From 7a6a22200c0715a311886943a0b53467a151bb57 Mon Sep 17 00:00:00 2001
From: System administrator
Date: Sat, 23 Apr 2022 03:01:00 +0200
Subject: [PATCH] some light refactoring

---
 flake.lock | 16 ++---
 flake.nix | 8 +--
 hosts/dark-firepit/authorizedKeys.nix | 14 ++++
 hosts/{firepit => dark-firepit}/default.nix | 28 +++++---
 .../hardware-configuration.nix | 24 +++----
 hosts/dark-firepit/secrets/secrets.nix | 1 +
 .../webapps}/default.nix | 1 -
 hosts/dark-firepit/wireguardInterface.nix | 17 +++++
 hosts/firepit/secrets/secrets.nix | 14 ----
 modules/dev/python.nix | 21 ++++++
 modules/hardware/fs.nix | 8 +++
 modules/security.nix | 5 +-
 modules/services/phpfpm.nix | 8 +++
 modules/services/ssh.nix | 7 +-
 modules/services/webapps.nix | 64 +++++++++++++++++
 modules/services/wiregaurd.nix | 47 ------------
 modules/services/wireguard.nix | 71 +++++++++++++++++++
 result | 1 +
 18 files changed, 257 insertions(+), 98 deletions(-)
 create mode 100644 hosts/dark-firepit/authorizedKeys.nix
 rename hosts/{firepit => dark-firepit}/default.nix (59%)
 rename hosts/{firepit => dark-firepit}/hardware-configuration.nix (57%)
 create mode 100644 hosts/dark-firepit/secrets/secrets.nix
 rename hosts/{firepit/interfaces => dark-firepit/webapps}/default.nix (80%)
 create mode 100644 hosts/dark-firepit/wireguardInterface.nix
 delete mode 100644 hosts/firepit/secrets/secrets.nix
 create mode 100644 modules/dev/python.nix
 create mode 100644 modules/services/phpfpm.nix
 create mode 100644 modules/services/webapps.nix
 delete mode 100644 modules/services/wiregaurd.nix
 create mode 100644 modules/services/wireguard.nix
 create mode 120000 result

diff --git a/flake.lock b/flake.lock
index 3b3278e..bcaaf6a 100755
--- a/flake.lock
+++ b/flake.lock
@@ -58,16 +58,16 @@
 ]
 },
 "locked": {
- "lastModified": 1641459437,
- "narHash": "sha256-z0IOcc6LLbVhyri/aTyWzRqJs3p1pBK9idOiMwCWiqs=",
+ "lastModified": 1649887911,
+ "narHash": "sha256-Af0Ppb1RZ7HWuxUvF0/O7h3cy8tqU2eKFyVwyA1ZD+w=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "c751aeb19e84a0a777f36fd5ea73482a066bb406",
+ "rev": "7244c6715cb8f741f3b3e1220a9279e97b2ed8f5",
 "type": "github"
 },
 "original": {
 "owner": "nix-community",
- "ref": "master",
+ "ref": "release-21.11",
 "repo": "home-manager",
 "type": "github"
 }
@@ -105,16 +105,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1641528457,
- "narHash": "sha256-FyU9E63n1W7Ql4pMnhW2/rO9OftWZ37pLppn/c1aisY=",
+ "lastModified": 1650501692,
+ "narHash": "sha256-ApKf0/dc0SyB7zZ6yiiOQgcXAhCXxbSDyihHfRDIzx0=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "ff377a78794d412a35245e05428c8f95fef3951f",
+ "rev": "9887f024766aa27704d1f89f623efd1d063da92a",
 "type": "github"
 },
 "original": {
 "id": "nixpkgs",
- "ref": "nixos-unstable",
+ "ref": "nixos-21.11",
 "type": "indirect"
 }
 },
diff --git a/flake.nix b/flake.nix
index 4cad7bc..0a72188 100755
--- a/flake.nix
+++ b/flake.nix
@@ -3,13 +3,13 @@
 inputs = {
 # NixOS unstable
- nixpkgs.url = "nixpkgs/nixos-unstable";
-# nixpkgs.url = "nixpkgs/nixos-21.05";
+# nixpkgs.url = "nixpkgs/nixos-unstable";
+ nixpkgs.url = "nixpkgs/nixos-21.11";
 nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
 # home-manager
- home-manager.url = "github:nix-community/home-manager/master";
-# home-manager.url = "github:nix-community/home-manager/release-21.05";
+# home-manager.url = "github:nix-community/home-manager/master";
+ home-manager.url = "github:nix-community/home-manager/release-21.11";
 home-manager.inputs.nixpkgs.follows = "nixpkgs";
 # agenix - age-encrypted secrets
diff --git a/hosts/dark-firepit/authorizedKeys.nix b/hosts/dark-firepit/authorizedKeys.nix
new file mode 100644
index 0000000..3f39166
--- /dev/null
+++ b/hosts/dark-firepit/authorizedKeys.nix
@@ -0,0 +1,14 @@
+{
+ "aether@subsurface" = {
+ ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4lh7dN9Ohh2/WoGiZ4WlpVb01YPNto/9ungOAk6TH+65wkxMjY4a+1OsO8Znguj46tXVErn8xv2ZVX0K7ql0hzypPkP2Dvvim99tz6FKSf9Nwj6RRtIKPoYkJjtGYAqLJl8JPy50HkFXkDVQ/z4d4iwpneSODIJdkUFSzZR91jz9FX+4t2h+2xtuuRDI43+gHRqvwPP8XaE0srtMzZoQDUBKhwOynoo2vZnyd3O7kkpD9T+jzYEeLKppHdaoYN5UxZ4L0xnig0WFZiBH36/YGXA8gT56FHRw5GKhwWwfSvliEw63/6IxiVZBuM1Mj7syg2Ndhhmmay05QqvyTrdHA9veyzJG5l0HlnCmXe7ss9lVQnxxPfbHbnDZUhH1ax01sQUeTK3Bs3AvbsTLyXBbd4NCY5ovz85MqzM/Q84B1zX1i8KbFEBh0xkumNsPAXzY8ar+tq5rFa23bY9qF4s6CMv++JEXSJJufcf3BS2dBlw0lTGBn7UEO9FHHsU3xKCc= aether@subsurface";
+ wg = "XEVSwNNPR7RTt/O0ihYmv3nopbPmqkCMGrVRCixnPWw="
+ };
+ "oatmealine@beppy" = {
+ ssh = "ssh-rsa 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 oatmealine@beppy";
+ wg = "533BncNpHKzJVx5lwdxBg+aUfLGqea9uUYz70C6wxyg=";
+ };
+ "skye@DESKTOP-VB4940J" = {
+ ssh = "ssh-rsa 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 skye@DESKTOP-VB4940J";
+ wg = "";
+ };
+}
diff --git a/hosts/firepit/default.nix b/hosts/dark-firepit/default.nix
similarity index 59%
rename from hosts/firepit/default.nix
rename to hosts/dark-firepit/default.nix
index 0d915f5..29c9370 100644
--- a/hosts/firepit/default.nix
+++ b/hosts/dark-firepit/default.nix
@@ -1,12 +1,15 @@
 { pkgs, inputs, lib, ... }:
-{
+let
+ keys = import ./authorizedKeys;
+in {
 imports = [
 ./hardware-configuration.nix
 ];
 user = {
 packages = with pkgs; [
+ git
 curl
 ];
 };
@@ -16,16 +19,22 @@
 packages = [ ];
 shell = "fish";
 extraGroups = [ "wheel" ];
+ initialHashedPassword = "!";
+ openssh.authorizedKeys.keys = [ keys."aether@subsurface".ssh ];
 };
 oatmealine = {
 packages = [ ];
 shell = "zsh";
 extraGroups = [ "wheel" ];
+ initialHashedPassword = "!";
+ openssh.authorizedKeys.keys = [ keys."oatmealine@beppy".shh ];
 };
 skye = {
 packages = [ ];
 shell = "fish";
 extraGroups = [ "wheel" ];
+ initialHashedPassword = "!";
+ openssh.authorizedKeys.keys = [ keys."skye@DESKTOP-VB4940J".shh ];
 };
 };
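Review bot: The `wg` line of the `"aether@subsurface"` entry has no terminating semicolon, `wg = "XEVSwNNPR7RTt/O0ihYmv3nopbPmqkCMGrVRCixnPWw="` is followed directly by `};`, which is a Nix parse error and breaks every importer of this file (hosts/dark-firepit/default.nix and wireguardInterface.nix in this same commit). The `"skye@DESKTOP-VB4940J"` entry sets `wg = ""`, and wireguardInterface.nix turns every entry of this set into a WireGuard peer, so the empty string would be handed to WireGuard as a peer public key; leaving `wg` out (or `null`) for hosts without a key and filtering on it when building peers avoids that. A header comment such as `# Per-person public material only: an OpenSSH authorized_keys line (ssh) and a WireGuard public key (wg); private keys never belong in this repository` would state the file's contract for the next contributor.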
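Review bot: `keys = import ./authorizedKeys;` names the file without its extension while the file added in this commit is `authorizedKeys.nix`; Nix resolves `./dir` to `dir/default.nix` but does not append `.nix` to a file name, so unless an `authorizedKeys/default.nix` exists that this diff does not show, the import fails and the whole host configuration with it. wireguardInterface.nix in the same commit imports the same file as `../authorizedKeys.nix`, so the fix is to match it: `keys = import ./authorizedKeys.nix;`. The attribute set these keys populate continues past this hunk.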
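Review bot: The `openssh.authorizedKeys.keys` lines for oatmealine and skye read `keys."oatmealine@beppy".shh` and `keys."skye@DESKTOP-VB4940J".shh`, but authorizedKeys.nix defines the attribute as `ssh` (the aether line uses it correctly), so evaluating either user's keys fails with a missing-attribute error and neither account can log in. `initialHashedPassword = "!"` on all three accounts creates them with a locked password, which is the right companion to key-only SSH, but it only takes effect when the account is first created and says nothing about accounts that already exist on the host. The enclosing attribute set starts before this hunk.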
@@ -57,17 +66,18 @@
 wireguard = {
 enable = true;
 server = true;
- interfaces = mkMerge (import ./interfaces);
+ externalInterface = "eno1";
+ interfaces."wg0" = import ./wireguardInterface.nix;
 };
+ webapps = lib.mkMerge (import ./webapps);
 };
 };
- time.timeZone = "Europe/Frankfurt";
-
- programs.ssh.startAgent = true;
- services.openssh.startWhenNeeded = true;
-
- networking = {
- hostName = "firepit";
+ security.doas = {
+ extraRules = [
+ { users = [ "aether" "oatmealine" "skye" ]; noPass = false; keepEnv = true; }
+ ];
 };
+
+ time.timeZone = "Europe/Amsterdam";
 }
diff --git a/hosts/firepit/hardware-configuration.nix b/hosts/dark-firepit/hardware-configuration.nix
similarity index 57%
rename from hosts/firepit/hardware-configuration.nix
rename to hosts/dark-firepit/hardware-configuration.nix
index 0a460ea..8b869b3 100644
--- a/hosts/firepit/hardware-configuration.nix
+++ b/hosts/dark-firepit/hardware-configuration.nix
@@ -22,26 +22,26 @@
 modules.hardware.fs = {
 enable = true;
 ssd.enable = true;
+ xfs.enable = true;
 };
- extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
-
 fileSystems = {
 "/" = {
- device = "/dev/disk/by-uuid/?";
- fsType = "?";
- options = [ "defaults" "noatime" "nodiratime" ];
- };
-
- "/etc/dotfiles" = {
- device = "/dev/disk/by-uuid/?";
- fsType = "f2fs";
- options = [ "defaults" "noatime" "nodiratime" ];
+ device = "/dev/disk/by-uuid/819f03bb-73d2-4ae1-9fd2-01099e8efae6";
+ fsType = "xfs";
 };
 "/boot" = {
- device = "/dev/disk/by-uuid/?";
+ device = "/dev/disk/by-uuid/D018-F9AF";
 fsType = "vfat";
 };
 };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/01ba93e4-71e3-404d-9549-351e22130185"; }
+ { device = "/dev/disk/by-uuid/dee63218-1666-4035-8d63-b9e0e0b2cd28"; }
+ ];
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
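Review bot: `interfaces."wg0" = import ./wireguardInterface.nix;` assigns the imported value as-is, and that file (added in this commit) begins `{ lib, pkgs, config, ... }:`, so the value is a function rather than the attribute set the old `mkMerge (import ./interfaces)` produced; whether the submodule type behind `networking.wireguard.interfaces` accepts a function as a module definition, and whether `pkgs` is supplied to it, is not visible here and should be confirmed by evaluating the host. The new doas rule uses `noPass = false`, while the same three users are created with `initialHashedPassword = "!"` in the previous hunk, so doas will prompt for a password that does not exist until one is set by hand after first boot; if that is intended, record it, e.g. `# doas prompts for the user's password; accounts start locked (initialHashedPassword = "!"), so set one with passwd before relying on this`. The enclosing module body starts before this hunk.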
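Review bot: The new `powerManagement.cpuFreqGovernor` and `hardware.cpu.intel.updateMicrocode` lines use `lib.mkDefault` and `config.hardware.enableRedistributableFirmware`, so both `lib` and `config` must be among this file's function arguments; the removed `config.boot.kernelPackages` line shows `config` was already in scope, but `lib` cannot be confirmed because the file header is outside the hunk. The rewritten `"/"` entry also drops the `options = [ "defaults" "noatime" "nodiratime" ]` list the placeholder entry carried, while `/boot` keeps its shape; if the mount options were meant to survive the move to xfs, add them back, otherwise a one-line comment `# mount defaults intended; noatime dropped with the move to xfs` stops the next reader from re-adding them.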
diff --git a/hosts/dark-firepit/secrets/secrets.nix b/hosts/dark-firepit/secrets/secrets.nix
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/hosts/dark-firepit/secrets/secrets.nix
@@ -0,0 +1 @@
+{}
diff --git a/hosts/firepit/interfaces/default.nix b/hosts/dark-firepit/webapps/default.nix
similarity index 80%
rename from hosts/firepit/interfaces/default.nix
rename to hosts/dark-firepit/webapps/default.nix
index 41b42e6..0d4f101 100644
--- a/hosts/firepit/interfaces/default.nix
+++ b/hosts/dark-firepit/webapps/default.nix
@@ -1,3 +1,2 @@
 [
-
 ]
diff --git a/hosts/dark-firepit/wireguardInterface.nix b/hosts/dark-firepit/wireguardInterface.nix
new file mode 100644
index 0000000..f05d1ad
--- /dev/null
+++ b/hosts/dark-firepit/wireguardInterface.nix
@@ -0,0 +1,17 @@
+{ lib, pkgs, config, ... }:
+
+with lib;
+let
+ peerKeys = import ../authorizedKeys.nix;
+in {
+ ips = [ "10.100.0.1/24" ];
+
+ privateKeyFile = readFile "/etc/wg0.keys/wg0";
+
+ listenPort = 51820;
+
+ peers = genList (n: {
+ publicKey = elemAt (attrValues peerKeys) n;
+ allowedIPs = [ "10.100.0.${n+2}/32" ];
+ }) (length (attrValues peerKeys));
+}
diff --git a/hosts/firepit/secrets/secrets.nix b/hosts/firepit/secrets/secrets.nix
deleted file mode 100644
index f91db83..0000000
--- a/hosts/firepit/secrets/secrets.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-let
- subsurface.Access = "<...>";
- void-defragmented.Access = "<...>";
- userSkye.Access = "<...>";
-in {
- "subsurface.age".publicKeys = attrValues subsurface;
- "subsurface.age".owner = "aether";
-
- "void-defragmented.age".publicKeys = attrValues void-defragmented;
- "void-defragmented.age".owner = "oatmealine";
-
- "skye.age".publicKeys = attrValues userSkye;
- "skye.age".owner = "skye";
-}
diff --git a/modules/dev/python.nix b/modules/dev/python.nix
new file mode 100644
index 0000000..7188ec5
--- /dev/null
+++ b/modules/dev/python.nix
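Review bot: `privateKeyFile = readFile "/etc/wg0.keys/wg0";` reads the private key's contents at evaluation time and passes them where the option expects a path string; that both fails (the key text is not a file name) and pulls the secret into the evaluated configuration, from where it is likely written into the generated interface setup script in the Nix store, and under pure flake evaluation reading an absolute path outside the flake is refused anyway. The line should be `privateKeyFile = "/etc/wg0.keys/wg0";` with the file kept root-only on the host. The peer list has two further errors: `publicKey = elemAt (attrValues peerKeys) n;` yields the whole `{ ssh = …; wg = …; }` set rather than the `.wg` string, and `"10.100.0.${n+2}/32"` interpolates an integer, which Nix refuses to coerce to a string; `publicKey = (elemAt (attrValues peerKeys) n).wg;` and `"10.100.0.${toString (n + 2)}/32"` fix both. Because `attrValues` orders entries by attribute name, a peer's address changes whenever a new name sorts before it, silently reassigning `allowedIPs`; an explicit address per peer in authorizedKeys.nix would be more robust.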
@@ -0,0 +1,21 @@
+{ pkgs, lib, options, config, ... }:
+
+with lib;
+let
+ cfg = config.modules.dev.python;
+in {
+ options.modules.dev.python = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ packages = mkOption {
+ type = types.listOf types.package;
+ default = [];
+ };
+ };
+
+ config = mkIf cfg.enable {
+ # TODO
+ };
+}
diff --git a/modules/hardware/fs.nix b/modules/hardware/fs.nix
index 2d15edb..366b1ae 100644
--- a/modules/hardware/fs.nix
+++ b/modules/hardware/fs.nix
@@ -13,6 +13,10 @@ in {
 type = types.bool;
 default = false;
 };
+ xfs.enable = mkOption {
+ type = types.bool;
+ default = false;
+ };
 };
 config = mkIf cfg.enable (mkMerge [
@@ -28,5 +32,9 @@ in {
 nvme-cli
 ];
 })
+
+ (mkIf cfg.xfs.enable {
+ boot.supportedFilesystems = [ "xfs" ];
+ })
 ]);
 }
diff --git a/modules/security.nix b/modules/security.nix
index 6c905f4..27094f1 100644
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -35,6 +35,9 @@ in {
 }
 ];
+ boot.tmpOnTmpfs = lib.mkDefault true;
+ boot.cleanTmpDir = lib.mkDefault (!config.boot.tmpOnTmpfs);
+
 security.rtkit.enable = true;
 boot.loader.systemd-boot.editor = false;
@@ -48,7 +51,7 @@ in {
 security.sudo.enable = false;
 security.doas = {
 enable = true;
- extraRules = if cfg.isLocalMachine then [{ users = builtins.attrNames config.defaultUsers; }] else [];
+ extraRules = if cfg.isLocalMachine then [{ users = builtins.attrNames config.defaultUsers; keepEnv = true; noPass = true; }] else [];
 };
 boot.kernel.sysctl = {
diff --git a/modules/services/phpfpm.nix b/modules/services/phpfpm.nix
new file mode 100644
index 0000000..edf9519
--- /dev/null
+++ b/modules/services/phpfpm.nix
@@ -0,0 +1,8 @@
+{ pkgs, config, lib, options, ... }:
+
+with lib;
+let
+ cfg = config.modules.services.phpfpm;
+in {
+
+}
diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix
index a76e706..5d64bc1 100644
--- a/modules/services/ssh.nix
+++ b/modules/services/ssh.nix
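Review bot: `config = mkIf cfg.enable { # TODO };` means enabling the module does nothing, and the `packages` option is declared but never read, so a value set there is silently ignored rather than rejected. Both options also lack a `description`, which is what `nixos-option` and the generated manual show; at minimum `description = "Python packages made available when modules.dev.python is enabled.";` on `packages` and a matching sentence on `enable`. If the stub is meant to land as-is, a comment `# Stub: options are accepted but not yet applied` next to the TODO tells readers of the evaluated config why nothing happens.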
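Review bot: `noPass = true` on the local-machine doas rule lets every user in `config.defaultUsers` become root without any authentication, so anything running under one of those accounts (a compromised desktop application, a malicious package hook, an unattended session) gets root for free, where the previous rule at least required the user's password. If the prompt is the annoyance, doas's `persist = true` keeps authentication but caches it for a while, which is the usual compromise; if passwordless escalation is a deliberate single-user-desktop decision, a comment on the line, `# Deliberately passwordless: single-user machine, physical access is the trust boundary`, records it. `keepEnv = true` additionally hands the caller's full environment to the root shell instead of doas's reset environment, so it is worth keeping only if a specific tool needs it.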
@@ -14,7 +14,10 @@ in {
 };
 config = mkIf cfg.enable {
- services.openssh.enable = true;
-# services.sshd.enable = true;
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ permitRootLogin = "no";
+ };
 };
 }
diff --git a/modules/services/webapps.nix b/modules/services/webapps.nix
new file mode 100644
index 0000000..96a9e4d
--- /dev/null
+++ b/modules/services/webapps.nix
@@ -0,0 +1,64 @@
+{ pkgs, lib, config, options, ... }:
+
+with lib;
+let
+ cfg = config.modules.services.webapps;
+in {
+ options.modules.services.webapps = mkOption {
+ type = types.attrsOf types.attrs;
+ default = {};
+ };
+
+ config = mkMerge (
+/*
+ [{ services.nginx.enable = true; }] ++
+
+ # Generic configuration
+ (mapAttrsToList (appName: app: let username = lib.intersperse "-" (lib.splitString "." appName); in mkMerge [
+ {
+ assertions = [{
+ assertion = (types.enum ["generic" "phpfpm"]).check app.platform;
+ description = "Please specify a webapp platform for ${appName}. The possible platforms are: \"generic\", \"phpfpm\"";
+ }];
+
+ users.users.${username} = mkMerge [
+ {
+ isSystemUser = true;
+ group = appName;
+ }
+ (mkIf (app.root != null) {
+ createHome = true;
+ home = app.root;
+ })
+ ];
+
+ users.groups.${username} = username;
+
+ services.nginx.virtualHosts."${appName}" = app.nginx;
+ }
+
+ # phpfpm-specific configuration
+ (mkIf (app.platform == "phpfpm") {
+ modules.dev.php.enable = true;
+
+ services.phpfpm.pools.${appName} = {
+ user = appName;
+ settings = mkMerge [{
+ "listen.owner" = config.services.nginx.user;
+ "pm" = "dynamic";
+ "pm.max_children" = 16;
+ "pm.max_requests" = 500;
+ "pm.start_servers" = 2;
+ "pm.min_spare_servers" = 1;
+ "pm.max_spare_servers" = 3;
+ "php_admin_value[error_log]" = "${app.root}/log";
+ "php_admin_flag[log_errors]" = true;
+ "catch_workers_output" = true;
+ } app.phpfpm];
+ phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
+ };
+ })
+ ]) cfg)
+*/[]
+ );
+}
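Review bot: `passwordAuthentication = false` disables only OpenSSH's `password` method; the keyboard-interactive method still goes through PAM and accepts the same account passwords, so on the 21.11 release this flake pins the block should also set `challengeResponseAuthentication = false;` (the option is `kbdInteractiveAuthentication` in later releases) before the server is really key-only. Together with `permitRootLogin = "no"` that matches the locked-password accounts in hosts/dark-firepit. A comment on the block, `# Key-only access: password and keyboard-interactive (PAM) methods both disabled`, records the intent. The enclosing module body starts before this hunk.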
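Review bot: The entire implementation sits inside a `/* … */` comment and `config = mkMerge ([])`, so the option accepts any attrset under `modules.services.webapps` and does nothing with it, while hosts/dark-firepit/default.nix already assigns `webapps = lib.mkMerge (import ./webapps)` as if it worked. Before the block is uncommented note that `lib.intersperse "-" (lib.splitString "." appName)` returns a list, not a string, so `username` cannot index `users.users` (`concatStringsSep "-" (splitString "." appName)` is the intended call); `users.groups.${username} = username;` must be `{}`; the assertion uses `description` where the `assertions` option expects `message`; and the phpfpm pool's `user = appName` differs from the `username` the account is created under. The option itself carries no `description`, e.g. `description = "Web applications to deploy; each value is an attrset with platform, root, nginx and phpfpm settings.";`.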
diff --git a/modules/services/wiregaurd.nix b/modules/services/wiregaurd.nix
deleted file mode 100644
index ac38216..0000000
--- a/modules/services/wiregaurd.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{ config, lib, pkgs, options, ... }:
-
-with lib;
-let
- cfg = config.modules.services.wireguard;
- opt = options.modules.services.wireguard;
-in {
- options.modules.services.wireguard = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = "Enables the wiregyard VPN service.";
- };
- server = mkOption {
- type = types.bool;
- default = false;
- description = "Configures this module to allow wireguard to act as a VPN provider on this host.";
- };
- interfaces = mkOption {
- type = types.attrs;
- default = {};
- description = "Which interfaces wireguard should atach itself to. The first one is prioritized over all others.";
- };
- port = mkOption {
- type = types.int;
- default = 51820;
- description = "The default listen port.";
- };
- };
-
- config = mkIf cfg.enable (mkMerge [
- {
- networking.firewall.allowedUDPPorts = [ cfg.port ];
-
- networking.wireguard.interfaces = mapAttrs (i: c: mkMerge [c {
- listenPort = cfg.port;
- }]) (mkAliasDefinitions options.modules.services.wireguard.interfaces);
- }
- (mkIf cfg.server {
- networking.nat = {
- enable = true;
-# externalInterfaces = head cfg.interfaces;
-# internalInterfaces = cfg.interfaces;
- };
- })
- ]);
-}
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
new file mode 100644
index 0000000..6204a8b
--- /dev/null
+++ b/modules/services/wireguard.nix
@@ -0,0 +1,71 @@
+{ config, lib, pkgs, options, ... }:
+
+with lib;
+let
+ cfg = config.modules.services.wireguard;
+in {
+ options.modules.services.wireguard = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enables the wiregyard VPN service.";
+ };
+
+ server = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Configures this module to allow wireguard to act as a VPN provider on this host.";
+ };
+
+ externalInterface = mkOption {
+ type = types.str;
+ default = null;
+ description = "";
+ };
+
+ interfaces = mkOption {
+ type = options.networking.wireguard.interfaces.type;
+ default = {};
+ description = "Which interfaces wireguard should attach itself to.";
+ };
+ };
+
+ config = mkIf cfg.enable (mkMerge [
+ (mkIf cfg.server {
+ assertions = [
+ { assertion = cfg.externalInterface != null;
+ description = "External interface must be set if wiregaurd is to be setup as a server.";
+ }
+ ];
+
+ networking = mkMerge (
+ [{
+ nat.enable = true;
+ nat.externalInterface = cfg.externalInterface;
+ nat.internalInterfaces = filter (i: i != cfg.externalInterface) (attrNames cfg.interfaces);
+ }] ++
+
+ (mapAttrsToList (iname: iattrs: {
+ firewall.allowedUDPPorts = iattrs.listenPort;
+
+ wireguard.interfaces.${iname} = mkMerge [ iattrs {
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+ }];
+ }) cfg.interfaces)
+ );
+ })
+
+/*
+ (mkIf (!cfg.server) (mkMerge [
+ { networking.wireguard.interfaces = cfg.interfaces; }
+ (mapAttrs (_: iattrs: { networking.firewall.allowedUDPPorts = iattrs.listenPort; }) cfg.interfaces)
+ ]))
+*/
+ ]);
+}
diff --git a/result b/result
new file mode 120000
index 0000000..ea01ca8
--- /dev/null
+++ b/result
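Review bot: The `postSetup`/`postShutdown` iptables rules masquerade `-s 10.100.0.0/24 -o eth0` although the module takes `cfg.externalInterface` (set to `eno1` by hosts/dark-firepit), so on that host the rule matches nothing and the VPN subnet is hard-coded instead of taken from the interface's `ips`; since `networking.nat` with `externalInterface` and `internalInterfaces` already installs a MASQUERADE rule for the internal interfaces, the two hooks can be dropped, or if kept must at least use `-o ${cfg.externalInterface}`. `firewall.allowedUDPPorts = iattrs.listenPort;` assigns an integer (or `null`, the option is nullable) where a list is expected, so it should be `firewall.allowedUDPPorts = optional (iattrs.listenPort != null) iattrs.listenPort;`. `externalInterface` is declared `types.str` with `default = null`, which fails type checking whenever the option is read unset — including by the `cfg.externalInterface != null` assertion meant to catch that case — so the type must be `types.nullOr types.str`, and the assertion uses `description` where the `assertions` option expects `message`. With the non-server branch commented out, `enable = true; server = false;` configures no interface at all, which neither option description says.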
@@ -0,0 +1 @@
+/nix/store/53jxaagbfh45fzhwbdj0wyv9wvc8g94q-nixos-system-dark-firepit-21.11.20220421.9887f02
\ No newline at end of file