+    programs.fish = {
+      enable = true;
+      shellAliases = {
+        icat = "${pkgs.kitty}/bin/kitty +kitten icat";
+      };
+      plugins = [
+        {
+          name = "bass";
+          src = pkgs.fetchFromGitHub {
+            owner = "edc";
+            repo = "bass";
+            rev = "d63054b24c2f63aaa3a08fb9ec9d0da4c70ab922";
+            sha256 = "0pwci5xxm8308nrb52s5nyxijk0svar8nqrdfvkk2y34z1cg319b";
+          };
+        }
+      ];
+    };
+    programs.vim = {
+      enable = true;
+      extraConfig = ''
+        set viminfo='20,<1000
+        set mouse=a
+      ''; /*
+        set tabstop=2
+        set shiftwidth=2
+        set expandtab
+      '';*/
+    };
+
+    programs.git = {
+      enable = true;
+      userName = "hexchen";
+      userEmail = "hexchen@lilwit.ch";
+    };
+
+    programs.bat.enable = true;
+    programs.jq.enable = true;
+    programs.tmux.enable = true;
+    programs.ssh = {
+      enable = true;
+      controlMaster = "auto";
+      controlPersist = "10m";
+      hashKnownHosts = true;
+      matchBlocks = let
+        hexchen = {
+          forwardAgent = true;
+          extraOptions = {
+            RemoteForward = "/run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra";
+          };
+          port = 62954;
+        };
+      in {
+	"*.chaoswit.ch" = hexchen;
+	"*.copyonwit.ch" = hexchen;
+	"*.lilwit.ch" = hexchen;
+	"*.hxchn.de" = hexchen;
+        "*.hacc.space" = hexchen;
+      };
+    };
+  };
+
+}

configuration/common/pbb.nix

@@ -0,0 +1,13 @@
+let
+  pbbNixfiles = fetchGit {
+    url = "https://git.petabyte.dev/petabyteboy/nixfiles";
+    rev = "fcfa9a150bdc0c36996db89d6cee07dd5db82373";
+  };
+in {
+  imports = [
+    "${pbbNixfiles}/modules"
+  ];
+  nixpkgs.overlays = [
+    (self: super: import "${pbbNixfiles}/pkgs" { nixpkgs = super.path; })
+  ];
+}

configuration/common/users.nix

@@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hexchen.nix
+  ];
+
+  home-manager.useGlobalPkgs = true;
+
+  users.users = {
+    root = {
+      openssh.authorizedKeys.keys = with pkgs.lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
+    };
+
+    hexchen = {
+      uid = 1000;
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDNVUDKx9sukRkb6INny432+2HZBWx/qIEAOvngF1qcj hexchen@montasch"
+      ];
+      shell = pkgs.fish;
+      packages = with pkgs; [ python38 go ];
+    };
+
+    stuebinm = {
+      uid = 1001;
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQtJQ8fUfwsC9Q39sNpZ41RRbW91QXDLKltsYK+TLidQ5IJj2KsG/lkd433Tod6PzSvB2PcfIfnvUz7GQuS1UwXHMdLEy0/kqeYrSi6QlAxFyFBSTsUZ4d+HHwBBoXhu1Iaoch/FJNI0FhfBciIii05UyYuPj5zGgvWhnfD53Ll8HA6XVXhSK09+9GRGq57Mix5N9AkzfEF83aRUF9Qfl7Jl16rOjIgtS8hbL0kXIKUeCxZA2xi/lNHEQRriCiriPmPGOhiPcNXzbekw7IbFfE3If1CHnj7KA4KnafHAd+uHvQAce5Y4v2vMOPfGVh1cm84VTzdSPEW5V1hFjOlSnnuCQtAzkQLv8zed2NLj73GgFlcUrYKERcH84wydD0gEednNKsW8T2NzgO2eNCBf0LrcFp17qmWLv51A3jofEX5tQ3PZ7zbtR4DMUmrizrsBWDYiHJOMVeMs/9TnmIc3PL17qvVvFI7OcYxl+SPPpPtaBzxXZAMIvGFppzYxRylBcBhNvE+bXXgLFXh5cbUcwgXjvrX0y8Gv/5S4E55+i2rQMqC55+O48snoSeNlQDZV+B9setXoC93K9fBurmCX8ObnNRvvghcwUl9OBSW5K9TBdl6FF3+Z3gOCIxOMGQQKJUS5/g/eLFJ+13Y5qAPS49XJzaBiTmDrRi8x22p7sU1Q== stuebinm@in.tum.de"
+      ];
+    };
+
+    octycs = {
+      uid = 1002;
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDobGLrA6YQAKdJkZMpAsqjlk744G/pCJEvAUNJDuT1Sr59BFKDchPT03exb0o39mjH4iqvw4JDI10RfylKbR1736Ji2yRLlbCzUdgv2CfZc28TAO0rscyT49RHJmzEEE5QD4Ge7MgvFBEmZKXAxntA8M8EbxxEVfzhWp3751BYkzrCbJiHMXcTb+BG9P6rmrraINmgUJxywym5PsMYt2sfHlVus3hSpWnCR/cu0nxmW9E6Tm6CzSkWOXOTdjVuc0Kgh5GXaKDROzJ9K7cJAhd5t8Yzqtpm2xfSU5FVVUH9i7PbXOo8FL82Xi6kWMgdFNLvKimxGqW+bCv3ROlyKWF4I+HQdfdL181KaOQ40jAvjmldrB/ZiEbuWYSBZ/XhxFkKrtBYPDFHq/a5lnH3OvcDm7+/LhwIKUnyZyQ2dXOLOTOEDsO/69xwNveCB8of9o/erDbOeb+d44cXUFpPMUTz4bHXEP6y+zz8TB8/aleGbLQCPUzRZfvazN95jGUDqkumi9B3Lf+W/KpjVUgu3NQsUuJn6khMYW9VefnJvHwzbWpqIzbzNePL4iZFECv4NHPQHO/katajnMbkCie9rfnLk1EjJnrSnZUInEygkW/7Eu4EQM2h7lU4HYfwP1c4ubCFdES0ELGqSuJRwd/ORDbgxbuKOQ7gZ3/lgHdr9KGqJQ== markus.amaseder@amaseder.de"
+      ];
+      hashedPassword = "$6$qQEbD8Ejx/y$6/nkX8CmFBtAlUP/UbFKVMVlA.ZvVbjQZRABqXQjU11tKpY25ww.MCGGMEKFv.7I/UH/126/q0S3ROTqePUEc.";
+    };
+
+    zauberberg = {
+      uid = 1003;
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt34ou3NYWoUayWrJa5ISzihAAhFiwolJPmm2fF9llPUUA8DP3BQRiKeqDlkDzhWLwztb+dNIUuregiFJdRN5Q2JZBKlM7Gqb1QtPhtK+xe2pyZPX2SWKIsKA6j3VAThhXsQdj3slXu3dG8FF7j+IFg/eTgpeQIFQQkMIc204ha8OP2ASYAJqgJVbXq8Xh3KkAc1HSrjYJLntryvK10wyU8p3ug370dMu3vRUn44FEyDzXFM9rfsgysQTzVgp+sXdRfMLeyvf+SUrE8hiPjzevF2nsUP0Xf/rIaK5VayChPLXJkulognINzvuVWAdwNPDLpgGwkjglF2681Ag88bLX allesmoeglicheundvielmehr@hotmail.de"
+      ];
+      packages = with pkgs; [ makemkv ];
+    };
+
+    schweby = {
+      uid = 1004;
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6JWi0MBDz0Zy4zjauQv28xYmHyapb8D4zeesq91LLE schweby@txsbcct"
+      ];
+      hashedPassword = "$6$zkAsaVdmIduqZxez$GY9aBlYeP41F0it/VbbZzLLLRQhHAbDdFsa3e/1GS9McTuSimMHODg6HqNVEH1zSqD3afhK/0UHfqbtF5qpi90";
+      packages = with pkgs; [ makemkv ];
+    };
+  };
+}

configuration/desktop/default.nix

@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.plymouth.enable = true;
+  nixpkgs.config = {
+    mumble.speechdSupport = true;
+    allowUnfree = true;
+  };
+# boot.plymouth.splashBeforeUnlock = true;
+  users.users.hexchen = {
+    packages = with pkgs; [
+      pulsemixer pavucontrol
+      firefox git kitty j4-dmenu-desktop bemenu
+      breeze-qt5 mako
+      mpv youtube-dl
+      wl-clipboard mumble
+      xdg_utils
+      slurp grim libnotify
+      _1password-gui
+      # gnome3.nautilus
+    ];
+    extraGroups = [ "video" ];
+  };
+  home-manager.users.hexchen = {
+    gtk = {
+      enable = true;
+      iconTheme = {
+        name = "Adwaita";
+        package = pkgs.gnome3.adwaita-icon-theme;
+      };
+      theme = {
+        name = "Adwaita";
+        package = pkgs.gnome3.adwaita-icon-theme;
+      };
+    };
+  };
+
+  sound.enable = true;
+  hardware.pulseaudio.enable = true;
+  networking.useDHCP = lib.mkDefault true;
+  hardware.opengl.enable = true;
+
+}

configuration/desktop/gnome.nix

@@ -0,0 +1,14 @@
+{config, lib, pkgs, ...}:
+
+{
+  services.xserver.displayManager.lightdm = {
+    enable = true;
+  };
+  services.xserver = {
+    enable = true;
+#   videoDrivers = [ "nvidia" ];
+  };
+# hardware.nvidia.modesetting.enable = true;
+
+# services.xserver.desktopManager.gnome3.enable = true;
+}

configuration/desktop/streaming.nix

@@ -0,0 +1,17 @@
+{ config, pkgs, ...}:
+
+{
+  boot = {
+    extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
+    kernelModules = [ "v4l2loopback" ];
+  };
+
+  home-manager.users.hexchen = {
+    programs.obs-studio = {
+      enable = true;
+      plugins = with pkgs; [
+        obs-wlrobs obs-v4l2sink
+      ];
+    };
+  };
+}

configuration/desktop/sway.nix

@@ -0,0 +1,43 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+  fonts.fonts = with pkgs; [ font-awesome nerdfonts ];
+  users.users.hexchen.packages = with pkgs; [ ];
+  home-manager.users.hexchen = {
+    programs.waybar = {
+      enable = true;
+
+      settings = [{
+        modules-left = [ "sway/workspaces" "sway/mode" ];
+        modules-center = [ "sway/window" ];
+        modules-right = [ "pulseaudio" "network" "cpu" "memory" "temperature" "battery" "clock" "tray" ];
+
+        modules = {
+          battery = {
+            states = {
+              good = 95;
+              warning = 30;
+              critical = 15;
+            };
+            format = "{capacity}% {icon}";
+            format-charging = "{capacity}% ";
+            format-plugged = "{capacity}% ";
+            format-alt = "{time} {icon}";
+            format-icons = ["" "" "" "" ""];
+          };
+          network = {
+            format-wifi = "{essid} ({signalStrength}%) ";
+            format-ethernet = "{ifname}: {ipaddr}/{cidr} ";
+            format-linked = "{ifname} (No IP) ";
+            format-disconnected = "Disconnected ⚠";
+            format-alt = "{ifname}: {ipaddr}/{cidr}";
+          };
+        };
+      }];
+    };
+  };
+
+  programs.sway.enable = true;
+
+}

configuration/hosts/default.nix

@@ -0,0 +1,23 @@
+let
+  hosts = {
+    hainich = {
+      ssh.host = "hainich.hacc.space";
+      channel = "nixos-unstable";
+      groups = [ "server" "hacc" ];
+    };
+    nixda = {
+      ssh.host = "nixda.hacc.space";
+      channel = "nixos-20.09";
+      groups = [ "server" "hacc" "live" ];
+    };
+  };
+  pkgs = import <nixpkgs> {};
+  evalConfig = import <nixpkgs/nixos/lib/eval-config.nix>;
+  lib = pkgs.lib;
+in lib.mapAttrs (name: host: host // {
+  config = if (host ? config) then host.config else (evalConfig {
+    modules = [
+      (import "${toString ./.}/${name}/configuration.nix")
+    ];
+  }).config;
+}) hosts

configuration/hosts/hainich/configuration.nix

@@ -0,0 +1,103 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ../../common
+    ./encboot.nix
+    ./hardware.nix
+    ./services/murmur.nix
+    ./services/mail.nix
+#   ./services/engelsystem.nix
+    ./services/codimd.nix
+    ../../common
+    ./wireguard.nix
+    ./services/nginx.nix
+#   ./k8s.nix
+    ./services/docker.nix
+    ./services/rocket.nix
+  ];
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda";
+  boot.supportedFilesystems = [ "zfs" ];
+
+  # networking
+  networking.hostName = "hainich";
+  networking.hostId = "8a58cb2f";
+  networking.useDHCP = true;
+  networking.interfaces.enp6s0.ipv4.addresses = [
+    {
+      address = "46.4.63.148";
+      prefixLength = 27;
+    }
+
+    {
+      address = "46.4.63.158";
+      prefixLength = 27;
+    }
+  ];
+  networking.interfaces.enp6s0.ipv6.addresses = [ {
+    address = "2a01:4f8:140:84c9::1";
+    prefixLength = 64;
+  } ];
+  networking.defaultGateway = "46.4.63.129";
+  networking.nameservers = [
+    "1.1.1.1" "1.0.0.1"
+    "2606:4700:4700::1111" "2606:4700:4700::1001"
+  ];
+# networking.defaultGateway6 = {
+#   address = "fe80::1";
+#   interface = "enp6s0";
+# };
+
+  networking.nat.enable = true;
+  networking.nat.internalInterfaces = ["ve-+"];
+  networking.nat.externalInterface = "enp6s0";
+
+
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # networking.firewall.enable = false;
+
+  # misc
+  time.timeZone = "UTC";
+
+  environment.systemPackages = with pkgs; [
+    wget vim git
+  ];
+
+  services.openssh.enable = true;
+  services.openssh.ports = [ 22 62954 ];
+
+  users.users.root = {
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDNVUDKx9sukRkb6INny432+2HZBWx/qIEAOvngF1qcj hexchen@montasch"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCvmrk3i04tXfrSlZtHFbG3o6lQgh3ODMWmGDING4TJ4ctidexmMNY15IjVjzXZgQSET1uKLDLITiaPsii8vaWERZfjm3jjub845mpKkKv48nYdM0eCbv7n604CA3lwoB5ebRgULg4oGTi60rQ4trFf3iTkJfmiLsieFBZz7l+DfgeDEjDNSJcrkOggGBrjE5vBXoDimdkNh8kBNwgMDj1kPR/FHDqybSd5hohCJ5FzQg9vzl/x/H1rzJJKYPO4svSgHkYNkeoL84IZNeHom+UEHX0rw2qAIEN6AiHvNUJR38relvQYxbVdDSlaGN3g26H2ehsmolf+U0uQlRAXTHo0NbXNVYOfijFKL/jWxNfH0aRycf09Lu60oY54gkqS/J0GoQe/OGNq1Zy72DI+zAwEzyCGfSDbAgVF7Y3mU2HqcqGqNzu7Ade5oCbLmkT7yzDM3x6IsmT1tO8dYiT8Qv+zFAECkRpw3yDkJkPOxNKg10oM318whMTtM3yqntE90hk= schweby@taxusbaccata"
+    ];
+    initialHashedPassword = "$6$F316njEF2$GMF4OmPSF6QgZ3P/DblQ/UFMgoo98bztbdw7X0ygvBGC1UMMIc13Vtxjd/ZGRYW/pEHACZZ7sbRZ48t6xhvO7/";
+#   shell = pkgs.fish;
+  };
+
+  # storage stuffs!
+  services.zfs = {
+    autoSnapshot = {
+      enable = true;
+    };
+    autoScrub = {
+      enable = true;
+    };
+  };
+
+  services.journald.extraConfig = ''
+  MaxFileSec=6h
+  MaxRetentionSec=72h
+  '';
+ 
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "20.03"; # Did you read the comment?
+}

configuration/hosts/hainich/encboot.nix

@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.initrd.kernelModules = [ "r8169" ]; # add network card driver
+  boot.kernelParams = ["ip=:::::enp6s0:dhcp"]; # enable dhcp on primary network interface
+  boot.initrd.network = {
+    enable = true;
+    ssh = {
+      enable = true;
+      port = 2222;
+      # TODO: Modify system config so that this works
+#     authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
+      authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
+      hostKeys = [ /run/keys/ecdsa_host ];
+    };
+    # TODO: curl some webhook here to alert?
+    #       possibly quite hard to do, we only have limited wget or netcat available
+    # how this all works:
+    #       when someone logs in via ssh, they are prompted to unlock the zfs volume
+    #       afterwards zfs is killed in order for the boot to progress
+    #       timeout of 120s still applies afaik
+    postCommands = ''
+      zpool import zroot
+      zpool import dpool
+      echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
+    '';
+  };
+}

configuration/hosts/hainich/hardware.nix

@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "sd_mod" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "zroot/root/nixos";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "zroot/root/nixos/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "dpool/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/containers" =
+    { device = "dpool/containers";
+      fsType = "zfs";
+    };
+
+  fileSystems."/data" =
+    { device = "dpool/data";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/40125f55-7fe8-4850-902e-b4d6e22f0335";
+      fsType = "ext2";
+    };
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 12;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}

configuration/hosts/hainich/k8s.nix

@@ -0,0 +1,125 @@
+{ config, pkgs, ... }:
+{
+  services.etcd = {
+    advertiseClientUrls = [
+      "https://[2a0d:eb04:8:10::1]:2379"
+    ];
+    listenClientUrls = [
+      "https://[2a0d:eb04:8:10::1]:2379"
+    ];
+    listenPeerUrls = [
+      "https://[::1]:2380"
+    ];
+  };
+  services.kubernetes = {
+    roles = [ "master" "node" ];
+    flannel.enable = false;
+    addons.dns = {
+      enable = true;
+      clusterIp = "2a0d:eb04:8:11::53";
+      reconcileMode = "EnsureExists";
+    };
+    pki.cfsslAPIExtraSANs = [ "hainich.hacc.space" ];
+    apiserver = {
+      advertiseAddress = "2a0d:eb04:8:10::1";
+      extraSANs = [
+        "2a0d:eb04:8:10::1" "2a0d:eb04:8:11::1" "hainich.hacc.space"
+      ];
+      bindAddress = "::";
+      insecureBindAddress = "::1";
+      etcd = {
+        servers = [ "https://[2a0d:eb04:8:10::1]:2379" ];
+      };
+      serviceClusterIpRange = "2a0d:eb04:8:11::/120";
+      extraOpts = "--allow-privileged=true";
+    };
+    controllerManager = {
+      bindAddress = "::";
+      clusterCidr = "2a0d:eb04:8:12::/64";
+    };
+    kubelet = {
+      address = "::";
+      clusterDns = "2a0d:eb04:8:11::53";
+    };
+    proxy = {
+      bindAddress = "::";
+    };
+    scheduler = {
+      address = "::1" ;
+    };
+    apiserverAddress = "https://[2a0d:eb04:8:10::1]:6443";
+    clusterCidr = "2a0d:eb04:8:12::/64";
+    easyCerts = true;
+    masterAddress = "hainich.hacc.space";
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 80 443 6443 ];
+    trustedInterfaces = [
+      "cbr0" "tunnat64"
+    ];
+    extraCommands = ''
+      iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
+      iptables -A FORWARD -i tunnat64 -j ACCEPT
+
+      iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
+      iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
+      iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
+
+      ip6tables -A FORWARD -i tunnat64 -j ACCEPT
+      ip6tables -A INPUT -i tunnat64 -j ACCEPT
+    '';
+    extraStopCommands = ''
+      iptables -t nat -D POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
+      iptables -D FORWARD -i tunnat64 -j ACCEPT
+
+      iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
+      iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
+      iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
+
+      ip6tables -A FORWARD -i tunnat64 -j ACCEPT
+      ip6tables -A INPUT -i tunnat64 -j ACCEPT
+    '';
+  };
+
+  systemd.services.tayga = (let
+    config = pkgs.writeText "tayga.conf" ''
+        tun-device tunnat64
+        ipv4-addr 10.255.255.254
+        prefix 2a0d:eb04:8:10:64::/96
+        dynamic-pool 10.255.255.0/24
+        map 10.255.255.1 2a0d:eb04:8:10::1
+        map 10.255.255.2 2a0d:eb04:8:11::2
+        strict-frag-hdr 1
+      '';
+    startScript = pkgs.writeScriptBin "tayga-start" ''
+        #! ${pkgs.runtimeShell} -e
+        ${pkgs.iproute}/bin/ip link set up tunnat64 || true
+        ${pkgs.iproute}/bin/ip route add 10.255.255.0/24 dev tunnat64 || true
+        ${pkgs.iproute}/bin/ip -6 route add 2a0d:eb04:8:10:64::/96 dev tunnat64 || true
+        ${pkgs.tayga}/bin/tayga -d --config ${config}
+      '';
+  in {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    serviceConfig = {
+      ExecStart = ''${startScript}/bin/tayga-start'';
+    };
+  });
+
+  networking.interfaces.cbr0.ipv6.routes = [{
+    address = "2a0d:eb04:8:10::";
+    prefixLength = 60;
+  }];
+
+  networking.interfaces.tunnat64 = {
+    virtual = true;
+  };
+
+  # openebs expects some stuff to be there.
+  system.activationScripts.openebs = ''
+    mkdir -p /usr/lib /usr/sbin
+    ln -sf ${pkgs.zfs.lib}/lib/* /usr/lib/
+    ln -sf ${pkgs.zfs}/bin/zfs /usr/sbin/
+  '';
+}

configuration/hosts/hainich/services/codimd.nix

@@ -0,0 +1,79 @@
+{ config, lib, pkgs, ... }:
+
+{
+  containers.codimd = {
+    privateNetwork = true;
+    hostAddress = "192.168.100.1";
+    localAddress = "192.168.100.3";
+    autoStart = true;
+    config = { config, lib, pkgs, ... }: {
+      networking.firewall.allowedTCPPorts = [ 3000 ];
+      services.coredns = {
+        enable = true;
+        config = ''
+        .:53 {
+          forward . 1.1.1.1
+        }
+        '';
+      };
+      services.codimd = {
+        enable = true;
+        configuration = {
+          allowAnonymous = true;
+          allowFreeURL = true;
+          allowGravatar = false;
+          allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ];
+          dbURL = "postgres://codimd:codimd@localhost:5432/codimd";
+          defaultPermission = "limited";
+          domain  = "pad.hacc.space";
+          host = "0.0.0.0";
+          protocolUseSSL = true;
+          hsts.preload = false;
+          email = false;
+          oauth2 = {
+            authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
+            tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
+            clientID = "codimd";
+            clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
+          };
+        };
+      };
+      systemd.services.codimd.environment = {
+        "CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
+        "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name";
+        "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name";
+        "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
+        "CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
+      };
+      services.postgresql = {
+        enable = true;
+        ensureDatabases = [ "codimd" ];
+        ensureUsers = [{
+          name = "codimd";
+          ensurePermissions = {
+            "DATABASE codimd" = "ALL PRIVILEGES";
+          };
+        }];
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."pad.hacc.space" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://192.168.100.3:3000";
+      extraConfig = ''
+        proxy_pass_request_headers on;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_buffering off;
+      '';
+    };
+  };
+}

configuration/hosts/hainich/services/docker.nix

@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # disable nftables since it breaks shit
+  petabyte.nftables.enable = false;
+  virtualisation.oci-containers.containers."ghost-waszumfff" = {
+    autoStart = true;
+    environment = {
+      url = "https://waszumfff.4future.dev";
+    };
+    image = "ghost:alpine";
+    ports = [ "127.0.0.1:2368:2368" ];
+    volumes = [ "/run/florinori:/var/lib/ghost/content" ];
+  };
+
+  fileSystems."/run/florinori" =
+    { device = "dpool/k8s/florinori";
+      fsType = "zfs";
+    };
+
+  services.nginx.virtualHosts."waszumfff.4future.dev" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:2368";
+      extraConfig = "
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+      ";
+    };
+  };
+}

configuration/hosts/hainich/services/engelsystem.nix

@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+
+# TODO: Make this confix nix-y, so it doesn't require a metric shitton of
+# manual intervention to install
+{
+  containers.engelsystem = {
+    config = { pkgs, lib, config, ... }:
+      let
+        app = "engelsystem";
+        domain = "himmel.hacc.earth";
+        dataDir = "/srv/http/${domain}/public";
+        engelport-py-pack = python-packages: with pkgs.python38Packages; [
+          mysqlclient
+        ];
+        engelport-py = pkgs.python38.withPackages engelport-py-pack;
+      in {
+        networking.firewall.enable = false;
+        networking.nameservers = ["1.1.1.1" "1.0.0.1"];
+        networking.hosts."192.168.100.1" = [ "mail.hacc.space" ];
+        services.phpfpm.pools.${app} = {
+          user = app;
+          settings = {
+            "listen.owner" = config.services.nginx.user;
+            "pm" = "dynamic";
+            "pm.max_children" = 32;
+            "pm.max_requests" = 500;
+            "pm.start_servers" = 2;
+            "pm.min_spare_servers" = 2;
+            "pm.max_spare_servers" = 5;
+            "php_admin_value[error_log]" = "stderr";
+            "php_admin_flag[log_errors]" = true;
+            "catch_workers_output" = true;
+          };
+          phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
+        };
+        services.nginx = {
+          enable = true;
+          virtualHosts.${domain}.locations = {
+            "/" = {
+              extraConfig = "rewrite ^ /index.php;";
+            };
+            "/assets" = {
+              root = dataDir;
+            };
+            "/index.php" = {
+              root = dataDir;
+              extraConfig = ''
+                include ${pkgs.nginx}/conf/fastcgi.conf;
+                fastcgi_split_path_info ^(.+\.php)(\\/.*)$;
+                try_files $fastcgi_script_name =404;
+                fastcgi_param PATH_INFO $fastcgi_path_info;
+                fastcgi_pass unix:${config.services.phpfpm.pools.${app}.socket};
+                fastcgi_intercept_errors on;
+              '';
+            };
+          };
+        };
+        users.users.${app} = {
+          isSystemUser = true;
+          createHome = true;
+          home = dataDir;
+          group  = app;
+        };
+        users.groups.${app} = {};
+
+        services.mysql = {
+          enable = true;
+          ensureDatabases = [ "engelsystem" ];
+          ensureUsers = [{
+            name = "engelsystem";
+            ensurePermissions."engelsystem.*" = "ALL PRIVILEGES";
+          }];
+          package = pkgs.mariadb;
+        };
+
+        environment.systemPackages = [
+          pkgs.php pkgs.php74Packages.composer pkgs.yarn engelport-py
+        ];
+      };
+    privateNetwork = true;
+    hostAddress = "192.168.100.1";
+    localAddress = "192.168.100.2";
+    autoStart = true;
+  };
+  services.nginx.virtualHosts."himmel.hacc.earth" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://192.168.100.2";
+      extraConfig = "add_header Host himmel.hacc.earth;";
+    };
+  };
+}

configuration/hosts/hainich/services/mail.nix

@@ -0,0 +1,170 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = let commit = "02a45d9965133434c7b816cab2f47c8a7505e764"; in [
+    (builtins.fetchTarball {
+      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${commit}/nixos-mailserver-${commit}.tar.gz";
+      sha256 = "04v66z0ijjm8bqpiqmq1aqrqj6r6jjz591lgijmk4frz7lksnz8k";
+    })
+  ];
+
+  mailserver = {
+    mailDirectory = "/data/mail";
+    enable = true;
+    fqdn = "mail.hacc.space";
+    domains = [ "hacc.space" "hacc.earth" "4future.dev" "4futu.re" ];
+
+    loginAccounts = {
+        "hexchen@hacc.space" = {
+            hashedPassword = "$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/";
+
+            aliases = [
+                "postmaster@hacc.space"
+                "abuse@hacc.space"
+            ];
+        };
+
+        "octycs@hacc.space" = {
+            hashedPassword = "$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg.";
+
+            aliases = [
+                "markus@hacc.space"
+            ];
+        };
+
+        "raphael@hacc.space" = {
+            hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/";
+        };
+
+        "engelsystem@hacc.space" = {
+            hashedPassword = "$6$5cIAEhJ7af7M$eJBPQc3ONd.N3HKPFpxfG7liZbUXPvWuSpWVgeG7rmsG7f7.Zdxtodvt5VaXoA3AEiv3GqcY.gKHISK/Gg0ib/";
+        };
+
+        "schweby@hacc.space" = {
+            hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1";
+        };
+
+        "zauberberg@hacc.space" = {
+            hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
+            aliases = [
+                "lukas@hacc.space"
+            ];
+        };
+
+        "talx@hacc.space" = {
+            hashedPassword = "$6$0hIKRoMJS./JSE$tXizRgphhNM3ZYx216VdRv1OiyZoYXsjGqSudTDu8vB8eZb03Axi31VKV87RXiEGGixdvTsHEKpx032aOzzt31";
+        };
+
+        "unms@hacc.space" = {
+            hashedPassword = "$6$pYlNP37913$sGE3L722ceP.1Qm5lsffYUN919hPP1xRTrzco3ic3Op21iiknBkOY04eY2l3Um/Bpk/yV89aJD0eaB/5RCbWR1";
+        };
+
+        "noreply@hacc.space" = {
+            hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
+        };
+        "stuebinm@hacc.space" = {
+            hashedPassword = "$6$jNfYD91wf/$YvJqo0QLzbnHcKigzAYgsE1gCc/07DUbKuNwAYBCKpQeqhBlUWjijXBuMH9wl7xH/i5HwOIyYhg6zuvejlfDN.";
+        };
+    };
+
+    extraVirtualAliases = {
+        # address = forward address;
+        "info@hacc.space" = [
+            "hexchen@hacc.space"
+            "octycs@hacc.space"
+            "raphael@hacc.space"
+            "schweby@hacc.space"
+            "zauberberg@hacc.space"
+            "stuebinm@hacc.space"
+        ];
+        "himmel@hacc.space" = [
+            "hexchen@hacc.space"
+            "schweby@hacc.space"
+            "zauberberg@hacc.space"
+        ];
+        "admin@hacc.space" = [
+            "hexchen@hacc.space"
+            "schweby@hacc.space"
+        ];
+    };
+
+    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+    # down nginx and opens port 80.
+    certificateScheme = 3;
+
+    # Enable IMAP and POP3
+    enableImap = true;
+    enablePop3 = true;
+    enableImapSsl = true;
+    enablePop3Ssl = true;
+
+    # Enable the ManageSieve protocol
+    enableManageSieve = true;
+
+    # whether to scan inbound emails for viruses (note that this requires at least
+    # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
+    virusScanning = false;
+  };
+  services.postfix.submissionOptions.smtpd_sender_restrictions = "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
+  services.postfix.virtual = ''@4future.dev @hacc.space
+@4futu.re @hacc.space
+@hacc.earth @hacc.space
+contact@hacc.space info@hacc.space'';
+
+  #mailman
+  services.postfix = {
+    relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
+    config = {
+      transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
+      local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
+      inet_protocols = "ipv4, ipv6";
+    };
+  };
+
+  services.mailman = {
+    enable = true;
+    siteOwner = "admin@hacc.space";
+    webUser = config.services.uwsgi.user;
+    hyperkitty.enable = true;
+    # Have mailman talk directly to hyperkitty, bypassing nginx:
+    hyperkitty.baseUrl = "http://localhost:33141/hyperkitty/";
+    webHosts = [ "lists.hacc.space" ];
+  };
+
+  systemd.services.uwsgi.restartTriggers = [
+    config.environment.etc."mailman3/settings.py".source
+  ];
+
+  systemd.services.mailman-settings.script = ''
+    chmod o+x /var/lib/mailman-web
+  '';
+
+  services.uwsgi = {
+    enable = true;
+    plugins = ["python3"];
+    instance = {
+      type = "normal";
+      # uwsgi protocol socket for nginx
+      socket = "127.0.0.1:33140";
+      pythonPackages = self: with self; [ mailman-web ];
+      # http socket for mailman core to reach the hyperkitty API directly
+      http-socket = "127.0.0.1:33141";
+      wsgi-file = "${pkgs.python3.pkgs.mailman-web}/lib/python3.8/site-packages/mailman_web/wsgi.py";
+      chdir = "/var/lib/mailman-web";
+      master = true;
+      processes = 4;
+      vacuum = true;
+    };
+  };
+
+  services.nginx.virtualHosts."lists.hacc.space" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/static/".alias = "/var/lib/mailman-web-static/";
+    locations."/".extraConfig = ''
+    uwsgi_pass 127.0.0.1:33140;
+    include ${config.services.nginx.package}/conf/uwsgi_params;
+    '';
+  };
+
+}

configuration/hosts/hainich/services/murmur.nix

@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.murmur = {
+    enable = false;
+    logDays = -1;
+    welcometext = "Welcome to mumble4future! Brought to you by infra4future";
+    sslKey = "/var/lib/acme/mumble.hacc.space/key.pem";
+    sslCert = "/var/lib/acme/mumble.hacc.space/fullchain.pem";
+  };
+
+  networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
+  networking.firewall.allowedUDPPorts = [ config.services.murmur.port ];
+
+  services.nginx.virtualHosts."mumble.hacc.space" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "https://stuebinm.4future.dev/mumble.infra4future.de/";
+    };
+  };
+  # set ACLs so that the murmur user can read the certificates
+  security.acme.certs."mumble.hacc.space".postRun = "setfacl -Rm u:murmur:rX /var/lib/acme/mumble.hacc.space";
+}

configuration/hosts/hainich/services/nginx.nix

@@ -0,0 +1,50 @@
+{ config, lib, pkgs