This commit is contained in:
Zuckerberg 2022-04-07 12:23:21 -04:00
parent 74c7f696d8
commit c5efc2db4d
10 changed files with 71 additions and 89 deletions


@ -11,6 +11,8 @@
./pc ./pc
]; ];
nix.flakes.enable = true;
system.stateVersion = "21.11"; system.stateVersion = "21.11";
networking.useDHCP = false; networking.useDHCP = false;


@ -85,7 +85,7 @@ YDQ8z9v+DMO6iwyIDRiU
</ca> </ca>
disable-occ disable-occ
auth-user-pass /run/secrets/pia-login.conf auth-user-pass /run/agenix/pia-login.conf
''; '';
autoStart = true; autoStart = true;
# up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev"; # up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
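Review bot: The switch to `auth-user-pass /run/agenix/pia-login.conf` in this hunk only works if some module still declares the matching `age.secrets."pia-login.conf"`; the host-side declaration that previously loaded it on behalf of the container (`age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;`) appears only on the old side of the neet.space hunk, and the new container bind-mounts `/run/agenix` read-only from the host, so nothing inside the container can decrypt it itself. If this pia module is what enables the OpenVPN instance, it is the natural owner of the declaration, e.g. `age.secrets."pia-login.conf".file = <path-to-pia-login-secret>.age;` alongside the `auth-user-pass` line, so the path and the secret cannot drift apart again. The enclosing `config` string and the module it belongs to start outside the hunk.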


@ -36,11 +36,8 @@
nixosConfigurations = nixosConfigurations =
let let
nixpkgs = inputs.nixpkgs; nixpkgs = inputs.nixpkgs;
mkSystem = system: nixpkgs: path:
nixpkgs.lib.nixosSystem {
inherit system;
modules = [ modules = [
path
./common ./common
inputs.simple-nixos-mailserver.nixosModule inputs.simple-nixos-mailserver.nixosModule
inputs.agenix.nixosModule inputs.agenix.nixosModule
@ -54,7 +51,49 @@
options.currentSystem = lib.mkOption { default = system; }; options.currentSystem = lib.mkOption { default = system; };
}) })
]; ];
# specialArgs = {};
mkVpnContainer = container_config: {
ephemeral = true;
autoStart = true;
bindMounts = {
"/var/lib" = {
hostPath = "/var/lib/";
isReadOnly = false;
};
"/run/agenix" = {
hostPath = "/run/agenix";
isReadOnly = true;
};
"/dev/fuse" = {
hostPath = "/dev/fuse";
isReadOnly = false;
};
};
enableTun = true;
privateNetwork = true;
hostAddress = "172.16.100.1";
localAddress = "172.16.100.2";
config = { config, pkgs, lib, ... }: {
imports = modules ++ [container_config];
networking.firewall.enable = lib.mkForce false;
pia.enable = true;
# run it's own DNS resolver
networking.useHostResolvConf = false;
services.resolved.enable = true;
};
};
mkSystem = system: nixpkgs: path:
nixpkgs.lib.nixosSystem {
inherit system;
modules = [path] ++ modules;
specialArgs = {
inherit mkVpnContainer;
};
}; };
in in
{ {
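Review bot: `mkVpnContainer` hard-codes `hostAddress = "172.16.100.1"` / `localAddress = "172.16.100.2"` and a read-write bind mount of the whole host `/var/lib`, so a second call of the helper would collide on the veth addresses and every VPN container gets write access to all host service state rather than only its own directory. Since the point of lifting this into flake.nix is reuse, take those values as parameters with the current ones as defaults, e.g. `mkVpnContainer = { hostAddress ? "172.16.100.1", localAddress ? "172.16.100.2", stateDir ? "/var/lib" }: container_config: { … }` (the existing call becoming `mkVpnContainer {} { … }`), and narrow the mount to the state directory the contained service needs. The removed container body also set `nixpkgs.pkgs = pkgs;`, which the helper's `config` function does not carry over; unless `./common` does this, each container appears to re-instantiate nixpkgs without the host's overlays, which is worth confirming. The `let` binding these hunks sit in starts and ends outside them.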


@ -13,8 +13,6 @@
}; };
}; };
nix.flakes.enable = true;
system.autoUpgrade.enable = true; system.autoUpgrade.enable = true;
networking.interfaces.eth0.useDHCP = true; networking.interfaces.eth0.useDHCP = true;


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, mkVpnContainer, ... }:
let let
mta-sts-web = { mta-sts-web = {
@ -18,8 +18,6 @@ in {
# 5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion # 5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion
nix.flakes.enable = true;
firmware.x86_64.enable = true; firmware.x86_64.enable = true;
bios = { bios = {
enable = true; enable = true;
@ -50,19 +48,19 @@ in {
listenWeb = 443; listenWeb = 443;
enableWebHttps = true; enableWebHttps = true;
# dataDirs # dataDirs
serviceEnvironmentFile = "/run/secrets/peertube-init"; serviceEnvironmentFile = "/run/agenix/peertube-init";
# settings # settings
database = { database = {
createLocally = true; createLocally = true;
passwordFile = "/run/secrets/peertube-db-pw"; passwordFile = "/run/agenix/peertube-db-pw";
}; };
redis = { redis = {
createLocally = true; createLocally = true;
passwordFile = "/run/secrets/peertube-redis-pw"; passwordFile = "/run/agenix/peertube-redis-pw";
}; };
smtp = { smtp = {
createLocally = false; createLocally = false;
passwordFile = "/run/secrets/peertube-smtp"; passwordFile = "/run/agenix/peertube-smtp";
}; };
}; };
services.nginx.virtualHosts."tube.neet.space" = { services.nginx.virtualHosts."tube.neet.space" = {
@ -81,7 +79,7 @@ in {
services.searx = { services.searx = {
enable = true; enable = true;
environmentFile = "/run/secrets/searx"; environmentFile = "/run/agenix/searx";
settings = { settings = {
server.port = 43254; server.port = 43254;
server.secret_key = "@SEARX_SECRET_KEY@"; server.secret_key = "@SEARX_SECRET_KEY@";
@ -123,57 +121,12 @@ in {
}; };
# wrap radio in a VPN # wrap radio in a VPN
containers.vpn-continer = { containers.vpn-container = mkVpnContainer {
ephemeral = true;
autoStart = true;
bindMounts = {
"/var/lib" = {
hostPath = "/var/lib/";
isReadOnly = false;
};
"/run/secrets" = {
hostPath = "/run/secrets";
isReadOnly = true;
};
"/dev/fuse" = {
hostPath = "/dev/fuse";
isReadOnly = false;
};
};
enableTun = true;
privateNetwork = true;
hostAddress = "172.16.100.1";
localAddress = "172.16.100.2";
config = {
imports = [
../../common
config.inputs.agenix.nixosModules.age
];
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
options.inputs = lib.mkOption { default = config.inputs; };
options.currentSystem = lib.mkOption { default = config.currentSystem; };
config = {
pia.enable = true;
nixpkgs.pkgs = pkgs;
networking.firewall.enable = false;
# run it's own DNS resolver
networking.useHostResolvConf = false;
services.resolved.enable = true;
services.radio = { services.radio = {
enable = true; enable = true;
host = "radio.neet.space"; host = "radio.neet.space";
}; };
}; };
};
};
# load the secret on behalf of the container
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
services.drastikbot = { services.drastikbot = {
enable = true; enable = true;
@ -250,7 +203,7 @@ in {
]; ];
loginAccounts = { loginAccounts = {
"jeremy@runyan.org" = { "jeremy@runyan.org" = {
hashedPasswordFile = "/run/secrets/email-pw"; hashedPasswordFile = "/run/agenix/email-pw";
aliases = [ aliases = [
"@neet.space" "@neet.cloud" "@neet.dev" "@neet.space" "@neet.cloud" "@neet.dev"
"@runyan.org" "@runyan.rocks" "@runyan.org" "@runyan.rocks"
@ -283,7 +236,7 @@ in {
hostName = "neet.cloud"; hostName = "neet.cloud";
config.dbtype = "sqlite"; config.dbtype = "sqlite";
config.adminuser = "jeremy"; config.adminuser = "jeremy";
config.adminpassFile = "/run/secrets/nextcloud-pw"; config.adminpassFile = "/run/agenix/nextcloud-pw";
autoUpdateApps.enable = true; autoUpdateApps.enable = true;
}; };
age.secrets.nextcloud-pw = { age.secrets.nextcloud-pw = {
@ -300,7 +253,7 @@ in {
enable = true; enable = true;
ip = "192.168.99.1"; ip = "192.168.99.1";
domain = "tun.neet.dev"; domain = "tun.neet.dev";
passwordFile = "/run/secrets/iodine"; passwordFile = "/run/agenix/iodine";
}; };
age.secrets.iodine.file = ../../secrets/iodine.age; age.secrets.iodine.file = ../../secrets/iodine.age;
networking.firewall.allowedUDPPorts = [ 53 ]; networking.firewall.allowedUDPPorts = [ 53 ];
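Review bot: The `/run/agenix/...` paths this file now points peertube, searx, the mail account and nextcloud at are only as good as the matching `age.secrets` entries, and the hunks show declarations only for `nextcloud-pw` and `iodine`. agenix installs secrets root-owned with mode 0400 unless `owner`/`group`/`mode` are set on the entry, so a service that opens its `passwordFile` or `environmentFile` as its own user (peertube's database/redis/smtp files are the likely case) would fail at service start rather than at evaluation, which the old `/run/secrets` setup may have handled differently. Worth checking each declaration, e.g. `age.secrets.peertube-db-pw = { file = <peertube-db-pw-secret>.age; owner = "peertube"; };`, for every path changed here. The enclosing `in { … }` attrset begins and ends outside these hunks.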


@ -5,8 +5,6 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
nix.flakes.enable = true;
efi.enable = true; efi.enable = true;
networking.hostName = "nat"; networking.hostName = "nat";


@ -7,8 +7,6 @@
# wt6nczjfvtba6pvjt2qtevwjpq4gcbz46bwjz4hboehgecyqmzqgwnqd.onion # wt6nczjfvtba6pvjt2qtevwjpq4gcbz46bwjz4hboehgecyqmzqgwnqd.onion
nix.flakes.enable = true;
firmware.x86_64.enable = true; firmware.x86_64.enable = true;
bios = { bios = {
enable = true; enable = true;


@ -9,8 +9,6 @@
./nvidia.nix ./nvidia.nix
]; ];
nix.flakes.enable = true;
firmware.x86_64.enable = true; firmware.x86_64.enable = true;
efi.enable = true; efi.enable = true;


@ -9,8 +9,6 @@
boot.kernelPackages = pkgs.linuxPackages_5_12; boot.kernelPackages = pkgs.linuxPackages_5_12;
nix.flakes.enable = true;
firmware.x86_64.enable = true; firmware.x86_64.enable = true;
efi.enable = true; efi.enable = true;


@ -8,8 +8,6 @@
# nsw2zwifzyl42mbhabayjo42b2kkq3wd3dqyl6efxsz6pvmgm5cup5ad.onion # nsw2zwifzyl42mbhabayjo42b2kkq3wd3dqyl6efxsz6pvmgm5cup5ad.onion
nix.flakes.enable = true;
networking.hostName = "s0"; networking.hostName = "s0";
boot.loader.grub.enable = false; boot.loader.grub.enable = false;