From 0878012581203a2f1325e240139f97a4f7f6b6c1 Mon Sep 17 00:00:00 2001 
From: hexchen Date: Fri, 27 Nov 2020 20:56:20 +0000 Subject: [PATCH] Initial Commit --- .gitignore | 3 + configuration/common/default.nix | 81 +++++++++ configuration/common/hexchen.nix | 71 ++++++++ configuration/common/pbb.nix | 13 ++ configuration/common/users.nix | 66 +++++++ configuration/desktop/default.nix | 43 +++++ configuration/desktop/gnome.nix | 14 ++ configuration/desktop/streaming.nix | 17 ++ configuration/desktop/sway.nix | 43 +++++ configuration/hosts/default.nix | 23 +++ configuration/hosts/hainich/configuration.nix | 103 +++++++++++ configuration/hosts/hainich/encboot.nix | 28 +++ configuration/hosts/hainich/hardware.nix | 42 +++++ configuration/hosts/hainich/k8s.nix | 125 +++++++++++++ .../hosts/hainich/services/codimd.nix | 79 ++++++++ .../hosts/hainich/services/docker.nix | 34 ++++ .../hosts/hainich/services/engelsystem.nix | 93 ++++++++++ configuration/hosts/hainich/services/mail.nix | 170 ++++++++++++++++++ .../hosts/hainich/services/murmur.nix | 24 +++ .../hosts/hainich/services/nginx.nix | 50 ++++++ .../hosts/hainich/services/rocket.nix | 35 ++++ configuration/hosts/hainich/wireguard.nix | 34 ++++ configuration/hosts/nixda/configuration.nix | 47 +++++ configuration/hosts/nixda/hardware-config.nix | 31 ++++ default.nix | 4 + lib/deploy.nix | 76 ++++++++ modules/default.nix | 6 + pkgs/default.nix | 22 +++ pkgs/fb_exporter/default.nix | 32 ++++ 29 files changed, 1409 insertions(+) create mode 100644 .gitignore create mode 100644 configuration/common/default.nix create mode 100644 configuration/common/hexchen.nix create mode 100644 configuration/common/pbb.nix create mode 100644 configuration/common/users.nix create mode 100644 configuration/desktop/default.nix create mode 100644 configuration/desktop/gnome.nix create mode 100644 configuration/desktop/streaming.nix create mode 100644 configuration/desktop/sway.nix create mode 100644 configuration/hosts/default.nix create mode 100644 configuration/hosts/hainich/configuration.nix create mode 
100644 configuration/hosts/hainich/encboot.nix create mode 100644 configuration/hosts/hainich/hardware.nix create mode 100644 configuration/hosts/hainich/k8s.nix create mode 100644 configuration/hosts/hainich/services/codimd.nix create mode 100644 configuration/hosts/hainich/services/docker.nix create mode 100644 configuration/hosts/hainich/services/engelsystem.nix create mode 100644 configuration/hosts/hainich/services/mail.nix create mode 100644 configuration/hosts/hainich/services/murmur.nix create mode 100644 configuration/hosts/hainich/services/nginx.nix create mode 100644 configuration/hosts/hainich/services/rocket.nix create mode 100644 configuration/hosts/hainich/wireguard.nix create mode 100644 configuration/hosts/nixda/configuration.nix create mode 100644 configuration/hosts/nixda/hardware-config.nix create mode 100644 default.nix create mode 100644 lib/deploy.nix create mode 100644 modules/default.nix create mode 100644 pkgs/default.nix create mode 100644 pkgs/fb_exporter/default.nix
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..67fb087
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+result
+ecdsa_host
+secrets/
diff --git a/configuration/common/default.nix b/configuration/common/default.nix
new file mode 100644
index 0000000..3b3486c
--- /dev/null
+++ b/configuration/common/default.nix
@@ -0,0 +1,81 @@ +{ config, lib, pkgs, ... }: + +let + home-manager = fetchGit { + url = "https://github.com/nix-community/home-manager"; + rev = "a98ec6ec158686387d66654ea96153ec06be33d7"; + }; +in { + imports = [ + ../../modules + "${home-manager}/nixos" + ./pbb.nix + ./users.nix + ]; + + nixpkgs.overlays = [ + (self: super: import ../../pkgs { nixpkgs = super.path; }) + ]; + + boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; + boot.kernelParams = [ "quiet" ]; + + networking.domain = lib.mkDefault "hacc.space"; + petabyte.nftables = { + enable = lib.mkDefault true; + }; + + services.journald.extraConfig = "SystemMaxUse=512M"; + nix.gc.automatic = lib.mkDefault true; + nix.gc.options = lib.mkDefault "--delete-older-than 1w"; + nix.trustedUsers = [ "root" "@wheel" ]; + environment.variables.EDITOR = "vim"; + + services.openssh.enable = true; + services.openssh.ports = lib.mkDefault [ 62954 ]; + services.openssh.passwordAuthentication = false; + services.openssh.challengeResponseAuthentication = false; + services.openssh.permitRootLogin = lib.mkDefault "prohibit-password"; + services.openssh.extraConfig = "StreamLocalBindUnlink yes"; + security.sudo.wheelNeedsPassword = lib.mkDefault false; + + i18n.defaultLocale = "en_IE.UTF-8"; + time.timeZone = "UTC"; + console = { + font = "Lat2-Terminus16"; + keyMap = "de"; + }; + programs.mtr.enable = true; + + environment.systemPackages = with pkgs; [ + smartmontools lm_sensors htop tcpdump nload iftop +# bottom + ripgrep + git wget + kitty.terminfo + rsync pv progress + parallel bc + usbutils pciutils + cryptsetup gptfdisk + zstd p7zip + file + whois + iperf + fd + exa + socat + tmux + gnupg + vim + patchelf + binutils + dnsutils + flashrom ifdtool cbfstool nvramtool + nmap + ]; + + petabyte.vnstat = { + enable = true; + nginx.enable = true; + }; +} diff --git a/configuration/common/hexchen.nix b/configuration/common/hexchen.nix new file mode 100644 index 0000000..ffaeb58 --- /dev/null 
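Review bot: `security.sudo.wheelNeedsPassword = lib.mkDefault false;` together with `nix.trustedUsers = [ "root" "@wheel" ];` makes every wheel member root-equivalent with no second factor, so one leaked SSH key (users.nix in this patch puts five people in wheel) is full compromise of every host that imports this file. `mkDefault` leaves it overridable, but nothing in the patch overrides it on the servers. If password-less sudo is only needed for the deploy path, keep the NixOS default (`wheelNeedsPassword = true`) and grant the specific deploy commands via `security.sudo.extraRules`; note that a Nix trusted user can push arbitrary store paths and set `--option` flags, so `@wheel` there carries the same weight and deserves the same justification in a comment.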
+++ b/configuration/common/hexchen.nix @@ -0,0 +1,71 @@ +{config, lib, pkgs, ...}: + +{ + home-manager.users.hexchen = { + programs.direnv = { + enable = true; + enableFishIntegration = true; + enableNixDirenvIntegration = true; + }; + programs.fish = { + enable = true; + shellAliases = { + icat = "${pkgs.kitty}/bin/kitty +kitten icat"; + }; + plugins = [ + { + name = "bass"; + src = pkgs.fetchFromGitHub { + owner = "edc"; + repo = "bass"; + rev = "d63054b24c2f63aaa3a08fb9ec9d0da4c70ab922"; + sha256 = "0pwci5xxm8308nrb52s5nyxijk0svar8nqrdfvkk2y34z1cg319b"; + }; + } + ]; + }; + programs.vim = { + enable = true; + extraConfig = '' + set viminfo='20,<1000 + set mouse=a + ''; /* + set tabstop=2 + set shiftwidth=2 + set expandtab + '';*/ + }; + + programs.git = { + enable = true; + userName = "hexchen"; + userEmail = "hexchen@lilwit.ch"; + }; + + programs.bat.enable = true; + programs.jq.enable = true; + programs.tmux.enable = true; + programs.ssh = { + enable = true; + controlMaster = "auto"; + controlPersist = "10m"; + hashKnownHosts = true; + matchBlocks = let + hexchen = { + forwardAgent = true; + extraOptions = { + RemoteForward = "/run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra"; + }; + port = 62954; + }; + in { + "*.chaoswit.ch" = hexchen; + "*.copyonwit.ch" = hexchen; + "*.lilwit.ch" = hexchen; + "*.hxchn.de" = hexchen; + "*.hacc.space" = hexchen; + }; + }; + }; + +} diff --git a/configuration/common/pbb.nix b/configuration/common/pbb.nix new file mode 100644 index 0000000..4313a10 --- /dev/null +++ b/configuration/common/pbb.nix @@ -0,0 +1,13 @@ +let + pbbNixfiles = fetchGit { + url = "https://git.petabyte.dev/petabyteboy/nixfiles"; + rev = "fcfa9a150bdc0c36996db89d6cee07dd5db82373"; + }; +in { + imports = [ + "${pbbNixfiles}/modules" + ]; + nixpkgs.overlays = [ + (self: super: import "${pbbNixfiles}/pkgs" { nixpkgs = super.path; }) + ]; +} 
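Review bot: The shared `hexchen` match block sets `forwardAgent = true` and `RemoteForward`s the local gpg-agent socket to every host under five wildcard domains, including `*.hacc.space`, which users.nix in this patch configures with several password-less-sudo wheel users. Anyone with root on such a host can drive the forwarded SSH and GPG agents for as long as the session (and the `controlPersist = "10m"` master) stays open, so compromise of one shared host extends to every key both agents hold. Prefer leaving `forwardAgent` off in the match block and enabling it per session (`ssh -A`) or only for single-admin hosts; the `RemoteForward = "/run/user/1000/gnupg/S.gpg-agent ..."` line should be opt-in for the same reason.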
diff --git a/configuration/common/users.nix b/configuration/common/users.nix new file mode 100644 index 0000000..2104864 --- /dev/null +++ b/configuration/common/users.nix 
@@ -0,0 +1,66 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./hexchen.nix + ]; + + home-manager.useGlobalPkgs = true; + + users.users = { + root = { + openssh.authorizedKeys.keys = with pkgs.lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); + }; + + hexchen = { + uid = 1000; + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDNVUDKx9sukRkb6INny432+2HZBWx/qIEAOvngF1qcj hexchen@montasch" + ]; + shell = pkgs.fish; + packages = with pkgs; [ python38 go ]; + }; + + stuebinm = { + uid = 1001; + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQtJQ8fUfwsC9Q39sNpZ41RRbW91QXDLKltsYK+TLidQ5IJj2KsG/lkd433Tod6PzSvB2PcfIfnvUz7GQuS1UwXHMdLEy0/kqeYrSi6QlAxFyFBSTsUZ4d+HHwBBoXhu1Iaoch/FJNI0FhfBciIii05UyYuPj5zGgvWhnfD53Ll8HA6XVXhSK09+9GRGq57Mix5N9AkzfEF83aRUF9Qfl7Jl16rOjIgtS8hbL0kXIKUeCxZA2xi/lNHEQRriCiriPmPGOhiPcNXzbekw7IbFfE3If1CHnj7KA4KnafHAd+uHvQAce5Y4v2vMOPfGVh1cm84VTzdSPEW5V1hFjOlSnnuCQtAzkQLv8zed2NLj73GgFlcUrYKERcH84wydD0gEednNKsW8T2NzgO2eNCBf0LrcFp17qmWLv51A3jofEX5tQ3PZ7zbtR4DMUmrizrsBWDYiHJOMVeMs/9TnmIc3PL17qvVvFI7OcYxl+SPPpPtaBzxXZAMIvGFppzYxRylBcBhNvE+bXXgLFXh5cbUcwgXjvrX0y8Gv/5S4E55+i2rQMqC55+O48snoSeNlQDZV+B9setXoC93K9fBurmCX8ObnNRvvghcwUl9OBSW5K9TBdl6FF3+Z3gOCIxOMGQQKJUS5/g/eLFJ+13Y5qAPS49XJzaBiTmDrRi8x22p7sU1Q== stuebinm@in.tum.de" + ]; + }; + + octycs = { + uid = 1002; + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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 markus.amaseder@amaseder.de" + ]; + hashedPassword = "$6$qQEbD8Ejx/y$6/nkX8CmFBtAlUP/UbFKVMVlA.ZvVbjQZRABqXQjU11tKpY25ww.MCGGMEKFv.7I/UH/126/q0S3ROTqePUEc."; + }; + + zauberberg = { + uid = 1003; + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCt34ou3NYWoUayWrJa5ISzihAAhFiwolJPmm2fF9llPUUA8DP3BQRiKeqDlkDzhWLwztb+dNIUuregiFJdRN5Q2JZBKlM7Gqb1QtPhtK+xe2pyZPX2SWKIsKA6j3VAThhXsQdj3slXu3dG8FF7j+IFg/eTgpeQIFQQkMIc204ha8OP2ASYAJqgJVbXq8Xh3KkAc1HSrjYJLntryvK10wyU8p3ug370dMu3vRUn44FEyDzXFM9rfsgysQTzVgp+sXdRfMLeyvf+SUrE8hiPjzevF2nsUP0Xf/rIaK5VayChPLXJkulognINzvuVWAdwNPDLpgGwkjglF2681Ag88bLX allesmoeglicheundvielmehr@hotmail.de" + ]; + packages = with pkgs; [ makemkv ]; + }; + + schweby = { + uid = 1004; + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6JWi0MBDz0Zy4zjauQv28xYmHyapb8D4zeesq91LLE schweby@txsbcct" + ]; + hashedPassword = "$6$zkAsaVdmIduqZxez$GY9aBlYeP41F0it/VbbZzLLLRQhHAbDdFsa3e/1GS9McTuSimMHODg6HqNVEH1zSqD3afhK/0UHfqbtF5qpi90"; + packages = with pkgs; [ makemkv ]; + }; + }; +} diff --git a/configuration/desktop/default.nix b/configuration/desktop/default.nix new file mode 100644 index 0000000..7854099 --- /dev/null +++ b/configuration/desktop/default.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: + +{ + boot.plymouth.enable = true; + nixpkgs.config = { + mumble.speechdSupport = true; + allowUnfree = true; + }; +# boot.plymouth.splashBeforeUnlock = true; + users.users.hexchen = { + packages = with pkgs; [ + pulsemixer pavucontrol + firefox git kitty j4-dmenu-desktop bemenu + breeze-qt5 mako + mpv youtube-dl + wl-clipboard mumble + xdg_utils + slurp grim libnotify + _1password-gui + # gnome3.nautilus + ]; + extraGroups = [ "video" ]; + }; + home-manager.users.hexchen = { + gtk = { + enable = true; + iconTheme = { + name = "Adwaita"; + package = pkgs.gnome3.adwaita-icon-theme; + }; + theme = { + name = "Adwaita"; + package = pkgs.gnome3.adwaita-icon-theme; + }; + }; + }; + + sound.enable = true; + hardware.pulseaudio.enable = true; + networking.useDHCP = lib.mkDefault true; + hardware.opengl.enable = true; + +} 
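Review bot: `users.users.root.openssh.authorizedKeys.keys` is computed from every wheel user's keys, so each of the five wheel users can log in directly as root (common/default.nix leaves `permitRootLogin` at `prohibit-password`), which bypasses the per-user accountability that sudo's log lines give. Since the same people already have password-less sudo, the mirrored root keys add no capability, only ambiguity in the audit trail; consider dropping the `root` entry or, if it must stay for the initrd unlock in encboot.nix, add `# mirrored into root for boot.initrd.network.ssh; interactive root logins should go through sudo` so the intent is explicit. The `hashedPassword` values for `octycs` and `schweby` are committed in SHA-512-crypt form and are an offline-cracking target; the repo already ignores `secrets/`, so they belong there (e.g. via `passwordFile`) rather than in users.nix.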
diff --git a/configuration/desktop/gnome.nix b/configuration/desktop/gnome.nix new file mode 100644 index 0000000..9a71fa3 --- /dev/null +++ b/configuration/desktop/gnome.nix @@ -0,0 +1,14 @@ +{config, lib, pkgs, ...}: + +{ + services.xserver.displayManager.lightdm = { + enable = true; + }; + services.xserver = { + enable = true; +# videoDrivers = [ "nvidia" ]; + }; +# hardware.nvidia.modesetting.enable = true; + +# services.xserver.desktopManager.gnome3.enable = true; +} diff --git a/configuration/desktop/streaming.nix b/configuration/desktop/streaming.nix new file mode 100644 index 0000000..16235e0 --- /dev/null +++ b/configuration/desktop/streaming.nix @@ -0,0 +1,17 @@ +{ config, pkgs, ...}: + +{ + boot = { + extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; + kernelModules = [ "v4l2loopback" ]; + }; + + home-manager.users.hexchen = { + programs.obs-studio = { + enable = true; + plugins = with pkgs; [ + obs-wlrobs obs-v4l2sink + ]; + }; + }; +} diff --git a/configuration/desktop/sway.nix b/configuration/desktop/sway.nix new file mode 100644 index 0000000..685f730 --- /dev/null +++ b/configuration/desktop/sway.nix 
@@ -0,0 +1,43 @@ +{ config, pkgs, lib, ... }: + +{ + + fonts.fonts = with pkgs; [ font-awesome nerdfonts ]; + users.users.hexchen.packages = with pkgs; [ ]; + home-manager.users.hexchen = { + programs.waybar = { + enable = true; + + settings = [{ + modules-left = [ "sway/workspaces" "sway/mode" ]; + modules-center = [ "sway/window" ]; + modules-right = [ "pulseaudio" "network" "cpu" "memory" "temperature" "battery" "clock" "tray" ]; + + modules = { + battery = { + states = { + good = 95; + warning = 30; + critical = 15; + }; + format = "{capacity}% {icon}"; + format-charging = "{capacity}% "; + format-plugged = "{capacity}% "; + format-alt = "{time} {icon}"; + format-icons = ["" "" "" "" ""]; + }; + network = { + format-wifi = "{essid} ({signalStrength}%) "; + format-ethernet = "{ifname}: {ipaddr}/{cidr} "; + format-linked = "{ifname} (No IP) "; + format-disconnected = "Disconnected ⚠"; + format-alt = "{ifname}: {ipaddr}/{cidr}"; + }; + }; + }]; + }; + }; + + programs.sway.enable = true; + +} diff --git a/configuration/hosts/default.nix b/configuration/hosts/default.nix new file mode 100644 index 0000000..0ecdbe5 --- /dev/null +++ b/configuration/hosts/default.nix @@ -0,0 +1,23 @@ +let + hosts = { + hainich = { + ssh.host = "hainich.hacc.space"; + channel = "nixos-unstable"; + groups = [ "server" "hacc" ]; + }; + nixda = { + ssh.host = "nixda.hacc.space"; + channel = "nixos-20.09"; + groups = [ "server" "hacc" "live" ]; + }; + }; + pkgs = import {}; + evalConfig = import ; + lib = pkgs.lib; +in lib.mapAttrs (name: host: host // { + config = if (host ? config) then host.config else (evalConfig { + modules = [ + (import "${toString ./.}/${name}/configuration.nix") + ]; + }).config; +}) hosts diff --git a/configuration/hosts/hainich/configuration.nix b/configuration/hosts/hainich/configuration.nix new file mode 100644 index 0000000..46531e7 --- /dev/null +++ b/configuration/hosts/hainich/configuration.nix 
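Review bot: `pkgs = import {};` and `evalConfig = import ;` in hosts/default.nix are not valid Nix as shown; presumably `<nixpkgs>` and `<nixpkgs/nixos/lib/eval-config.nix>` were lost when the page was rendered. If so, every host is evaluated against whatever `NIX_PATH` the deployer happens to have, while the per-host `channel = "nixos-unstable"` / `"nixos-20.09"` attributes are declared but not used by this expression, so the deployed system is not reproducible from the repository alone. Pin nixpkgs explicitly the way common/default.nix already pins home-manager (`fetchGit` with a `rev`), and either consume `channel` or drop it; a comment such as `# nixpkgs comes from NIX_PATH, not from `channel` -- TODO pin` would at least make the gap visible.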
@@ -0,0 +1,103 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + ../../common + ./encboot.nix + ./hardware.nix + ./services/murmur.nix + ./services/mail.nix +# ./services/engelsystem.nix + ./services/codimd.nix + ../../common + ./wireguard.nix + ./services/nginx.nix +# ./k8s.nix + ./services/docker.nix + ./services/rocket.nix + ]; + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; + boot.supportedFilesystems = [ "zfs" ]; + + # networking + networking.hostName = "hainich"; + networking.hostId = "8a58cb2f"; + networking.useDHCP = true; + networking.interfaces.enp6s0.ipv4.addresses = [ + { + address = "46.4.63.148"; + prefixLength = 27; + } + + { + address = "46.4.63.158"; + prefixLength = 27; + } + ]; + networking.interfaces.enp6s0.ipv6.addresses = [ { + address = "2a01:4f8:140:84c9::1"; + prefixLength = 64; + } ]; + networking.defaultGateway = "46.4.63.129"; + networking.nameservers = [ + "1.1.1.1" "1.0.0.1" + "2606:4700:4700::1111" "2606:4700:4700::1001" + ]; +# networking.defaultGateway6 = { +# address = "fe80::1"; +# interface = "enp6s0"; +# }; + + networking.nat.enable = true; + networking.nat.internalInterfaces = ["ve-+"]; + networking.nat.externalInterface = "enp6s0"; + + + networking.firewall.allowedTCPPorts = [ 22 80 443 ]; + # networking.firewall.allowedUDPPorts = [ ... 
]; + # networking.firewall.enable = false; + + # misc + time.timeZone = "UTC"; + + environment.systemPackages = with pkgs; [ + wget vim git + ]; + + services.openssh.enable = true; + services.openssh.ports = [ 22 62954 ]; + + users.users.root = { + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDNVUDKx9sukRkb6INny432+2HZBWx/qIEAOvngF1qcj hexchen@montasch" + "ssh-rsa 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 schweby@taxusbaccata" + ]; + initialHashedPassword = "$6$F316njEF2$GMF4OmPSF6QgZ3P/DblQ/UFMgoo98bztbdw7X0ygvBGC1UMMIc13Vtxjd/ZGRYW/pEHACZZ7sbRZ48t6xhvO7/"; +# shell = pkgs.fish; + }; + + # storage stuffs! + services.zfs = { + autoSnapshot = { + enable = true; + }; + autoScrub = { + enable = true; + }; + }; + + services.journald.extraConfig = '' + MaxFileSec=6h + MaxRetentionSec=72h + ''; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "20.03"; # Did you read the comment? +} diff --git a/configuration/hosts/hainich/encboot.nix b/configuration/hosts/hainich/encboot.nix new file mode 100644 index 0000000..505ebfb --- /dev/null +++ b/configuration/hosts/hainich/encboot.nix 
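Review bot: `initialHashedPassword` for root in the `users.users.root` block is committed in the clear; it is only applied when the user is first created, so editing this file cannot rotate it, and the published hash is an offline-cracking target for console and rescue-system logins. Treat the password as compromised, rotate it, and load the hash from the `secrets/` path that .gitignore already excludes (e.g. `users.users.root.passwordFile = "/run/keys/root-password";`). Separately, `services.openssh.ports = [ 22 62954 ];` reintroduces the default port that common/default.nix deliberately moved away from, and `../../common` is imported twice; the duplicate is harmless in the module system but should be removed, and the port-22 listener should carry a comment saying why it is needed on this host.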
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+{
+ boot.initrd.kernelModules = [ "r8169" ]; # add network card driver
+ boot.kernelParams = ["ip=:::::enp6s0:dhcp"]; # enable dhcp on primary network interface
+ boot.initrd.network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 2222;
+ # TODO: Modify system config so that this works
+# authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
+ authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
+ hostKeys = [ /run/keys/ecdsa_host ];
+ };
+ # TODO: curl some webhook here to alert?
+ # possibly quite hard to do, we only have limited wget or netcat available
+ # how this all works:
+ # when someone logs in via ssh, they are prompted to unlock the zfs volume
+ # afterwards zfs is killed in order for the boot to progress
+ # timeout of 120s still applies afaik
+ postCommands = ''
+ zpool import zroot
+ zpool import dpool
+ echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
+ '';
+ };
+}
diff --git a/configuration/hosts/hainich/hardware.nix b/configuration/hosts/hainich/hardware.nix
new file mode 100644
index 0000000..c2c9088
--- /dev/null
+++ b/configuration/hosts/hainich/hardware.nix
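Review bot: `hostKeys = [ /run/keys/ecdsa_host ];` is read at build time, so the key is embedded in the initrd image, which by necessity sits on the unencrypted ext2 `/boot` from hardware.nix (and, unless initrd secrets are used, in the world-readable Nix store); anyone who can read the disk can therefore impersonate the port-2222 unlock prompt and capture the ZFS passphrase typed into `zfs load-key -a`. That is an inherent limit of remote unlock, but the comment block should say so, e.g. `# NOTE: the initrd host key is stored unencrypted in /boot; pin it on the client side and never reuse it as the real sshd host key.` The appended `.profile` line `zfs load-key -a; killall zfs && exit` also kills the waiting `zfs` even when `load-key` fails (wrong passphrase), so boot presumably proceeds without the keys instead of letting the admin retry; `zfs load-key -a && killall zfs; exit` keeps the prompt alive on failure.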
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+{
+ boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "sd_mod" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "zroot/root/nixos";
+ fsType = "zfs";
+ };
+
+ fileSystems."/nix" =
+ { device = "zroot/root/nixos/nix";
+ fsType = "zfs";
+ };
+
+ fileSystems."/home" =
+ { device = "dpool/home";
+ fsType = "zfs";
+ };
+
+ fileSystems."/var/lib/containers" =
+ { device = "dpool/containers";
+ fsType = "zfs";
+ };
+
+ fileSystems."/data" =
+ { device = "dpool/data";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/40125f55-7fe8-4850-902e-b4d6e22f0335";
+ fsType = "ext2";
+ };
+
+ swapDevices = [ ];
+
+ nix.maxJobs = lib.mkDefault 12;
+ powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
diff --git a/configuration/hosts/hainich/k8s.nix b/configuration/hosts/hainich/k8s.nix
new file mode 100644
index 0000000..025770b
--- /dev/null
+++ b/configuration/hosts/hainich/k8s.nix
@@ -0,0 +1,125 @@ +{ config, pkgs, ... }: +{ + services.etcd = { + advertiseClientUrls = [ + "https://[2a0d:eb04:8:10::1]:2379" + ]; + listenClientUrls = [ + "https://[2a0d:eb04:8:10::1]:2379" + ]; + listenPeerUrls = [ + "https://[::1]:2380" + ]; + }; + services.kubernetes = { + roles = [ "master" "node" ]; + flannel.enable = false; + addons.dns = { + enable = true; + clusterIp = "2a0d:eb04:8:11::53"; + reconcileMode = "EnsureExists"; + }; + pki.cfsslAPIExtraSANs = [ "hainich.hacc.space" ]; + apiserver = { + advertiseAddress = "2a0d:eb04:8:10::1"; + extraSANs = [ + "2a0d:eb04:8:10::1" "2a0d:eb04:8:11::1" "hainich.hacc.space" + ]; + bindAddress = "::"; + insecureBindAddress = "::1"; + etcd = { + servers = [ "https://[2a0d:eb04:8:10::1]:2379" ]; + }; + serviceClusterIpRange = "2a0d:eb04:8:11::/120"; + extraOpts = "--allow-privileged=true"; + }; + controllerManager = { + bindAddress = "::"; + clusterCidr = "2a0d:eb04:8:12::/64"; + }; + kubelet = { + address = "::"; + clusterDns = "2a0d:eb04:8:11::53"; + }; + proxy = { + bindAddress = "::"; + }; + scheduler = { + address = "::1" ; + }; + apiserverAddress = "https://[2a0d:eb04:8:10::1]:6443"; + clusterCidr = "2a0d:eb04:8:12::/64"; + easyCerts = true; + masterAddress = "hainich.hacc.space"; + }; + + networking.firewall = { + allowedTCPPorts = [ 80 443 6443 ]; + trustedInterfaces = [ + "cbr0" "tunnat64" + ]; + extraCommands = '' + iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158 + iptables -A FORWARD -i tunnat64 -j ACCEPT + + iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80 + iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443 + iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443 + + ip6tables -A FORWARD -i tunnat64 -j ACCEPT + ip6tables -A INPUT -i tunnat64 -j ACCEPT + ''; + extraStopCommands = '' + iptables -t nat -D POSTROUTING -o enp6s0 -j 
SNAT --to 46.4.63.158 + iptables -D FORWARD -i tunnat64 -j ACCEPT + + iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80 + iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443 + iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443 + + ip6tables -A FORWARD -i tunnat64 -j ACCEPT + ip6tables -A INPUT -i tunnat64 -j ACCEPT + ''; + }; + + systemd.services.tayga = (let + config = pkgs.writeText "tayga.conf" '' + tun-device tunnat64 + ipv4-addr 10.255.255.254 + prefix 2a0d:eb04:8:10:64::/96 + dynamic-pool 10.255.255.0/24 + map 10.255.255.1 2a0d:eb04:8:10::1 + map 10.255.255.2 2a0d:eb04:8:11::2 + strict-frag-hdr 1 + ''; + startScript = pkgs.writeScriptBin "tayga-start" '' + #! ${pkgs.runtimeShell} -e + ${pkgs.iproute}/bin/ip link set up tunnat64 || true + ${pkgs.iproute}/bin/ip route add 10.255.255.0/24 dev tunnat64 || true + ${pkgs.iproute}/bin/ip -6 route add 2a0d:eb04:8:10:64::/96 dev tunnat64 || true + ${pkgs.tayga}/bin/tayga -d --config ${config} + ''; + in { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + ExecStart = ''${startScript}/bin/tayga-start''; + }; + }); + + networking.interfaces.cbr0.ipv6.routes = [{ + address = "2a0d:eb04:8:10::"; + prefixLength = 60; + }]; + + networking.interfaces.tunnat64 = { + virtual = true; + }; + + # openebs expects some stuff to be there. + system.activationScripts.openebs = '' + mkdir -p /usr/lib /usr/sbin + ln -sf ${pkgs.zfs.lib}/lib/* /usr/lib/ + ln -sf ${pkgs.zfs}/bin/zfs /usr/sbin/ + ''; +} diff --git a/configuration/hosts/hainich/services/codimd.nix b/configuration/hosts/hainich/services/codimd.nix new file mode 100644 index 0000000..0b33e2d --- /dev/null +++ b/configuration/hosts/hainich/services/codimd.nix 
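Review bot: `extraStopCommands` re-adds the two `ip6tables -A FORWARD -i tunnat64 -j ACCEPT` / `ip6tables -A INPUT -i tunnat64 -j ACCEPT` rules instead of deleting them, so every firewall stop or reload accumulates duplicate accept rules and the stop path never actually withdraws access for the NAT64 interface; they should read `ip6tables -D FORWARD -i tunnat64 -j ACCEPT` and `ip6tables -D INPUT -i tunnat64 -j ACCEPT`, mirroring the IPv4 lines above them. The file is not imported by hainich/configuration.nix in this commit (`# ./k8s.nix`), so the defect is latent. When it is enabled, `trustedInterfaces = [ "cbr0" "tunnat64" ]` plus the blanket accept on `tunnat64` and the public DNAT of 80/443/6443 into the NAT64 pool decide what is reachable from the internet, and `--allow-privileged=true` / `insecureBindAddress = "::1"` widen the API surface further; each of these deserves a one-line comment stating the intended exposure.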
@@ -0,0 +1,79 @@ +{ config, lib, pkgs, ... }: + +{ + containers.codimd = { + privateNetwork = true; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.3"; + autoStart = true; + config = { config, lib, pkgs, ... }: { + networking.firewall.allowedTCPPorts = [ 3000 ]; + services.coredns = { + enable = true; + config = '' + .:53 { + forward . 1.1.1.1 + } + ''; + }; + services.codimd = { + enable = true; + configuration = { + allowAnonymous = true; + allowFreeURL = true; + allowGravatar = false; + allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ]; + dbURL = "postgres://codimd:codimd@localhost:5432/codimd"; + defaultPermission = "limited"; + domain = "pad.hacc.space"; + host = "0.0.0.0"; + protocolUseSSL = true; + hsts.preload = false; + email = false; + oauth2 = { + authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth"; + tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token"; + clientID = "codimd"; + clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62"; + }; + }; + }; + systemd.services.codimd.environment = { + "CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo"; + "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name"; + "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name"; + "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email"; + "CMD_OAUTH2_PROVIDERNAME" = "Infra4Future"; + }; + services.postgresql = { + enable = true; + ensureDatabases = [ "codimd" ]; + ensureUsers = [{ + name = "codimd"; + ensurePermissions = { + "DATABASE codimd" = "ALL PRIVILEGES"; + }; + }]; + }; + }; + }; + + services.nginx.virtualHosts."pad.hacc.space" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://192.168.100.3:3000"; + extraConfig = '' + proxy_pass_request_headers on; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + proxy_buffering off; + ''; + }; + }; +} diff --git a/configuration/hosts/hainich/services/docker.nix b/configuration/hosts/hainich/services/docker.nix new file mode 100644 index 0000000..5bc2aa0 --- /dev/null +++ b/configuration/hosts/hainich/services/docker.nix @@ -0,0 +1,34 @@ +{ config, lib, pkgs, ... }: + +{ + # disable nftables since it breaks shit + petabyte.nftables.enable = false; + virtualisation.oci-containers.containers."ghost-waszumfff" = { + autoStart = true; + environment = { + url = "https://waszumfff.4future.dev"; + }; + image = "ghost:alpine"; + ports = [ "127.0.0.1:2368:2368" ]; + volumes = [ "/run/florinori:/var/lib/ghost/content" ]; + }; + + fileSystems."/run/florinori" = + { device = "dpool/k8s/florinori"; + fsType = "zfs"; + }; + + services.nginx.virtualHosts."waszumfff.4future.dev" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:2368"; + extraConfig = " + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + "; + }; + }; +} diff --git a/configuration/hosts/hainich/services/engelsystem.nix b/configuration/hosts/hainich/services/engelsystem.nix new file mode 100644 index 0000000..7190bf4 --- /dev/null +++ b/configuration/hosts/hainich/services/engelsystem.nix 
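Review bot: `clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";` commits the OIDC client secret to the repository and, since the NixOS module renders `services.codimd.configuration` into the Nix store, presumably also exposes it in a world-readable path on the host; the same applies to the `codimd:codimd` credential embedded in `dbURL`. Treat the secret as compromised, rotate it at auth.infra4future.de, and supply it at runtime instead, e.g. `systemd.services.codimd.serviceConfig.EnvironmentFile = "/run/keys/codimd.env";` carrying `CMD_OAUTH2_CLIENT_SECRET`, the same env-var mechanism this hunk already uses for the other `CMD_OAUTH2_*` settings, with the file kept under the ignored `secrets/` directory. `allowOrigin` also lists `localhost`, which looks like a development leftover and should be dropped for the production domain.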
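Review bot: `image = "ghost:alpine";` is a floating tag with no digest, so the `autoStart` container runs whatever the registry serves under that name at the time of each fresh pull, a supply-chain and reproducibility gap on a service published at waszumfff.4future.dev; pin it to a digest (`ghost:<version>-alpine@sha256:…`) or build it with `dockerTools` so the Nix expression fixes the content. The `petabyte.nftables.enable = false;` line with `# disable nftables since it breaks shit` turns off, for the whole host, the firewall module that common/default.nix enables host-wide; the comment should say what replaces it (presumably `networking.firewall`) and confirm that the `127.0.0.1:2368:2368` port binding is then the only thing keeping Ghost off the public interface.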
@@ -0,0 +1,93 @@ +{ config, lib, pkgs, ... }: + +# TODO: Make this confix nix-y, so it doesn't require a metric shitton of +# manual intervention to install +{ + containers.engelsystem = { + config = { pkgs, lib, config, ... }: + let + app = "engelsystem"; + domain = "himmel.hacc.earth"; + dataDir = "/srv/http/${domain}/public"; + engelport-py-pack = python-packages: with pkgs.python38Packages; [ + mysqlclient + ]; + engelport-py = pkgs.python38.withPackages engelport-py-pack; + in { + networking.firewall.enable = false; + networking.nameservers = ["1.1.1.1" "1.0.0.1"]; + networking.hosts."192.168.100.1" = [ "mail.hacc.space" ]; + services.phpfpm.pools.${app} = { + user = app; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + "php_admin_value[error_log]" = "stderr"; + "php_admin_flag[log_errors]" = true; + "catch_workers_output" = true; + }; + phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; + }; + services.nginx = { + enable = true; + virtualHosts.${domain}.locations = { + "/" = { + extraConfig = "rewrite ^ /index.php;"; + }; + "/assets" = { + root = dataDir; + }; + "/index.php" = { + root = dataDir; + extraConfig = '' + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_split_path_info ^(.+\.php)(\\/.*)$; + try_files $fastcgi_script_name =404; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_pass unix:${config.services.phpfpm.pools.${app}.socket}; + fastcgi_intercept_errors on; + ''; + }; + }; + }; + users.users.${app} = { + isSystemUser = true; + createHome = true; + home = dataDir; + group = app; + }; + users.groups.${app} = {}; + + services.mysql = { + enable = true; + ensureDatabases = [ "engelsystem" ]; + ensureUsers = [{ + name = "engelsystem"; + ensurePermissions."engelsystem.*" = "ALL PRIVILEGES"; + }]; + package = pkgs.mariadb; + }; + + environment.systemPackages = [ + pkgs.php 
pkgs.php74Packages.composer pkgs.yarn engelport-py + ]; + }; + privateNetwork = true; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.2"; + autoStart = true; + }; + services.nginx.virtualHosts."himmel.hacc.earth" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://192.168.100.2"; + extraConfig = "add_header Host himmel.hacc.earth;"; + }; + }; +} diff --git a/configuration/hosts/hainich/services/mail.nix b/configuration/hosts/hainich/services/mail.nix new file mode 100644 index 0000000..ac061d8 --- /dev/null +++ b/configuration/hosts/hainich/services/mail.nix 
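Review bot: `extraConfig = "add_header Host himmel.hacc.earth;";` in the outer proxy location sets a response header, not the upstream request header, so the container's nginx receives whatever `Host` the client sent rather than `himmel.hacc.earth`; the intent is `proxy_set_header Host himmel.hacc.earth;` (or `$host`). Inside the container `networking.firewall.enable = false;` is set without explanation, and the header TODO admits the install is manual; at minimum add `# no firewall: only reachable from the host over the 192.168.100.0/24 veth` so the assumption is recorded, and ideally keep the default firewall with port 80 allowed. The file is not imported by hainich/configuration.nix in this commit (`# ./services/engelsystem.nix`), so these are latent until it is enabled.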
@@ -0,0 +1,170 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports = let commit = "02a45d9965133434c7b816cab2f47c8a7505e764"; in [
+ (builtins.fetchTarball {
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${commit}/nixos-mailserver-${commit}.tar.gz";
+ sha256 = "04v66z0ijjm8bqpiqmq1aqrqj6r6jjz591lgijmk4frz7lksnz8k";
+ })
+ ];
+
+ mailserver = {
+ mailDirectory = "/data/mail";
+ enable = true;
+ fqdn = "mail.hacc.space";
+ domains = [ "hacc.space" "hacc.earth" "4future.dev" "4futu.re" ];
+
+ loginAccounts = {
+ "hexchen@hacc.space" = {
+ hashedPassword = "$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/";
+
+ aliases = [
+ "postmaster@hacc.space"
+ "abuse@hacc.space"
+ ];
+ };
+
+ "octycs@hacc.space" = {
+ hashedPassword = "$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg.";
+
+ aliases = [
+ "markus@hacc.space"
+ ];
+ };
+
+ "raphael@hacc.space" = {
+ hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/";
+ };
+
+ "engelsystem@hacc.space" = {
+ hashedPassword = "$6$5cIAEhJ7af7M$eJBPQc3ONd.N3HKPFpxfG7liZbUXPvWuSpWVgeG7rmsG7f7.Zdxtodvt5VaXoA3AEiv3GqcY.gKHISK/Gg0ib/";
+ };
+
+ "schweby@hacc.space" = {
+ hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1";
+ };
+
+ "zauberberg@hacc.space" = {
+ hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
+ aliases = [
+ "lukas@hacc.space"
+ ];
+ };
+
+ "talx@hacc.space" = {
+ hashedPassword = "$6$0hIKRoMJS./JSE$tXizRgphhNM3ZYx216VdRv1OiyZoYXsjGqSudTDu8vB8eZb03Axi31VKV87RXiEGGixdvTsHEKpx032aOzzt31";
+ };
+
+ "unms@hacc.space" = {
+ hashedPassword = "$6$pYlNP37913$sGE3L722ceP.1Qm5lsffYUN919hPP1xRTrzco3ic3Op21iiknBkOY04eY2l3Um/Bpk/yV89aJD0eaB/5RCbWR1";
+ };
+
+ "noreply@hacc.space" = {
+ 
hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
+ };
+ "stuebinm@hacc.space" = {
+ hashedPassword = "$6$jNfYD91wf/$YvJqo0QLzbnHcKigzAYgsE1gCc/07DUbKuNwAYBCKpQeqhBlUWjijXBuMH9wl7xH/i5HwOIyYhg6zuvejlfDN.";
+ };
+ };
+
+ extraVirtualAliases = {
+ # address = forward address;
+ "info@hacc.space" = [
+ "hexchen@hacc.space"
+ "octycs@hacc.space"
+ "raphael@hacc.space"
+ "schweby@hacc.space"
+ "zauberberg@hacc.space"
+ "stuebinm@hacc.space"
+ ];
+ "himmel@hacc.space" = [
+ "hexchen@hacc.space"
+ "schweby@hacc.space"
+ "zauberberg@hacc.space"
+ ];
+ "admin@hacc.space" = [
+ "hexchen@hacc.space"
+ "schweby@hacc.space"
+ ];
+ };
+
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = 3;
+
+ # Enable IMAP and POP3
+ enableImap = true;
+ enablePop3 = true;
+ enableImapSsl = true;
+ enablePop3Ssl = true;
+
+ # Enable the ManageSieve protocol
+ enableManageSieve = true;
+
+ # whether to scan inbound emails for viruses (note that this requires at least
+ # 1 Gb RAM for the server. 
Without virus scanning 256 MB RAM should be plenty)
+ virusScanning = false;
+ };
+ services.postfix.submissionOptions.smtpd_sender_restrictions = "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
+ services.postfix.virtual = ''@4future.dev @hacc.space
+@4futu.re @hacc.space
+@hacc.earth @hacc.space
+contact@hacc.space info@hacc.space'';
+
+ #mailman
+ services.postfix = {
+ relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
+ config = {
+ transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
+ local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
+ inet_protocols = "ipv4, ipv6";
+ };
+ };
+
+ services.mailman = {
+ enable = true;
+ siteOwner = "admin@hacc.space";
+ webUser = config.services.uwsgi.user;
+ hyperkitty.enable = true;
+ # Have mailman talk directly to hyperkitty, bypassing nginx:
+ hyperkitty.baseUrl = "http://localhost:33141/hyperkitty/";
+ webHosts = [ "lists.hacc.space" ];
+ };
+
+ systemd.services.uwsgi.restartTriggers = [
+ config.environment.etc."mailman3/settings.py".source
+ ];
+
+ systemd.services.mailman-settings.script = ''
+ chmod o+x /var/lib/mailman-web
+ '';
+
+ services.uwsgi = {
+ enable = true;
+ plugins = ["python3"];
+ instance = {
+ type = "normal";
+ # uwsgi protocol socket for nginx
+ socket = "127.0.0.1:33140";
+ pythonPackages = self: with self; [ mailman-web ];
+ # http socket for mailman core to reach the hyperkitty API directly
+ http-socket = "127.0.0.1:33141";
+ wsgi-file = "${pkgs.python3.pkgs.mailman-web}/lib/python3.8/site-packages/mailman_web/wsgi.py";
+ chdir = "/var/lib/mailman-web";
+ master = true;
+ processes = 4;
+ vacuum = true;
+ };
+ };
+
+ services.nginx.virtualHosts."lists.hacc.space" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/static/".alias = "/var/lib/mailman-web-static/";
+ locations."/".extraConfig = ''
+ uwsgi_pass 127.0.0.1:33140;
+ include ${config.services.nginx.package}/conf/uwsgi_params;
+ '';
+ };
+
+}
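Review bot: Every entry in `loginAccounts` commits the account's SHA-512-crypt `hashedPassword` to the repository, so anyone with read access to the history can run offline guessing against them, and once pushed the hashes cannot be rotated out of git history. nixos-mailserver accepts `hashedPasswordFile` per account; pointing each entry at a root-only file on the host (`hashedPasswordFile = "/var/secrets/mail/<account>";` — placeholder path) keeps the hash out of the evaluated config and the repo, and the accounts listed here should get a password reset regardless. The comment `# address = forward address;` above `extraVirtualAliases` is easy to misread; `# alias address = accounts that receive mail sent to it` says what the attrset actually maps.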
diff --git a/configuration/hosts/hainich/services/murmur.nix b/configuration/hosts/hainich/services/murmur.nix
new file mode 100644
index 0000000..a1230f8
--- /dev/null
+++ b/configuration/hosts/hainich/services/murmur.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.murmur = {
+ enable = false;
+ logDays = -1;
+ welcometext = "Welcome to mumble4future! Brought to you by infra4future";
+ sslKey = "/var/lib/acme/mumble.hacc.space/key.pem";
+ sslCert = "/var/lib/acme/mumble.hacc.space/fullchain.pem";
+ };
+
+ networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
+ networking.firewall.allowedUDPPorts = [ config.services.murmur.port ];
+
+ services.nginx.virtualHosts."mumble.hacc.space" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "https://stuebinm.4future.dev/mumble.infra4future.de/";
+ };
+ };
+ # set ACLs so that the murmur user can read the certificates
+ security.acme.certs."mumble.hacc.space".postRun = "setfacl -Rm u:murmur:rX /var/lib/acme/mumble.hacc.space";
+}
diff --git a/configuration/hosts/hainich/services/nginx.nix b/configuration/hosts/hainich/services/nginx.nix
new file mode 100644
index 0000000..e2f40d9
--- /dev/null
+++ b/configuration/hosts/hainich/services/nginx.nix
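Review bot: `services.murmur.enable = false;` but the two `networking.firewall.allowed*Ports` lines and the ACME `postRun` setfacl are applied unconditionally, so the host opens `config.services.murmur.port` on TCP and UDP with nothing listening and tries to grant an ACL to a `murmur` user that presumably is not created while the service is disabled (which would make the certificate's post-run step fail). Gate all three on the service, e.g. `networking.firewall.allowedTCPPorts = lib.mkIf config.services.murmur.enable [ config.services.murmur.port ];` with the same `mkIf` on the UDP list and the `postRun`, so re-enabling murmur later turns the whole set on together. A short comment explaining why `mumble.hacc.space` meanwhile proxies to an external host would also help the next reader.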
@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+
+{
+ security.acme.acceptTerms = true;
+ security.acme.email = "info+acme@hacc.space";
+ services.nginx.enable = true;
+ services.nginx.package = pkgs.nginx.override {
+ modules = [ pkgs.nginxModules.rtmp ];
+ };
+ services.nginx.virtualHosts = {
+ "hainich.chaoswit.ch" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ "hainich.hacc.space" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/" = {
+ return = "404";
+ };
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 1935 ];
+ services.nginx.appendConfig = ''
+ rtmp {
+ server {
+ listen 1935;
+ application cutiestream {
+ live on;
+ allow publish all;
+ allow play all;
+ }
+ application ingest {
+ live on;
+
+ record all;
+ record_path /data/ingest;
+ record_unique on;
+
+ include /var/secrets/ingest.conf;
+ }
+ }
+ }
+ '';
+
+ systemd.services.nginx.serviceConfig.ReadWriteDirectories = "/data/ingest /var/secrets";
+}
diff --git a/configuration/hosts/hainich/services/rocket.nix b/configuration/hosts/hainich/services/rocket.nix
new file mode 100644
index 0000000..aa84603
--- /dev/null
+++ b/configuration/hosts/hainich/services/rocket.nix
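Review bot: The `cutiestream` RTMP application has `allow publish all;` while the firewall opens 1935 to the world, so an unauthenticated party can replace or hijack the live stream that every viewer of that name then sees; the `ingest` application at least takes its access rules from `/var/secrets/ingest.conf`. Restrict publishing the same way (an `allow publish <addr>;` / `deny publish all;` pair, or an `on_publish` callback that checks a key) and keep `allow play all;` only where public viewing is intended. `ReadWriteDirectories` is the legacy spelling of `ReadWritePaths`, and nginx only needs to read `/var/secrets`, so `serviceConfig.ReadWritePaths = "/data/ingest"; serviceConfig.ReadOnlyPaths = "/var/secrets";` is the tighter form; `record all` into `/data/ingest` with no retention or size bound also deserves a comment on who prunes it.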
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.mongodb = {
+ enable = true;
+ extraConfig = ''
+ replication:
+ replSetName: "rs01"
+ '';
+ };
+ virtualisation.oci-containers.containers."rocketchat" = {
+ autoStart = true;
+ environment = {
+ ROOT_URL = "https://chat.uref.hacc.media";
+ MONGO_URL = "mongodb://localhost:27017/rocketchat";
+ MONGO_OPLOG_URL = "mongodb://localhost:27017/local";
+ Accounts_UseDNSDomainCheck = "false";
+ };
+ image = "rocketchat/rocket.chat:3.1.1";
+ extraOptions = [ "--network=host" ];
+ };
+ services.nginx.virtualHosts."chat.uref.hacc.media" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ extraConfig = "
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ ";
+ };
+ };
+}
diff --git a/configuration/hosts/hainich/wireguard.nix b/configuration/hosts/hainich/wireguard.nix
new file mode 100644
index 0000000..d8422d9
--- /dev/null
+++ b/configuration/hosts/hainich/wireguard.nix
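Review bot: `image = "rocketchat/rocket.chat:3.1.1"` pins a mutable tag rather than a digest, and with `--network=host` the container shares the host's loopback, so the mongod from `services.mongodb` is reachable without credentials (`MONGO_URL` carries none) by every local process, not just Rocket.Chat. Pin the image by digest (`rocketchat/rocket.chat@sha256:<digest>` — placeholder) and consider `services.mongodb.enableAuth = true;` with a dedicated user for the `rocketchat` database, or at minimum a comment recording that unauthenticated local access is accepted and why host networking is required. The `extraConfig` here is a double-quoted Nix string, so `$remote_addr` and friends survive only because no `${` follows them; the `''` form used in the other hunks of this commit avoids that trap.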
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+{
+ systemd.services.wireguard-upstream = {
+ wants = [ "wg-upstream-key.service" ];
+ after = [ "wg-upstream-key.service" ];
+ };
+ networking.wireguard.interfaces.upstream = {
+ ips = [ "2a0d:eb04:8:ffff:2::2/128" ];
+ generatePrivateKeyFile = true;
+ privateKeyFile = "/etc/wireguard/upstream.key";
+ listenPort = 51820;
+ peers = [
+ {
+ allowedIPs = [ "::/0" ];
+ endpoint = "103.105.50.220:51823";
+ publicKey = "qL5xKnQ7xLbtTvu0VmLBwHExteJBhmCe5S/0ZoXBeXY=";
+ }
+ ];
+ postSetup = ''
+ ${pkgs.iproute}/bin/ip addr del dev upstream 2a0d:eb04:8:ffff:2::2/128
+ ${pkgs.iproute}/bin/ip addr add dev upstream 2a0d:eb04:8:ffff:2::2/128 peer 2a0d:eb04:8:ffff:2::1/128
+ '';
+ };
+ networking.interfaces.lo.ipv6 = {
+ addresses = [{
+ address = "2a0d:eb04:8:10::1";
+ prefixLength = 128;
+ }];
+ };
+ networking.defaultGateway6 = {
+ address = "2a0d:eb04:8:ffff:2::1";
+ interface = "upstream";
+ };
+}
diff --git a/configuration/hosts/nixda/configuration.nix b/configuration/hosts/nixda/configuration.nix
new file mode 100644
index 0000000..3abcc0b
--- /dev/null
+++ b/configuration/hosts/nixda/configuration.nix
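Review bot: The `postSetup` block deletes the interface's own /128 and re-adds it with an explicit `peer`, but nothing says why, so a later reader will take the `ips` entry and the re-add as redundant and drop one of them. A comment above `postSetup` such as `# re-add the /128 with an explicit peer so the default route via 2a0d:eb04:8:ffff:2::1 resolves; networking.wireguard has no option for the peer address` (wording to be confirmed against the failure actually observed) would preserve the intent. `allowedIPs = [ "::/0" ]` together with `networking.defaultGateway6` makes this tunnel the host's entire IPv6 path, and the `systemd.services.wireguard-upstream` ordering on `wg-upstream-key.service` exists because of `generatePrivateKeyFile = true`; both are worth one line each.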
@@ -0,0 +1,47 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-config.nix
+ ../../common
+ ../../desktop
+ ../../desktop/streaming.nix
+ ../../desktop/sway.nix
+ ../../desktop/gnome.nix
+ ];
+
+ boot.loader.grub ={
+ enable = true;
+ version = 2;
+ efiSupport = true;
+ device = "nodev";
+ };
+ boot.loader.efi = {
+ canTouchEfiVariables = true;
+ efiSysMountPoint = "/boot";
+ };
+
+# hardware.decklink.enable = true;
+
+ networking.hostName = "nixda"; # Define your hostname.
+
+ boot.kernelModules = [ "blackmagic" "blackmagic-io" "snd_blackmagic-io" ];
+ boot.extraModulePackages = [ config.boot.kernelPackages.decklink ];
+ systemd.services."DecklinkVideoHelper" = {
+ after = [ "syslog.target" "local-fs.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.ExecStart = "${pkgs.blackmagicDesktopVideo}/bin/DesktopVideoHelper -n";
+ };
+
+ environment.systemPackages = with pkgs; [ blackmagicDesktopVideo ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "20.09"; # Did you read the comment?
+
+}
diff --git a/configuration/hosts/nixda/hardware-config.nix b/configuration/hosts/nixda/hardware-config.nix
new file mode 100644
index 0000000..e019cc1
--- /dev/null
+++ b/configuration/hosts/nixda/hardware-config.nix
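Review bot: `systemd.services."DecklinkVideoHelper"` orders itself after `syslog.target`, which current systemd no longer provides, so that dependency is a no-op, and `local-fs.target` is already implied for a service with default dependencies; the unit also has no `description` and no restart policy, so a crashed helper stays down silently. Dropping the `after` line and adding `description = "Blackmagic DesktopVideo helper daemon";` plus `serviceConfig.Restart = "on-failure";` states the intent and covers the common failure. The commented-out `# hardware.decklink.enable = true;` and the `boot.loader.grub ={` spacing are leftovers worth cleaning up, and a comment on why the three `blackmagic*` modules are loaded by hand instead of via that option would help the next person.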
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/dfbfee26-c2c0-4c0c-b145-6362c7650ac9";
+ fsType = "btrfs";
+ options = [ "subvol=@nix" ];
+ };
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/dfbfee26-c2c0-4c0c-b145-6362c7650ac9";
+ fsType = "btrfs";
+ options = [ "subvol=@home" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/A358-97BC";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+}
diff --git a/default.nix b/default.nix
new file mode 100644
index 0000000..e85a023
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,4 @@
+{
+ inherit (import ./lib/deploy.nix) deploy;
+ pkgs = import ./pkgs;
+}
diff --git a/lib/deploy.nix b/lib/deploy.nix
new file mode 100644
index 0000000..09d4350
--- /dev/null
+++ b/lib/deploy.nix
@@ -0,0 +1,76 @@
+let
+ pkgs = import {};
+ lib = pkgs.lib;
+
+ hosts = import ../configuration/hosts;
+ nixosHosts = lib.filterAttrs (name: host: host ? ssh) hosts;
+
+ allGroups = lib.unique (
+ lib.flatten (
+ lib.mapAttrsToList (
+ name: host: host.groups
+ ) hosts
+ )
+ );
+
+ hostsInGroup = group:
+ lib.filterAttrs (
+ k: v: builtins.elem group v.groups
+ ) hosts;
+
+ hostsInAllGroups = lib.listToAttrs (
+ map (
+ group: lib.nameValuePair group (
+ lib.attrNames (hostsInGroup group)
+ )
+ ) allGroups );
+
+ mkDeploy = hostnames: pkgs.writeScript "deploy-${lib.concatStringsSep "-" hostnames}" ''
+ #!${pkgs.stdenv.shell}
+ set -e -o pipefail
+ export PATH=/run/wrappers/bin/:${with pkgs; lib.makeBinPath [
+ coreutils
+ openssh
+ nix
+ gnutar
+ findutils
+ nettools
+ gzip
+ git
+ ]}
+
+ MODE=$1
+ shift || true
+ ARGS=$@
+
+ [ "$MODE" == "" ] && MODE="switch"
+
+ ${lib.concatMapStrings (hostname: let
+ hostAttrs = nixosHosts.${hostname};
+ nixosSystem = (import {
+ modules = [
+ "${toString ../configuration}/hosts/${hostname}/configuration.nix"
+ ];
+ system = if hostAttrs ? system then hostAttrs.system else "x86_64-linux";
+ }).config.system.build.toplevel;
+ in ''
+ (
+ echo "deploying ${hostname}..."
+ nix copy --no-check-sigs --to ssh://${hostAttrs.ssh.host} ${nixosSystem}
+ ssh $NIX_SSHOPTS ${hostAttrs.ssh.host} "sudo nix-env -p /nix/var/nix/profiles/system -i ${nixosSystem}"
+ ssh $NIX_SSHOPTS ${hostAttrs.ssh.host} "sudo /nix/var/nix/profiles/system/bin/switch-to-configuration $MODE $ARGS"
+ ) &
+ PID_LIST+=" $!"
+ '') hostnames}
+
+ echo "deploys started, waiting for them to finish..."
+
+ trap "kill $PID_LIST" SIGINT
+ wait $PID_LIST
+ '';
+
+in {
+ deploy = (lib.mapAttrs (hostname: hostAttrs: mkDeploy [ hostname ]) nixosHosts)
+ // (lib.mapAttrs (group: hosts: mkDeploy hosts) hostsInAllGroups)
+ // { all = mkDeploy (lib.attrNames nixosHosts); };
+}
diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 0000000..fca5958
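Review bot: `wait $PID_LIST` with several PIDs returns only the status of the last one, so under `set -e` a failed deploy on any host except the last is reported as success and the script exits 0. Waiting per PID, `for pid in $PID_LIST; do wait "$pid"; done`, makes any failing host abort the run; `ARGS=$@` followed by the unquoted `$MODE $ARGS` also re-splits arguments, so forwarding `"$@"` directly would be safer. `nix copy --no-check-sigs` pushes unsigned closures that the target then activates via `sudo nix-env ... -i` and `switch-to-configuration`, so the entire trust chain rests on the SSH session and the deploying user's key; a comment above `mkDeploy` stating that assumption, and that `nix-env --set` rather than `-i` is what nixos-rebuild uses for the system profile, would be appropriate. The bare `import {}` and `import {` look like a `<nixpkgs>` / `<nixpkgs/nixos>` path lost in rendering rather than in the source, so that is not raised here.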
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+
+{
+ imports = [
+ ];
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
new file mode 100644
index 0000000..0eed995
--- /dev/null
+++ b/pkgs/default.nix
@@ -0,0 +1,22 @@
+{ nixpkgs ? , ... }:
+
+let
+ pkgs = import nixpkgs {};
+ callPackage = pkgs.lib.callPackageWith (pkgs // newpkgs);
+
+ shelfieSrc = fetchGit {
+ url = "https://github.com/spacekookie/shelfie";
+ rev = "fb09d6d9ff94ea0679cf6406a3153735d49f38cd";
+ };
+ wasiSrc = fetchGit {
+ url = "https://gitlab.infra4future.de/wasi/wasi-rust";
+ rev = "356dbc23a3683d134f13156af71baeaa06fb80d1";
+ };
+
+ newpkgs = {
+ fb_exporter = callPackage ./fb_exporter {};
+ shelfie = import shelfieSrc { inherit shelfieSrc; pkgs = pkgs // newpkgs; };
+ wasi = import wasiSrc { inherit wasiSrc; pkgs = pkgs // newpkgs; };
+ };
+
+in newpkgs
diff --git a/pkgs/fb_exporter/default.nix b/pkgs/fb_exporter/default.nix
new file mode 100644
index 0000000..c211e1a
--- /dev/null
+++ b/pkgs/fb_exporter/default.nix
@@ -0,0 +1,32 @@
+{
+ pkgs ? import {}
+}:
+
+with pkgs;
+
+stdenv.mkDerivation {
+ pname = "fb_exporter";
+ version = "0.1.0";
+ src = fetchgit {
+ url = "https://cgit.ctu.cx/fritzbox-exporter";
+ rev = "fc7cb10f4673107c050b6d342e55b8838fe3a424";
+ sha256 = "168r93l5sqvn6wp7jdyw1g9jz613iwd11pg4zrsnlmr6n466hqh8";
+ };
+ nativeBuildInputs = [ nim ];
+ buildInputs = [ pcre openssl ];
+ buildPhase = ''
+ runHook preBuild
+ nim c -d:release --nimcache:$PWD src/fb_exporter.nim
+ runHook postBuild
+ '';
+ installPhase = ''
+ runHook preInstall
+ install -Dm755 src/fb_exporter $out/bin/fb_exporter
+ runHook postInstall
+ '';
+ fixupPhase = ''
+ runHook preFixup
+ patchelf --set-rpath ${lib.makeLibraryPath [ pcre openssl ]} $out/bin/fb_exporter
+ runHook postFixup
+ '';
+}
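Review bot: Both `fetchGit` calls in `pkgs/default.nix` give a `rev` but no `ref`, and `builtins.fetchGit` only fetches the repository's default branch when `ref` is absent, so evaluation fails as soon as either commit is not reachable from that branch. Adding `ref = "<branch>";` (placeholder) beside each `rev` makes the pin reproducible regardless of upstream branch moves. A one-line comment that the commit id is the content address here (which is why no `sha256` is given) would pre-empt the usual "missing hash" question, and `shelfie` and `wasi` both receive `pkgs // newpkgs` while `callPackage` is built from the same set — a note that `newpkgs` is deliberately self-referential would make that recursion look intentional.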
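Review bot: Overriding `fixupPhase` wholesale in `pkgs/fb_exporter/default.nix` discards stdenv's entire fixup (stripping, shebang patching, rpath shrinking and the reference checks), leaving only the single `patchelf` call. The standard fixup is kept and the same effect achieved with `postFixup = '' patchelf --set-rpath ${lib.makeLibraryPath [ pcre openssl ]} $out/bin/fb_exporter '';` in place of the `fixupPhase` block. Since `pcre` and `openssl` are already in `buildInputs`, a comment stating why the rpath has to be set by hand (presumably the nim binary dlopens these libraries rather than linking them, but that should be confirmed) would explain the patch to the next maintainer.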