some light refactoring

This commit is contained in:
Aether 2022-04-23 03:01:00 +02:00
parent affdf52f23
commit 7a6a22200c
18 changed files with 257 additions and 98 deletions


@ -58,16 +58,16 @@
]
},
"locked": {
"lastModified": 1641459437,
"narHash": "sha256-z0IOcc6LLbVhyri/aTyWzRqJs3p1pBK9idOiMwCWiqs=",
"lastModified": 1649887911,
"narHash": "sha256-Af0Ppb1RZ7HWuxUvF0/O7h3cy8tqU2eKFyVwyA1ZD+w=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "c751aeb19e84a0a777f36fd5ea73482a066bb406",
"rev": "7244c6715cb8f741f3b3e1220a9279e97b2ed8f5",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "master",
"ref": "release-21.11",
"repo": "home-manager",
"type": "github"
}
@ -105,16 +105,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1641528457,
"narHash": "sha256-FyU9E63n1W7Ql4pMnhW2/rO9OftWZ37pLppn/c1aisY=",
"lastModified": 1650501692,
"narHash": "sha256-ApKf0/dc0SyB7zZ6yiiOQgcXAhCXxbSDyihHfRDIzx0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ff377a78794d412a35245e05428c8f95fef3951f",
"rev": "9887f024766aa27704d1f89f623efd1d063da92a",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"ref": "nixos-21.11",
"type": "indirect"
}
},


@ -3,13 +3,13 @@
inputs = {
# NixOS unstable
nixpkgs.url = "nixpkgs/nixos-unstable";
# nixpkgs.url = "nixpkgs/nixos-21.05";
# nixpkgs.url = "nixpkgs/nixos-unstable";
nixpkgs.url = "nixpkgs/nixos-21.11";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
# home-manager
home-manager.url = "github:nix-community/home-manager/master";
# home-manager.url = "github:nix-community/home-manager/release-21.05";
# home-manager.url = "github:nix-community/home-manager/master";
home-manager.url = "github:nix-community/home-manager/release-21.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
# agenix - age-encrypted secrets


@ -0,0 +1,14 @@
{
"aether@subsurface" = {
ssh = "ssh-rsa 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 aether@subsurface";
wg = "XEVSwNNPR7RTt/O0ihYmv3nopbPmqkCMGrVRCixnPWw="
};
"oatmealine@beppy" = {
ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDbJDo79TD9RV77MnArQwS94wzBo+6l6dYQnaNdPk2xo019+tc7GyuQ+GHyh4qewIUQOwe3Ddj4YxJN9IS3E360/6RdaNDxn3hUp2jh/x9SOjh0W86FJfdHEQViNeFVSXJv+QBZT9ibR9IbOHYezhD6gtz15pNhEqhQyqw2hJuQzxLvnictTc4lPQnWN9I8ga+OVSh7Uauu5OKbUOyRRj1Er/hasNviCaGBJnLDYjSqTDRvEbdYlfuhrYITJ+viZOQq7Nczs6dbsl627FCvhr5vQi+/vvpx9DKHDvpGvbEglOmOwgffSkaOIIx/pNHTsRccX7c3/im6z4pCDj4bEuiqqawv2C6DV0aM01bW8cchOJrmSQGTygTrJuuVPHp4IRIZNvQGS+97j4u+d7ofricLR1RoxJcQibvRA9rhhYI2FhwrAweuuLktjSj5RkQnypd9kjOuH+nhgLZunreNoyPNDCmcOBA7BA0rD2pCIKB9SzlelMjVuvy0PA8uWfNFfxGU+m3BH7lQS/A6V+NeYrMGiZ+u+t9Pgr6kAoR7mAUO+obIdMM/lOp1/zGBY8lk2Aq3GQcyGVNi18VR0uA+NMaJYXA1JzSiPCz7cQn1pKIAKiDEnzicf5MxDHIi5F1iQ/Lc+NftgmDXZEAHDY1bQepScOttaOZQZLpYP/eWwlEQJQ== oatmealine@beppy";
wg = "533BncNpHKzJVx5lwdxBg+aUfLGqea9uUYz70C6wxyg=";
};
"skye@DESKTOP-VB4940J" = {
ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGPFAyr1zYL5+/VIUVhT5sIfikhlj37tuTHVSfW/xbHfBqvR/Ga21j2k6HAa6acpHBa3+Ri1DZIjIkzjco447ZP7ahwOF3Ci6Cv9oSXxmw43hUMypfMTLu9+v9sjFJFPg7F39X2ngZzzLxO1/fPMuQm3kK6T3WyVqpNUMaenXhnT2i641lo2tRjs1LeGIk6h3Ermp4V3WQo+exbf+nc1Lqt5Yos/jWn1HnsjxI2N1SQDiT9J+MpNN7wUz4Q57+aDKeXH2oBsnRjNGU90qudwZIdUUJunfVaFXZHuVopLv1DlY1rcjtTP/8P9WcFXsnqb4yiA4uon0fbo7IZISt+ffw+TDjPaDH/8TsfgeT36Dd2mKZ/Z9XdzdWiez4fZxExR9MZcJafxnnw6Bfsfb4sSw52VRE2R65apasDTHTE3toRr7JWDNOg35ULDuGiQMnWhbr1c/0aHOtxoIIjOTtWUAl1LqemAELq/sJhKc/B/ywN1421FCcyivn8meZUII0Ccc= skye@DESKTOP-VB4940J";
wg = "";
};
}
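Review bot: The `wg` binding for `aether@subsurface` is missing its trailing semicolon, so this file does not parse; it should read `wg = "…";` like the other two entries. `skye@DESKTOP-VB4940J` carries an empty `wg = ""`, and the peer list in wireguardInterface.nix elsewhere in this commit turns every entry of this file into a WireGuard peer, so that host would be configured with an empty public key; either omit `wg` for hosts that have none or filter empty values before building peers. Since the attribute names are looked up by string from the host config, a header comment such as `# Public keys only (SSH + WireGuard); attribute names are referenced from host configs.` would make the file's contract clear.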


@ -1,12 +1,15 @@
{ pkgs, inputs, lib, ... }:
{
let
keys = import ./authorizedKeys;
in {
imports = [
./hardware-configuration.nix
];
user = {
packages = with pkgs; [
git
curl
];
};
@ -16,16 +19,22 @@
packages = [ ];
shell = "fish";
extraGroups = [ "wheel" ];
initialHashedPassword = "!";
openssh.authorizedKeys.keys = [ keys."aether@subsurface".ssh ];
};
oatmealine = {
packages = [ ];
shell = "zsh";
extraGroups = [ "wheel" ];
initialHashedPassword = "!";
openssh.authorizedKeys.keys = [ keys."oatmealine@beppy".shh ];
};
skye = {
packages = [ ];
shell = "fish";
extraGroups = [ "wheel" ];
initialHashedPassword = "!";
openssh.authorizedKeys.keys = [ keys."skye@DESKTOP-VB4940J".shh ];
};
};
@ -57,17 +66,18 @@
wireguard = {
enable = true;
server = true;
interfaces = mkMerge (import ./interfaces);
externalInterface = "eno1";
interfaces."wg0" = import ./wireguardInterface.nix;
};
webapps = lib.mkMerge (import ./webapps);
};
};
time.timeZone = "Europe/Frankfurt";
programs.ssh.startAgent = true;
services.openssh.startWhenNeeded = true;
networking = {
hostName = "firepit";
security.doas = {
extraRules = [
{ users = [ "aether" "oatmealine" "skye" ]; noPass = false; keepEnv = true; }
];
};
time.timeZone = "Europe/Amsterdam";
}
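Review bot: The `openssh.authorizedKeys.keys` lines for `oatmealine` and `skye` read `.shh` instead of `.ssh`, so evaluation fails with a missing-attribute error (only the `aether` line is spelled correctly); change them to `keys."oatmealine@beppy".ssh` and `keys."skye@DESKTOP-VB4940J".ssh`. In the first hunk `keys = import ./authorizedKeys;` omits the `.nix` suffix while wireguardInterface.nix imports `../authorizedKeys.nix`; unless a directory of that name exists this should be `import ./authorizedKeys.nix;`. In the last hunk `interfaces."wg0" = import ./wireguardInterface.nix;` assigns the imported function itself rather than calling it — that file begins with `{ lib, pkgs, config, ... }:` — so it needs to be applied, e.g. `import ./wireguardInterface.nix { inherit lib pkgs config; }`, which also means adding `config` to this file's argument list. The attribute sets edited by all three hunks start and end outside the shown lines.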


@ -22,26 +22,26 @@
modules.hardware.fs = {
enable = true;
ssd.enable = true;
xfs.enable = true;
};
extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/?";
fsType = "?";
options = [ "defaults" "noatime" "nodiratime" ];
};
"/etc/dotfiles" = {
device = "/dev/disk/by-uuid/?";
fsType = "f2fs";
options = [ "defaults" "noatime" "nodiratime" ];
device = "/dev/disk/by-uuid/819f03bb-73d2-4ae1-9fd2-01099e8efae6";
fsType = "xfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/?";
device = "/dev/disk/by-uuid/D018-F9AF";
fsType = "vfat";
};
};
swapDevices = [
{ device = "/dev/disk/by-uuid/01ba93e4-71e3-404d-9549-351e22130185"; }
{ device = "/dev/disk/by-uuid/dee63218-1666-4035-8d63-b9e0e0b2cd28"; }
];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1 @@
{}


@ -0,0 +1,17 @@
{ lib, pkgs, config, ... }:
with lib;
let
peerKeys = import ../authorizedKeys.nix;
in {
ips = [ "10.100.0.1/24" ];
privateKeyFile = readFile "/etc/wg0.keys/wg0";
listenPort = 51820;
peers = genList (n: {
publicKey = elemAt (attrValues peerKeys) n;
allowedIPs = [ "10.100.0.${n+2}/32" ];
}) (length (attrValues peerKeys));
}
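Review bot: `privateKeyFile = readFile "/etc/wg0.keys/wg0"` reads the private key at evaluation time and hands its contents, not its path, to an option that expects a path — the key text ends up in the generated configuration in the world-readable Nix store, and the option still has no file to point at; it should be the plain string `privateKeyFile = "/etc/wg0.keys/wg0";`. In `peers`, `elemAt (attrValues peerKeys) n` yields the whole `{ ssh = …; wg = …; }` entry rather than its `wg` key, and `"10.100.0.${n+2}/32"` interpolates an integer, which Nix rejects without `toString`; both are fixed in the rewrite below. Because `attrValues` orders entries by attribute name, the address a peer receives shifts whenever a key is added or renamed, and the entry with an empty `wg` would become a peer with an empty public key, so the rewrite filters those out — an explicit per-host address in the keys file would be more stable still.
```nix
in {
  ips = [ "10.100.0.1/24" ];
  # Path only: the secret must not be read into the Nix store at eval time.
  privateKeyFile = "/etc/wg0.keys/wg0";
  listenPort = 51820;
  # Peer n gets 10.100.0.(n+2); order follows attrValues (sorted by name).
  peers = imap0 (n: key: {
    publicKey = key.wg;
    allowedIPs = [ "10.100.0.${toString (n + 2)}/32" ];
  }) (filter (key: key.wg != "") (attrValues peerKeys));
}
```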


@ -1,14 +0,0 @@
let
subsurface.Access = "<...>";
void-defragmented.Access = "<...>";
userSkye.Access = "<...>";
in {
"subsurface.age".publicKeys = attrValues subsurface;
"subsurface.age".owner = "aether";
"void-defragmented.age".publicKeys = attrValues void-defragmented;
"void-defragmented.age".owner = "oatmealine";
"skye.age".publicKeys = attrValues userSkye;
"skye.age".owner = "skye";
}

21
modules/dev/python.nix Normal file

@ -0,0 +1,21 @@
{ pkgs, lib, options, config, ... }:
with lib;
let
cfg = config.modules.dev.python;
in {
options.modules.dev.python = {
enable = mkOption {
type = types.bool;
default = false;
};
packages = mkOption {
type = types.listOf types.package;
default = [];
};
};
config = mkIf cfg.enable {
# TODO
};
}
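Review bot: Both options are declared without a `description`, and `config = mkIf cfg.enable { # TODO }` is a no-op, so enabling the module or filling `packages` currently changes nothing. At minimum add `description = "Enables the Python development module.";` to `enable` and a matching one to `packages`, and make the TODO say what the config is meant to produce, e.g. `# TODO: install a Python interpreter with cfg.packages available to it.`, so the stub is not mistaken for a working module.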


@ -13,6 +13,10 @@ in {
type = types.bool;
default = false;
};
xfs.enable = mkOption {
type = types.bool;
default = false;
};
};
config = mkIf cfg.enable (mkMerge [
@ -28,5 +32,9 @@ in {
nvme-cli
];
})
(mkIf cfg.xfs.enable {
boot.supportedFilesystems = [ "xfs" ];
})
]);
}


@ -35,6 +35,9 @@ in {
}
];
boot.tmpOnTmpfs = lib.mkDefault true;
boot.cleanTmpDir = lib.mkDefault (!config.boot.tmpOnTmpfs);
security.rtkit.enable = true;
boot.loader.systemd-boot.editor = false;
@ -48,7 +51,7 @@ in {
security.sudo.enable = false;
security.doas = {
enable = true;
extraRules = if cfg.isLocalMachine then [{ users = builtins.attrNames config.defaultUsers; }] else [];
extraRules = if cfg.isLocalMachine then [{ users = builtins.attrNames config.defaultUsers; keepEnv = true; noPass = true; }] else [];
};
boot.kernel.sysctl = {
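Review bot: The new `extraRules` entry grants every user in `config.defaultUsers` root via doas with `noPass = true`, so any process running as one of those users can escalate without authenticating, and `keepEnv = true` carries the caller's environment into the root session; with `security.sudo.enable = false` this is the only escalation path, so the decision deserves a comment. If the goal is convenience on local machines, `persist = true;` (cached authentication) is a narrower alternative to `noPass`, and the firepit host in this same commit sets `noPass = false` in its own rule, so the two policies may be worth aligning. A line such as `# Local machines only: default users get passwordless doas; servers define their own rules.` above the rule would record the intent either way. The surrounding `config` block starts outside the hunk.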


@ -0,0 +1,8 @@
{ pkgs, config, lib, options, ... }:
with lib;
let
cfg = config.modules.services.phpfpm;
in {
}


@ -14,7 +14,10 @@ in {
};
config = mkIf cfg.enable {
services.openssh.enable = true;
# services.sshd.enable = true;
services.openssh = {
enable = true;
passwordAuthentication = false;
permitRootLogin = "no";
};
};
}
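Review bot: `passwordAuthentication = false` does not by itself close password logins through PAM keyboard-interactive, which this module leaves at its default; on the nixos-21.11 branch the flake now pins, the option is `challengeResponseAuthentication = false;` (renamed to `kbdInteractiveAuthentication` in later releases) and it belongs next to the two settings added here. The leftover `# services.sshd.enable = true;` is dead and can be dropped. The module's `options` block starts outside the hunk.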


@ -0,0 +1,64 @@
{ pkgs, lib, config, options, ... }:
with lib;
let
cfg = config.modules.services.webapps;
in {
options.modules.services.webapps = mkOption {
type = types.attrsOf types.attrs;
default = {};
};
config = mkMerge (
/*
[{ services.nginx.enable = true; }] ++
# Generic configuration
(mapAttrsToList (appName: app: let username = lib.intersperse "-" (lib.splitString "." appName); in mkMerge [
{
assertions = [{
assertion = (types.enum ["generic" "phpfpm"]).check app.platform;
description = "Please specify a webapp platform for ${appName}. The possible platforms are: \"generic\", \"phpfpm\"";
}];
users.users.${username} = mkMerge [
{
isSystemUser = true;
group = appName;
}
(mkIf (app.root != null) {
createHome = true;
home = app.root;
})
];
users.groups.${username} = username;
services.nginx.virtualHosts."${appName}" = app.nginx;
}
# phpfpm-specific configuration
(mkIf (app.platform == "phpfpm") {
modules.dev.php.enable = true;
services.phpfpm.pools.${appName} = {
user = appName;
settings = mkMerge [{
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 16;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
"php_admin_value[error_log]" = "${app.root}/log";
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
} app.phpfpm];
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
};
})
]) cfg)
*/[]
);
}
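Review bot: The whole body of `config` sits inside a `/* … */` block, so the module evaluates to `mkMerge []` and defining a webapp currently does nothing; if this is deliberate scaffolding, a `# TODO: generic/phpfpm webapp wiring is disabled until finished.` above the comment would keep it from being mistaken for working code. Before the block is re-enabled, three things in it need attention: `assertions` entries take `message`, not `description`, so a failing assertion would raise an attribute error instead of the intended text; `users.groups.${username} = username;` assigns a string where a group attribute set (`{ }`) is expected, while the user's `group = appName` does not match that `username`; and `php_admin_value[error_log] = "${app.root}/log"` puts the PHP error log under the application root, which — if `app.root` is also what nginx serves — exposes it over HTTP. The `types.attrsOf types.attrs` option would also benefit from a `description` and a submodule type that spells out `platform`, `root`, `nginx` and `phpfpm`, since the commented code reads all four.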


@ -1,47 +0,0 @@
{ config, lib, pkgs, options, ... }:
with lib;
let
cfg = config.modules.services.wireguard;
opt = options.modules.services.wireguard;
in {
options.modules.services.wireguard = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enables the wiregyard VPN service.";
};
server = mkOption {
type = types.bool;
default = false;
description = "Configures this module to allow wireguard to act as a VPN provider on this host.";
};
interfaces = mkOption {
type = types.attrs;
default = {};
description = "Which interfaces wireguard should atach itself to. The first one is prioritized over all others.";
};
port = mkOption {
type = types.int;
default = 51820;
description = "The default listen port.";
};
};
config = mkIf cfg.enable (mkMerge [
{
networking.firewall.allowedUDPPorts = [ cfg.port ];
networking.wireguard.interfaces = mapAttrs (i: c: mkMerge [c {
listenPort = cfg.port;
}]) (mkAliasDefinitions options.modules.services.wireguard.interfaces);
}
(mkIf cfg.server {
networking.nat = {
enable = true;
# externalInterfaces = head cfg.interfaces;
# internalInterfaces = cfg.interfaces;
};
})
]);
}


@ -0,0 +1,71 @@
{ config, lib, pkgs, options, ... }:
with lib;
let
cfg = config.modules.services.wireguard;
in {
options.modules.services.wireguard = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enables the wiregyard VPN service.";
};
server = mkOption {
type = types.bool;
default = false;
description = "Configures this module to allow wireguard to act as a VPN provider on this host.";
};
externalInterface = mkOption {
type = types.str;
default = null;
description = "";
};
interfaces = mkOption {
type = options.networking.wireguard.interfaces.type;
default = {};
description = "Which interfaces wireguard should attach itself to.";
};
};
config = mkIf cfg.enable (mkMerge [
(mkIf cfg.server {
assertions = [
{ assertion = cfg.externalInterface != null;
description = "External interface must be set if wiregaurd is to be setup as a server.";
}
];
networking = mkMerge (
[{
nat.enable = true;
nat.externalInterface = cfg.externalInterface;
nat.internalInterfaces = filter (i: i != cfg.externalInterface) (attrNames cfg.interfaces);
}] ++
(mapAttrsToList (iname: iattrs: {
firewall.allowedUDPPorts = iattrs.listenPort;
wireguard.interfaces.${iname} = mkMerge [ iattrs {
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
}];
}) cfg.interfaces)
);
})
/*
(mkIf (!cfg.server) (mkMerge [
{ networking.wireguard.interfaces = cfg.interfaces; }
(mapAttrs (_: iattrs: { networking.firewall.allowedUDPPorts = iattrs.listenPort; }) cfg.interfaces)
]))
*/
]);
}
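Review bot: `externalInterface` is declared `types.str` with `default = null`, which that type rejects whenever the default is used, so the `cfg.externalInterface != null` assertion can never be reached; declare it `type = types.nullOr types.str;`. The assertion also uses `description` where NixOS expects `message`, so a failing check would produce an attribute error rather than the intended text. Inside `mapAttrsToList`, `firewall.allowedUDPPorts = iattrs.listenPort;` assigns a bare port to a list option (it should be `[ iattrs.listenPort ]`), and the two iptables rules hard-code `-o eth0` and `10.100.0.0/24` even though `nat.externalInterface` is set from `cfg.externalInterface` (`eno1` on firepit in this commit), so masquerading would be attached to the wrong interface; the rewrite below takes the interface from the option and the address range from the interface's `ips`. The non-server branch is still commented out, so a host with `enable = true` and `server = false` ends up with no interfaces at all.
```nix
(mapAttrsToList (iname: iattrs: let
  # Masquerade the tunnel's own address range(s) rather than a fixed subnet.
  subnets = concatStringsSep "," iattrs.ips;
in {
  firewall.allowedUDPPorts = [ iattrs.listenPort ];
  wireguard.interfaces.${iname} = mkMerge [ iattrs {
    postSetup = ''
      ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${subnets} -o ${cfg.externalInterface} -j MASQUERADE
    '';
    postShutdown = ''
      ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${subnets} -o ${cfg.externalInterface} -j MASQUERADE
    '';
  }];
}) cfg.interfaces)
```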

1
result Symbolic link

@ -0,0 +1 @@
/nix/store/53jxaagbfh45fzhwbdj0wyv9wvc8g94q-nixos-system-dark-firepit-21.11.20220421.9887f02