This commit is contained in:
Motiejus Jakštys 2023-11-27 18:17:27 +02:00
parent 896c5086d0
commit 8e78a31f20
9 changed files with 532 additions and 666 deletions

294
flake.nix
View File

@ -10,23 +10,35 @@
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nur.url = "github:nix-community/NUR";
zigpkgs.url = "github:mitchellh/zig-overlay";
zigpkgs.inputs.nixpkgs.follows = "nixpkgs";
zigpkgs.inputs.flake-utils.follows = "flake-utils";
zigpkgs.inputs.flake-compat.follows = "flake-compat";
zigpkgs = {
url = "github:mitchellh/zig-overlay";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
flake-compat.follows = "flake-compat";
};
};
home-manager.url = "github:nix-community/home-manager/release-23.05";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
agenix.inputs.home-manager.follows = "home-manager";
agenix.inputs.darwin.follows = "";
agenix = {
url = "github:ryantm/agenix";
inputs = {
nixpkgs.follows = "nixpkgs";
home-manager.follows = "home-manager";
darwin.follows = "";
};
};
deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.inputs.flake-compat.follows = "flake-compat";
deploy-rs.inputs.utils.follows = "flake-utils";
deploy-rs = {
url = "github:serokell/deploy-rs";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
utils.follows = "flake-utils";
};
};
nix-index-database.url = "github:Mic92/nix-index-database";
nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
@ -34,12 +46,16 @@
gitignore.url = "github:hercules-ci/gitignore.nix";
gitignore.inputs.nixpkgs.follows = "nixpkgs";
pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix";
pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
pre-commit-hooks.inputs.nixpkgs-stable.follows = "nixpkgs";
pre-commit-hooks.inputs.flake-compat.follows = "flake-compat";
pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
pre-commit-hooks.inputs.gitignore.follows = "gitignore";
pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix";
inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
flake-utils.follows = "flake-utils";
gitignore.follows = "gitignore";
};
};
};
nixConfig = {
@ -98,152 +114,164 @@
# specialArgs = {inherit myData;} // inputs;
#};
nixosConfigurations.vno1-oh2 = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
modules = [
{nixpkgs.overlays = mkOverlays system;}
./hosts/vno1-oh2/configuration.nix
nixosConfigurations = {
vno1-oh2 = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
modules = [
{nixpkgs.overlays = mkOverlays system;}
./hosts/vno1-oh2/configuration.nix
./modules
./modules
agenix.nixosModules.default
home-manager.nixosModules.home-manager
agenix.nixosModules.default
home-manager.nixosModules.home-manager
{
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
age.secrets.zfs-passphrase-fra1-a.file = ./secrets/fra1-a/zfs-passphrase.age;
{
age.secrets = {
motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
root-passwd-hash.file = ./secrets/root_passwd_hash.age;
zfs-passphrase-fra1-a.file = ./secrets/fra1-a/zfs-passphrase.age;
age.secrets.headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
age.secrets.borgbackup-password.file = ./secrets/vno1-oh2/borgbackup/password.age;
age.secrets.grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age;
age.secrets.letsencrypt-account-key.file = ./secrets/letsencrypt/account.key.age;
age.secrets.vaultwarden-secrets-env.file = ./secrets/vaultwarden/secrets.env.age;
headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
borgbackup-password.file = ./secrets/vno1-oh2/borgbackup/password.age;
grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age;
letsencrypt-account-key.file = ./secrets/letsencrypt/account.key.age;
vaultwarden-secrets-env.file = ./secrets/vaultwarden/secrets.env.age;
age.secrets.synapse-jakstys-signing-key.file = ./secrets/synapse/jakstys_lt_signing_key.age;
age.secrets.synapse-registration-shared-secret.file = ./secrets/synapse/registration_shared_secret.age;
age.secrets.synapse-macaroon-secret-key.file = ./secrets/synapse/macaroon_secret_key.age;
}
];
synapse-jakstys-signing-key.file = ./secrets/synapse/jakstys_lt_signing_key.age;
synapse-registration-shared-secret.file = ./secrets/synapse/registration_shared_secret.age;
synapse-macaroon-secret-key.file = ./secrets/synapse/macaroon_secret_key.age;
};
}
];
specialArgs = {inherit myData;} // inputs;
};
specialArgs = {inherit myData;} // inputs;
};
nixosConfigurations.fwminex = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
modules = [
{nixpkgs.overlays = mkOverlays system;}
./hosts/fwminex/configuration.nix
fwminex = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
modules = [
{nixpkgs.overlays = mkOverlays system;}
./hosts/fwminex/configuration.nix
./modules
./modules/profiles/desktop
./modules
./modules/profiles/desktop
nur.nixosModules.nur
agenix.nixosModules.default
home-manager.nixosModules.home-manager
nixos-hardware.nixosModules.framework-12th-gen-intel
nix-index-database.nixosModules.nix-index
nur.nixosModules.nur
agenix.nixosModules.default
home-manager.nixosModules.home-manager
nixos-hardware.nixosModules.framework-12th-gen-intel
nix-index-database.nixosModules.nix-index
{
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
}
];
{
age.secrets = {
motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
root-passwd-hash.file = ./secrets/root_passwd_hash.age;
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
};
}
];
specialArgs = {inherit myData;} // inputs;
};
specialArgs = {inherit myData;} // inputs;
};
nixosConfigurations.vno3-rp3b = nixpkgs.lib.nixosSystem rec {
system = "aarch64-linux";
modules = [
{nixpkgs.overlays = mkOverlays system;}
./hosts/vno3-rp3b/configuration.nix
vno3-rp3b = nixpkgs.lib.nixosSystem rec {
system = "aarch64-linux";
modules = [
{nixpkgs.overlays = mkOverlays system;}
./hosts/vno3-rp3b/configuration.nix
./modules
./modules
agenix.nixosModules.default
home-manager.nixosModules.home-manager
agenix.nixosModules.default
home-manager.nixosModules.home-manager
{
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
{
age.secrets = {
motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
root-passwd-hash.file = ./secrets/root_passwd_hash.age;
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
age.secrets.datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age;
}
];
datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age;
};
}
];
specialArgs = {inherit myData;} // inputs;
};
specialArgs = {inherit myData;} // inputs;
};
nixosConfigurations.fra1-a = nixpkgs.lib.nixosSystem rec {
system = "aarch64-linux";
modules = [
{nixpkgs.overlays = mkOverlays system;}
./hosts/fra1-a/configuration.nix
fra1-a = nixpkgs.lib.nixosSystem rec {
system = "aarch64-linux";
modules = [
{nixpkgs.overlays = mkOverlays system;}
./hosts/fra1-a/configuration.nix
./modules
./modules
agenix.nixosModules.default
home-manager.nixosModules.home-manager
agenix.nixosModules.default
home-manager.nixosModules.home-manager
{
age.secrets.zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
}
];
{
age.secrets = {
zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
root-passwd-hash.file = ./secrets/root_passwd_hash.age;
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
};
}
];
specialArgs = {inherit myData;} // inputs;
};
deploy.nodes.vno1-oh2 = {
hostname = myData.hosts."vno1-oh2.servers.jakst".jakstIP;
profiles = {
system = {
sshUser = "motiejus";
path =
deployPkgsIA64.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno1-oh2;
user = "root";
};
specialArgs = {inherit myData;} // inputs;
};
};
deploy.nodes.fwminex = {
hostname = myData.hosts."fwminex.motiejus.jakst".jakstIP;
profiles = {
system = {
sshUser = "motiejus";
path =
deployPkgsIA64.deploy-rs.lib.activate.nixos self.nixosConfigurations.fwminex;
user = "root";
deploy.nodes = {
vno1-oh2 = {
hostname = myData.hosts."vno1-oh2.servers.jakst".jakstIP;
profiles = {
system = {
sshUser = "motiejus";
path =
deployPkgsIA64.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno1-oh2;
user = "root";
};
};
};
};
deploy.nodes.vno3-rp3b = {
hostname = myData.hosts."vno3-rp3b.servers.jakst".jakstIP;
profiles = {
system = {
sshUser = "motiejus";
path =
deployPkgsArm64.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno3-rp3b;
user = "root";
fwminex = {
hostname = myData.hosts."fwminex.motiejus.jakst".jakstIP;
profiles = {
system = {
sshUser = "motiejus";
path =
deployPkgsIA64.deploy-rs.lib.activate.nixos self.nixosConfigurations.fwminex;
user = "root";
};
};
};
};
deploy.nodes.fra1-a = {
hostname = myData.hosts."fra1-a.servers.jakst".jakstIP;
profiles = {
system = {
sshUser = "motiejus";
path =
deployPkgsArm64.deploy-rs.lib.activate.nixos self.nixosConfigurations.fra1-a;
user = "root";
vno3-rp3b = {
hostname = myData.hosts."vno3-rp3b.servers.jakst".jakstIP;
profiles = {
system = {
sshUser = "motiejus";
path =
deployPkgsArm64.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno3-rp3b;
user = "root";
};
};
};
fra1-a = {
hostname = myData.hosts."fra1-a.servers.jakst".jakstIP;
profiles = {
system = {
sshUser = "motiejus";
path =
deployPkgsArm64.deploy-rs.lib.activate.nixos self.nixosConfigurations.fra1-a;
user = "root";
};
};
};
};

View File

@ -174,11 +174,13 @@
accountKey = config.age.secrets.letsencrypt-account-key.path;
in {
enable = true;
zones."irc.jakstys.lt".accountKey = accountKey;
zones."hdd.jakstys.lt".accountKey = accountKey;
zones."hass.jakstys.lt".accountKey = accountKey;
zones."grafana.jakstys.lt".accountKey = accountKey;
zones."bitwarden.jakstys.lt".accountKey = accountKey;
zones = {
"irc.jakstys.lt".accountKey = accountKey;
"hdd.jakstys.lt".accountKey = accountKey;
"hass.jakstys.lt".accountKey = accountKey;
"grafana.jakstys.lt".accountKey = accountKey;
"bitwarden.jakstys.lt".accountKey = accountKey;
};
};
deployerbot = {
@ -254,86 +256,88 @@
metrics
}
'';
virtualHosts."hass.jakstys.lt".extraConfig = ''
@denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied
reverse_proxy 127.0.0.1:8123
tls {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-key.pem
'';
virtualHosts."grafana.jakstys.lt".extraConfig = ''
@denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied
reverse_proxy 127.0.0.1:3000
tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
'';
virtualHosts."bitwarden.jakstys.lt".extraConfig = ''
@denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied
tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem
virtualHosts = {
"hass.jakstys.lt".extraConfig = ''
@denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied
reverse_proxy 127.0.0.1:8123
tls {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-key.pem
'';
"grafana.jakstys.lt".extraConfig = ''
@denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied
reverse_proxy 127.0.0.1:3000
tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
'';
"bitwarden.jakstys.lt".extraConfig = ''
@denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied
tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem
# from https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
encode gzip
header {
# Enable HTTP Strict Transport Security (HSTS)
Strict-Transport-Security "max-age=31536000;"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "SAMEORIGIN"
}
# from https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
encode gzip
header {
# Enable HTTP Strict Transport Security (HSTS)
Strict-Transport-Security "max-age=31536000;"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "SAMEORIGIN"
}
# deprecated from vaultwarden 1.29.0
reverse_proxy /notifications/hub 127.0.0.1:${toString myData.ports.vaultwarden_ws}
# deprecated from vaultwarden 1.29.0
reverse_proxy /notifications/hub 127.0.0.1:${toString myData.ports.vaultwarden_ws}
reverse_proxy 127.0.0.1:${toString myData.ports.vaultwarden} {
header_up X-Real-IP {remote_host}
}
'';
virtualHosts."www.jakstys.lt".extraConfig = ''
redir https://jakstys.lt
'';
virtualHosts."dl.jakstys.lt".extraConfig = ''
root * /var/www/dl
file_server browse {
hide .stfolder
}
encode gzip
'';
virtualHosts."jakstys.lt" = {
logFormat = ''
output file ${config.services.caddy.logDir}/access-jakstys.lt.log {
roll_disabled
reverse_proxy 127.0.0.1:${toString myData.ports.vaultwarden} {
header_up X-Real-IP {remote_host}
}
'';
extraConfig = ''
header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
header /_/* Cache-Control "public, max-age=31536000, immutable"
root * /var/www/jakstys.lt
file_server {
precompressed br gzip
}
@matrixMatch {
path /.well-known/matrix/client
path /.well-known/matrix/server
}
header @matrixMatch Content-Type application/json
header @matrixMatch Access-Control-Allow-Origin *
header @matrixMatch Cache-Control "public, max-age=3600, immutable"
handle /.well-known/matrix/client {
respond "{\"m.homeserver\": {\"base_url\": \"https://jakstys.lt\"}}" 200
}
handle /.well-known/matrix/server {
respond "{\"m.server\": \"jakstys.lt:443\"}" 200
}
handle /_matrix/* {
reverse_proxy http://127.0.0.1:${toString myData.ports.matrix-synapse}
}
"www.jakstys.lt".extraConfig = ''
redir https://jakstys.lt
'';
"dl.jakstys.lt".extraConfig = ''
root * /var/www/dl
file_server browse {
hide .stfolder
}
encode gzip
'';
"jakstys.lt" = {
logFormat = ''
output file ${config.services.caddy.logDir}/access-jakstys.lt.log {
roll_disabled
}
'';
extraConfig = ''
header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
header /_/* Cache-Control "public, max-age=31536000, immutable"
root * /var/www/jakstys.lt
file_server {
precompressed br gzip
}
@matrixMatch {
path /.well-known/matrix/client
path /.well-known/matrix/server
}
header @matrixMatch Content-Type application/json
header @matrixMatch Access-Control-Allow-Origin *
header @matrixMatch Cache-Control "public, max-age=3600, immutable"
handle /.well-known/matrix/client {
respond "{\"m.homeserver\": {\"base_url\": \"https://jakstys.lt\"}}" 200
}
handle /.well-known/matrix/server {
respond "{\"m.server\": \"jakstys.lt:443\"}" 200
}
handle /_matrix/* {
reverse_proxy http://127.0.0.1:${toString myData.ports.matrix-synapse}
}
'';
};
};
};

View File

@ -11,35 +11,42 @@
# imports = [(modulesPath + "/installer/scan/not-detected.nix")];
# as of 23.05 that is:
boot.initrd.availableKernelModules = ["usbhid"];
boot.initrd.kernelModules = ["vc4" "bcm2835_dma"];
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
boot.kernelModules = [];
boot.extraModulePackages = [];
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot = {
initrd = {
availableKernelModules = ["usbhid"];
kernelModules = ["vc4" "bcm2835_dma"];
};
loader = {
grub.enable = false;
generic-extlinux-compatible.enable = true;
};
boot.supportedFilesystems = ["zfs"];
boot.zfs.forceImportRoot = false;
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
kernelModules = [];
extraModulePackages = [];
supportedFilesystems = ["zfs"];
zfs.forceImportRoot = false;
};
powerManagement.cpuFreqGovernor = "ondemand";
fileSystems."/" = {
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
fsType = "ext4";
};
fileSystems."/data" = {
device = "datapool/root";
fsType = "zfs";
};
fileSystems."/data/borg" = {
device = "datapool/root/borg";
fsType = "zfs";
};
fileSystems."/data/shared" = {
device = "datapool/root/shared";
fsType = "zfs";
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
fsType = "ext4";
};
"/data" = {
device = "datapool/root";
fsType = "zfs";
};
"/data/borg" = {
device = "datapool/root/borg";
fsType = "zfs";
};
"/data/shared" = {
device = "datapool/root/shared";
fsType = "zfs";
};
};
swapDevices = [];

View File

@ -8,8 +8,10 @@
services.blueman.enable = true;
services.udev.packages = [pkgs.yubikey-personalization];
programs.firefox.enable = true;
programs.wireshark.enable = true;
programs = {
firefox.enable = true;
wireshark.enable = true;
};
mj.base.users.passwd.motiejus.extraGroups = ["adbusers" "networkmanager" "wireshark"];
@ -191,28 +193,30 @@
};
};
services.cbatticon.enable = true;
services.blueman-applet.enable = true;
services = {
cbatticon.enable = true;
blueman-applet.enable = true;
services.syncthing.tray = {
enable = true;
#extraOptions = ["--wait"];
};
syncthing.tray = {
enable = true;
#extraOptions = ["--wait"];
};
services.pasystray = {
enable = true;
extraOptions = ["--key-grabbing" "--notify=all"];
};
pasystray = {
enable = true;
extraOptions = ["--key-grabbing" "--notify=all"];
};
services.gpg-agent = {
enable = true;
enableSshSupport = true;
};
gpg-agent = {
enable = true;
enableSshSupport = true;
};
services.screen-locker = {
enable = true;
xautolock.enable = false;
lockCmd = ''${pkgs.bash}/bin/bash -c "${pkgs.coreutils}/bin/sleep 0.2; ${pkgs.xorg.xset}/bin/xset dpms force off; /run/wrappers/bin/slock"'';
screen-locker = {
enable = true;
xautolock.enable = false;
lockCmd = ''${pkgs.bash}/bin/bash -c "${pkgs.coreutils}/bin/sleep 0.2; ${pkgs.xorg.xset}/bin/xset dpms force off; /run/wrappers/bin/slock"'';
};
};
# https://github.com/nix-community/home-manager/issues/2064

View File

@ -16,60 +16,62 @@ in {
};
config = lib.mkIf cfg.enable {
services.caddy = {
enable = true;
virtualHosts.":80".extraConfig = with myData.subnets; ''
root * ${cfg.dataDir}
@denied not remote_ip ${vno1.cidr} ${vno3.cidr} ${tailscale.cidr}
file_server browse {
hide .stfolder
}
encode gzip
'';
};
services.samba = {
# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
enable = true;
securityType = "user";
enableNmbd = false;
enableWinbindd = false;
extraConfig = ''
map to guest = Bad User
guest account = jakstpub
server role = standalone server
'';
shares = let
defaults = {
"public" = "yes";
"mangled names" = "no";
"guest ok" = "yes";
"force user" = "jakstpub";
"force group" = "jakstpub";
};
in {
public =
defaults
// {
"path" = cfg.dataDir;
"writeable" = "yes";
"read only" = "no";
"create mask" = "0664";
"directory mask" = "0775";
};
snapshots =
defaults
// {
"path" = cfg.dataDir + "/.zfs/snapshot";
"writeable" = "no";
"read only" = "yes";
};
services = {
caddy = {
enable = true;
virtualHosts.":80".extraConfig = with myData.subnets; ''
root * ${cfg.dataDir}
@denied not remote_ip ${vno1.cidr} ${vno3.cidr} ${tailscale.cidr}
file_server browse {
hide .stfolder
}
encode gzip
'';
};
};
services.samba-wsdd = {
enable = true;
inherit (cfg) hostname;
samba = {
# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
enable = true;
securityType = "user";
enableNmbd = false;
enableWinbindd = false;
extraConfig = ''
map to guest = Bad User
guest account = jakstpub
server role = standalone server
'';
shares = let
defaults = {
"public" = "yes";
"mangled names" = "no";
"guest ok" = "yes";
"force user" = "jakstpub";
"force group" = "jakstpub";
};
in {
public =
defaults
// {
"path" = cfg.dataDir;
"writeable" = "yes";
"read only" = "no";
"create mask" = "0664";
"directory mask" = "0775";
};
snapshots =
defaults
// {
"path" = cfg.dataDir + "/.zfs/snapshot";
"writeable" = "no";
"read only" = "yes";
};
};
};
samba-wsdd = {
enable = true;
inherit (cfg) hostname;
};
};
users.users.jakstpub = {

View File

@ -92,112 +92,114 @@ in {
zonefile: "/var/lib/nsd/acmezones/%s.zone"
'';
systemd.tmpfiles.rules = ["d /var/lib/nsd/acmezones 0755 nsd nsd -"];
systemd = {
tmpfiles.rules = ["d /var/lib/nsd/acmezones 0755 nsd nsd -"];
systemd.services =
{
nsd-control-setup = {
requiredBy = ["nsd.service"];
before = ["nsd.service"];
unitConfig.ConditionPathExists = let
rc = config.services.nsd.remoteControl;
in [
"|!${rc.controlKeyFile}"
"|!${rc.controlCertFile}"
"|!${rc.serverKeyFile}"
"|!${rc.serverCertFile}"
];
serviceConfig = {
Type = "oneshot";
UMask = 0077;
};
script = ''
${pkgs.nsd}/bin/nsd-control-setup
chown nsd:nsd /etc/nsd/nsd_{control,server}.{key,pem}
'';
path = [pkgs.openssl];
};
}
// lib.mapAttrs'
(
zone: cfg:
lib.nameValuePair "nsd-acme-${zone}" {
description = "dns-01 acme update for ${zone}";
path = [pkgs.openssh pkgs.nsd];
preStart = ''
mkdir -p "$STATE_DIRECTORY/private"
ln -sf "$CREDENTIALS_DIRECTORY/letsencrypt-account-key" \
"$STATE_DIRECTORY/private/key.pem"
'';
services =
{
nsd-control-setup = {
requiredBy = ["nsd.service"];
before = ["nsd.service"];
unitConfig.ConditionPathExists = let
rc = config.services.nsd.remoteControl;
in [
"|!${rc.controlKeyFile}"
"|!${rc.controlCertFile}"
"|!${rc.serverKeyFile}"
"|!${rc.serverCertFile}"
];
serviceConfig = {
ExecStart = let
hook = mkHook zone;
days = builtins.toString cfg.days;
in "${pkgs.uacme}/bin/uacme -c \${STATE_DIRECTORY} --verbose --days ${days} --hook ${hook} ${lib.optionalString cfg.staging "--staging"} issue ${zone}";
UMask = "0022";
User = "nsd";
Group = "nsd";
StateDirectory = "nsd-acme/${zone}";
LoadCredential = ["letsencrypt-account-key:${cfg.accountKey}"];
ReadWritePaths = ["/var/lib/nsd/acmezones"];
SuccessExitStatus = [0 1];
# from nixos/modules/security/acme/default.nix
ProtectSystem = "strict";
PrivateTmp = true;
CapabilityBoundingSet = [""];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RemoveIPC = true;
# "cannot get devices"
#RestrictAddressFamilies = [
# "AF_INET"
# "AF_INET6"
#];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
# 1. allow a reasonable set of syscalls
"@system-service @resources"
# 2. and deny unreasonable ones
"~@privileged"
# 3. then allow the required subset within denied groups
"@chown"
];
Type = "oneshot";
UMask = 0077;
};
}
)
cfg.zones;
script = ''
${pkgs.nsd}/bin/nsd-control-setup
chown nsd:nsd /etc/nsd/nsd_{control,server}.{key,pem}
'';
path = [pkgs.openssl];
};
}
// lib.mapAttrs'
(
zone: cfg:
lib.nameValuePair "nsd-acme-${zone}" {
description = "dns-01 acme update for ${zone}";
path = [pkgs.openssh pkgs.nsd];
preStart = ''
mkdir -p "$STATE_DIRECTORY/private"
ln -sf "$CREDENTIALS_DIRECTORY/letsencrypt-account-key" \
"$STATE_DIRECTORY/private/key.pem"
'';
serviceConfig = {
ExecStart = let
hook = mkHook zone;
days = builtins.toString cfg.days;
in "${pkgs.uacme}/bin/uacme -c \${STATE_DIRECTORY} --verbose --days ${days} --hook ${hook} ${lib.optionalString cfg.staging "--staging"} issue ${zone}";
systemd.timers =
lib.mapAttrs'
(
zone: _:
lib.nameValuePair "nsd-acme-${zone}" {
description = "nsd-acme for zone ${zone}";
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "*-*-* 01:30";
};
after = ["network-online.target"];
}
)
cfg.zones;
UMask = "0022";
User = "nsd";
Group = "nsd";
StateDirectory = "nsd-acme/${zone}";
LoadCredential = ["letsencrypt-account-key:${cfg.accountKey}"];
ReadWritePaths = ["/var/lib/nsd/acmezones"];
SuccessExitStatus = [0 1];
# from nixos/modules/security/acme/default.nix
ProtectSystem = "strict";
PrivateTmp = true;
CapabilityBoundingSet = [""];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RemoveIPC = true;
# "cannot get devices"
#RestrictAddressFamilies = [
# "AF_INET"
# "AF_INET6"
#];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
# 1. allow a reasonable set of syscalls
"@system-service @resources"
# 2. and deny unreasonable ones
"~@privileged"
# 3. then allow the required subset within denied groups
"@chown"
];
};
}
)
cfg.zones;
timers =
lib.mapAttrs'
(
zone: _:
lib.nameValuePair "nsd-acme-${zone}" {
description = "nsd-acme for zone ${zone}";
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "*-*-* 01:30";
};
after = ["network-online.target"];
}
)
cfg.zones;
};
mj.base.unitstatus.units =
lib.mkIf config.mj.base.unitstatus.enable

View File

@ -121,7 +121,6 @@ in {
in "${jakstIP}:${guiPortStr}";
extraOptions.gui.insecureAdminAccess = true;
devices =
{}
// (lib.optionalAttrs (config.networking.hostName == "vno1-oh2") {
@ -149,7 +148,6 @@ in {
;
})
// {};
folders = with folders;
{}
// (

View File

@ -40,82 +40,83 @@
else []
);
programs.direnv.enable = true;
programs = {
direnv.enable = true;
programs.neovim = lib.mkMerge [
{
enable = true;
vimAlias = true;
vimdiffAlias = true;
defaultEditor = true;
plugins = with pkgs.vimPlugins;
[
fugitive
]
++ (
if devEnvironment
then [
vim-go
zig-vim
vim-vsnip
cmp-nvim-lsp
nvim-cmp
nvim-metals
plenary-nvim
neovim = lib.mkMerge [
{
enable = true;
vimAlias = true;
vimdiffAlias = true;
defaultEditor = true;
plugins = with pkgs.vimPlugins;
[
fugitive
]
else []
);
extraConfig = builtins.readFile ./vimrc;
}
(lib.mkIf devEnvironment {
extraLuaConfig =
builtins.readFile
(pkgs.substituteAll {
src = ./dev.lua;
javaHome = pkgs.jdk.home;
inherit (pkgs) metals;
inherit (pkgs) gotools;
})
.outPath;
})
];
++ (
if devEnvironment
then [
vim-go
programs.git = {
package = pkgs.pkgs-unstable.git;
enable = true;
userEmail = email;
userName = "Motiejus Jakštys";
aliases.yolo = "commit --amend --no-edit -a";
extraConfig = {
rerere.enabled = true;
pull.ff = "only";
merge.conflictstyle = "diff3";
init.defaultBranch = "main";
zig-vim
vim-vsnip
cmp-nvim-lsp
nvim-cmp
nvim-metals
plenary-nvim
]
else []
);
extraConfig = builtins.readFile ./vimrc;
}
(lib.mkIf devEnvironment {
extraLuaConfig =
builtins.readFile
(pkgs.substituteAll {
src = ./dev.lua;
javaHome = pkgs.jdk.home;
inherit (pkgs) metals;
inherit (pkgs) gotools;
})
.outPath;
})
];
git = {
enable = true;
userEmail = email;
userName = "Motiejus Jakštys";
aliases.yolo = "commit --amend --no-edit -a";
extraConfig = {
rerere.enabled = true;
pull.ff = "only";
merge.conflictstyle = "diff3";
init.defaultBranch = "main";
};
};
gpg = {
enable = true;
mutableKeys = false;
mutableTrust = false;
publicKeys = [
{
source = ./motiejus-gpg.txt;
trust = "ultimate";
}
];
};
tmux = {
enable = true;
keyMode = "vi";
historyLimit = 1000000;
extraConfig = ''
bind c new-window -c "#{pane_current_path}"
bind % split-window -h -c "#{pane_current_path}"
bind '"' split-window -v -c "#{pane_current_path}"
'';
};
};
programs.gpg = {
enable = true;
mutableKeys = false;
mutableTrust = false;
publicKeys = [
{
source = ./motiejus-gpg.txt;
trust = "ultimate";
}
];
};
programs.tmux = {
enable = true;
keyMode = "vi";
historyLimit = 1000000;
extraConfig = ''
bind c new-window -c "#{pane_current_path}"
bind % split-window -h -c "#{pane_current_path}"
bind '"' split-window -v -c "#{pane_current_path}"
'';
};
}

View File

@ -1,180 +0,0 @@
let
configuration = {
config,
lib,
pkgs,
...
}:
with pkgs; let
src = fetchGit "https://github.com/drduh/YubiKey-Guide";
guide = "${src}/README.md";
contrib = "${src}/contrib";
drduhConfig = fetchGit "https://github.com/drduh/config";
gpg-conf = "${drduhConfig}/gpg.conf";
xserverCfg = config.services.xserver;
pinentryFlavour =
if xserverCfg.desktopManager.lxqt.enable || xserverCfg.desktopManager.plasma5.enable
then "qt"
else if xserverCfg.desktopManager.xfce.enable
then "gtk2"
else if xserverCfg.enable || config.programs.sway.enable
then "gnome3"
else "curses";
# Instead of hard-coding the pinentry program, chose the appropriate one
# based on the environment of the image the user has chosen to build.
gpg-agent-conf = runCommand "gpg-agent.conf" {} ''
sed '/pinentry-program/d' ${drduhConfig}/gpg-agent.conf > $out
echo "pinentry-program ${pinentry.${pinentryFlavour}}/bin/pinentry" >> $out
'';
view-yubikey-guide = writeShellScriptBin "view-yubikey-guide" ''
viewer="$(type -P xdg-open || true)"
if [ -z "$viewer" ]; then
viewer="${glow}/bin/glow -p"
fi
exec $viewer "${guide}"
'';
shortcut = makeDesktopItem {
name = "yubikey-guide";
icon = "${yubikey-manager-qt}/share/ykman-gui/icons/ykman.png";
desktopName = "drduh's YubiKey Guide";
genericName = "Guide to using YubiKey for GPG and SSH";
comment = "Open the guide in a reader program";
categories = ["Documentation"];
exec = "${view-yubikey-guide}/bin/view-yubikey-guide";
};
yubikey-guide = symlinkJoin {
name = "yubikey-guide";
paths = [view-yubikey-guide shortcut];
};
in {
nixpkgs.config = {allowBroken = true;};
isoImage.isoBaseName = lib.mkForce "nixos-yubikey";
# Uncomment this to disable compression and speed up image creation time
isoImage.squashfsCompression = "gzip -Xcompression-level 1";
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
# Always copytoram so that, if the image is booted from, e.g., a
# USB stick, nothing is mistakenly written to persistent storage.
boot.kernelParams = ["copytoram"];
# Secure defaults
boot.cleanTmpDir = true;
boot.kernel.sysctl = {"kernel.unprivileged_bpf_disabled" = 1;};
services.pcscd.enable = true;
services.udev.packages = [yubikey-personalization];
programs = {
ssh.startAgent = false;
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
environment.systemPackages = [
# Tools for backing up keys
paperkey
pgpdump
parted
cryptsetup
# Yubico's official tools
yubikey-manager
yubikey-manager-qt
yubikey-personalization
yubikey-personalization-gui
yubico-piv-tool
yubioath-flutter
# Testing
ent
# does not compile as of 2023-07-20
#(haskell.lib.justStaticExecutables haskellPackages.hopenpgp-tools)
# Password generation tools
diceware
pwgen
# Miscellaneous tools that might be useful beyond the scope of the guide
cfssl
pcsctools
# This guide itself (run `view-yubikey-guide` on the terminal to open it
# in a non-graphical environment).
yubikey-guide
# motiejus addons
rage
sops
tmux
ssh-to-age
age-plugin-yubikey
];
# Disable networking so the system is air-gapped
# Comment all of these lines out if you'll need internet access
boot.initrd.network.enable = false;
networking.dhcpcd.enable = false;
networking.dhcpcd.allowInterfaces = [];
networking.interfaces = {};
networking.firewall.enable = true;
networking.useDHCP = false;
networking.useNetworkd = false;
networking.wireless.enable = false;
networking.networkmanager.enable = lib.mkForce false;
# Unset history so it's never stored
# Set GNUPGHOME to an ephemeral location and configure GPG with the
# guide's recommended settings.
environment.interactiveShellInit = ''
unset HISTFILE
export GNUPGHOME="/run/user/$(id -