diff --git a/common/boot/bios.nix b/common/boot/bios.nix
index 163b160..2b3670a 100644
--- a/common/boot/bios.nix
+++ b/common/boot/bios.nix
@@ -1,12 +1,28 @@
-{ config, pkgs, ... }:
+{ lib, config, pkgs, ... }:
 
-{
- # Use GRUB 2 for BIOS
- boot.loader.grub = {
- enable = true;
- version = 2;
- useOSProber = true;
- configurationLimit = 20;
- theme = pkgs.nixos-grub2-theme;
+with lib;
+let
+ cfg = config.bios;
+in {
+ options.bios = {
+ enable = mkEnableOption "enable bios boot";
+ device = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ # Use GRUB 2 for BIOS
+ boot.loader = {
+ timeout = 2;
+ grub = {
+ enable = true;
+ device = cfg.device;
+ version = 2;
+ useOSProber = true;
+ configurationLimit = 20;
+ theme = pkgs.nixos-grub2-theme;
+ };
+ };
 };
 }
\ No newline at end of file
diff --git a/common/boot/efi.nix b/common/boot/efi.nix
index 440bef7..60fd64b 100644
--- a/common/boot/efi.nix
+++ b/common/boot/efi.nix
@@ -1,18 +1,28 @@
-{ config, pkgs, ... }:
+{ lib, config, pkgs, ... }:
 
-{
- # Use GRUB2 for EFI
- boot.loader = {
- efi.canTouchEfiVariables = true;
- grub = {
- enable = true;
- device = "nodev";
- version = 2;
- efiSupport = true;
- useOSProber = true;
-# memtest86.enable = true;
- configurationLimit = 20;
- theme = pkgs.nixos-grub2-theme;
+with lib;
+let
+ cfg = config.efi;
+in {
+ options.efi = {
+ enable = mkEnableOption "enable efi boot";
+ };
+
+ config = mkIf cfg.enable {
+ # Use GRUB2 for EFI
+ boot.loader = {
+ efi.canTouchEfiVariables = true;
+ timeout = 2;
+ grub = {
+ enable = true;
+ device = "nodev";
+ version = 2;
+ efiSupport = true;
+ useOSProber = true;
+# memtest86.enable = true;
+ configurationLimit = 20;
+ theme = pkgs.nixos-grub2-theme;
+ };
 };
 };
 }
diff --git a/common/boot/luks.nix b/common/boot/luks.nix
index a9d9222..cbf1c7b 100644
--- a/common/boot/luks.nix
+++ b/common/boot/luks.nix
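Review bot: The new `device` option in bios.nix is declared as `mkOption { type = types.str; }` with neither a `description` nor a `default`, so the generated option docs say nothing about it and a host that sets `bios.enable = true` without it fails with a bare missing-definition error; add `description = "Disk GRUB is installed to, passed through to boot.loader.grub.device (e.g. /dev/vda).";`. The `enable` texts in both this hunk and the efi.nix hunk below read as "Whether to enable enable bios boot" because `mkEnableOption` already prefixes "Whether to enable"; `mkEnableOption "BIOS boot via GRUB"` and `mkEnableOption "EFI boot via GRUB"` read correctly. The file-level `with lib;` in both boot modules also differs from luks.nix in the same commit, which uses explicit `lib.` references; one convention across the boot modules is easier to audit.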
@@ -1,59 +1,101 @@
 { config, pkgs, lib, ... }:
 
-{
- # Unlock LUKS disk over ssh
- boot.initrd.network.enable = true;
- boot.initrd.kernelModules = [ "e1000" "e1000e" "virtio_pci" "r8169" ];
- boot.initrd.network.ssh = {
- enable = true;
- port = 22;
- hostKeys = [
- "/secret/ssh_host_rsa_key"
- "/secret/ssh_host_ed25519_key"
- ];
- authorizedKeys = config.users.users.googlebot.openssh.authorizedKeys.keys;
+let
+ cfg = config.luks;
+in {
+ options.luks = {
+ enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
+ device = {
+ name = lib.mkOption {
+ type = lib.types.str;
+ default = "enc-pv";
+ };
+ path = lib.mkOption {
+ type = lib.types.either lib.types.str lib.types.path;
+ };
+ allowDiscards = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+ sshHostKeys = lib.mkOption {
+ type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
+ default = [
+ "/secret/ssh_host_rsa_key"
+ "/secret/ssh_host_ed25519_key"
+ ];
+ };
+ sshAuthorizedKeys = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = config.users.users.googlebot.openssh.authorizedKeys.keys;
+ };
+ onionConfig = lib.mkOption {
+ type = lib.types.path;
+ default = /secret/onion;
+ };
+ kernelModules = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ "e1000" "e1000e" "virtio_pci" "r8169" ];
+ };
 };
 
- boot.initrd.postDeviceCommands = ''
- echo 'waiting for root device to be opened...'
- mkfifo /crypt-ramfs/passphrase
- echo /crypt-ramfs/passphrase >> /dev/null
- '';
+ config = lib.mkIf cfg.enable {
+ boot.initrd.luks.devices.${cfg.device.name} = {
+ device = cfg.device.path;
+ allowDiscards = cfg.device.allowDiscards;
+ };
 
- # Make machine accessable over tor for boot unlock
- boot.initrd.secrets = {
- "/etc/tor/onion/bootup" = /secret/onion;
+ # Unlock LUKS disk over ssh
+ boot.initrd.network.enable = true;
+ boot.initrd.kernelModules = cfg.kernelModules;
+ boot.initrd.network.ssh = {
+ enable = true;
+ port = 22;
+ hostKeys = cfg.sshHostKeys;
+ authorizedKeys = cfg.sshAuthorizedKeys;
+ };
+
+ boot.initrd.postDeviceCommands = ''
+ echo 'waiting for root device to be opened...'
+ mkfifo /crypt-ramfs/passphrase
+ echo /crypt-ramfs/passphrase >> /dev/null
+ '';
+
+ # Make machine accessable over tor for boot unlock
+ boot.initrd.secrets = {
+ "/etc/tor/onion/bootup" = cfg.onionConfig;
+ };
+ boot.initrd.extraUtilsCommands = ''
+ copy_bin_and_libs ${pkgs.tor}/bin/tor
+ copy_bin_and_libs ${pkgs.haveged}/bin/haveged
+ '';
+ # start tor during boot process
+ boot.initrd.network.postCommands = let
+ torRc = (pkgs.writeText "tor.rc" ''
+ DataDirectory /etc/tor
+ SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+ SOCKSPort 127.0.0.1:9063
+ HiddenServiceDir /etc/tor/onion/bootup
+ HiddenServicePort 22 127.0.0.1:22
+ '');
+ in ''
+ # Add nice prompt for giving LUKS passphrase over ssh
+ echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
+
+ echo "tor: preparing onion folder"
+ # have to do this otherwise tor does not want to start
+ chmod -R 700 /etc/tor
+
+ echo "make sure localhost is up"
+ ip a a 127.0.0.1/8 dev lo
+ ip link set lo up
+
+ echo "haveged: starting haveged"
+ haveged -F &
+
+ echo "tor: starting tor"
+ tor -f ${torRc} --verify-config
+ tor -f ${torRc} &
+ '';
 };
- boot.initrd.extraUtilsCommands = ''
- copy_bin_and_libs ${pkgs.tor}/bin/tor
- copy_bin_and_libs ${pkgs.haveged}/bin/haveged
- '';
- # start tor during boot process
- boot.initrd.network.postCommands = let
- torRc = (pkgs.writeText "tor.rc" ''
- DataDirectory /etc/tor
- SOCKSPort 127.0.0.1:9050 IsolateDestAddr
- SOCKSPort 127.0.0.1:9063
- HiddenServiceDir /etc/tor/onion/bootup
- HiddenServicePort 22 127.0.0.1:22
- '');
- in ''
- # Add nice prompt for giving LUKS passphrase over ssh
- echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
-
- echo "tor: preparing onion folder"
- # have to do this otherwise tor does not want to start
- chmod -R 700 /etc/tor
-
- echo "make sure localhost is up"
- ip a a 127.0.0.1/8 dev lo
- ip link set lo up
-
- echo "haveged: starting haveged"
- haveged -F &
-
- echo "tor: starting tor"
- tor -f ${torRc} --verify-config
- tor -f ${torRc} &
- '';
 }
diff --git a/common/common.nix b/common/common.nix
index cda3fff..938b882 100644
--- a/common/common.nix
+++ b/common/common.nix
@@ -4,11 +4,18 @@
 imports = [
 ./flakes.nix
 ./boot/firmware.nix
+ ./boot/efi.nix
+ ./boot/bios.nix
+ ./boot/luks.nix
+ ./server/nginx.nix
+ ./server/thelounge.nix
+ ./server/mumble.nix
+ ./pc/de.nix
 ];
 
 system.stateVersion = "20.09";
 
- boot.loader.timeout = 2;
+ networking.useDHCP = false;
 
 time.timeZone = "America/New_York";
 i18n.defaultLocale = "en_US.UTF-8";
diff --git a/common/pc/audio.nix b/common/pc/audio.nix
index 3f5881b..41085ed 100644
--- a/common/pc/audio.nix
+++ b/common/pc/audio.nix
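Review bot: `echo $passphrase > /crypt-ramfs/passphrase` inside the `/root/.profile` one-liner under `boot.initrd.network.postCommands` leaves the variable unquoted, so a passphrase containing whitespace or glob characters is word-split and pathname-expanded before it reaches the fifo; quote it: `echo 'read -s -p "Unlock Passphrase: " passphrase && echo "$passphrase" > /crypt-ramfs/passphrase && exit' >> /root/.profile`. None of the new `options.luks` declarations carries a `description`; for `sshHostKeys` in particular the text should state that the keys are embedded in the initrd, which lives on the unencrypted boot partition, and must therefore be dedicated initrd keys rather than the system's sshd host keys, e.g. `description = "Host keys for the initrd sshd. Use dedicated initrd keys, never the main system host keys: the initrd is stored unencrypted.";`. `onionConfig` is typed `lib.types.path` with the bare path literal `/secret/onion` as default (the old code passed the same literal); if that value is ever string-interpolated instead of going through `toString`, Nix copies the directory into the world-readable store, so unless the initrd-secrets module is known to avoid that, `lib.types.str` with `"/secret/onion"`, as the host-key defaults already use, is the safer declaration.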
@@ -1,28 +1,32 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: -{ - # Audio - sound.enable = true; +let + cfg = config.de; +in { + config = lib.mkIf cfg.enable { + # Audio + sound.enable = true; - # enable pulseaudio support for packages - nixpkgs.config.pulseaudio = true; + # enable pulseaudio support for packages + nixpkgs.config.pulseaudio = true; - # realtime pulseaudio - security.rtkit.enable = true; + # realtime pulseaudio + security.rtkit.enable = true; - hardware.pulseaudio = { - enable = true; - support32Bit = true; - package = pkgs.pulseaudioFull; # bt headset support + hardware.pulseaudio = { + enable = true; + support32Bit = true; + package = pkgs.pulseaudioFull; # bt headset support - # TODO: switch on connect isn't working for some reason (at least when in kde) - extraConfig = " - load-module module-switch-on-connect - load-module module-switch-on-connect ignore_virtual=no - "; + # TODO: switch on connect isn't working for some reason (at least when in kde) + extraConfig = " + load-module module-switch-on-connect + load-module module-switch-on-connect ignore_virtual=no + "; + }; + users.users.googlebot.extraGroups = [ "audio" ]; + + # bt headset support + hardware.bluetooth.enable = true; }; - users.users.googlebot.extraGroups = [ "audio" ]; - - # bt headset support - hardware.bluetooth.enable = true; } diff --git a/common/pc/chromium.nix b/common/pc/chromium.nix index 7b867ef..7961fb4 100644 --- a/common/pc/chromium.nix +++ b/common/pc/chromium.nix 
@@ -1,40 +1,44 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: -{ - # chromium with specific extensions + settings - programs.chromium = { - enable = true; - extensions = [ - "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin - "gcbommkclmclpchllfjekcdonpmejbdp" # https everywhere - "oboonakemofpalcgghocfoadofidjkkk" # keepassxc plugin - "cimiefiiaegbelhefglklhhakcgmhkai" # plasma integration - "hkgfoiooedgoejojocmhlaklaeopbecg" # picture in picture - ]; - extraOpts = { - "BrowserSignin" = 0; - "SyncDisabled" = true; - "PasswordManagerEnabled" = false; - "SpellcheckEnabled" = true; - "SpellcheckLanguage" = [ "en-US" ]; +let + cfg = config.de; +in { + config = lib.mkIf cfg.enable { + # chromium with specific extensions + settings + programs.chromium = { + enable = true; + extensions = [ + "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin + "gcbommkclmclpchllfjekcdonpmejbdp" # https everywhere + "oboonakemofpalcgghocfoadofidjkkk" # keepassxc plugin + "cimiefiiaegbelhefglklhhakcgmhkai" # plasma integration + "hkgfoiooedgoejojocmhlaklaeopbecg" # picture in picture + ]; + extraOpts = { + "BrowserSignin" = 0; + "SyncDisabled" = true; + "PasswordManagerEnabled" = false; + "SpellcheckEnabled" = true; + "SpellcheckLanguage" = [ "en-US" ]; + }; + defaultSearchProviderSuggestURL = null; + defaultSearchProviderSearchURL = " https://duckduckgo.com/?q={searchTerms}&kp=-1&kl=us-en"; }; - defaultSearchProviderSuggestURL = null; - defaultSearchProviderSearchURL = " https://duckduckgo.com/?q={searchTerms}&kp=-1&kl=us-en"; - }; - # hardware accelerated video playback (on intel) - nixpkgs.config.packageOverrides = pkgs: { - vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; - chromium = pkgs.chromium.override { enableVaapi = true; }; + # hardware accelerated video playback (on intel) + nixpkgs.config.packageOverrides = pkgs: { + vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; + chromium = pkgs.chromium.override { enableVaapi = true; }; + 
}; + hardware.opengl = { + enable = true; + extraPackages = with pkgs; [ + intel-media-driver # LIBVA_DRIVER_NAME=iHD + vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) + vaapiVdpau + libvdpau-va-gl + ]; + extraPackages32 = with pkgs.pkgsi686Linux; [ vaapiIntel ]; + }; }; - hardware.opengl = { - enable = true; - extraPackages = with pkgs; [ - intel-media-driver # LIBVA_DRIVER_NAME=iHD - vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) - vaapiVdpau - libvdpau-va-gl - ]; - extraPackages32 = with pkgs.pkgsi686Linux; [ vaapiIntel ]; - }; } diff --git a/common/pc/de.nix b/common/pc/de.nix index 54f1003..fbeb213 100644 --- a/common/pc/de.nix +++ b/common/pc/de.nix @@ -1,7 +1,8 @@ { config, pkgs, lib, ... }: -{ - # General +let + cfg = config.de; +in { imports = [ ./kde.nix ./xfce.nix 
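Review bot: `defaultSearchProviderSearchURL = " https://duckduckgo.com/?q={searchTerms}&kp=-1&kl=us-en"` in chromium.nix keeps a leading space inside the string, which is emitted verbatim into the Chromium policy and is unlikely to be accepted as a valid search URL template; the line was only re-indented here, so the defect carries into the new side. Use `defaultSearchProviderSearchURL = "https://duckduckgo.com/?q={searchTerms}&kp=-1&kl=us-en";`. A one-line comment on what the `kp=-1` and `kl=us-en` parameters select would also spare the next reader a lookup.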
@@ -14,32 +15,39 @@ ./vscodium.nix ./discord.nix ./steam.nix + ./touchpad.nix ]; - # allow specific unfree packages - nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ - "tigervnc" "font-bh-lucidatypewriter" # tigervnc - "steam" "steam-original" "steam-runtime" # TODO move to steam.nix - "discord" # TODO move to discord.nix - ]; + options.de = { + enable = lib.mkEnableOption "enable desktop environment"; + }; - # vulkan - hardware.opengl.driSupport = true; - hardware.opengl.driSupport32Bit = true; + config = lib.mkIf cfg.enable { + # allow specific unfree packages + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ + "tigervnc" "font-bh-lucidatypewriter" # tigervnc + "steam" "steam-original" "steam-runtime" # TODO move to steam.nix + "discord" # TODO move to discord.nix + ]; - # Applications - users.users.googlebot.packages = with pkgs; [ - chromium keepassxc mumble tigervnc bluez-tools vscodium element-desktop mpv - ]; + # vulkan + hardware.opengl.driSupport = true; + hardware.opengl.driSupport32Bit = true; - # Networking - networking.networkmanager.enable = true; - users.users.googlebot.extraGroups = [ "networkmanager" ]; + # Applications + users.users.googlebot.packages = with pkgs; [ + chromium keepassxc mumble tigervnc bluez-tools vscodium element-desktop mpv + ]; - # Printing - services.printing.enable = true; + # Networking + networking.networkmanager.enable = true; + users.users.googlebot.extraGroups = [ "networkmanager" ]; - # Security - services.gnome3.gnome-keyring.enable = true; - security.pam.services.googlebot.enableGnomeKeyring = true; + # Printing + services.printing.enable = true; + + # Security + services.gnome3.gnome-keyring.enable = true; + security.pam.services.googlebot.enableGnomeKeyring = true; + }; } diff --git a/common/pc/discord.nix b/common/pc/discord.nix index 49c2d39..f77dbc1 100644 --- a/common/pc/discord.nix +++ b/common/pc/discord.nix 
@@ -1,7 +1,11 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: -{ - users.users.googlebot.packages = [ - pkgs.discord - ]; +let + cfg = config.de; +in { + config = lib.mkIf cfg.enable { + users.users.googlebot.packages = [ + pkgs.discord + ]; + }; } \ No newline at end of file diff --git a/common/pc/firefox.nix b/common/pc/firefox.nix index 80c13b6..b42aafb 100644 --- a/common/pc/firefox.nix +++ b/common/pc/firefox.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: # # Sort of private firefox @@ -12,6 +12,8 @@ # let + cfg = config.de; + somewhatPrivateFF = pkgs.firefox-unwrapped.override { privacySupport = true; webrtcSupport = true; # mostly private ;) @@ -87,5 +89,7 @@ let }; in { - users.users.googlebot.packages = [ firefox ]; + config = lib.mkIf cfg.enable { + users.users.googlebot.packages = [ firefox ]; + }; } \ No newline at end of file diff --git a/common/pc/kde.nix b/common/pc/kde.nix index 1c55938..d03cce2 100644 --- a/common/pc/kde.nix +++ b/common/pc/kde.nix @@ -1,16 +1,20 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: -{ - # kde plasma - services.xserver = { - enable = true; - desktopManager.plasma5.enable = true; - displayManager.sddm.enable = true; - }; +let + cfg = config.de; +in { + config = lib.mkIf cfg.enable { + # kde plasma + services.xserver = { + enable = true; + desktopManager.plasma5.enable = true; + displayManager.sddm.enable = true; + }; - # kde apps - nixpkgs.config.firefox.enablePlasmaBrowserIntegration = true; - users.users.googlebot.packages = with pkgs; [ - akonadi kmail plasma5Packages.kmail-account-wizard - ]; + # kde apps + nixpkgs.config.firefox.enablePlasmaBrowserIntegration = true; + users.users.googlebot.packages = with pkgs; [ + akonadi kmail plasma5Packages.kmail-account-wizard + ]; + }; } diff --git a/common/pc/pithos.nix b/common/pc/pithos.nix index 2946d1f..53526b9 100644 --- a/common/pc/pithos.nix +++ b/common/pc/pithos.nix 
@@ -1,22 +1,26 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: -{ - nixpkgs.overlays = [ - (self: super: { - pithos = super.pithos.overrideAttrs (old: rec { - pname = "pithos"; - version = "1.5.1"; - src = super.fetchFromGitHub { - owner = pname; - repo = pname; - rev = version; - sha256 = "il7OAALpHFZ6wjco9Asp04zWHCD8Ni+iBdiJWcMiQA4="; - }; - }); - }) - ]; +let + cfg = config.de; +in { + config = lib.mkIf cfg.enable { + nixpkgs.overlays = [ + (self: super: { + pithos = super.pithos.overrideAttrs (old: rec { + pname = "pithos"; + version = "1.5.1"; + src = super.fetchFromGitHub { + owner = pname; + repo = pname; + rev = version; + sha256 = "il7OAALpHFZ6wjco9Asp04zWHCD8Ni+iBdiJWcMiQA4="; + }; + }); + }) + ]; - users.users.googlebot.packages = with pkgs; [ - pithos - ]; + users.users.googlebot.packages = with pkgs; [ + pithos + ]; + }; } diff --git a/common/pc/steam.nix b/common/pc/steam.nix index 950f906..2f6b067 100644 --- a/common/pc/steam.nix +++ b/common/pc/steam.nix @@ -1,10 +1,14 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: -{ - programs.steam.enable = true; - hardware.steam-hardware.enable = true; # steam controller +let + cfg = config.de; +in { + config = lib.mkIf cfg.enable { + programs.steam.enable = true; + hardware.steam-hardware.enable = true; # steam controller - users.users.googlebot.packages = [ - pkgs.steam - ]; + users.users.googlebot.packages = [ + pkgs.steam + ]; + }; } \ No newline at end of file diff --git a/common/pc/torbrowser.nix b/common/pc/torbrowser.nix index c3de457..f85304a 100644 --- a/common/pc/torbrowser.nix +++ b/common/pc/torbrowser.nix 
@@ -1,20 +1,24 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: -{ - nixpkgs.overlays = [ - (self: super: { - tor-browser-bundle-bin = super.tor-browser-bundle-bin.overrideAttrs (old: rec { - version = "10.0.10"; - lang = "en-US"; - src = pkgs.fetchurl { - url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux64-${version}_${lang}.tar.xz"; - sha256 = "vYWZ+NsGN8YH5O61+zrUjlFv3rieaBqjBQ+a18sQcZg="; - }; - }); - }) - ]; +let + cfg = config.de; +in { + config = lib.mkIf cfg.enable { + nixpkgs.overlays = [ + (self: super: { + tor-browser-bundle-bin = super.tor-browser-bundle-bin.overrideAttrs (old: rec { + version = "10.0.10"; + lang = "en-US"; + src = pkgs.fetchurl { + url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux64-${version}_${lang}.tar.xz"; + sha256 = "vYWZ+NsGN8YH5O61+zrUjlFv3rieaBqjBQ+a18sQcZg="; + }; + }); + }) + ]; - users.users.googlebot.packages = with pkgs; [ - tor-browser-bundle-bin - ]; + users.users.googlebot.packages = with pkgs; [ + tor-browser-bundle-bin + ]; + }; } diff --git a/common/pc/touchpad.nix b/common/pc/touchpad.nix index d90775b..92f6bb4 100644 --- a/common/pc/touchpad.nix +++ b/common/pc/touchpad.nix @@ -1,6 +1,14 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: -{ - services.xserver.libinput.enable = true; - services.xserver.libinput.touchpad.naturalScrolling = true; +let + cfg = config.de.touchpad; +in { + options.de.touchpad = { + enable = lib.mkEnableOption "enable touchpad"; + }; + + config = lib.mkIf cfg.enable { + services.xserver.libinput.enable = true; + services.xserver.libinput.touchpad.naturalScrolling = true; + }; } diff --git a/common/pc/vscodium.nix b/common/pc/vscodium.nix index e8a0bf2..37618c4 100644 --- a/common/pc/vscodium.nix +++ b/common/pc/vscodium.nix 
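Review bot: The overlay in torbrowser.nix pins `tor-browser-bundle-bin` to `version = "10.0.10"` with a fixed `sha256`, so the package no longer follows nixpkgs updates and will silently stay on that release across future rebuilds; the pin is carried over from the old file, but now that it sits behind `de.enable` it deserves a comment stating why the override exists and when it can go, e.g. `# pinned: <reason>; drop once nixpkgs carries a newer release`. If the override was only a stop-gap for a nixpkgs version that was missing at the time, removing the overlay entirely is the simpler fix.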
@@ -1,6 +1,8 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: let + cfg = config.de; + extensions = with pkgs.vscode-extensions; [ bbenoist.Nix # nix syntax support # arrterian.nix-env-selector # nix dev envs @@ -12,7 +14,9 @@ let }; in { - users.users.googlebot.packages = [ - vscodium-with-extensions - ]; + config = lib.mkIf cfg.enable { + users.users.googlebot.packages = [ + vscodium-with-extensions + ]; + }; } diff --git a/common/pc/xfce.nix b/common/pc/xfce.nix index fd3d6b0..c8ddf70 100644 --- a/common/pc/xfce.nix +++ b/common/pc/xfce.nix @@ -1,16 +1,20 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: -{ - services.xserver = { - enable = true; - desktopManager = { - xterm.enable = false; - xfce.enable = true; +let + cfg = config.de; +in { + config = lib.mkIf cfg.enable { + services.xserver = { + enable = true; + desktopManager = { + xterm.enable = false; + xfce.enable = true; + }; + displayManager.sddm.enable = true; }; - displayManager.sddm.enable = true; - }; - # xfce apps - users.users.googlebot.packages = with pkgs; [ - ]; + # xfce apps + users.users.googlebot.packages = with pkgs; [ + ]; + }; } diff --git a/common/pc/yubikey.nix b/common/pc/yubikey.nix index d141b31..02f420c 100644 --- a/common/pc/yubikey.nix +++ b/common/pc/yubikey.nix @@ -1,7 +1,11 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: -{ - # yubikey - services.pcscd.enable = true; - services.udev.packages = [ pkgs.yubikey-personalization ]; +let + cfg = config.de; +in { + config = lib.mkIf cfg.enable { + # yubikey + services.pcscd.enable = true; + services.udev.packages = [ pkgs.yubikey-personalization ]; + }; } diff --git a/common/server/mumble.nix b/common/server/mumble.nix index 7dcec97..257ca72 100644 --- a/common/server/mumble.nix +++ b/common/server/mumble.nix 
@@ -1,31 +1,34 @@ -{ config, ... }: +{ lib, config, ... }: -let - murmurPort = 23563; - domain = "voice.neet.space"; +let + cfg = config.services.murmur; certs = config.security.acme.certs; in { - config.networking.firewall.allowedTCPPorts = [ murmurPort ]; - config.networking.firewall.allowedUDPPorts = [ murmurPort ]; - - config.services.murmur = { - enable = true; - port = murmurPort; - sslCa = "${certs.${domain}.directory}/chain.pem"; - sslKey = "${certs.${domain}.directory}/key.pem"; - sslCert = "${certs.${domain}.directory}/fullchain.pem"; - welcometext = "Welcome to ${domain}"; + options.services.murmur.domain = lib.mkOption { + type = lib.types.str; }; - config.services.nginx.virtualHosts."${domain}" = { - enableACME = true; - forceSSL = true; - }; + config = lib.mkIf cfg.enable { + networking.firewall.allowedTCPPorts = [ cfg.port ]; + networking.firewall.allowedUDPPorts = [ cfg.port ]; - # give mumble access to acme certs - config.security.acme.certs.${domain} = { - group = "murmur"; - postRun = "systemctl reload-or-restart murmur"; + services.murmur = { + sslCa = "${certs.${cfg.domain}.directory}/chain.pem"; + sslKey = "${certs.${cfg.domain}.directory}/key.pem"; + sslCert = "${certs.${cfg.domain}.directory}/fullchain.pem"; + welcometext = "Welcome to ${cfg.domain}"; + }; + + services.nginx.virtualHosts."${cfg.domain}" = { + enableACME = true; + forceSSL = true; + }; + + # give mumble access to acme certs + security.acme.certs.${cfg.domain} = { + group = "murmur"; + postRun = "systemctl reload-or-restart murmur"; + }; + users.users.nginx.extraGroups = [ "murmur" ]; }; - config.users.users.nginx.extraGroups = [ "murmur" ]; } diff --git a/common/server/nginx.nix b/common/server/nginx.nix index a511c97..a2ee97b 100644 --- a/common/server/nginx.nix +++ b/common/server/nginx.nix 
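Review bot: `options.services.murmur.domain` in mumble.nix is declared with neither a `description` nor an `example`, and it extends an upstream module's option namespace, so a short text distinguishing it from murmur's own options is needed: `description = "Domain murmur is reachable under; an ACME certificate and an nginx vhost are created for it.";`. `users.users.nginx.extraGroups = [ "murmur" ]` is also unexplained on the new side; the only visible reason is that `security.acme.certs.${cfg.domain}.group = "murmur"` puts the certificate under that group, so a comment like `# nginx serves the same domain and reads the murmur-group certificate` would keep someone from removing it. Note that the certificate's private key is then readable by both daemons, which is wider sharing than one certificate per service would give.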
@@ -1,14 +1,15 @@
-{ config, pkgs, ... }:
+{ lib, config, pkgs, ... }:
 
 {
- services.nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- };
+ config = lib.mkIf config.services.nginx.enable {
+ services.nginx = {
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ };
 
- networking.firewall.allowedTCPPorts = [ 80 443 ];
- networking.firewall.allowedUDPPorts = [ 80 443 ];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 80 443 ];
+ };
 }
\ No newline at end of file
diff --git a/common/server/nsd.nix b/common/server/nsd.nix
deleted file mode 100644
index 00f7272..0000000
--- a/common/server/nsd.nix
+++ /dev/null
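Review bot: `networking.firewall.allowedUDPPorts = [ 80 443 ]` in nginx.nix opens UDP on both ports although nothing in this module configures an HTTP/3 or QUIC listener, so the rule exposes ports with no service behind them; either drop the line or add a comment naming the listener it is meant for. The line was only moved into the `mkIf` here, but it is on the new side and the new gating makes this the right place to fix it. A one-line `# recommended* settings only; enabling nginx is left to the host` above `config = lib.mkIf config.services.nginx.enable {` would also document the file's new contract.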
@@ -1,95 +0,0 @@ -{ config, ... }: - -{ - services.nsd = let - self = "142.4.210.222"; - secondary = "167.114.154.31"; - in { - enable = true; - interfaces = [ "0.0.0.0" ]; - roundRobin = true; - ipTransparent = true; - zones.neet = rec { - provideXFR = [ "${secondary} NOKEY" ]; - notify = provideXFR; - children = { - "neet.dev.".data = '' -$TTL 300 -@ IN SOA ns1.neet.dev. contact.neet.dev. ( - 2011072000 ;Serial - 300 ;Refresh - 300 ;Retry - 604800 ;Expire - 300 ;Minimum TTL -) - -@ IN NS ns1.neet.dev. -@ IN NS ns2.neet.dev. - -@ IN A ${self} -www IN A ${self} -irc IN A ${self} -wiki IN A ${self} -ns1 IN A ${self} -ns2 IN A 167.114.154.31 -ragnarok IN A 155.138.219.146 -coder IN A ${self} -git IN A ${self} - -@ IN TXT "rizon_vhost=Googlebot" -ownercheck IN TXT "dc97b3fd" - ''; - "neet.space.".data = '' -$TTL 300 -@ IN SOA ns1.neet.dev. contact.neet.dev. ( - 2011071017 ;Serial - 300 ;Refresh - 300 ;Retry - 604800 ;Expire - 300 ;Minimum TTL -) - -@ IN NS ns1.neet.dev. -@ IN NS ns2.neet.dev. - -@ IN A ${self} -www IN A ${self} -voice IN A ${self} -stream IN A ${self} -radio IN A ${self} -tube IN A ${self} -sock.tube IN A ${self} -mural IN A ${self} - -_minecraft._tcp IN SRV 0 5 23589 neet.space. -_mumble._tcp IN SRV 0 5 23563 voice.neet.space. -_mumble._tcp.voice IN SRV 0 5 23563 voice.neet.space. - -@ IN TXT "rizon_vhost=Googlebot" -ownercheck IN TXT "dc97b3fd" - ''; - "neet.cloud.".data = '' -$TTL 300 -@ IN SOA ns1.neet.dev. contact.neet.dev. ( - 2011071011 ;Serial - 300 ;Refresh - 300 ;Retry - 604800 ;Expire - 300 ;Minimum TTL -) - -@ IN NS ns1.neet.dev. -@ IN NS ns2.neet.dev. - -@ IN A ${self} -www IN A ${self} -paste IN A ${self} -globie-info IN A ${self} -files IN A ${self} - -ownercheck IN TXT "dc97b3fd" - ''; - }; - }; - }; -} diff --git a/common/server/thelounge.nix b/common/server/thelounge.nix index 510dc40..155d423 100644 --- a/common/server/thelounge.nix +++ b/common/server/thelounge.nix 
@@ -1,44 +1,64 @@ -{ config, ... }: +{ lib, config, ... }: -{ - services.thelounge = { - enable = true; - port = 9000; - private = true; - extraConfig = { - reverseProxy = true; - maxHistory = -1; - https.enable = false; -# theme = "thelounge-theme-solarized"; - prefetch = false; - prefetchStorage = false; - fileUpload = { - enable = true; - maxFileSize = -1; - baseUrl = "https://files.neet.cloud/irc/"; +let + cfg = config.services.thelounge; +in { + options.services.thelounge = { + fileUploadBaseUrl = lib.mkOption { + type = lib.types.str; + }; + host = lib.mkOption { + type = lib.types.str; + example = "example.com"; + }; + fileHost = { + host = lib.mkOption { + type = lib.types.str; + }; + path = lib.mkOption { + type = lib.types.str; }; - transports = [ "websocket" "polling" ]; - leaveMessage = "leaving"; - messageStorage = [ "sqlite" "text" ]; }; }; - # the lounge client - services.nginx.virtualHosts."irc.neet.dev" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://localhost:${toString config.services.thelounge.port}"; - proxyWebsockets = true; + config = lib.mkIf cfg.enable { + services.thelounge = { + private = true; + extraConfig = { + reverseProxy = true; + maxHistory = -1; + https.enable = false; + # theme = "thelounge-theme-solarized"; + prefetch = false; + prefetchStorage = false; + fileUpload = { + enable = true; + maxFileSize = -1; + baseUrl = cfg.fileUploadBaseUrl; + }; + transports = [ "websocket" "polling" ]; + leaveMessage = "leaving"; + messageStorage = [ "sqlite" "text" ]; + }; }; - }; - # the lounge files - services.nginx.virtualHosts."files.neet.cloud" = { - enableACME = true; - forceSSL = true; - locations."/irc" = { - proxyPass = "http://localhost:${toString config.services.thelounge.port}/uploads"; + # the lounge client + services.nginx.virtualHosts.${cfg.host} = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:${toString config.services.thelounge.port}"; + 
proxyWebsockets = true; + }; + }; + + # the lounge files + services.nginx.virtualHosts.${cfg.fileHost.host} = { + enableACME = true; + forceSSL = true; + locations.${cfg.fileHost.path} = { + proxyPass = "http://localhost:${toString config.services.thelounge.port}/uploads"; + }; }; }; } diff --git a/machines/mitty/configuration.nix b/machines/mitty/configuration.nix index da38ea2..414eba1 100644 --- a/machines/mitty/configuration.nix +++ b/machines/mitty/configuration.nix @@ -4,23 +4,27 @@ imports =[ ./hardware-configuration.nix ../../common/common.nix - ../../common/boot/bios.nix - ../../common/boot/luks.nix - ../../common/server/nginx.nix ]; # cuxhh3ei2djpgf2zdkboceuhaxavgr3ipu3d7a2swx4giy2wosfxspyd.onion - boot.loader.grub.device = "/dev/vda"; - networking.hostName = "mitty"; - boot.initrd.luks.devices.enc-pv.device = "/dev/disk/by-uuid/6dcf23ea-cb5e-4329-a88b-832209918c40"; + nix.flakes.enable = true; + + bios = { + enable = true; + device = "/dev/vda"; + }; + + luks = { + enable = true; + device.path = "/dev/disk/by-uuid/6dcf23ea-cb5e-4329-a88b-832209918c40"; + }; + + networking.hostName = "mitty"; - networking.wireless.enable = false; - networking.useDHCP = false; networking.interfaces.ens3.useDHCP = true; security.acme.acceptTerms = true; security.acme.email = "letsencrypt+5@tar.ninja"; - nix.flakes.enable = true; } diff --git a/machines/nanachi/configuration.nix b/machines/nanachi/configuration.nix index fb0ab35..b012246 100644 --- a/machines/nanachi/configuration.nix +++ b/machines/nanachi/configuration.nix 
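Review bot: `fileUploadBaseUrl`, `fileHost.host` and `fileHost.path` in thelounge.nix are independent options that must agree — the `baseUrl` handed to thelounge has to point at the nginx vhost that proxies `/uploads` — yet nothing ties them together, so a host can set `fileHost` and forget `fileUploadBaseUrl` (or the reverse) without any evaluation error; derive one from the other with `default = "https://${cfg.fileHost.host}${cfg.fileHost.path}/";` on `fileUploadBaseUrl`. None of the three new options has a `description`, and `host` has only an `example`. `fileHost.path` becomes the nginx `location` key directly, so its expected form (leading slash, no trailing slash, as in the `"/irc"` used by neet.dev) belongs in that description.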
@@ -4,26 +4,30 @@ imports =[ ./hardware-configuration.nix ../../common/common.nix - ../../common/boot/bios.nix - ../../common/boot/luks.nix - ../../common/server/nginx.nix ]; # uxzq63kr2uuwutpaqjna2sg4gnk3p65e5bkvedzx5dsxx2mvxhjm7fid.onion - boot.loader.grub.device = "/dev/vda"; - networking.hostName = "nanachi"; - boot.initrd.luks.devices.enc-pv.device = "/dev/disk/by-uuid/e57ac752-bd99-421f-a3b9-0cfa9608a54e"; + nix.flakes.enable = true; + + bios = { + enable = true; + device = "/dev/vda"; + }; + + luks = { + enable = true; + device.path = "/dev/disk/by-uuid/e57ac752-bd99-421f-a3b9-0cfa9608a54e"; + }; + + networking.hostName = "nanachi"; - networking.wireless.enable = false; - networking.useDHCP = false; networking.interfaces.ens3.useDHCP = true; security.acme.acceptTerms = true; security.acme.email = "letsencrypt+5@tar.ninja"; - nix.flakes.enable = true; - + services.nginx.enable = true; services.nginx.virtualHosts."nanachi.neet.dev" = { enableACME = true; forceSSL = true; diff --git a/machines/neet.dev/configuration.nix b/machines/neet.dev/configuration.nix index df920f2..8bb66b7 100644 --- a/machines/neet.dev/configuration.nix +++ b/machines/neet.dev/configuration.nix @@ -4,12 +4,6 @@ imports =[ ./hardware-configuration.nix ../../common/common.nix - ../../common/boot/bios.nix - ../../common/boot/luks.nix -# ../../common/server/nsd.nix - ../../common/server/nginx.nix - ../../common/server/thelounge.nix - ../../common/server/mumble.nix ../../common/server/gitlab.nix ../../common/server/video-stream.nix ../../common/server/hydra.nix 
@@ -17,30 +11,47 @@ # wt6nczjfvtba6pvjt2qtevwjpq4gcbz46bwjz4hboehgecyqmzqgwnqd.onion - boot.loader.grub.device = "/dev/sda"; - networking.hostName = "neetdev"; - boot.initrd.luks.devices.enc-pv.device = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1"; - - networking.wireless.enable = false; - networking.useDHCP = false; - networking.interfaces.eno1.useDHCP = true; - - security.acme.acceptTerms = true; - security.acme.email = "letsencrypt+5@tar.ninja"; - nix.flakes.enable = true; - # tmp - services.nginx.virtualHosts."tmp.neet.space" = { - enableACME = true; - forceSSL = true; - root = "/var/www/tmp"; + bios = { + enable = true; + device = "/dev/sda"; }; + luks = { + enable = true; + device.path = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1"; + }; + + networking.hostName = "neetdev"; + + networking.interfaces.eno1.useDHCP = true; + + services.nginx.enable = true; + security.acme.acceptTerms = true; + security.acme.email = "letsencrypt+5@tar.ninja"; + # placeholder services.nginx.virtualHosts."radio.neet.space" = { enableACME = true; forceSSL = true; }; + + services.thelounge = { + enable = true; + port = 9000; + fileUploadBaseUrl = "https://files.neet.cloud/irc/"; + host = "irc.neet.dev"; + fileHost = { + host = "files.neet.cloud"; + path = "/irc"; + }; + }; + + config.services.murmur = { + enable = true; + port = 23563; + domain = "voice.neet.space"; + }; } diff --git a/machines/reg/configuration.nix b/machines/reg/configuration.nix index 83cbd06..75519c5 100644 --- a/machines/reg/configuration.nix +++ b/machines/reg/configuration.nix 
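Review bot: `config.services.murmur = { ... }` at the end of machines/neet.dev/configuration.nix uses an explicit `config.` prefix in a module whose other settings (`bios`, `luks`, `networking.hostName`, `services.thelounge`, …) are bare top-level attributes; the NixOS module system rejects that mix (a module with a top-level `config` attribute may not carry other configuration attributes beside it), so this configuration will fail to evaluate. Drop the prefix: `services.murmur = {`. The other machine configurations in this commit (mitty, nanachi, reg) use the bare form throughout, so this is the only occurrence.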
@@ -4,25 +4,27 @@ imports = [ ./hardware-configuration.nix ../../common/common.nix - ../../common/boot/efi.nix - ../../common/boot/luks.nix - ../../common/pc/de.nix - ../../common/pc/touchpad.nix ]; # smcxui7kwoyxpswwage4fkcppxnqzpw33xcmxmlhxvk5gcp5s6lrtfad.onion - networking.hostName = "reg"; - boot.initrd.luks.devices.enc-pv = { - device = "/dev/disk/by-uuid/975d8427-2c6a-440d-a1d2-18dd15ba5bc2"; - allowDiscards = true; - }; - nix.flakes.enable = true; - networking.useDHCP = false; + efi.enable = true; + + luks = { + enable = true; + device = { + path = "/dev/disk/by-uuid/975d8427-2c6a-440d-a1d2-18dd15ba5bc2"; + allowDiscards = true; + }; + }; + + networking.hostName = "reg"; + + de.enable = true; + de.touchpad.enable = true; + networking.interfaces.enp57s0f1.useDHCP = true; - networking.interfaces.wlp0s20f3.useDHCP = true; - networking.interfaces.wwp0s20f0u2i12.useDHCP = true; }