combine config

2021-02-22 23:57:05 -05:00 · 2021-02-22 23:57:05 -05:00 · 36b6081783
commit 36b6081783
parent 7f0b25c0b6
23 changed files with 18 additions and 106 deletions
--- a/common/common.nix
+++ b/common/common.nix
--- a/common/efi.nix
+++ b/common/efi.nix
--- a/neet.dev/flakes.nix
+++ b/neet.dev/flakes.nix
--- a/common/luks.nix
+++ b/common/luks.nix
--- a/common/pc/audio.nix
+++ b/common/pc/audio.nix
@ -10,6 +10,7 @@
    package = pkgs.pulseaudioFull; # bt headset support
    extraConfig = "
      load-module module-switch-on-connect
      load-module module-switch-on-connect ignore_virtual=no
    ";
  };
  hardware.bluetooth.enable = true;
--- a/common/pc/chromium.nix
+++ b/common/pc/chromium.nix
--- a/common/pc/de.nix
+++ b/common/pc/de.nix
--- a/common/pc/kde.nix
+++ b/common/pc/kde.nix
--- a/common/pc/pithos.nix
+++ b/common/pc/pithos.nix
--- a/common/pc/torbrowser.nix
+++ b/common/pc/torbrowser.nix
--- a/common/pc/touchpad.nix
+++ b/common/pc/touchpad.nix
--- a/common/pc/vscodium.nix
+++ b/common/pc/vscodium.nix
--- a/common/pc/xfce.nix
+++ b/common/pc/xfce.nix
--- a/common/pc/yubikey.nix
+++ b/common/pc/yubikey.nix
--- a/common/server/gitlab.nix
+++ b/common/server/gitlab.nix
--- a/common/server/mumble.nix
+++ b/common/server/mumble.nix
--- a/common/server/nsd.nix
+++ b/common/server/nsd.nix
--- a/common/server/thelounge.nix
+++ b/common/server/thelounge.nix
--- a/common/server/video-stream.nix
+++ b/common/server/video-stream.nix
--- a/common/server/zerobin.nix
+++ b/common/server/zerobin.nix
--- a/neet.dev/configuration.nix
+++ b/neet.dev/configuration.nix
@ -1,15 +1,15 @@
 { config, pkgs, lib, ... }:
 {
-  imports =
+  imports =[
    [
      ./flakes.nix
    ./hardware-configuration.nix
-#      ./nsd.nix
+    ../common/common.nix
-      ./thelounge.nix
+    ../common/luks.nix
-      ./mumble.nix
+#   ../common/server/nsd.nix
-      ./gitlab.nix
+    ../common/server/thelounge.nix
-      ./video-stream.nix
+    ../common/server/mumble.nix
    ../common/server/gitlab.nix
    ../common/server/video-stream.nix
  ];
  # Use the GRUB 2 boot loader.
@ -20,31 +20,9 @@
  networking.hostName = "neetdev";
  networking.wireless.enable = false;
  # Set your time zone.
  time.timeZone = "America/New_York";
  networking.useDHCP = true; # just in case... (todo ensure false doesn't fuck up initrd)
  networking.interfaces.eno1.useDHCP = true;
  i18n.defaultLocale = "en_US.UTF-8";
  users.users.googlebot = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0VFnn3+Mh0nWeN92jov81qNE9fpzTAHYBphNoY7HUx"
    ];
  };
  environment.systemPackages = with pkgs; [
    wget kakoune
  ];
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  security.acme.acceptTerms = true;
  security.acme.email = "letsencrypt+5@tar.ninja";
  security.acme.certs = {
@ -65,69 +43,12 @@
  };
  # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [ 22 53 80 443 4444 ];
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
-  networking.firewall.allowedUDPPorts = [ 53 80 443 4444 ];
+  networking.firewall.allowedUDPPorts = [ 80 443 ];
  # LUKS
  boot.initrd.luks.devices.enc-pv.device = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1";
  # Unlock LUKS disk over ssh
  boot.initrd.network.enable = true;
  boot.initrd.kernelModules = [ "e1000" "e1000e" "virtio_pci" ];
  boot.initrd.network.ssh = {
    enable = true;
    port = 22;
    hostKeys = [
      "/secret/ssh_host_rsa_key"
      "/secret/ssh_host_ed25519_key"
    ];
    authorizedKeys = config.users.users.googlebot.openssh.authorizedKeys.keys;
  };
  # TODO is this needed?
  boot.initrd.postDeviceCommands = ''
    echo 'waiting for root device to be opened...'
    mkfifo /crypt-ramfs/passphrase
    echo /crypt-ramfs/passphrase >> /dev/null
  '';
  # Make machine accessable over tor for boot unlock
  boot.initrd.secrets = {
    "/etc/tor/onion/bootup" = /secret/onion;
  };
  boot.initrd.extraUtilsCommands = ''
    copy_bin_and_libs ${pkgs.tor}/bin/tor
    copy_bin_and_libs ${pkgs.haveged}/bin/haveged
  '';
  # start tor during boot process
  boot.initrd.network.postCommands = let
    torRc = (pkgs.writeText "tor.rc" ''
      DataDirectory /etc/tor
      SOCKSPort 127.0.0.1:9050 IsolateDestAddr
      SOCKSPort 127.0.0.1:9063
      HiddenServiceDir /etc/tor/onion/bootup
      HiddenServicePort 22 127.0.0.1:22
    '');
  in ''
    # Add nice prompt for giving LUKS passphrase over ssh
    echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
    echo "tor: preparing onion folder"
    # have to do this otherwise tor does not want to start
    chmod -R 700 /etc/tor
    echo "make sure localhost is up"
    ip a a 127.0.0.1/8 dev lo
    ip link set lo up
    echo "haveged: starting haveged"
    haveged -F &
    echo "tor: starting tor"
    tor -f ${torRc} --verify-config
    tor -f ${torRc} &
  '';
  system.stateVersion = "20.09";
 }
--- a/reg/configuration.nix
+++ b/reg/configuration.nix
@ -3,11 +3,11 @@
 {
  imports = [
    ./hardware-configuration.nix
-    ./efi.nix
+    ../common/common.nix
-    ./common.nix
+    ../common/efi.nix
-    ./luks.nix
+    ../common/luks.nix
-    ./touchpad.nix
+    ../common/pc/de.nix
-    ./de.nix
+    ../common/pc/touchpad.nix
  ];
  networking.hostName = "reg";
--- a/reg/flakes.nix
+++ b/reg/flakes.nix
@ -1,10 +0,0 @@
 { pkgs, ... }:
 {
  nix = {
    package = pkgs.nixFlakes;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };
 }