commit ab39d2cab281b1b01855a959bc480f7a9f1e1c07 parent a7dcb2d752693fd90926d4c1802c51fd0b94b5af Author: Vincent Demeester <vincent@sbr.pm> Date: Wed, 9 Dec 2020 18:25:50 +0100 flake: starting refactoring the layout… … of the repository to fit into the "new" flake design. Signed-off-by: Vincent Demeester <vincent@sbr.pm> Diffstat:
M | README.md | | | 102 | ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------- |
M | README.org | | | 49 | ++++++++++++++++++++++++++++++++++++++++++++----- |
M | flake.nix | | | 18 | ++++++++++-------- |
M | systems.nix | | | 18 | +++++++++--------- |
D | systems/foo.nix | | | 100 | ------------------------------------------------------------------------------- |
D | systems/hokkaido.nix | | | 88 | ------------------------------------------------------------------------------- |
A | systems/hosts/foo.nix | | | 101 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | systems/hosts/hokkaido.nix | | | 88 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | systems/hosts/kerkouane.nix | | | 189 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | systems/hosts/naruhodo.nix | | | 102 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | systems/hosts/okinawa.nix | | | 105 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | systems/hosts/sakhalin.nix | | | 245 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | systems/hosts/wakasu.nix | | | 141 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
D | systems/kerkouane.nix | | | 189 | ------------------------------------------------------------------------------- |
A | systems/modules/buildkit.nix | | | 84 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | systems/modules/containerd.nix | | | 76 | ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | systems/modules/default.flake.nix | | | 10 | ++++++++++ |
M | systems/modules/profiles/containerd.nix | | | 2 | +- |
D | systems/modules/virtualisation/buildkit.nix | | | 102 | ------------------------------------------------------------------------------- |
D | systems/modules/virtualisation/containerd.nix | | | 99 | ------------------------------------------------------------------------------- |
M | systems/modules/virtualisation/default.nix | | | 5 | ++--- |
D | systems/naruhodo.home.nix | | | 35 | ----------------------------------- |
D | systems/naruhodo.nix | | | 102 | ------------------------------------------------------------------------------- |
D | systems/okinawa.nix | | | 105 | ------------------------------------------------------------------------------- |
D | systems/sakhalin.nix | | | 245 | ------------------------------------------------------------------------------- |
D | systems/wakasu.nix | | | 141 | ------------------------------------------------------------------------------- |
26 files changed, 1293 insertions(+), 1248 deletions(-)
diff --git a/README.md b/README.md @@ -1,18 +1,26 @@ # Table of Contents -1. [Highlights](#orge67da4f) - 1. [Systems](#orgb628628) - 2. [Tools](#orge70c52c) - 3. [User(s)](#org913c553) -2. [References](#org38a0a47) -3. [Licensing](#org8632b90) +1. [Highlights](#orge5f20f1) + 1. [`/systems`](#org25a7672) + 1. [`/hosts`](#orgbb234d3) + 2. [`/modules`](#org8f64aa6) + 3. [`/profiles`](#org46c952b) + 2. [`/home`](#orgf0bb072) + 1. [`/hosts`](#org65fb6a1) + 2. [`/modules`](#org2316502) + 3. [`/profiles`](#org48814c0) + 3. [`/nix`](#orgaf0439d) + 4. [`/tools`](#org6af22d2) + 5. [`/www`](#org1942cc5) +2. [References](#orgc09a499) +3. [Licensing](#orgfbd9526) `home` is the monorepo containing my personal tools and infrastructure. Everything in here should be built using [Nix](https://nixos.org/nix). -<a id="orge67da4f"></a> +<a id="orge5f20f1"></a> # Highlights 
@@ -24,30 +32,92 @@ This will be a all-time work-in-progress, so please beware that things might cha dramatically or even not working anymore 😛. -<a id="orgb628628"></a> +<a id="org25a7672"></a> -## Systems +## `/systems` This holds the configuration of my different systems. It is meant to be position-independent, meaning there is no moving around of `configuration.nix`. For the configurations' entry points see the individual [systems](systems), as well as [default.nix](default.nix). -<a id="orge70c52c"></a> +<a id="orgbb234d3"></a> -## Tools +### `/hosts` + +This is the configuration for each hosts. It should be as simple as enabling some profiles +and some ad-hoc very specific configuration. + + +<a id="org8f64aa6"></a> + +### `/modules` + +This is where all configuration that can be used across different system would lend. These +are not system dependent and should be configurable. + + +<a id="org46c952b"></a> + +### `/profiles` + +This is where profiles enable/disable and configure modules (defined in NixOS or in +here). Examples are \`developement\`, … + + +<a id="orgf0bb072"></a> + +## `/home` + +Users configuration, for [NixOS](https://nixos.org) or not and using home-manager. + + +<a id="org65fb6a1"></a> + +### `/hosts` + +This is the configuration for each hosts. It should be as simple as enabling some profiles +and some ad-hoc very specific configuration. + + +<a id="org2316502"></a> + +### `/modules` + +This is where all configuration that can be used across different system would lend. These +are not system dependent and should be configurable. + + +<a id="org48814c0"></a> + +### `/profiles` + +This is where profiles enable/disable and configure modules (defined in NixOS or in +here). Examples are \`developement\`, … + + +<a id="orgaf0439d"></a> + +## `/nix` + +Nix configurations, packages definitions, overlays. + + +<a id="org6af22d2"></a> + +## `/tools` Those are tools I have written for my personal usage. 
-<a id="org913c553"></a> +<a id="org1942cc5"></a> -## User(s) +## `/www` -Users configuration, for [NixOS](https://nixos.org) and using home-manager. +Website sources and builders/deployers. -<a id="org38a0a47"></a> +<a id="orgc09a499"></a> # References @@ -105,7 +175,7 @@ Old - <https://github.com/gvolpe/nix-config> -<a id="org8632b90"></a> +<a id="orgfbd9526"></a> # Licensing diff --git a/README.org b/README.org 
@@ -14,20 +14,59 @@ This will be a all-time work-in-progress, so please beware that things might change dramatically or even not working anymore 😛. -** Systems +** =/systems= This holds the configuration of my different systems. It is meant to be position-independent, meaning there is no moving around of ~configuration.nix~. For the configurations' entry points see the individual [[file:systems][systems]], as well as [[file:default.nix][default.nix]]. -** Tools +*** =/hosts= -Those are tools I have written for my personal usage. +This is the configuration for each hosts. It should be as simple as enabling some profiles +and some ad-hoc very specific configuration. + +*** =/modules= + +This is where all configuration that can be used across different system would lend. These +are not system dependent and should be configurable. + +*** =/profiles= + +This is where profiles enable/disable and configure modules (defined in NixOS or in +here). Examples are `developement`, … + +** =/home= + +Users configuration, for [[https://nixos.org][NixOS]] or not and using home-manager. + + + +*** =/hosts= -** User(s) +This is the configuration for each hosts. It should be as simple as enabling some profiles +and some ad-hoc very specific configuration. + +*** =/modules= + +This is where all configuration that can be used across different system would lend. These +are not system dependent and should be configurable. + +*** =/profiles= + +This is where profiles enable/disable and configure modules (defined in NixOS or in +here). Examples are `developement`, … + +** =/nix= + +Nix configurations, packages definitions, overlays. + +** =/tools= + +Those are tools I have written for my personal usage. -Users configuration, for [[https://nixos.org][NixOS]] and using home-manager. +** =/www= +Website sources and builders/deployers. * References diff --git a/flake.nix b/flake.nix 
@@ -128,7 +128,9 @@ }; }; }) - (import ./systems/modules) + # FIXME remove flake suffix once migrated + (import ./systems/modules/default.flake.nix) + (import ./systems/profiles) (import config) ]; specialArgs = { inherit name inputs; }; @@ -138,7 +140,6 @@ mkHomeManagerConfiguration = name: { system, config }: nameValuePair name ({ ... }: { imports = [ - (import ./home/configs) (import ./home/modules) (import ./home/profiles) (import config) 
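Review bot: `(import ./systems/profiles)` is added to the NixOS module imports, but no `systems/profiles` directory appears anywhere in this commit's diffstat — the only profiles path it touches is `systems/modules/profiles/containerd.nix` — so unless that directory already exists upstream, every entry in `nixosConfigurations` will fail to evaluate on a missing path. If it is the directory the updated README describes, it should be created in this commit (with a `default.nix`) or the import line held back until it exists. The FIXME above `default.flake.nix` could also name `./systems/profiles` so both provisional imports are revisited together. `mkNixOsConfiguration` starts outside the hunk.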
@@ -215,18 +216,19 @@ # Attribute set of hostnames to be evaluated as NixOS configurations. Consumed by # `nixos-rebuild` on those hosts. nixosConfigurations = mapAttrs' mkNixOsConfiguration { - naruhodo = { pkgs = inputs.nixos-unstable; system = "x86_64-linux"; config = ./systems/naruhodo.nix; }; - wakasu = { pkgs = inputs.nixos-unstable; system = "x86_64-linux"; config = ./systems/naruhodo.nix; }; - okinawa = { pkgs = inputs.nixos; system = "x86_64-linux"; config = ./systems/okinawa.nix; }; - sakhalin = { pkgs = inputs.nixos; system = "x86_64-linux"; config = ./systems/sakhalin.nix; }; - kerkouane = { pkgs = inputs.nixos; system = "x86_64-linux"; config = ./systems/kerkouane.nix; }; + # FIXME remove .flake "suffix" once they all got migrated + naruhodo = { pkgs = inputs.nixos-unstable; system = "x86_64-linux"; config = ./systems/hosts/naruhodo.flake.nix; }; + wakasu = { pkgs = inputs.nixos-unstable; system = "x86_64-linux"; config = ./systems/hosts/waksu.flake.nix; }; + okinawa = { pkgs = inputs.nixos; system = "x86_64-linux"; config = ./systems/hosts/okinawa.flake.nix; }; + sakhalin = { pkgs = inputs.nixos; system = "x86_64-linux"; config = ./systems/hosts/sakhalin.flake.nix; }; + kerkouane = { pkgs = inputs.nixos; system = "x86_64-linux"; config = ./systems/hosts/kerkouane.flake.nix; }; # TODO raspberry pi 8G x 3 (name them too) + # TODO VMs }; # Import the modules exported by this flake. # containerd, buildkit are interesting module to export from here nixosModules = { - # FIXME move this to services containerd = import ./systems/modules/virtualisation/containerd.nix; buildkit = import ./systems/modules/virtualisation/buildkit.nix; }; diff --git a/systems.nix b/systems.nix 
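Review bot: The five `nixosConfigurations` entries now point at `./systems/hosts/<name>.flake.nix`, but the files this commit actually adds are `systems/hosts/naruhodo.nix`, `okinawa.nix`, `sakhalin.nix`, `kerkouane.nix` and `wakasu.nix` (see the diffstat), and the `wakasu` entry additionally misspells its own path as `waksu.flake.nix`, so none of the hosts can be evaluated as written. `nixosModules` has the mirror problem: it still exports `./systems/modules/virtualisation/containerd.nix` and `buildkit.nix`, which this commit deletes in favour of `systems/modules/containerd.nix` and `systems/modules/buildkit.nix`, so the exports should become `containerd = import ./systems/modules/containerd.nix;` and `buildkit = import ./systems/modules/buildkit.nix;`. Dropping the `.flake` suffix and fixing the `waksu` spelling repairs the host entries; `nix flake check` should surface both classes of dangling path before the follow-up that removes the FIXMEs.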
@@ -7,19 +7,19 @@ with builtins; with lib; let /* - mkNixOS: make a nixos system build with the given name and cfg. + mkNixOS: make a nixos system build with the given name and cfg. - cfg is an attributeSet: - - arch is architecture - - type is weither we want to use nixos (stable) or nixos-unstable + cfg is an attributeSet: + - arch is architecture + - type is weither we want to use nixos (stable) or nixos-unstable - Example: - hokkaido = { arch = "x86_64-linux"; }; - honshu = { arch = "x86_64-linux"; type = "unstable"; }; - */ + Example: + hokkaido = { arch = "x86_64-linux"; }; + honshu = { arch = "x86_64-linux"; type = "unstable"; }; + */ mkNixOS = name: cfg: let - configuration = ./systems + "/${name}.nix"; + configuration = ./systems + "/hosts/${name}.nix"; system = cfg.arch; # If type == unstable, use nixos-unstable (pkgs-unstable) otherwise use nixos (pkgs) p = diff --git a/systems/foo.nix b/systems/foo.nix 
@@ -1,100 +0,0 @@ -{ pkgs, lib, ... }: - -with lib; -let - hostname = "foo"; - secretPath = ../secrets/machines.nix; - secretCondition = (builtins.pathExists secretPath); -in -{ - imports = [ - ./modules - (import ../users).vincent - (import ../users).root - ]; - - nix.maxJobs = 2; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/884a3d57-f652-49b2-9c8b-f6eebd5edbeb"; - fsType = "ext4"; - }; - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/C036-34B9"; - fsType = "vfat"; - }; - swapDevices = [{ device = "/dev/disk/by-uuid/e1833693-77ac-4d52-bcc7-54d082788639"; }]; - - networking = { - hostName = hostname; - }; - - profiles = { - home = true; - avahi.enable = true; - git.enable = true; - ssh.enable = true; - dev.enable = true; - yubikey.enable = true; - }; - - services.xserver.enable = true; - services.xserver.layout = "fr"; - services.xserver.xkbVariant = "bepo"; - services.xserver.xkbOptions = "grp:menu_toggle,grp_led:caps,compose:caps"; - services.xserver.displayManager.gdm.enable = true; - services.xserver.desktopManager.gnome3.enable = true; - services.gnome3.chrome-gnome-shell.enable = true; - services.gnome3.core-shell.enable = true; - services.gnome3.core-os-services.enable = true; - services.gnome3.core-utilities.enable = true; - - fonts = { - enableFontDir = true; - enableGhostscriptFonts = true; - fonts = with pkgs; [ - corefonts - dejavu_fonts - emojione - feh - fira - fira-code - fira-code-symbols - fira-mono - hasklig - inconsolata - iosevka - noto-fonts - noto-fonts-cjk - noto-fonts-emoji - noto-fonts-extra - overpass - symbola - source-code-pro - twemoji-color-font - ubuntu_font_family - unifont - ]; - }; - /* - services.xserver.enable = true; - services.xserver.displayManager.xpra.enable = true; - services.xserver.displayManager.xpra.bindTcp = "0.0.0.0:10000"; - services.xserver.displayManager.xpra.pulseaudio = true; - */ - - virtualisation.containers = { - enable = true; - registries = { - search = [ "registry.fedoraproject.org" 
"registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ]; - }; - policy = { - default = [{ type = "insecureAcceptAnything"; }]; - transports = { - docker-daemon = { - "" = [{ type = "insecureAcceptAnything"; }]; - }; - }; - }; - }; -} diff --git a/systems/hokkaido.nix b/systems/hokkaido.nix 
@@ -1,88 +0,0 @@ -{ pkgs, lib, ... }: - -with lib; -let - hostname = "hokkaido"; - secretPath = ../secrets/machines.nix; - secretCondition = (builtins.pathExists secretPath); - - ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}"; - ips = lists.optionals secretCondition ([ "${ip}/24" ]); - endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP; - endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0; - endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey; -in -{ - imports = [ - ./hardware/dell-latitude-e6540.nix - ./modules - (import ../users).vincent - (import ../users).root - ]; - fileSystems."/" = - { - device = "/dev/disk/by-uuid/3e86d004-5554-4a90-b436-fcca63775f9d"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/D91F-14E8"; - fsType = "vfat"; - }; - - swapDevices = - [{ device = "/dev/disk/by-uuid/f065180d-8889-45ba-81d1-a67ac746dfeb"; }]; - - networking = { - hostName = hostname; - }; - - boot = { - tmpOnTmpfs = true; - plymouth.enable = true; - }; - - services.hardware.bolt.enable = true; - profiles = { - desktop.gnome.enable = true; - laptop.enable = true; - home = true; - ssh.enable = true; - dev.enable = true; - yubikey.enable = true; - virtualization = { enable = true; nested = true; }; - docker.enable = true; - redhat.enable = true; - }; - environment.systemPackages = with pkgs; [ virtmanager ]; - - services = { - # FIXME re-generate hokkaido key - /* - wireguard = { - enable = true; - ips = ips; - endpoint = endpointIP; - endpointPort = endpointPort; - endpointPublicKey = endpointPublicKey; - }; - */ - }; - - virtualisation.podman.enable = true; - virtualisation.containers = { - enable = true; - registries = { - search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ]; - }; - policy = { - default = [{ type 
= "insecureAcceptAnything"; }]; - transports = { - docker-daemon = { - "" = [{ type = "insecureAcceptAnything"; }]; - }; - }; - }; - }; -} diff --git a/systems/hosts/foo.nix b/systems/hosts/foo.nix 
@@ -0,0 +1,101 @@ +{ pkgs, lib, ... }: + +with lib; +let + hostname = "foo"; + secretPath = ../../secrets/machines.nix; + secretCondition = (builtins.pathExists secretPath); +in +{ + imports = [ + ../modules + (import ../../users).vincent + (import ....//users + ).root + ]; + + nix.maxJobs = 2; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/884a3d57-f652-49b2-9c8b-f6eebd5edbeb"; + fsType = "ext4"; + }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/C036-34B9"; + fsType = "vfat"; + }; + swapDevices = [{ device = "/dev/disk/by-uuid/e1833693-77ac-4d52-bcc7-54d082788639"; }]; + + networking = { + hostName = hostname; + }; + + profiles = { + home = true; + avahi.enable = true; + git.enable = true; + ssh.enable = true; + dev.enable = true; + yubikey.enable = true; + }; + + services.xserver.enable = true; + services.xserver.layout = "fr"; + services.xserver.xkbVariant = "bepo"; + services.xserver.xkbOptions = "grp:menu_toggle,grp_led:caps,compose:caps"; + services.xserver.displayManager.gdm.enable = true; + services.xserver.desktopManager.gnome3.enable = true; + services.gnome3.chrome-gnome-shell.enable = true; + services.gnome3.core-shell.enable = true; + services.gnome3.core-os-services.enable = true; + services.gnome3.core-utilities.enable = true; + + fonts = { + enableFontDir = true; + enableGhostscriptFonts = true; + fonts = with pkgs; [ + corefonts + dejavu_fonts + emojione + feh + fira + fira-code + fira-code-symbols + fira-mono + hasklig + inconsolata + iosevka + noto-fonts + noto-fonts-cjk + noto-fonts-emoji + noto-fonts-extra + overpass + symbola + source-code-pro + twemoji-color-font + ubuntu_font_family + unifont + ]; + }; + /* + services.xserver.enable = true; + services.xserver.displayManager.xpra.enable = true; + services.xserver.displayManager.xpra.bindTcp = "0.0.0.0:10000"; + services.xserver.displayManager.xpra.pulseaudio = true; + */ + + virtualisation.containers = { + enable = true; + registries = { + search = [ 
"registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ]; + }; + policy = { + default = [{ type = "insecureAcceptAnything"; }]; + transports = { + docker-daemon = { + "" = [{ type = "insecureAcceptAnything"; }]; + }; + }; + }; + }; +} diff --git a/systems/hosts/hokkaido.nix b/systems/hosts/hokkaido.nix 
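Review bot: The `imports` list in the new `systems/hosts/foo.nix` contains `(import ....//users` with `).root` on the following line, which is not the intended path and is unlikely to parse (the diffstat's 101 lines against the deleted file's 100 indicates the stray line break is in the commit, not the rendering); it should read `(import ../../users).root`, matching the `vincent` entry just above it. Two other hosts in this commit have relative paths that did not survive the move into `systems/hosts/` consistently: `kerkouane.nix` imports `../nix/sources.nix`, which resolves to `systems/nix/` while the README places `/nix` at the repository root and every other root-relative path in that file uses `../../`; and `sakhalin.nix` sets `secretPath = ../../../secrets/machines.nix` (one level above the repository) while its `users` import uses `../../`. The sakhalin slip is the worst of the three because `secretCondition = builtins.pathExists secretPath` fails silently: the host evaluates with its wireguard secrets treated as absent instead of erroring.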
@@ -0,0 +1,88 @@ +{ pkgs, lib, ... }: + +with lib; +let + hostname = "hokkaido"; + secretPath = ../../secrets/machines.nix; + secretCondition = (builtins.pathExists secretPath); + + ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}"; + ips = lists.optionals secretCondition ([ "${ip}/24" ]); + endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP; + endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0; + endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey; +in +{ + imports = [ + ../hardware/dell-latitude-e6540.nix + ../modules + (import ../../users).vincent + (import ../../users).root + ]; + fileSystems."/" = + { + device = "/dev/disk/by-uuid/3e86d004-5554-4a90-b436-fcca63775f9d"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/D91F-14E8"; + fsType = "vfat"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/f065180d-8889-45ba-81d1-a67ac746dfeb"; }]; + + networking = { + hostName = hostname; + }; + + boot = { + tmpOnTmpfs = true; + plymouth.enable = true; + }; + + services.hardware.bolt.enable = true; + profiles = { + desktop.gnome.enable = true; + laptop.enable = true; + home = true; + ssh.enable = true; + dev.enable = true; + yubikey.enable = true; + virtualization = { enable = true; nested = true; }; + docker.enable = true; + redhat.enable = true; + }; + environment.systemPackages = with pkgs; [ virtmanager ]; + + services = { + # FIXME re-generate hokkaido key + /* + wireguard = { + enable = true; + ips = ips; + endpoint = endpointIP; + endpointPort = endpointPort; + endpointPublicKey = endpointPublicKey; + }; + */ + }; + + virtualisation.podman.enable = true; + virtualisation.containers = { + enable = true; + registries = { + search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ]; + }; + policy = { + default 
= [{ type = "insecureAcceptAnything"; }]; + transports = { + docker-daemon = { + "" = [{ type = "insecureAcceptAnything"; }]; + }; + }; + }; + }; +} diff --git a/systems/hosts/kerkouane.nix b/systems/hosts/kerkouane.nix 
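Review bot: The `virtualisation.containers` block at the end of this file — five search registries plus a `policy` whose `default` and `docker-daemon` transport are both `insecureAcceptAnything` — is repeated byte-for-byte in `foo.nix` and `naruhodo.nix` in this same commit. That is exactly the cross-host configuration the updated README says belongs under `systems/modules` or a profile, so one shared module imported by the three hosts would keep the copies from drifting and would give a single place to document why image signature verification is disabled for every listed registry, or to tighten it per registry later. The five wireguard bindings in the `let` (`ip`, `ips`, `endpointIP`, `endpointPort`, `endpointPublicKey`) are unused here because the `services.wireguard` block is commented out behind the FIXME; either drop them or extend the FIXME to say they are kept for the re-enable.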
@@ -0,0 +1,189 @@ +{ pkgs, lib, ... }: + +with lib; +let + hostname = "kerkouane"; + + networkingConfigPath = ../../networking.nix; + hasNetworkingConfig = (builtins.pathExists networkingConfigPath); + secretPath = ../../secrets/machines.nix; + secretCondition = (builtins.pathExists secretPath); + + sshPort = if secretCondition then (import secretPath).ssh.kerkouane.port else 22; + + nginxExtraConfig = '' + expires 31d; + add_header Cache-Control "public, max-age=604800, immutable"; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + add_header X-Content-Type-Options "nosniff"; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Content-Security-Policy "default-src 'self' *.sbr.pm *.sbr.systems *.demeester.fr"; + add_header X-XSS-Protection "1; mode=block"; + ''; + + nginx = pkgs.nginxMainline.override (old: { + modules = with pkgs.nginxModules; [ + fancyindex + ]; + }); + + filesWWW = { + enableACME = true; + forceSSL = true; + root = "/home/vincent/desktop/sites/dl.sbr.pm"; + locations."/" = { + index = "index.html"; + extraConfig = '' + fancyindex on; + fancyindex_localtime on; + fancyindex_exact_size off; + fancyindex_header "/.fancyindex/header.html"; + fancyindex_footer "/.fancyindex/footer.html"; + # fancyindex_ignore "examplefile.html"; + fancyindex_ignore "README.md"; + fancyindex_ignore "HEADER.md"; + fancyindex_ignore ".fancyindex"; + fancyindex_name_length 255; + ''; + }; + locations."/private" = { + extraConfig = '' + auth_basic "Restricted"; + auth_basic_user_file /home/vincent/desktop/sites/dl.sbr.pm/private/.htpasswd; + ''; + }; + extraConfig = nginxExtraConfig; + }; + + sources = import ../nix/sources.nix; +in +{ + imports = [ + (sources.nixos + "/nixos/modules/profiles/qemu-guest.nix") + ../modules + (import ../../users).vincent + (import ../../users).root + ] + # digitalocean specifics + ++ optionals hasNetworkingConfig [ networkingConfigPath ]; + + networking.hostName = hostname; + + boot.loader.grub.device = 
"/dev/vda"; + boot.loader.grub.enable = lib.mkForce true; + boot.loader.systemd-boot.enable = lib.mkForce false; + fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; }; + swapDevices = [{ device = "/swapfile"; size = 1024; }]; + + core.nix = { + # FIXME move this away + localCaches = [ ]; + buildCores = 1; + }; + + profiles = { + git.enable = true; + ssh.enable = true; + syncthing.enable = true; + wireguard.server.enable = true; + }; + + networking.firewall.allowPing = true; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + security = { + acme = { + acceptTerms = true; + email = "vincent@sbr.pm"; + }; + #acme.certs = { + # "sbr.pm".email = "vincent@sbr.pm"; + #}; + }; + security.pam.enableSSHAgentAuth = true; + #systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/home/vincent/desktop/sites" ]; + systemd.services.nginx.serviceConfig.ProtectHome = lib.mkForce false; + services = { + govanityurl = { + enable = true; + user = "nginx"; + host = "go.sbr.pm"; + config = '' + paths: + /ape: + repo: https://git.sr.ht/~vdemeester/ape + /nr: + repo: https://git.sr.ht/~vdemeester/nr + /ram: + repo: https://git.sr.ht/~vdemeester/ram + /sec: + repo: https://git.sr.ht/~vdemeester/sec + ''; + }; + nginx = { + enable = true; + package = nginx; + recommendedGzipSettings = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + virtualHosts."dl.sbr.pm" = filesWWW; + virtualHosts."files.sbr.pm" = filesWWW; + virtualHosts."paste.sbr.pm" = { + enableACME = true; + forceSSL = true; + root = "/home/vincent/desktop/sites/paste.sbr.pm"; + locations."/" = { + index = "index.html"; + }; + extraConfig = nginxExtraConfig; + }; + virtualHosts."go.sbr.pm" = { + enableACME = true; + forceSSL = true; + locations."/" = { proxyPass = "http://127.0.0.1:8080"; }; + extraConfig = nginxExtraConfig; + }; + virtualHosts."sbr.pm" = { + enableACME = true; + forceSSL = true; + root = "/home/vincent/desktop/sites/sbr.pm"; + locations."/" = { + index = "index.html"; + }; + 
extraConfig = nginxExtraConfig; + }; + virtualHosts."sbr.systems" = { + enableACME = true; + forceSSL = true; + root = "/home/vincent/desktop/sites/sbr.systems"; + locations."/" = { + index = "index.html"; + }; + extraConfig = nginxExtraConfig; + }; + virtualHosts."vincent.demeester.fr" = { + enableACME = true; + forceSSL = true; + root = "/home/vincent/desktop/sites/vincent.demeester.fr"; + locations."/" = { + index = "index.html"; + extraConfig = '' + fancyindex on; + fancyindex_localtime on; + fancyindex_exact_size off; + fancyindex_header "/assets/.fancyindex/header.html"; + fancyindex_footer "/assets/.fancyindex/footer.html"; + # fancyindex_ignore "examplefile.html"; + fancyindex_ignore "README.md"; + fancyindex_ignore "HEADER.md"; + fancyindex_ignore ".fancyindex"; + fancyindex_name_length 255; + ''; + }; + extraConfig = nginxExtraConfig; + }; + }; + openssh.ports = [ sshPort ]; + openssh.permitRootLogin = "without-password"; + syncthing.guiAddress = "127.0.0.1:8384"; + }; +} diff --git a/systems/hosts/naruhodo.nix b/systems/hosts/naruhodo.nix 
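Review bot: `nginxExtraConfig` sends the policy under `X-Content-Security-Policy`, the pre-standard header name that current browsers do not honour, so the `default-src 'self' *.sbr.pm *.sbr.systems *.demeester.fr` policy applied to every virtual host is effectively not enforced; `add_header Content-Security-Policy "default-src 'self' *.sbr.pm *.sbr.systems *.demeester.fr";` is the header browsers read (the old name can stay alongside it during a transition). `X-XSS-Protection` in the same block is deprecated and at best a no-op on modern browsers; the CSP is what actually covers that case once it is served under the right name. Separately, `systemd.services.nginx.serviceConfig.ProtectHome = lib.mkForce false` exists only because the site roots live under `/home/vincent/desktop/sites`; moving them outside `/home` (the commented-out `ReadWritePaths` line suggests that route was tried) would let the NixOS hardening for the nginx unit stay in place.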
@@ -0,0 +1,102 @@ +{ pkgs, lib, ... }: + +with lib; +let + hostname = "naruhodo"; + secretPath = ../../secrets/machines.nix; + secretCondition = (builtins.pathExists secretPath); + + ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}"; + ips = lists.optionals secretCondition ([ "${ip}/24" ]); + endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP; + endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0; + endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey; +in +{ + imports = [ + ../hardware/thinkpad-t480s.nix + ../modules + (import ../../users).vincent + (import ../../users).root + ]; + + fileSystems."/" = + { + device = "/dev/mapper/root"; + fsType = "ext4"; + options = [ "noatime" "discard" ]; + }; + + boot.initrd.luks.devices = { + root = { + device = "/dev/disk/by-uuid/50d7faba-8923-4b30-88f7-40df26e02def"; + preLVM = true; + allowDiscards = true; + }; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/0101-68DE"; + fsType = "vfat"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/aff86817-55ae-47ed-876a-e5a027b560ba"; }]; + + networking = { + hostName = hostname; + }; + + boot = { + tmpOnTmpfs = true; + plymouth.enable = true; + extraModulePackages = with pkgs.linuxPackages; [ + v4l2loopback + ]; + kernelModules = [ "v4l2loopback" ]; + extraModprobeConfig = '' + options v4l2loopback exclusive_caps=1 + ''; + }; + + services.hardware.bolt.enable = true; + profiles = { + desktop.i3.enable = true; + laptop.enable = true; + home = true; + dev.enable = true; + yubikey.enable = true; + virtualization = { enable = true; nested = true; }; + docker.enable = true; + redhat.enable = true; + scanning.enable = true; + }; + environment.systemPackages = with pkgs; [ virtmanager ]; + + services = { + wireguard = { + enable = true; + ips = ips; + endpoint = endpointIP; + endpointPort = endpointPort; + 
endpointPublicKey = endpointPublicKey; + }; + }; + + virtualisation.podman.enable = true; + virtualisation.containers = { + enable = true; + registries = { + search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ]; + }; + policy = { + default = [{ type = "insecureAcceptAnything"; }]; + transports = { + docker-daemon = { + "" = [{ type = "insecureAcceptAnything"; }]; + }; + }; + }; + }; +} diff --git a/systems/hosts/okinawa.nix b/systems/hosts/okinawa.nix 
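Review bot: `services.wireguard.enable = true` is unconditional, while every value it is fed degrades silently when `../../secrets/machines.nix` is absent: per the `let` block at the top of this file `ips` becomes `[]`, `endpoint` becomes `""` and `endpointPort` becomes `0`. Whether that yields a broken tunnel or an evaluation error depends on the `wireguard` profile module, which is not in this diff, but tying the switch to the same guard — `enable = secretCondition;` — makes the outcome explicit either way. The same pattern appears in `okinawa.nix` in this commit, and in the `let` of `sakhalin.nix`, whose body is cut off in this view. For hosts that are useless without the secrets, an `assert secretCondition;` at the top of the file would be the stricter alternative.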
@@ -0,0 +1,105 @@ +{ pkgs, lib, ... }: + +with lib; +let + hostname = "okinawa"; + secretPath = ../../secrets/machines.nix; + secretCondition = (builtins.pathExists secretPath); + + ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}"; + ips = lists.optionals secretCondition ([ "${ip}/24" ]); + endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP; + endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0; + endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey; +in +{ + imports = [ + ../hardware/gigabyte-brix.nix + ../modules + (import ../../users).vincent + (import ../../users).root + ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/f10a12e7-d711-4bec-8246-a063de66589a"; + fsType = "ext4"; + options = [ "noatime" "discard" ]; + }; + fileSystems."/home" = { + device = "/dev/disk/by-uuid/0cd32a1a-5eab-4cba-8c9c-de310645b8b1"; + fsType = "ext4"; + options = [ "noatime" "discard" ]; + }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/B89C-E217"; + fsType = "vfat"; + }; + fileSystems."/mnt/naha" = { + device = "/dev/disk/by-uuid/9e2c7dda-2469-4f28-8d64-b34a609e3136"; + fsType = "ext4"; + options = [ "noatime" ]; + }; + swapDevices = [{ device = "/dev/disk/by-uuid/de4449cb-a158-409f-9e22-32a7b2c98c86"; }]; + + networking = { + hostName = hostname; + firewall.enable = false; # we are in safe territory :D + bridges.br1.interfaces = [ "enp0s31f6" ]; + useDHCP = false; + interfaces.br1 = { + useDHCP = true; + }; + }; + + profiles = { + home = true; + avahi.enable = true; + ssh.enable = true; + syncthing.enable = true; + virtualization = { enable = true; nested = true; listenTCP = true; }; + }; + + services = { + bind = { + enable = true; + forwarders = [ "8.8.8.8" "8.8.4.4" ]; + cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ]; + zones = [ + { + # home + name = "home"; + slaves = [ ]; + file 
= pkgs.mkSecret ../../secrets/db.home; + } + { + # home.reverse + name = "192.168.1.in-addr.arpa"; + slaves = [ ]; + file = pkgs.mkSecret ../../secrets/db.192.168.1; + } + { + # vpn + name = "vpn"; + slaves = [ ]; + file = pkgs.mkSecret ../../secrets/db.vpn; + } + { + # vpn.reverse + name = "10.100.0.in-addr.arpa"; + slaves = [ ]; + file = pkgs.mkSecret ../../secrets/db.10.100.0; + } + ]; + }; + syncthing.guiAddress = "0.0.0.0:8384"; + wireguard = { + enable = true; + ips = ips; + endpoint = endpointIP; + endpointPort = endpointPort; + endpointPublicKey = endpointPublicKey; + }; + }; + security.apparmor.enable = true; + security.pam.enableSSHAgentAuth = true; +} diff --git a/systems/hosts/sakhalin.nix b/systems/hosts/sakhalin.nix 
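Review bot: `services.syncthing.guiAddress = "0.0.0.0:8384"` exposes the Syncthing admin GUI on every interface of this host, and the same file sets `networking.firewall.enable = false`, so nothing on the host limits who can reach it; `kerkouane.nix` in this commit binds the same GUI to `127.0.0.1:8384`. Unless LAN-wide access is deliberate, `syncthing.guiAddress = "127.0.0.1:8384";` with an SSH tunnel when the UI is needed matches the other host; if it is deliberate, the GUI should carry credentials in Syncthing's own settings (not visible here) and a comment next to `# we are in safe territory :D` should say so, since that remark is the only justification recorded. The bind `forwarders` (`8.8.8.8`, `8.8.4.4`) also serve recursion for the wireguard range listed in `cacheNetworks` (`10.100.0.0/24`), which is worth a one-line comment on whether VPN peers are meant to resolve through a public upstream.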
@@ -0,0 +1,245 @@
+{ pkgs, lib, ... }:
+
+with lib;
+let
+ hostname = "sakhalin";
+ secretPath = ../../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+
+ ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
+ ips = lists.optionals secretCondition ([ "${ip}/24" ]);
+ endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
+ endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
+in
+{
+ imports = [
+ ../hardware/gigabyte-brix.nix
+ ../modules
+ (import ../../users).vincent
+ (import ../../users).root
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/92ce650d-873e-41c1-a44e-71c2b9191b9d";
+ fsType = "ext4";
+ options = [ "noatime" "discard" ];
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/B226-075A";
+ fsType = "vfat";
+ };
+ fileSystems."/home" = {
+ device = "/dev/disk/by-uuid/4f614c00-d94d-42f9-8386-3ecd396aa246";
+ fsType = "ext4";
+ options = [ "noatime" "discard" ];
+ };
+ fileSystems."/mnt/gaia" = {
+ device = "/dev/disk/by-uuid/88d3d686-d451-4ba9-bd6e-373601ed2683";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+ fileSystems."/mnt/toshito" = {
+ device = "/dev/disk/by-uuid/3c7cf84e-2486-417d-9de8-4b7757d483e4";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+ swapDevices = [{ device = "/dev/disk/by-uuid/9eb067d1-b329-4fbb-ae27-38abfbe7c108"; }];
+
+ networking = {
+ hostName = hostname;
+ firewall.enable = false; # we are in safe territory :D
+ bridges.br1.interfaces = [ "enp0s31f6" ];
+ useDHCP = false;
+ interfaces.br1 = {
+ useDHCP = true;
+ };
+ };
+
+ profiles = {
+ home = true;
+ avahi.enable = true;
+ git.enable = true;
+ ssh.enable = true;
+ syncthing.enable = true;
+ virtualization = { enable = true; nested = true; listenTCP = true; };
+ };
+
+ fileSystems."/export/gaia" = { device = "/mnt/gaia"; options = [ "bind" ]; };
+ fileSystems."/export/toshito" = { device = "/mnt/toshito"; options = [ "bind" ]; };
+
+ services = {
+ tarsnap = {
+ enable = true;
+ archives = {
+ documents = {
+ directories = [ "/home/vincent/desktop/documents" ];
+ period = "daily";
+ keyfile = "/etc/nixos/assets/tarsnap.documents.key";
+ };
+ org = {
+ directories = [ "/home/vincent/desktop/org" ];
+ period = "daily";
+ keyfile = "/etc/nixos/assets/tarsnap.org.key";
+ };
+ sites = {
+ directories = [ "/home/vincent/desktop/sites" ];
+ period = "daily";
+ keyfile = "/etc/nixos/assets/tarsnap.sites.key";
+ };
+ };
+ };
+ nfs.server = {
+ enable = true;
+ exports = ''
+ /export 192.168.1.0/24(rw,fsid=0,no_subtree_check) 10.100.0.0/24(rw,fsid=0,no_subtree_check)
+ /export/gaia 192.168.1.0/24(rw,fsid=1,no_subtree_check) 10.100.0.0/24(rw,fsid=1,no_subtree_check)
+ /export/toshito 192.168.1.0/24(rw,fsid=2,no_subtree_check) 10.100.0.0/24(rw,fsid=2,no_subtree_check)
+ '';
+ };
+ nix-binary-cache = {
+ enable = true;
+ domain = "nix.cache.home";
+ aliases = [ "cache.sakhalin.home" ];
+ };
+ dockerRegistry = {
+ enable = true;
+ listenAddress = "0.0.0.0";
+ enableGarbageCollect = true;
+ };
+ bind = {
+ enable = true;
+ forwarders = [ "8.8.8.8" "8.8.4.4" ];
+ cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ];
+ zones = [
+ {
+ # home
+ name = "home";
+ slaves = [ ];
+ file = pkgs.mkSecret ../../secrets/db.home;
+ }
+ {
+ # home.reverse
+ name = "192.168.1.in-addr.arpa";
+ slaves = [ ];
+ file = pkgs.mkSecret ../../secrets/db.192.168.1;
+ }
+ {
+ # vpn
+ name = "vpn";
+ slaves = [ ];
+ file = pkgs.mkSecret ../../secrets/db.vpn;
+ }
+ {
+ # vpn.reverse
+ name = "10.100.0.in-addr.arpa";
+ slaves = [ ];
+ file = pkgs.mkSecret ../../secrets/db.10.100.0;
+ }
+ ];
+ };
+ syncthing.guiAddress = "0.0.0.0:8384";
+ wireguard = {
+ enable = true;
+ ips = ips;
+ endpoint = endpointIP;
+ endpointPort = endpointPort;
+ endpointPublicKey = endpointPublicKey;
+ };
+ };
+ security.apparmor.enable = true;
+ # -----------------------------------
+ environment.etc."vrsync".text = ''
+ /home/vincent/desktop/pictures/screenshots/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/screenshots/
+ /home/vincent/desktop/pictures/wallpapers/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/wallpapers/
+ /home/vincent/desktop/documents/ vincent@synodine.home:/volume1/documents/
+ /mnt/gaia/photos/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/photos/
+ /mnt/gaia/music/ vincent@synodine.home:/volumeUSB2/usbshare/music/
+ '';
+ systemd.services.vrsync = {
+ description = "vrsync - sync folders to NAS";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ unitConfig.X-StopOnRemoval = false;
+ restartIfChanged = false;
+
+ path = with pkgs; [ rsync coreutils bash openssh ];
+ script = ''
+ ${pkgs.vrsync}/bin/vrsync
+ '';
+
+ startAt = "hourly";
+ serviceConfig = {
+ Type = "oneshot";
+ OnFailure = "status-email-root@%n.service";
+ };
+ };
+ environment.etc."secrets/srht-token".source = pkgs.mkSecret ../../secrets/token_srht;
+ # builds.sr.ht: daily builds
+ systemd.services.builds-srht = {
+ description = "Daily builds.sr.ht";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ restartIfChanged = false;
+ unitConfig.X-StopOnRemoval = false;
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "vincent";
+ OnFailure = "status-email-root@%n.service";
+ };
+
+ script = "${pkgs.my.bus}/bin/bus";
+
+ startAt = "daily";
+ };
+ # ape – sync git mirrors
+ systemd.services.ape = {
+ description = "Ape - sync git mirrors";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ restartIfChanged = false;
+ unitConfig.X-StopOnRemoval = false;
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "vincent";
+ OnFailure = "status-email-root@%n.service";
+ };
+
+ path = with pkgs; [ git ];
+ script = ''
+ ${pkgs.my.ape}/bin/ape up /home/vincent/var/mirrors
+ '';
+
+ startAt = "hourly";
+ };
+ # mr -i u daily
+ systemd.services.mr = {
+ description = "Update configs daily";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ restartIfChanged = false;
+ unitConfig.X-StopOnRemoval = false;
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "vincent";
+ OnFailure = "status-email-root@%n.service";
+ };
+
+ path = with pkgs; [ git mr ];
+ script = ''
+ set -e
+ cd /mnt/gaia/src/configs/
+ mr -t run git reset --hard
+ mr -t u
+ '';
+
+ startAt = "daily";
+ };
+}
diff --git a/systems/hosts/wakasu.nix b/systems/hosts/wakasu.nix
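Review bot: `secretPath = ../../../secrets/machines.nix;` at the top of this file has one `../` too many: the file now lives in systems/hosts/, the sibling hosts added in this commit (okinawa, wakasu) use `../../secrets/machines.nix`, and this file's own `pkgs.mkSecret ../../secrets/...` references further down resolve two levels up. Because everything derived from it is guarded by `secretCondition = builtins.pathExists secretPath`, the wrong path does not fail evaluation; it silently yields `ips = []`, `endpoint = ""`, `endpointPort = 0` and an empty peer key, so the next rebuild would presumably produce a WireGuard service with an empty peer configuration instead of an error. Change it to `secretPath = ../../secrets/machines.nix;`. Separately, `dockerRegistry.listenAddress = "0.0.0.0"` together with `firewall.enable = false` in the networking block exposes an unauthenticated registry to both the LAN and the VPN; if that is intended, a one-line comment next to the option saying so would save the next reader the question.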
@@ -0,0 +1,141 @@
+{ lib, pkgs, ... }:
+
+with lib;
+let
+ hostname = "wakasu";
+ secretPath = ../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+
+ ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
+ ips = lists.optionals secretCondition ([ "${ip}/24" ]);
+ endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
+ endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
+in
+{
+ imports = [
+ ../hardware/lenovo-p50.nix
+ ../modules
+ (import ../../users).vincent
+ (import ../../users).root
+ ];
+
+ networking = {
+ hostName = hostname;
+ bridges.br1.interfaces = [ "enp0s31f6" ];
+ firewall.enable = false; # we are in safe territory :D
+ useDHCP = false;
+ interfaces.br1 = {
+ useDHCP = true;
+ };
+ };
+
+ /*
+ Keep this for naruhodo.
+ boot.initrd.luks.devices = {
+ root = {
+ device = "/dev/disk/by-uuid/49167ed2-8411-4fa3-94cf-2f3cce05c940";
+ preLVM = true;
+ allowDiscards = true;
+ keyFile = "/dev/disk/by-id/usb-_USB_DISK_2.0_070D375D84327E87-0:0";
+ keyFileOffset = 30992883712;
+ keyFileSize = 4096;
+ fallbackToPassword = true;
+ };
+ };
+ */
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/6590b73d-72a4-4356-94b1-f56ac45c976d";
+ fsType = "ext4";
+ options = [ "noatime" "discard" ];
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/7FA5-145B";
+ fsType = "vfat";
+ };
+
+ swapDevices = [{ device = "/dev/disk/by-uuid/720200fc-8f27-49a7-85bb-a406b6119d31"; }];
+
+ profiles = {
+ home = true;
+ dev.enable = true;
+ desktop.enable = lib.mkForce false;
+ laptop.enable = true;
+ docker.enable = true;
+ avahi.enable = true;
+ syncthing.enable = true;
+ ssh = { enable = true; forwardX11 = true; };
+ virtualization = { enable = true; nested = true; listenTCP = true; };
+ kubernetes.enable = true;
+ openshift.enable = true;
+ tekton.enable = true;
+ yubikey.enable = true;
+ };
+ virtualisation.podman.enable = true;
+ virtualisation.containers = {
+ enable = true;
+ registries = {
+ search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
+ };
+ policy = {
+ default = [{ type = "insecureAcceptAnything"; }];
+ transports = {
+ docker-daemon = {
+ "" = [{ type = "insecureAcceptAnything"; }];
+ };
+ };
+ };
+ };
+ security = {
+ sudo.extraConfig = ''
+ %users ALL = (root) NOPASSWD: /home/vincent/.nix-profile/bin/kubernix
+ '';
+ pam.u2f.enable = true;
+ };
+ services = {
+ xserver = {
+ enable = true;
+ displayManager.xpra = {
+ enable = true;
+ bindTcp = "0.0.0.0:10000";
+ pulseaudio = true;
+ extraOptions = [ "--video-scaling=0" "--min-quality=85" "--desktop-scaling=off" ];
+ };
+ };
+ logind.extraConfig = ''
+ HandleLidSwitch=ignore
+ HandleLidSwitchExternalPower=ignore
+ HandleLidSwitchDocked=ignore
+ '';
+ #syncthing.guiAddress = "${wireguard.ips.wakasu}:8384";
+ syncthing.guiAddress = "0.0.0.0:8384";
+ smartd = {
+ enable = true;
+ devices = [{ device = "/dev/nvme0n1"; }];
+ };
+ wireguard = {
+ enable = true;
+ ips = ips;
+ endpoint = endpointIP;
+ endpointPort = endpointPort;
+ endpointPublicKey = endpointPublicKey;
+ };
+ };
+ /*
+ virtualisation.containers = {
+ enable = true;
+ registries = {
+ search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
+ };
+ policy = {
+ default = [{ type = "insecureAcceptAnything"; }];
+ transports = {
+ docker-daemon = {
+ "" = [{ type = "insecureAcceptAnything"; }];
+ };
+ };
+ };
+ };
+ */
+}
diff --git a/systems/kerkouane.nix b/systems/kerkouane.nix
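Review bot: The sudoers rule `%users ALL = (root) NOPASSWD: /home/vincent/.nix-profile/bin/kubernix` in `security.sudo.extraConfig` grants passwordless root to every member of `users` for a command that resolves through a path the unprivileged account controls (`~/.nix-profile` is a per-user symlink that `nix-env` repoints), so whatever that path points at the moment sudo runs is executed as root; in effect the rule is unrestricted NOPASSWD root for that account and for any process running as it. If the rule is needed, reference a store path fixed by the system configuration instead (a package attribute interpolated into the string, placeholder `${pkgs.<kubernix-package>}/bin/kubernix`) and narrow `%users` to the one account that needs it. In the same hunk `displayManager.xpra.bindTcp = "0.0.0.0:10000"` is an unauthenticated listener on every interface with `firewall.enable = false`; binding it to `127.0.0.1:10000` or to the WireGuard `ip` would match the intent recorded in the commented-out `#syncthing.guiAddress = "${wireguard.ips.wakasu}:8384";` line just below it. The commented-out `virtualisation.containers` block at the end of the file repeats the live one above `security` verbatim and can be dropped.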
@@ -1,189 +0,0 @@
-{ pkgs, lib, ... }:
-
-with lib;
-let
- hostname = "kerkouane";
-
- networkingConfigPath = ../networking.nix;
- hasNetworkingConfig = (builtins.pathExists networkingConfigPath);
- secretPath = ../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
-
- sshPort = if secretCondition then (import secretPath).ssh.kerkouane.port else 22;
-
- nginxExtraConfig = ''
- expires 31d;
- add_header Cache-Control "public, max-age=604800, immutable";
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
- add_header X-Content-Type-Options "nosniff";
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Content-Security-Policy "default-src 'self' *.sbr.pm *.sbr.systems *.demeester.fr";
- add_header X-XSS-Protection "1; mode=block";
- '';
-
- nginx = pkgs.nginxMainline.override (old: {
- modules = with pkgs.nginxModules; [
- fancyindex
- ];
- });
-
- filesWWW = {
- enableACME = true;
- forceSSL = true;
- root = "/home/vincent/desktop/sites/dl.sbr.pm";
- locations."/" = {
- index = "index.html";
- extraConfig = ''
- fancyindex on;
- fancyindex_localtime on;
- fancyindex_exact_size off;
- fancyindex_header "/.fancyindex/header.html";
- fancyindex_footer "/.fancyindex/footer.html";
- # fancyindex_ignore "examplefile.html";
- fancyindex_ignore "README.md";
- fancyindex_ignore "HEADER.md";
- fancyindex_ignore ".fancyindex";
- fancyindex_name_length 255;
- '';
- };
- locations."/private" = {
- extraConfig = ''
- auth_basic "Restricted";
- auth_basic_user_file /home/vincent/desktop/sites/dl.sbr.pm/private/.htpasswd;
- '';
- };
- extraConfig = nginxExtraConfig;
- };
-
- sources = import ../nix/sources.nix;
-in
-{
- imports = [
- (sources.nixos + "/nixos/modules/profiles/qemu-guest.nix")
- ./modules
- (import ../users).vincent
- (import ../users).root
- ]
- # digitalocean specifics
- ++ optionals hasNetworkingConfig [ networkingConfigPath ];
-
- networking.hostName = hostname;
-
- boot.loader.grub.device = "/dev/vda";
- boot.loader.grub.enable = lib.mkForce true;
- boot.loader.systemd-boot.enable = lib.mkForce false;
- fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
- swapDevices = [{ device = "/swapfile"; size = 1024; }];
-
- core.nix = {
- # FIXME move this away
- localCaches = [ ];
- buildCores = 1;
- };
-
- profiles = {
- git.enable = true;
- ssh.enable = true;
- syncthing.enable = true;
- wireguard.server.enable = true;
- };
-
- networking.firewall.allowPing = true;
- networking.firewall.allowedTCPPorts = [ 80 443 ];
- security = {
- acme = {
- acceptTerms = true;
- email = "vincent@sbr.pm";
- };
- #acme.certs = {
- # "sbr.pm".email = "vincent@sbr.pm";
- #};
- };
- security.pam.enableSSHAgentAuth = true;
- #systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/home/vincent/desktop/sites" ];
- systemd.services.nginx.serviceConfig.ProtectHome = lib.mkForce false;
- services = {
- govanityurl = {
- enable = true;
- user = "nginx";
- host = "go.sbr.pm";
- config = ''
- paths:
- /ape:
- repo: https://git.sr.ht/~vdemeester/ape
- /nr:
- repo: https://git.sr.ht/~vdemeester/nr
- /ram:
- repo: https://git.sr.ht/~vdemeester/ram
- /sec:
- repo: https://git.sr.ht/~vdemeester/sec
- '';
- };
- nginx = {
- enable = true;
- package = nginx;
- recommendedGzipSettings = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- virtualHosts."dl.sbr.pm" = filesWWW;
- virtualHosts."files.sbr.pm" = filesWWW;
- virtualHosts."paste.sbr.pm" = {
- enableACME = true;
- forceSSL = true;
- root = "/home/vincent/desktop/sites/paste.sbr.pm";
- locations."/" = {
- index = "index.html";
- };
- extraConfig = nginxExtraConfig;
- };
- virtualHosts."go.sbr.pm" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = { proxyPass = "http://127.0.0.1:8080"; };
- extraConfig = nginxExtraConfig;
- };
- virtualHosts."sbr.pm" = {
- enableACME = true;
- forceSSL = true;
- root = "/home/vincent/desktop/sites/sbr.pm";
- locations."/" = {
- index = "index.html";
- };
- extraConfig = nginxExtraConfig;
- };
- virtualHosts."sbr.systems" = {
- enableACME = true;
- forceSSL = true;
- root = "/home/vincent/desktop/sites/sbr.systems";
- locations."/" = {
- index = "index.html";
- };
- extraConfig = nginxExtraConfig;
- };
- virtualHosts."vincent.demeester.fr" = {
- enableACME = true;
- forceSSL = true;
- root = "/home/vincent/desktop/sites/vincent.demeester.fr";
- locations."/" = {
- index = "index.html";
- extraConfig = ''
- fancyindex on;
- fancyindex_localtime on;
- fancyindex_exact_size off;
- fancyindex_header "/assets/.fancyindex/header.html";
- fancyindex_footer "/assets/.fancyindex/footer.html";
- # fancyindex_ignore "examplefile.html";
- fancyindex_ignore "README.md";
- fancyindex_ignore "HEADER.md";
- fancyindex_ignore ".fancyindex";
- fancyindex_name_length 255;
- '';
- };
- extraConfig = nginxExtraConfig;
- };
- };
- openssh.ports = [ sshPort ];
- openssh.permitRootLogin = "without-password";
- syncthing.guiAddress = "127.0.0.1:8384";
- };
-}
diff --git a/systems/modules/buildkit.nix b/systems/modules/buildkit.nix
@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.virtualisation.buildkitd;
+ inherit (lib) mkOption mkIf types;
+in
+{
+ options.virtualisation.buildkitd = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description =
+ ''
+ This option enables buildkitd
+ '';
+ };
+
+ package = mkOption {
+ default = pkgs.buildkit;
+ type = types.package;
+ example = pkgs.buildkit;
+ description = ''
+ Buildkitd package to be used in the module
+ '';
+ };
+
+ packages = mkOption {
+ type = types.listOf types.package;
+ default = [ pkgs.runc pkgs.git ];
+ description = "List of packages to be added to buildkitd service path";
+ };
+
+ extraOptions = mkOption {
+ type = types.separatedString " ";
+ default = "";
+ description =
+ ''
+ The extra command-line options to pass to
+ <command>buildkitd</command> daemon.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.groups = [
+ {
+ name = "buildkit";
+ gid = 350;
+ }
+ ];
+ environment.systemPackages = [ cfg.package ];
+ systemd.packages = [ cfg.package ];
+
+ systemd.services.buildkitd = {
+ wants = [ "containerd.service" ];
+ after = [ "containerd.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = [
+ ""
+ ''
+ ${cfg.package}/bin/buildkitd \
+ ${cfg.extraOptions}
+ ''
+ ];
+ };
+ path = [ cfg.package ] ++ cfg.packages;
+ };
+
+
+ systemd.sockets.buildkitd = {
+ description = "Buildkitd Socket for the API";
+ wantedBy = [ "sockets.target" ];
+ socketConfig = {
+ ListenStream = "/run/buildkitd/buildkitd.sock";
+ SocketMode = "0660";
+ SocketUser = "root";
+ SocketGroup = "buildkit";
+ };
+ };
+
+ };
+
+
+}
diff --git a/systems/modules/containerd.nix b/systems/modules/containerd.nix
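Review bot: The rewrite drops the `listenOptions` option that the module it replaces (systems/modules/virtualisation/buildkit.nix, deleted in this commit) exposed, and hard-codes `ListenStream = "/run/buildkitd/buildkitd.sock"` in the socket unit; any host configuration that still sets `virtualisation.buildkitd.listenOptions` now fails evaluation on an undefined option, and a TCP listener can no longer be configured through the module. The new systems/modules/containerd.nix drops the same option in the same way. If keeping it is acceptable, restoring the option with the socket path as its default preserves the old interface at little cost (sketched below). Two smaller points: this module names the path-extension option `packages` while containerd.nix names it `extraPackages` (the systems/modules/profiles/containerd.nix hunk renames only the containerd caller), so aligning on `extraPackages` now avoids a second migration later; and since the socket is `0660` with `SocketGroup = "buildkit"`, membership in that group is effective root-level access to a root daemon, which the `enable` description should state, e.g. `Members of the buildkit group can drive the root-owned daemon through its socket.`
```nix
listenOptions = mkOption {
  type = types.listOf types.str;
  default = [ "/run/buildkitd/buildkitd.sock" ];
  description = "Unix and tcp addresses buildkitd listens on, in the ListenStream syntax of systemd.socket(5).";
};
# … unchanged: package, packages, extraOptions options …
socketConfig = {
  ListenStream = cfg.listenOptions;
  # … unchanged: SocketMode, SocketUser, SocketGroup …
};
```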
@@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.virtualisation.containerd;
+
+ inherit (lib) mkOption types mkIf;
+in
+{
+ options.virtualisation.containerd = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ This option enables containerd, a daemon that manages linux containers.
+ '';
+ };
+
+ package = mkOption {
+ default = pkgs.containerd;
+ type = types.package;
+ example = pkgs.containerd;
+ description = ''
+ Containerd package to be used in the module
+ '';
+ };
+
+ extraPackages = mkOption {
+ type = types.listOf types.package;
+ default = [ pkgs.runc ];
+ description = "List of packages to be added to containerd service path";
+ };
+
+ extraOptions = mkOption {
+ type = types.separatedString " ";
+ default = "";
+ description =
+ ''
+ The extra command-line options to pass to
+ <command>containerd</command> daemon.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ cfg.package ];
+ systemd.packages = [ cfg.package ];
+
+ systemd.services.containerd = {
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = [
+ ""
+ ''
+ ${cfg.package}/bin/containerd \
+ ${cfg.extraOptions}
+ ''
+ ];
+ };
+ path = [ cfg.package ] ++ cfg.extraPackages;
+ };
+
+
+ systemd.sockets.containerd = {
+ description = "Containerd Socket for the API";
+ wantedBy = [ "sockets.target" ];
+ socketConfig = {
+ ListenStream = "/run/containerd/containerd.sock";
+ SocketMode = "0660";
+ SocketUser = "root";
+ SocketGroup = "root";
+ };
+ };
+
+ };
+
+
+}
diff --git a/systems/modules/default.flake.nix b/systems/modules/default.flake.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+# This file just imports all the modules defined in this folder.
+
+{
+ imports = [
+ ./buildkit.nix
+ ./containerd.nix
+ ];
+}
diff --git a/systems/modules/profiles/containerd.nix b/systems/modules/profiles/containerd.nix
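Review bot: `enable = mkOption { type = types.bool; default = false; description = ''...''; }` is the pattern `lib.mkEnableOption` exists for; `enable = mkEnableOption "containerd, a daemon that manages linux containers";` yields the same option with the conventional wording and would need `mkEnableOption` added to the `inherit (lib) ...` line. The `extraOptions` value is interpolated unquoted into the `ExecStart` string after a line continuation, so an empty default leaves a trailing backslash-newline in the command line; it is harmless with systemd's parsing as far as I can tell, but a short comment on the `''` block saying the blank continuation is intentional would stop the next reader from "fixing" it. The two consecutive blank lines before `systemd.sockets.containerd` and before the closing brace are a style nit shared with buildkit.nix.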
@@ -41,7 +41,7 @@ in
 containerd = {
 enable = true;
 package = cfg.package;
- packages = [ cfg.runcPackage ];
+ extraPackages = [ cfg.runcPackage ];
 };
 };
 };
diff --git a/systems/modules/virtualisation/buildkit.nix b/systems/modules/virtualisation/buildkit.nix
@@ -1,102 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- cfg = config.virtualisation.buildkitd;
-in
-{
- ###### interface
-
- options.virtualisation.buildkitd = {
- enable =
- mkOption {
- type = types.bool;
- default = false;
- description =
- ''
- This option enables buildkitd
- '';
- };
-
- listenOptions =
- mkOption {
- type = types.listOf types.str;
- default = [ "/run/buildkitd/buildkitd.sock" ];
- description =
- ''
- A list of unix and tcp buildkitd should listen to. The format follows
- ListenStream as described in systemd.socket(5).
- '';
- };
-
- package = mkOption {
- default = pkgs.buildkit;
- type = types.package;
- example = pkgs.buildkit;
- description = ''
- Buildkitd package to be used in the module
- '';
- };
-
- packages = mkOption {
- type = types.listOf types.package;
- default = [ pkgs.runc pkgs.git ];
- description = "List of packages to be added to buildkitd service path";
- };
-
- extraOptions =
- mkOption {
- type = types.separatedString " ";
- default = "";
- description =
- ''
- The extra command-line options to pass to
- <command>buildkitd</command> daemon.
- '';
- };
- };
-
- ###### implementation
-
- config = mkIf cfg.enable {
- users.groups = [
- {
- name = "buildkit";
- gid = 350;
- }
- ];
- environment.systemPackages = [ cfg.package ];
- systemd.packages = [ cfg.package ];
-
- systemd.services.buildkitd = {
- wants = [ "containerd.service" ];
- after = [ "containerd.service" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- ExecStart = [
- ""
- ''
- ${cfg.package}/bin/buildkitd \
- ${cfg.extraOptions}
- ''
- ];
- };
- path = [ cfg.package ] ++ cfg.packages;
- };
-
-
- systemd.sockets.buildkitd = {
- description = "Buildkitd Socket for the API";
- wantedBy = [ "sockets.target" ];
- socketConfig = {
- ListenStream = cfg.listenOptions;
- SocketMode = "0660";
- SocketUser = "root";
- SocketGroup = "buildkit";
- };
- };
-
- };
-
-
-}
diff --git a/systems/modules/virtualisation/containerd.nix b/systems/modules/virtualisation/containerd.nix
@@ -1,99 +0,0 @@
-# Systemd services for containerd.
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
-
- cfg = config.virtualisation.containerd;
-
-in
-{
- ###### interface
-
- options.virtualisation.containerd = {
- enable =
- mkOption {
- type = types.bool;
- default = false;
- description =
- ''
- This option enables containerd, a daemon that manages
- linux containers.
- '';
- };
-
- listenOptions =
- mkOption {
- type = types.listOf types.str;
- default = [ "/run/containerd/containerd.sock" ];
- description =
- ''
- A list of unix and tcp containerd should listen to. The format follows
- ListenStream as described in systemd.socket(5).
- '';
- };
-
- package = mkOption {
- default = pkgs.containerd;
- type = types.package;
- example = pkgs.containerd;
- description = ''
- Containerd package to be used in the module
- '';
- };
-
- packages = mkOption {
- type = types.listOf types.package;
- default = [ pkgs.runc ];
- description = "List of packages to be added to containerd service path";
- };
-
- extraOptions =
- mkOption {
- type = types.separatedString " ";
- default = "";
- description =
- ''
- The extra command-line options to pass to
- <command>containerd</command> daemon.
- '';
- };
- };
-
- ###### implementation
-
- config = mkIf cfg.enable {
- environment.systemPackages = [ cfg.package ];
- systemd.packages = [ cfg.package ];
-
- systemd.services.containerd = {
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- ExecStart = [
- ""
- ''
- ${cfg.package}/bin/containerd \
- ${cfg.extraOptions}
- ''
- ];
- };
- path = [ cfg.package ] ++ cfg.packages;
- };
-
-
- systemd.sockets.containerd = {
- description = "Containerd Socket for the API";
- wantedBy = [ "sockets.target" ];
- socketConfig = {
- ListenStream = cfg.listenOptions;
- SocketMode = "0660";
- SocketUser = "root";
- SocketGroup = "root";
- };
- };
-
- };
-
-
-}
diff --git a/systems/modules/virtualisation/default.nix b/systems/modules/virtualisation/default.nix
@@ -1,7 +1,6 @@
 {
 imports = [
- # Remove "nixos" from here
- ./buildkit.nix
- ./containerd.nix
+ ../buildkit.nix
+ ../containerd.nix
 ];
 }
diff --git a/systems/naruhodo.home.nix b/systems/naruhodo.home.nix
@@ -1,35 +0,0 @@
-{ pkgs, lib, ... }:
-
-with lib;
-let
- hostname = "hokkaido";
- secretPath = ../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
-in
-{
- imports = [
- (import ../users/vincent/core)
- # mails
- (import ../users/vincent/mails { inherit hostname pkgs; })
- # dev
- (import ../users/vincent/dev)
- # containers
- ../users/vincent/containers/kubernetes.nix
- ../users/vincent/containers/openshift.nix
- ];
-
- home.extraOutputsToInstall = [ "man" ];
- home.file.".local/share/applications/redhat-vpn.desktop".source = ./naruhodo/redhat-vpn.desktop;
-
- programs.bash.enable = lib.mkForce false;
- programs.man.enable = true;
-
- services = {
- gpg-agent = {
- enable = true;
- enableSshSupport = true;
- enableExtraSocket = true;
- defaultCacheTtlSsh = 7200;
- };
- };
-}
diff --git a/systems/naruhodo.nix b/systems/naruhodo.nix
@@ -1,102 +0,0 @@
-{ pkgs, lib, ... }:
-
-with lib;
-let
- hostname = "naruhodo";
- secretPath = ../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
-
- ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
- ips = lists.optionals secretCondition ([ "${ip}/24" ]);
- endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
- endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
- endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
-in
-{
- imports = [
- ./hardware/thinkpad-t480s.nix
- ./modules
- (import ../users).vincent
- (import ../users).root
- ];
-
- fileSystems."/" =
- {
- device = "/dev/mapper/root";
- fsType = "ext4";
- options = [ "noatime" "discard" ];
- };
-
- boot.initrd.luks.devices = {
- root = {
- device = "/dev/disk/by-uuid/50d7faba-8923-4b30-88f7-40df26e02def";
- preLVM = true;
- allowDiscards = true;
- };
- };
-
- fileSystems."/boot" =
- {
- device = "/dev/disk/by-uuid/0101-68DE";
- fsType = "vfat";
- };
-
- swapDevices =
- [{ device = "/dev/disk/by-uuid/aff86817-55ae-47ed-876a-e5a027b560ba"; }];
-
- networking = {
- hostName = hostname;
- };
-
- boot = {
- tmpOnTmpfs = true;
- plymouth.enable = true;
- extraModulePackages = with pkgs.linuxPackages; [
- v4l2loopback
- ];
- kernelModules = [ "v4l2loopback" ];
- extraModprobeConfig = ''
- options v4l2loopback exclusive_caps=1
- '';
- };
-
- services.hardware.bolt.enable = true;
- profiles = {
- desktop.i3.enable = true;
- laptop.enable = true;
- home = true;
- dev.enable = true;
- yubikey.enable = true;
- virtualization = { enable = true; nested = true; };
- docker.enable = true;
- redhat.enable = true;
- scanning.enable = true;
- };
- environment.systemPackages = with pkgs; [ virtmanager ];
-
- services = {
- wireguard = {
- enable = true;
- ips = ips;
- endpoint = endpointIP;
- endpointPort = endpointPort;
- endpointPublicKey = endpointPublicKey;
- };
- };
-
- virtualisation.podman.enable = true;
- virtualisation.containers = {
- enable = true;
- registries = {
- search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
- };
- policy = {
- default = [{ type = "insecureAcceptAnything"; }];
- transports = {
- docker-daemon = {
- "" = [{ type = "insecureAcceptAnything"; }];
- };
- };
- };
- };
-}
diff --git a/systems/okinawa.nix b/systems/okinawa.nix
@@ -1,105 +0,0 @@
-{ pkgs, lib, ... }:
-
-with lib;
-let
- hostname = "okinawa";
- secretPath = ../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
-
- ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
- ips = lists.optionals secretCondition ([ "${ip}/24" ]);
- endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
- endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
- endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
-in
-{
- imports = [
- ./hardware/gigabyte-brix.nix
- ./modules
- (import ../users).vincent
- (import ../users).root
- ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/f10a12e7-d711-4bec-8246-a063de66589a";
- fsType = "ext4";
- options = [ "noatime" "discard" ];
- };
- fileSystems."/home" = {
- device = "/dev/disk/by-uuid/0cd32a1a-5eab-4cba-8c9c-de310645b8b1";
- fsType = "ext4";
- options = [ "noatime" "discard" ];
- };
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/B89C-E217";
- fsType = "vfat";
- };
- fileSystems."/mnt/naha" = {
- device = "/dev/disk/by-uuid/9e2c7dda-2469-4f28-8d64-b34a609e3136";
- fsType = "ext4";
- options = [ "noatime" ];
- };
- swapDevices = [{ device = "/dev/disk/by-uuid/de4449cb-a158-409f-9e22-32a7b2c98c86"; }];
-
- networking = {
- hostName = hostname;
- firewall.enable = false; # we are in safe territory :D
- bridges.br1.interfaces = [ "enp0s31f6" ];
- useDHCP = false;
- interfaces.br1 = {
- useDHCP = true;
- };
- };
-
- profiles = {
- home = true;
- avahi.enable = true;
- ssh.enable = true;
- syncthing.enable = true;
- virtualization = { enable = true; nested = true; listenTCP = true; };
- };
-
- services = {
- bind = {
- enable = true;
- forwarders = [ "8.8.8.8" "8.8.4.4" ];
- cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ];
- zones = [
- {
- # home
- name = "home";
- slaves = [ ];
- file = pkgs.mkSecret ../secrets/db.home;
- }
- {
- # home.reverse
- name = "192.168.1.in-addr.arpa";
- slaves = [ ];
- file = pkgs.mkSecret ../secrets/db.192.168.1;
- }
- {
- # vpn
- name = "vpn";
- slaves = [ ];
- file = pkgs.mkSecret ../secrets/db.vpn;
- }
- {
- # vpn.reverse
- name = "10.100.0.in-addr.arpa";
- slaves = [ ];
- file = pkgs.mkSecret ../secrets/db.10.100.0;
- }
- ];
- };
- syncthing.guiAddress = "0.0.0.0:8384";
- wireguard = {
- enable = true;
- ips = ips;
- endpoint = endpointIP;
- endpointPort = endpointPort;
- endpointPublicKey = endpointPublicKey;
- };
- };
- security.apparmor.enable = true;
- security.pam.enableSSHAgentAuth = true;
-}
diff --git a/systems/sakhalin.nix b/systems/sakhalin.nix
@@ -1,245 +0,0 @@
-{ pkgs, lib, ... }:
-
-with lib;
-let
- hostname = "sakhalin";
- secretPath = ../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
-
- ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
- ips = lists.optionals secretCondition ([ "${ip}/24" ]);
- endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
- endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
- endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
-in
-{
- imports = [
- ./hardware/gigabyte-brix.nix
- ./modules
- (import ../users).vincent
- (import ../users).root
- ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/92ce650d-873e-41c1-a44e-71c2b9191b9d";
- fsType = "ext4";
- options = [ "noatime" "discard" ];
- };
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/B226-075A";
- fsType = "vfat";
- };
- fileSystems."/home" = {
- device = "/dev/disk/by-uuid/4f614c00-d94d-42f9-8386-3ecd396aa246";
- fsType = "ext4";
- options = [ "noatime" "discard" ];
- };
- fileSystems."/mnt/gaia" = {
- device = "/dev/disk/by-uuid/88d3d686-d451-4ba9-bd6e-373601ed2683";
- fsType = "ext4";
- options = [ "noatime" ];
- };
- fileSystems."/mnt/toshito" = {
- device = "/dev/disk/by-uuid/3c7cf84e-2486-417d-9de8-4b7757d483e4";
- fsType = "ext4";
- options = [ "noatime" ];
- };
- swapDevices = [{ device = "/dev/disk/by-uuid/9eb067d1-b329-4fbb-ae27-38abfbe7c108"; }];
-
- networking = {
- hostName = hostname;
- firewall.enable = false; # we are in safe territory :D
- bridges.br1.interfaces = [ "enp0s31f6" ];
- useDHCP = false;
- interfaces.br1 = {
- useDHCP = true;
- };
- };
-
- profiles = {
- home = true;
- avahi.enable = true;
- git.enable = true;
- ssh.enable = true;
- syncthing.enable = true;
- virtualization = { enable = true; nested = true; listenTCP = true; };
- };
-
- fileSystems."/export/gaia" = { device = "/mnt/gaia"; options = [ "bind" ]; };
- fileSystems."/export/toshito" = { device = "/mnt/toshito"; options = [ "bind" ]; };
-
- services = {
- tarsnap = {
- enable = true;
- archives = {
- documents = {
- directories = [ "/home/vincent/desktop/documents" ];
- period = "daily";
- keyfile = "/etc/nixos/assets/tarsnap.documents.key";
- };
- org = {
- directories = [ "/home/vincent/desktop/org" ];
- period = "daily";
- keyfile = "/etc/nixos/assets/tarsnap.org.key";
- };
- sites = {
- directories = [ "/home/vincent/desktop/sites" ];
- period = "daily";
- keyfile = "/etc/nixos/assets/tarsnap.sites.key";
- };
- };
- };
- nfs.server = {
- enable = true;
- exports = ''
- /export 192.168.1.0/24(rw,fsid=0,no_subtree_check) 10.100.0.0/24(rw,fsid=0,no_subtree_check)
- /export/gaia 192.168.1.0/24(rw,fsid=1,no_subtree_check) 10.100.0.0/24(rw,fsid=1,no_subtree_check)
- /export/toshito 192.168.1.0/24(rw,fsid=2,no_subtree_check) 10.100.0.0/24(rw,fsid=2,no_subtree_check)
- '';
- };
- nix-binary-cache = {
- enable = true;
- domain = "nix.cache.home";
- aliases = [ "cache.sakhalin.home" ];
- };
- dockerRegistry = {
- enable = true;
- listenAddress = "0.0.0.0";
- enableGarbageCollect = true;
- };
- bind = {
- enable = true;
- forwarders = [ "8.8.8.8" "8.8.4.4" ];
- cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ];
- zones = [
- {
- # home
- name = "home";
- slaves = [ ];
- file = pkgs.mkSecret ../secrets/db.home;
- }
- {
- # home.reverse
- name = "192.168.1.in-addr.arpa";
- slaves = [ ];
- file = pkgs.mkSecret ../secrets/db.192.168.1;
- }
- {
- # vpn
- name = "vpn";
- slaves = [ ];
- file = pkgs.mkSecret ../secrets/db.vpn;
- }
- {
- # vpn.reverse
- name = "10.100.0.in-addr.arpa";
- slaves = [ ];
- file = pkgs.mkSecret ../secrets/db.10.100.0;
- }
- ];
- };
- syncthing.guiAddress = "0.0.0.0:8384";
- wireguard = {
- enable = true;
- ips = ips;
- endpoint = endpointIP;
- endpointPort = endpointPort;
- endpointPublicKey = endpointPublicKey;
- };
- };
- security.apparmor.enable = true;
- # -----------------------------------
- environment.etc."vrsync".text = ''
- /home/vincent/desktop/pictures/screenshots/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/screenshots/
- /home/vincent/desktop/pictures/wallpapers/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/wallpapers/
- /home/vincent/desktop/documents/ vincent@synodine.home:/volume1/documents/
- /mnt/gaia/photos/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/photos/
- /mnt/gaia/music/ vincent@synodine.home:/volumeUSB2/usbshare/music/
- '';
- systemd.services.vrsync = {
- description = "vrsync - sync folders to NAS";
- requires = [ "network-online.target" ];
- after = [ "network-online.target" ];
-
- unitConfig.X-StopOnRemoval = false;
- restartIfChanged = false;
-
- path = with pkgs; [ rsync coreutils bash openssh ];
- script = ''
- ${pkgs.vrsync}/bin/vrsync
- '';
-
- startAt = "hourly";
- serviceConfig = {
- Type = "oneshot";
- OnFailure = "status-email-root@%n.service";
- };
- };
- environment.etc."secrets/srht-token".source = pkgs.mkSecret ../secrets/token_srht;
- # builds.sr.ht: daily builds
- systemd.services.builds-srht = {
- description = "Daily builds.sr.ht";
- requires = [ "network-online.target" ];
- after = [ "network-online.target" ];
-
- restartIfChanged = false;
- unitConfig.X-StopOnRemoval = false;
-
- serviceConfig = {
- Type = "oneshot";
- User = "vincent";
- OnFailure = "status-email-root@%n.service";
- };
-
- script = "${pkgs.my.bus}/bin/bus";
-
- startAt = "daily";
- };
- # ape – sync git mirrors
- systemd.services.ape = {
- description = "Ape - sync git mirrors";
- requires = [ "network-online.target" ];
- after = [ "network-online.target" ];
-
- restartIfChanged = false;
- unitConfig.X-StopOnRemoval = false;
-
- serviceConfig = {
- Type = "oneshot";
- User = "vincent";
- OnFailure = "status-email-root@%n.service";
- };
-
- path = with pkgs; [ git ];
- script = ''
- ${pkgs.my.ape}/bin/ape up /home/vincent/var/mirrors
- '';
-
- startAt = "hourly";
- };
- # mr -i u daily
- systemd.services.mr = {
- description = "Update configs daily";
- requires = [ "network-online.target" ];
- after = [ "network-online.target" ];
-
- restartIfChanged = false;
- unitConfig.X-StopOnRemoval = false;
-
- serviceConfig = {
- Type = "oneshot";
- User = "vincent";
- OnFailure = "status-email-root@%n.service";
- };
-
- path = with pkgs; [ git mr ];
- script = ''
- set -e
- cd /mnt/gaia/src/configs/
- mr -t run git reset --hard
- mr -t u
- '';
-
- startAt = "daily";
- };
-}
diff --git a/systems/wakasu.nix b/systems/wakasu.nix
@@ -1,141 +0,0 @@
-{ lib, pkgs, ... }:
-
-with lib;
-let
- hostname = "wakasu";
- secretPath = ../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
-
- ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
- ips = lists.optionals secretCondition ([ "${ip}/24" ]);
- endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
- endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
- endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
-in
-{
- imports = [
- ./hardware/lenovo-p50.nix
- ./modules
- (import ../users).vincent
- (import ../users).root
- ];
-
- networking = {
- hostName = hostname;
- bridges.br1.interfaces = [ "enp0s31f6" ];
- firewall.enable = false; # we are in safe territory :D
- useDHCP = false;
- interfaces.br1 = {
- useDHCP = true;
- };
- };
-
- /*
- Keep this for naruhodo.
- boot.initrd.luks.devices = {
- root = {
- device = "/dev/disk/by-uuid/49167ed2-8411-4fa3-94cf-2f3cce05c940";
- preLVM = true;
- allowDiscards = true;
- keyFile = "/dev/disk/by-id/usb-_USB_DISK_2.0_070D375D84327E87-0:0";
- keyFileOffset = 30992883712;
- keyFileSize = 4096;
- fallbackToPassword = true;
- };
- };
- */
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/6590b73d-72a4-4356-94b1-f56ac45c976d";
- fsType = "ext4";
- options = [ "noatime" "discard" ];
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/7FA5-145B";
- fsType = "vfat";
- };
-
- swapDevices = [{ device = "/dev/disk/by-uuid/720200fc-8f27-49a7-85bb-a406b6119d31"; }];
-
- profiles = {
- home = true;
- dev.enable = true;
- desktop.enable = lib.mkForce false;
- laptop.enable = true;
- docker.enable = true;
- avahi.enable = true;
- syncthing.enable = true;
- ssh = { enable = true; forwardX11 = true; };
- virtualization = { enable = true; nested = true; listenTCP = true; };
- kubernetes.enable = true;
- openshift.enable = true;
- tekton.enable = true;
- yubikey.enable = true;
- };
- virtualisation.podman.enable = true;
- virtualisation.containers = {
- enable = true;
- registries = {
- search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
- };
- policy = {
- default = [{ type = "insecureAcceptAnything"; }];
- transports = {
- docker-daemon = {
- "" = [{ type = "insecureAcceptAnything"; }];
- };
- };
- };
- };
- security = {
- sudo.extraConfig = ''
- %users ALL = (root) NOPASSWD: /home/vincent/.nix-profile/bin/kubernix
- '';
- pam.u2f.enable = true;
- };
- services = {
- xserver = {
- enable = true;
- displayManager.xpra = {
- enable = true;
- bindTcp = "0.0.0.0:10000";
- pulseaudio = true;
- extraOptions = [ "--video-scaling=0" "--min-quality=85" "--desktop-scaling=off" ];
- };
- };
- logind.extraConfig = ''
- HandleLidSwitch=ignore
- HandleLidSwitchExternalPower=ignore
- HandleLidSwitchDocked=ignore
- '';
- #syncthing.guiAddress = "${wireguard.ips.wakasu}:8384";
- syncthing.guiAddress = "0.0.0.0:8384";
- smartd = {
- enable = true;
- devices = [{ device = "/dev/nvme0n1"; }];
- };
- wireguard = {
- enable = true;
- ips = ips;
- endpoint = endpointIP;
- endpointPort = endpointPort;
- endpointPublicKey = endpointPublicKey;
- };
- };
- /*
- virtualisation.containers = {
- enable = true;
- registries = {
- search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
- };
- policy = {
- default = [{ type = "insecureAcceptAnything"; }];
- transports = {
- docker-daemon = {
- "" = [{ type = "insecureAcceptAnything"; }];
- };
- };
- };
- };
- */
-}