motiejus/config
1
Fork 0
Code Packages Releases Activity

statix

Browse Source
This commit is contained in:
Motiejus Jakštys 2023-11-27 18:17:27 +02:00
parent 896c5086d0
commit 8e78a31f20
9 changed files with 532 additions and 666 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
flake.nix
View File

@ -10,23 +10,35 @@
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nur.url = "github:nix-community/NUR";
zigpkgs.url = "github:mitchellh/zig-overlay";
zigpkgs.inputs.nixpkgs.follows = "nixpkgs";
zigpkgs.inputs.flake-utils.follows = "flake-utils";
zigpkgs.inputs.flake-compat.follows = "flake-compat";
zigpkgs = {
url = "github:mitchellh/zig-overlay";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
flake-compat.follows = "flake-compat";
};
};
home-manager.url = "github:nix-community/home-manager/release-23.05";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
agenix.inputs.home-manager.follows = "home-manager";
agenix.inputs.darwin.follows = "";
agenix = {
url = "github:ryantm/agenix";
inputs = {
nixpkgs.follows = "nixpkgs";
home-manager.follows = "home-manager";
darwin.follows = "";
};
};
deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.inputs.flake-compat.follows = "flake-compat";
deploy-rs.inputs.utils.follows = "flake-utils";
deploy-rs = {
url = "github:serokell/deploy-rs";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
utils.follows = "flake-utils";
};
};
nix-index-database.url = "github:Mic92/nix-index-database";
nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
@ -34,12 +46,16 @@
gitignore.url = "github:hercules-ci/gitignore.nix";
gitignore.inputs.nixpkgs.follows = "nixpkgs";
pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix";
pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
pre-commit-hooks.inputs.nixpkgs-stable.follows = "nixpkgs";
pre-commit-hooks.inputs.flake-compat.follows = "flake-compat";
pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
pre-commit-hooks.inputs.gitignore.follows = "gitignore";
pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix";
inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
flake-utils.follows = "flake-utils";
gitignore.follows = "gitignore";
};
};
};
nixConfig = {
@ -98,7 +114,8 @@
# specialArgs = {inherit myData;} // inputs;
#};
nixosConfigurations.vno1-oh2 = nixpkgs.lib.nixosSystem rec {
nixosConfigurations = {
vno1-oh2 = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
modules = [
{nixpkgs.overlays = mkOverlays system;}
@ -110,27 +127,29 @@
home-manager.nixosModules.home-manager
{
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
age.secrets.zfs-passphrase-fra1-a.file = ./secrets/fra1-a/zfs-passphrase.age;
age.secrets = {
motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
root-passwd-hash.file = ./secrets/root_passwd_hash.age;
zfs-passphrase-fra1-a.file = ./secrets/fra1-a/zfs-passphrase.age;
age.secrets.headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
age.secrets.borgbackup-password.file = ./secrets/vno1-oh2/borgbackup/password.age;
age.secrets.grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age;
age.secrets.letsencrypt-account-key.file = ./secrets/letsencrypt/account.key.age;
age.secrets.vaultwarden-secrets-env.file = ./secrets/vaultwarden/secrets.env.age;
headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
borgbackup-password.file = ./secrets/vno1-oh2/borgbackup/password.age;
grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age;
letsencrypt-account-key.file = ./secrets/letsencrypt/account.key.age;
vaultwarden-secrets-env.file = ./secrets/vaultwarden/secrets.env.age;
age.secrets.synapse-jakstys-signing-key.file = ./secrets/synapse/jakstys_lt_signing_key.age;
age.secrets.synapse-registration-shared-secret.file = ./secrets/synapse/registration_shared_secret.age;
age.secrets.synapse-macaroon-secret-key.file = ./secrets/synapse/macaroon_secret_key.age;
synapse-jakstys-signing-key.file = ./secrets/synapse/jakstys_lt_signing_key.age;
synapse-registration-shared-secret.file = ./secrets/synapse/registration_shared_secret.age;
synapse-macaroon-secret-key.file = ./secrets/synapse/macaroon_secret_key.age;
};
}
];
specialArgs = {inherit myData;} // inputs;
};
nixosConfigurations.fwminex = nixpkgs.lib.nixosSystem rec {
fwminex = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
modules = [
{nixpkgs.overlays = mkOverlays system;}
@ -146,16 +165,18 @@
nix-index-database.nixosModules.nix-index
{
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
age.secrets = {
motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
root-passwd-hash.file = ./secrets/root_passwd_hash.age;
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
};
}
];
specialArgs = {inherit myData;} // inputs;
};
nixosConfigurations.vno3-rp3b = nixpkgs.lib.nixosSystem rec {
vno3-rp3b = nixpkgs.lib.nixosSystem rec {
system = "aarch64-linux";
modules = [
{nixpkgs.overlays = mkOverlays system;}
@ -167,18 +188,20 @@
home-manager.nixosModules.home-manager
{
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
age.secrets = {
motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
root-passwd-hash.file = ./secrets/root_passwd_hash.age;
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
age.secrets.datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age;
datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age;
};
}
];
specialArgs = {inherit myData;} // inputs;
};
nixosConfigurations.fra1-a = nixpkgs.lib.nixosSystem rec {
fra1-a = nixpkgs.lib.nixosSystem rec {
system = "aarch64-linux";
modules = [
{nixpkgs.overlays = mkOverlays system;}
@ -190,17 +213,21 @@
home-manager.nixosModules.home-manager
{
age.secrets.zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
age.secrets = {
zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
root-passwd-hash.file = ./secrets/root_passwd_hash.age;
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
};
}
];
specialArgs = {inherit myData;} // inputs;
};
};
deploy.nodes.vno1-oh2 = {
deploy.nodes = {
vno1-oh2 = {
hostname = myData.hosts."vno1-oh2.servers.jakst".jakstIP;
profiles = {
system = {
@ -212,7 +239,7 @@
};
};
deploy.nodes.fwminex = {
fwminex = {
hostname = myData.hosts."fwminex.motiejus.jakst".jakstIP;
profiles = {
system = {
@ -224,7 +251,7 @@
};
};
deploy.nodes.vno3-rp3b = {
vno3-rp3b = {
hostname = myData.hosts."vno3-rp3b.servers.jakst".jakstIP;
profiles = {
system = {
@ -236,7 +263,7 @@
};
};
deploy.nodes.fra1-a = {
fra1-a = {
hostname = myData.hosts."fra1-a.servers.jakst".jakstIP;
profiles = {
system = {
@ -247,6 +274,7 @@
};
};
};
};
checks =
builtins.mapAttrs (

26
hosts/vno1-oh2/configuration.nix
View File

@ -174,11 +174,13 @@
accountKey = config.age.secrets.letsencrypt-account-key.path;
in {
enable = true;
zones."irc.jakstys.lt".accountKey = accountKey;
zones."hdd.jakstys.lt".accountKey = accountKey;
zones."hass.jakstys.lt".accountKey = accountKey;
zones."grafana.jakstys.lt".accountKey = accountKey;
zones."bitwarden.jakstys.lt".accountKey = accountKey;
zones = {
"irc.jakstys.lt".accountKey = accountKey;
"hdd.jakstys.lt".accountKey = accountKey;
"hass.jakstys.lt".accountKey = accountKey;
"grafana.jakstys.lt".accountKey = accountKey;
"bitwarden.jakstys.lt".accountKey = accountKey;
};
};
deployerbot = {
@ -254,19 +256,20 @@
metrics
}
'';
virtualHosts."hass.jakstys.lt".extraConfig = ''
virtualHosts = {
"hass.jakstys.lt".extraConfig = ''
@denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied
reverse_proxy 127.0.0.1:8123
tls {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-key.pem
'';
virtualHosts."grafana.jakstys.lt".extraConfig = ''
"grafana.jakstys.lt".extraConfig = ''
@denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied
reverse_proxy 127.0.0.1:3000
tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
'';
virtualHosts."bitwarden.jakstys.lt".extraConfig = ''
"bitwarden.jakstys.lt".extraConfig = ''
@denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied
tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem
@ -289,17 +292,17 @@
header_up X-Real-IP {remote_host}
}
'';
virtualHosts."www.jakstys.lt".extraConfig = ''
"www.jakstys.lt".extraConfig = ''
redir https://jakstys.lt
'';
virtualHosts."dl.jakstys.lt".extraConfig = ''
"dl.jakstys.lt".extraConfig = ''
root * /var/www/dl
file_server browse {
hide .stfolder
}
encode gzip
'';
virtualHosts."jakstys.lt" = {
"jakstys.lt" = {
logFormat = ''
output file ${config.services.caddy.logDir}/access-jakstys.lt.log {
roll_disabled
@ -336,6 +339,7 @@
'';
};
};
};
logrotate = {
settings = {

35
hosts/vno3-rp3b/configuration.nix
View File

@ -11,36 +11,43 @@
# imports = [(modulesPath + "/installer/scan/not-detected.nix")];
# as of 23.05 that is:
boot.initrd.availableKernelModules = ["usbhid"];
boot.initrd.kernelModules = ["vc4" "bcm2835_dma"];
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
boot.kernelModules = [];
boot.extraModulePackages = [];
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot = {
initrd = {
availableKernelModules = ["usbhid"];
kernelModules = ["vc4" "bcm2835_dma"];
};
loader = {
grub.enable = false;
generic-extlinux-compatible.enable = true;
};
boot.supportedFilesystems = ["zfs"];
boot.zfs.forceImportRoot = false;
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
kernelModules = [];
extraModulePackages = [];
supportedFilesystems = ["zfs"];
zfs.forceImportRoot = false;
};
powerManagement.cpuFreqGovernor = "ondemand";
fileSystems."/" = {
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
fsType = "ext4";
};
fileSystems."/data" = {
"/data" = {
device = "datapool/root";
fsType = "zfs";
};
fileSystems."/data/borg" = {
"/data/borg" = {
device = "datapool/root/borg";
fsType = "zfs";
};
fileSystems."/data/shared" = {
"/data/shared" = {
device = "datapool/root/shared";
fsType = "zfs";
};
};
swapDevices = [];

20
modules/profiles/desktop/default.nix
View File

@ -8,8 +8,10 @@
services.blueman.enable = true;
services.udev.packages = [pkgs.yubikey-personalization];
programs.firefox.enable = true;
programs.wireshark.enable = true;
programs = {
firefox.enable = true;
wireshark.enable = true;
};
mj.base.users.passwd.motiejus.extraGroups = ["adbusers" "networkmanager" "wireshark"];
@ -191,29 +193,31 @@
};
};
services.cbatticon.enable = true;
services.blueman-applet.enable = true;
services = {
cbatticon.enable = true;
blueman-applet.enable = true;
services.syncthing.tray = {
syncthing.tray = {
enable = true;
#extraOptions = ["--wait"];
};
services.pasystray = {
pasystray = {
enable = true;
extraOptions = ["--key-grabbing" "--notify=all"];
};
services.gpg-agent = {
gpg-agent = {
enable = true;
enableSshSupport = true;
};
services.screen-locker = {
screen-locker = {
enable = true;
xautolock.enable = false;
lockCmd = ''${pkgs.bash}/bin/bash -c "${pkgs.coreutils}/bin/sleep 0.2; ${pkgs.xorg.xset}/bin/xset dpms force off; /run/wrappers/bin/slock"'';
};
};
# https://github.com/nix-community/home-manager/issues/2064
systemd.user.targets.tray = {

8
modules/services/jakstpub/default.nix
View File

@ -16,7 +16,8 @@ in {
};
config = lib.mkIf cfg.enable {
services.caddy = {
services = {
caddy = {
enable = true;
virtualHosts.":80".extraConfig = with myData.subnets; ''
root * ${cfg.dataDir}
@ -28,7 +29,7 @@ in {
'';
};
services.samba = {
samba = {
# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
enable = true;
securityType = "user";
@ -67,10 +68,11 @@ in {
};
};
services.samba-wsdd = {
samba-wsdd = {
enable = true;
inherit (cfg) hostname;
};
};
users.users.jakstpub = {
description = "Jakstys Public";

8
modules/services/nsd-acme/default.nix
View File

@ -92,9 +92,10 @@ in {
zonefile: "/var/lib/nsd/acmezones/%s.zone"
'';
systemd.tmpfiles.rules = ["d /var/lib/nsd/acmezones 0755 nsd nsd -"];
systemd = {
tmpfiles.rules = ["d /var/lib/nsd/acmezones 0755 nsd nsd -"];
systemd.services =
services =
{
nsd-control-setup = {
requiredBy = ["nsd.service"];
@ -184,7 +185,7 @@ in {
)
cfg.zones;
systemd.timers =
timers =
lib.mapAttrs'
(
zone: _:
@ -198,6 +199,7 @@ in {
}
)
cfg.zones;
};
mj.base.unitstatus.units =
lib.mkIf config.mj.base.unitstatus.enable

2
modules/services/syncthing/default.nix
View File

@ -121,7 +121,6 @@ in {
in "${jakstIP}:${guiPortStr}";
extraOptions.gui.insecureAdminAccess = true;
devices =
{}
// (lib.optionalAttrs (config.networking.hostName == "vno1-oh2") {
@ -149,7 +148,6 @@ in {
;
})
// {};
folders = with folders;
{}
// (

13
shared/home/default.nix
View File

@ -40,9 +40,10 @@
else []
);
programs.direnv.enable = true;
programs = {
direnv.enable = true;
programs.neovim = lib.mkMerge [
neovim = lib.mkMerge [
{
enable = true;
vimAlias = true;
@ -82,8 +83,7 @@
})
];
programs.git = {
package = pkgs.pkgs-unstable.git;
git = {
enable = true;
userEmail = email;
userName = "Motiejus Jakštys";
@ -96,7 +96,7 @@
};
};
programs.gpg = {
gpg = {
enable = true;
mutableKeys = false;
mutableTrust = false;
@ -108,7 +108,7 @@
];
};
programs.tmux = {
tmux = {
enable = true;
keyMode = "vi";
historyLimit = 1000000;
@ -118,4 +118,5 @@
bind '"' split-window -v -c "#{pane_current_path}"
'';
};
};
}

180
yubikey-installer.nix
View File

@ -1,180 +0,0 @@
let
configuration = {
config,
lib,
pkgs,
...
}:
with pkgs; let
src = fetchGit "https://github.com/drduh/YubiKey-Guide";
guide = "${src}/README.md";
contrib = "${src}/contrib";
drduhConfig = fetchGit "https://github.com/drduh/config";
gpg-conf = "${drduhConfig}/gpg.conf";
xserverCfg = config.services.xserver;
pinentryFlavour =
if xserverCfg.desktopManager.lxqt.enable || xserverCfg.desktopManager.plasma5.enable
then "qt"
else if xserverCfg.desktopManager.xfce.enable
then "gtk2"
else if xserverCfg.enable || config.programs.sway.enable
then "gnome3"
else "curses";
# Instead of hard-coding the pinentry program, chose the appropriate one
# based on the environment of the image the user has chosen to build.
gpg-agent-conf = runCommand "gpg-agent.conf" {} ''
sed '/pinentry-program/d' ${drduhConfig}/gpg-agent.conf > $out
echo "pinentry-program ${pinentry.${pinentryFlavour}}/bin/pinentry" >> $out
'';
view-yubikey-guide = writeShellScriptBin "view-yubikey-guide" ''
viewer="$(type -P xdg-open || true)"
if [ -z "$viewer" ]; then
viewer="${glow}/bin/glow -p"
fi
exec $viewer "${guide}"
'';
shortcut = makeDesktopItem {
name = "yubikey-guide";
icon = "${yubikey-manager-qt}/share/ykman-gui/icons/ykman.png";
desktopName = "drduh's YubiKey Guide";
genericName = "Guide to using YubiKey for GPG and SSH";
comment = "Open the guide in a reader program";
categories = ["Documentation"];
exec = "${view-yubikey-guide}/bin/view-yubikey-guide";
};
yubikey-guide = symlinkJoin {
name = "yubikey-guide";
paths = [view-yubikey-guide shortcut];
};
in {
nixpkgs.config = {allowBroken = true;};
isoImage.isoBaseName = lib.mkForce "nixos-yubikey";
# Uncomment this to disable compression and speed up image creation time
isoImage.squashfsCompression = "gzip -Xcompression-level 1";
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
# Always copytoram so that, if the image is booted from, e.g., a
# USB stick, nothing is mistakenly written to persistent storage.
boot.kernelParams = ["copytoram"];
# Secure defaults
boot.cleanTmpDir = true;
boot.kernel.sysctl = {"kernel.unprivileged_bpf_disabled" = 1;};
services.pcscd.enable = true;
services.udev.packages = [yubikey-personalization];
programs = {
ssh.startAgent = false;
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
environment.systemPackages = [
# Tools for backing up keys
paperkey
pgpdump
parted
cryptsetup
# Yubico's official tools
yubikey-manager
yubikey-manager-qt
yubikey-personalization
yubikey-personalization-gui
yubico-piv-tool
yubioath-flutter
# Testing
ent
# does not compile as of 2023-07-20
#(haskell.lib.justStaticExecutables haskellPackages.hopenpgp-tools)
# Password generation tools
diceware
pwgen
# Miscellaneous tools that might be useful beyond the scope of the guide
cfssl
pcsctools
# This guide itself (run `view-yubikey-guide` on the terminal to open it
# in a non-graphical environment).
yubikey-guide
# motiejus addons
rage
sops
tmux
ssh-to-age
age-plugin-yubikey
];
# Disable networking so the system is air-gapped
# Comment all of these lines out if you'll need internet access
boot.initrd.network.enable = false;
networking.dhcpcd.enable = false;
networking.dhcpcd.allowInterfaces = [];
networking.interfaces = {};
networking.firewall.enable = true;
networking.useDHCP = false;
networking.useNetworkd = false;
networking.wireless.enable = false;
networking.networkmanager.enable = lib.mkForce false;
# Unset history so it's never stored
# Set GNUPGHOME to an ephemeral location and configure GPG with the
# guide's recommended settings.
environment.interactiveShellInit = ''
unset HISTFILE
export GNUPGHOME="/run/user/$(id -u)/gnupg"
if [ ! -d "$GNUPGHOME" ]; then
echo "Creating \$GNUPGHOME"
install --verbose -m=0700 --directory="$GNUPGHOME"
fi
[ ! -f "$GNUPGHOME/gpg.conf" ] && cp --verbose ${gpg-conf} "$GNUPGHOME/gpg.conf"
[ ! -f "$GNUPGHOME/gpg-agent.conf" ] && cp --verbose ${gpg-agent-conf} "$GNUPGHOME/gpg-agent.conf"
echo "\$GNUPGHOME is \"$GNUPGHOME\""
'';
# Copy the contents of contrib to the home directory, add a shortcut to
# the guide on the desktop, and link to the whole repo in the documents
# folder.
system.activationScripts.yubikeyGuide = let
homeDir = "/home/nixos/";
desktopDir = homeDir + "Desktop/";
documentsDir = homeDir + "Documents/";
in ''
mkdir -p ${desktopDir} ${documentsDir}
chown nixos ${homeDir} ${desktopDir} ${documentsDir}
cp -R ${contrib}/* ${homeDir}
ln -sf ${yubikey-guide}/share/applications/yubikey-guide.desktop ${desktopDir}
ln -sfT ${src} ${documentsDir}/YubiKey-Guide
'';
};
nixos = import <nixpkgs/nixos/release.nix> {
inherit configuration;
supportedSystems = ["x86_64-linux"];
};
# Choose the one you like:
#nixos-yubikey = nixos.iso_minimal; # No graphical environment
#nixos-yubikey = nixos.iso_gnome;
nixos-yubikey = nixos.iso_plasma5;
in {
inherit nixos-yubikey;
}