This commit is contained in:
Motiejus Jakštys 2023-11-27 18:17:27 +02:00
parent 896c5086d0
commit 8e78a31f20
9 changed files with 532 additions and 666 deletions

flake.nix

@ -10,23 +10,35 @@
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nur.url = "github:nix-community/NUR"; nur.url = "github:nix-community/NUR";
zigpkgs.url = "github:mitchellh/zig-overlay"; zigpkgs = {
zigpkgs.inputs.nixpkgs.follows = "nixpkgs"; url = "github:mitchellh/zig-overlay";
zigpkgs.inputs.flake-utils.follows = "flake-utils"; inputs = {
zigpkgs.inputs.flake-compat.follows = "flake-compat"; nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
flake-compat.follows = "flake-compat";
};
};
home-manager.url = "github:nix-community/home-manager/release-23.05"; home-manager.url = "github:nix-community/home-manager/release-23.05";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix"; agenix = {
agenix.inputs.nixpkgs.follows = "nixpkgs"; url = "github:ryantm/agenix";
agenix.inputs.home-manager.follows = "home-manager"; inputs = {
agenix.inputs.darwin.follows = ""; nixpkgs.follows = "nixpkgs";
home-manager.follows = "home-manager";
darwin.follows = "";
};
};
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs = {
deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; url = "github:serokell/deploy-rs";
deploy-rs.inputs.flake-compat.follows = "flake-compat"; inputs = {
deploy-rs.inputs.utils.follows = "flake-utils"; nixpkgs.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
utils.follows = "flake-utils";
};
};
nix-index-database.url = "github:Mic92/nix-index-database"; nix-index-database.url = "github:Mic92/nix-index-database";
nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
@ -34,12 +46,16 @@
gitignore.url = "github:hercules-ci/gitignore.nix"; gitignore.url = "github:hercules-ci/gitignore.nix";
gitignore.inputs.nixpkgs.follows = "nixpkgs"; gitignore.inputs.nixpkgs.follows = "nixpkgs";
pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix"; pre-commit-hooks = {
pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs"; url = "github:cachix/pre-commit-hooks.nix";
pre-commit-hooks.inputs.nixpkgs-stable.follows = "nixpkgs"; inputs = {
pre-commit-hooks.inputs.flake-compat.follows = "flake-compat"; nixpkgs.follows = "nixpkgs";
pre-commit-hooks.inputs.flake-utils.follows = "flake-utils"; nixpkgs-stable.follows = "nixpkgs";
pre-commit-hooks.inputs.gitignore.follows = "gitignore"; flake-compat.follows = "flake-compat";
flake-utils.follows = "flake-utils";
gitignore.follows = "gitignore";
};
};
}; };
nixConfig = { nixConfig = {
@ -98,152 +114,164 @@
# specialArgs = {inherit myData;} // inputs; # specialArgs = {inherit myData;} // inputs;
#}; #};
nixosConfigurations.vno1-oh2 = nixpkgs.lib.nixosSystem rec { nixosConfigurations = {
system = "x86_64-linux"; vno1-oh2 = nixpkgs.lib.nixosSystem rec {
modules = [ system = "x86_64-linux";
{nixpkgs.overlays = mkOverlays system;} modules = [
./hosts/vno1-oh2/configuration.nix {nixpkgs.overlays = mkOverlays system;}
./hosts/vno1-oh2/configuration.nix
./modules ./modules
agenix.nixosModules.default agenix.nixosModules.default
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; age.secrets = {
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age; motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.zfs-passphrase-fra1-a.file = ./secrets/fra1-a/zfs-passphrase.age; root-passwd-hash.file = ./secrets/root_passwd_hash.age;
zfs-passphrase-fra1-a.file = ./secrets/fra1-a/zfs-passphrase.age;
age.secrets.headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age; headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
age.secrets.borgbackup-password.file = ./secrets/vno1-oh2/borgbackup/password.age; borgbackup-password.file = ./secrets/vno1-oh2/borgbackup/password.age;
age.secrets.grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age; grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age;
age.secrets.letsencrypt-account-key.file = ./secrets/letsencrypt/account.key.age; letsencrypt-account-key.file = ./secrets/letsencrypt/account.key.age;
age.secrets.vaultwarden-secrets-env.file = ./secrets/vaultwarden/secrets.env.age; vaultwarden-secrets-env.file = ./secrets/vaultwarden/secrets.env.age;
age.secrets.synapse-jakstys-signing-key.file = ./secrets/synapse/jakstys_lt_signing_key.age; synapse-jakstys-signing-key.file = ./secrets/synapse/jakstys_lt_signing_key.age;
age.secrets.synapse-registration-shared-secret.file = ./secrets/synapse/registration_shared_secret.age; synapse-registration-shared-secret.file = ./secrets/synapse/registration_shared_secret.age;
age.secrets.synapse-macaroon-secret-key.file = ./secrets/synapse/macaroon_secret_key.age; synapse-macaroon-secret-key.file = ./secrets/synapse/macaroon_secret_key.age;
} };
]; }
];
specialArgs = {inherit myData;} // inputs; specialArgs = {inherit myData;} // inputs;
}; };
nixosConfigurations.fwminex = nixpkgs.lib.nixosSystem rec { fwminex = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
{nixpkgs.overlays = mkOverlays system;} {nixpkgs.overlays = mkOverlays system;}
./hosts/fwminex/configuration.nix ./hosts/fwminex/configuration.nix
./modules ./modules
./modules/profiles/desktop ./modules/profiles/desktop
nur.nixosModules.nur nur.nixosModules.nur
agenix.nixosModules.default agenix.nixosModules.default
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
nixos-hardware.nixosModules.framework-12th-gen-intel nixos-hardware.nixosModules.framework-12th-gen-intel
nix-index-database.nixosModules.nix-index nix-index-database.nixosModules.nix-index
{ {
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; age.secrets = {
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age; motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; root-passwd-hash.file = ./secrets/root_passwd_hash.age;
} sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
]; };
}
];
specialArgs = {inherit myData;} // inputs; specialArgs = {inherit myData;} // inputs;
}; };
nixosConfigurations.vno3-rp3b = nixpkgs.lib.nixosSystem rec { vno3-rp3b = nixpkgs.lib.nixosSystem rec {
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = [
{nixpkgs.overlays = mkOverlays system;} {nixpkgs.overlays = mkOverlays system;}
./hosts/vno3-rp3b/configuration.nix ./hosts/vno3-rp3b/configuration.nix
./modules ./modules
agenix.nixosModules.default agenix.nixosModules.default
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; age.secrets = {
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age; motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; root-passwd-hash.file = ./secrets/root_passwd_hash.age;
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
age.secrets.datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age; datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age;
} };
]; }
];
specialArgs = {inherit myData;} // inputs; specialArgs = {inherit myData;} // inputs;
}; };
nixosConfigurations.fra1-a = nixpkgs.lib.nixosSystem rec { fra1-a = nixpkgs.lib.nixosSystem rec {
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = [
{nixpkgs.overlays = mkOverlays system;} {nixpkgs.overlays = mkOverlays system;}
./hosts/fra1-a/configuration.nix ./hosts/fra1-a/configuration.nix
./modules ./modules
agenix.nixosModules.default agenix.nixosModules.default
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
age.secrets.zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age; age.secrets = {
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age; motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; root-passwd-hash.file = ./secrets/root_passwd_hash.age;
} sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
]; };
}
];
specialArgs = {inherit myData;} // inputs; specialArgs = {inherit myData;} // inputs;
};
deploy.nodes.vno1-oh2 = {
hostname = myData.hosts."vno1-oh2.servers.jakst".jakstIP;
profiles = {
system = {
sshUser = "motiejus";
path =
deployPkgsIA64.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno1-oh2;
user = "root";
};
}; };
}; };
deploy.nodes.fwminex = { deploy.nodes = {
hostname = myData.hosts."fwminex.motiejus.jakst".jakstIP; vno1-oh2 = {
profiles = { hostname = myData.hosts."vno1-oh2.servers.jakst".jakstIP;
system = { profiles = {
sshUser = "motiejus"; system = {
path = sshUser = "motiejus";
deployPkgsIA64.deploy-rs.lib.activate.nixos self.nixosConfigurations.fwminex; path =
user = "root"; deployPkgsIA64.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno1-oh2;
user = "root";
};
}; };
}; };
};
deploy.nodes.vno3-rp3b = { fwminex = {
hostname = myData.hosts."vno3-rp3b.servers.jakst".jakstIP; hostname = myData.hosts."fwminex.motiejus.jakst".jakstIP;
profiles = { profiles = {
system = { system = {
sshUser = "motiejus"; sshUser = "motiejus";
path = path =
deployPkgsArm64.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno3-rp3b; deployPkgsIA64.deploy-rs.lib.activate.nixos self.nixosConfigurations.fwminex;
user = "root"; user = "root";
};
}; };
}; };
};
deploy.nodes.fra1-a = { vno3-rp3b = {
hostname = myData.hosts."fra1-a.servers.jakst".jakstIP; hostname = myData.hosts."vno3-rp3b.servers.jakst".jakstIP;
profiles = { profiles = {
system = { system = {
sshUser = "motiejus"; sshUser = "motiejus";
path = path =
deployPkgsArm64.deploy-rs.lib.activate.nixos self.nixosConfigurations.fra1-a; deployPkgsArm64.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno3-rp3b;
user = "root"; user = "root";
};
};
};
fra1-a = {
hostname = myData.hosts."fra1-a.servers.jakst".jakstIP;
profiles = {
system = {
sshUser = "motiejus";
path =
deployPkgsArm64.deploy-rs.lib.activate.nixos self.nixosConfigurations.fra1-a;
user = "root";
};
}; };
}; };
}; };


@ -174,11 +174,13 @@
accountKey = config.age.secrets.letsencrypt-account-key.path; accountKey = config.age.secrets.letsencrypt-account-key.path;
in { in {
enable = true; enable = true;
zones."irc.jakstys.lt".accountKey = accountKey; zones = {
zones."hdd.jakstys.lt".accountKey = accountKey; "irc.jakstys.lt".accountKey = accountKey;
zones."hass.jakstys.lt".accountKey = accountKey; "hdd.jakstys.lt".accountKey = accountKey;
zones."grafana.jakstys.lt".accountKey = accountKey; "hass.jakstys.lt".accountKey = accountKey;
zones."bitwarden.jakstys.lt".accountKey = accountKey; "grafana.jakstys.lt".accountKey = accountKey;
"bitwarden.jakstys.lt".accountKey = accountKey;
};
}; };
deployerbot = { deployerbot = {
@ -254,86 +256,88 @@
metrics metrics
} }
''; '';
virtualHosts."hass.jakstys.lt".extraConfig = '' virtualHosts = {
@denied not remote_ip ${myData.subnets.tailscale.cidr} "hass.jakstys.lt".extraConfig = ''
abort @denied @denied not remote_ip ${myData.subnets.tailscale.cidr}
reverse_proxy 127.0.0.1:8123 abort @denied
tls {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-key.pem reverse_proxy 127.0.0.1:8123
''; tls {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-key.pem
virtualHosts."grafana.jakstys.lt".extraConfig = '' '';
@denied not remote_ip ${myData.subnets.tailscale.cidr} "grafana.jakstys.lt".extraConfig = ''
abort @denied @denied not remote_ip ${myData.subnets.tailscale.cidr}
reverse_proxy 127.0.0.1:3000 abort @denied
tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem reverse_proxy 127.0.0.1:3000
''; tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
virtualHosts."bitwarden.jakstys.lt".extraConfig = '' '';
@denied not remote_ip ${myData.subnets.tailscale.cidr} "bitwarden.jakstys.lt".extraConfig = ''
abort @denied @denied not remote_ip ${myData.subnets.tailscale.cidr}
tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem abort @denied
tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem
# from https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples # from https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
encode gzip encode gzip
header { header {
# Enable HTTP Strict Transport Security (HSTS) # Enable HTTP Strict Transport Security (HSTS)
Strict-Transport-Security "max-age=31536000;" Strict-Transport-Security "max-age=31536000;"
# Enable cross-site filter (XSS) and tell browser to block detected attacks # Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block" X-XSS-Protection "1; mode=block"
# Disallow the site to be rendered within a frame (clickjacking protection) # Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "SAMEORIGIN" X-Frame-Options "SAMEORIGIN"
} }
# deprecated from vaultwarden 1.29.0 # deprecated from vaultwarden 1.29.0
reverse_proxy /notifications/hub 127.0.0.1:${toString myData.ports.vaultwarden_ws} reverse_proxy /notifications/hub 127.0.0.1:${toString myData.ports.vaultwarden_ws}
reverse_proxy 127.0.0.1:${toString myData.ports.vaultwarden} { reverse_proxy 127.0.0.1:${toString myData.ports.vaultwarden} {
header_up X-Real-IP {remote_host} header_up X-Real-IP {remote_host}
}
'';
virtualHosts."www.jakstys.lt".extraConfig = ''
redir https://jakstys.lt
'';
virtualHosts."dl.jakstys.lt".extraConfig = ''
root * /var/www/dl
file_server browse {
hide .stfolder
}
encode gzip
'';
virtualHosts."jakstys.lt" = {
logFormat = ''
output file ${config.services.caddy.logDir}/access-jakstys.lt.log {
roll_disabled
} }
''; '';
extraConfig = '' "www.jakstys.lt".extraConfig = ''
header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" redir https://jakstys.lt
header /_/* Cache-Control "public, max-age=31536000, immutable"
root * /var/www/jakstys.lt
file_server {
precompressed br gzip
}
@matrixMatch {
path /.well-known/matrix/client
path /.well-known/matrix/server
}
header @matrixMatch Content-Type application/json
header @matrixMatch Access-Control-Allow-Origin *
header @matrixMatch Cache-Control "public, max-age=3600, immutable"
handle /.well-known/matrix/client {
respond "{\"m.homeserver\": {\"base_url\": \"https://jakstys.lt\"}}" 200
}
handle /.well-known/matrix/server {
respond "{\"m.server\": \"jakstys.lt:443\"}" 200
}
handle /_matrix/* {
reverse_proxy http://127.0.0.1:${toString myData.ports.matrix-synapse}
}
''; '';
"dl.jakstys.lt".extraConfig = ''
root * /var/www/dl
file_server browse {
hide .stfolder
}
encode gzip
'';
"jakstys.lt" = {
logFormat = ''
output file ${config.services.caddy.logDir}/access-jakstys.lt.log {
roll_disabled
}
'';
extraConfig = ''
header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
header /_/* Cache-Control "public, max-age=31536000, immutable"
root * /var/www/jakstys.lt
file_server {
precompressed br gzip
}
@matrixMatch {
path /.well-known/matrix/client
path /.well-known/matrix/server
}
header @matrixMatch Content-Type application/json
header @matrixMatch Access-Control-Allow-Origin *
header @matrixMatch Cache-Control "public, max-age=3600, immutable"
handle /.well-known/matrix/client {
respond "{\"m.homeserver\": {\"base_url\": \"https://jakstys.lt\"}}" 200
}
handle /.well-known/matrix/server {
respond "{\"m.server\": \"jakstys.lt:443\"}" 200
}
handle /_matrix/* {
reverse_proxy http://127.0.0.1:${toString myData.ports.matrix-synapse}
}
'';
};
}; };
}; };


@ -11,35 +11,42 @@
# imports = [(modulesPath + "/installer/scan/not-detected.nix")]; # imports = [(modulesPath + "/installer/scan/not-detected.nix")];
# as of 23.05 that is: # as of 23.05 that is:
boot.initrd.availableKernelModules = ["usbhid"]; boot = {
boot.initrd.kernelModules = ["vc4" "bcm2835_dma"]; initrd = {
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; availableKernelModules = ["usbhid"];
boot.kernelModules = []; kernelModules = ["vc4" "bcm2835_dma"];
boot.extraModulePackages = []; };
boot.loader.grub.enable = false; loader = {
boot.loader.generic-extlinux-compatible.enable = true; grub.enable = false;
generic-extlinux-compatible.enable = true;
};
boot.supportedFilesystems = ["zfs"]; kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
boot.zfs.forceImportRoot = false; kernelModules = [];
extraModulePackages = [];
supportedFilesystems = ["zfs"];
zfs.forceImportRoot = false;
};
powerManagement.cpuFreqGovernor = "ondemand"; powerManagement.cpuFreqGovernor = "ondemand";
fileSystems."/" = { fileSystems = {
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; "/" = {
fsType = "ext4"; device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
}; fsType = "ext4";
};
fileSystems."/data" = { "/data" = {
device = "datapool/root"; device = "datapool/root";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/data/borg" = { "/data/borg" = {
device = "datapool/root/borg"; device = "datapool/root/borg";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/data/shared" = { "/data/shared" = {
device = "datapool/root/shared"; device = "datapool/root/shared";
fsType = "zfs"; fsType = "zfs";
};
}; };
swapDevices = []; swapDevices = [];


@ -8,8 +8,10 @@
services.blueman.enable = true; services.blueman.enable = true;
services.udev.packages = [pkgs.yubikey-personalization]; services.udev.packages = [pkgs.yubikey-personalization];
programs.firefox.enable = true; programs = {
programs.wireshark.enable = true; firefox.enable = true;
wireshark.enable = true;
};
mj.base.users.passwd.motiejus.extraGroups = ["adbusers" "networkmanager" "wireshark"]; mj.base.users.passwd.motiejus.extraGroups = ["adbusers" "networkmanager" "wireshark"];
@ -191,28 +193,30 @@
}; };
}; };
services.cbatticon.enable = true; services = {
services.blueman-applet.enable = true; cbatticon.enable = true;
blueman-applet.enable = true;
services.syncthing.tray = { syncthing.tray = {
enable = true; enable = true;
#extraOptions = ["--wait"]; #extraOptions = ["--wait"];
}; };
services.pasystray = { pasystray = {
enable = true; enable = true;
extraOptions = ["--key-grabbing" "--notify=all"]; extraOptions = ["--key-grabbing" "--notify=all"];
}; };
services.gpg-agent = { gpg-agent = {
enable = true; enable = true;
enableSshSupport = true; enableSshSupport = true;
}; };
services.screen-locker = { screen-locker = {
enable = true; enable = true;
xautolock.enable = false; xautolock.enable = false;
lockCmd = ''${pkgs.bash}/bin/bash -c "${pkgs.coreutils}/bin/sleep 0.2; ${pkgs.xorg.xset}/bin/xset dpms force off; /run/wrappers/bin/slock"''; lockCmd = ''${pkgs.bash}/bin/bash -c "${pkgs.coreutils}/bin/sleep 0.2; ${pkgs.xorg.xset}/bin/xset dpms force off; /run/wrappers/bin/slock"'';
};
}; };
# https://github.com/nix-community/home-manager/issues/2064 # https://github.com/nix-community/home-manager/issues/2064


@ -16,60 +16,62 @@ in {
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.caddy = { services = {
enable = true; caddy = {
virtualHosts.":80".extraConfig = with myData.subnets; '' enable = true;
root * ${cfg.dataDir} virtualHosts.":80".extraConfig = with myData.subnets; ''
@denied not remote_ip ${vno1.cidr} ${vno3.cidr} ${tailscale.cidr} root * ${cfg.dataDir}
file_server browse { @denied not remote_ip ${vno1.cidr} ${vno3.cidr} ${tailscale.cidr}
hide .stfolder file_server browse {
} hide .stfolder
encode gzip }
''; encode gzip
}; '';
services.samba = {
# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
enable = true;
securityType = "user";
enableNmbd = false;
enableWinbindd = false;
extraConfig = ''
map to guest = Bad User
guest account = jakstpub
server role = standalone server
'';
shares = let
defaults = {
"public" = "yes";
"mangled names" = "no";
"guest ok" = "yes";
"force user" = "jakstpub";
"force group" = "jakstpub";
};
in {
public =
defaults
// {
"path" = cfg.dataDir;
"writeable" = "yes";
"read only" = "no";
"create mask" = "0664";
"directory mask" = "0775";
};
snapshots =
defaults
// {
"path" = cfg.dataDir + "/.zfs/snapshot";
"writeable" = "no";
"read only" = "yes";
};
}; };
};
services.samba-wsdd = { samba = {
enable = true; # https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
inherit (cfg) hostname; enable = true;
securityType = "user";
enableNmbd = false;
enableWinbindd = false;
extraConfig = ''
map to guest = Bad User
guest account = jakstpub
server role = standalone server
'';
shares = let
defaults = {
"public" = "yes";
"mangled names" = "no";
"guest ok" = "yes";
"force user" = "jakstpub";
"force group" = "jakstpub";
};
in {
public =
defaults
// {
"path" = cfg.dataDir;
"writeable" = "yes";
"read only" = "no";
"create mask" = "0664";
"directory mask" = "0775";
};
snapshots =
defaults
// {
"path" = cfg.dataDir + "/.zfs/snapshot";
"writeable" = "no";
"read only" = "yes";
};
};
};
samba-wsdd = {
enable = true;
inherit (cfg) hostname;
};
}; };
users.users.jakstpub = { users.users.jakstpub = {
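Review bot: The regrouped `services` block leaves an asymmetry between the two services it now nests side by side: the caddy `:80` vhost denies everything outside `${vno1.cidr} ${vno3.cidr} ${tailscale.cidr}`, while the samba share `public` is guest-writable (`map to guest = Bad User`, `"guest ok" = "yes"`, `"writeable" = "yes"`) with no host restriction in `extraConfig`. Whether that is bounded elsewhere (firewall, interface binding) is not visible in this hunk, so either add the same networks as `hosts allow = <cidrs as in the caddy @denied matcher>` under `extraConfig`, or add a comment next to `samba = {` stating where the restriction lives. The enclosing `config = lib.mkIf cfg.enable { ... }` attrset continues past the end of the hunk.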


@ -92,112 +92,114 @@ in {
zonefile: "/var/lib/nsd/acmezones/%s.zone" zonefile: "/var/lib/nsd/acmezones/%s.zone"
''; '';
systemd.tmpfiles.rules = ["d /var/lib/nsd/acmezones 0755 nsd nsd -"]; systemd = {
tmpfiles.rules = ["d /var/lib/nsd/acmezones 0755 nsd nsd -"];
systemd.services = services =
{ {
nsd-control-setup = { nsd-control-setup = {
requiredBy = ["nsd.service"]; requiredBy = ["nsd.service"];
before = ["nsd.service"]; before = ["nsd.service"];
unitConfig.ConditionPathExists = let unitConfig.ConditionPathExists = let
rc = config.services.nsd.remoteControl; rc = config.services.nsd.remoteControl;
in [ in [
"|!${rc.controlKeyFile}" "|!${rc.controlKeyFile}"
"|!${rc.controlCertFile}" "|!${rc.controlCertFile}"
"|!${rc.serverKeyFile}" "|!${rc.serverKeyFile}"
"|!${rc.serverCertFile}" "|!${rc.serverCertFile}"
]; ];
serviceConfig = {
Type = "oneshot";
UMask = 0077;
};
script = ''
${pkgs.nsd}/bin/nsd-control-setup
chown nsd:nsd /etc/nsd/nsd_{control,server}.{key,pem}
'';
path = [pkgs.openssl];
};
}
// lib.mapAttrs'
(
zone: cfg:
lib.nameValuePair "nsd-acme-${zone}" {
description = "dns-01 acme update for ${zone}";
path = [pkgs.openssh pkgs.nsd];
preStart = ''
mkdir -p "$STATE_DIRECTORY/private"
ln -sf "$CREDENTIALS_DIRECTORY/letsencrypt-account-key" \
"$STATE_DIRECTORY/private/key.pem"
'';
serviceConfig = { serviceConfig = {
ExecStart = let Type = "oneshot";
hook = mkHook zone; UMask = 0077;
days = builtins.toString cfg.days;
in "${pkgs.uacme}/bin/uacme -c \${STATE_DIRECTORY} --verbose --days ${days} --hook ${hook} ${lib.optionalString cfg.staging "--staging"} issue ${zone}";
UMask = "0022";
User = "nsd";
Group = "nsd";
StateDirectory = "nsd-acme/${zone}";
LoadCredential = ["letsencrypt-account-key:${cfg.accountKey}"];
ReadWritePaths = ["/var/lib/nsd/acmezones"];
SuccessExitStatus = [0 1];
# from nixos/modules/security/acme/default.nix
ProtectSystem = "strict";
PrivateTmp = true;
CapabilityBoundingSet = [""];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RemoveIPC = true;
# "cannot get devices"
#RestrictAddressFamilies = [
# "AF_INET"
# "AF_INET6"
#];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
# 1. allow a reasonable set of syscalls
"@system-service @resources"
# 2. and deny unreasonable ones
"~@privileged"
# 3. then allow the required subset within denied groups
"@chown"
];
}; };
} script = ''
) ${pkgs.nsd}/bin/nsd-control-setup
cfg.zones; chown nsd:nsd /etc/nsd/nsd_{control,server}.{key,pem}
'';
path = [pkgs.openssl];
};
}
// lib.mapAttrs'
(
zone: cfg:
lib.nameValuePair "nsd-acme-${zone}" {
description = "dns-01 acme update for ${zone}";
path = [pkgs.openssh pkgs.nsd];
preStart = ''
mkdir -p "$STATE_DIRECTORY/private"
ln -sf "$CREDENTIALS_DIRECTORY/letsencrypt-account-key" \
"$STATE_DIRECTORY/private/key.pem"
'';
serviceConfig = {
ExecStart = let
hook = mkHook zone;
days = builtins.toString cfg.days;
in "${pkgs.uacme}/bin/uacme -c \${STATE_DIRECTORY} --verbose --days ${days} --hook ${hook} ${lib.optionalString cfg.staging "--staging"} issue ${zone}";
systemd.timers = UMask = "0022";
lib.mapAttrs' User = "nsd";
( Group = "nsd";
zone: _: StateDirectory = "nsd-acme/${zone}";
lib.nameValuePair "nsd-acme-${zone}" { LoadCredential = ["letsencrypt-account-key:${cfg.accountKey}"];
description = "nsd-acme for zone ${zone}"; ReadWritePaths = ["/var/lib/nsd/acmezones"];
wantedBy = ["timers.target"]; SuccessExitStatus = [0 1];
timerConfig = {
OnCalendar = "*-*-* 01:30"; # from nixos/modules/security/acme/default.nix
}; ProtectSystem = "strict";
after = ["network-online.target"]; PrivateTmp = true;
} CapabilityBoundingSet = [""];
) DevicePolicy = "closed";
cfg.zones; LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RemoveIPC = true;
# "cannot get devices"
#RestrictAddressFamilies = [
# "AF_INET"
# "AF_INET6"
#];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
# 1. allow a reasonable set of syscalls
"@system-service @resources"
# 2. and deny unreasonable ones
"~@privileged"
# 3. then allow the required subset within denied groups
"@chown"
];
};
}
)
cfg.zones;
timers =
lib.mapAttrs'
(
zone: _:
lib.nameValuePair "nsd-acme-${zone}" {
description = "nsd-acme for zone ${zone}";
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "*-*-* 01:30";
};
after = ["network-online.target"];
}
)
cfg.zones;
};
mj.base.unitstatus.units = mj.base.unitstatus.units =
lib.mkIf config.mj.base.unitstatus.enable lib.mkIf config.mj.base.unitstatus.enable
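Review bot: `UMask = 0077;` in the moved `nsd-control-setup.serviceConfig` is an integer literal, and Nix has no octal literals, so it is the decimal 77 and is rendered as `UMask=77`; this only yields the intended mask because systemd parses `UMask=` as octal. The `nsd-acme-*` services a few lines later spell it as a string, `UMask = "0022";`, so for consistency and to make the intent explicit write `UMask = "0077";`. The enclosing `config` attrset continues outside the hunk on both sides.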


@ -121,7 +121,6 @@ in {
in "${jakstIP}:${guiPortStr}"; in "${jakstIP}:${guiPortStr}";
extraOptions.gui.insecureAdminAccess = true; extraOptions.gui.insecureAdminAccess = true;
devices = devices =
{} {}
// (lib.optionalAttrs (config.networking.hostName == "vno1-oh2") { // (lib.optionalAttrs (config.networking.hostName == "vno1-oh2") {
@ -149,7 +148,6 @@ in {
; ;
}) })
// {}; // {};
folders = with folders; folders = with folders;
{} {}
// ( // (


@ -40,82 +40,83 @@
else [] else []
); );
programs.direnv.enable = true; programs = {
direnv.enable = true;
programs.neovim = lib.mkMerge [ neovim = lib.mkMerge [
{ {
enable = true; enable = true;
vimAlias = true; vimAlias = true;
vimdiffAlias = true; vimdiffAlias = true;
defaultEditor = true; defaultEditor = true;
plugins = with pkgs.vimPlugins; plugins = with pkgs.vimPlugins;
[ [
fugitive fugitive
]
++ (
if devEnvironment
then [
vim-go
zig-vim
vim-vsnip
cmp-nvim-lsp
nvim-cmp
nvim-metals
plenary-nvim
] ]
else [] ++ (
); if devEnvironment
extraConfig = builtins.readFile ./vimrc; then [
} vim-go
(lib.mkIf devEnvironment {
extraLuaConfig =
builtins.readFile
(pkgs.substituteAll {
src = ./dev.lua;
javaHome = pkgs.jdk.home;
inherit (pkgs) metals;
inherit (pkgs) gotools;
})
.outPath;
})
];
programs.git = { zig-vim
package = pkgs.pkgs-unstable.git;
enable = true; vim-vsnip
userEmail = email; cmp-nvim-lsp
userName = "Motiejus Jakštys"; nvim-cmp
aliases.yolo = "commit --amend --no-edit -a"; nvim-metals
extraConfig = { plenary-nvim
rerere.enabled = true; ]
pull.ff = "only"; else []
merge.conflictstyle = "diff3"; );
init.defaultBranch = "main"; extraConfig = builtins.readFile ./vimrc;
}
(lib.mkIf devEnvironment {
extraLuaConfig =
builtins.readFile
(pkgs.substituteAll {
src = ./dev.lua;
javaHome = pkgs.jdk.home;
inherit (pkgs) metals;
inherit (pkgs) gotools;
})
.outPath;
})
];
git = {
enable = true;
userEmail = email;
userName = "Motiejus Jakštys";
aliases.yolo = "commit --amend --no-edit -a";
extraConfig = {
rerere.enabled = true;
pull.ff = "only";
merge.conflictstyle = "diff3";
init.defaultBranch = "main";
};
};
gpg = {
enable = true;
mutableKeys = false;
mutableTrust = false;
publicKeys = [
{
source = ./motiejus-gpg.txt;
trust = "ultimate";
}
];
};
tmux = {
enable = true;
keyMode = "vi";
historyLimit = 1000000;
extraConfig = ''
bind c new-window -c "#{pane_current_path}"
bind % split-window -h -c "#{pane_current_path}"
bind '"' split-window -v -c "#{pane_current_path}"
'';
}; };
}; };
programs.gpg = {
enable = true;
mutableKeys = false;
mutableTrust = false;
publicKeys = [
{
source = ./motiejus-gpg.txt;
trust = "ultimate";
}
];
};
programs.tmux = {
enable = true;
keyMode = "vi";
historyLimit = 1000000;
extraConfig = ''
bind c new-window -c "#{pane_current_path}"
bind % split-window -h -c "#{pane_current_path}"
bind '"' split-window -v -c "#{pane_current_path}"
'';
};
} }
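Review bot: The regrouping into `programs = { ... }` appears to drop `package = pkgs.pkgs-unstable.git;` — it shows up only on the old `programs.git` side, and the new `git = { ... }` block lists `enable`, `userEmail`, `userName`, `aliases` and `extraConfig` but no `package`, so this refactor would also switch git from the unstable overlay back to the default package. If that is intentional it deserves a line in the commit message; otherwise add `package = pkgs.pkgs-unstable.git;` back inside `git = {`. The side assignment is inferred from the rendered layout, so please confirm against the raw diff.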


@ -1,180 +0,0 @@
let
configuration = {
config,
lib,
pkgs,
...
}:
with pkgs; let
src = fetchGit "https://github.com/drduh/YubiKey-Guide";
guide = "${src}/README.md";
contrib = "${src}/contrib";
drduhConfig = fetchGit "https://github.com/drduh/config";
gpg-conf = "${drduhConfig}/gpg.conf";
xserverCfg = config.services.xserver;
pinentryFlavour =
if xserverCfg.desktopManager.lxqt.enable || xserverCfg.desktopManager.plasma5.enable
then "qt"
else if xserverCfg.desktopManager.xfce.enable
then "gtk2"
else if xserverCfg.enable || config.programs.sway.enable
then "gnome3"
else "curses";
# Instead of hard-coding the pinentry program, chose the appropriate one
# based on the environment of the image the user has chosen to build.
gpg-agent-conf = runCommand "gpg-agent.conf" {} ''
sed '/pinentry-program/d' ${drduhConfig}/gpg-agent.conf > $out
echo "pinentry-program ${pinentry.${pinentryFlavour}}/bin/pinentry" >> $out
'';
view-yubikey-guide = writeShellScriptBin "view-yubikey-guide" ''
viewer="$(type -P xdg-open || true)"
if [ -z "$viewer" ]; then
viewer="${glow}/bin/glow -p"
fi
exec $viewer "${guide}"
'';
shortcut = makeDesktopItem {
name = "yubikey-guide";
icon = "${yubikey-manager-qt}/share/ykman-gui/icons/ykman.png";
desktopName = "drduh's YubiKey Guide";
genericName = "Guide to using YubiKey for GPG and SSH";
comment = "Open the guide in a reader program";
categories = ["Documentation"];
exec = "${view-yubikey-guide}/bin/view-yubikey-guide";
};
yubikey-guide = symlinkJoin {
name = "yubikey-guide";
paths = [view-yubikey-guide shortcut];
};
in {
nixpkgs.config = {allowBroken = true;};
isoImage.isoBaseName = lib.mkForce "nixos-yubikey";
# Uncomment this to disable compression and speed up image creation time
isoImage.squashfsCompression = "gzip -Xcompression-level 1";
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
# Always copytoram so that, if the image is booted from, e.g., a
# USB stick, nothing is mistakenly written to persistent storage.
boot.kernelParams = ["copytoram"];
# Secure defaults
boot.cleanTmpDir = true;
boot.kernel.sysctl = {"kernel.unprivileged_bpf_disabled" = 1;};
services.pcscd.enable = true;
services.udev.packages = [yubikey-personalization];
programs = {
ssh.startAgent = false;
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
environment.systemPackages = [
# Tools for backing up keys
paperkey
pgpdump
parted
cryptsetup
# Yubico's official tools
yubikey-manager
yubikey-manager-qt
yubikey-personalization
yubikey-personalization-gui
yubico-piv-tool
yubioath-flutter
# Testing
ent
# does not compile as of 2023-07-20
#(haskell.lib.justStaticExecutables haskellPackages.hopenpgp-tools)
# Password generation tools
diceware
pwgen
# Miscellaneous tools that might be useful beyond the scope of the guide
cfssl
pcsctools
# This guide itself (run `view-yubikey-guide` on the terminal to open it
# in a non-graphical environment).
yubikey-guide
# motiejus addons
rage
sops
tmux
ssh-to-age
age-plugin-yubikey
];
# Disable networking so the system is air-gapped
# Comment all of these lines out if you'll need internet access
boot.initrd.network.enable = false;
networking.dhcpcd.enable = false;
networking.dhcpcd.allowInterfaces = [];
networking.interfaces = {};
networking.firewall.enable = true;
networking.useDHCP = false;
networking.useNetworkd = false;
networking.wireless.enable = false;
networking.networkmanager.enable = lib.mkForce false;
# Unset history so it's never stored
# Set GNUPGHOME to an ephemeral location and configure GPG with the
# guide's recommended settings.
environment.interactiveShellInit = ''
unset HISTFILE
export GNUPGHOME="/run/user/$(id -u)/gnupg"
if [ ! -d "$GNUPGHOME" ]; then
echo "Creating \$GNUPGHOME"
install --verbose -m=0700 --directory="$GNUPGHOME"
fi
[ ! -f "$GNUPGHOME/gpg.conf" ] && cp --verbose ${gpg-conf} "$GNUPGHOME/gpg.conf"
[ ! -f "$GNUPGHOME/gpg-agent.conf" ] && cp --verbose ${gpg-agent-conf} "$GNUPGHOME/gpg-agent.conf"
echo "\$GNUPGHOME is \"$GNUPGHOME\""
'';
# Copy the contents of contrib to the home directory, add a shortcut to
# the guide on the desktop, and link to the whole repo in the documents
# folder.
system.activationScripts.yubikeyGuide = let
homeDir = "/home/nixos/";
desktopDir = homeDir + "Desktop/";
documentsDir = homeDir + "Documents/";
in ''
mkdir -p ${desktopDir} ${documentsDir}
chown nixos ${homeDir} ${desktopDir} ${documentsDir}
cp -R ${contrib}/* ${homeDir}
ln -sf ${yubikey-guide}/share/applications/yubikey-guide.desktop ${desktopDir}
ln -sfT ${src} ${documentsDir}/YubiKey-Guide
'';
};
nixos = import <nixpkgs/nixos/release.nix> {
inherit configuration;
supportedSystems = ["x86_64-linux"];
};
# Choose the one you like:
#nixos-yubikey = nixos.iso_minimal; # No graphical environment
#nixos-yubikey = nixos.iso_gnome;
nixos-yubikey = nixos.iso_plasma5;
in {
inherit nixos-yubikey;
}