Initial Commit
0878012581
29 changed files with 1409 additions and 0 deletions
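--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+result
+ecdsa_host
+secrets/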
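--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -0,0 +1,81 @@
+{ config, lib, pkgs, ... }:
+
+let
+home-manager = fetchGit {
+url = "https://github.com/nix-community/home-manager";
+rev = "a98ec6ec158686387d66654ea96153ec06be33d7";
+};
+in {
+imports = [
+../../modules
+"${home-manager}/nixos"
+./pbb.nix
+./users.nix
+];
+
+nixpkgs.overlays = [
+(self: super: import ../../pkgs { nixpkgs = super.path; })
+];
+
+boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+boot.kernelParams = [ "quiet" ];
+
+networking.domain = lib.mkDefault "hacc.space";
+petabyte.nftables = {
+enable = lib.mkDefault true;
+};
+
+services.journald.extraConfig = "SystemMaxUse=512M";
+nix.gc.automatic = lib.mkDefault true;
+nix.gc.options = lib.mkDefault "--delete-older-than 1w";
+nix.trustedUsers = [ "root" "@wheel" ];
+environment.variables.EDITOR = "vim";
+
+services.openssh.enable = true;
+services.openssh.ports = lib.mkDefault [ 62954 ];
+services.openssh.passwordAuthentication = false;
+services.openssh.challengeResponseAuthentication = false;
+services.openssh.permitRootLogin = lib.mkDefault "prohibit-password";
+services.openssh.extraConfig = "StreamLocalBindUnlink yes";
+security.sudo.wheelNeedsPassword = lib.mkDefault false;
+
+i18n.defaultLocale = "en_IE.UTF-8";
+time.timeZone = "UTC";
+console = {
+font = "Lat2-Terminus16";
+keyMap = "de";
+};
+programs.mtr.enable = true;
+
+environment.systemPackages = with pkgs; [
+smartmontools lm_sensors htop tcpdump nload iftop
+# bottom
+ripgrep
+git wget
+kitty.terminfo
+rsync pv progress
+parallel bc
+usbutils pciutils
+cryptsetup gptfdisk
+zstd p7zip
+file
+whois
+iperf
+fd
+exa
+socat
+tmux
+gnupg
+vim
+patchelf
+binutils
+dnsutils
+flashrom ifdtool cbfstool nvramtool
+nmap
+];
+
+petabyte.vnstat = {
+enable = true;
+nginx.enable = true;
+};
+}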
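Review bot: `security.sudo.wheelNeedsPassword = lib.mkDefault false;` together with `nix.trustedUsers = [ "root" "@wheel" ];` makes every wheel member's SSH key a single-factor path to root on every host importing this module, and nothing in the file records that this is intended. Trusted Nix users can already do anything the daemon can, so the two settings define one trust boundary and should be documented together; a comment above the sudo line such as `# wheel == root by design: SSH keys are the only factor, so key hygiene is root-key hygiene` would make that explicit. If the passwordless sudo is not deliberate, dropping the line restores the default, which requires a password.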
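--- a/configuration/common/hexchen.nix
+++ b/configuration/common/hexchen.nix
@@ -0,0 +1,71 @@
+{config, lib, pkgs, ...}:
+
+{
+home-manager.users.hexchen = {
+programs.direnv = {
+enable = true;
+enableFishIntegration = true;
+enableNixDirenvIntegration = true;
+};
+programs.fish = {
+enable = true;
+shellAliases = {
+icat = "${pkgs.kitty}/bin/kitty +kitten icat";
+};
+plugins = [
+{
+name = "bass";
+src = pkgs.fetchFromGitHub {
+owner = "edc";
+repo = "bass";
+rev = "d63054b24c2f63aaa3a08fb9ec9d0da4c70ab922";
+sha256 = "0pwci5xxm8308nrb52s5nyxijk0svar8nqrdfvkk2y34z1cg319b";
+};
+}
+];
+};
+programs.vim = {
+enable = true;
+extraConfig = ''
+set viminfo='20,<1000
+set mouse=a
+''; /*
+set tabstop=2
+set shiftwidth=2
+set expandtab
+'';*/
+};
+
+programs.git = {
+enable = true;
+userName = "hexchen";
+userEmail = "hexchen@lilwit.ch";
+};
+
+programs.bat.enable = true;
+programs.jq.enable = true;
+programs.tmux.enable = true;
+programs.ssh = {
+enable = true;
+controlMaster = "auto";
+controlPersist = "10m";
+hashKnownHosts = true;
+matchBlocks = let
+hexchen = {
+forwardAgent = true;
+extraOptions = {
+RemoteForward = "/run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra";
+};
+port = 62954;
+};
+in {
+"*.chaoswit.ch" = hexchen;
+"*.copyonwit.ch" = hexchen;
+"*.lilwit.ch" = hexchen;
+"*.hxchn.de" = hexchen;
+"*.hacc.space" = hexchen;
+};
+};
+};
+
+}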
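Review bot: The `hexchen` match block combines `forwardAgent = true` with a `RemoteForward` of the local gpg-agent socket, and it is applied to `*.hacc.space`, which users.nix in this same commit sets up as shared hosts with several wheel users; while a session is open, anyone with root on such a host can use both forwarded agents. That may be an accepted trade-off, but it is not stated anywhere; a comment above `matchBlocks` such as `# agent + gpg-agent forwarding is enabled for hacc.space hosts, which are shared with other wheel users` would make the exposure visible to the next reader. Scoping the forwarding block to the hosts you alone administer and using a plain `port = 62954;` block for the shared domain would avoid the question entirely.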
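--- a/configuration/common/pbb.nix
+++ b/configuration/common/pbb.nix
@@ -0,0 +1,13 @@
+let
+pbbNixfiles = fetchGit {
+url = "https://git.petabyte.dev/petabyteboy/nixfiles";
+rev = "fcfa9a150bdc0c36996db89d6cee07dd5db82373";
+};
+in {
+imports = [
+"${pbbNixfiles}/modules"
+];
+nixpkgs.overlays = [
+(self: super: import "${pbbNixfiles}/pkgs" { nixpkgs = super.path; })
+];
+}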
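--- a/configuration/common/users.nix
+++ b/configuration/common/users.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+
+{
+imports = [
+./hexchen.nix
+];
+
+home-manager.useGlobalPkgs = true;
+
+users.users = {
+root = {
+openssh.authorizedKeys.keys = with pkgs.lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
+};
+
+hexchen = {
+uid = 1000;
+isNormalUser = true;
+extraGroups = [ "wheel" ];
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDNVUDKx9sukRkb6INny432+2HZBWx/qIEAOvngF1qcj hexchen@montasch"
+];
+shell = pkgs.fish;
+packages = with pkgs; [ python38 go ];
+};
+
+stuebinm = {
+uid = 1001;
+isNormalUser = true;
+extraGroups = [ "wheel" ];
+openssh.authorizedKeys.keys = [
+"ssh-rsa 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 stuebinm@in.tum.de"
+];
+};
+
+octycs = {
+uid = 1002;
+isNormalUser = true;
+extraGroups = [ "wheel" ];
+openssh.authorizedKeys.keys = [
+"ssh-rsa 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 markus.amaseder@amaseder.de"
+];
+hashedPassword = "$6$qQEbD8Ejx/y$6/nkX8CmFBtAlUP/UbFKVMVlA.ZvVbjQZRABqXQjU11tKpY25ww.MCGGMEKFv.7I/UH/126/q0S3ROTqePUEc.";
+};
+
+zauberberg = {
+uid = 1003;
+isNormalUser = true;
+extraGroups = [ "wheel" ];
+openssh.authorizedKeys.keys = [
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt34ou3NYWoUayWrJa5ISzihAAhFiwolJPmm2fF9llPUUA8DP3BQRiKeqDlkDzhWLwztb+dNIUuregiFJdRN5Q2JZBKlM7Gqb1QtPhtK+xe2pyZPX2SWKIsKA6j3VAThhXsQdj3slXu3dG8FF7j+IFg/eTgpeQIFQQkMIc204ha8OP2ASYAJqgJVbXq8Xh3KkAc1HSrjYJLntryvK10wyU8p3ug370dMu3vRUn44FEyDzXFM9rfsgysQTzVgp+sXdRfMLeyvf+SUrE8hiPjzevF2nsUP0Xf/rIaK5VayChPLXJkulognINzvuVWAdwNPDLpgGwkjglF2681Ag88bLX allesmoeglicheundvielmehr@hotmail.de"
+];
+packages = with pkgs; [ makemkv ];
+};
+
+schweby = {
+uid = 1004;
+isNormalUser = true;
+extraGroups = [ "wheel" ];
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6JWi0MBDz0Zy4zjauQv28xYmHyapb8D4zeesq91LLE schweby@txsbcct"
+];
+hashedPassword = "$6$zkAsaVdmIduqZxez$GY9aBlYeP41F0it/VbbZzLLLRQhHAbDdFsa3e/1GS9McTuSimMHODg6HqNVEH1zSqD3afhK/0UHfqbtF5qpi90";
+packages = with pkgs; [ makemkv ];
+};
+};
+}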
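Review bot: The `hashedPassword` values for `octycs` and `schweby` are committed verbatim, and a crypt hash in a repository can be attacked offline by anyone who can read the repo, with no contact to the host and no rate limit. The same applies to every `hashedPassword` under `mailserver.loginAccounts` in services/mail.nix and to root's `initialHashedPassword` in hosts/hainich/configuration.nix in this commit. The `.gitignore` already reserves a `secrets/` directory, so these could be read from a file kept out of version control (for local users the `passwordFile` option, if the channel in use provides it, e.g. `passwordFile = "<path-outside-repo>";` — placeholder), and the hashes that are already published should be treated as exposed and rotated. Note also that root's `openssh.authorizedKeys.keys` is built from every wheel user's keys, which is fine but deserves a one-line comment on that line so later additions to wheel are made knowingly.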
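--- a/configuration/desktop/default.nix
+++ b/configuration/desktop/default.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+{
+boot.plymouth.enable = true;
+nixpkgs.config = {
+mumble.speechdSupport = true;
+allowUnfree = true;
+};
+# boot.plymouth.splashBeforeUnlock = true;
+users.users.hexchen = {
+packages = with pkgs; [
+pulsemixer pavucontrol
+firefox git kitty j4-dmenu-desktop bemenu
+breeze-qt5 mako
+mpv youtube-dl
+wl-clipboard mumble
+xdg_utils
+slurp grim libnotify
+_1password-gui
+# gnome3.nautilus
+];
+extraGroups = [ "video" ];
+};
+home-manager.users.hexchen = {
+gtk = {
+enable = true;
+iconTheme = {
+name = "Adwaita";
+package = pkgs.gnome3.adwaita-icon-theme;
+};
+theme = {
+name = "Adwaita";
+package = pkgs.gnome3.adwaita-icon-theme;
+};
+};
+};
+
+sound.enable = true;
+hardware.pulseaudio.enable = true;
+networking.useDHCP = lib.mkDefault true;
+hardware.opengl.enable = true;
+
+}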
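Review bot: `theme.package = pkgs.gnome3.adwaita-icon-theme;` repeats the `iconTheme` package for the GTK widget theme, which looks like a copy-paste of the block above it; the icon-theme package presumably does not carry the Adwaita widget theme, so this is worth confirming against what the theme actually loads from. If it does work because Adwaita is built into GTK, a comment like `# widget theme is GTK's built-in Adwaita; package only satisfies the option` would stop the next reader from "fixing" it.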
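--- a/configuration/desktop/gnome.nix
+++ b/configuration/desktop/gnome.nix
@@ -0,0 +1,14 @@
+{config, lib, pkgs, ...}:
+
+{
+services.xserver.displayManager.lightdm = {
+enable = true;
+};
+services.xserver = {
+enable = true;
+# videoDrivers = [ "nvidia" ];
+};
+# hardware.nvidia.modesetting.enable = true;
+
+# services.xserver.desktopManager.gnome3.enable = true;
+}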
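--- a/configuration/desktop/streaming.nix
+++ b/configuration/desktop/streaming.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, ...}:
+
+{
+boot = {
+extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
+kernelModules = [ "v4l2loopback" ];
+};
+
+home-manager.users.hexchen = {
+programs.obs-studio = {
+enable = true;
+plugins = with pkgs; [
+obs-wlrobs obs-v4l2sink
+];
+};
+};
+}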
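--- a/configuration/desktop/sway.nix
+++ b/configuration/desktop/sway.nix
@@ -0,0 +1,43 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+fonts.fonts = with pkgs; [ font-awesome nerdfonts ];
+users.users.hexchen.packages = with pkgs; [ ];
+home-manager.users.hexchen = {
+programs.waybar = {
+enable = true;
+
+settings = [{
+modules-left = [ "sway/workspaces" "sway/mode" ];
+modules-center = [ "sway/window" ];
+modules-right = [ "pulseaudio" "network" "cpu" "memory" "temperature" "battery" "clock" "tray" ];
+
+modules = {
+battery = {
+states = {
+good = 95;
+warning = 30;
+critical = 15;
+};
+format = "{capacity}% {icon}";
+format-charging = "{capacity}% ";
+format-plugged = "{capacity}% ";
+format-alt = "{time} {icon}";
+format-icons = ["" "" "" "" ""];
+};
+network = {
+format-wifi = "{essid} ({signalStrength}%) ";
+format-ethernet = "{ifname}: {ipaddr}/{cidr} ";
+format-linked = "{ifname} (No IP) ";
+format-disconnected = "Disconnected ⚠";
+format-alt = "{ifname}: {ipaddr}/{cidr}";
+};
+};
+}];
+};
+};
+
+programs.sway.enable = true;
+
+}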
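Review bot: `users.users.hexchen.packages = with pkgs; [ ];` assigns an empty list and so contributes nothing; either drop the line or leave a comment saying it is a placeholder for sway-specific tools. Separately, `format-icons = ["" "" "" "" ""];` and the trailing space in `format-charging`, `format-plugged`, `format-wifi`, `format-ethernet` and `format-linked` look like glyphs from the icon fonts that were lost either in this rendering or in the commit itself; if the latter, the battery module will show no icon at all, so this is worth checking in the actual file bytes.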
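--- a/configuration/hosts/default.nix
+++ b/configuration/hosts/default.nix
@@ -0,0 +1,23 @@
+let
+hosts = {
+hainich = {
+ssh.host = "hainich.hacc.space";
+channel = "nixos-unstable";
+groups = [ "server" "hacc" ];
+};
+nixda = {
+ssh.host = "nixda.hacc.space";
+channel = "nixos-20.09";
+groups = [ "server" "hacc" "live" ];
+};
+};
+pkgs = import <nixpkgs> {};
+evalConfig = import <nixpkgs/nixos/lib/eval-config.nix>;
+lib = pkgs.lib;
+in lib.mapAttrs (name: host: host // {
+config = if (host ? config) then host.config else (evalConfig {
+modules = [
+(import "${toString ./.}/${name}/configuration.nix")
+];
+}).config;
+}) hosts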
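Review bot: `pkgs = import <nixpkgs> {};` and `evalConfig = import <nixpkgs/nixos/lib/eval-config.nix>;` take nixpkgs from the invoking machine's NIX_PATH, so the per-host `channel` attribute (`nixos-unstable` for hainich, `nixos-20.09` for nixda) is declared here but never consulted by this evaluation; both hosts evaluate against whatever channel the deploying user happens to have. Presumably a deploy script outside this commit maps `channel` to NIX_PATH — if so, a comment above `hosts` such as `# channel is consumed by the deploy tooling, not by this file; NIX_PATH must match it` would record that contract, and if not, the two hosts silently share one channel.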
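--- a/configuration/hosts/hainich/configuration.nix
+++ b/configuration/hosts/hainich/configuration.nix
@@ -0,0 +1,103 @@
+{ config, lib, pkgs, ... }:
+
+{
+imports = [
+../../common
+./encboot.nix
+./hardware.nix
+./services/murmur.nix
+./services/mail.nix
+# ./services/engelsystem.nix
+./services/codimd.nix
+../../common
+./wireguard.nix
+./services/nginx.nix
+# ./k8s.nix
+./services/docker.nix
+./services/rocket.nix
+];
+boot.loader.grub.enable = true;
+boot.loader.grub.version = 2;
+boot.loader.grub.device = "/dev/sda";
+boot.supportedFilesystems = [ "zfs" ];
+
+# networking
+networking.hostName = "hainich";
+networking.hostId = "8a58cb2f";
+networking.useDHCP = true;
+networking.interfaces.enp6s0.ipv4.addresses = [
+{
+address = "46.4.63.148";
+prefixLength = 27;
+}
+
+{
+address = "46.4.63.158";
+prefixLength = 27;
+}
+];
+networking.interfaces.enp6s0.ipv6.addresses = [ {
+address = "2a01:4f8:140:84c9::1";
+prefixLength = 64;
+} ];
+networking.defaultGateway = "46.4.63.129";
+networking.nameservers = [
+"1.1.1.1" "1.0.0.1"
+"2606:4700:4700::1111" "2606:4700:4700::1001"
+];
+# networking.defaultGateway6 = {
+# address = "fe80::1";
+# interface = "enp6s0";
+# };
+
+networking.nat.enable = true;
+networking.nat.internalInterfaces = ["ve-+"];
+networking.nat.externalInterface = "enp6s0";
+
+
+networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+# networking.firewall.allowedUDPPorts = [ ... ];
+# networking.firewall.enable = false;
+
+# misc
+time.timeZone = "UTC";
+
+environment.systemPackages = with pkgs; [
+wget vim git
+];
+
+services.openssh.enable = true;
+services.openssh.ports = [ 22 62954 ];
+
+users.users.root = {
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDNVUDKx9sukRkb6INny432+2HZBWx/qIEAOvngF1qcj hexchen@montasch"
+"ssh-rsa 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 schweby@taxusbaccata"
+];
+initialHashedPassword = "$6$F316njEF2$GMF4OmPSF6QgZ3P/DblQ/UFMgoo98bztbdw7X0ygvBGC1UMMIc13Vtxjd/ZGRYW/pEHACZZ7sbRZ48t6xhvO7/";
+# shell = pkgs.fish;
+};
+
+# storage stuffs!
+services.zfs = {
+autoSnapshot = {
+enable = true;
+};
+autoScrub = {
+enable = true;
+};
+};
+
+services.journald.extraConfig = ''
+MaxFileSec=6h
+MaxRetentionSec=72h
+'';
+
+# This value determines the NixOS release from which the default
+# settings for stateful data, like file locations and database versions
+# on your system were taken. It‘s perfectly fine and recommended to leave
+# this value at the release version of the first install of this system.
+# Before changing this value read the documentation for this option
+# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+system.stateVersion = "20.03"; # Did you read the comment?
+}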
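Review bot: `../../common` appears twice in `imports` (the first and the eighth entry); the module system tolerates the duplicate, but it reads as if two different directories were meant, so the second occurrence should be dropped. `services.openssh.ports = [ 22 62954 ];` also overrides the `lib.mkDefault [ 62954 ]` from common/default.nix and `allowedTCPPorts` opens 22 alongside it, which undoes the non-standard-port choice for this host without saying why; if 22 is needed during the migration, a comment such as `# 22 kept temporarily alongside 62954; remove once all clients use the new port` would keep that intent from being lost. The committed `initialHashedPassword` is covered by the note on common/users.nix.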
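--- a/configuration/hosts/hainich/encboot.nix
+++ b/configuration/hosts/hainich/encboot.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+{
+boot.initrd.kernelModules = [ "r8169" ]; # add network card driver
+boot.kernelParams = ["ip=:::::enp6s0:dhcp"]; # enable dhcp on primary network interface
+boot.initrd.network = {
+enable = true;
+ssh = {
+enable = true;
+port = 2222;
+# TODO: Modify system config so that this works
+# authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
+authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
+hostKeys = [ /run/keys/ecdsa_host ];
+};
+# TODO: curl some webhook here to alert?
+# possibly quite hard to do, we only have limited wget or netcat available
+# how this all works:
+# when someone logs in via ssh, they are prompted to unlock the zfs volume
+# afterwards zfs is killed in order for the boot to progress
+# timeout of 120s still applies afaik
+postCommands = ''
+zpool import zroot
+zpool import dpool
+echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
+'';
+};
+}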
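Review bot: `hostKeys = [ /run/keys/ecdsa_host ];` is copied into the initrd, and the initrd lives on the `/boot` partition that hardware.nix declares as plain ext2, so anyone who can read that partition can present the same host key and collect the passphrase typed into `zfs load-key -a`. That is an inherent limit of SSH-based remote unlock rather than a bug, but it should be stated next to `hostKeys`, and the initrd key should stay separate from the system host key and be pinned by clients for port 2222 so a mismatch is noticed; e.g. `# NOTE: this key is embedded in the initrd on unencrypted /boot; keep it distinct from the main host key and pin it in clients' known_hosts for port 2222`. The `TODO` above `authorizedKeys` appears stale: the wheel-derived key list it describes is exactly what common/users.nix now assigns to root, which this line then inherits, so the comment could simply say that.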
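--- a/configuration/hosts/hainich/hardware.nix
+++ b/configuration/hosts/hainich/hardware.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+{
+boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "sd_mod" ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" =
+{ device = "zroot/root/nixos";
+fsType = "zfs";
+};
+
+fileSystems."/nix" =
+{ device = "zroot/root/nixos/nix";
+fsType = "zfs";
+};
+
+fileSystems."/home" =
+{ device = "dpool/home";
+fsType = "zfs";
+};
+
+fileSystems."/var/lib/containers" =
+{ device = "dpool/containers";
+fsType = "zfs";
+};
+
+fileSystems."/data" =
+{ device = "dpool/data";
+fsType = "zfs";
+};
+
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/40125f55-7fe8-4850-902e-b4d6e22f0335";
+fsType = "ext2";
+};
+
+swapDevices = [ ];
+
+nix.maxJobs = lib.mkDefault 12;
+powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}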
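--- a/configuration/hosts/hainich/k8s.nix
+++ b/configuration/hosts/hainich/k8s.nix
@@ -0,0 +1,125 @@
+{ config, pkgs, ... }:
+{
+services.etcd = {
+advertiseClientUrls = [
+"https://[2a0d:eb04:8:10::1]:2379"
+];
+listenClientUrls = [
+"https://[2a0d:eb04:8:10::1]:2379"
+];
+listenPeerUrls = [
+"https://[::1]:2380"
+];
+};
+services.kubernetes = {
+roles = [ "master" "node" ];
+flannel.enable = false;
+addons.dns = {
+enable = true;
+clusterIp = "2a0d:eb04:8:11::53";
+reconcileMode = "EnsureExists";
+};
+pki.cfsslAPIExtraSANs = [ "hainich.hacc.space" ];
+apiserver = {
+advertiseAddress = "2a0d:eb04:8:10::1";
+extraSANs = [
+"2a0d:eb04:8:10::1" "2a0d:eb04:8:11::1" "hainich.hacc.space"
+];
+bindAddress = "::";
+insecureBindAddress = "::1";
+etcd = {
+servers = [ "https://[2a0d:eb04:8:10::1]:2379" ];
+};
+serviceClusterIpRange = "2a0d:eb04:8:11::/120";
+extraOpts = "--allow-privileged=true";
+};
+controllerManager = {
+bindAddress = "::";
+clusterCidr = "2a0d:eb04:8:12::/64";
+};
+kubelet = {
+address = "::";
+clusterDns = "2a0d:eb04:8:11::53";
+};
+proxy = {
+bindAddress = "::";
+};
+scheduler = {
+address = "::1" ;
+};
+apiserverAddress = "https://[2a0d:eb04:8:10::1]:6443";
+clusterCidr = "2a0d:eb04:8:12::/64";
+easyCerts = true;
+masterAddress = "hainich.hacc.space";
+};
+
+networking.firewall = {
+allowedTCPPorts = [ 80 443 6443 ];
+trustedInterfaces = [
+"cbr0" "tunnat64"
+];
+extraCommands = ''
+iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
+iptables -A FORWARD -i tunnat64 -j ACCEPT
+
+iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
+iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
+iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
+
+ip6tables -A FORWARD -i tunnat64 -j ACCEPT
+ip6tables -A INPUT -i tunnat64 -j ACCEPT
+'';
+extraStopCommands = ''
+iptables -t nat -D POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
+iptables -D FORWARD -i tunnat64 -j ACCEPT
+
+iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
+iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
+iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
+
+ip6tables -A FORWARD -i tunnat64 -j ACCEPT
+ip6tables -A INPUT -i tunnat64 -j ACCEPT
+'';
+};
+
+systemd.services.tayga = (let
+config = pkgs.writeText "tayga.conf" ''
+tun-device tunnat64
+ipv4-addr 10.255.255.254
+prefix 2a0d:eb04:8:10:64::/96
+dynamic-pool 10.255.255.0/24
+map 10.255.255.1 2a0d:eb04:8:10::1
+map 10.255.255.2 2a0d:eb04:8:11::2
+strict-frag-hdr 1
+'';
+startScript = pkgs.writeScriptBin "tayga-start" ''
+#! ${pkgs.runtimeShell} -e
+${pkgs.iproute}/bin/ip link set up tunnat64 || true
+${pkgs.iproute}/bin/ip route add 10.255.255.0/24 dev tunnat64 || true
+${pkgs.iproute}/bin/ip -6 route add 2a0d:eb04:8:10:64::/96 dev tunnat64 || true
+${pkgs.tayga}/bin/tayga -d --config ${config}
+'';
+in {
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+serviceConfig = {
+ExecStart = ''${startScript}/bin/tayga-start'';
+};
+});
+
+networking.interfaces.cbr0.ipv6.routes = [{
+address = "2a0d:eb04:8:10::";
+prefixLength = 60;
+}];
+
+networking.interfaces.tunnat64 = {
+virtual = true;
+};
+
+# openebs expects some stuff to be there.
+system.activationScripts.openebs = ''
+mkdir -p /usr/lib /usr/sbin
+ln -sf ${pkgs.zfs.lib}/lib/* /usr/lib/
+ln -sf ${pkgs.zfs}/bin/zfs /usr/sbin/
+'';
+}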
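Review bot: The last two lines of `extraStopCommands` use `ip6tables -A`, the same append operation as in `extraCommands`, where every other stop line uses `-D`; each firewall stop or reload therefore adds another pair of blanket ACCEPT rules for `tunnat64` instead of removing them, and they accumulate until reboot. They should read `ip6tables -D FORWARD -i tunnat64 -j ACCEPT` and `ip6tables -D INPUT -i tunnat64 -j ACCEPT`. The file is currently commented out of hainich's imports, so the defect is latent until k8s.nix is re-enabled.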
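--- a/configuration/hosts/hainich/services/codimd.nix
+++ b/configuration/hosts/hainich/services/codimd.nix
@@ -0,0 +1,79 @@
+{ config, lib, pkgs, ... }:
+
+{
+containers.codimd = {
+privateNetwork = true;
+hostAddress = "192.168.100.1";
+localAddress = "192.168.100.3";
+autoStart = true;
+config = { config, lib, pkgs, ... }: {
+networking.firewall.allowedTCPPorts = [ 3000 ];
+services.coredns = {
+enable = true;
+config = ''
+.:53 {
+forward . 1.1.1.1
+}
+'';
+};
+services.codimd = {
+enable = true;
+configuration = {
+allowAnonymous = true;
+allowFreeURL = true;
+allowGravatar = false;
+allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ];
+dbURL = "postgres://codimd:codimd@localhost:5432/codimd";
+defaultPermission = "limited";
+domain = "pad.hacc.space";
+host = "0.0.0.0";
+protocolUseSSL = true;
+hsts.preload = false;
+email = false;
+oauth2 = {
+authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
+tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
+clientID = "codimd";
+clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
+};
+};
+};
+systemd.services.codimd.environment = {
+"CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
+"CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name";
+"CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name";
+"CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
+"CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
+};
+services.postgresql = {
+enable = true;
+ensureDatabases = [ "codimd" ];
+ensureUsers = [{
+name = "codimd";
+ensurePermissions = {
+"DATABASE codimd" = "ALL PRIVILEGES";
+};
+}];
+};
+};
+};
+
+services.nginx.virtualHosts."pad.hacc.space" = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://192.168.100.3:3000";
+extraConfig = ''
+proxy_pass_request_headers on;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $http_connection;
+proxy_buffering off;
+'';
+};
+};
+}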
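Review bot: `clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";` commits the OAuth2 client secret in clear, so anyone with read access to the repository can act as the `codimd` client towards auth.infra4future.de; it also lands world-readable in the Nix store of the container. Since the file already feeds CodiMD through `systemd.services.codimd.environment`, the secret can instead be supplied as `CMD_OAUTH2_CLIENT_SECRET` from a `serviceConfig.EnvironmentFile` kept under the gitignored `secrets/` directory (path is deployment-specific), with `clientSecret` dropped from `configuration`. The value that is already in history should be treated as exposed and rotated at the identity provider.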
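--- a/configuration/hosts/hainich/services/docker.nix
+++ b/configuration/hosts/hainich/services/docker.nix
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+
+{
+# disable nftables since it breaks shit
+petabyte.nftables.enable = false;
+virtualisation.oci-containers.containers."ghost-waszumfff" = {
+autoStart = true;
+environment = {
+url = "https://waszumfff.4future.dev";
+};
+image = "ghost:alpine";
+ports = [ "127.0.0.1:2368:2368" ];
+volumes = [ "/run/florinori:/var/lib/ghost/content" ];
+};
+
+fileSystems."/run/florinori" =
+{ device = "dpool/k8s/florinori";
+fsType = "zfs";
+};
+
+services.nginx.virtualHosts."waszumfff.4future.dev" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:2368";
+extraConfig = "
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+";
+};
+};
+}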
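Review bot: `petabyte.nftables.enable = false;` switches off, for the whole host, the packet filter that common/default.nix turns on with `lib.mkDefault true`, and the comment above it (`# disable nftables since it breaks shit`) says neither what conflicts nor what filtering remains; whether the stock `networking.firewall` rules in hainich/configuration.nix still take effect afterwards depends on the out-of-tree `petabyte.nftables` module, which is not visible here. A service file that drops a host-wide control should say so explicitly, e.g. `# nftables conflicts with the container runtime's own NAT rules; networking.firewall (iptables) stays active` — assuming that is in fact the case after this change. Binding the container to `127.0.0.1:2368` and fronting it with nginx is the right shape for the rest of the file.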
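--- a/configuration/hosts/hainich/services/engelsystem.nix
+++ b/configuration/hosts/hainich/services/engelsystem.nix
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+
+# TODO: Make this confix nix-y, so it doesn't require a metric shitton of
+# manual intervention to install
+{
+containers.engelsystem = {
+config = { pkgs, lib, config, ... }:
+let
+app = "engelsystem";
+domain = "himmel.hacc.earth";
+dataDir = "/srv/http/${domain}/public";
+engelport-py-pack = python-packages: with pkgs.python38Packages; [
+mysqlclient
+];
+engelport-py = pkgs.python38.withPackages engelport-py-pack;
+in {
+networking.firewall.enable = false;
+networking.nameservers = ["1.1.1.1" "1.0.0.1"];
+networking.hosts."192.168.100.1" = [ "mail.hacc.space" ];
+services.phpfpm.pools.${app} = {
+user = app;
+settings = {
+"listen.owner" = config.services.nginx.user;
+"pm" = "dynamic";
+"pm.max_children" = 32;
+"pm.max_requests" = 500;
+"pm.start_servers" = 2;
+"pm.min_spare_servers" = 2;
+"pm.max_spare_servers" = 5;
+"php_admin_value[error_log]" = "stderr";
+"php_admin_flag[log_errors]" = true;
+"catch_workers_output" = true;
+};
+phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
+};
+services.nginx = {
+enable = true;
+virtualHosts.${domain}.locations = {
+"/" = {
+extraConfig = "rewrite ^ /index.php;";
+};
+"/assets" = {
+root = dataDir;
+};
+"/index.php" = {
+root = dataDir;
+extraConfig = ''
+include ${pkgs.nginx}/conf/fastcgi.conf;
+fastcgi_split_path_info ^(.+\.php)(\\/.*)$;
+try_files $fastcgi_script_name =404;
+fastcgi_param PATH_INFO $fastcgi_path_info;
+fastcgi_pass unix:${config.services.phpfpm.pools.${app}.socket};
+fastcgi_intercept_errors on;
+'';
+};
+};
+};
+users.users.${app} = {
+isSystemUser = true;
+createHome = true;
+home = dataDir;
+group = app;
+};
+users.groups.${app} = {};
+
+services.mysql = {
+enable = true;
+ensureDatabases = [ "engelsystem" ];
+ensureUsers = [{
+name = "engelsystem";
+ensurePermissions."engelsystem.*" = "ALL PRIVILEGES";
+}];
+package = pkgs.mariadb;
+};
+
+environment.systemPackages = [
+pkgs.php pkgs.php74Packages.composer pkgs.yarn engelport-py
+];
+};
+privateNetwork = true;
+hostAddress = "192.168.100.1";
+localAddress = "192.168.100.2";
+autoStart = true;
+};
+services.nginx.virtualHosts."himmel.hacc.earth" = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://192.168.100.2";
+extraConfig = "add_header Host himmel.hacc.earth;";
+};
+};
+}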
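Review bot: `extraConfig = "add_header Host himmel.hacc.earth;";` on the host-side proxy adds a *response* header; it does not set the request `Host` that the container's `virtualHosts.${domain}` is keyed on, so the upstream nginx inside the container sees whatever `proxy_pass` sends by default. The intended line is `proxy_set_header Host himmel.hacc.earth;`. In the `/index.php` location, `fastcgi_split_path_info ^(.+\.php)(\\/.*)$;` sits inside a Nix `''` string where backslashes are literal, so nginx receives a regex requiring a literal backslash before the slash and `PATH_INFO` will never match — the conventional form is `^(.+\.php)(/.+)$`. Both are latent for now because the file is commented out of hainich's imports.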
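--- a/configuration/hosts/hainich/services/mail.nix
+++ b/configuration/hosts/hainich/services/mail.nix
@@ -0,0 +1,170 @@
+{ config, pkgs, lib, ... }:
+
+{
+imports = let commit = "02a45d9965133434c7b816cab2f47c8a7505e764"; in [
+(builtins.fetchTarball {
+url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${commit}/nixos-mailserver-${commit}.tar.gz";
+sha256 = "04v66z0ijjm8bqpiqmq1aqrqj6r6jjz591lgijmk4frz7lksnz8k";
+})
+];
+
+mailserver = {
+mailDirectory = "/data/mail";
+enable = true;
+fqdn = "mail.hacc.space";
+domains = [ "hacc.space" "hacc.earth" "4future.dev" "4futu.re" ];
+
+loginAccounts = {
+"hexchen@hacc.space" = {
+hashedPassword = "$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/";
+
+aliases = [
+"postmaster@hacc.space"
+"abuse@hacc.space"
+];
+};
+
+"octycs@hacc.space" = {
+hashedPassword = "$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg.";
+
+aliases = [
+"markus@hacc.space"
+];
+};
+
+"raphael@hacc.space" = {
+hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/";
+};
+
+"engelsystem@hacc.space" = {
+hashedPassword = "$6$5cIAEhJ7af7M$eJBPQc3ONd.N3HKPFpxfG7liZbUXPvWuSpWVgeG7rmsG7f7.Zdxtodvt5VaXoA3AEiv3GqcY.gKHISK/Gg0ib/";
+};
+
+"schweby@hacc.space" = {
+hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1";
+};
+
+"zauberberg@hacc.space" = {
+hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
+aliases = [
+"lukas@hacc.space"
+];
+};
+
+"talx@hacc.space" = {
+hashedPassword = "$6$0hIKRoMJS./JSE$tXizRgphhNM3ZYx216VdRv1OiyZoYXsjGqSudTDu8vB8eZb03Axi31VKV87RXiEGGixdvTsHEKpx032aOzzt31";
+};
+
+"unms@hacc.space" = {
+hashedPassword = "$6$pYlNP37913$sGE3L722ceP.1Qm5lsffYUN919hPP1xRTrzco3ic3Op21iiknBkOY04eY2l3Um/Bpk/yV89aJD0eaB/5RCbWR1";
+};
+
+"noreply@hacc.space" = {
+hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
+};
+"stuebinm@hacc.space" = {
+hashedPassword = "$6$jNfYD91wf/$YvJqo0QLzbnHcKigzAYgsE1gCc/07DUbKuNwAYBCKpQeqhBlUWjijXBuMH9wl7xH/i5HwOIyYhg6zuvejlfDN.";
+};
+};
+
+extraVirtualAliases = {
+# address = forward address;
+"info@hacc.space" = [
+"hexchen@hacc.space"
+"octycs@hacc.space"
+"raphael@hacc.space"
+"schweby@hacc.space"
+"zauberberg@hacc.space"
+"stuebinm@hacc.space"
+];
+"himmel@hacc.space" = [
+"hexchen@hacc.space"
+"schweby@hacc.space"
+"zauberberg@hacc.space"
+];
+"admin@hacc.space" = [
+"hexchen@hacc.space"
+"schweby@hacc.space"
+];
+};
+
+# Use Let's Encrypt certificates. Note that this needs to set up a stripped
+# down nginx and opens port 80.
+certificateScheme = 3;
+
+# Enable IMAP and POP3
+enableImap = true;
+enablePop3 = true;
+enableImapSsl = true;
+enablePop3Ssl = true;
+
+# Enable the ManageSieve protocol
+enableManageSieve = true;
+
+# whether to scan inbound emails for viruses (note that this requires at least
+# 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
+virusScanning = false;
+};
+services.postfix.submissionOptions.smtpd_sender_restrictions = "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
+services.postfix.virtual = ''@4future.dev @hacc.space
+@4futu.re @hacc.space
+@hacc.earth @hacc.space
+contact@hacc.space info@hacc.space'';
+
+#mailman
+services.postfix = {
+relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
+config = {
+transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
+local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
+inet_protocols = "ipv4, ipv6";
+};
+};
+
+services.mailman = {
+enable = true;
+siteOwner = "admin@hacc.space";
+webUser = config.services.uwsgi.user;
+hyperkitty.enable = true;
+# Have mailman talk directly to hyperkitty, bypassing nginx:
+hyperkitty.baseUrl = "http://localhost:33141/hyperkitty/";
+webHosts = [ "lists.hacc.space" ];
+};
+
+systemd.services.uwsgi.restartTriggers = [
+config.environment.etc."mailman3/settings.py".source
+];
+
+systemd.services.mailman-settings.script = ''
+chmod o+x /var/lib/mailman-web
+'';
+
+services.uwsgi = {
+enable = true;
+plugins = ["python3"];
+instance = {
+type = "normal";
+# uwsgi protocol socket for nginx
+socket = "127.0.0.1:33140";
+pythonPackages = self: with self; [ mailman-web ];
+# http socket for mailman core to reach the hyperkitty API directly
+http-socket = "127.0.0.1:33141";
+wsgi-file = "${pkgs.python3.pkgs.mailman-web}/lib/python3.8/site-packages/mailman_web/wsgi.py";
+chdir = "/var/lib/mailman-web";
+master = true;
+processes = 4;
+vacuum = true;
+};
+};
+
+services.nginx.virtualHosts."lists.hacc.space" = {
+enableACME = true;
+forceSSL = true;
+locations."/static/".alias = "/var/lib/mailman-web-static/";
+locations."/".extraConfig = ''
+uwsgi_pass 127.0.0.1:33140;
+include ${config.services.nginx.package}/conf/uwsgi_params;
+'';
+};
+
+}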
|
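--- a/configuration/hosts/hainich/services/murmur.nix
+++ b/configuration/hosts/hainich/services/murmur.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+{
+services.murmur = {
+enable = false;
+logDays = -1;
+welcometext = "Welcome to mumble4future! Brought to you by infra4future";
+sslKey = "/var/lib/acme/mumble.hacc.space/key.pem";
+sslCert = "/var/lib/acme/mumble.hacc.space/fullchain.pem";
+};
+
+networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
+networking.firewall.allowedUDPPorts = [ config.services.murmur.port ];
+
+services.nginx.virtualHosts."mumble.hacc.space" = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "https://stuebinm.4future.dev/mumble.infra4future.de/";
+};
+};
+# set ACLs so that the murmur user can read the certificates
+security.acme.certs."mumble.hacc.space".postRun = "setfacl -Rm u:murmur:rX /var/lib/acme/mumble.hacc.space";
+}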
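Review bot: The location `proxyPass = "https://stuebinm.4future.dev/mumble.infra4future.de/"` forwards to a remote HTTPS upstream without `proxy_ssl_verify`, and nginx defaults that to off, so the upstream certificate is never validated and anyone on the path can impersonate it. Add `proxy_ssl_verify on;`, `proxy_ssl_server_name on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` to the location's `extraConfig`, or reach the upstream over the WireGuard link instead. Separately, the firewall entries for `config.services.murmur.port` are unconditional while `services.murmur.enable = false`, so both ports are opened with nothing listening; gate them with `lib.optional config.services.murmur.enable config.services.murmur.port`. `logDays = -1` means murmur never purges its logs, which may be intended but deserves a comment saying so.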
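--- a/configuration/hosts/hainich/services/nginx.nix
+++ b/configuration/hosts/hainich/services/nginx.nix
@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+
+{
+security.acme.acceptTerms = true;
+security.acme.email = "info+acme@hacc.space";
+services.nginx.enable = true;
+services.nginx.package = pkgs.nginx.override {
+modules = [ pkgs.nginxModules.rtmp ];
+};
+services.nginx.virtualHosts = {
+"hainich.chaoswit.ch" = {
+enableACME = true;
+forceSSL = true;
+};
+"hainich.hacc.space" = {
+enableACME = true;
+forceSSL = true;
+locations = {
+"/" = {
+return = "404";
+};
+};
+};
+};
+
+networking.firewall.allowedTCPPorts = [ 1935 ];
+services.nginx.appendConfig = ''
+rtmp {
+server {
+listen 1935;
+application cutiestream {
+live on;
+allow publish all;
+allow play all;
+}
+application ingest {
+live on;
+
+record all;
+record_path /data/ingest;
+record_unique on;
+
+include /var/secrets/ingest.conf;
+}
+}
+}
+'';
+
+systemd.services.nginx.serviceConfig.ReadWriteDirectories = "/data/ingest /var/secrets";
+}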
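Review bot: `application cutiestream` carries `allow publish all;` on a port the firewall opens to the world (`allowedTCPPorts = [ 1935 ]`), so anyone on the internet can push a live stream under that name and every viewer of the cutiestream URL receives whatever an attacker publishes. Restrict publishing to the intended encoder, e.g. replace `allow publish all;` with `allow publish 127.0.0.1; deny publish all;`, or add an `on_publish` callback that validates a stream key, which is presumably what `include /var/secrets/ingest.conf;` does for `ingest` — that file is not in the commit, so confirm it actually restricts publish, because `record all;` into `/data/ingest` with no size cap would otherwise be a disk-fill vector. `serviceConfig.ReadWriteDirectories` is the deprecated spelling; `ReadWritePaths` is the current name and worth using while the line is being written.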
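--- a/configuration/hosts/hainich/services/rocket.nix
+++ b/configuration/hosts/hainich/services/rocket.nix
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+{
+services.mongodb = {
+enable = true;
+extraConfig = ''
+replication:
+replSetName: "rs01"
+'';
+};
+virtualisation.oci-containers.containers."rocketchat" = {
+autoStart = true;
+environment = {
+ROOT_URL = "https://chat.uref.hacc.media";
+MONGO_URL = "mongodb://localhost:27017/rocketchat";
+MONGO_OPLOG_URL = "mongodb://localhost:27017/local";
+Accounts_UseDNSDomainCheck = "false";
+};
+image = "rocketchat/rocket.chat:3.1.1";
+extraOptions = [ "--network=host" ];
+};
+services.nginx.virtualHosts."chat.uref.hacc.media" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:3000";
+extraConfig = "
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+";
+};
+};
+}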
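Review bot: MongoDB is started with only `replication:` in `extraConfig` and `MONGO_URL = "mongodb://localhost:27017/rocketchat"` carries no credentials, so the chat database runs with no access control and any local process — including anything else sharing the host network namespace via `--network=host` — can read or rewrite it. Enable `security:` / `authorization: enabled` in `extraConfig`, create a dedicated user, and supply its credentials to the container from a root-only file rather than a Nix string, since the store is world-readable. Host networking also lets Rocket.Chat bind port 3000 on every interface (its default, as far as I know), bypassing nginx's TLS unless the nftables ruleset blocks it; confirm that, or bind the app to 127.0.0.1. The nginx location should also set `proxyWebsockets = true;` so Rocket.Chat's websocket connections upgrade instead of degrading to polling, and `image = "rocketchat/rocket.chat:3.1.1"` needs an owner to track security releases.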
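--- a/configuration/hosts/hainich/wireguard.nix
+++ b/configuration/hosts/hainich/wireguard.nix
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+{
+systemd.services.wireguard-upstream = {
+wants = [ "wg-upstream-key.service" ];
+after = [ "wg-upstream-key.service" ];
+};
+networking.wireguard.interfaces.upstream = {
+ips = [ "2a0d:eb04:8:ffff:2::2/128" ];
+generatePrivateKeyFile = true;
+privateKeyFile = "/etc/wireguard/upstream.key";
+listenPort = 51820;
+peers = [
+{
+allowedIPs = [ "::/0" ];
+endpoint = "103.105.50.220:51823";
+publicKey = "qL5xKnQ7xLbtTvu0VmLBwHExteJBhmCe5S/0ZoXBeXY=";
+}
+];
+postSetup = ''
+${pkgs.iproute}/bin/ip addr del dev upstream 2a0d:eb04:8:ffff:2::2/128
+${pkgs.iproute}/bin/ip addr add dev upstream 2a0d:eb04:8:ffff:2::2/128 peer 2a0d:eb04:8:ffff:2::1/128
+'';
+};
+networking.interfaces.lo.ipv6 = {
+addresses = [{
+address = "2a0d:eb04:8:10::1";
+prefixLength = 128;
+}];
+};
+networking.defaultGateway6 = {
+address = "2a0d:eb04:8:ffff:2::1";
+interface = "upstream";
+};
+}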
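Review bot: `wants`/`after = [ "wg-upstream-key.service" ]` reference a unit this commit does not define, and as far as I recall the NixOS module's key-generation unit for `generatePrivateKeyFile` is named `wireguard-upstream-key.service`; systemd silently ignores ordering against a missing unit, so if the name is wrong the dependency is a no-op and should be fixed or dropped. The `postSetup` that deletes and re-adds `2a0d:eb04:8:ffff:2::2/128` with `peer 2a0d:eb04:8:ffff:2::1/128` looks like a workaround to make the gateway on-link for `defaultGateway6` — my inference — and will be removed as redundant with `ips` by a later reader unless it carries a comment such as `# re-add with explicit peer so the gateway is reachable over the /128 point-to-point link`. `pkgs.iproute` is an alias for `iproute2` in newer nixpkgs; using the canonical name avoids a future alias removal.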
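--- a/configuration/hosts/nixda/configuration.nix
+++ b/configuration/hosts/nixda/configuration.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, ... }:
+
+{
+imports =
+[ # Include the results of the hardware scan.
+./hardware-config.nix
+../../common
+../../desktop
+../../desktop/streaming.nix
+../../desktop/sway.nix
+../../desktop/gnome.nix
+];
+
+boot.loader.grub ={
+enable = true;
+version = 2;
+efiSupport = true;
+device = "nodev";
+};
+boot.loader.efi = {
+canTouchEfiVariables = true;
+efiSysMountPoint = "/boot";
+};
+
+# hardware.decklink.enable = true;
+
+networking.hostName = "nixda"; # Define your hostname.
+
+boot.kernelModules = [ "blackmagic" "blackmagic-io" "snd_blackmagic-io" ];
+boot.extraModulePackages = [ config.boot.kernelPackages.decklink ];
+systemd.services."DecklinkVideoHelper" = {
+after = [ "syslog.target" "local-fs.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig.ExecStart = "${pkgs.blackmagicDesktopVideo}/bin/DesktopVideoHelper -n";
+};
+
+environment.systemPackages = with pkgs; [ blackmagicDesktopVideo ];
+
+# This value determines the NixOS release from which the default
+# settings for stateful data, like file locations and database versions
+# on your system were taken. It‘s perfectly fine and recommended to leave
+# this value at the release version of the first install of this system.
+# Before changing this value read the documentation for this option
+# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+system.stateVersion = "20.09"; # Did you read the comment?
+
+}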
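Review bot: `systemd.services."DecklinkVideoHelper"` runs a proprietary vendor binary as root with no `User=` or sandboxing, and `after = [ "syslog.target" ]` names a target that no longer exists in systemd, so that ordering is silently ignored. Drop `"syslog.target"`, and unless the vendor documentation says the helper needs root (I am assuming it does only because no `User=` was set — confirm), run it under a dedicated user with `serviceConfig.User` plus `ProtectSystem = "strict"` and the specific device access it needs. `boot.loader.grub.version = 2` is already the default and the option was later deprecated, so it can go. A one-line comment on why `# hardware.decklink.enable = true;` is commented out while the modules are loaded by hand would stop the next reader from re-enabling it.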
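--- a/configuration/hosts/nixda/hardware-config.nix
+++ b/configuration/hosts/nixda/hardware-config.nix
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+imports =
+[ (modulesPath + "/installer/scan/not-detected.nix")
+];
+
+boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-amd" ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" =
+{ device = "/dev/disk/by-uuid/dfbfee26-c2c0-4c0c-b145-6362c7650ac9";
+fsType = "btrfs";
+options = [ "subvol=@nix" ];
+};
+
+fileSystems."/home" =
+{ device = "/dev/disk/by-uuid/dfbfee26-c2c0-4c0c-b145-6362c7650ac9";
+fsType = "btrfs";
+options = [ "subvol=@home" ];
+};
+
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/A358-97BC";
+fsType = "vfat";
+};
+
+swapDevices = [ ];
+}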
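--- a/default.nix
+++ b/default.nix
@@ -0,0 +1,4 @@
+{
+inherit (import ./lib/deploy.nix) deploy;
+pkgs = import ./pkgs;
+}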
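--- a/lib/deploy.nix
+++ b/lib/deploy.nix
@@ -0,0 +1,76 @@
+let
+pkgs = import <nixpkgs> {};
+lib = pkgs.lib;
+
+hosts = import ../configuration/hosts;
+nixosHosts = lib.filterAttrs (name: host: host ? ssh) hosts;
+
+allGroups = lib.unique (
+lib.flatten (
+lib.mapAttrsToList (
+name: host: host.groups
+) hosts
+)
+);
+
+hostsInGroup = group:
+lib.filterAttrs (
+k: v: builtins.elem group v.groups
+) hosts;
+
+hostsInAllGroups = lib.listToAttrs (
+map (
+group: lib.nameValuePair group (
+lib.attrNames (hostsInGroup group)
+)
+) allGroups );
+
+mkDeploy = hostnames: pkgs.writeScript "deploy-${lib.concatStringsSep "-" hostnames}" ''
+#!${pkgs.stdenv.shell}
+set -e -o pipefail
+export PATH=/run/wrappers/bin/:${with pkgs; lib.makeBinPath [
+coreutils
+openssh
+nix
+gnutar
+findutils
+nettools
+gzip
+git
+]}
+
+MODE=$1
+shift || true
+ARGS=$@
+
+[ "$MODE" == "" ] && MODE="switch"
+
+${lib.concatMapStrings (hostname: let
+hostAttrs = nixosHosts.${hostname};
+nixosSystem = (import <nixpkgs/nixos/lib/eval-config.nix> {
+modules = [
+"${toString ../configuration}/hosts/${hostname}/configuration.nix"
+];
+system = if hostAttrs ? system then hostAttrs.system else "x86_64-linux";
+}).config.system.build.toplevel;
+in ''
+(
+echo "deploying ${hostname}..."
+nix copy --no-check-sigs --to ssh://${hostAttrs.ssh.host} ${nixosSystem}
+ssh $NIX_SSHOPTS ${hostAttrs.ssh.host} "sudo nix-env -p /nix/var/nix/profiles/system -i ${nixosSystem}"
+ssh $NIX_SSHOPTS ${hostAttrs.ssh.host} "sudo /nix/var/nix/profiles/system/bin/switch-to-configuration $MODE $ARGS"
+) &
+PID_LIST+=" $!"
+'') hostnames}
+
+echo "deploys started, waiting for them to finish..."
+
+trap "kill $PID_LIST" SIGINT
+wait $PID_LIST
+'';
+
+in {
+deploy = (lib.mapAttrs (hostname: hostAttrs: mkDeploy [ hostname ]) nixosHosts)
+// (lib.mapAttrs (group: hosts: mkDeploy hosts) hostsInAllGroups)
+// { all = mkDeploy (lib.attrNames nixosHosts); };
+}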
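Review bot: `wait $PID_LIST` returns only the exit status of the last PID listed, so when one host's `nix copy` or `switch-to-configuration` fails inside its backgrounded subshell the script still exits 0 and a partial fleet deploy goes unnoticed; loop `for p in $PID_LIST; do wait "$p" || FAILED=1; done` and exit non-zero on `FAILED`. The nixpkgs used for both `import <nixpkgs> {}` and `import <nixpkgs/nixos/lib/eval-config.nix>` comes from the deploying user's `NIX_PATH`, so two operators running the same commit build different closures, and `nix copy --no-check-sigs` then makes every target accept whichever unsigned closure arrives; pin nixpkgs in this file, e.g. `nixpkgs = fetchGit { url = "https://github.com/NixOS/nixpkgs"; rev = "<commit>"; };`, and reuse it for both imports, and consider signing paths instead of disabling the check. In the generated script, `ARGS=$@` flattens quoting and `$NIX_SSHOPTS` is unquoted; `ARGS="$*"` (or passing `"$@"` through) and `[ -z "$MODE" ]` in place of the non-POSIX `==` would make it robust under other shells.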
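--- a/modules/default.nix
+++ b/modules/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+
+{
+imports = [
+];
+}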
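--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -0,0 +1,22 @@
+{ nixpkgs ? <nixpkgs>, ... }:
+
+let
+pkgs = import nixpkgs {};
+callPackage = pkgs.lib.callPackageWith (pkgs // newpkgs);
+
+shelfieSrc = fetchGit {
+url = "https://github.com/spacekookie/shelfie";
+rev = "fb09d6d9ff94ea0679cf6406a3153735d49f38cd";
+};
+wasiSrc = fetchGit {
+url = "https://gitlab.infra4future.de/wasi/wasi-rust";
+rev = "356dbc23a3683d134f13156af71baeaa06fb80d1";
+};
+
+newpkgs = {
+fb_exporter = callPackage ./fb_exporter {};
+shelfie = import shelfieSrc { inherit shelfieSrc; pkgs = pkgs // newpkgs; };
+wasi = import wasiSrc { inherit wasiSrc; pkgs = pkgs // newpkgs; };
+};
+
+in newpkgs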
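Review bot: `shelfieSrc` and `wasiSrc` are fetched with the `fetchGit` builtin and then `import`ed, so Nix code from two external repositories (one on a third-party forge, `gitlab.infra4future.de`) is evaluated as part of this package set, and the `rev` pin ties that only to a SHA-1 commit, not a content hash, unlike `pkgs/fb_exporter/default.nix`, which pins its source with `sha256`. For consistency and stronger integrity, fetch both with `pkgs.fetchgit { url = ...; rev = ...; sha256 = ...; }` (or keep `fetchGit` and add `narHash`, which needs Nix 2.4 or later). `callPackageWith (pkgs // newpkgs)` and `pkgs = pkgs // newpkgs` inside `newpkgs` form a knot that only works because of lazy evaluation; a short comment saying so would spare the next reader a puzzled minute.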
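--- a/pkgs/fb_exporter/default.nix
+++ b/pkgs/fb_exporter/default.nix
@@ -0,0 +1,32 @@
+{
+pkgs ? import <nixpkgs> {}
+}:
+
+with pkgs;
+
+stdenv.mkDerivation {
+pname = "fb_exporter";
+version = "0.1.0";
+src = fetchgit {
+url = "https://cgit.ctu.cx/fritzbox-exporter";
+rev = "fc7cb10f4673107c050b6d342e55b8838fe3a424";
+sha256 = "168r93l5sqvn6wp7jdyw1g9jz613iwd11pg4zrsnlmr6n466hqh8";
+};
+nativeBuildInputs = [ nim ];
+buildInputs = [ pcre openssl ];
+buildPhase = ''
+runHook preBuild
+nim c -d:release --nimcache:$PWD src/fb_exporter.nim
+runHook postBuild
+'';
+installPhase = ''
+runHook preInstall
+install -Dm755 src/fb_exporter $out/bin/fb_exporter
+runHook postInstall
+'';
+fixupPhase = ''
+runHook preFixup
+patchelf --set-rpath ${lib.makeLibraryPath [ pcre openssl ]} $out/bin/fb_exporter
+runHook postFixup
+'';
+}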
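Review bot: Replacing `fixupPhase` wholesale discards stdenv's default fixup, so the binary is never stripped, `patchShebangs`/reference checks and the fixup hooks contributed by `nativeBuildInputs` do not run, and only the hand-written `patchelf` remains. Move that line to `postFixup = ''patchelf --set-rpath ${lib.makeLibraryPath [ pcre openssl ]} $out/bin/fb_exporter'';` — it runs after the default fixup (including rpath shrinking), so the explicit rpath survives, which matters if Nim loads pcre and openssl through `dlopen` as the need for this rpath suggests. The file also lacks a `meta` block (description, license, maintainers), and `with pkgs;` at file scope invites name shadowing; the `{ stdenv, lib, fetchgit, nim, pcre, openssl }:` argument form is the nixpkgs convention and already fits how `pkgs/default.nix` invokes it via `callPackage`.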