feat: start migrating steveej-t14 and sj-vps-htz-0 to sops

This commit is contained in:
steveej 2023-07-05 15:55:04 +02:00
parent 6587a914e4
commit b481126ae2
55 changed files with 877 additions and 452 deletions


@ -1,4 +1,5 @@
{
repoFlake,
hostAddress,
localAddress,
imapsPort ? 993,
@ -7,10 +8,34 @@
}: let
passwords = import ../../variables/passwords.crypt.nix;
in {
config = {pkgs, ...}: {
config = {
pkgs,
config,
...
}: {
system.stateVersion = "21.11"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix ../profiles/common/user.nix];
imports = [
../profiles/containers/configuration.nix
repoFlake.inputs.sops-nix.nixosModules.sops
../profiles/common/user.nix
];
# sops.defaultSopsFile = ./mailserver_secrets.yaml;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.secrets.email_mailStefanjunkerDe = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name;
};
sops.secrets.email_schtifATwebDe = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name;
};
sops.secrets.email_dovecot_steveej = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.dovecot2.name;
};
networking.firewall.enable = false;
@ -54,9 +79,10 @@ in {
'';
};
environment.etc."dovecot/users".text = ''
steveej:${passwords.email.steveej}
'';
# environment.etc."dovecot/users".text = ''
# steveej:${passwords.email.steveej}
# '';
environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;
systemd.services.steveej-getmail-stefanjunker = {
enable = true;
@ -79,7 +105,7 @@ in {
server = ssl0.ovh.net
port = 993
username = mail@stefanjunker.de
password = ${passwords.email.mailStefanjunkerDe}
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}")
mailboxes = ('INBOX',)
[destination]
@ -112,7 +138,7 @@ in {
server = imap.web.de
port = 993
username = schtif
password = ${passwords.email.schtifATwebDe}
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}")
mailboxes = ('INBOX',)
[destination]
@ -128,6 +154,9 @@ in {
inherit autoStart;
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
"/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;
"/etc/secrets/" = {
hostPath = "/var/lib/container-volumes/mailserver/etc-secrets";
isReadOnly = false;
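Review bot: `sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]`, combined with the read-only bind mount of that same file in the last hunk, gives the container the host's SSH host private key: anything running as root inside it can decrypt every sops file encrypted to the host's age recipient, not just `mailserver_secrets.yaml`, and can present the host's SSH identity. If that is the intended trade-off, record it next to the mount, e.g. `# the container reuses the host's ed25519 host key as its sops/age identity`; otherwise a container-specific key via `sops.age.keyFile` under the container's own state, with its recipient added to the sops file, limits exposure to this container. The commented-out `environment.etc."dovecot/users".text` block is dead code now that `.source` points at the sops path and can be dropped. The `bindMounts` attrset continues past the end of the hunk.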


@ -0,0 +1,38 @@
email_mailStefanjunkerDe: ENC[AES256_GCM,data:DsPwNMahaSKFF8mof2qGxj6cIdYZeL6uRr4=,iv:2lamFXYKrGkHey5QCXBlEODYksDuJDyW3MYpz/7qj7s=,tag:2L34qD0XSbfsl0djvgYJYw==,type:str]
email_schtifATwebDe: ENC[AES256_GCM,data:OOmxkHcM25A+rSmPE1lmvUylv0TT2qWWeA==,iv:ysnRyv4WwbnovgEZcwmk1Rdo6U7gBWDFvGIxgF/m/5A=,tag:9b7q+mceiDx5y8qVVHjBhw==,type:str]
email_dovecot_steveej: ENC[AES256_GCM,data:nZJX2ZIe2pJTzBIU/XRZaiiy9NmUtJydaOvSAQT3icCEeLTvgah48mgrz14eGPuOEupVqKII5jpHw3Xid+QWzdIels0B9M4+GgVT85yVAaPQKw==,iv:vb2bKtgeJI4fvRfKoR8AoBpv9WOkAAKQ3DzMInGF4SA=,tag:p6q0rfyG0g1hF8PR476TZQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn
R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2
dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj
bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl
T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-02T21:16:00Z"
mac: ENC[AES256_GCM,data:bDHu/9Hz2lyzoA92yA4K9/oaO6gxDjog8OSoEduE4Q8KE6VObzkHHvMwsPR46LE74dtRy9LNEXcMTWQzJBYoaKGi+wz0IJ/wy8Japrbu0Kiwx3dIeY0mg/OvBGlsAybvbDpfSjCsxVpgg7g1jQNntejljv1WHp4zD0hKn9hdYm0=,iv:MUaGwoPaHEZQgoTHXxkhMHdTGaIgk0UYx9qwfpt4Uds=,tag:qLa2QBTFbs/BdOH8TJWVxw==,type:str]
pgp:
- created_at: "2023-07-02T20:30:30Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds
0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf
SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb
5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc
Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc
RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx
44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5
uGcEfsNiUXPngkNrh/Nvhh9w
=yHDZ
-----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -1,7 +1,7 @@
{
dir,
pkgs ? import <channels-nixos-stable> {},
ownLib ? import ../lib/default.nix {},
ownLib ? import ../lib/default.nix {inherit (pkgs) lib;},
gitRoot ? "$(git rev-parse --show-toplevel)",
# FIXME: why do these need explicit mentioning?
moreargs ? "",


@ -1,4 +1,4 @@
{repoFlake}: let
{repoFlake, ...}: let
nodeName = "elias-e525";
system = "x86_64-linux";


@ -1,11 +1,12 @@
{
config,
pkgs,
lib,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
users.extraUsers.elias = mkUser {
uid = 1001;


@ -5,7 +5,7 @@
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
# users.extraUsers.steveej2 = mkUser {
# uid = 1001;


@ -1,4 +1,4 @@
{repoFlake}: let
{repoFlake, ...}: let
nodeName = "justyna-p300";
# system = "i686-linux";
system = "x86_64-linux";


@ -5,7 +5,7 @@
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
users.extraUsers.elias = mkUser {
uid = 1001;


@ -1,36 +0,0 @@
let
nixpkgs = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-22.11";
rev = ''
a7cc81913bb3cd1ef05ed0ece048b773e1839e51'';
};
in {
inherit nixpkgs;
nixos = nixpkgs // {suffix = "/nixos";};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-unstable";
rev = ''
c707238dc262923da5a53a5a11914117caac07a2'';
};
"channels-nixos-unstable-small" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-unstable-small";
rev = ''
09c509a5075931382582dee69f3e44bf1535c092'';
};
"nixpkgs-master" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "master";
rev = ''
3d57138bd9abe31bae25704cebaab7527010cc5e'';
};
"home-manager-module" = {
url = "https://github.com/nix-community/home-manager";
ref = "release-22.11";
rev = ''
b0be47978de5cfd729a79c3f57ace4c86364ff45'';
};
}


@ -1,41 +0,0 @@
let
nixpkgs = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-22.11";
rev = ''
<% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d '
' -%>'';
};
in {
inherit nixpkgs;
nixos = nixpkgs // {suffix = "/nixos";};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-unstable";
rev = ''
<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '
' -%>'';
};
"channels-nixos-unstable-small" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-unstable-small";
rev = ''
<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable-small | awk '{ print $1 }' | tr -d '
' -%>'';
};
"nixpkgs-master" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "master";
rev = ''
<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '
' -%>'';
};
"home-manager-module" = {
url = "https://github.com/nix-community/home-manager";
ref = "release-22.11";
rev = ''
<% git ls-remote https://github.com/nix-community/home-manager.git release-22.11 | awk '{ print $1 }' | tr -d '
' -%>'';
};
}


@ -1,11 +1,13 @@
{repoFlake}: let
nodeName = "sj-vps-htz0.infra.stefanjunker.de";
{
nodeName,
repoFlake,
nodeFlake,
...
}: let
system = "x86_64-linux";
nodeFlake = repoFlake.inputs.get-flake ./.;
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit nodeName nodeFlake;
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
};
@ -14,13 +16,13 @@ in {
};
${nodeName} = {
deployment.targetHost = nodeName;
deployment.replaceUnknownProfiles = true;
deployment.targetHost = "${nodeName}.infra.stefanjunker.de";
deployment.replaceUnknownProfiles = false;
imports = [
(repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
nodeFlake.inputs.home-manager.nixosModules.home-manager
./configuration.nix
];
};
}
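Review bot: `deployment.replaceUnknownProfiles = false;` flips a safety-relevant colmena setting (it now refuses to overwrite a system profile on the target that this checkout did not produce) without saying why, so a later reader cannot tell whether it may be turned back on. Suggest a comment above it such as `# never clobber a system profile deployed from another checkout; resolve those by hand`. `deployment.targetHost` now assumes `nodeName` is the bare host label rather than the FQDN the old file hard-coded — presumably what the caller passes, but a one-line comment on the `nodeName` parameter would make that contract explicit.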


@ -4,47 +4,46 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
]
},
"locked": {
"lastModified": 1681092193,
"narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
"lastModified": 1687871164,
"narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
"rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-22.11",
"ref": "release-23.05",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1681759395,
"narHash": "sha256-7aaRtLxLAy8qFVIA26ulB+Q5nDVzuQ71qi0s0wMjAws=",
"lastModified": 1688109178,
"narHash": "sha256-BSdeYp331G4b1yc7GIRgAnfUyaktW2nl7k0C577Tttk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "cd749f58ba83f7155b7062dd49d08e5e47e44d50",
"rev": "b72aa95f7f096382bff3aea5f8fde645bca07422",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.11",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-master": {
"locked": {
"lastModified": 1681895322,
"narHash": "sha256-dtduardGFljEIh0Whlnhzda7Au0s1WnnSdzh2ZhCu9c=",
"lastModified": 1688246754,
"narHash": "sha256-OuUvCCMrJgN9K/L1j2ADMxu/nuJhplFjIZFFtelnymc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "57aad37a2eab85fb5522cbc8568fe27872071a1c",
"rev": "b9b176f8b8155c122e01a336b439ce57b2485b40",
"type": "github"
},
"original": {
@ -56,11 +55,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1681770396,
"narHash": "sha256-tq+GZOkRA3uF3I/jIzuBGfnTRQFT4QnnRCWJ8DKSaMg=",
"lastModified": 1688180391,
"narHash": "sha256-oTUSZepWQ7AYQKvNPkf8QyxkfoVpEhGioVji0hd3p8U=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "4df48038a44e9f3a3da8e9b42ca182726b743de4",
"rev": "1353de5923daba8462cfc3624d8c2d70cbafafcd",
"type": "github"
},
"original": {
@ -77,21 +76,6 @@
"nixpkgs-master": "nixpkgs-master",
"nixpkgs-unstable": "nixpkgs-unstable"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",


@ -1,10 +1,10 @@
{
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master";
inputs.home-manager = {
url = "github:nix-community/home-manager/release-22.11";
url = "github:nix-community/home-manager/release-23.05";
inputs.nixpkgs.follows = "nixpkgs";
};


@ -2,10 +2,9 @@
pkgs,
lib,
config,
repoFlake,
...
}: let
keys = import ../../../variables/keys.nix;
in {
}: {
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [
# iperf3
@ -58,12 +57,10 @@ in {
nix.gc = {automatic = true;};
# networking.useHostResolvConf = true;
services.openssh.forwardX11 = true;
containers = {
mailserver = import ../../containers/mailserver.nix {
inherit repoFlake;
autoStart = true;
hostAddress = "192.168.100.10";


@ -5,7 +5,7 @@
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
users.extraUsers.sjunker = mkUser {
uid = 1001;


@ -5,7 +5,7 @@
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
users.extraUsers.steveej2 = mkUser {
uid = 1001;


@ -8,7 +8,8 @@
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
# boot.tmpOnTmpfs = lib.mkForce false;
boot.tmpOnTmpfsSize = "100%";
boot.tmp.tmpfsSize = "100%";
# TODO: make this work
# systemd.tmpfiles.rules = lib.mkForce [ "d /tmp 1777 root root 1d" ];
}


@ -10,5 +10,6 @@
./pkg.nix
./user.nix
./boot.nix
./secrets.nix
];
}


@ -1,12 +1,15 @@
{repoFlake}: let
nodeName = "steveej-t14";
{
nodeName,
repoFlake,
repoFlakeWithSystem,
nodeFlake,
}: let
system = "x86_64-linux";
nodeFlake = repoFlake.inputs.get-flake ./.;
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs');
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {


@ -20,48 +20,47 @@ in {
services.tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
# CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
CPU_ENERGY_PERF_POLICY_ON_AC="balance_power";
# CPU_ENERGY_PERF_POLICY_ON_AC="balance_power";
CPU_ENERGY_PERF_POLICY_ON_BAT="power";
SCHED_POWERSAVE_ON_AC="1";
# SCHED_POWERSAVE_ON_AC="1";
SCHED_POWERSAVE_ON_BAT="1";
CPU_BOOST_ON_AC="0";
CPU_BOOST_ON_BAT="0";
RADEON_DPM_PERF_LEVEL_ON_AC="auto";
# RADEON_DPM_PERF_LEVEL_ON_AC="auto";
RADEON_DPM_PERF_LEVEL_ON_BAT="low";
RADEON_DPM_STATE_ON_AC="balanced";
# RADEON_DPM_STATE_ON_AC="balanced";
RADEON_DPM_STATE_ON_BAT="battery";
SOUND_POWER_SAVE_ON_AC="1";
# SOUND_POWER_SAVE_ON_AC="1";
SOUND_POWER_SAVE_ON_BAT="1";
# PLATFORM_PROFILE_ON_AC="low-power";
# PLATFORM_PROFILE_ON_BAT="low-power";
PLATFORM_PROFILE_ON_AC="balanced";
# # PLATFORM_PROFILE_ON_AC="low-power";
# # PLATFORM_PROFILE_ON_BAT="low-power";
# PLATFORM_PROFILE_ON_AC="balanced";
PLATFORM_PROFILE_ON_BAT="low-power";
RUNTIME_PM_ON_AC = "auto";
# RUNTIME_PM_ON_AC = "auto";
RUNTIME_PM_ON_BAT = "auto";
PCIE_ASPM_ON_AC="default";
# PCIE_ASPM_ON_AC="default";
PCIE_ASPM_ON_BAT="powersave";
START_CHARGE_THRESH_BAT0 = "75";
STOP_CHARGE_THRESH_BAT0 = "80";
WOL_DISABLE="Y";
WIFI_PWR_ON_AC="on";
# WIFI_PWR_ON_AC="on";
WIFI_PWR_ON_BAT="on";
DEVICES_TO_DISABLE_ON_STARTUP="wwan";
#DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan";
#DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan";
#DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi";
# #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan";
# #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan";
# #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi";
};
};
@ -71,12 +70,13 @@ in {
[0 0 55]
[1 55 65]
[1 65 75]
[3 75 78]
[4 78 80]
[5 80 82]
[6 82 84]
[7 84 86]
["level full-speed" 86 999]
[2 75 78]
[3 78 80]
[4 80 82]
[5 82 84]
[6 84 86]
[7 86 88]
["level full-speed" 88 999]
];
};


@ -9,6 +9,9 @@
];
})
];
home.sessionVariables = {
};
};
# TODO: fix the following errors with regreet


@ -0,0 +1,7 @@
{config, ...}: {
sops.secrets.radicale_htpasswd = {
sopsFile = ../../../../secrets/steveej-t14/radicale_htpasswd;
format = "binary";
owner = config.users.users.steveej.name;
};
}
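Review bot: `radicale_htpasswd` is declared with `owner = config.users.users.steveej.name`, which with sops-nix's default mode of 0400 means only that user can read the decrypted file; if the consumer is `services.radicale` (not shown here), it runs as its own service user and would fail to open the htpasswd file, so the owner — or a shared `group` with `mode = "0440"` — should match that user. If steveej really is the reader, say so next to the declaration, e.g. `# consumed by the user's own radicale setup, not by services.radicale`. A comment naming the consumer resolves the ambiguity either way.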


@ -3,6 +3,7 @@
lib,
config,
nodeName,
repoFlake,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
@ -10,18 +11,37 @@ in {
nix.settings = {
substituters = [
"https://holochain-ci.cachix.org"
# "https://cache.holo.host/"
"https://cache.holo.host/"
];
trusted-public-keys = [
"holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8="
# "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE="
# "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ="
"cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE="
"cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ="
];
extra-experimental-features = ["impure-derivations"];
system-features = ["recursive-nix" "big-parallel"];
};
networking.extraHosts = ''
# qemu box
172.24.40.13 steveej-qemu.infra.holochain.org
172.24.40.13 steveej-qemu.d.dweb.city
# bare metal
192.168.14.117 steveej-hw1.infra.holochain.org
192.168.14.117 steveej-hw1.d.dweb.city
192.168.14.117 steveej-hw2.infra.holochain.org
192.168.14.117 steveej-hw2.d.dweb.city
192.168.14.117 steveej-hw3.infra.holochain.org
192.168.14.117 steveej-hw3.d.dweb.city
192.168.14.117 steveej-hw4.infra.holochain.org
192.168.14.117 steveej-hw4.d.dweb.city
172.24.135.11 emerge3.d.dweb.city
172.24.74.194 emerge4.d.dweb.city
'';
networking.bridges."virbr1".interfaces = [];
networking.interfaces."virbr1".ipv4.addresses = [
{
@ -35,7 +55,7 @@ in {
# TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
networking.firewall.interfaces."eth+".allowedTCPPorts = [
22
22
# syncthing
22000
@ -43,9 +63,10 @@ in {
# iperf3
5201
];
networking.firewall.interfaces."eth+".allowedUDPPorts = [
networking.firewall.interfaces."eth+".allowedUDPPorts = [
# syncthing
22000 21027
22000
21027
];
networking.firewall.logRefusedConnections = false;
@ -96,8 +117,50 @@ in {
services.zerotierone = {
enable = true;
joinNetworks = [
"93afae5963c547f1"
passwords.zerotier.dweb2023.networkId
# moved to the service below as it's now secret
];
};
systemd.services.zerotieroneSecretNetworks = {
enable = true;
requiredBy = ["zerotierone.service"];
partOf = ["zerotierone.service"];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
script = let
secret = config.sops.secrets.zerotieroneNetworks;
in ''
# include the secret's hash to trigger a restart on change
# ${builtins.hashString "sha256" (builtins.toJSON secret)}
${config.systemd.services.zerotierone.preStart}
rm -rf /var/lib/zerotier-one/networks.d/*.conf
for network in `grep -v '#' ${secret.path}`; do
touch /var/lib/zerotier-one/networks.d/''${network}.conf
done
'';
};
sops.secrets.zerotieroneNetworks = {
sopsFile = ../../../../secrets/zerotierone.txt;
format = "binary";
};
sops.secrets.nomad-holochain-agent-ca = {
sopsFile = ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
owner = config.users.extraUsers.steveej.name;
};
sops.secrets.nomad-holochain-cli-cert = {
sopsFile = ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
owner = config.users.extraUsers.steveej.name;
};
sops.secrets.nomad-holochain-cli-key = {
sopsFile = ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
owner = config.users.extraUsers.steveej.name;
};
}
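Review bot: In `zerotieroneSecretNetworks`, the inlined `${config.systemd.services.zerotierone.preStart}` creates the `networks.d/<id>.conf` files for `joinNetworks`, and the `rm -rf /var/lib/zerotier-one/networks.d/*.conf` on the very next line deletes them again, so only the networks listed in the secret survive this unit. `requiredBy`/`partOf` impose no ordering relative to zerotierone.service, so whether its own ExecStartPre re-creates those files depends on which unit happens to run first; add `before = ["zerotierone.service"];` and move the `rm -rf` above the inlined preStart so the outcome is deterministic and both sources are honoured. `grep -v '#' ${secret.path}` also passes empty lines through and would `touch networks.d/.conf`; `grep -Ev '^\s*(#|$)'` avoids that.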


@ -1,15 +1,16 @@
{
config,
pkgs,
lib,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
users.extraUsers.steveej2 = mkUser {
uid = 1001;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
passwordFile = config.sops.secrets.sharedUsers-steveej.path;
};
nix.settings.trusted-users = ["steveej"];


@ -1,4 +1,4 @@
{repoFlake}: let
{repoFlake, ...}: let
nodeName = "vmd102066.contaboserver.net";
system = "x86_64-linux";


@ -1,21 +1,9 @@
{
lib,
keys ? import ../../variables/keys.nix,
passwords ? import ../../variables/passwords.crypt.nix,
}: {
mkRoot = {} @ args:
{
hashedPassword = passwords.users.root;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
}
// args;
mkUser = {
uid,
hashedPassword ? passwords.users.steveej,
...
} @ args:
{
inherit uid hashedPassword;
mkUser = args: (
lib.attrsets.recursiveUpdate {
isNormalUser = true;
extraGroups = [
"docker"
@ -32,7 +20,8 @@
];
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
}
// args;
args
);
disk = rec {
# TODO: verify the GPT PARTLABEL cap at 36 chars
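Review bot: The rewritten `mkUser` no longer supplies a default `hashedPassword` (the old `hashedPassword ? passwords.users.steveej`) and `mkRoot` is gone, so every caller must now pass `passwordFile` or `hashedPassword` itself or the account is created without a password; with `users.mutableUsers = false` that means no password login at all, and nothing fails at evaluation time. Only the steveej-t14 user.nix in this commit visibly passes `passwordFile`; the elias-e525, justyna-p300 and sj-vps-htz0 callers are cut off after `uid = 1001;`, so I cannot tell whether they were updated. Either guard it — `assert (args ? passwordFile) || (args ? hashedPassword);` before the `recursiveUpdate` — or document the contract above the function: `# callers must provide passwordFile or hashedPassword; no default is applied`. Note also that `lib.attrsets.recursiveUpdate` merges nested attrsets where the old `// args` replaced them, so a caller passing an `openssh` attrset now keeps the default authorized keys unless it sets `openssh.authorizedKeys.keys` itself.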


@ -4,8 +4,7 @@
...
}: let
cfg = config.services.ddclientovh;
passwords = import ../../variables/passwords.crypt.nix;
# passwords = import ../../variables/passwords.crypt.nix;
in {
options.services.ddclientovh = with lib; {
enable = mkEnableOption "Enable ddclient-ovh";
@ -20,10 +19,8 @@ in {
ssl = true;
domains = [cfg.domain];
use = "web";
inherit (passwords.dyndns.${cfg.domain}) username;
passwordFile =
builtins.toFile passwords.dyndns._filename
passwords.dyndns.${cfg.domain}.password;
# inherit (passwords.dyndns.${cfg.domain}) username;
# passwordFile = config.sops.secrets."dyndns_${cfg.domain}".path;
};
};
}
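Review bot: With `username` and `passwordFile` commented out, `services.ddclient` is now configured with no credentials for `cfg.domain`, so any host that sets `services.ddclientovh.enable = true` will run ddclient and fail against OVH on every update cycle. Until a `sops.secrets."dyndns_${cfg.domain}"` declaration exists, either fail loudly with an `assertions` entry such as `{ assertion = !cfg.enable; message = "ddclient-ovh: credentials not yet migrated to sops"; }` or add the secret now and keep `passwordFile` live. Dropping the `builtins.toFile` password, which placed the plaintext in the world-readable Nix store, is the right direction; a `TODO(sops)` comment would make the half-migrated state obvious to the next reader. The module's `config` block starts before this hunk.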


@ -5,7 +5,7 @@
}:
with lib; let
cfg = config.hardware.opinionatedDisk;
ownLib = import ../lib/default.nix {};
ownLib = import ../lib/default.nix {inherit lib;};
in {
options.hardware.opinionatedDisk = {
enable = mkEnableOption "Enable opinionated filesystem layout";


@ -4,12 +4,11 @@
enable = true;
efiSupport = true;
efiInstallAsRemovable = false;
version = 2;
};
boot.loader.systemd-boot.enable = false;
boot.loader.efi.canTouchEfiVariables = true;
boot.tmpOnTmpfs = true;
boot.tmp.useTmpfs = true;
# Workaround for nm-pptp to enforce module load
boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"];


@ -1,3 +1,17 @@
{...}: {
imports = [./boot.nix ./pkg.nix ./user.nix ./system.nix ./hw.nix];
{
config,
pkgs,
repoFlake,
...
}: {
imports = [
./boot.nix
./pkg.nix
./system.nix
./hw.nix
./user.nix
repoFlake.inputs.sops-nix.nixosModules.sops
];
}


@ -1,7 +1,9 @@
{
config,
pkgs,
# these come in via nodeSpecialArgs and are expected to be defined for every node
repoFlake,
repoFlakeInputs',
nodeFlake,
packages',
...
@ -20,9 +22,12 @@
home-manager.extraSpecialArgs = {
inherit
repoFlake
repoFlakeInputs'
packages'
nodeFlake
;
osConfig = config;
};
nixpkgs.config = {


@ -3,13 +3,31 @@
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
inherit (import ../../lib/default.nix {}) mkUser mkRoot;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
sops.secrets.sharedUsers-root = {
sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true;
};
sops.secrets.sharedUsers-steveej = {
sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true;
format = "yaml";
};
users.mutableUsers = false;
users.extraUsers.root = mkRoot {};
users.extraUsers.steveej = mkUser {uid = 1000;};
users.extraUsers.root = {
passwordFile = config.sops.secrets.sharedUsers-root.path;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
};
users.extraUsers.steveej = mkUser {
uid = 1000;
passwordFile = config.sops.secrets.sharedUsers-steveej.path;
};
security.pam.u2f.enable = true;
security.pam.services.steveej.u2fAuth = true;
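Review bot: `sops.secrets.sharedUsers-steveej` sets `format = "yaml"` while `sharedUsers-root`, read from the same `shared-users.yaml`, does not; sops-nix's default is already `yaml`, so drop the attribute or set it on both for consistency. The two `neededForUsers = true` declarations are what make `passwordFile` usable at user-creation time, and with `users.mutableUsers = false` a host whose SSH host key is not among the file's age recipients ends up with neither a root nor a steveej password — worth stating on the `users.mutableUsers` line, e.g. `# all passwords come from sops; a host missing from the recipients has no password login`.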


@ -21,7 +21,7 @@
# hardware related services
services.illum.enable = true;
services.pcscd.enable = false;
services.pcscd.enable = true;
hardware.opengl.enable = true;
hardware.bluetooth.enable = true;
# required for running blueman-applet in user sessions