zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg:pia-client
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client
..
compare: zuckerberg:f90b9f85fd6045d4a4a1d5f306e0fa7b36981e75
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client

72 Commits
pia-client ... f90b9f85fd

Author SHA1 Message Date
Zuckerberg
f90b9f85fd try out appvm 2023-04-18 23:15:21 -06:00
Zuckerberg
5b084fffcc moonlander 2023-04-18 23:15:03 -06:00
Zuckerberg
4dd6401f8c update TODOs 2023-04-18 23:14:49 -06:00
Zuckerberg
260bbc1ffd Use doas instead of sudo 2023-04-10 22:03:57 -06:00
Zuckerberg
c8132a67d0 Use lf as terminal file explorer 2023-04-10 22:03:29 -06:00
Zuckerberg
3412d5caf9 Use hashed passwordfile just to be safe 2023-04-09 23:00:10 -06:00
Zuckerberg
1065cc4b59 Enable gitea email notifications 2023-04-09 22:05:23 -06:00
Zuckerberg
154b37879b Cross off finished TODOs 2023-04-09 22:04:51 -06:00
Zuckerberg
a34238b3a9 Easily run restic commands on a backup group 2023-04-09 13:06:15 -06:00
Zuckerberg
42e2ebd294 Allow marking folders as omitted from backup 2023-04-09 12:35:20 -06:00
Zuckerberg
378cf47683 restic backups 2023-04-08 21:25:55 -06:00
Zuckerberg
f68a4f4431 nixpkgs-fmt everything 2023-04-04 23:30:28 -06:00
Zuckerberg
3c683e7b9e NixOS router is now in active use :) 2023-04-04 20:53:38 -06:00
Zuckerberg
68bd70b525 Basic router working using the wip hostapd module from upstream 2023-04-04 12:57:16 -06:00
Zuckerberg
2189ab9a1b Improve cifs mounts. Newer protocol version, helpful commands, better network connection resiliency. 2023-03-31 11:43:12 -06:00
Zuckerberg
acbbb8a37a encrypted samba vault with gocryptfs 2023-03-25 15:49:07 -06:00
Zuckerberg
d1e6d21d66 iperf server 2023-03-25 15:48:39 -06:00
Zuckerberg
1a98e039fe Cleanup fio tests 2023-03-25 15:48:24 -06:00
Zuckerberg
3459ce5058 Add joplin 2023-03-18 22:04:31 -06:00
Zuckerberg
c48b1995f8 Remove zerotier 2023-03-18 20:41:09 -06:00
Zuckerberg
53c0e7ba1f Add Webmail 2023-03-14 23:28:07 -06:00
Zuckerberg
820cd392f1 Choose random PIA server in a specified region instead of hardcoded. And more TODOs addressed. 2023-03-12 22:55:46 -06:00
Zuckerberg
759fe04185 with lib; 2023-03-12 21:50:46 -06:00
Zuckerberg
db441fcf98 Add ability to refuse PIA ports 2023-03-12 21:46:36 -06:00
Zuckerberg
83e9280bb4 Use the NixOS firewall instead to block unwanted PIA VPN traffic 2023-03-12 20:49:39 -06:00
Zuckerberg
478235fe32 Enable firewall for PIA VPN wireguard interface 2023-03-12 20:29:20 -06:00
Zuckerberg
440401a391 Add ponyo to deploy-rs config 2023-03-12 19:50:55 -06:00
Zuckerberg
42c0dcae2d Port forwarding for transmission 2023-03-12 19:50:29 -06:00
Zuckerberg
7159868b57 update todo's 2023-03-12 19:46:51 -06:00
Zuckerberg
ab2cc0cc0a Cleanup services 2023-03-12 17:51:10 -06:00
Zuckerberg
aaa1800d0c Cleanup mail domains 2023-03-12 13:29:12 -06:00
Zuckerberg
a795c65c32 Cleanup mail domains 2023-03-12 13:25:34 -06:00
Zuckerberg
5ed02e924d Remove liza 2023-03-12 00:15:06 -07:00
Zuckerberg
1d620372b8 Remove leftovers of removed compute nodes 2023-03-12 00:14:49 -07:00
Zuckerberg
9684a975e2 Migrate nextcloud to ponyo 2023-03-12 00:10:14 -07:00
Zuckerberg
c3c3a9e77f disable searx for now 2023-03-12 00:09:40 -07:00
Zuckerberg
ecb6d1ef63 Migrate mailserver to ponyo 2023-03-11 23:40:36 -07:00
Zuckerberg
a5f7bb8a22 Fix vpn systemd service restart issues 2023-03-09 13:07:20 -07:00
Zuckerberg
cea9b9452b Initial prototype for Wireguard based PIA VPN - not quite 'ready' yet 2023-03-08 23:49:02 -07:00
Zuckerberg
8fb45a7ee5 Turn off howdy 2023-03-08 23:47:11 -07:00
Zuckerberg
b53f03bb7d Fix typo 2023-03-08 23:45:49 -07:00
Zuckerberg
dee0243268 Peer to peer connection keepalive task 2023-03-07 22:55:37 -07:00
Zuckerberg
8b6bc354bd Peer to peer connection keepalive task 2023-03-07 22:54:26 -07:00
Zuckerberg
aff5611cdb Update renamed nixos options 2023-03-07 22:52:31 -07:00
Zuckerberg
c5e7d8b2fe Allow easy patching of nixpkgs 2023-03-03 23:24:33 -07:00
Zuckerberg
90a3549237 use comma and pregenerated nix-index 2023-03-03 00:18:20 -07:00
Zuckerberg
63f2a82ad1 ignore lid close for NAS 2023-03-03 00:16:57 -07:00
Zuckerberg
0cc39bfbe0 deploy-rs initial PoC 2023-03-03 00:16:23 -07:00
Zuckerberg
ec54b27d67 fix router serial 2023-03-03 00:14:22 -07:00
Zuckerberg
bba4f27465 add picocom for serial 2023-03-03 00:12:35 -07:00
Zuckerberg
b5c77611d7 remove unused compute nodes 2023-03-03 00:12:16 -07:00
Zuckerberg
987919417d allow root login over ssh using trusted key 2023-02-11 23:07:48 -07:00
Zuckerberg
d8dbb12959 grow disk for ponyo 2023-02-11 19:01:42 -07:00
Zuckerberg
3e0cde40b8 Cleanup remote LUKS unlock 2023-02-11 18:40:08 -07:00
Zuckerberg
2c8576a295 Hardware accelerated encoding for jellyfin 2023-02-11 16:10:19 -07:00
Zuckerberg
8aecc04d01 config cleanup 2023-02-11 16:10:10 -07:00
Zuckerberg
9bcf7cc50d VPN using its own DNS resolver is unstable 2023-02-11 16:09:02 -07:00
Zuckerberg
cb2ac1c1ba Use x86 machine for NAS 2023-02-11 16:08:48 -07:00
Zuckerberg
7f1e304012 Remove stale secrets 2023-02-11 15:19:35 -07:00
Zuckerberg
9e3dae4b16 Rekey secrets 2023-02-11 15:07:08 -07:00
Zuckerberg
c649b04bdd Update ssh keys and allow easy ssh LUKS unlocking 2023-02-11 15:05:20 -07:00
Zuckerberg
6fce2e1116 Allow unlocking over tor 2023-02-11 13:38:54 -07:00
Zuckerberg
3e192b3321 Hardware config should be in hardware config 2023-02-11 13:35:46 -07:00
Zuckerberg
bc863de165 Hardware config should be in hardware config 2023-02-11 09:48:25 -07:00
Zuckerberg
cfa5c9428e Remove reg 2023-02-11 09:46:05 -07:00
Zuckerberg
abddc5a680 Razer keyboard 2023-02-11 00:32:36 -07:00
Zuckerberg
577dc4faaa Add initial configuration for APU2E4 router 2023-02-10 20:51:10 -07:00
Zuckerberg
a8b0385c6d more ephemeral options 2023-02-08 22:27:54 -07:00
Zuckerberg
fc85627bd6 use unstable for ephemeral os config 2023-02-08 22:26:04 -07:00
Zuckerberg
f9cadba3eb improve ephemeral os config 2023-02-08 22:25:09 -07:00
Zuckerberg
c192c2d52f enable spotify 2023-02-08 18:48:08 -07:00
Zuckerberg
04c7a9ea51 Update tz 2023-02-08 18:47:58 -07:00
127 changed files with 2443 additions and 2118 deletions
Expand all files Collapse all files

2
README.md
View File

@@ -3,7 +3,7 @@
### Source Layout ### Source Layout
- `/common` - common configuration imported into all `/machines` - `/common` - common configuration imported into all `/machines`
- `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor - `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
- `/network` - config for tailscale, zeroteir, and NixOS container with automatic vpn tunneling via PIA - `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA
- `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing. - `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
- `/server` - config that creates new nixos services or extends existing ones to meet my needs - `/server` - config that creates new nixos services or extends existing ones to meet my needs
- `/ssh.nix` - all ssh public host and user keys for all `/machines` - `/ssh.nix` - all ssh public host and user keys for all `/machines`

49
TODO.md
View File

@@ -10,24 +10,12 @@
- https://nixos.wiki/wiki/Comparison_of_NixOS_setups - https://nixos.wiki/wiki/Comparison_of_NixOS_setups
### Housekeeping ### Housekeeping
- Format everything here using nixfmt
- Cleanup the line between hardware-configuration.nix and configuration.nix in machine config - Cleanup the line between hardware-configuration.nix and configuration.nix in machine config
- CI https://gvolpe.com/blog/nixos-binary-cache-ci/
- remove `options.currentSystem` - remove `options.currentSystem`
- allow `hostname` option for webservices to be null to disable configuring nginx - allow `hostname` option for webservices to be null to disable configuring nginx
### NAS ### NAS
- helios64 extra led lights
- safely turn off NAS on power disconnect - safely turn off NAS on power disconnect
- hardware de/encoding for rk3399 helios64 https://forum.pine64.org/showthread.php?tid=14018
- tor unlock
### bcachefs
- bcachefs health alerts via email
- bcachefs periodic snapshotting
- use mount.bcachefs command for mounting
- bcachefs native encryption
- just need a kernel module? https://github.com/firestack/bcachefs-tools-flake/blob/kf/dev/mvp/nixos/module/bcachefs.nix#L40
### Shell Comands ### Shell Comands
- tailexitnode = `sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true` - tailexitnode = `sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true`
@@ -52,21 +40,7 @@
- https://ampache.org/ - https://ampache.org/
- replace nextcloud with seafile - replace nextcloud with seafile
### VPN container
- use wireguard for vpn
- https://github.com/triffid/pia-wg/blob/master/pia-wg.sh
- https://github.com/pia-foss/manual-connections
- port forwarding for vpn
- transmission using forwarded port
- https://www.wireguard.com/netns/
- one way firewall for vpn container
### Networking
- tailscale for p2p connections
- remove all use of zerotier
### Archive ### Archive
- https://www.backblaze.com/b2/cloud-storage.html
- email - email
- https://github.com/Disassembler0/dovecot-archive/blob/main/src/dovecot_archive.py - https://github.com/Disassembler0/dovecot-archive/blob/main/src/dovecot_archive.py
- http://kb.unixservertech.com/software/dovecot/archiveserver - http://kb.unixservertech.com/software/dovecot/archiveserver
@@ -75,6 +49,29 @@
- https://christine.website/blog/paranoid-nixos-2021-07-18 - https://christine.website/blog/paranoid-nixos-2021-07-18
- https://nixos.wiki/wiki/Impermanence - https://nixos.wiki/wiki/Impermanence
# Setup CI
- CI
- hydra
- https://docs.cachix.org/continuous-integration-setup/
- Binary Cache
- Maybe use cachix https://gvolpe.com/blog/nixos-binary-cache-ci/
- Self hosted binary cache? https://www.tweag.io/blog/2019-11-21-untrusted-ci/
- https://github.com/edolstra/nix-serve
- https://nixos.wiki/wiki/Binary_Cache
- https://discourse.nixos.org/t/introducing-attic-a-self-hostable-nix-binary-cache-server/24343
- Both
- https://garnix.io/
- https://nixbuild.net
# Secrets
- consider using headscale
- Replace luks over tor for remote unlock with luks over tailscale using ephemeral keys
- Rollover luks FDE passwords
- /secrets on personal computers should only be readable using a trusted ssh key, preferably requiring a yubikey
- Rollover shared yubikey secrets
- offsite backup yubikey, pw db, and ssh key with /secrets access
### Misc ### Misc
- https://github.com/pop-os/system76-scheduler - https://github.com/pop-os/system76-scheduler
- improve email a little bit https://helloinbox.email - improve email a little bit https://helloinbox.email

3
common/auto-update.nix
View File

@@ -4,7 +4,8 @@
let let
cfg = config.system.autoUpgrade; cfg = config.system.autoUpgrade;
in { in
{
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
system.autoUpgrade = { system.autoUpgrade = {
flake = "git+https://git.neet.dev/zuckerberg/nix-config.git"; flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";

78
common/backups.nix Normal file
View File

@@ -0,0 +1,78 @@
{ config, lib, pkgs, ... }:
let
cfg = config.backup;
hostname = config.networking.hostName;
mkRespository = group: "s3:s3.us-west-004.backblazeb2.com/D22TgIt0-main-backup/${group}";
mkBackup = group: paths: {
repository = mkRespository group;
inherit paths;
initialize = true;
timerConfig = {
OnCalendar = "daily";
RandomizedDelaySec = "1h";
};
extraBackupArgs = [
''--exclude-if-present ".nobackup"''
];
pruneOpts = [
"--keep-daily 7" # one backup for each of the last n days
"--keep-weekly 5" # one backup for each of the last n weeks
"--keep-monthly 12" # one backup for each of the last n months
"--keep-yearly 75" # one backup for each of the last n years
];
environmentFile = "/run/agenix/backblaze-s3-backups";
passwordFile = "/run/agenix/restic-password";
};
# example usage: "sudo restic_samba unlock" (removes lockfile)
mkResticGroupCmd = group: pkgs.writeShellScriptBin "restic_${group}" ''
if [ "$EUID" -ne 0 ]
then echo "Run as root"
exit
fi
. /run/agenix/backblaze-s3-backups
export AWS_SECRET_ACCESS_KEY
export AWS_ACCESS_KEY_ID
export RESTIC_PASSWORD_FILE=/run/agenix/restic-password
export RESTIC_REPOSITORY="${mkRespository group}"
exec ${pkgs.restic}/bin/restic "$@"
'';
in
{
options.backup = {
group = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.attrsOf (lib.types.submodule {
options = {
paths = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
Paths to backup
'';
};
};
}));
};
};
config = lib.mkIf (cfg.group != null) {
services.restic.backups = lib.concatMapAttrs
(group: groupCfg: {
${group} = mkBackup group groupCfg.paths;
})
cfg.group;
age.secrets.backblaze-s3-backups.file = ../secrets/backblaze-s3-backups.age;
age.secrets.restic-password.file = ../secrets/restic-password.age;
environment.systemPackages = map mkResticGroupCmd (builtins.attrNames cfg.group);
};
}

3
common/boot/bios.nix
View File

@@ -3,7 +3,8 @@
with lib; with lib;
let let
cfg = config.bios; cfg = config.bios;
in { in
{
options.bios = { options.bios = {
enable = mkEnableOption "enable bios boot"; enable = mkEnableOption "enable bios boot";
device = mkOption { device = mkOption {

2
common/boot/default.nix
View File

@@ -5,6 +5,6 @@
./firmware.nix ./firmware.nix
./efi.nix ./efi.nix
./bios.nix ./bios.nix
./luks.nix ./remote-luks-unlock.nix
]; ];
} }

5
common/boot/efi.nix
View File

@@ -3,7 +3,8 @@
with lib; with lib;
let let
cfg = config.efi; cfg = config.efi;
in { in
{
options.efi = { options.efi = {
enable = mkEnableOption "enable efi boot"; enable = mkEnableOption "enable efi boot";
}; };
@@ -19,7 +20,7 @@ in {
version = 2; version = 2;
efiSupport = true; efiSupport = true;
useOSProber = true; useOSProber = true;
# memtest86.enable = true; # memtest86.enable = true;
configurationLimit = 20; configurationLimit = 20;
theme = pkgs.nixos-grub2-theme; theme = pkgs.nixos-grub2-theme;
}; };

3
common/boot/firmware.nix
View File

@@ -3,7 +3,8 @@
with lib; with lib;
let let
cfg = config.firmware; cfg = config.firmware;
in { in
{
options.firmware.x86_64 = { options.firmware.x86_64 = {
enable = mkEnableOption "enable x86_64 firmware"; enable = mkEnableOption "enable x86_64 firmware";
}; };

101
common/boot/luks.nix
View File

@@ -1,101 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.luks;
in {
options.luks = {
enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
device = {
name = lib.mkOption {
type = lib.types.str;
default = "enc-pv";
};
path = lib.mkOption {
type = lib.types.either lib.types.str lib.types.path;
};
allowDiscards = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
sshHostKeys = lib.mkOption {
type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
default = [
"/secret/ssh_host_rsa_key"
"/secret/ssh_host_ed25519_key"
];
};
sshAuthorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = config.users.users.googlebot.openssh.authorizedKeys.keys;
};
onionConfig = lib.mkOption {
type = lib.types.path;
default = /secret/onion;
};
kernelModules = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ "e1000" "e1000e" "virtio_pci" "r8169" ];
};
};
config = lib.mkIf cfg.enable {
boot.initrd.luks.devices.${cfg.device.name} = {
device = cfg.device.path;
allowDiscards = cfg.device.allowDiscards;
};
# Unlock LUKS disk over ssh
boot.initrd.network.enable = true;
boot.initrd.kernelModules = cfg.kernelModules;
boot.initrd.network.ssh = {
enable = true;
port = 22;
hostKeys = cfg.sshHostKeys;
authorizedKeys = cfg.sshAuthorizedKeys;
};
boot.initrd.postDeviceCommands = ''
echo 'waiting for root device to be opened...'
mkfifo /crypt-ramfs/passphrase
echo /crypt-ramfs/passphrase >> /dev/null
'';
# Make machine accessable over tor for boot unlock
boot.initrd.secrets = {
"/etc/tor/onion/bootup" = cfg.onionConfig;
};
boot.initrd.extraUtilsCommands = ''
copy_bin_and_libs ${pkgs.tor}/bin/tor
copy_bin_and_libs ${pkgs.haveged}/bin/haveged
'';
# start tor during boot process
boot.initrd.network.postCommands = let
torRc = (pkgs.writeText "tor.rc" ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 22 127.0.0.1:22
'');
in ''
# Add nice prompt for giving LUKS passphrase over ssh
echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor
echo "make sure localhost is up"
ip a a 127.0.0.1/8 dev lo
ip link set lo up
echo "haveged: starting haveged"
haveged -F &
echo "tor: starting tor"
tor -f ${torRc} --verify-config
tor -f ${torRc} &
'';
};
}

99
common/boot/remote-luks-unlock.nix Normal file
View File

@@ -0,0 +1,99 @@
{ config, pkgs, lib, ... }:
let
cfg = config.remoteLuksUnlock;
in
{
options.remoteLuksUnlock = {
enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
enableTorUnlock = lib.mkOption {
type = lib.types.bool;
default = cfg.enable;
description = "Make machine accessable over tor for ssh boot unlock";
};
sshHostKeys = lib.mkOption {
type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
default = [
"/secret/ssh_host_rsa_key"
"/secret/ssh_host_ed25519_key"
];
};
sshAuthorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = config.users.users.googlebot.openssh.authorizedKeys.keys;
};
onionConfig = lib.mkOption {
type = lib.types.path;
default = /secret/onion;
};
kernelModules = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ "e1000" "e1000e" "virtio_pci" "r8169" ];
};
};
config = lib.mkIf cfg.enable {
# boot.initrd.luks.devices.${cfg.device.name} = {
# device = cfg.device.path;
# allowDiscards = cfg.device.allowDiscards;
# };
# Unlock LUKS disk over ssh
boot.initrd.network.enable = true;
boot.initrd.kernelModules = cfg.kernelModules;
boot.initrd.network.ssh = {
enable = true;
port = 22;
hostKeys = cfg.sshHostKeys;
authorizedKeys = cfg.sshAuthorizedKeys;
};
boot.initrd.postDeviceCommands = ''
echo 'waiting for root device to be opened...'
mkfifo /crypt-ramfs/passphrase
echo /crypt-ramfs/passphrase >> /dev/null
'';
boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock {
"/etc/tor/onion/bootup" = cfg.onionConfig;
};
boot.initrd.extraUtilsCommands = lib.mkIf cfg.enableTorUnlock ''
copy_bin_and_libs ${pkgs.tor}/bin/tor
copy_bin_and_libs ${pkgs.haveged}/bin/haveged
'';
boot.initrd.network.postCommands = lib.mkMerge [
(
''
# Add nice prompt for giving LUKS passphrase over ssh
echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
''
)
(
let torRc = (pkgs.writeText "tor.rc" ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 22 127.0.0.1:22
''); in
lib.mkIf cfg.enableTorUnlock ''
echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor
echo "make sure localhost is up"
ip a a 127.0.0.1/8 dev lo
ip link set lo up
echo "haveged: starting haveged"
haveged -F &
echo "tor: starting tor"
tor -f ${torRc} --verify-config
tor -f ${torRc} &
''
)
];
};
}

37
common/default.nix
View File

@@ -1,7 +1,13 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let
ssh = import ./ssh.nix;
sshUserKeys = ssh.users;
sshHigherTrustKeys = ssh.higherTrustUserKeys;
in
{ {
imports = [ imports = [
./backups.nix
./flakes.nix ./flakes.nix
./auto-update.nix ./auto-update.nix
./shell.nix ./shell.nix
@@ -20,17 +26,23 @@
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowPing = true; networking.firewall.allowPing = true;
time.timeZone = "America/New_York"; time.timeZone = "America/Denver";
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
services.openssh.enable = true; services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
};
};
programs.mosh.enable = true; programs.mosh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wget wget
kakoune kakoune
htop htop
git git-lfs git
git-lfs
dnsutils dnsutils
tmux tmux
nethogs nethogs
@@ -42,6 +54,8 @@
micro micro
helix helix
lm_sensors lm_sensors
picocom
lf
]; ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
@@ -54,11 +68,24 @@
"dialout" # serial "dialout" # serial
]; ];
shell = pkgs.fish; shell = pkgs.fish;
openssh.authorizedKeys.keys = (import ./ssh.nix).users; openssh.authorizedKeys.keys = sshUserKeys;
hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/"; hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
uid = 1000; uid = 1000;
}; };
nix.trustedUsers = [ "root" "googlebot" ]; users.users.root = {
openssh.authorizedKeys.keys = sshHigherTrustKeys;
};
nix.settings = {
trusted-users = [ "root" "googlebot" ];
};
# don't use sudo
security.doas.enable = true;
security.sudo.enable = false;
security.doas.extraRules = [
# don't ask for password every time
{ groups = [ "wheel" ]; persist = true; }
];
nix.gc.automatic = true; nix.gc.automatic = true;

3
common/flakes.nix
View File

@@ -2,7 +2,8 @@
with lib; with lib;
let let
cfg = config.nix.flakes; cfg = config.nix.flakes;
in { in
{
options.nix.flakes = { options.nix.flakes = {
enable = mkEnableOption "use nix flakes"; enable = mkEnableOption "use nix flakes";
}; };

0
machines/ray/ca.rsa.4096.crt → common/network/ca.rsa.4096.crt
View File

3
common/network/default.nix
View File

@@ -9,9 +9,10 @@ in
imports = [ imports = [
./hosts.nix ./hosts.nix
./pia-openvpn.nix ./pia-openvpn.nix
./pia-wireguard.nix
./ping.nix
./tailscale.nix ./tailscale.nix
./vpn.nix ./vpn.nix
./zerotier.nix
]; ];
options.networking.ip_forward = mkEnableOption "Enable ip forwarding"; options.networking.ip_forward = mkEnableOption "Enable ip forwarding";

76
common/network/hosts.nix
View File

@@ -2,62 +2,56 @@
let let
system = (import ../ssh.nix).system; system = (import ../ssh.nix).system;
in {
networking.hosts = { # hostnames that resolve on clearnet for LUKS unlocking
# some DNS providers filter local ip results from DNS request unlock-clearnet-hosts = {
"172.30.145.180" = [ "s0.zt.neet.dev" ]; ponyo = "unlock.ponyo.neet.dev";
"172.30.109.9" = [ "ponyo.zt.neet.dev" ]; s0 = "s0";
"172.30.189.212" = [ "ray.zt.neet.dev" ];
}; };
# hostnames that resolve on tor for LUKS unlocking
unlock-onion-hosts = {
liza = "5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion";
router = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
ponyo = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion";
s0 = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
};
in
{
programs.ssh.knownHosts = { programs.ssh.knownHosts = {
liza = {
hostNames = [ "liza" "liza.neet.dev" ];
publicKey = system.liza;
};
ponyo = { ponyo = {
hostNames = [ "ponyo" "ponyo.neet.dev" "ponyo.zt.neet.dev" "git.neet.dev" ]; hostNames = [ "ponyo" "ponyo.neet.dev" "git.neet.dev" ];
publicKey = system.ponyo; publicKey = system.ponyo;
}; };
ponyo-unlock = { ponyo-unlock = {
hostNames = [ "unlock.ponyo.neet.dev" "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion" ]; hostNames = [ unlock-clearnet-hosts.ponyo unlock-onion-hosts.ponyo ];
publicKey = system.ponyo-unlock; publicKey = system.ponyo-unlock;
}; };
router = {
hostNames = [ "router" "192.168.1.228" ];
publicKey = system.router;
};
router-unlock = {
hostNames = [ unlock-onion-hosts.router ];
publicKey = system.router-unlock;
};
ray = { ray = {
hostNames = [ "ray" "ray.zt.neet.dev" ]; hostNames = [ "ray" ];
publicKey = system.ray; publicKey = system.ray;
}; };
s0 = { s0 = {
hostNames = [ "s0" "s0.zt.neet.dev" ]; hostNames = [ "s0" ];
publicKey = system.s0; publicKey = system.s0;
}; };
n1 = { s0-unlock = {
hostNames = [ "n1" ]; hostNames = [ unlock-onion-hosts.s0 ];
publicKey = system.n1; publicKey = system.s0-unlock;
};
n2 = {
hostNames = [ "n2" ];
publicKey = system.n2;
};
n3 = {
hostNames = [ "n3" ];
publicKey = system.n3;
};
n4 = {
hostNames = [ "n4" ];
publicKey = system.n4;
};
n5 = {
hostNames = [ "n5" ];
publicKey = system.n5;
};
n6 = {
hostNames = [ "n6" ];
publicKey = system.n6;
};
n7 = {
hostNames = [ "n7" ];
publicKey = system.n7;
}; };
}; };
# prebuilt cmds for easy ssh LUKS unlock
environment.shellAliases =
lib.concatMapAttrs (host: addr: { "unlock-over-tor_${host}" = "torsocks ssh root@${addr}"; }) unlock-onion-hosts
//
lib.concatMapAttrs (host: addr: { "unlock_${host}" = "ssh root@${addr}"; }) unlock-clearnet-hosts;
} }

4
common/network/pia-openvpn.nix
View File

@@ -1,7 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
cfg = config.pia; cfg = config.pia.openvpn;
vpnfailsafe = pkgs.stdenv.mkDerivation { vpnfailsafe = pkgs.stdenv.mkDerivation {
pname = "vpnfailsafe"; pname = "vpnfailsafe";
version = "0.0.1"; version = "0.0.1";
@@ -14,7 +14,7 @@ let
}; };
in in
{ {
options.pia = { options.pia.openvpn = {
enable = lib.mkEnableOption "Enable private internet access"; enable = lib.mkEnableOption "Enable private internet access";
server = lib.mkOption { server = lib.mkOption {
type = lib.types.str; type = lib.types.str;

357
common/network/pia-wireguard.nix Normal file
View File

@@ -0,0 +1,357 @@
{ config, lib, pkgs, ... }:
# Server list:
# https://serverlist.piaservers.net/vpninfo/servers/v6
# Reference materials:
# https://github.com/pia-foss/manual-connections
# https://github.com/thrnz/docker-wireguard-pia/blob/master/extra/wg-gen.sh
# TODO handle potential errors (or at least print status, success, and failures to the console)
# TODO parameterize names of systemd services so that multiple wg VPNs could coexist in theory easier
# TODO implement this module such that the wireguard VPN doesn't have to live in a container
# TODO don't add forward rules if the PIA port is the same as cfg.forwardedPort
# TODO verify signatures of PIA responses
with builtins;
with lib;
let
cfg = config.pia.wireguard;
getPIAToken = ''
PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
# PIA_TOKEN only lasts 24hrs
PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
'';
chooseWireguardServer = ''
servers=$(mktemp)
servers_json=$(mktemp)
curl -s "https://serverlist.piaservers.net/vpninfo/servers/v6" > "$servers"
# extract json part only
head -n 1 "$servers" | tr -d '\n' > "$servers_json"
echo "Available location ids:" && jq '.regions | .[] | {name, id, port_forward}' "$servers_json"
# Some locations have multiple servers available. Pick a random one.
totalservers=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | length' "$servers_json")
if ! [[ "$totalservers" =~ ^[0-9]+$ ]] || [ "$totalservers" -eq 0 ] 2>/dev/null; then
echo "Location \"${cfg.serverLocation}\" not found."
exit 1
fi
serverindex=$(( RANDOM % totalservers))
WG_HOSTNAME=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | .['$serverindex'].cn' "$servers_json")
WG_SERVER_IP=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | .['$serverindex'].ip' "$servers_json")
WG_SERVER_PORT=$(jq -r '.groups.wg | .[0] | .ports | .[0]' "$servers_json")
# write chosen server
rm -f /tmp/${cfg.interfaceName}-server.conf
touch /tmp/${cfg.interfaceName}-server.conf
chmod 700 /tmp/${cfg.interfaceName}-server.conf
echo "$WG_HOSTNAME" >> /tmp/${cfg.interfaceName}-server.conf
echo "$WG_SERVER_IP" >> /tmp/${cfg.interfaceName}-server.conf
echo "$WG_SERVER_PORT" >> /tmp/${cfg.interfaceName}-server.conf
rm $servers_json $servers
'';
getChosenWireguardServer = ''
WG_HOSTNAME=`sed '1q;d' /tmp/${cfg.interfaceName}-server.conf`
WG_SERVER_IP=`sed '2q;d' /tmp/${cfg.interfaceName}-server.conf`
WG_SERVER_PORT=`sed '3q;d' /tmp/${cfg.interfaceName}-server.conf`
'';
refreshPIAPort = ''
${getChosenWireguardServer}
signature=`sed '1q;d' /tmp/${cfg.interfaceName}-port-renewal`
payload=`sed '2q;d' /tmp/${cfg.interfaceName}-port-renewal`
bind_port_response=`curl -Gs -m 5 --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "payload=$payload" --data-urlencode "signature=$signature" "https://$WG_HOSTNAME:19999/bindPort"`
'';
portForwarding = cfg.forwardPortForTransmission || cfg.forwardedPort != null;
containerServiceName = "container@${config.vpn-container.containerName}.service";
in
{
options.pia.wireguard = {
enable = mkEnableOption "Enable private internet access";
badPortForwardPorts = mkOption {
type = types.listOf types.port;
description = ''
Ports that will not be accepted from PIA.
If PIA assigns a port from this list, the connection is aborted since we cannot ask for a different port.
This is used to guarantee we are not assigned a port that is used by a service we do not want exposed.
'';
};
wireguardListenPort = mkOption {
type = types.port;
description = "The port wireguard listens on for this VPN connection";
default = 51820;
};
serverLocation = mkOption {
type = types.str;
default = "swiss";
};
interfaceName = mkOption {
type = types.str;
default = "piaw";
};
forwardedPort = mkOption {
type = types.nullOr types.port;
description = "The port to redirect port forwarded TCP VPN traffic too";
default = null;
};
forwardPortForTransmission = mkEnableOption "PIA port forwarding for transmission should be performed.";
};
config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.forwardPortForTransmission != (cfg.forwardedPort != null);
message = ''
The PIA forwarded port cannot simultaneously be used by transmission and redirected to another port.
'';
}
];
# mounts used to pass the connection parameters to the container
# the container doesn't have internet until it uses these parameters so it cannot fetch them itself
vpn-container.mounts = [
"/tmp/${cfg.interfaceName}.conf"
"/tmp/${cfg.interfaceName}-server.conf"
"/tmp/${cfg.interfaceName}-address.conf"
];
# The container takes ownership of the wireguard interface on its startup
containers.vpn.interfaces = [ cfg.interfaceName ];
# TODO: while this is much better than "loose" networking, it seems to have issues with firewall restarts
# allow traffic for wireguard interface to pass since wireguard trips up rpfilter
# networking.firewall = {
# extraCommands = ''
# ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.wireguardListenPort} -j RETURN
# ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.wireguardListenPort} -j RETURN
# '';
# extraStopCommands = ''
# ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.wireguardListenPort} -j RETURN || true
# ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.wireguardListenPort} -j RETURN || true
# '';
# };
networking.firewall.checkReversePath = "loose";
systemd.services.pia-vpn-wireguard-init = {
description = "Creates PIA VPN Wireguard Interface";
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
before = [ containerServiceName ];
requiredBy = [ containerServiceName ];
partOf = [ containerServiceName ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ wireguard-tools jq curl iproute ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
# restart once a month; PIA forwarded port expires after two months
# because the container is "PartOf" this unit, it gets restarted too
RuntimeMaxSec = "30d";
};
script = ''
# Prepare to connect by generating wg secrets and auth'ing with PIA since the container
# cannot do without internet to start with. NAT'ing the host's internet would address this
# issue but is not ideal because then leaking network outside of the VPN is more likely.
${chooseWireguardServer}
${getPIAToken}
# generate wireguard keys
privKey=$(wg genkey)
pubKey=$(echo "$privKey" | wg pubkey)
# authorize our WG keys with the PIA server we are about to connect to
wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:$WG_SERVER_PORT/addKey`
# create wg-quick config file
rm -f /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
touch /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
chmod 700 /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
echo "
[Interface]
# Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
PrivateKey = $privKey
ListenPort = ${toString cfg.wireguardListenPort}
[Peer]
PersistentKeepalive = 25
PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
AllowedIPs = 0.0.0.0/0
Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
" >> /tmp/${cfg.interfaceName}.conf
# create file storing the VPN ip address PIA assigned to us
echo "$wireguard_json" | jq -r '.peer_ip' >> /tmp/${cfg.interfaceName}-address.conf
# Create wg interface now so it inherits from the namespace with internet access
# the container will handle actually connecting the interface since that info is
# not preserved upon moving into the container's networking namespace
# Roughly following this guide https://www.wireguard.com/netns/#ordinary-containerization
[[ -z $(ip link show dev ${cfg.interfaceName} 2>/dev/null) ]] || exit
ip link add ${cfg.interfaceName} type wireguard
'';
preStop = ''
# cleanup wireguard interface
ip link del ${cfg.interfaceName}
rm -f /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
'';
};
vpn-container.config.systemd.services.pia-vpn-wireguard = {
description = "Initializes the PIA VPN WireGuard Tunnel";
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ wireguard-tools iproute curl jq iptables ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
# pseudo calls wg-quick
# Near equivalent of "wg-quick up /tmp/${cfg.interfaceName}.conf"
# cannot actually call wg-quick because the interface has to be already
# created before the container taken ownership of the interface
# Thus, assumes wg interface was already created:
# ip link add ${cfg.interfaceName} type wireguard
${getChosenWireguardServer}
myaddress=`cat /tmp/${cfg.interfaceName}-address.conf`
wg setconf ${cfg.interfaceName} /tmp/${cfg.interfaceName}.conf
ip -4 address add $myaddress dev ${cfg.interfaceName}
ip link set mtu 1420 up dev ${cfg.interfaceName}
wg set ${cfg.interfaceName} fwmark ${toString cfg.wireguardListenPort}
ip -4 route add 0.0.0.0/0 dev ${cfg.interfaceName} table ${toString cfg.wireguardListenPort}
# TODO is this needed?
ip -4 rule add not fwmark ${toString cfg.wireguardListenPort} table ${toString cfg.wireguardListenPort}
ip -4 rule add table main suppress_prefixlength 0
# The rest of the script is only for only for port forwarding skip if not needed
if [ ${boolToString portForwarding} == false ]; then exit 0; fi
# Reserve port
${getPIAToken}
payload_and_signature=`curl -s -m 5 --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" -G --data-urlencode "token=$PIA_TOKEN" "https://$WG_HOSTNAME:19999/getSignature"`
signature=$(echo "$payload_and_signature" | jq -r '.signature')
payload=$(echo "$payload_and_signature" | jq -r '.payload')
port=$(echo "$payload" | base64 -d | jq -r '.port')
# Check if the port is acceptable
notallowed=(${concatStringsSep " " (map toString cfg.badPortForwardPorts)})
if [[ " ''${notallowed[*]} " =~ " $port " ]]; then
# the port PIA assigned is not allowed, kill the connection
wg-quick down /tmp/${cfg.interfaceName}.conf
exit 1
fi
# write reserved port to file readable for all users
echo $port > /tmp/${cfg.interfaceName}-port
chmod 644 /tmp/${cfg.interfaceName}-port
# write payload and signature info needed to allow refreshing allocated forwarded port
rm -f /tmp/${cfg.interfaceName}-port-renewal
touch /tmp/${cfg.interfaceName}-port-renewal
chmod 700 /tmp/${cfg.interfaceName}-port-renewal
echo $signature >> /tmp/${cfg.interfaceName}-port-renewal
echo $payload >> /tmp/${cfg.interfaceName}-port-renewal
# Block all traffic from VPN interface except for traffic that is from the forwarded port
iptables -I nixos-fw -p tcp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
iptables -I nixos-fw -p udp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
# The first port refresh triggers the port to be actually allocated
${refreshPIAPort}
${optionalString (cfg.forwardedPort != null) ''
# redirect the fowarded port
iptables -A INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
iptables -A INPUT -i ${cfg.interfaceName} -p udp --dport $port -j ACCEPT
iptables -A INPUT -i ${cfg.interfaceName} -p tcp --dport ${toString cfg.forwardedPort} -j ACCEPT
iptables -A INPUT -i ${cfg.interfaceName} -p udp --dport ${toString cfg.forwardedPort} -j ACCEPT
iptables -A PREROUTING -t nat -i ${cfg.interfaceName} -p tcp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
iptables -A PREROUTING -t nat -i ${cfg.interfaceName} -p udp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
''}
${optionalString cfg.forwardPortForTransmission ''
# assumes no auth needed for transmission
curlout=$(curl localhost:9091/transmission/rpc 2>/dev/null)
regex='X-Transmission-Session-Id\: (\w*)'
if [[ $curlout =~ $regex ]]; then
sessionId=''${BASH_REMATCH[1]}
else
exit 1
fi
# set the port in transmission
data='{"method": "session-set", "arguments": { "peer-port" :'$port' } }'
curl http://localhost:9091/transmission/rpc -d "$data" -H "X-Transmission-Session-Id: $sessionId"
''}
'';
preStop = ''
wg-quick down /tmp/${cfg.interfaceName}.conf
# The rest of the script is only for only for port forwarding skip if not needed
if [ ${boolToString portForwarding} == false ]; then exit 0; fi
${optionalString (cfg.forwardedPort != null) ''
# stop redirecting the forwarded port
iptables -D INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
iptables -D INPUT -i ${cfg.interfaceName} -p udp --dport $port -j ACCEPT
iptables -D INPUT -i ${cfg.interfaceName} -p tcp --dport ${toString cfg.forwardedPort} -j ACCEPT
iptables -D INPUT -i ${cfg.interfaceName} -p udp --dport ${toString cfg.forwardedPort} -j ACCEPT
iptables -D PREROUTING -t nat -i ${cfg.interfaceName} -p tcp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
iptables -D PREROUTING -t nat -i ${cfg.interfaceName} -p udp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
''}
'';
};
vpn-container.config.systemd.services.pia-vpn-wireguard-forward-port = {
enable = portForwarding;
description = "PIA VPN WireGuard Tunnel Port Forwarding";
after = [ "pia-vpn-wireguard.service" ];
requires = [ "pia-vpn-wireguard.service" ];
path = with pkgs; [ curl ];
serviceConfig = {
Type = "oneshot";
};
script = refreshPIAPort;
};
vpn-container.config.systemd.timers.pia-vpn-wireguard-forward-port = {
enable = portForwarding;
partOf = [ "pia-vpn-wireguard-forward-port.service" ];
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/10"; # 10 minutes
RandomizedDelaySec = "1m"; # vary by 1 min to give PIA servers some relief
};
};
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
};
}

59
common/network/ping.nix Normal file
View File

@@ -0,0 +1,59 @@
{ config, pkgs, lib, ... }:
# keeps peer to peer connections alive with a periodic ping
with lib;
with builtins;
# todo auto restart
let
cfg = config.keepalive-ping;
serviceTemplate = host:
{
"keepalive-ping@${host}" = {
description = "Periodic ping keep alive for ${host} connection";
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Restart = "always";
path = with pkgs; [ iputils ];
script = ''
ping -i ${cfg.delay} ${host} &>/dev/null
'';
};
};
combineAttrs = foldl recursiveUpdate { };
serviceList = map serviceTemplate cfg.hosts;
services = combineAttrs serviceList;
in
{
options.keepalive-ping = {
enable = mkEnableOption "Enable keep alive ping task";
hosts = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Hosts to ping periodically
'';
};
delay = mkOption {
type = types.str;
default = "60";
description = ''
Ping interval in seconds of periodic ping per host being pinged
'';
};
};
config = mkIf cfg.enable {
systemd.services = services;
};
}

6
common/network/tailscale.nix
View File

@@ -8,7 +8,11 @@ in
{ {
options.services.tailscale.exitNode = mkEnableOption "Enable exit node support"; options.services.tailscale.exitNode = mkEnableOption "Enable exit node support";
config.services.tailscale.enable = !config.boot.isContainer; config.services.tailscale.enable = mkDefault (!config.boot.isContainer);
# MagicDNS
config.networking.nameservers = mkIf cfg.enable [ "1.1.1.1" "8.8.8.8" ];
config.networking.search = mkIf cfg.enable [ "koi-bebop.ts.net" ];
# exit node # exit node
config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose"; config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose";

34
common/network/vpn.nix
View File

@@ -26,9 +26,11 @@ in
''; '';
}; };
useOpenVPN = mkEnableOption "Uses OpenVPN instead of wireguard for PIA VPN connection";
config = mkOption { config = mkOption {
type = types.anything; type = types.anything;
default = {}; default = { };
example = '' example = ''
{ {
services.nginx.enable = true; services.nginx.enable = true;
@@ -41,6 +43,9 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
pia.wireguard.enable = !cfg.useOpenVPN;
pia.wireguard.forwardPortForTransmission = !cfg.useOpenVPN;
containers.${cfg.containerName} = { containers.${cfg.containerName} = {
ephemeral = true; ephemeral = true;
autoStart = true; autoStart = true;
@@ -59,36 +64,43 @@ in
} }
))); )));
enableTun = true; enableTun = cfg.useOpenVPN;
privateNetwork = true; privateNetwork = true;
hostAddress = "172.16.100.1"; hostAddress = "172.16.100.1";
localAddress = "172.16.100.2"; localAddress = "172.16.100.2";
config = { config = {
imports = allModules ++ [cfg.config]; imports = allModules ++ [ cfg.config ];
# speeds up evaluation
nixpkgs.pkgs = pkgs; nixpkgs.pkgs = pkgs;
networking.firewall.enable = mkForce false; # networking.firewall.enable = mkForce false;
networking.firewall.trustedInterfaces = [
# completely trust internal interface to host
"eth0"
];
pia.enable = true; pia.openvpn.enable = cfg.useOpenVPN;
pia.server = "swiss.privacy.network"; # swiss vpn pia.openvpn.server = "swiss.privacy.network"; # swiss vpn
# TODO fix so it does run it's own resolver again
# run it's own DNS resolver # run it's own DNS resolver
networking.useHostResolvConf = false; networking.useHostResolvConf = false;
services.resolved.enable = true; # services.resolved.enable = true;
networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
}; };
}; };
# load secrets the container needs # load secrets the container needs
age.secrets = config.containers.${cfg.containerName}.config.age.secrets; age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
# forwarding for vpn container # forwarding for vpn container (only for OpenVPN)
networking.nat.enable = true; networking.nat.enable = mkIf cfg.useOpenVPN true;
networking.nat.internalInterfaces = [ networking.nat.internalInterfaces = mkIf cfg.useOpenVPN [
"ve-${cfg.containerName}" "ve-${cfg.containerName}"
]; ];
networking.ip_forward = true; networking.ip_forward = mkIf cfg.useOpenVPN true;
# assumes only one potential interface # assumes only one potential interface
networking.usePredictableInterfaceNames = false; networking.usePredictableInterfaceNames = false;

14
common/network/zerotier.nix
View File

@@ -1,14 +0,0 @@
{ lib, config, ... }:
let
cfg = config.services.zerotierone;
in {
config = lib.mkIf cfg.enable {
services.zerotierone.joinNetworks = [
"565799d8f6d654c0"
];
networking.firewall.allowedUDPPorts = [
9993
];
};
}

25
common/pc/audio.nix
View File

@@ -2,7 +2,8 @@
let let
cfg = config.de; cfg = config.de;
in { in
{
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# enable pulseaudio support for packages # enable pulseaudio support for packages
nixpkgs.config.pulseaudio = true; nixpkgs.config.pulseaudio = true;
@@ -28,29 +29,29 @@ in {
# properyty when no other driver is currently active. JACK clients need this. # properyty when no other driver is currently active. JACK clients need this.
factory = "spa-node-factory"; factory = "spa-node-factory";
args = { args = {
"factory.name" = "support.node.driver"; "factory.name" = "support.node.driver";
"node.name" = "Dummy-Driver"; "node.name" = "Dummy-Driver";
"priority.driver" = 8000; "priority.driver" = 8000;
}; };
} }
{ {
factory = "adapter"; factory = "adapter";
args = { args = {
"factory.name" = "support.null-audio-sink"; "factory.name" = "support.null-audio-sink";
"node.name" = "Microphone-Proxy"; "node.name" = "Microphone-Proxy";
"node.description" = "Microphone"; "node.description" = "Microphone";
"media.class" = "Audio/Source/Virtual"; "media.class" = "Audio/Source/Virtual";
"audio.position" = "MONO"; "audio.position" = "MONO";
}; };
} }
{ {
factory = "adapter"; factory = "adapter";
args = { args = {
"factory.name" = "support.null-audio-sink"; "factory.name" = "support.null-audio-sink";
"node.name" = "Main-Output-Proxy"; "node.name" = "Main-Output-Proxy";
"node.description" = "Main Output"; "node.description" = "Main Output";
"media.class" = "Audio/Sink"; "media.class" = "Audio/Sink";
"audio.position" = "FL,FR"; "audio.position" = "FL,FR";
}; };
} }
]; ];

5
common/pc/chromium.nix
View File

@@ -49,7 +49,8 @@ let
]; ];
}; };
in { in
{
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# chromium with specific extensions + settings # chromium with specific extensions + settings
programs.chromium = { programs.chromium = {
@@ -92,7 +93,7 @@ in {
enable = true; enable = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD intel-media-driver # LIBVA_DRIVER_NAME=iHD
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
# vaapiVdpau # vaapiVdpau
libvdpau-va-gl libvdpau-va-gl
nvidia-vaapi-driver nvidia-vaapi-driver

13
common/pc/default.nix
View File

@@ -2,15 +2,16 @@
let let
cfg = config.de; cfg = config.de;
in { in
{
imports = [ imports = [
./kde.nix ./kde.nix
./xfce.nix ./xfce.nix
./yubikey.nix ./yubikey.nix
./chromium.nix ./chromium.nix
# ./firefox.nix # ./firefox.nix
./audio.nix ./audio.nix
# ./torbrowser.nix # ./torbrowser.nix
./pithos.nix ./pithos.nix
./spotify.nix ./spotify.nix
./vscodium.nix ./vscodium.nix
@@ -50,6 +51,12 @@ in {
arduino arduino
yt-dlp yt-dlp
jellyfin-media-player jellyfin-media-player
joplin-desktop
config.inputs.deploy-rs.packages.${config.currentSystem}.deploy-rs
# For Nix IDE
nixpkgs-fmt
rnix-lsp
]; ];
# Networking # Networking

3
common/pc/discord.nix
View File

@@ -2,7 +2,8 @@
let let
cfg = config.de; cfg = config.de;
in { in
{
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
users.users.googlebot.packages = [ users.users.googlebot.packages = [
pkgs.discord pkgs.discord

6
common/pc/firefox.nix
View File

@@ -20,7 +20,7 @@ let
}; };
firefox = pkgs.wrapFirefox somewhatPrivateFF { firefox = pkgs.wrapFirefox somewhatPrivateFF {
desktopName = "Sneed Browser"; desktopName = "Sneed Browser";
nixExtensions = [ nixExtensions = [
(pkgs.fetchFirefoxAddon { (pkgs.fetchFirefoxAddon {
@@ -71,8 +71,8 @@ let
TopSites = false; TopSites = false;
}; };
UserMessaging = { UserMessaging = {
ExtensionRecommendations = false; ExtensionRecommendations = false;
SkipOnboarding = true; SkipOnboarding = true;
}; };
WebsiteFilter = { WebsiteFilter = {
Block = [ Block = [

3
common/pc/kde.nix
View File

@@ -2,7 +2,8 @@
let let
cfg = config.de; cfg = config.de;
in { in
{
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# kde plasma # kde plasma
services.xserver = { services.xserver = {

42
common/pc/mount-samba.nix
View File

@@ -1,36 +1,48 @@
# mounts the samba share on s0 over zeroteir # mounts the samba share on s0 over tailscale
{ config, lib, ... }: { config, lib, pkgs, ... }:
let let
cfg = config.services.mount-samba; cfg = config.services.mount-samba;
# prevents hanging on network split # prevents hanging on network split and other similar niceties to ensure a stable connection
network_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,nostrictsync,cache=loose,handlecache,handletimeout=30000,rwpidforward,mapposix,soft,resilienthandles,echo_interval=10,noblocksend"; network_opts = "nostrictsync,cache=strict,handlecache,handletimeout=30000,rwpidforward,mapposix,soft,resilienthandles,echo_interval=10,noblocksend,fsc";
systemd_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
user_opts = "uid=${toString config.users.users.googlebot.uid},file_mode=0660,dir_mode=0770,user"; user_opts = "uid=${toString config.users.users.googlebot.uid},file_mode=0660,dir_mode=0770,user";
auth_opts = "credentials=/run/agenix/smb-secrets"; auth_opts = "sec=ntlmv2i,credentials=/run/agenix/smb-secrets";
version_opts = "vers=2.1"; version_opts = "vers=3.1.1";
opts = "${network_opts},${user_opts},${version_opts},${auth_opts}"; opts = "${systemd_opts},${network_opts},${user_opts},${version_opts},${auth_opts}";
in { in
{
options.services.mount-samba = { options.services.mount-samba = {
enable = lib.mkEnableOption "enable mounting samba shares"; enable = lib.mkEnableOption "enable mounting samba shares";
}; };
config = lib.mkIf (cfg.enable && config.services.zerotierone.enable) { config = lib.mkIf (cfg.enable && config.services.tailscale.enable) {
fileSystems."/mnt/public" = { fileSystems."/mnt/public" = {
device = "//s0.zt.neet.dev/public"; device = "//s0.koi-bebop.ts.net/public";
fsType = "cifs"; fsType = "cifs";
options = [ opts ]; options = [ opts ];
}; };
fileSystems."/mnt/private" = { fileSystems."/mnt/private" = {
device = "//s0.zt.neet.dev/googlebot"; device = "//s0.koi-bebop.ts.net/googlebot";
fsType = "cifs"; fsType = "cifs";
options = [ opts ]; options = [ opts ];
}; };
age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age; age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age;
environment.shellAliases = {
# remount storage
remount_public = "sudo systemctl restart mnt-public.mount";
remount_private = "sudo systemctl restart mnt-private.mount";
# Encrypted Vault
vault_unlock = "${pkgs.gocryptfs}/bin/gocryptfs /mnt/private/.vault/ /mnt/vault/";
vault_lock = "umount /mnt/vault/";
};
}; };
} }

76
common/pc/pia/default.nix
View File

@@ -1,76 +0,0 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.pia;
in {
imports = [
./pia.nix
];
options.services.pia = {
enable = lib.mkEnableOption "Enable PIA Client";
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/pia";
description = ''
Path to the pia data directory
'';
};
user = lib.mkOption {
type = lib.types.str;
default = "root";
description = ''
The user pia should run as
'';
};
group = lib.mkOption {
type = lib.types.str;
default = "piagrp";
description = ''
The group pia should run as
'';
};
users = mkOption {
type = with types; listOf str;
default = [];
description = ''
Usernames to be added to the "spotifyd" group, so that they
can start and interact with the userspace daemon.
'';
};
};
config = mkIf cfg.enable {
# users.users.${cfg.user} =
# if cfg.user == "pia" then {
# isSystemUser = true;
# group = cfg.group;
# home = cfg.dataDir;
# createHome = true;
# }
# else {};
users.groups.${cfg.group}.members = cfg.users;
systemd.services.pia-daemon = {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${pkgs.pia-daemon}/bin/pia-daemon";
serviceConfig.PrivateTmp="yes";
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
preStart = ''
mkdir -p ${cfg.dataDir}
chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
'';
};
};
}

147
common/pc/pia/fix-pia.patch
View File

@@ -1,147 +0,0 @@
diff --git a/Rakefile b/Rakefile
index fa6d771..bcd6fb1 100644
--- a/Rakefile
+++ b/Rakefile
@@ -151,41 +151,6 @@ end
# Install LICENSE.txt
stage.install('LICENSE.txt', :res)
-# Download server lists to ship preloaded copies with the app. These tasks
-# depend on version.txt so they're refreshed periodically (whenver a new commit
-# is made), but not for every build.
-#
-# SERVER_DATA_DIR can be set to use existing files instead of downloading them;
-# this is primarily intended for reproducing a build.
-#
-# Create a probe for SERVER_DATA_DIR so these are updated if it changes.
-serverDataProbe = Probe.new('serverdata')
-serverDataProbe.file('serverdata.txt', "#{ENV['SERVER_DATA_DIR']}")
-# JSON resource build directory
-jsonFetched = Build.new('json-fetched')
-# These are the assets we need to fetch and the URIs we get them from
-{
- 'modern_shadowsocks.json': 'https://serverlist.piaservers.net/shadow_socks',
- 'modern_servers.json': 'https://serverlist.piaservers.net/vpninfo/servers/v6',
- 'modern_region_meta.json': 'https://serverlist.piaservers.net/vpninfo/regions/v2'
-}.each do |k, v|
- fetchedFile = jsonFetched.artifact(k.to_s)
- serverDataDir = ENV['SERVER_DATA_DIR']
- file fetchedFile => [version.artifact('version.txt'),
- serverDataProbe.artifact('serverdata.txt'),
- jsonFetched.componentDir] do |t|
- if(serverDataDir)
- # Use the copy provided instead of fetching (for reproducing a build)
- File.copy(File.join(serverDataDir, k), fetchedFile)
- else
- # Fetch from the web API (write with "binary" mode so LF is not
- # converted to CRLF on Windows)
- File.binwrite(t.name, Net::HTTP.get(URI(v)))
- end
- end
- stage.install(fetchedFile, :res)
-end
-
# Install version/brand/arch info in case an upgrade needs to know what is
# currently installed
stage.install(version.artifact('version.txt'), :res)
diff --git a/common/src/posix/unixsignalhandler.cpp b/common/src/posix/unixsignalhandler.cpp
index f820a6d..e1b6c33 100644
--- a/common/src/posix/unixsignalhandler.cpp
+++ b/common/src/posix/unixsignalhandler.cpp
@@ -132,7 +132,7 @@ void UnixSignalHandler::_signalHandler(int, siginfo_t *info, void *)
// we checked it, we can't even log because the logger is not reentrant.
auto pThis = instance();
if(pThis)
- ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
+ auto _ = ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
}
template<int Signal>
void UnixSignalHandler::setAbortAction()
diff --git a/daemon/src/linux/linux_nl.cpp b/daemon/src/linux/linux_nl.cpp
index fd3aced..2367a5e 100644
--- a/daemon/src/linux/linux_nl.cpp
+++ b/daemon/src/linux/linux_nl.cpp
@@ -642,6 +642,6 @@ LinuxNl::~LinuxNl()
unsigned char term = 0;
PosixFd killSocket = _workerKillSocket.get();
if(killSocket)
- ::write(killSocket.get(), &term, sizeof(term));
+ auto _ = ::write(killSocket.get(), &term, sizeof(term));
_workerThread.join();
}
diff --git a/extras/support-tool/launcher/linux-launcher.cpp b/extras/support-tool/launcher/linux-launcher.cpp
index 3f63ac2..420d54d 100644
--- a/extras/support-tool/launcher/linux-launcher.cpp
+++ b/extras/support-tool/launcher/linux-launcher.cpp
@@ -48,7 +48,7 @@ int fork_execv(gid_t gid, char *filename, char *const argv[])
if(forkResult == 0)
{
// Apply gid as both real and effective
- setregid(gid, gid);
+ auto _ = setregid(gid, gid);
int execErr = execv(filename, argv);
std::cerr << "exec err: " << execErr << " / " << errno << " - "
diff --git a/rake/model/qt.rb b/rake/model/qt.rb
index c8cd362..a6abe59 100644
--- a/rake/model/qt.rb
+++ b/rake/model/qt.rb
@@ -171,12 +171,7 @@ class Qt
end
def getQtRoot(qtVersion, arch)
- qtToolchainPtns = getQtToolchainPatterns(arch)
- qtRoots = FileList[*Util.joinPaths([[qtVersion], qtToolchainPtns])]
- # Explicitly filter for existing paths - if the pattern has wildcards
- # we only get existing directories, but if the patterns are just
- # alternates with no wildcards, we can get directories that don't exist
- qtRoots.find_all { |r| File.exist?(r) }.max
+ ENV['QTROOT']
end
def getQtVersionScore(minor, patch)
@@ -192,12 +187,7 @@ class Qt
end
def getQtPathVersion(path)
- verMatch = path.match('^.*/Qt[^/]*/5\.(\d+)\.?(\d*)$')
- if(verMatch == nil)
- nil
- else
- [verMatch[1].to_i, verMatch[2].to_i]
- end
+ [ENV['QT_MAJOR'].to_i, ENV['QT_MINOR'].to_i]
end
# Build a component definition with the defaults. The "Core" component will
diff --git a/rake/product/linux.rb b/rake/product/linux.rb
index f43fb3e..83505af 100644
--- a/rake/product/linux.rb
+++ b/rake/product/linux.rb
@@ -18,8 +18,7 @@ module PiaLinux
QT_BINARIES = %w(pia-client pia-daemon piactl pia-support-tool)
# Version of libicu (needed to determine lib*.so.## file names in deployment)
- ICU_VERSION = FileList[File.join(Executable::Qt.targetQtRoot, 'lib', 'libicudata.so.*')]
- .first.match(/libicudata\.so\.(\d+)(\..*|)/)[1]
+ ICU_VERSION = ENV['ICU_MAJOR'].to_i;
# Copy a directory recursively, excluding *.debug files (debugging symbols)
def self.copyWithoutDebug(sourceDir, destDir)
@@ -220,16 +219,5 @@ module PiaLinux
# Since these are just development workflow tools, they can be skipped if
# specific dependencies are not available.
def self.defineTools(toolsStage)
- # Test if we have libthai-dev, for the Thai word breaking utility
- if(Executable::Tc.sysHeaderAvailable?('thai/thwbrk.h'))
- Executable.new('thaibreak')
- .source('tools/thaibreak')
- .lib('thai')
- .install(toolsStage, :bin)
- toolsStage.install('tools/thaibreak/thai_ts.sh', :bin)
- toolsStage.install('tools/onesky_import/import_translations.sh', :bin)
- else
- puts "skipping thaibreak utility, install libthai-dev to build thaibreak"
- end
end
end

139
common/pc/pia/pia.nix
View File

@@ -1,139 +0,0 @@
{ pkgs, lib, config, ... }:
{
nixpkgs.overlays = [
(self: super:
with self;
let
# arch = builtins.elemAt (lib.strings.splitString "-" builtins.currentSystem) 0;
arch = "x86_64";
pia-desktop = clangStdenv.mkDerivation rec {
pname = "pia-desktop";
version = "3.3.0";
src = fetchgit {
url = "https://github.com/pia-foss/desktop";
rev = version;
fetchLFS = true;
sha256 = "D9txL5MUWyRYTnsnhlQdYT4dGVpj8PFsVa5hkrb36cw=";
};
patches = [
./fix-pia.patch
];
nativeBuildInputs = [
cmake
rake
];
prePatch = ''
sed -i 's|/usr/include/libnl3|${libnl.dev}/include/libnl3|' Rakefile
'';
installPhase = ''
mkdir -p $out/bin $out/lib $out/share
cp -r ../out/pia_release_${arch}/stage/bin $out
cp -r ../out/pia_release_${arch}/stage/lib $out
cp -r ../out/pia_release_${arch}/stage/share $out
'';
cmakeFlags = [
"-DCMAKE_BUILD_TYPE=Release"
];
QTROOT = "${qt5.full}";
QT_MAJOR = lib.versions.minor (lib.strings.parseDrvName qt5.full.name).version;
QT_MINOR = lib.versions.patch (lib.strings.parseDrvName qt5.full.name).version;
ICU_MAJOR = lib.versions.major (lib.strings.parseDrvName icu.name).version;
buildInputs = [
mesa
libsForQt5.qt5.qtquickcontrols
libsForQt5.qt5.qtquickcontrols2
icu
libnl
];
dontWrapQtApps = true;
};
in rec {
openvpn-updown = buildFHSUserEnv {
name = "openvpn-updown";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "openvpn-updown.sh";
};
pia-client = buildFHSUserEnv {
name = "pia-client";
targetPkgs = pkgs: (with pkgs; [
pia-desktop
xorg.libXau
xorg.libXdmcp
]);
runScript = "pia-client";
};
piactl = buildFHSUserEnv {
name = "piactl";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "piactl";
};
pia-daemon = buildFHSUserEnv {
name = "pia-daemon";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-daemon";
};
pia-hnsd = buildFHSUserEnv {
name = "pia-hnsd";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-hnsd";
};
pia-openvpn = buildFHSUserEnv {
name = "pia-openvpn";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-openvpn";
};
pia-ss-local = buildFHSUserEnv {
name = "pia-ss-local";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-ss-local";
};
pia-support-tool = buildFHSUserEnv {
name = "pia-support-tool";
targetPkgs = pkgs: (with pkgs; [
pia-desktop
xorg.libXau
xorg.libXdmcp
]);
runScript = "pia-support-tool";
};
pia-unbound = buildFHSUserEnv {
name = "pia-unbound";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-unbound";
};
pia-wireguard-go = buildFHSUserEnv {
name = "pia-wireguard-go";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-wireguard-go";
};
support-tool-launcher = buildFHSUserEnv {
name = "support-tool-launcher";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "support-tool-launcher";
};
})
];
}

5
common/pc/pithos.nix
View File

@@ -2,7 +2,8 @@
let let
cfg = config.de; cfg = config.de;
in { in
{
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
nixpkgs.overlays = [ nixpkgs.overlays = [
(self: super: { (self: super: {
@@ -11,7 +12,7 @@ in {
version = "1.5.1"; version = "1.5.1";
src = super.fetchFromGitHub { src = super.fetchFromGitHub {
owner = pname; owner = pname;
repo = pname; repo = pname;
rev = version; rev = version;
sha256 = "il7OAALpHFZ6wjco9Asp04zWHCD8Ni+iBdiJWcMiQA4="; sha256 = "il7OAALpHFZ6wjco9Asp04zWHCD8Ni+iBdiJWcMiQA4=";
}; };

6
common/pc/spotify.nix
View File

@@ -4,7 +4,7 @@ with lib;
let let
cfg = config.services.spotifyd; cfg = config.services.spotifyd;
toml = pkgs.formats.toml {}; toml = pkgs.formats.toml { };
spotifydConf = toml.generate "spotify.conf" cfg.settings; spotifydConf = toml.generate "spotify.conf" cfg.settings;
in in
{ {
@@ -17,7 +17,7 @@ in
enable = mkEnableOption "spotifyd, a Spotify playing daemon"; enable = mkEnableOption "spotifyd, a Spotify playing daemon";
settings = mkOption { settings = mkOption {
default = {}; default = { };
type = toml.type; type = toml.type;
example = { global.bitrate = 320; }; example = { global.bitrate = 320; };
description = '' description = ''
@@ -28,7 +28,7 @@ in
users = mkOption { users = mkOption {
type = with types; listOf str; type = with types; listOf str;
default = []; default = [ ];
description = '' description = ''
Usernames to be added to the "spotifyd" group, so that they Usernames to be added to the "spotifyd" group, so that they
can start and interact with the userspace daemon. can start and interact with the userspace daemon.

3
common/pc/steam.nix
View File

@@ -2,7 +2,8 @@
let let
cfg = config.de; cfg = config.de;
in { in
{
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
programs.steam.enable = true; programs.steam.enable = true;
hardware.steam-hardware.enable = true; # steam controller hardware.steam-hardware.enable = true; # steam controller

3
common/pc/torbrowser.nix
View File

@@ -2,7 +2,8 @@
let let
cfg = config.de; cfg = config.de;
in { in
{
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
nixpkgs.overlays = [ nixpkgs.overlays = [
(self: super: { (self: super: {

3
common/pc/touchpad.nix
View File

@@ -2,7 +2,8 @@
let let
cfg = config.de.touchpad; cfg = config.de.touchpad;
in { in
{
options.de.touchpad = { options.de.touchpad = {
enable = lib.mkEnableOption "enable touchpad"; enable = lib.mkEnableOption "enable touchpad";
}; };

4
common/pc/vscodium.nix
View File

@@ -4,8 +4,8 @@ let
cfg = config.de; cfg = config.de;
extensions = with pkgs.vscode-extensions; [ extensions = with pkgs.vscode-extensions; [
# bbenoist.Nix # nix syntax support # bbenoist.Nix # nix syntax support
# arrterian.nix-env-selector # nix dev envs # arrterian.nix-env-selector # nix dev envs
]; ];
vscodium-with-extensions = pkgs.vscode-with-extensions.override { vscodium-with-extensions = pkgs.vscode-with-extensions.override {

3
common/pc/xfce.nix
View File

@@ -2,7 +2,8 @@
let let
cfg = config.de; cfg = config.de;
in { in
{
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.xserver = { services.xserver = {
enable = true; enable = true;

3
common/pc/yubikey.nix
View File

@@ -2,7 +2,8 @@
let let
cfg = config.de; cfg = config.de;
in { in
{
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# yubikey # yubikey
services.pcscd.enable = true; services.pcscd.enable = true;

6
common/server/ceph.nix
View File

@@ -3,9 +3,9 @@
with lib; with lib;
let let
cfg = config.ceph; cfg = config.ceph;
in { in
options.ceph = { {
}; options.ceph = { };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# ceph.enable = true; # ceph.enable = true;

4
common/server/default.nix
View File

@@ -14,5 +14,9 @@
./radio.nix ./radio.nix
./samba.nix ./samba.nix
./owncast.nix ./owncast.nix
./mailserver.nix
./nextcloud.nix
./iodine.nix
./searx.nix
]; ];
} }

36
common/server/gitea.nix
View File

@@ -1,8 +1,9 @@
{ lib, config, ... }: { lib, pkgs, config, ... }:
let let
cfg = config.services.gitea; cfg = config.services.gitea;
in { in
{
options.services.gitea = { options.services.gitea = {
hostname = lib.mkOption { hostname = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@@ -14,11 +15,8 @@ in {
domain = cfg.hostname; domain = cfg.hostname;
rootUrl = "https://${cfg.hostname}/"; rootUrl = "https://${cfg.hostname}/";
appName = cfg.hostname; appName = cfg.hostname;
ssh.enable = true;
# lfs.enable = true; # lfs.enable = true;
dump.enable = true; # dump.enable = true;
cookieSecure = true;
disableRegistration = true;
settings = { settings = {
other = { other = {
SHOW_FOOTER_VERSION = false; SHOW_FOOTER_VERSION = false;
@@ -26,8 +24,34 @@ in {
ui = { ui = {
DEFAULT_THEME = "arc-green"; DEFAULT_THEME = "arc-green";
}; };
service = {
DISABLE_REGISTRATION = true;
};
session = {
COOKIE_SECURE = true;
};
mailer = {
ENABLED = true;
MAILER_TYPE = "smtp";
SMTP_ADDR = "mail.neet.dev";
SMTP_PORT = "465";
IS_TLS_ENABLED = true;
USER = "robot@runyan.org";
FROM = "no-reply@neet.dev";
};
}; };
mailerPasswordFile = "/run/agenix/robots-email-pw";
}; };
age.secrets.robots-email-pw = {
file = ../../secrets/robots-email-pw.age;
owner = config.services.gitea.user;
};
# backups
backup.group."gitea".paths = [
config.services.gitea.stateDir
];
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.virtualHosts.${cfg.hostname} = { services.nginx.virtualHosts.${cfg.hostname} = {
enableACME = true; enableACME = true;

2
common/server/hydra.nix
View File

@@ -20,6 +20,6 @@ in
hydraURL = "https://${domain}"; hydraURL = "https://${domain}";
useSubstitutes = true; useSubstitutes = true;
notificationSender = notifyEmail; notificationSender = notifyEmail;
buildMachinesFiles = []; buildMachinesFiles = [ ];
}; };
} }

3
common/server/icecast.nix
View File

@@ -7,7 +7,8 @@
let let
cfg = config.services.icecast; cfg = config.services.icecast;
in { in
{
options.services.icecast = { options.services.icecast = {
mount = lib.mkOption { mount = lib.mkOption {
type = lib.types.str; type = lib.types.str;

21
common/server/iodine.nix Normal file
View File

@@ -0,0 +1,21 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.iodine.server;
in
{
config = lib.mkIf cfg.enable {
# iodine DNS-based vpn
services.iodine.server = {
ip = "192.168.99.1";
domain = "tun.neet.dev";
passwordFile = "/run/agenix/iodine";
};
age.secrets.iodine.file = ../../secrets/iodine.age;
networking.firewall.allowedUDPPorts = [ 53 ];
networking.nat.internalInterfaces = [
"dns0" # iodine
];
};
}

100
common/server/mailserver.nix Normal file
View File

@@ -0,0 +1,100 @@
{ config, pkgs, lib, ... }:
with builtins;
let
cfg = config.mailserver;
domains = [
"neet.space"
"neet.dev"
"neet.cloud"
"runyan.org"
"runyan.rocks"
"thunderhex.com"
"tar.ninja"
"bsd.ninja"
"bsd.rocks"
];
in
{
config = lib.mkIf cfg.enable {
# kresd doesn't work with tailscale MagicDNS
mailserver.localDnsResolver = false;
services.resolved.enable = true;
mailserver = {
fqdn = "mail.neet.dev";
dkimKeyBits = 2048;
indexDir = "/var/lib/mailindex";
enableManageSieve = true;
fullTextSearch.enable = true;
fullTextSearch.indexAttachments = true;
fullTextSearch.memoryLimit = 500;
inherit domains;
loginAccounts = {
"jeremy@runyan.org" = {
hashedPasswordFile = "/run/agenix/email-pw";
# catchall for all domains
aliases = map (domain: "@${domain}") domains;
};
"robot@runyan.org" = {
aliases = [
"no-reply@neet.dev"
"robot@neet.dev"
];
sendOnly = true;
hashedPasswordFile = "/run/agenix/hashed-robots-email-pw";
};
};
rejectRecipients = [
"george@runyan.org"
"joslyn@runyan.org"
"damon@runyan.org"
"jonas@runyan.org"
];
certificateScheme = 3; # use let's encrypt for certs
};
age.secrets.email-pw.file = ../../secrets/email-pw.age;
age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
# sendmail to use xxx@domain instead of xxx@mail.domain
services.postfix.origin = "$mydomain";
# relay sent mail through mailgun
# https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
services.postfix.config = {
smtp_sasl_auth_enable = "yes";
smtp_sasl_security_options = "noanonymous";
smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
smtp_use_tls = "yes";
sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
smtp_sender_dependent_authentication = "yes";
};
services.postfix.mapFiles.sender_relay =
let
relayHost = "[smtp.mailgun.org]:587";
in
pkgs.writeText "sender_relay"
(concatStringsSep "\n" (map (domain: "@${domain} ${relayHost}") domains));
services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
# webmail
services.nginx.enable = true;
services.roundcube = {
enable = true;
hostName = config.mailserver.fqdn;
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match the certificate
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
};
# backups
backup.group."email".paths = [
config.mailserver.mailDirectory
];
};
}

18
common/server/matrix.nix
View File

@@ -3,7 +3,8 @@
let let
cfg = config.services.matrix; cfg = config.services.matrix;
certs = config.security.acme.certs; certs = config.security.acme.certs;
in { in
{
options.services.matrix = { options.services.matrix = {
enable = lib.mkEnableOption "enable matrix"; enable = lib.mkEnableOption "enable matrix";
element-web = { element-web = {
@@ -62,15 +63,15 @@ in {
settings = { settings = {
server_name = cfg.host; server_name = cfg.host;
enable_registration = cfg.enable_registration; enable_registration = cfg.enable_registration;
listeners = [ { listeners = [{
bind_addresses = ["127.0.0.1"]; bind_addresses = [ "127.0.0.1" ];
port = cfg.port; port = cfg.port;
tls = false; tls = false;
resources = [ { resources = [{
compress = true; compress = true;
names = [ "client" "federation" ]; names = [ "client" "federation" ];
} ]; }];
} ]; }];
turn_uris = [ turn_uris = [
"turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=udp" "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=udp"
"turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=tcp" "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=tcp"
@@ -120,7 +121,7 @@ in {
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts.${cfg.host} = { virtualHosts.${cfg.host} = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
listen = [ listen = [
@@ -137,7 +138,8 @@ in {
]; ];
locations."/".proxyPass = "http://localhost:${toString cfg.port}"; locations."/".proxyPass = "http://localhost:${toString cfg.port}";
}; };
virtualHosts.${cfg.turn.host} = { # get TLS cert for TURN server virtualHosts.${cfg.turn.host} = {
# get TLS cert for TURN server
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
}; };

3
common/server/mumble.nix
View File

@@ -3,7 +3,8 @@
let let
cfg = config.services.murmur; cfg = config.services.murmur;
certs = config.security.acme.certs; certs = config.security.acme.certs;
in { in
{
options.services.murmur.domain = lib.mkOption { options.services.murmur.domain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
}; };

34
common/server/nextcloud.nix Normal file
View File

@@ -0,0 +1,34 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.nextcloud;
in
{
config = lib.mkIf cfg.enable {
services.nextcloud = {
https = true;
package = pkgs.nextcloud25;
hostName = "neet.cloud";
config.dbtype = "sqlite";
config.adminuser = "jeremy";
config.adminpassFile = "/run/agenix/nextcloud-pw";
autoUpdateApps.enable = true;
enableBrokenCiphersForSSE = false;
};
age.secrets.nextcloud-pw = {
file = ../../secrets/nextcloud-pw.age;
owner = "nextcloud";
};
# backups
backup.group."nextcloud".paths = [
config.services.nextcloud.home
];
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
enableACME = true;
forceSSL = true;
};
};
}

3
common/server/nginx-stream.nix
View File

@@ -5,7 +5,8 @@ let
nginxWithRTMP = pkgs.nginx.override { nginxWithRTMP = pkgs.nginx.override {
modules = [ pkgs.nginxModules.rtmp ]; modules = [ pkgs.nginxModules.rtmp ];
}; };
in { in
{
options.services.nginx.stream = { options.services.nginx.stream = {
enable = lib.mkEnableOption "enable nginx rtmp/hls/dash video streaming"; enable = lib.mkEnableOption "enable nginx rtmp/hls/dash video streaming";
port = lib.mkOption { port = lib.mkOption {

3
common/server/nginx.nix
View File

@@ -2,7 +2,8 @@
let let
cfg = config.services.nginx; cfg = config.services.nginx;
in { in
{
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.nginx = { services.nginx = {
recommendedGzipSettings = true; recommendedGzipSettings = true;

3
common/server/owncast.nix
View File

@@ -4,7 +4,8 @@ with lib;
let let
cfg = config.services.owncast; cfg = config.services.owncast;
in { in
{
options.services.owncast = { options.services.owncast = {
hostname = lib.mkOption { hostname = lib.mkOption {
type = types.str; type = types.str;

5
common/server/privatebin/privatebin.nix
View File

@@ -14,7 +14,8 @@ let
cp -ar $src $out cp -ar $src $out
''; '';
}; };
in { in
{
options.services.privatebin = { options.services.privatebin = {
enable = lib.mkEnableOption "enable privatebin"; enable = lib.mkEnableOption "enable privatebin";
host = lib.mkOption { host = lib.mkOption {
@@ -30,7 +31,7 @@ in {
group = "privatebin"; group = "privatebin";
isSystemUser = true; isSystemUser = true;
}; };
users.groups.privatebin = {}; users.groups.privatebin = { };
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.virtualHosts.${cfg.host} = { services.nginx.virtualHosts.${cfg.host} = {

9
common/server/radio.nix
View File

@@ -3,7 +3,8 @@
let let
cfg = config.services.radio; cfg = config.services.radio;
radioPackage = config.inputs.radio.packages.${config.currentSystem}.radio; radioPackage = config.inputs.radio.packages.${config.currentSystem}.radio;
in { in
{
options.services.radio = { options.services.radio = {
enable = lib.mkEnableOption "enable radio"; enable = lib.mkEnableOption "enable radio";
user = lib.mkOption { user = lib.mkOption {
@@ -56,11 +57,11 @@ in {
home = cfg.dataDir; home = cfg.dataDir;
createHome = true; createHome = true;
}; };
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = { };
systemd.services.radio = { systemd.services.radio = {
enable = true; enable = true;
after = ["network.target"]; after = [ "network.target" ];
wantedBy = ["multi-user.target"]; wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${radioPackage}/bin/radio ${config.services.icecast.listen.address}:${toString config.services.icecast.listen.port} ${config.services.icecast.mount} 5500"; serviceConfig.ExecStart = "${radioPackage}/bin/radio ${config.services.icecast.listen.address}:${toString config.services.icecast.listen.port} ${config.services.icecast.mount} 5500";
serviceConfig.User = cfg.user; serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group; serviceConfig.Group = cfg.group;

13
common/server/samba.nix
View File

@@ -25,9 +25,7 @@
printing = cups printing = cups
printcap name = cups printcap name = cups
# horrible files hide files = /.nobackup/.DS_Store/._.DS_Store/
veto files = /._*/.DS_Store/ /._*/._.DS_Store/
delete veto files = yes
''; '';
shares = { shares = {
@@ -77,6 +75,13 @@
}; };
}; };
# backups
backup.group."samba".paths = [
config.services.samba.shares.googlebot.path
config.services.samba.shares.cris.path
config.services.samba.shares.public.path
];
# Windows discovery of samba server # Windows discovery of samba server
services.samba-wsdd = { services.samba-wsdd = {
enable = true; enable = true;
@@ -110,6 +115,6 @@
# samba user for share # samba user for share
users.users.cris.isSystemUser = true; users.users.cris.isSystemUser = true;
users.users.cris.group = "cris"; users.users.cris.group = "cris";
users.groups.cris = {}; users.groups.cris = { };
}; };
} }

30
common/server/searx.nix Normal file
View File

@@ -0,0 +1,30 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.searx;
in
{
config = lib.mkIf cfg.enable {
services.searx = {
environmentFile = "/run/agenix/searx";
settings = {
server.port = 43254;
server.secret_key = "@SEARX_SECRET_KEY@";
engines = [{
name = "wolframalpha";
shortcut = "wa";
api_key = "@WOLFRAM_API_KEY@";
engine = "wolframalpha_api";
}];
};
};
services.nginx.virtualHosts."search.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
};
};
age.secrets.searx.file = ../../secrets/searx.age;
};
}

9
common/server/thelounge.nix
View File

@@ -2,7 +2,8 @@
let let
cfg = config.services.thelounge; cfg = config.services.thelounge;
in { in
{
options.services.thelounge = { options.services.thelounge = {
fileUploadBaseUrl = lib.mkOption { fileUploadBaseUrl = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@@ -28,7 +29,7 @@ in {
reverseProxy = true; reverseProxy = true;
maxHistory = -1; maxHistory = -1;
https.enable = false; https.enable = false;
# theme = "thelounge-theme-solarized"; # theme = "thelounge-theme-solarized";
prefetch = false; prefetch = false;
prefetchStorage = false; prefetchStorage = false;
fileUpload = { fileUpload = {
@@ -42,6 +43,10 @@ in {
}; };
}; };
backup.group."thelounge".paths = [
"/var/lib/thelounge/"
];
# the lounge client # the lounge client
services.nginx.virtualHosts.${cfg.host} = { services.nginx.virtualHosts.${cfg.host} = {
enableACME = true; enableACME = true;

51
common/server/video-stream.nix
View File

@@ -15,14 +15,14 @@ let
in in
{ {
networking.firewall.allowedUDPPorts = [ rtp-port ]; networking.firewall.allowedUDPPorts = [ rtp-port ];
networking.firewall.allowedTCPPortRanges = [ { networking.firewall.allowedTCPPortRanges = [{
from = webrtc-peer-lower-port; from = webrtc-peer-lower-port;
to = webrtc-peer-upper-port; to = webrtc-peer-upper-port;
} ]; }];
networking.firewall.allowedUDPPortRanges = [ { networking.firewall.allowedUDPPortRanges = [{
from = webrtc-peer-lower-port; from = webrtc-peer-lower-port;
to = webrtc-peer-upper-port; to = webrtc-peer-upper-port;
} ]; }];
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
@@ -49,12 +49,12 @@ in
ports = [ ports = [
"${toStr ingest-port}:8084" "${toStr ingest-port}:8084"
]; ];
# imageFile = pkgs.dockerTools.pullImage { # imageFile = pkgs.dockerTools.pullImage {
# imageName = "projectlightspeed/ingest"; # imageName = "projectlightspeed/ingest";
# finalImageTag = "version-0.1.4"; # finalImageTag = "version-0.1.4";
# imageDigest = "sha256:9fc51833b7c27a76d26e40f092b9cec1ac1c4bfebe452e94ad3269f1f73ff2fc"; # imageDigest = "sha256:9fc51833b7c27a76d26e40f092b9cec1ac1c4bfebe452e94ad3269f1f73ff2fc";
# sha256 = "19kxl02x0a3i6hlnsfcm49hl6qxnq2f3hfmyv1v8qdaz58f35kd5"; # sha256 = "19kxl02x0a3i6hlnsfcm49hl6qxnq2f3hfmyv1v8qdaz58f35kd5";
# }; # };
}; };
"lightspeed-react" = { "lightspeed-react" = {
workdir = "/var/lib/lightspeed-react"; workdir = "/var/lib/lightspeed-react";
@@ -62,12 +62,12 @@ in
ports = [ ports = [
"${toStr web-port}:80" "${toStr web-port}:80"
]; ];
# imageFile = pkgs.dockerTools.pullImage { # imageFile = pkgs.dockerTools.pullImage {
# imageName = "projectlightspeed/react"; # imageName = "projectlightspeed/react";
# finalImageTag = "version-0.1.3"; # finalImageTag = "version-0.1.3";
# imageDigest = "sha256:b7c58425f1593f7b4304726b57aa399b6e216e55af9c0962c5c19333fae638b6"; # imageDigest = "sha256:b7c58425f1593f7b4304726b57aa399b6e216e55af9c0962c5c19333fae638b6";
# sha256 = "0d2jh7mr20h7dxgsp7ml7cw2qd4m8ja9rj75dpy59zyb6v0bn7js"; # sha256 = "0d2jh7mr20h7dxgsp7ml7cw2qd4m8ja9rj75dpy59zyb6v0bn7js";
# }; # };
}; };
"lightspeed-webrtc" = { "lightspeed-webrtc" = {
workdir = "/var/lib/lightspeed-webrtc"; workdir = "/var/lib/lightspeed-webrtc";
@@ -79,15 +79,18 @@ in
"${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}:${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}/udp" "${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}:${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}/udp"
]; ];
cmd = [ cmd = [
"lightspeed-webrtc" "--addr=0.0.0.0" "--ip=${domain}" "lightspeed-webrtc"
"--ports=${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}" "run" "--addr=0.0.0.0"
"--ip=${domain}"
"--ports=${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}"
"run"
]; ];
# imageFile = pkgs.dockerTools.pullImage { # imageFile = pkgs.dockerTools.pullImage {
# imageName = "projectlightspeed/webrtc"; # imageName = "projectlightspeed/webrtc";
# finalImageTag = "version-0.1.2"; # finalImageTag = "version-0.1.2";
# imageDigest = "sha256:ddf8b3dd294485529ec11d1234a3fc38e365a53c4738998c6bc2c6930be45ecf"; # imageDigest = "sha256:ddf8b3dd294485529ec11d1234a3fc38e365a53c4738998c6bc2c6930be45ecf";
# sha256 = "1bdy4ak99fjdphj5bsk8rp13xxmbqdhfyfab14drbyffivg9ad2i"; # sha256 = "1bdy4ak99fjdphj5bsk8rp13xxmbqdhfyfab14drbyffivg9ad2i";
# }; # };
}; };
}; };
}; };

12
common/server/vscode/modules/vscode-server/default.nix
View File

@@ -1,8 +1,8 @@
import ./module.nix ({ name, description, serviceConfig }: import ./module.nix ({ name, description, serviceConfig }:
{ {
systemd.user.services.${name} = { systemd.user.services.${name} = {
inherit description serviceConfig; inherit description serviceConfig;
wantedBy = [ "default.target" ]; wantedBy = [ "default.target" ];
}; };
}) })

20
common/server/vscode/modules/vscode-server/home.nix
View File

@@ -1,15 +1,15 @@
import ./module.nix ({ name, description, serviceConfig }: import ./module.nix ({ name, description, serviceConfig }:
{ {
systemd.user.services.${name} = { systemd.user.services.${name} = {
Unit = { Unit = {
Description = description; Description = description;
}; };
Service = serviceConfig; Service = serviceConfig;
Install = { Install = {
WantedBy = [ "default.target" ]; WantedBy = [ "default.target" ];
};
}; };
}; })
})

3
common/server/zerobin.nix
View File

@@ -2,7 +2,8 @@
let let
cfg = config.services.zerobin; cfg = config.services.zerobin;
in { in
{
options.services.zerobin = { options.services.zerobin = {
host = lib.mkOption { host = lib.mkOption {
type = lib.types.str; type = lib.types.str;

56
common/shell.nix
View File

@@ -1,36 +1,28 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
# Improvements to the default shell # Improvements to the default shell
# - use nix-locate for command-not-found # - use nix-index for command-not-found
# - disable fish's annoying greeting message # - disable fish's annoying greeting message
# - add some handy shell commands # - add some handy shell commands
let {
nix-locate = config.inputs.nix-locate.packages.${config.currentSystem}.default; environment.systemPackages = with pkgs; [
in { comma
programs.command-not-found.enable = false;
environment.systemPackages = [
nix-locate
]; ];
# nix-index
programs.nix-index.enable = true;
programs.nix-index.enableFishIntegration = true;
programs.command-not-found.enable = false;
programs.fish = { programs.fish = {
enable = true; enable = true;
shellInit = let shellInit = ''
wrapper = pkgs.writeScript "command-not-found" ''
#!${pkgs.bash}/bin/bash
source ${nix-locate}/etc/profile.d/command-not-found.sh
command_not_found_handle "$@"
'';
in ''
# use nix-locate for command-not-found functionality
function __fish_command_not_found_handler --on-event fish_command_not_found
${wrapper} $argv
end
# disable annoying fish shell greeting # disable annoying fish shell greeting
set fish_greeting set fish_greeting
alias sudo="doas"
''; '';
}; };
@@ -38,9 +30,23 @@ in {
myip = "dig +short myip.opendns.com @resolver1.opendns.com"; myip = "dig +short myip.opendns.com @resolver1.opendns.com";
# https://linuxreviews.org/HOWTO_Test_Disk_I/O_Performance # https://linuxreviews.org/HOWTO_Test_Disk_I/O_Performance
io_seq_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file"; io_seq_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
io_seq_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file"; io_seq_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
io_rand_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file"; io_rand_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file";
io_rand_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file"; io_rand_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
}; };
nixpkgs.overlays = [
(final: prev: {
# comma uses the "nix-index" package built into nixpkgs by default.
# That package doesn't use the prebuilt nix-index database so it needs to be changed.
comma = prev.comma.overrideAttrs (old: {
postInstall = ''
wrapProgram $out/bin/comma \
--prefix PATH : ${lib.makeBinPath [ prev.fzy config.programs.nix-index.package ]}
ln -s $out/bin/comma $out/bin/,
'';
});
})
];
} }

43
common/ssh.nix
View File

@@ -2,62 +2,37 @@ rec {
users = [ users = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0VFnn3+Mh0nWeN92jov81qNE9fpzTAHYBphNoY7HUx" # reg
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP" # ray "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP" # ray
]; ];
system = { system = {
liza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDY/pNyWedEfU7Tq9ikGbriRuF1ZWkHhegGS17L0Vcdl";
ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN"; ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi"; ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB"; ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
router-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q"; s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt"; s0-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr";
n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5";
n4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINYm2ROIfCeGz6QtDwqAmcj2DX9tq2CZn0eLhskdvB4Z";
n5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5Qhvwq3PiHEKf+2/4w5ZJkSMNzFLhIRrPOR98m7wW4";
n6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/P/pa9+qhKAPfvvd8xSO2komJqDW0M1nCK7ZrP6PO7";
n7 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtOlOvTlMX2mxPaXDJ6VlMe5rmroUXpKmJVNxgV32xL";
}; };
higherTrustUserKeys = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEaGIwLiUa6wQLlEF+keQOIYy/tCmJvV6eENzUQjSqW2AAAABHNzaDo=" # ray fido
];
# groups # groups
systems = with system; [ systems = with system; [
liza
ponyo ponyo
ray ray
router
s0 s0
n1
n2
n3
n4
n5
n6
n7
]; ];
personal = with system; [ personal = with system; [
ray ray
]; ];
servers = with system; [ servers = with system; [
liza
ponyo ponyo
router
s0 s0
n1
n2
n3
n4
n5
n6
n7
];
compute = with system; [
n1
n2
n3
n4
n5
n6
n7
]; ];
storage = with system; [ storage = with system; [
s0 s0

73
flake.lock generated
View File

@@ -105,6 +105,31 @@
"type": "github" "type": "github"
} }
}, },
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
],
"utils": [
"simple-nixos-mailserver",
"utils"
]
},
"locked": {
"lastModified": 1674127017,
"narHash": "sha256-QO1xF7stu5ZMDLbHN30LFolMAwY6TVlzYvQoUs1RD68=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "8c9ea9605eed20528bf60fae35a2b613b901fd77",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -136,39 +161,38 @@
"type": "github" "type": "github"
} }
}, },
"nix-locate": { "nix-index-database": {
"inputs": { "inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1673969751, "lastModified": 1677382901,
"narHash": "sha256-U6aYz3lqZ4NVEGEWiti1i0FyqEo4bUjnTAnA73DPnNU=", "narHash": "sha256-2idFWlTVG+qUZkU2/W50amGSIxmN56igIkMAXKbv4S4=",
"owner": "bennofs", "owner": "Mic92",
"repo": "nix-index", "repo": "nix-index-database",
"rev": "5f98881b1ed27ab6656e6d71b534f88430f6823a", "rev": "4306fa7c12e098360439faac1a2e6b8e509ec97c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "bennofs", "owner": "Mic92",
"repo": "nix-index", "repo": "nix-index-database",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1672580127, "lastModified": 1677823547,
"narHash": "sha256-3lW3xZslREhJogoOkjeZtlBtvFMyxHku7I/9IVehhT8=", "narHash": "sha256-xD2qco8Pw8HAXgjf9OSi2H2N20WaTrtvgcl21525kVE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "0874168639713f547c05947c76124f78441ea46c", "rev": "78c4d33c16092e535bc4ba1284ba49e3e138483a",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-22.05", "ref": "master",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@@ -188,20 +212,16 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-hostapd-pr": {
"flake": false,
"locked": { "locked": {
"lastModified": 1675835843, "narHash": "sha256-1rGQKcB1jeRPc1n021ulyOVkA6L6xmNYKmeqQ94+iRc=",
"narHash": "sha256-y1dSCQPcof4CWzRYRqDj4qZzbBl+raVPAko5Prdil28=", "type": "file",
"owner": "NixOS", "url": "https://github.com/NixOS/nixpkgs/pull/222536.patch"
"repo": "nixpkgs",
"rev": "32f914af34f126f54b45e482fb2da4ae78f3095f",
"type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "type": "file",
"ref": "master", "url": "https://github.com/NixOS/nixpkgs/pull/222536.patch"
"repo": "nixpkgs",
"type": "github"
} }
}, },
"radio": { "radio": {
@@ -250,10 +270,11 @@
"agenix": "agenix", "agenix": "agenix",
"archivebox": "archivebox", "archivebox": "archivebox",
"dailybuild_modules": "dailybuild_modules", "dailybuild_modules": "dailybuild_modules",
"deploy-rs": "deploy-rs",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nix-locate": "nix-locate", "nix-index-database": "nix-index-database",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-hostapd-pr": "nixpkgs-hostapd-pr",
"radio": "radio", "radio": "radio",
"radio-web": "radio-web", "radio-web": "radio-web",
"simple-nixos-mailserver": "simple-nixos-mailserver" "simple-nixos-mailserver": "simple-nixos-mailserver"

163
flake.nix
View File

@@ -1,13 +1,11 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05"; nixpkgs.url = "github:NixOS/nixpkgs/master";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/master"; # nixpkgs-patch-howdy.url = "https://github.com/NixOS/nixpkgs/pull/216245.diff";
# nixpkgs-patch-howdy.flake = false;
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
nix-locate.url = "github:bennofs/nix-index";
nix-locate.inputs.nixpkgs.follows = "nixpkgs";
# mail server # mail server
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05"; simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs"; simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
@@ -32,73 +30,110 @@
archivebox.url = "git+https://git.neet.dev/zuckerberg/archivebox.git"; archivebox.url = "git+https://git.neet.dev/zuckerberg/archivebox.git";
archivebox.inputs.nixpkgs.follows = "nixpkgs"; archivebox.inputs.nixpkgs.follows = "nixpkgs";
archivebox.inputs.flake-utils.follows = "flake-utils"; archivebox.inputs.flake-utils.follows = "flake-utils";
# nixos config deployment
deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.inputs.utils.follows = "simple-nixos-mailserver/utils";
# prebuilt nix-index database
nix-index-database.url = "github:Mic92/nix-index-database";
nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
nixpkgs-hostapd-pr.url = "https://github.com/NixOS/nixpkgs/pull/222536.patch";
nixpkgs-hostapd-pr.flake = false;
}; };
outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs: { outputs = { self, nixpkgs, ... }@inputs: {
nixosConfigurations = nixosConfigurations =
let let
modules = system: [ modules = system: with inputs; [
./common ./common
inputs.simple-nixos-mailserver.nixosModule simple-nixos-mailserver.nixosModule
inputs.agenix.nixosModules.default agenix.nixosModules.default
inputs.dailybuild_modules.nixosModule dailybuild_modules.nixosModule
inputs.archivebox.nixosModule archivebox.nixosModule
({ lib, ... }: { nix-index-database.nixosModules.nix-index
config.environment.systemPackages = [ ({ lib, ... }: {
inputs.agenix.packages.${system}.agenix config.environment.systemPackages = [
]; agenix.packages.${system}.agenix
];
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
options.inputs = lib.mkOption { default = inputs; }; options.inputs = lib.mkOption { default = inputs; };
options.currentSystem = lib.mkOption { default = system; }; options.currentSystem = lib.mkOption { default = system; };
}) })
]; ];
mkSystem = system: nixpkgs: path: mkSystem = system: nixpkgs: path:
let let
allModules = modules system; allModules = modules system;
in nixpkgs.lib.nixosSystem {
inherit system;
modules = allModules ++ [path];
specialArgs = { # allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920
inherit allModules; patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches {
name = "nixpkgs-patched";
src = nixpkgs;
patches = [
inputs.nixpkgs-hostapd-pr
];
};
patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
in
patchedNixpkgs.lib.nixosSystem {
inherit system;
modules = allModules ++ [ path ];
specialArgs = {
inherit allModules;
};
}; };
}; in
in {
{ "ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix;
"reg" = mkSystem "x86_64-linux" nixpkgs ./machines/reg/configuration.nix; # "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
"ray" = mkSystem "x86_64-linux" nixpkgs-unstable ./machines/ray/configuration.nix; "ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
"nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix; "router" = mkSystem "x86_64-linux" nixpkgs ./machines/router/configuration.nix;
"liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix; "s0" = mkSystem "x86_64-linux" nixpkgs ./machines/storage/s0/configuration.nix;
"ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix; };
"s0" = mkSystem "aarch64-linux" nixpkgs-unstable ./machines/storage/s0/configuration.nix;
"n1" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n1/configuration.nix;
"n2" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n2/configuration.nix;
"n3" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n3/configuration.nix;
"n4" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n4/configuration.nix;
"n5" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n5/configuration.nix;
"n6" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n6/configuration.nix;
"n7" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n7/configuration.nix;
};
packages = let packages =
mkKexec = system: let
(nixpkgs.lib.nixosSystem { mkKexec = system:
inherit system; (nixpkgs.lib.nixosSystem {
modules = [ ./machines/ephemeral/kexec.nix ]; inherit system;
}).config.system.build.kexec_tarball; modules = [ ./machines/ephemeral/kexec.nix ];
mkIso = system: }).config.system.build.kexec_tarball;
(nixpkgs.lib.nixosSystem { mkIso = system:
inherit system; (nixpkgs.lib.nixosSystem {
modules = [ ./machines/ephemeral/iso.nix ]; inherit system;
}).config.system.build.isoImage; modules = [ ./machines/ephemeral/iso.nix ];
in { }).config.system.build.isoImage;
"x86_64-linux"."kexec" = mkKexec "x86_64-linux"; in
"x86_64-linux"."iso" = mkIso "x86_64-linux"; {
"aarch64-linux"."kexec" = mkKexec "aarch64-linux"; "x86_64-linux"."kexec" = mkKexec "x86_64-linux";
"aarch64-linux"."iso" = mkIso "aarch64-linux"; "x86_64-linux"."iso" = mkIso "x86_64-linux";
}; "aarch64-linux"."kexec" = mkKexec "aarch64-linux";
"aarch64-linux"."iso" = mkIso "aarch64-linux";
};
deploy.nodes =
let
mkDeploy = configName: hostname: {
inherit hostname;
magicRollback = false;
sshUser = "root";
profiles.system.path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${configName};
};
in
{
s0 = mkDeploy "s0" "s0";
router = mkDeploy "router" "router";
ponyo = mkDeploy "ponyo" "ponyo.neet.dev";
};
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
}; };
} }

24
machines/compute/common.nix
View File

@@ -1,24 +0,0 @@
{ config, ... }:
{
# NixOS wants to enable GRUB by default
boot.loader.grub.enable = false;
# Enables the generation of /boot/extlinux/extlinux.conf
boot.loader.generic-extlinux-compatible.enable = true;
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
system.autoUpgrade.enable = true;
networking.interfaces.eth0.useDHCP = true;
hardware.deviceTree.enable = true;
hardware.deviceTree.overlays = [
./sopine-baseboard-ethernet.dtbo # fix pine64 clusterboard ethernet
];
}

9
machines/compute/n1/configuration.nix
View File

@@ -1,9 +0,0 @@
{ config, ... }:
{
imports = [
../common.nix
];
networking.hostName = "n1";
}

9
machines/compute/n2/configuration.nix
View File

@@ -1,9 +0,0 @@
{ config, ... }:
{
imports = [
../common.nix
];
networking.hostName = "n2";
}

9
machines/compute/n3/configuration.nix
View File

@@ -1,9 +0,0 @@
{ config, ... }:
{
imports = [
../common.nix
];
networking.hostName = "n3";
}

9
machines/compute/n4/configuration.nix
View File

@@ -1,9 +0,0 @@
{ config, ... }:
{
imports = [
../common.nix
];
networking.hostName = "n4";
}

9
machines/compute/n5/configuration.nix
View File

@@ -1,9 +0,0 @@
{ config, ... }:
{
imports = [
../common.nix
];
networking.hostName = "n5";
}

9
machines/compute/n6/configuration.nix
View File

@@ -1,9 +0,0 @@
{ config, ... }:
{
imports = [
../common.nix
];
networking.hostName = "n6";
}

9
machines/compute/n7/configuration.nix
View File

@@ -1,9 +0,0 @@
{ config, ... }:
{
imports = [
../common.nix
];
networking.hostName = "n7";
}

BIN
machines/compute/sopine-baseboard-ethernet.dtbo
View File

Binary file not shown.

15
machines/compute/sopine-baseboard-ethernet.dts
View File

@@ -1,15 +0,0 @@
/dts-v1/;
/ {
model = "SoPine with baseboard";
compatible = "pine64,sopine-baseboard\0pine64,sopine\0allwinner,sun50i-a64";
fragment@0 {
/* target = <&ethernet@1c30000>; */
target-path = "/soc/ethernet@1c30000";
__overlay__ {
allwinner,tx-delay-ps = <500>;
};
};
};

27
machines/ephemeral/minimal.nix
View File

@@ -1,18 +1,37 @@
{ pkgs, ... }: { pkgs, modulesPath, ... }:
{ {
imports = [
(modulesPath + "/installer/cd-dvd/channel.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
boot.kernelParams = [ boot.kernelParams = [
"panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues "panic=30"
"console=ttyS0" # enable serial console "boot.panic_on_fail" # reboot the machine upon fatal boot issues
"console=ttyS0,115200" # enable serial console
"console=tty1" "console=tty1"
]; ];
boot.kernel.sysctl."vm.overcommit_memory" = "1"; boot.kernel.sysctl."vm.overcommit_memory" = "1";
boot.kernelPackages = pkgs.linuxPackages_latest;
# hardware.enableAllFirmware = true;
# nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
cryptsetup cryptsetup
btrfs-progs btrfs-progs
git
git-lfs
wget
htop
dnsutils
pciutils
usbutils
lm_sensors
]; ];
environment.variables.GC_INITIAL_HEAP_SIZE = "1M"; environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
networking.useDHCP = true; networking.useDHCP = true;
@@ -24,5 +43,5 @@
}; };
services.getty.autologinUser = "root"; services.getty.autologinUser = "root";
users.users.root.openssh.authorizedKeys.keys = (import ../common/ssh.nix).users; users.users.root.openssh.authorizedKeys.keys = (import ../../common/ssh.nix).users;
} }

110
machines/liza/configuration.nix
View File

@@ -1,110 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =[
./hardware-configuration.nix
];
# 5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion
firmware.x86_64.enable = true;
bios = {
enable = true;
device = "/dev/sda";
};
luks = {
enable = true;
device.path = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297";
};
system.autoUpgrade.enable = true;
networking.hostName = "liza";
networking.interfaces.enp1s0.useDHCP = true;
mailserver = {
enable = true;
fqdn = "mail.neet.dev";
dkimKeyBits = 2048;
indexDir = "/var/lib/mailindex";
enableManageSieve = true;
fullTextSearch.enable = true;
fullTextSearch.indexAttachments = true;
fullTextSearch.memoryLimit = 500;
domains = [
"neet.space" "neet.dev" "neet.cloud"
"runyan.org" "runyan.rocks"
"thunderhex.com" "tar.ninja"
"bsd.ninja" "bsd.rocks"
];
loginAccounts = {
"jeremy@runyan.org" = {
hashedPasswordFile = "/run/agenix/email-pw";
aliases = [
"@neet.space" "@neet.cloud" "@neet.dev"
"@runyan.org" "@runyan.rocks"
"@thunderhex.com" "@tar.ninja"
"@bsd.ninja" "@bsd.rocks"
];
};
};
rejectRecipients = [
"george@runyan.org"
"joslyn@runyan.org"
"damon@runyan.org"
"jonas@runyan.org"
];
certificateScheme = 3; # use let's encrypt for certs
};
age.secrets.email-pw.file = ../../secrets/email-pw.age;
# sendmail to use xxx@domain instead of xxx@mail.domain
services.postfix.origin = "$mydomain";
# relay sent mail through mailgun
# https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
services.postfix.config = {
smtp_sasl_auth_enable = "yes";
smtp_sasl_security_options = "noanonymous";
smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
smtp_use_tls = "yes";
sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
smtp_sender_dependent_authentication = "yes";
};
services.postfix.mapFiles.sender_relay = let
relayHost = "[smtp.mailgun.org]:587";
in pkgs.writeText "sender_relay" ''
@neet.space ${relayHost}
@neet.cloud ${relayHost}
@neet.dev ${relayHost}
@runyan.org ${relayHost}
@runyan.rocks ${relayHost}
@thunderhex.com ${relayHost}
@tar.ninja ${relayHost}
@bsd.ninja ${relayHost}
@bsd.rocks ${relayHost}
'';
services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
services.nextcloud = {
enable = true;
https = true;
package = pkgs.nextcloud22;
hostName = "neet.cloud";
config.dbtype = "sqlite";
config.adminuser = "jeremy";
config.adminpassFile = "/run/agenix/nextcloud-pw";
autoUpdateApps.enable = true;
};
age.secrets.nextcloud-pw = {
file = ../../secrets/nextcloud-pw.age;
owner = "nextcloud";
};
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
enableACME = true;
forceSSL = true;
};
}

36
machines/liza/hardware-configuration.nix
View File

@@ -1,36 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "floppy" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df";
fsType = "btrfs";
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2b8f6f6d-9358-4d30-8341-7426574e0819";
fsType = "ext3";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/ef7a83db-4b33-41d1-85fc-cff69e480352"; }
];
}

2
machines/nat/configuration.nix
View File

@@ -10,8 +10,6 @@
networking.hostName = "nat"; networking.hostName = "nat";
networking.interfaces.ens160.useDHCP = true; networking.interfaces.ens160.useDHCP = true;
services.zerotierone.enable = true;
de.enable = true; de.enable = true;
de.touchpad.enable = true; de.touchpad.enable = true;
} }

6
machines/nat/hardware-configuration.nix
View File

@@ -12,12 +12,14 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/02a8c0c7-fd4e-4443-a83c-2d0b63848779"; {
device = "/dev/disk/by-uuid/02a8c0c7-fd4e-4443-a83c-2d0b63848779";
fsType = "btrfs"; fsType = "btrfs";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0C95-1290"; {
device = "/dev/disk/by-uuid/0C95-1290";
fsType = "vfat"; fsType = "vfat";
}; };

85
machines/ponyo/configuration.nix
View File

@@ -1,33 +1,30 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
imports =[ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
networking.hostName = "ponyo"; networking.hostName = "ponyo";
firmware.x86_64.enable = true;
bios = {
enable = true;
device = "/dev/sda";
};
luks = {
enable = true;
device.path = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
};
system.autoUpgrade.enable = true; system.autoUpgrade.enable = true;
services.zerotierone.enable = true; # p2p mesh network
services.tailscale.exitNode = true;
# email server
mailserver.enable = true;
# nextcloud
services.nextcloud.enable = true;
# git
services.gitea = { services.gitea = {
enable = true; enable = true;
hostname = "git.neet.dev"; hostname = "git.neet.dev";
disableRegistration = true;
}; };
# IRC
services.thelounge = { services.thelounge = {
enable = true; enable = true;
port = 9000; port = 9000;
@@ -39,12 +36,14 @@
}; };
}; };
# mumble
services.murmur = { services.murmur = {
enable = true; enable = true;
port = 23563; port = 23563;
domain = "voice.neet.space"; domain = "voice.neet.space";
}; };
# IRC bot
services.drastikbot = { services.drastikbot = {
enable = true; enable = true;
wolframAppIdFile = "/run/agenix/wolframalpha"; wolframAppIdFile = "/run/agenix/wolframalpha";
@@ -53,8 +52,11 @@
file = ../../secrets/wolframalpha.age; file = ../../secrets/wolframalpha.age;
owner = config.services.drastikbot.user; owner = config.services.drastikbot.user;
}; };
backup.group."dailybot".paths = [
config.services.drastikbot.dataDir
];
# wrap radio in a VPN # music radio
vpn-container.enable = true; vpn-container.enable = true;
vpn-container.config = { vpn-container.config = {
services.radio = { services.radio = {
@@ -62,11 +64,7 @@
host = "radio.runyan.org"; host = "radio.runyan.org";
}; };
}; };
pia.wireguard.badPortForwardPorts = [ ];
# tailscale
services.tailscale.exitNode = true;
# icecast endpoint + website
services.nginx.virtualHosts."radio.runyan.org" = { services.nginx.virtualHosts."radio.runyan.org" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@@ -81,6 +79,7 @@
}; };
}; };
# matrix home server
services.matrix = { services.matrix = {
enable = true; enable = true;
host = "neet.space"; host = "neet.space";
@@ -98,67 +97,36 @@
secret = "a8369a0e96922abf72494bb888c85831b"; secret = "a8369a0e96922abf72494bb888c85831b";
}; };
}; };
# pin postgresql for matrix (will need to migrate eventually)
services.postgresql.package = pkgs.postgresql_11; services.postgresql.package = pkgs.postgresql_11;
services.searx = {
enable = true;
environmentFile = "/run/agenix/searx";
settings = {
server.port = 43254;
server.secret_key = "@SEARX_SECRET_KEY@";
engines = [ {
name = "wolframalpha";
shortcut = "wa";
api_key = "@WOLFRAM_API_KEY@";
engine = "wolframalpha_api";
} ];
};
};
services.nginx.virtualHosts."search.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
};
};
age.secrets.searx.file = ../../secrets/searx.age;
# iodine DNS-based vpn # iodine DNS-based vpn
services.iodine.server = { services.iodine.server.enable = true;
enable = true;
ip = "192.168.99.1";
domain = "tun.neet.dev";
passwordFile = "/run/agenix/iodine";
};
age.secrets.iodine.file = ../../secrets/iodine.age;
networking.firewall.allowedUDPPorts = [ 53 ];
networking.nat.internalInterfaces = [
"dns0" # iodine
];
# proxied web services
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.virtualHosts."jellyfin.neet.cloud" = { services.nginx.virtualHosts."jellyfin.neet.cloud" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://s0.zt.neet.dev"; proxyPass = "http://s0.koi-bebop.ts.net";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
services.nginx.virtualHosts."navidrome.neet.cloud" = { services.nginx.virtualHosts."navidrome.neet.cloud" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://s0.zt.neet.dev:4533"; locations."/".proxyPass = "http://s0.koi-bebop.ts.net:4533";
}; };
# TODO replace with a proper file hosting service
services.nginx.virtualHosts."tmp.neet.dev" = { services.nginx.virtualHosts."tmp.neet.dev" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
root = "/var/www/tmp"; root = "/var/www/tmp";
}; };
# redirect to github # redirect runyan.org to github
services.nginx.virtualHosts."runyan.org" = { services.nginx.virtualHosts."runyan.org" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@@ -167,6 +135,7 @@
''; '';
}; };
# owncast live streaming
services.owncast.enable = true; services.owncast.enable = true;
services.owncast.hostname = "live.neet.dev"; services.owncast.hostname = "live.neet.dev";
} }

28
machines/ponyo/hardware-configuration.nix
View File

@@ -2,7 +2,8 @@
{ {
imports = imports =
[ (modulesPath + "/profiles/qemu-guest.nix") [
(modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
@@ -10,13 +11,26 @@
boot.kernelModules = [ "kvm-intel" "nvme" ]; boot.kernelModules = [ "kvm-intel" "nvme" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
firmware.x86_64.enable = true;
bios = {
enable = true;
device = "/dev/sda";
};
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/e52b01b3-81c8-4bb2-ae7e-a3d9c793cb00"; # expanded disk
fileSystems."/" = fileSystems."/" =
{ device = "/dev/mapper/enc-pv"; {
device = "/dev/mapper/enc-pv";
fsType = "btrfs"; fsType = "btrfs";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/d3a3777d-1e70-47fa-a274-804dc70ee7fd"; {
device = "/dev/disk/by-uuid/d3a3777d-1e70-47fa-a274-804dc70ee7fd";
fsType = "ext4"; fsType = "ext4";
}; };
@@ -27,11 +41,5 @@
} }
]; ];
# The global useDHCP flag is deprecated, therefore explicitly set to false here. networking.interfaces.eth0.useDHCP = true;
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = lib.mkDefault false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

112
machines/ray/configuration.nix
View File

@@ -5,35 +5,32 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
firmware.x86_64.enable = true;
efi.enable = true;
boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce";
allowDiscards = true;
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.hostName = "ray"; networking.hostName = "ray";
hardware.enableAllFirmware = true; # for luks onlock over tor
services.tor.enable = true;
services.tor.client.enable = true;
# services.howdy.enable = true;
hardware.openrazer.enable = true;
hardware.openrazer.users = [ "googlebot" ];
hardware.openrazer.devicesOffOnScreensaver = false;
users.users.googlebot.packages = [ pkgs.polychromatic ];
# depthai
services.udev.extraRules = '' services.udev.extraRules = ''
# depthai
SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666" SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666"
'';
# gpu # Moonlander
services.xserver.videoDrivers = [ "nvidia" ]; # Rules for Oryx web flashing and live training
hardware.nvidia = { KERNEL=="hidraw*", ATTRS{idVendor}=="16c0", MODE="0664", GROUP="plugdev"
modesetting.enable = true; # for nvidia-vaapi-driver KERNEL=="hidraw*", ATTRS{idVendor}=="3297", MODE="0664", GROUP="plugdev"
prime = { # Wally Flashing rules for the Moonlander and Planck EZ
reverseSync.enable = true; SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE:="0666", SYMLINK+="stm32_dfu"
offload.enableOffloadCmd = true; '';
nvidiaBusId = "PCI:1:0:0"; users.groups.plugdev = {
amdgpuBusId = "PCI:4:0:0"; members = [ "googlebot" ];
};
}; };
# virt-manager # virt-manager
@@ -43,74 +40,15 @@
environment.systemPackages = with pkgs; [ virt-manager ]; environment.systemPackages = with pkgs; [ virt-manager ];
users.users.googlebot.extraGroups = [ "libvirtd" ]; users.users.googlebot.extraGroups = [ "libvirtd" ];
# vpn-container.enable = true; # allow building ARM derivations
# containers.vpn.interfaces = [ "piaw" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
# allow traffic for wireguard interface to pass services.spotifyd.enable = true;
# networking.firewall = {
# # wireguard trips rpfilter up
# extraCommands = ''
# ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
# ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
# '';
# extraStopCommands = ''
# ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
# ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
# '';
# };
# systemd.services.pia-vpn-wireguard = {
# enable = true;
# description = "PIA VPN WireGuard Tunnel";
# requires = [ "network-online.target" ];
# after = [ "network.target" "network-online.target" ];
# wantedBy = [ "multi-user.target" ];
# environment.DEVICE = "piaw";
# path = with pkgs; [ kmod wireguard-tools jq curl ];
# serviceConfig = {
# Type = "oneshot";
# RemainAfterExit = true;
# };
# script = ''
# WG_HOSTNAME=zurich406
# WG_SERVER_IP=156.146.62.153
# PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
# PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
# PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
# privKey=$(wg genkey)
# pubKey=$(echo "$privKey" | wg pubkey)
# wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:1337/addKey`
# echo "
# [Interface]
# Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
# PrivateKey = $privKey
# ListenPort = 51820
# [Peer]
# PersistentKeepalive = 25
# PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
# AllowedIPs = 0.0.0.0/0
# Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
# " > /tmp/piaw.conf
# # TODO make /tmp/piaw.conf ro to root
# ${lib.optionalString (!config.boot.isContainer) "modprobe wireguard"}
# wg-quick up /tmp/piaw.conf
# '';
# preStop = ''
# wg-quick down /tmp/piaw.conf
# '';
# };
# age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
services.zerotierone.enable = true; virtualisation.appvm.enable = true;
virtualisation.appvm.user = "googlebot";
services.mount-samba.enable = true; services.mount-samba.enable = true;

46
machines/ray/hardware-configuration.nix
View File

@@ -5,36 +5,60 @@
{ {
imports = imports =
[ (modulesPath + "/installer/scan/not-detected.nix") [
(modulesPath + "/installer/scan/not-detected.nix")
]; ];
# boot
efi.enable = true;
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];
# kernel
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
# firmware
firmware.x86_64.enable = true;
hardware.enableAllFirmware = true;
# gpu
services.xserver.videoDrivers = [ "nvidia" ];
hardware.nvidia = {
modesetting.enable = true; # for nvidia-vaapi-driver
prime = {
reverseSync.enable = true;
offload.enableOffloadCmd = true;
nvidiaBusId = "PCI:1:0:0";
amdgpuBusId = "PCI:4:0:0";
};
};
# disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce";
allowDiscards = true;
};
fileSystems."/" = fileSystems."/" =
{ device = "/dev/vg/root"; {
device = "/dev/vg/root";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=root" ]; options = [ "subvol=root" ];
}; };
fileSystems."/home" = fileSystems."/home" =
{ device = "/dev/vg/root"; {
device = "/dev/vg/root";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=home" ]; options = [ "subvol=home" ];
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2C85-2B59"; {
device = "/dev/disk/by-uuid/2C85-2B59";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices =
[ { device = "/dev/vg/swap"; } [{ device = "/dev/vg/swap"; }];
];
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# high-resolution display # high-resolution display
hardware.video.hidpi.enable = lib.mkDefault true; hardware.video.hidpi.enable = lib.mkDefault true;

35
machines/reg/configuration.nix
View File

@@ -1,35 +0,0 @@
{ config, pkgs, fetchurl, ... }:
{
imports = [
./hardware-configuration.nix
];
# smcxui7kwoyxpswwage4fkcppxnqzpw33xcmxmlhxvk5gcp5s6lrtfad.onion
boot.kernelPackages = pkgs.linuxPackages_5_12;
firmware.x86_64.enable = true;
efi.enable = true;
luks = {
enable = true;
device = {
path = "/dev/disk/by-uuid/975d8427-2c6a-440d-a1d2-18dd15ba5bc2";
allowDiscards = true;
};
};
networking.hostName = "reg";
de.enable = true;
de.touchpad.enable = true;
services.zerotierone.enable = true;
# VNC
networking.firewall.allowedTCPPorts = [ 5900 ];
networking.interfaces.enp57s0f1.useDHCP = true;
}

38
machines/reg/hardware-configuration.nix
View File

@@ -1,38 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/b3a2906b-e9a5-45bd-aac5-960297437fe9";
fsType = "btrfs";
options = [ "subvol=root" "noatime" "nodiratime" "discard" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/b3a2906b-e9a5-45bd-aac5-960297437fe9";
fsType = "btrfs";
options = [ "subvol=home" "noatime" "nodiratime" "discard" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/6C41-24A0";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/34ec322f-79c3-4993-a073-ef1da3c6ef51"; }
];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}

40
machines/router/configuration.nix Normal file
View File

@@ -0,0 +1,40 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
./router.nix
];
# https://dataswamp.org/~solene/2022-08-03-nixos-with-live-usb-router.html
# https://github.com/mdlayher/homelab/blob/391cfc0de06434e4dee0abe2bec7a2f0637345ac/nixos/routnerr-2/configuration.nix
# https://github.com/skogsbrus/os/blob/master/sys/router.nix
# http://trac.gateworks.com/wiki/wireless/wifi
networking.hostName = "router";
system.autoUpgrade.enable = true;
services.tailscale.exitNode = true;
router.enable = true;
router.privateSubnet = "192.168.3";
services.iperf3.enable = true;
# networking.useDHCP = lib.mkForce true;
# TODO
# networking.usePredictableInterfaceNames = true;
powerManagement.cpuFreqGovernor = "ondemand";
services.irqbalance.enable = true;
# services.miniupnpd = {
# enable = true;
# externalInterface = "eth0";
# internalIPs = [ "br0" ];
# };
}

BIN
machines/router/firmware/mediatek/mt7916_eeprom.bin Normal file
View File

Binary file not shown.

BIN
machines/router/firmware/mediatek/mt7916_rom_patch.bin Normal file
View File

Binary file not shown.

BIN
machines/router/firmware/mediatek/mt7916_wa.bin Normal file
View File

Binary file not shown.

BIN
machines/router/firmware/mediatek/mt7916_wm.bin Normal file
View File

Binary file not shown.

223
machines/router/generate_hostapd_config.sh Executable file
View File

@@ -0,0 +1,223 @@
#!/bin/sh
# TODO allow adding custom parameters to ht_capab, vht_capab
# TODO detect bad channel numbers (preferably not at runtime)
# TODO error if 160mhz is not supported
# TODO 'b' only goes up to 40mhz
# gets the phy number using the input interface
# Ex: get_phy_number("wlan0") -> "1"
get_phy_number() {
local interface=$1
phy=$(iw dev "$interface" info | awk '/phy/ {gsub(/#/,"");print $2}')
if [[ -z "$phy" ]]; then
echo "Error: interface not found" >&2
exit 1
fi
phy=phy$phy
}
get_ht_cap_mask() {
ht_cap_mask=0
for cap in $(iw phy "$phy" info | grep 'Capabilities:' | cut -d: -f2); do
ht_cap_mask="$(($ht_cap_mask | $cap))"
done
local cap_rx_stbc
cap_rx_stbc=$((($ht_cap_mask >> 8) & 3))
ht_cap_mask="$(( ($ht_cap_mask & ~(0x300)) | ($cap_rx_stbc << 8) ))"
}
get_vht_cap_mask() {
vht_cap_mask=0
for cap in $(iw phy "$phy" info | awk -F "[()]" '/VHT Capabilities/ { print $2 }'); do
vht_cap_mask="$(($vht_cap_mask | $cap))"
done
local cap_rx_stbc
cap_rx_stbc=$((($vht_cap_mask >> 8) & 7))
vht_cap_mask="$(( ($vht_cap_mask & ~(0x700)) | ($cap_rx_stbc << 8) ))"
}
mac80211_add_capabilities() {
local __var="$1"; shift
local __mask="$1"; shift
local __out= oifs
oifs="$IFS"
IFS=:
for capab in "$@"; do
set -- $capab
[ "$(($4))" -gt 0 ] || continue
[ "$(($__mask & $2))" -eq "$((${3:-$2}))" ] || continue
__out="$__out[$1]"
done
IFS="$oifs"
export -n -- "$__var=$__out"
}
add_special_ht_capabilities() {
case "$hwmode" in
a)
case "$(( ($channel / 4) % 2 ))" in
1) ht_capab="$ht_capab[HT40+]";;
0) ht_capab="$ht_capab[HT40-]";;
esac
;;
*)
if [ "$channel" -lt 7 ]; then
ht_capab="$ht_capab[HT40+]"
else
ht_capab="$ht_capab[HT40-]"
fi
;;
esac
}
add_special_vht_capabilities() {
local cap_ant
[ "$(($vht_cap_mask & 0x800))" -gt 0 ] && {
cap_ant="$(( ( ($vht_cap_mask >> 16) & 3 ) + 1 ))"
[ "$cap_ant" -gt 1 ] && vht_capab="$vht_capab[SOUNDING-DIMENSION-$cap_ant]"
}
[ "$(($vht_cap_mask & 0x1000))" -gt 0 ] && {
cap_ant="$(( ( ($vht_cap_mask >> 13) & 3 ) + 1 ))"
[ "$cap_ant" -gt 1 ] && vht_capab="$vht_capab[BF-ANTENNA-$cap_ant]"
}
if [ "$(($vht_cap_mask & 12))" -eq 4 ]; then
vht_capab="$vht_capab[VHT160]"
fi
local vht_max_mpdu_hw=3895
[ "$(($vht_cap_mask & 3))" -ge 1 ] && \
vht_max_mpdu_hw=7991
[ "$(($vht_cap_mask & 3))" -ge 2 ] && \
vht_max_mpdu_hw=11454
[ "$vht_max_mpdu_hw" != 3895 ] && \
vht_capab="$vht_capab[MAX-MPDU-$vht_max_mpdu_hw]"
# maximum A-MPDU length exponent
local vht_max_a_mpdu_len_exp_hw=0
[ "$(($vht_cap_mask & 58720256))" -ge 8388608 ] && \
vht_max_a_mpdu_len_exp_hw=1
[ "$(($vht_cap_mask & 58720256))" -ge 16777216 ] && \
vht_max_a_mpdu_len_exp_hw=2
[ "$(($vht_cap_mask & 58720256))" -ge 25165824 ] && \
vht_max_a_mpdu_len_exp_hw=3
[ "$(($vht_cap_mask & 58720256))" -ge 33554432 ] && \
vht_max_a_mpdu_len_exp_hw=4
[ "$(($vht_cap_mask & 58720256))" -ge 41943040 ] && \
vht_max_a_mpdu_len_exp_hw=5
[ "$(($vht_cap_mask & 58720256))" -ge 50331648 ] && \
vht_max_a_mpdu_len_exp_hw=6
[ "$(($vht_cap_mask & 58720256))" -ge 58720256 ] && \
vht_max_a_mpdu_len_exp_hw=7
vht_capab="$vht_capab[MAX-A-MPDU-LEN-EXP$vht_max_a_mpdu_len_exp_hw]"
local vht_link_adapt_hw=0
[ "$(($vht_cap_mask & 201326592))" -ge 134217728 ] && \
vht_link_adapt_hw=2
[ "$(($vht_cap_mask & 201326592))" -ge 201326592 ] && \
vht_link_adapt_hw=3
[ "$vht_link_adapt_hw" != 0 ] && \
vht_capab="$vht_capab[VHT-LINK-ADAPT-$vht_link_adapt_hw]"
}
calculate_channel_offsets() {
vht_oper_chwidth=0
vht_oper_centr_freq_seg0_idx=
local idx="$channel"
case "$channelWidth" in
40)
case "$(( ($channel / 4) % 2 ))" in
1) idx=$(($channel + 2));;
0) idx=$(($channel - 2));;
esac
vht_oper_centr_freq_seg0_idx=$idx
;;
80)
case "$(( ($channel / 4) % 4 ))" in
1) idx=$(($channel + 6));;
2) idx=$(($channel + 2));;
3) idx=$(($channel - 2));;
0) idx=$(($channel - 6));;
esac
vht_oper_chwidth=1
vht_oper_centr_freq_seg0_idx=$idx
;;
160)
case "$channel" in
36|40|44|48|52|56|60|64) idx=50;;
100|104|108|112|116|120|124|128) idx=114;;
esac
vht_oper_chwidth=2
vht_oper_centr_freq_seg0_idx=$idx
;;
esac
he_oper_chwidth=$vht_oper_chwidth
he_oper_centr_freq_seg0_idx=$vht_oper_centr_freq_seg0_idx
}
interface=$1
channel=$2
hwmode=$3
channelWidth=$4
get_phy_number $interface
get_ht_cap_mask
get_vht_cap_mask
mac80211_add_capabilities vht_capab $vht_cap_mask \
RXLDPC:0x10::1 \
SHORT-GI-80:0x20::1 \
SHORT-GI-160:0x40::1 \
TX-STBC-2BY1:0x80::1 \
SU-BEAMFORMER:0x800::1 \
SU-BEAMFORMEE:0x1000::1 \
MU-BEAMFORMER:0x80000::1 \
MU-BEAMFORMEE:0x100000::1 \
VHT-TXOP-PS:0x200000::1 \
HTC-VHT:0x400000::1 \
RX-ANTENNA-PATTERN:0x10000000::1 \
TX-ANTENNA-PATTERN:0x20000000::1 \
RX-STBC-1:0x700:0x100:1 \
RX-STBC-12:0x700:0x200:1 \
RX-STBC-123:0x700:0x300:1 \
RX-STBC-1234:0x700:0x400:1 \
mac80211_add_capabilities ht_capab $ht_cap_mask \
LDPC:0x1::1 \
GF:0x10::1 \
SHORT-GI-20:0x20::1 \
SHORT-GI-40:0x40::1 \
TX-STBC:0x80::1 \
RX-STBC1:0x300::1 \
MAX-AMSDU-7935:0x800::1 \
# TODO this is active when the driver doesn't support it?
# DSSS_CCK-40:0x1000::1 \
# TODO these are active when the driver doesn't support them?
# RX-STBC1:0x300:0x100:1 \
# RX-STBC12:0x300:0x200:1 \
# RX-STBC123:0x300:0x300:1 \
add_special_ht_capabilities
add_special_vht_capabilities
echo ht_capab=$ht_capab
echo vht_capab=$vht_capab
if [ "$channelWidth" != "20" ]; then
calculate_channel_offsets
echo he_oper_chwidth=$he_oper_chwidth
echo vht_oper_chwidth=$vht_oper_chwidth
echo he_oper_centr_freq_seg0_idx=$he_oper_centr_freq_seg0_idx
echo vht_oper_centr_freq_seg0_idx=$vht_oper_centr_freq_seg0_idx
fi

50
machines/router/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,50 @@
{ config, pkgs, ... }:
{
# kernel
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.initrd.availableKernelModules = [ "igb" "mt7915e" "xhci_pci" "ahci" "ehci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
# Enable serial output
boot.kernelParams = [
"panic=30"
"boot.panic_on_fail" # reboot the machine upon fatal boot issues
"console=ttyS0,115200n8" # enable serial console
];
boot.loader.grub.extraConfig = "
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input serial
terminal_output serial
";
# firmware
firmware.x86_64.enable = true;
nixpkgs.config.allowUnfree = true;
# boot
bios = {
enable = true;
device = "/dev/sda";
};
# disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
fileSystems."/" =
{
device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce";
fsType = "btrfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/d97f324f-3a2e-4b84-ae2a-4b3d1209c689";
fsType = "ext3";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/45bf58dd-67eb-45e4-9a98-246e23fa7abd"; }];
nixpkgs.hostPlatform = "x86_64-linux";
}

205
machines/router/router.nix Normal file
View File

@@ -0,0 +1,205 @@
{ config, pkgs, lib, ... }:
let
cfg = config.router;
inherit (lib) mapAttrs' genAttrs nameValuePair mkOption types mkIf mkEnableOption;
in
{
options.router = {
enable = mkEnableOption "router";
privateSubnet = mkOption {
type = types.str;
default = "192.168.1";
description = "IP block (/24) to use for the private subnet";
};
};
config = mkIf cfg.enable {
networking.ip_forward = true;
networking.interfaces.enp1s0.useDHCP = true;
networking.nat = {
enable = true;
internalInterfaces = [
"br0"
];
externalInterface = "enp1s0";
};
networking.bridges = {
br0 = {
interfaces = [
"enp2s0"
"wlp4s0"
"wlan1"
];
};
};
networking.interfaces = {
br0 = {
useDHCP = false;
ipv4.addresses = [
{
address = "${cfg.privateSubnet}.1";
prefixLength = 24;
}
];
};
};
networking.firewall = {
enable = true;
trustedInterfaces = [ "br0" "tailscale0" ];
interfaces = {
enp1s0 = {
allowedTCPPorts = [ ];
allowedUDPPorts = [ ];
};
};
};
services.dnsmasq = {
enable = true;
extraConfig = ''
# sensible behaviours
domain-needed
bogus-priv
no-resolv
# upstream name servers
server=1.1.1.1
server=8.8.8.8
# local domains
expand-hosts
domain=home
local=/home/
# Interfaces to use DNS on
interface=br0
# subnet IP blocks to use DHCP on
dhcp-range=${cfg.privateSubnet}.10,${cfg.privateSubnet}.254,24h
'';
};
services.hostapd = {
enable = true;
radios = {
# 2.4GHz
wlp4s0 = {
hwMode = "g";
noScan = true;
channel = 6;
countryCode = "US";
wifi4 = {
capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40+" ];
};
wifi5 = {
operatingChannelWidth = "20or40";
capabilities = [ "MAX-A-MPDU-LEN-EXP0" ];
};
wifi6 = {
enable = true;
singleUserBeamformer = true;
singleUserBeamformee = true;
multiUserBeamformer = true;
operatingChannelWidth = "20or40";
};
networks = {
wlp4s0 = {
ssid = "CXNK00BF9176";
authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
};
# wlp4s0-1 = {
# ssid = "- Experimental 5G Tower by AT&T";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# };
# wlp4s0-2 = {
# ssid = "FBI Surveillance Van 2";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# };
};
extraConfig = ''
he_oper_centr_freq_seg0_idx=8
vht_oper_centr_freq_seg0_idx=8
'';
};
# 5GHz
wlan1 = {
hwMode = "a";
noScan = true;
channel = 128;
countryCode = "US";
wifi4 = {
capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40-" ];
};
wifi5 = {
operatingChannelWidth = "160";
capabilities = [ "RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-3" "BF-ANTENNA-3" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7" ];
};
wifi6 = {
enable = true;
singleUserBeamformer = true;
singleUserBeamformee = true;
multiUserBeamformer = true;
operatingChannelWidth = "160";
};
networks = {
wlan1 = {
ssid = "CXNK00BF9176";
authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
};
# wlan1-1 = {
# ssid = "- Experimental 5G Tower by AT&T";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# };
# wlan1-2 = {
# ssid = "FBI Surveillance Van 5";
# authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
# };
};
extraConfig = ''
vht_oper_centr_freq_seg0_idx=114
he_oper_centr_freq_seg0_idx=114
'';
};
};
};
age.secrets.hostapd-pw-experimental-tower.file = ../../secrets/hostapd-pw-experimental-tower.age;
age.secrets.hostapd-pw-CXNK00BF9176.file = ../../secrets/hostapd-pw-CXNK00BF9176.age;
hardware.firmware = [
pkgs.mt7916-firmware
];
nixpkgs.overlays = [
(self: super: {
mt7916-firmware = pkgs.stdenvNoCC.mkDerivation {
pname = "mt7916-firmware";
version = "custom-feb-02-23";
src = ./firmware/mediatek; # from here https://github.com/openwrt/mt76/issues/720#issuecomment-1413537674
dontBuild = true;
installPhase = ''
for i in \
mt7916_eeprom.bin \
mt7916_rom_patch.bin \
mt7916_wa.bin \
mt7916_wm.bin;
do
install -D -pm644 $i $out/lib/firmware/mediatek/$i
done
'';
meta = with lib; {
license = licenses.unfreeRedistributableFirmware;
};
};
})
];
};
}

108
machines/storage/s0/configuration.nix
View File

@@ -1,51 +1,49 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
imports =[ imports = [
./helios64
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
# nsw2zwifzyl42mbhabayjo42b2kkq3wd3dqyl6efxsz6pvmgm5cup5ad.onion
networking.hostName = "s0"; networking.hostName = "s0";
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
system.autoUpgrade.enable = true; system.autoUpgrade.enable = true;
boot.supportedFilesystems = [ "bcachefs" ]; services.iperf3.enable = true;
services.iperf3.openFirewall = true;
services.zerotierone.enable = true; # p2p mesh network
services.tailscale.exitNode = true;
# for education purposes only # for education purposes only
services.pykms.enable = true; services.pykms.enable = true;
services.pykms.openFirewallPort = true; services.pykms.openFirewallPort = true;
users.users.googlebot.packages = with pkgs; [ # samba
bcachefs-tools
];
services.samba.enable = true; services.samba.enable = true;
# disable suspend on lid close
services.logind.lidSwitch = "ignore";
# navidrome
services.navidrome = { services.navidrome = {
enable = true; enable = true;
settings = { settings = {
Address = "0.0.0.0"; Address = "0.0.0.0";
Port = 4533; Port = 4533;
MusicFolder = "/data/samba/Public/Plex/Music"; MusicFolder = "/data/samba/Public/Media/Music";
}; };
}; };
networking.firewall.allowedTCPPorts = [ config.services.navidrome.settings.Port ]; networking.firewall.allowedTCPPorts = [ config.services.navidrome.settings.Port ];
# allow access to transmisson data
users.users.googlebot.extraGroups = [ "transmission" ]; users.users.googlebot.extraGroups = [ "transmission" ];
users.groups.transmission.gid = config.ids.gids.transmission; users.groups.transmission.gid = config.ids.gids.transmission;
vpn-container.enable = true; vpn-container.enable = true;
vpn-container.mounts = [ vpn-container.mounts = [
"/var/lib" "/var/lib"
"/data/samba/Public/Plex" "/data/samba/Public"
]; ];
vpn-container.config = { vpn-container.config = {
# servarr services # servarr services
@@ -63,9 +61,6 @@
services.lidarr.user = "public_data"; services.lidarr.user = "public_data";
services.lidarr.group = "public_data"; services.lidarr.group = "public_data";
services.jellyfin.enable = true;
users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
services.transmission = { services.transmission = {
enable = true; enable = true;
performanceNetParameters = true; performanceNetParameters = true;
@@ -75,7 +70,7 @@
/* directory settings */ /* directory settings */
# "watch-dir" = "/srv/storage/Transmission/To-Download"; # "watch-dir" = "/srv/storage/Transmission/To-Download";
# "watch-dir-enabled" = true; # "watch-dir-enabled" = true;
"download-dir" = "/data/samba/Public/Plex/Transmission"; "download-dir" = "/data/samba/Public/Media/Transmission";
"incomplete-dir" = "/var/lib/transmission/.incomplete"; "incomplete-dir" = "/var/lib/transmission/.incomplete";
"incomplete-dir-enabled" = true; "incomplete-dir-enabled" = true;
@@ -121,10 +116,35 @@
uid = 994; uid = 994;
}; };
}; };
pia.wireguard.badPortForwardPorts = [
9696 # prowlarr
8989 # sonarr
6767 # bazarr
7878 # radarr
8686 # lidarr
9091 # transmission web
];
# unpackerr # jellyfin
# flaresolverr # jellyfin cannot run in the vpn container and use hardware encoding
# I could not figure out how to allow the container to access the encoder
services.jellyfin.enable = true;
users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
vaapiIntel
vaapiVdpau
libvdpau-va-gl
intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
];
};
# nginx
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.virtualHosts."bazarr.s0".locations."/".proxyPass = "http://vpn.containers:6767"; services.nginx.virtualHosts."bazarr.s0".locations."/".proxyPass = "http://vpn.containers:6767";
services.nginx.virtualHosts."radarr.s0".locations."/".proxyPass = "http://vpn.containers:7878"; services.nginx.virtualHosts."radarr.s0".locations."/".proxyPass = "http://vpn.containers:7878";
@@ -133,57 +153,15 @@
services.nginx.virtualHosts."prowlarr.s0".locations."/".proxyPass = "http://vpn.containers:9696"; services.nginx.virtualHosts."prowlarr.s0".locations."/".proxyPass = "http://vpn.containers:9696";
services.nginx.virtualHosts."music.s0".locations."/".proxyPass = "http://localhost:4533"; services.nginx.virtualHosts."music.s0".locations."/".proxyPass = "http://localhost:4533";
services.nginx.virtualHosts."jellyfin.s0".locations."/" = { services.nginx.virtualHosts."jellyfin.s0".locations."/" = {
proxyPass = "http://vpn.containers:8096"; proxyPass = "http://localhost:8096";
proxyWebsockets = true; proxyWebsockets = true;
}; };
services.nginx.virtualHosts."jellyfin.neet.cloud".locations."/" = { services.nginx.virtualHosts."jellyfin.neet.cloud".locations."/" = {
proxyPass = "http://vpn.containers:8096"; proxyPass = "http://localhost:8096";
proxyWebsockets = true; proxyWebsockets = true;
}; };
services.nginx.virtualHosts."transmission.s0".locations."/" = { services.nginx.virtualHosts."transmission.s0".locations."/" = {
proxyPass = "http://vpn.containers:9091"; proxyPass = "http://vpn.containers:9091";
proxyWebsockets = true; proxyWebsockets = true;
}; };
# tailscale
services.tailscale.exitNode = true;
nixpkgs.overlays = [
(final: prev: {
radarr = prev.radarr.overrideAttrs (old: rec {
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,share/${old.pname}-${old.version}}
cp -r * $out/share/${old.pname}-${old.version}/.
makeWrapper "${final.dotnet-runtime}/bin/dotnet" $out/bin/Radarr \
--add-flags "$out/share/${old.pname}-${old.version}/Radarr.dll" \
--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [
final.curl final.sqlite final.libmediainfo final.mono final.openssl final.icu final.zlib ]}
runHook postInstall
'';
});
prowlarr = prev.prowlarr.overrideAttrs (old: {
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,share/${old.pname}-${old.version}}
cp -r * $out/share/${old.pname}-${old.version}/.
makeWrapper "${final.dotnet-runtime}/bin/dotnet" $out/bin/Prowlarr \
--add-flags "$out/share/${old.pname}-${old.version}/Prowlarr.dll" \
--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [
final.curl final.sqlite final.libmediainfo final.mono final.openssl final.icu final.zlib ]}
runHook postInstall
'';
});
pykms = prev.pykms.overrideAttrs (old: {
src = pkgs.fetchFromGitHub {
owner = "Py-KMS-Organization";
repo = "py-kms";
rev = "7bea3a2cb03c4c3666ff41185ace9f7ea2a07b99";
sha256 = "90DqMqPjfqfyRq86UzG9B/TjY+yclJBlggw+eIDgRe0=";
};
});
})
];
} }

95
machines/storage/s0/hardware-configuration.nix
View File

@@ -1,58 +1,75 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports =
[ (modulesPath + "/installer/scan/not-detected.nix") [
(modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ # boot
"ahci" efi.enable = true;
"usb_storage" boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" "rtsx_pci_sdmmc" ];
"bcache"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
boot.initrd.luks.devices."enc-pv1" = { # firmware
device = "/dev/disk/by-uuid/e3b588b6-d07f-4221-a194-e1e900299752"; firmware.x86_64.enable = true;
allowDiscards = true; # SSD
};
boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/514231c1-5934-401f-80e1-e3b6b62dc9d5";
boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/f45abe73-d0c6-446f-b28c-7a96a3f87851";
boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc";
boot.initrd.luks.devices."enc-pv5".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";
boot.initrd.luks.devices."enc-pvUSB" = {
device = "/dev/disk/by-uuid/c8e18f86-a950-4e4e-8f3c-366cc78db29b";
allowDiscards = true; # SSD
};
### disks ###
# zfs
networking.hostId = "5e6791f0";
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
# luks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv1".device = "/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86";
boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3";
boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";
boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc";
# mounts
fileSystems."/" = fileSystems."/" =
{ device = "/dev/mapper/enc-pv1:/dev/mapper/enc-pv2:/dev/mapper/enc-pv3:/dev/mapper/enc-pv4:/dev/mapper/enc-pv5:/dev/mapper/enc-pvUSB"; {
fsType = "bcachefs"; device = "rpool/nixos/root";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/home" =
{
device = "rpool/nixos/home";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/var/lib" =
{
device = "rpool/nixos/var/lib";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/var/log" =
{
device = "rpool/nixos/var/log";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
}; };
fileSystems."/data" =
{
device = "rpool/nixos/data";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/8F7E-53C4"; {
device = "/dev/disk/by-uuid/4FB4-738E";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ ];
swapDevices = [ networking.interfaces.eth0.useDHCP = true;
{
device = "/dev/mmcblk1p2";
randomEncryption.enable = true;
}
];
# The global useDHCP flag is deprecated, therefore explicitly set to false here. powerManagement.cpuFreqGovernor = "powersave";
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = lib.mkDefault false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
networking.interfaces.eth1.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
} }

62
machines/storage/s0/helios64/README.md
View File

@@ -1,62 +0,0 @@
Kobol Helios64
==============
The `default.nix` module provides the required setup for the system to work.
The `recommended.nix` module adds recommended settings for the system.
Status
------
### Works
- SATA hard drives
- Ethernet (1gbps)
- Serial through USB type-c (`ttyS2`)
### Untested
- Ethernet (2.5gbps)
- DP video out
- UPS behaviour
- `rootfs` on SATA drives
### Disabled
Due to misbehaviour, `ttyS0` (`&uart0`, `serial@ff180000`) has been disabled
via a kernel patch.
Without this change, using, or attempting to use `ttyS0` will break serial
output from `ttyS2`.
Kernel
------
Only Linux 5.10 (LTS) is supported, using the patch set derived from Armbian.
Requirements
------------
A *platform firmware* needs to be provided out of band for the system.
The author recommends Tow-Boot, for which a [draft pull request](https://github.com/Tow-Boot/Tow-Boot/pull/54)
adds support for the Helios64.
Any other supported *platform firmware* should work too.
> **NOTE**: at the time of writing (2021-10-10) the *platform firmware*
> **must** make use of the proprietary ram training. The open source equivalent
> will make the system unstable, and worse, will cause silent memory
> corruption, in addition to loud memory corruption.
Notes
-----
### Baud rate
The serial baud rate is configured for `115200`, which is a more common default
than the usual for Rockchip at `1500000`. See [the rationale for the decision](https://github.com/Tow-Boot/Tow-Boot/pull/33).

27
machines/storage/s0/helios64/default.nix
View File

@@ -1,27 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
./modules/fancontrol.nix
./modules/heartbeat.nix
./modules/ups.nix
];
boot.kernelParams = lib.mkAfter [
"console=ttyS2,115200n8"
"earlycon=uart8250,mmio32,0xff1a0000"
];
# Required for rootfs on sata
boot.initrd.availableKernelModules = [
"pcie-rockchip-host" # required for rootfs on pcie sata disks
"phy-rockchip-pcie" # required for rootfs on pcie sata disks
"phy-rockchip-usb" # maybe not needed
"uas" # required for rootfs on USB 3.0 sata disks
];
# bcachefs kernel is 5.15. but need patches that are only in 5.16+
# Patch the device tree to add support for getting the cpu thermal temp
hardware.deviceTree.enable = true;
hardware.deviceTree.kernelPackage = pkgs.linux_latest;
}

23
machines/storage/s0/helios64/modules/bsp/90-helios64-hwmon.rules
View File

@@ -1,23 +0,0 @@
# Helios64 persistent hwmon
ACTION=="remove", GOTO="helios64_hwmon_end"
#
KERNELS=="fan1", SUBSYSTEMS=="platform", ENV{_HELIOS64_FAN_}="p6", ENV{_IS_HELIOS64_FAN_}="1", ENV{IS_HELIOS64_HWMON}="1"
KERNELS=="fan2", SUBSYSTEMS=="platform", ENV{_HELIOS64_FAN_}="p7", ENV{_IS_HELIOS64_FAN_}="1", ENV{IS_HELIOS64_HWMON}="1"
KERNELS=="2-004c", SUBSYSTEMS=="i2c", DRIVERS=="lm75", ENV{IS_HELIOS64_HWMON}="1"
SUBSYSTEM!="hwmon", GOTO="helios64_hwmon_end"
ENV{HWMON_PATH}="/sys%p"
#
ATTR{name}=="cpu_thermal", ENV{IS_HELIOS64_HWMON}="1", ENV{HELIOS64_SYMLINK}="/dev/thermal-cpu"
#
ENV{IS_HELIOS64_HWMON}=="1", ATTR{name}=="lm75", ENV{HELIOS64_SYMLINK}="/dev/thermal-board"
ENV{_IS_HELIOS64_FAN_}=="1", ENV{HELIOS64_SYMLINK}="/dev/fan-$env{_HELIOS64_FAN_}"
#
ENV{IS_HELIOS64_HWMON}=="1", RUN+="/bin/ln -sf $env{HWMON_PATH} $env{HELIOS64_SYMLINK}"
LABEL="helios64_hwmon_end"

11
machines/storage/s0/helios64/modules/bsp/90-helios64-ups.rules
View File

@@ -1,11 +0,0 @@
ACTION=="add", GOTO="helios64_ups_end"
ACTION=="remove", GOTO="helios64_ups_end"
# Power loss event
ACTION=="change", SUBSYSTEM=="power_supply", ATTR{type}=="Mains", ATTRS{online}=="0", RUN+="/usr/bin/systemctl start helios64-ups.timer"
# Power restore event
ACTION=="change", SUBSYSTEM=="power_supply", ATTR{type}=="Mains", ATTRS{online}=="1", RUN+="/usr/bin/systemctl stop helios64-ups.timer"
LABEL="helios64_ups_end"

Some files were not shown because too many files have changed in this diff Show More