some light refactoring
parent
affdf52f23
commit
7a6a22200c
16
flake.lock
16
flake.lock
|
@ -58,16 +58,16 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1641459437,
|
||||
"narHash": "sha256-z0IOcc6LLbVhyri/aTyWzRqJs3p1pBK9idOiMwCWiqs=",
|
||||
"lastModified": 1649887911,
|
||||
"narHash": "sha256-Af0Ppb1RZ7HWuxUvF0/O7h3cy8tqU2eKFyVwyA1ZD+w=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "c751aeb19e84a0a777f36fd5ea73482a066bb406",
|
||||
"rev": "7244c6715cb8f741f3b3e1220a9279e97b2ed8f5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"ref": "master",
|
||||
"ref": "release-21.11",
|
||||
"repo": "home-manager",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -105,16 +105,16 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1641528457,
|
||||
"narHash": "sha256-FyU9E63n1W7Ql4pMnhW2/rO9OftWZ37pLppn/c1aisY=",
|
||||
"lastModified": 1650501692,
|
||||
"narHash": "sha256-ApKf0/dc0SyB7zZ6yiiOQgcXAhCXxbSDyihHfRDIzx0=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "ff377a78794d412a35245e05428c8f95fef3951f",
|
||||
"rev": "9887f024766aa27704d1f89f623efd1d063da92a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-unstable",
|
||||
"ref": "nixos-21.11",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
|
|
|
@ -3,13 +3,13 @@
|
|||
|
||||
inputs = {
|
||||
# NixOS unstable
|
||||
nixpkgs.url = "nixpkgs/nixos-unstable";
|
||||
# nixpkgs.url = "nixpkgs/nixos-21.05";
|
||||
# nixpkgs.url = "nixpkgs/nixos-unstable";
|
||||
nixpkgs.url = "nixpkgs/nixos-21.11";
|
||||
nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
|
||||
|
||||
# home-manager
|
||||
home-manager.url = "github:nix-community/home-manager/master";
|
||||
# home-manager.url = "github:nix-community/home-manager/release-21.05";
|
||||
# home-manager.url = "github:nix-community/home-manager/master";
|
||||
home-manager.url = "github:nix-community/home-manager/release-21.11";
|
||||
home-manager.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
# agenix - age-encrypted secrets
|
||||
|
|
|
@ -0,0 +1,14 @@
|
|||
{
|
||||
"aether@subsurface" = {
|
||||
ssh = "ssh-rsa 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 aether@subsurface";
|
||||
wg = "XEVSwNNPR7RTt/O0ihYmv3nopbPmqkCMGrVRCixnPWw="
|
||||
};
|
||||
"oatmealine@beppy" = {
|
||||
ssh = "ssh-rsa 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 oatmealine@beppy";
|
||||
wg = "533BncNpHKzJVx5lwdxBg+aUfLGqea9uUYz70C6wxyg=";
|
||||
};
|
||||
"skye@DESKTOP-VB4940J" = {
|
||||
ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGPFAyr1zYL5+/VIUVhT5sIfikhlj37tuTHVSfW/xbHfBqvR/Ga21j2k6HAa6acpHBa3+Ri1DZIjIkzjco447ZP7ahwOF3Ci6Cv9oSXxmw43hUMypfMTLu9+v9sjFJFPg7F39X2ngZzzLxO1/fPMuQm3kK6T3WyVqpNUMaenXhnT2i641lo2tRjs1LeGIk6h3Ermp4V3WQo+exbf+nc1Lqt5Yos/jWn1HnsjxI2N1SQDiT9J+MpNN7wUz4Q57+aDKeXH2oBsnRjNGU90qudwZIdUUJunfVaFXZHuVopLv1DlY1rcjtTP/8P9WcFXsnqb4yiA4uon0fbo7IZISt+ffw+TDjPaDH/8TsfgeT36Dd2mKZ/Z9XdzdWiez4fZxExR9MZcJafxnnw6Bfsfb4sSw52VRE2R65apasDTHTE3toRr7JWDNOg35ULDuGiQMnWhbr1c/0aHOtxoIIjOTtWUAl1LqemAELq/sJhKc/B/ywN1421FCcyivn8meZUII0Ccc= skye@DESKTOP-VB4940J";
|
||||
wg = "";
|
||||
};
|
||||
}
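Review bot: The `wg` binding of `"aether@subsurface"` is missing its terminating semicolon, so this file does not parse; it should read `wg = "XEVSwNNPR7RTt/O0ihYmv3nopbPmqkCMGrVRCixnPWw=";` like the entry below it. The `"skye@DESKTOP-VB4940J"` entry carries `wg = ""`, and the new `wireguardInterface.nix` in this commit turns every entry into a peer, so an empty key becomes an invalid peer definition; either omit `wg` for that host or have the consumer skip empty keys. The two consumers spell the path differently (`import ./authorizedKeys` in the host config, `import ../authorizedKeys.nix` in the interface file); the file header is not shown, so only one of those can match the actual file name — worth confirming.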
|
|
@ -1,12 +1,15 @@
|
|||
{ pkgs, inputs, lib, ... }:
|
||||
|
||||
{
|
||||
let
|
||||
keys = import ./authorizedKeys;
|
||||
in {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
user = {
|
||||
packages = with pkgs; [
|
||||
git
|
||||
curl
|
||||
];
|
||||
};
|
||||
|
@ -16,16 +19,22 @@
|
|||
packages = [ ];
|
||||
shell = "fish";
|
||||
extraGroups = [ "wheel" ];
|
||||
initialHashedPassword = "!";
|
||||
openssh.authorizedKeys.keys = [ keys."aether@subsurface".ssh ];
|
||||
};
|
||||
oatmealine = {
|
||||
packages = [ ];
|
||||
shell = "zsh";
|
||||
extraGroups = [ "wheel" ];
|
||||
initialHashedPassword = "!";
|
||||
openssh.authorizedKeys.keys = [ keys."oatmealine@beppy".shh ];
|
||||
};
|
||||
skye = {
|
||||
packages = [ ];
|
||||
shell = "fish";
|
||||
extraGroups = [ "wheel" ];
|
||||
initialHashedPassword = "!";
|
||||
openssh.authorizedKeys.keys = [ keys."skye@DESKTOP-VB4940J".shh ];
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -57,17 +66,18 @@
|
|||
wireguard = {
|
||||
enable = true;
|
||||
server = true;
|
||||
interfaces = mkMerge (import ./interfaces);
|
||||
externalInterface = "eno1";
|
||||
interfaces."wg0" = import ./wireguardInterface.nix;
|
||||
};
|
||||
webapps = lib.mkMerge (import ./webapps);
|
||||
};
|
||||
};
|
||||
|
||||
time.timeZone = "Europe/Frankfurt";
|
||||
|
||||
programs.ssh.startAgent = true;
|
||||
services.openssh.startWhenNeeded = true;
|
||||
|
||||
networking = {
|
||||
hostName = "firepit";
|
||||
security.doas = {
|
||||
extraRules = [
|
||||
{ users = [ "aether" "oatmealine" "skye" ]; noPass = false; keepEnv = true; }
|
||||
];
|
||||
};
|
||||
|
||||
time.timeZone = "Europe/Amsterdam";
|
||||
}
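Review bot: The `oatmealine` and `skye` users in the second hunk read `keys."oatmealine@beppy".shh` and `keys."skye@DESKTOP-VB4940J".shh`, but the key file added in this commit defines the attribute as `ssh`, so evaluation fails with a missing-attribute error and those accounts end up with no authorized key; the `aether` entry above uses the correct `.ssh`. In the third hunk, `interfaces."wg0" = import ./wireguardInterface.nix;` assigns a function (that file begins with `{ lib, pkgs, config, ... }:`); unless the submodule evaluation supplies all of those arguments, the definition cannot be applied and the module's `iattrs.listenPort` access never gets an attribute set, so calling it explicitly, e.g. `interfaces."wg0" = import ./wireguardInterface.nix { inherit lib pkgs config; };`, is the safer form (note `config` is not in this file's argument list yet). The enclosing attribute set opens before the first hunk.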
|
|
@ -22,26 +22,26 @@
|
|||
modules.hardware.fs = {
|
||||
enable = true;
|
||||
ssd.enable = true;
|
||||
xfs.enable = true;
|
||||
};
|
||||
|
||||
extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "/dev/disk/by-uuid/?";
|
||||
fsType = "?";
|
||||
options = [ "defaults" "noatime" "nodiratime" ];
|
||||
};
|
||||
|
||||
"/etc/dotfiles" = {
|
||||
device = "/dev/disk/by-uuid/?";
|
||||
fsType = "f2fs";
|
||||
options = [ "defaults" "noatime" "nodiratime" ];
|
||||
device = "/dev/disk/by-uuid/819f03bb-73d2-4ae1-9fd2-01099e8efae6";
|
||||
fsType = "xfs";
|
||||
};
|
||||
|
||||
"/boot" = {
|
||||
device = "/dev/disk/by-uuid/?";
|
||||
device = "/dev/disk/by-uuid/D018-F9AF";
|
||||
fsType = "vfat";
|
||||
};
|
||||
};
|
||||
|
||||
swapDevices = [
|
||||
{ device = "/dev/disk/by-uuid/01ba93e4-71e3-404d-9549-351e22130185"; }
|
||||
{ device = "/dev/disk/by-uuid/dee63218-1666-4035-8d63-b9e0e0b2cd28"; }
|
||||
];
|
||||
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
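Review bot: The root mount still reads `device = "/dev/disk/by-uuid/?"` and `fsType = "?"` while `/etc/dotfiles` and `/boot` received real UUIDs in this hunk; a `?` device cannot be mounted, so the generated system will not boot, and the hunk does not show whether these lines are unchanged context or new. `extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];` sits at the same indentation as `fileSystems`, which makes it an undeclared top-level option unless a `boot = { … }` block opens above the hunk — if it is top-level it should be `boot.extraModulePackages = …`. The enclosing attribute set begins before the hunk.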
|
|
@ -0,0 +1 @@
|
|||
{}
|
|
@ -1,3 +1,2 @@
|
|||
[
|
||||
|
||||
]
|
|
@ -0,0 +1,17 @@
|
|||
{ lib, pkgs, config, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
peerKeys = import ../authorizedKeys.nix;
|
||||
in {
|
||||
ips = [ "10.100.0.1/24" ];
|
||||
|
||||
privateKeyFile = readFile "/etc/wg0.keys/wg0";
|
||||
|
||||
listenPort = 51820;
|
||||
|
||||
peers = genList (n: {
|
||||
publicKey = elemAt (attrValues peerKeys) n;
|
||||
allowedIPs = [ "10.100.0.${n+2}/32" ];
|
||||
}) (length (attrValues peerKeys));
|
||||
}
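Review bot: `privateKeyFile = readFile "/etc/wg0.keys/wg0";` reads the private key at evaluation time and hands its contents to an option that expects a path, so the key material is copied into the world-readable Nix store and the generated interface setup still gets no usable file; pass the path as a plain string instead. The `peers` list is also not evaluable: `elemAt (attrValues peerKeys) n` yields the whole `{ ssh; wg; }` set rather than the `wg` key, and `"10.100.0.${n+2}/32"` interpolates an integer, which Nix rejects without `toString`. The rewrite below fixes both, skips entries whose `wg` is empty, and keeps address assignment tied to `attrValues` order, which is alphabetical by attribute name rather than file order — worth a comment if the addresses are meant to stay stable when keys are added.

```nix
  privateKeyFile = "/etc/wg0.keys/wg0";

  # … unchanged: listenPort …

  peers = imap0 (n: peer: {
    publicKey = peer.wg;
    allowedIPs = [ "10.100.0.${toString (n + 2)}/32" ];
  }) (filter (peer: peer.wg != "") (attrValues peerKeys));
```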
|
|
@ -1,14 +0,0 @@
|
|||
let
|
||||
subsurface.Access = "<...>";
|
||||
void-defragmented.Access = "<...>";
|
||||
userSkye.Access = "<...>";
|
||||
in {
|
||||
"subsurface.age".publicKeys = attrValues subsurface;
|
||||
"subsurface.age".owner = "aether";
|
||||
|
||||
"void-defragmented.age".publicKeys = attrValues void-defragmented;
|
||||
"void-defragmented.age".owner = "oatmealine";
|
||||
|
||||
"skye.age".publicKeys = attrValues userSkye;
|
||||
"skye.age".owner = "skye";
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
{ pkgs, lib, options, config, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.modules.dev.python;
|
||||
in {
|
||||
options.modules.dev.python = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
packages = mkOption {
|
||||
type = types.listOf types.package;
|
||||
default = [];
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
# TODO
|
||||
};
|
||||
}
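Review bot: The `packages` option is declared but nothing in `config = mkIf cfg.enable { # TODO };` consumes it, so enabling the module is a no-op and any packages a host lists are silently dropped. Either wire it up, e.g. `environment.systemPackages = [ pkgs.python3 ] ++ cfg.packages;`, or keep the module out of the import set until it does something. Both options also lack a `description`; a one-liner such as `description = "Enables the Python development environment.";` on `enable` would match the style of the wireguard module in this commit.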
|
|
@ -13,6 +13,10 @@ in {
|
|||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
xfs.enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable (mkMerge [
|
||||
|
@ -28,5 +32,9 @@ in {
|
|||
nvme-cli
|
||||
];
|
||||
})
|
||||
|
||||
(mkIf cfg.xfs.enable {
|
||||
boot.supportedFilesystems = [ "xfs" ];
|
||||
})
|
||||
]);
|
||||
}
|
||||
|
|
|
@ -35,6 +35,9 @@ in {
|
|||
}
|
||||
];
|
||||
|
||||
boot.tmpOnTmpfs = lib.mkDefault true;
|
||||
boot.cleanTmpDir = lib.mkDefault (!config.boot.tmpOnTmpfs);
|
||||
|
||||
security.rtkit.enable = true;
|
||||
|
||||
boot.loader.systemd-boot.editor = false;
|
||||
|
@ -48,7 +51,7 @@ in {
|
|||
security.sudo.enable = false;
|
||||
security.doas = {
|
||||
enable = true;
|
||||
extraRules = if cfg.isLocalMachine then [{ users = builtins.attrNames config.defaultUsers; }] else [];
|
||||
extraRules = if cfg.isLocalMachine then [{ users = builtins.attrNames config.defaultUsers; keepEnv = true; noPass = true; }] else [];
|
||||
};
|
||||
|
||||
boot.kernel.sysctl = {
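Review bot: The rewritten `extraRules` line sets `noPass = true`, which grants every user in `config.defaultUsers` root via doas without any authentication whenever `cfg.isLocalMachine` is set, and `keepEnv = true` carries the caller's environment into that root session; if passwordless escalation is only wanted on interactive machines, gate it on a dedicated option rather than reusing `isLocalMachine`. The firepit host in this same commit defines a second rule for the same users with `noPass = false; keepEnv = true;`, and doas applies the last matching rule, so the effective policy depends on the order in which the module system emits the two definitions — resolve the conflict explicitly by keeping a single rule per user set. The surrounding config block continues outside the hunk.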
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
{ pkgs, config, lib, options, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.modules.services.phpfpm;
|
||||
in {
|
||||
|
||||
}
|
|
@ -14,7 +14,10 @@ in {
|
|||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.openssh.enable = true;
|
||||
# services.sshd.enable = true;
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
passwordAuthentication = false;
|
||||
permitRootLogin = "no";
|
||||
};
|
||||
};
|
||||
}
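Review bot: `passwordAuthentication = false;` alone still leaves keyboard-interactive logins open, because NixOS 21.11 (which this commit pins) defaults `services.openssh.challengeResponseAuthentication` to true and PAM can then prompt for the same password; add `challengeResponseAuthentication = false;` beside it. `permitRootLogin = "no"` fits the host accounts created with `initialHashedPassword = "!"`. The stale `# services.sshd.enable = true;` comment can go now that the attribute set below enables the service.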
|
||||
|
|
|
@ -0,0 +1,64 @@
|
|||
{ pkgs, lib, config, options, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.modules.services.webapps;
|
||||
in {
|
||||
options.modules.services.webapps = mkOption {
|
||||
type = types.attrsOf types.attrs;
|
||||
default = {};
|
||||
};
|
||||
|
||||
config = mkMerge (
|
||||
/*
|
||||
[{ services.nginx.enable = true; }] ++
|
||||
|
||||
# Generic configuration
|
||||
(mapAttrsToList (appName: app: let username = lib.intersperse "-" (lib.splitString "." appName); in mkMerge [
|
||||
{
|
||||
assertions = [{
|
||||
assertion = (types.enum ["generic" "phpfpm"]).check app.platform;
|
||||
description = "Please specify a webapp platform for ${appName}. The possible platforms are: \"generic\", \"phpfpm\"";
|
||||
}];
|
||||
|
||||
users.users.${username} = mkMerge [
|
||||
{
|
||||
isSystemUser = true;
|
||||
group = appName;
|
||||
}
|
||||
(mkIf (app.root != null) {
|
||||
createHome = true;
|
||||
home = app.root;
|
||||
})
|
||||
];
|
||||
|
||||
users.groups.${username} = username;
|
||||
|
||||
services.nginx.virtualHosts."${appName}" = app.nginx;
|
||||
}
|
||||
|
||||
# phpfpm-specific configuration
|
||||
(mkIf (app.platform == "phpfpm") {
|
||||
modules.dev.php.enable = true;
|
||||
|
||||
services.phpfpm.pools.${appName} = {
|
||||
user = appName;
|
||||
settings = mkMerge [{
|
||||
"listen.owner" = config.services.nginx.user;
|
||||
"pm" = "dynamic";
|
||||
"pm.max_children" = 16;
|
||||
"pm.max_requests" = 500;
|
||||
"pm.start_servers" = 2;
|
||||
"pm.min_spare_servers" = 1;
|
||||
"pm.max_spare_servers" = 3;
|
||||
"php_admin_value[error_log]" = "${app.root}/log";
|
||||
"php_admin_flag[log_errors]" = true;
|
||||
"catch_workers_output" = true;
|
||||
} app.phpfpm];
|
||||
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
|
||||
};
|
||||
})
|
||||
]) cfg)
|
||||
*/[]
|
||||
);
|
||||
}
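Review bot: The whole body of `config = mkMerge ( /* … */ [] )` is commented out, so `modules.services.webapps` accepts any `attrsOf attrs` and produces nothing — the firepit host in this commit already sets `webapps = lib.mkMerge (import ./webapps)` against it and will silently get no nginx vhosts, users or pools. When the block is re-enabled, `lib.intersperse "-" (lib.splitString "." appName)` yields a list rather than a string (`concatStringsSep "-"` is the intended call), `users.groups.${username} = username;` assigns a string where the option expects an attribute set (`users.groups.${username} = {};`), and the assertion uses `description` where the module system reads `message`. Until then, a `# TODO: disabled because …` line explaining why the block is parked would help the next reader more than bare comment markers.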
|
|
@ -1,47 +0,0 @@
|
|||
{ config, lib, pkgs, options, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.modules.services.wireguard;
|
||||
opt = options.modules.services.wireguard;
|
||||
in {
|
||||
options.modules.services.wireguard = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Enables the wiregyard VPN service.";
|
||||
};
|
||||
server = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Configures this module to allow wireguard to act as a VPN provider on this host.";
|
||||
};
|
||||
interfaces = mkOption {
|
||||
type = types.attrs;
|
||||
default = {};
|
||||
description = "Which interfaces wireguard should atach itself to. The first one is prioritized over all others.";
|
||||
};
|
||||
port = mkOption {
|
||||
type = types.int;
|
||||
default = 51820;
|
||||
description = "The default listen port.";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable (mkMerge [
|
||||
{
|
||||
networking.firewall.allowedUDPPorts = [ cfg.port ];
|
||||
|
||||
networking.wireguard.interfaces = mapAttrs (i: c: mkMerge [c {
|
||||
listenPort = cfg.port;
|
||||
}]) (mkAliasDefinitions options.modules.services.wireguard.interfaces);
|
||||
}
|
||||
(mkIf cfg.server {
|
||||
networking.nat = {
|
||||
enable = true;
|
||||
# externalInterfaces = head cfg.interfaces;
|
||||
# internalInterfaces = cfg.interfaces;
|
||||
};
|
||||
})
|
||||
]);
|
||||
}
|
|
@ -0,0 +1,71 @@
|
|||
{ config, lib, pkgs, options, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.modules.services.wireguard;
|
||||
in {
|
||||
options.modules.services.wireguard = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Enables the wiregyard VPN service.";
|
||||
};
|
||||
|
||||
server = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Configures this module to allow wireguard to act as a VPN provider on this host.";
|
||||
};
|
||||
|
||||
externalInterface = mkOption {
|
||||
type = types.str;
|
||||
default = null;
|
||||
description = "";
|
||||
};
|
||||
|
||||
interfaces = mkOption {
|
||||
type = options.networking.wireguard.interfaces.type;
|
||||
default = {};
|
||||
description = "Which interfaces wireguard should attach itself to.";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable (mkMerge [
|
||||
(mkIf cfg.server {
|
||||
assertions = [
|
||||
{ assertion = cfg.externalInterface != null;
|
||||
description = "External interface must be set if wiregaurd is to be setup as a server.";
|
||||
}
|
||||
];
|
||||
|
||||
networking = mkMerge (
|
||||
[{
|
||||
nat.enable = true;
|
||||
nat.externalInterface = cfg.externalInterface;
|
||||
nat.internalInterfaces = filter (i: i != cfg.externalInterface) (attrNames cfg.interfaces);
|
||||
}] ++
|
||||
|
||||
(mapAttrsToList (iname: iattrs: {
|
||||
firewall.allowedUDPPorts = iattrs.listenPort;
|
||||
|
||||
wireguard.interfaces.${iname} = mkMerge [ iattrs {
|
||||
postSetup = ''
|
||||
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
|
||||
'';
|
||||
|
||||
postShutdown = ''
|
||||
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
|
||||
'';
|
||||
}];
|
||||
}) cfg.interfaces)
|
||||
);
|
||||
})
|
||||
|
||||
/*
|
||||
(mkIf (!cfg.server) (mkMerge [
|
||||
{ networking.wireguard.interfaces = cfg.interfaces; }
|
||||
(mapAttrs (_: iattrs: { networking.firewall.allowedUDPPorts = iattrs.listenPort; }) cfg.interfaces)
|
||||
]))
|
||||
*/
|
||||
]);
|
||||
}
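Review bot: `firewall.allowedUDPPorts = iattrs.listenPort;` assigns a single integer (or null, the default of `networking.wireguard.interfaces.*.listenPort`) to a list-typed option, so every interface definition fails type checking; write `firewall.allowedUDPPorts = optional (iattrs.listenPort != null) iattrs.listenPort;`. `externalInterface` is declared as `types.str` with `default = null`, which the type rejects as soon as the option is read unset, so the assertion below can never fire — use `type = types.nullOr types.str;`, and note that assertion entries take `message`, not `description`. The `postSetup`/`postShutdown` rules hardcode `-o eth0` and `10.100.0.0/24` although `nat.externalInterface = cfg.externalInterface` already masquerades on the configured uplink (`eno1` in the firepit host), so they are redundant at best and wrong on any host whose uplink is not `eth0`; drop them or derive the interface from `cfg.externalInterface` and the subnet from the interface's `ips`. `description = ""` on `externalInterface` should say what the option is for, e.g. `description = "Interface that carries the VPN's outbound (NAT) traffic.";`.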
|