From 8e78a31f2046ed617a930894b24a85e06099a664 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= Date: Mon, 27 Nov 2023 18:17:27 +0200 Subject: [PATCH] statix --- flake.nix | 294 ++++++++++++++----------- hosts/vno1-oh2/configuration.nix | 162 +++++++------- hosts/vno3-rp3b/configuration.nix | 57 ++--- modules/profiles/desktop/default.nix | 44 ++-- modules/services/jakstpub/default.nix | 106 ++++----- modules/services/nsd-acme/default.nix | 206 ++++++++--------- modules/services/syncthing/default.nix | 2 - shared/home/default.nix | 147 +++++++------ yubikey-installer.nix | 180 --------------- 9 files changed, 532 insertions(+), 666 deletions(-) delete mode 100644 yubikey-installer.nix diff --git a/flake.nix b/flake.nix index a09f947..7f0c22e 100644 --- a/flake.nix +++ b/flake.nix 
@@ -10,23 +10,35 @@ nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nur.url = "github:nix-community/NUR"; - zigpkgs.url = "github:mitchellh/zig-overlay"; - zigpkgs.inputs.nixpkgs.follows = "nixpkgs"; - zigpkgs.inputs.flake-utils.follows = "flake-utils"; - zigpkgs.inputs.flake-compat.follows = "flake-compat"; + zigpkgs = { + url = "github:mitchellh/zig-overlay"; + inputs = { + nixpkgs.follows = "nixpkgs"; + flake-utils.follows = "flake-utils"; + flake-compat.follows = "flake-compat"; + }; + }; home-manager.url = "github:nix-community/home-manager/release-23.05"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; - agenix.url = "github:ryantm/agenix"; - agenix.inputs.nixpkgs.follows = "nixpkgs"; - agenix.inputs.home-manager.follows = "home-manager"; - agenix.inputs.darwin.follows = ""; + agenix = { + url = "github:ryantm/agenix"; + inputs = { + nixpkgs.follows = "nixpkgs"; + home-manager.follows = "home-manager"; + darwin.follows = ""; + }; + }; - deploy-rs.url = "github:serokell/deploy-rs"; - deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; - deploy-rs.inputs.flake-compat.follows = "flake-compat"; - deploy-rs.inputs.utils.follows = "flake-utils"; + deploy-rs = { + url = "github:serokell/deploy-rs"; + inputs = { + nixpkgs.follows = "nixpkgs"; + flake-compat.follows = "flake-compat"; + utils.follows = "flake-utils"; + }; + }; nix-index-database.url = "github:Mic92/nix-index-database"; nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; 
@@ -34,12 +46,16 @@ gitignore.url = "github:hercules-ci/gitignore.nix"; gitignore.inputs.nixpkgs.follows = "nixpkgs"; - pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix"; - pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs"; - pre-commit-hooks.inputs.nixpkgs-stable.follows = "nixpkgs"; - pre-commit-hooks.inputs.flake-compat.follows = "flake-compat"; - pre-commit-hooks.inputs.flake-utils.follows = "flake-utils"; - pre-commit-hooks.inputs.gitignore.follows = "gitignore"; + pre-commit-hooks = { + url = "github:cachix/pre-commit-hooks.nix"; + inputs = { + nixpkgs.follows = "nixpkgs"; + nixpkgs-stable.follows = "nixpkgs"; + flake-compat.follows = "flake-compat"; + flake-utils.follows = "flake-utils"; + gitignore.follows = "gitignore"; + }; + }; }; nixConfig = { 
@@ -98,152 +114,164 @@ # specialArgs = {inherit myData;} // inputs; #}; - nixosConfigurations.vno1-oh2 = nixpkgs.lib.nixosSystem rec { - system = "x86_64-linux"; - modules = [ - {nixpkgs.overlays = mkOverlays system;} - ./hosts/vno1-oh2/configuration.nix + nixosConfigurations = { + vno1-oh2 = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + modules = [ + {nixpkgs.overlays = mkOverlays system;} + ./hosts/vno1-oh2/configuration.nix - ./modules + ./modules - agenix.nixosModules.default - home-manager.nixosModules.home-manager + agenix.nixosModules.default + home-manager.nixosModules.home-manager - { - age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; - age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age; - age.secrets.zfs-passphrase-fra1-a.file = ./secrets/fra1-a/zfs-passphrase.age; + { + age.secrets = { + motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; + root-passwd-hash.file = ./secrets/root_passwd_hash.age; + zfs-passphrase-fra1-a.file = ./secrets/fra1-a/zfs-passphrase.age; - age.secrets.headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age; - age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; - age.secrets.borgbackup-password.file = ./secrets/vno1-oh2/borgbackup/password.age; - age.secrets.grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age; - age.secrets.letsencrypt-account-key.file = ./secrets/letsencrypt/account.key.age; - age.secrets.vaultwarden-secrets-env.file = ./secrets/vaultwarden/secrets.env.age; + headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age; + sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; + borgbackup-password.file = ./secrets/vno1-oh2/borgbackup/password.age; + grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age; + letsencrypt-account-key.file = ./secrets/letsencrypt/account.key.age; + vaultwarden-secrets-env.file = ./secrets/vaultwarden/secrets.env.age; - age.secrets.synapse-jakstys-signing-key.file = 
./secrets/synapse/jakstys_lt_signing_key.age; - age.secrets.synapse-registration-shared-secret.file = ./secrets/synapse/registration_shared_secret.age; - age.secrets.synapse-macaroon-secret-key.file = ./secrets/synapse/macaroon_secret_key.age; - } - ]; + synapse-jakstys-signing-key.file = ./secrets/synapse/jakstys_lt_signing_key.age; + synapse-registration-shared-secret.file = ./secrets/synapse/registration_shared_secret.age; + synapse-macaroon-secret-key.file = ./secrets/synapse/macaroon_secret_key.age; + }; + } + ]; - specialArgs = {inherit myData;} // inputs; - }; + specialArgs = {inherit myData;} // inputs; + }; - nixosConfigurations.fwminex = nixpkgs.lib.nixosSystem rec { - system = "x86_64-linux"; - modules = [ - {nixpkgs.overlays = mkOverlays system;} - ./hosts/fwminex/configuration.nix + fwminex = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + modules = [ + {nixpkgs.overlays = mkOverlays system;} + ./hosts/fwminex/configuration.nix - ./modules - ./modules/profiles/desktop + ./modules + ./modules/profiles/desktop - nur.nixosModules.nur - agenix.nixosModules.default - home-manager.nixosModules.home-manager - nixos-hardware.nixosModules.framework-12th-gen-intel - nix-index-database.nixosModules.nix-index + nur.nixosModules.nur + agenix.nixosModules.default + home-manager.nixosModules.home-manager + nixos-hardware.nixosModules.framework-12th-gen-intel + nix-index-database.nixosModules.nix-index - { - age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; - age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age; - age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; - } - ]; + { + age.secrets = { + motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; + root-passwd-hash.file = ./secrets/root_passwd_hash.age; + sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; + }; + } + ]; - specialArgs = {inherit myData;} // inputs; - }; + specialArgs = {inherit myData;} // inputs; + }; - 
nixosConfigurations.vno3-rp3b = nixpkgs.lib.nixosSystem rec { - system = "aarch64-linux"; - modules = [ - {nixpkgs.overlays = mkOverlays system;} - ./hosts/vno3-rp3b/configuration.nix + vno3-rp3b = nixpkgs.lib.nixosSystem rec { + system = "aarch64-linux"; + modules = [ + {nixpkgs.overlays = mkOverlays system;} + ./hosts/vno3-rp3b/configuration.nix - ./modules + ./modules - agenix.nixosModules.default - home-manager.nixosModules.home-manager + agenix.nixosModules.default + home-manager.nixosModules.home-manager - { - age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; - age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age; - age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; + { + age.secrets = { + motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; + root-passwd-hash.file = ./secrets/root_passwd_hash.age; + sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; - age.secrets.datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age; - } - ]; + datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age; + }; + } + ]; - specialArgs = {inherit myData;} // inputs; - }; + specialArgs = {inherit myData;} // inputs; + }; - nixosConfigurations.fra1-a = nixpkgs.lib.nixosSystem rec { - system = "aarch64-linux"; - modules = [ - {nixpkgs.overlays = mkOverlays system;} - ./hosts/fra1-a/configuration.nix + fra1-a = nixpkgs.lib.nixosSystem rec { + system = "aarch64-linux"; + modules = [ + {nixpkgs.overlays = mkOverlays system;} + ./hosts/fra1-a/configuration.nix - ./modules + ./modules - agenix.nixosModules.default - home-manager.nixosModules.home-manager + agenix.nixosModules.default + home-manager.nixosModules.home-manager - { - age.secrets.zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age; - age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; - age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age; - age.secrets.sasl-passwd.file = 
./secrets/postfix_sasl_passwd.age; - } - ]; + { + age.secrets = { + zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age; + motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; + root-passwd-hash.file = ./secrets/root_passwd_hash.age; + sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; + }; + } + ]; - specialArgs = {inherit myData;} // inputs; - }; - - deploy.nodes.vno1-oh2 = { - hostname = myData.hosts."vno1-oh2.servers.jakst".jakstIP; - profiles = { - system = { - sshUser = "motiejus"; - path = - deployPkgsIA64.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno1-oh2; - user = "root"; - }; + specialArgs = {inherit myData;} // inputs; }; }; - deploy.nodes.fwminex = { - hostname = myData.hosts."fwminex.motiejus.jakst".jakstIP; - profiles = { - system = { - sshUser = "motiejus"; - path = - deployPkgsIA64.deploy-rs.lib.activate.nixos self.nixosConfigurations.fwminex; - user = "root"; + deploy.nodes = { + vno1-oh2 = { + hostname = myData.hosts."vno1-oh2.servers.jakst".jakstIP; + profiles = { + system = { + sshUser = "motiejus"; + path = + deployPkgsIA64.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno1-oh2; + user = "root"; + }; }; }; - }; - deploy.nodes.vno3-rp3b = { - hostname = myData.hosts."vno3-rp3b.servers.jakst".jakstIP; - profiles = { - system = { - sshUser = "motiejus"; - path = - deployPkgsArm64.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno3-rp3b; - user = "root"; + fwminex = { + hostname = myData.hosts."fwminex.motiejus.jakst".jakstIP; + profiles = { + system = { + sshUser = "motiejus"; + path = + deployPkgsIA64.deploy-rs.lib.activate.nixos self.nixosConfigurations.fwminex; + user = "root"; + }; }; }; - }; - deploy.nodes.fra1-a = { - hostname = myData.hosts."fra1-a.servers.jakst".jakstIP; - profiles = { - system = { - sshUser = "motiejus"; - path = - deployPkgsArm64.deploy-rs.lib.activate.nixos self.nixosConfigurations.fra1-a; - user = "root"; + vno3-rp3b = { + hostname = 
myData.hosts."vno3-rp3b.servers.jakst".jakstIP; + profiles = { + system = { + sshUser = "motiejus"; + path = + deployPkgsArm64.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno3-rp3b; + user = "root"; + }; + }; + }; + + fra1-a = { + hostname = myData.hosts."fra1-a.servers.jakst".jakstIP; + profiles = { + system = { + sshUser = "motiejus"; + path = + deployPkgsArm64.deploy-rs.lib.activate.nixos self.nixosConfigurations.fra1-a; + user = "root"; + }; }; }; }; diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix index 7027e5c..ba7211b 100644 --- a/hosts/vno1-oh2/configuration.nix +++ b/hosts/vno1-oh2/configuration.nix @@ -174,11 +174,13 @@ accountKey = config.age.secrets.letsencrypt-account-key.path; in { enable = true; - zones."irc.jakstys.lt".accountKey = accountKey; - zones."hdd.jakstys.lt".accountKey = accountKey; - zones."hass.jakstys.lt".accountKey = accountKey; - zones."grafana.jakstys.lt".accountKey = accountKey; - zones."bitwarden.jakstys.lt".accountKey = accountKey; + zones = { + "irc.jakstys.lt".accountKey = accountKey; + "hdd.jakstys.lt".accountKey = accountKey; + "hass.jakstys.lt".accountKey = accountKey; + "grafana.jakstys.lt".accountKey = accountKey; + "bitwarden.jakstys.lt".accountKey = accountKey; + }; }; deployerbot = { 
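Review bot: The four `deploy.nodes` entries at the end of the hunk repeat the same `sshUser = "motiejus"` / `user = "root"` profile and differ only in the `myData.hosts` key, the deploy-rs package set and the configuration name, so the privilege-relevant pair (deploy logs in as motiejus, activates as root) now lives in four places to audit. A small helper next to `deployPkgsIA64`/`deployPkgsArm64` in the outputs `let` (outside this hunk) would give it one definition, and the three secrets every host declares (`motiejus-passwd-hash`, `root-passwd-hash`, `sasl-passwd`) could likewise move into `./modules`, which all four configurations already import. The cross-host ZFS passphrases (`zfs-passphrase-fra1-a` on vno1-oh2, `zfs-passphrase-vno1-oh2` on fra1-a) also deserve a one-line comment on why each host holds the other's passphrase, e.g. `# held so this host can unlock the peer's pool remotely — confirm`, since nothing in the hunk says so.
```nix
# in the outputs `let`, next to deployPkgsIA64 / deployPkgsArm64:
mkDeploy = deployPkgs: name: hostKey: {
  hostname = myData.hosts.${hostKey}.jakstIP;
  profiles.system = {
    sshUser = "motiejus";
    user = "root";
    path = deployPkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.${name};
  };
};

# … unchanged: nixosConfigurations …

deploy.nodes = {
  vno1-oh2 = mkDeploy deployPkgsIA64 "vno1-oh2" "vno1-oh2.servers.jakst";
  fwminex = mkDeploy deployPkgsIA64 "fwminex" "fwminex.motiejus.jakst";
  vno3-rp3b = mkDeploy deployPkgsArm64 "vno3-rp3b" "vno3-rp3b.servers.jakst";
  fra1-a = mkDeploy deployPkgsArm64 "fra1-a" "fra1-a.servers.jakst";
};
```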
@@ -254,86 +256,88 @@ metrics } ''; - virtualHosts."hass.jakstys.lt".extraConfig = '' - @denied not remote_ip ${myData.subnets.tailscale.cidr} - abort @denied - reverse_proxy 127.0.0.1:8123 - tls {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-key.pem - ''; - virtualHosts."grafana.jakstys.lt".extraConfig = '' - @denied not remote_ip ${myData.subnets.tailscale.cidr} - abort @denied - reverse_proxy 127.0.0.1:3000 - tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem - ''; - virtualHosts."bitwarden.jakstys.lt".extraConfig = '' - @denied not remote_ip ${myData.subnets.tailscale.cidr} - abort @denied - tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem + virtualHosts = { + "hass.jakstys.lt".extraConfig = '' + @denied not remote_ip ${myData.subnets.tailscale.cidr} + abort @denied + reverse_proxy 127.0.0.1:8123 + tls {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-key.pem + ''; + "grafana.jakstys.lt".extraConfig = '' + @denied not remote_ip ${myData.subnets.tailscale.cidr} + abort @denied + reverse_proxy 127.0.0.1:3000 + tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem + ''; + "bitwarden.jakstys.lt".extraConfig = '' + @denied not remote_ip ${myData.subnets.tailscale.cidr} + abort @denied + tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem - # from https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples - encode gzip - header { - # Enable HTTP Strict Transport Security (HSTS) - Strict-Transport-Security "max-age=31536000;" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "SAMEORIGIN" - } 
+ # from https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples + encode gzip + header { + # Enable HTTP Strict Transport Security (HSTS) + Strict-Transport-Security "max-age=31536000;" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "SAMEORIGIN" + } - # deprecated from vaultwarden 1.29.0 - reverse_proxy /notifications/hub 127.0.0.1:${toString myData.ports.vaultwarden_ws} + # deprecated from vaultwarden 1.29.0 + reverse_proxy /notifications/hub 127.0.0.1:${toString myData.ports.vaultwarden_ws} - reverse_proxy 127.0.0.1:${toString myData.ports.vaultwarden} { - header_up X-Real-IP {remote_host} - } - ''; - virtualHosts."www.jakstys.lt".extraConfig = '' - redir https://jakstys.lt - ''; - virtualHosts."dl.jakstys.lt".extraConfig = '' - root * /var/www/dl - file_server browse { - hide .stfolder - } - encode gzip - ''; - virtualHosts."jakstys.lt" = { - logFormat = '' - output file ${config.services.caddy.logDir}/access-jakstys.lt.log { - roll_disabled + reverse_proxy 127.0.0.1:${toString myData.ports.vaultwarden} { + header_up X-Real-IP {remote_host} } ''; - extraConfig = '' - header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - - header /_/* Cache-Control "public, max-age=31536000, immutable" - - root * /var/www/jakstys.lt - file_server { - precompressed br gzip - } - - @matrixMatch { - path /.well-known/matrix/client - path /.well-known/matrix/server - } - header @matrixMatch Content-Type application/json - header @matrixMatch Access-Control-Allow-Origin * - header @matrixMatch Cache-Control "public, max-age=3600, immutable" - - handle /.well-known/matrix/client { - respond "{\"m.homeserver\": {\"base_url\": \"https://jakstys.lt\"}}" 200 - } - handle /.well-known/matrix/server { - respond "{\"m.server\": \"jakstys.lt:443\"}" 200 - } - - handle /_matrix/* { - reverse_proxy 
http://127.0.0.1:${toString myData.ports.matrix-synapse} - } + "www.jakstys.lt".extraConfig = '' + redir https://jakstys.lt ''; + "dl.jakstys.lt".extraConfig = '' + root * /var/www/dl + file_server browse { + hide .stfolder + } + encode gzip + ''; + "jakstys.lt" = { + logFormat = '' + output file ${config.services.caddy.logDir}/access-jakstys.lt.log { + roll_disabled + } + ''; + extraConfig = '' + header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + + header /_/* Cache-Control "public, max-age=31536000, immutable" + + root * /var/www/jakstys.lt + file_server { + precompressed br gzip + } + + @matrixMatch { + path /.well-known/matrix/client + path /.well-known/matrix/server + } + header @matrixMatch Content-Type application/json + header @matrixMatch Access-Control-Allow-Origin * + header @matrixMatch Cache-Control "public, max-age=3600, immutable" + + handle /.well-known/matrix/client { + respond "{\"m.homeserver\": {\"base_url\": \"https://jakstys.lt\"}}" 200 + } + handle /.well-known/matrix/server { + respond "{\"m.server\": \"jakstys.lt:443\"}" 200 + } + + handle /_matrix/* { + reverse_proxy http://127.0.0.1:${toString myData.ports.matrix-synapse} + } + ''; + }; }; }; diff --git a/hosts/vno3-rp3b/configuration.nix b/hosts/vno3-rp3b/configuration.nix index bb3c3b9..9932fa8 100644 --- a/hosts/vno3-rp3b/configuration.nix +++ b/hosts/vno3-rp3b/configuration.nix 
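Review bot: The `header` block of the `bitwarden.jakstys.lt` vhost still sets `X-XSS-Protection "1; mode=block"`, and the comment above it ("tell browser to block detected attacks") describes behaviour no current browser has: the XSS auditor was removed from Chromium-based browsers and never existed in Firefox, and current guidance (OWASP HTTP headers cheat sheet) is to send `0`, because the legacy filter itself enabled cross-site leaks. I would change the two lines to `# Disable the legacy XSS auditor (removed from browsers; could leak cross-site state)` / `X-XSS-Protection "0"`. Separately, `redir https://jakstys.lt` on `www.jakstys.lt` drops the requested path; `redir https://jakstys.lt{uri}` preserves it, if that is wanted.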
@@ -11,35 +11,42 @@ # imports = [(modulesPath + "/installer/scan/not-detected.nix")]; # as of 23.05 that is: - boot.initrd.availableKernelModules = ["usbhid"]; - boot.initrd.kernelModules = ["vc4" "bcm2835_dma"]; - boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; - boot.kernelModules = []; - boot.extraModulePackages = []; - boot.loader.grub.enable = false; - boot.loader.generic-extlinux-compatible.enable = true; + boot = { + initrd = { + availableKernelModules = ["usbhid"]; + kernelModules = ["vc4" "bcm2835_dma"]; + }; + loader = { + grub.enable = false; + generic-extlinux-compatible.enable = true; + }; - boot.supportedFilesystems = ["zfs"]; - boot.zfs.forceImportRoot = false; + kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + kernelModules = []; + extraModulePackages = []; + supportedFilesystems = ["zfs"]; + zfs.forceImportRoot = false; + }; powerManagement.cpuFreqGovernor = "ondemand"; - fileSystems."/" = { - device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; - fsType = "ext4"; - }; - - fileSystems."/data" = { - device = "datapool/root"; - fsType = "zfs"; - }; - fileSystems."/data/borg" = { - device = "datapool/root/borg"; - fsType = "zfs"; - }; - fileSystems."/data/shared" = { - device = "datapool/root/shared"; - fsType = "zfs"; + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; + fsType = "ext4"; + }; + "/data" = { + device = "datapool/root"; + fsType = "zfs"; + }; + "/data/borg" = { + device = "datapool/root/borg"; + fsType = "zfs"; + }; + "/data/shared" = { + device = "datapool/root/shared"; + fsType = "zfs"; + }; }; swapDevices = []; diff --git a/modules/profiles/desktop/default.nix b/modules/profiles/desktop/default.nix index d16e7be..b997e68 100644 --- a/modules/profiles/desktop/default.nix +++ b/modules/profiles/desktop/default.nix 
@@ -8,8 +8,10 @@ services.blueman.enable = true; services.udev.packages = [pkgs.yubikey-personalization]; - programs.firefox.enable = true; - programs.wireshark.enable = true; + programs = { + firefox.enable = true; + wireshark.enable = true; + }; mj.base.users.passwd.motiejus.extraGroups = ["adbusers" "networkmanager" "wireshark"]; @@ -191,28 +193,30 @@ }; }; - services.cbatticon.enable = true; - services.blueman-applet.enable = true; + services = { + cbatticon.enable = true; + blueman-applet.enable = true; - services.syncthing.tray = { - enable = true; - #extraOptions = ["--wait"]; - }; + syncthing.tray = { + enable = true; + #extraOptions = ["--wait"]; + }; - services.pasystray = { - enable = true; - extraOptions = ["--key-grabbing" "--notify=all"]; - }; + pasystray = { + enable = true; + extraOptions = ["--key-grabbing" "--notify=all"]; + }; - services.gpg-agent = { - enable = true; - enableSshSupport = true; - }; + gpg-agent = { + enable = true; + enableSshSupport = true; + }; - services.screen-locker = { - enable = true; - xautolock.enable = false; - lockCmd = ''${pkgs.bash}/bin/bash -c "${pkgs.coreutils}/bin/sleep 0.2; ${pkgs.xorg.xset}/bin/xset dpms force off; /run/wrappers/bin/slock"''; + screen-locker = { + enable = true; + xautolock.enable = false; + lockCmd = ''${pkgs.bash}/bin/bash -c "${pkgs.coreutils}/bin/sleep 0.2; ${pkgs.xorg.xset}/bin/xset dpms force off; /run/wrappers/bin/slock"''; + }; }; # https://github.com/nix-community/home-manager/issues/2064 diff --git a/modules/services/jakstpub/default.nix b/modules/services/jakstpub/default.nix index f22d037..b3cb2ee 100644 --- a/modules/services/jakstpub/default.nix +++ b/modules/services/jakstpub/default.nix 
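Review bot: `lockCmd` in `screen-locker` blanks the display (`xset dpms force off`) before it runs `/run/wrappers/bin/slock`, so the screen goes dark while the session is still unlocked, and if the setuid wrapper is missing or slock fails to grab the input the user sees a blank screen and assumes it is locked. slock accepts a command to run once the lock is established, so the order can be inverted without losing the blanking: `lockCmd = ''${pkgs.bash}/bin/bash -c "${pkgs.coreutils}/bin/sleep 0.2; exec /run/wrappers/bin/slock ${pkgs.xorg.xset}/bin/xset dpms force off"'';`. The enclosing home-manager module starts and ends outside this hunk.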
@@ -16,60 +16,62 @@ in { }; config = lib.mkIf cfg.enable { - services.caddy = { - enable = true; - virtualHosts.":80".extraConfig = with myData.subnets; '' - root * ${cfg.dataDir} - @denied not remote_ip ${vno1.cidr} ${vno3.cidr} ${tailscale.cidr} - file_server browse { - hide .stfolder - } - encode gzip - ''; - }; - - services.samba = { - # https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server - enable = true; - securityType = "user"; - enableNmbd = false; - enableWinbindd = false; - extraConfig = '' - map to guest = Bad User - guest account = jakstpub - server role = standalone server - ''; - shares = let - defaults = { - "public" = "yes"; - "mangled names" = "no"; - "guest ok" = "yes"; - "force user" = "jakstpub"; - "force group" = "jakstpub"; - }; - in { - public = - defaults - // { - "path" = cfg.dataDir; - "writeable" = "yes"; - "read only" = "no"; - "create mask" = "0664"; - "directory mask" = "0775"; - }; - snapshots = - defaults - // { - "path" = cfg.dataDir + "/.zfs/snapshot"; - "writeable" = "no"; - "read only" = "yes"; - }; + services = { + caddy = { + enable = true; + virtualHosts.":80".extraConfig = with myData.subnets; '' + root * ${cfg.dataDir} + @denied not remote_ip ${vno1.cidr} ${vno3.cidr} ${tailscale.cidr} + file_server browse { + hide .stfolder + } + encode gzip + ''; }; - }; - services.samba-wsdd = { - enable = true; - inherit (cfg) hostname; + samba = { + # https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server + enable = true; + securityType = "user"; + enableNmbd = false; + enableWinbindd = false; + extraConfig = '' + map to guest = Bad User + guest account = jakstpub + server role = standalone server + ''; + shares = let + defaults = { + "public" = "yes"; + "mangled names" = "no"; + "guest ok" = "yes"; + "force user" = "jakstpub"; + "force group" = "jakstpub"; + }; + in { + public = + defaults + // { + "path" = cfg.dataDir; + "writeable" = "yes"; + "read only" = "no"; + "create mask" = "0664"; + 
"directory mask" = "0775"; + }; + snapshots = + defaults + // { + "path" = cfg.dataDir + "/.zfs/snapshot"; + "writeable" = "no"; + "read only" = "yes"; + }; + }; + }; + + samba-wsdd = { + enable = true; + inherit (cfg) hostname; + }; }; users.users.jakstpub = { diff --git a/modules/services/nsd-acme/default.nix b/modules/services/nsd-acme/default.nix index 2b41d8b..f4ffdf9 100644 --- a/modules/services/nsd-acme/default.nix +++ b/modules/services/nsd-acme/default.nix 
@@ -92,112 +92,114 @@ in { zonefile: "/var/lib/nsd/acmezones/%s.zone" ''; - systemd.tmpfiles.rules = ["d /var/lib/nsd/acmezones 0755 nsd nsd -"]; + systemd = { + tmpfiles.rules = ["d /var/lib/nsd/acmezones 0755 nsd nsd -"]; - systemd.services = - { - nsd-control-setup = { - requiredBy = ["nsd.service"]; - before = ["nsd.service"]; - unitConfig.ConditionPathExists = let - rc = config.services.nsd.remoteControl; - in [ - "|!${rc.controlKeyFile}" - "|!${rc.controlCertFile}" - "|!${rc.serverKeyFile}" - "|!${rc.serverCertFile}" - ]; - serviceConfig = { - Type = "oneshot"; - UMask = 0077; - }; - script = '' - ${pkgs.nsd}/bin/nsd-control-setup - chown nsd:nsd /etc/nsd/nsd_{control,server}.{key,pem} - ''; - path = [pkgs.openssl]; - }; - } - // lib.mapAttrs' - ( - zone: cfg: - lib.nameValuePair "nsd-acme-${zone}" { - description = "dns-01 acme update for ${zone}"; - path = [pkgs.openssh pkgs.nsd]; - preStart = '' - mkdir -p "$STATE_DIRECTORY/private" - ln -sf "$CREDENTIALS_DIRECTORY/letsencrypt-account-key" \ - "$STATE_DIRECTORY/private/key.pem" - ''; + services = + { + nsd-control-setup = { + requiredBy = ["nsd.service"]; + before = ["nsd.service"]; + unitConfig.ConditionPathExists = let + rc = config.services.nsd.remoteControl; + in [ + "|!${rc.controlKeyFile}" + "|!${rc.controlCertFile}" + "|!${rc.serverKeyFile}" + "|!${rc.serverCertFile}" + ]; serviceConfig = { - ExecStart = let - hook = mkHook zone; - days = builtins.toString cfg.days; - in "${pkgs.uacme}/bin/uacme -c \${STATE_DIRECTORY} --verbose --days ${days} --hook ${hook} ${lib.optionalString cfg.staging "--staging"} issue ${zone}"; - - UMask = "0022"; - User = "nsd"; - Group = "nsd"; - StateDirectory = "nsd-acme/${zone}"; - LoadCredential = ["letsencrypt-account-key:${cfg.accountKey}"]; - ReadWritePaths = ["/var/lib/nsd/acmezones"]; - SuccessExitStatus = [0 1]; - - # from nixos/modules/security/acme/default.nix - ProtectSystem = "strict"; - PrivateTmp = true; - CapabilityBoundingSet = [""]; - DevicePolicy = 
"closed"; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateDevices = true; - ProtectClock = true; - ProtectHome = true; - ProtectHostname = true; - ProtectControlGroups = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProcSubset = "pid"; - RemoveIPC = true; - # "cannot get devices" - #RestrictAddressFamilies = [ - # "AF_INET" - # "AF_INET6" - #]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - # 1. allow a reasonable set of syscalls - "@system-service @resources" - # 2. and deny unreasonable ones - "~@privileged" - # 3. then allow the required subset within denied groups - "@chown" - ]; + Type = "oneshot"; + UMask = 0077; }; - } - ) - cfg.zones; + script = '' + ${pkgs.nsd}/bin/nsd-control-setup + chown nsd:nsd /etc/nsd/nsd_{control,server}.{key,pem} + ''; + path = [pkgs.openssl]; + }; + } + // lib.mapAttrs' + ( + zone: cfg: + lib.nameValuePair "nsd-acme-${zone}" { + description = "dns-01 acme update for ${zone}"; + path = [pkgs.openssh pkgs.nsd]; + preStart = '' + mkdir -p "$STATE_DIRECTORY/private" + ln -sf "$CREDENTIALS_DIRECTORY/letsencrypt-account-key" \ + "$STATE_DIRECTORY/private/key.pem" + ''; + serviceConfig = { + ExecStart = let + hook = mkHook zone; + days = builtins.toString cfg.days; + in "${pkgs.uacme}/bin/uacme -c \${STATE_DIRECTORY} --verbose --days ${days} --hook ${hook} ${lib.optionalString cfg.staging "--staging"} issue ${zone}"; - systemd.timers = - lib.mapAttrs' - ( - zone: _: - lib.nameValuePair "nsd-acme-${zone}" { - description = "nsd-acme for zone ${zone}"; - wantedBy = ["timers.target"]; - timerConfig = { - OnCalendar = "*-*-* 01:30"; - }; - after = ["network-online.target"]; - } - ) - cfg.zones; + UMask = "0022"; + User = "nsd"; + Group = "nsd"; + StateDirectory = "nsd-acme/${zone}"; + LoadCredential = 
["letsencrypt-account-key:${cfg.accountKey}"]; + ReadWritePaths = ["/var/lib/nsd/acmezones"]; + SuccessExitStatus = [0 1]; + + # from nixos/modules/security/acme/default.nix + ProtectSystem = "strict"; + PrivateTmp = true; + CapabilityBoundingSet = [""]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + ProtectClock = true; + ProtectHome = true; + ProtectHostname = true; + ProtectControlGroups = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + RemoveIPC = true; + # "cannot get devices" + #RestrictAddressFamilies = [ + # "AF_INET" + # "AF_INET6" + #]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + # 1. allow a reasonable set of syscalls + "@system-service @resources" + # 2. and deny unreasonable ones + "~@privileged" + # 3. then allow the required subset within denied groups + "@chown" + ]; + }; + } + ) + cfg.zones; + + timers = + lib.mapAttrs' + ( + zone: _: + lib.nameValuePair "nsd-acme-${zone}" { + description = "nsd-acme for zone ${zone}"; + wantedBy = ["timers.target"]; + timerConfig = { + OnCalendar = "*-*-* 01:30"; + }; + after = ["network-online.target"]; + } + ) + cfg.zones; + }; mj.base.unitstatus.units = lib.mkIf config.mj.base.unitstatus.enable diff --git a/modules/services/syncthing/default.nix b/modules/services/syncthing/default.nix index afe6688..cd1849a 100644 --- a/modules/services/syncthing/default.nix +++ b/modules/services/syncthing/default.nix @@ -121,7 +121,6 @@ in { in "${jakstIP}:${guiPortStr}"; extraOptions.gui.insecureAdminAccess = true; - devices = {} // (lib.optionalAttrs (config.networking.hostName == "vno1-oh2") { @@ -149,7 +148,6 @@ in { ; }) // {}; - folders = with folders; {} // ( 
diff --git a/shared/home/default.nix b/shared/home/default.nix index 4062c0e..8907570 100644 --- a/shared/home/default.nix +++ b/shared/home/default.nix 
@@ -40,82 +40,83 @@ else [] ); - programs.direnv.enable = true; + programs = { + direnv.enable = true; - programs.neovim = lib.mkMerge [ - { - enable = true; - vimAlias = true; - vimdiffAlias = true; - defaultEditor = true; - plugins = with pkgs.vimPlugins; - [ - fugitive - ] - ++ ( - if devEnvironment - then [ - vim-go - - zig-vim - - vim-vsnip - cmp-nvim-lsp - nvim-cmp - nvim-metals - plenary-nvim + neovim = lib.mkMerge [ + { + enable = true; + vimAlias = true; + vimdiffAlias = true; + defaultEditor = true; + plugins = with pkgs.vimPlugins; + [ + fugitive ] - else [] - ); - extraConfig = builtins.readFile ./vimrc; - } - (lib.mkIf devEnvironment { - extraLuaConfig = - builtins.readFile - (pkgs.substituteAll { - src = ./dev.lua; - javaHome = pkgs.jdk.home; - inherit (pkgs) metals; - inherit (pkgs) gotools; - }) - .outPath; - }) - ]; + ++ ( + if devEnvironment + then [ + vim-go - programs.git = { - package = pkgs.pkgs-unstable.git; - enable = true; - userEmail = email; - userName = "Motiejus Jakštys"; - aliases.yolo = "commit --amend --no-edit -a"; - extraConfig = { - rerere.enabled = true; - pull.ff = "only"; - merge.conflictstyle = "diff3"; - init.defaultBranch = "main"; + zig-vim + + vim-vsnip + cmp-nvim-lsp + nvim-cmp + nvim-metals + plenary-nvim + ] + else [] + ); + extraConfig = builtins.readFile ./vimrc; + } + (lib.mkIf devEnvironment { + extraLuaConfig = + builtins.readFile + (pkgs.substituteAll { + src = ./dev.lua; + javaHome = pkgs.jdk.home; + inherit (pkgs) metals; + inherit (pkgs) gotools; + }) + .outPath; + }) + ]; + + git = { + enable = true; + userEmail = email; + userName = "Motiejus Jakštys"; + aliases.yolo = "commit --amend --no-edit -a"; + extraConfig = { + rerere.enabled = true; + pull.ff = "only"; + merge.conflictstyle = "diff3"; + init.defaultBranch = "main"; + }; + }; + + gpg = { + enable = true; + mutableKeys = false; + mutableTrust = false; + publicKeys = [ + { + source = ./motiejus-gpg.txt; + trust = "ultimate"; + } + ]; + }; + + tmux = { + 
enable = true; + keyMode = "vi"; + historyLimit = 1000000; + extraConfig = '' + bind c new-window -c "#{pane_current_path}" + bind % split-window -h -c "#{pane_current_path}" + bind '"' split-window -v -c "#{pane_current_path}" + ''; }; }; - - programs.gpg = { - enable = true; - mutableKeys = false; - mutableTrust = false; - publicKeys = [ - { - source = ./motiejus-gpg.txt; - trust = "ultimate"; - } - ]; - }; - - programs.tmux = { - enable = true; - keyMode = "vi"; - historyLimit = 1000000; - extraConfig = '' - bind c new-window -c "#{pane_current_path}" - bind % split-window -h -c "#{pane_current_path}" - bind '"' split-window -v -c "#{pane_current_path}" - ''; - }; } diff --git a/yubikey-installer.nix b/yubikey-installer.nix deleted file mode 100644 index a6f8ef0..0000000 --- a/yubikey-installer.nix +++ /dev/null 
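Review bot: The restyled `programs.git` block drops `package = pkgs.pkgs-unstable.git;` from the old side without a replacement, so git silently falls back to the default `pkgs.git` — a behaviour change hidden in a commit whose message is just "statix". If intentional it belongs in its own commit or in the message; if not, restore `package = pkgs.pkgs-unstable.git;` as the first attribute of `git = { … }`. The rest of the hunk is a faithful re-nesting of the `programs.*` options.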
@@ -1,180 +0,0 @@
-let
- configuration = {
- config,
- lib,
- pkgs,
- ...
- }:
- with pkgs; let
- src = fetchGit "https://github.com/drduh/YubiKey-Guide";
-
- guide = "${src}/README.md";
-
- contrib = "${src}/contrib";
-
- drduhConfig = fetchGit "https://github.com/drduh/config";
-
- gpg-conf = "${drduhConfig}/gpg.conf";
-
- xserverCfg = config.services.xserver;
-
- pinentryFlavour =
- if xserverCfg.desktopManager.lxqt.enable || xserverCfg.desktopManager.plasma5.enable
- then "qt"
- else if xserverCfg.desktopManager.xfce.enable
- then "gtk2"
- else if xserverCfg.enable || config.programs.sway.enable
- then "gnome3"
- else "curses";
-
- # Instead of hard-coding the pinentry program, chose the appropriate one
- # based on the environment of the image the user has chosen to build.
- gpg-agent-conf = runCommand "gpg-agent.conf" {} ''
- sed '/pinentry-program/d' ${drduhConfig}/gpg-agent.conf > $out
- echo "pinentry-program ${pinentry.${pinentryFlavour}}/bin/pinentry" >> $out
- '';
-
- view-yubikey-guide = writeShellScriptBin "view-yubikey-guide" ''
- viewer="$(type -P xdg-open || true)"
- if [ -z "$viewer" ]; then
- viewer="${glow}/bin/glow -p"
- fi
- exec $viewer "${guide}"
- '';
-
- shortcut = makeDesktopItem {
- name = "yubikey-guide";
- icon = "${yubikey-manager-qt}/share/ykman-gui/icons/ykman.png";
- desktopName = "drduh's YubiKey Guide";
- genericName = "Guide to using YubiKey for GPG and SSH";
- comment = "Open the guide in a reader program";
- categories = ["Documentation"];
- exec = "${view-yubikey-guide}/bin/view-yubikey-guide";
- };
-
- yubikey-guide = symlinkJoin {
- name = "yubikey-guide";
- paths = [view-yubikey-guide shortcut];
- };
- in {
- nixpkgs.config = {allowBroken = true;};
-
- isoImage.isoBaseName = lib.mkForce "nixos-yubikey";
- # Uncomment this to disable compression and speed up image creation time
- isoImage.squashfsCompression = "gzip -Xcompression-level 1";
-
- boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
- # 
Always copytoram so that, if the image is booted from, e.g., a
- # USB stick, nothing is mistakenly written to persistent storage.
- boot.kernelParams = ["copytoram"];
- # Secure defaults
- boot.cleanTmpDir = true;
- boot.kernel.sysctl = {"kernel.unprivileged_bpf_disabled" = 1;};
-
- services.pcscd.enable = true;
- services.udev.packages = [yubikey-personalization];
-
- programs = {
- ssh.startAgent = false;
- gnupg.agent = {
- enable = true;
- enableSSHSupport = true;
- };
- };
-
- environment.systemPackages = [
- # Tools for backing up keys
- paperkey
- pgpdump
- parted
- cryptsetup
-
- # Yubico's official tools
- yubikey-manager
- yubikey-manager-qt
- yubikey-personalization
- yubikey-personalization-gui
- yubico-piv-tool
- yubioath-flutter
-
- # Testing
- ent
- # does not compile as of 2023-07-20
- #(haskell.lib.justStaticExecutables haskellPackages.hopenpgp-tools)
-
- # Password generation tools
- diceware
- pwgen
-
- # Miscellaneous tools that might be useful beyond the scope of the guide
- cfssl
- pcsctools
-
- # This guide itself (run `view-yubikey-guide` on the terminal to open it
- # in a non-graphical environment).
- yubikey-guide
-
- # motiejus addons
- rage
- sops
- tmux
- ssh-to-age
- age-plugin-yubikey
- ];
-
- # Disable networking so the system is air-gapped
- # Comment all of these lines out if you'll need internet access
- boot.initrd.network.enable = false;
- networking.dhcpcd.enable = false;
- networking.dhcpcd.allowInterfaces = [];
- networking.interfaces = {};
- networking.firewall.enable = true;
- networking.useDHCP = false;
- networking.useNetworkd = false;
- networking.wireless.enable = false;
- networking.networkmanager.enable = lib.mkForce false;
-
- # Unset history so it's never stored
- # Set GNUPGHOME to an ephemeral location and configure GPG with the
- # guide's recommended settings.
- environment.interactiveShellInit = ''
- unset HISTFILE
- export GNUPGHOME="/run/user/$(id -u)/gnupg"
- if [ ! 
-d "$GNUPGHOME" ]; then
- echo "Creating \$GNUPGHOME…"
- install --verbose -m=0700 --directory="$GNUPGHOME"
- fi
- [ ! -f "$GNUPGHOME/gpg.conf" ] && cp --verbose ${gpg-conf} "$GNUPGHOME/gpg.conf"
- [ ! -f "$GNUPGHOME/gpg-agent.conf" ] && cp --verbose ${gpg-agent-conf} "$GNUPGHOME/gpg-agent.conf"
- echo "\$GNUPGHOME is \"$GNUPGHOME\""
- '';
-
- # Copy the contents of contrib to the home directory, add a shortcut to
- # the guide on the desktop, and link to the whole repo in the documents
- # folder.
- system.activationScripts.yubikeyGuide = let
- homeDir = "/home/nixos/";
- desktopDir = homeDir + "Desktop/";
- documentsDir = homeDir + "Documents/";
- in ''
- mkdir -p ${desktopDir} ${documentsDir}
- chown nixos ${homeDir} ${desktopDir} ${documentsDir}
-
- cp -R ${contrib}/* ${homeDir}
- ln -sf ${yubikey-guide}/share/applications/yubikey-guide.desktop ${desktopDir}
- ln -sfT ${src} ${documentsDir}/YubiKey-Guide
- '';
- };
-
- nixos = import {
- inherit configuration;
- supportedSystems = ["x86_64-linux"];
- };
-
- # Choose the one you like:
- #nixos-yubikey = nixos.iso_minimal; # No graphical environment
- #nixos-yubikey = nixos.iso_gnome;
- nixos-yubikey = nixos.iso_plasma5;
-in {
- inherit nixos-yubikey;
-}