From a4ba216d71243af43b1f5fc54c8f4bbbfbac1de8 Mon Sep 17 00:00:00 2001 From: niten Date: Wed, 1 Jun 2022 13:57:58 -0700 Subject: [PATCH] Upgrade to 22.05 (and much else) --- config/host-config/lambda.nix | 110 ++++----- config/host-config/legatus.nix | 14 +- config/host-config/nostromo.nix | 32 +-- config/host-config/procul.nix | 24 +- config/host-config/wormhole0.nix | 53 ++++- .../wormhole0/converters/AQSZB-110.js | 11 + config/profile-config/common-ui.nix | 6 + config/profile-config/desktop.nix | 3 +- config/profile-config/server.nix | 13 +- config/service/chat.nix | 149 +++++++++++++ config/services.nix | 1 + config/site-config/seattle.nix | 183 +++++++-------- config/users.nix | 22 +- configuration.nix | 3 +- flake.lock | 82 +++---- flake.nix | 210 ++++++++---------- 16 files changed, 548 insertions(+), 368 deletions(-) create mode 100644 config/host-config/wormhole0/converters/AQSZB-110.js create mode 100644 config/service/chat.nix diff --git a/config/host-config/lambda.nix b/config/host-config/lambda.nix index b022c7d..73f7c2c 100644 --- a/config/host-config/lambda.nix +++ b/config/host-config/lambda.nix 
@@ -84,65 +84,65 @@ in { Defaults lecture = never ''; - services.nginx = { - enable = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedGzipSettings = true; + # services.nginx = { + # enable = true; + # recommendedOptimisation = true; + # recommendedProxySettings = true; + # recommendedGzipSettings = true; - virtualHosts."home.sea.fudo.org" = { - locations."/" = { - proxyPass = "http://localhost:${toString home-assistant-port}"; - proxyWebsockets = true; - }; - }; - }; + # virtualHosts."home.sea.fudo.org" = { + # locations."/" = { + # proxyPass = "http://localhost:${toString home-assistant-port}"; + # proxyWebsockets = true; + # }; + # }; + # }; - virtualisation = { - docker = { - enable = true; - enableOnBoot = true; - autoPrune = { enable = true; }; - }; + # virtualisation = { + # docker = { + # enable = true; + # enableOnBoot = true; + # autoPrune = { enable = true; }; + # }; - oci-containers = { - backend = "docker"; - containers = { - home-assistant = { - image = "homeassistant/home-assistant:stable"; - autoStart = true; - environment.TZ = config.time.timeZone; - # ports = [ "${toString home-assistant-port}:8123" ]; - volumes = [ "/state/services/home-assistant:/config" ]; - extraOptions = [ "--network=host" "--device=/dev/ttyACM0" ]; - }; + # oci-containers = { + # backend = "docker"; + # containers = { + # home-assistant = { + # image = "homeassistant/home-assistant:stable"; + # autoStart = true; + # environment.TZ = config.time.timeZone; + # # ports = [ "${toString home-assistant-port}:8123" ]; + # volumes = [ "/state/services/home-assistant:/config" ]; + # extraOptions = [ "--network=host" "--device=/dev/ttyACM0" ]; + # }; - # shinobi = { - # image = "shinobisystems/shinobi:latest"; - # ports = [ "${shinobi-port}:8080" ]; - # volumes = [ - # "/state/shinobi/plugins:/home/Shinobi/plugins" - # "/state/shinobi/config:/home/Shinobi/config" - # "/state/shinobi/videos:/home/Shinobi/videos" - # 
"/state/shinobi/db-data:/var/lib/mysql" - # "/etc/localtime:/etc/localtime:ro" - # ]; - # }; + # # shinobi = { + # # image = "shinobisystems/shinobi:latest"; + # # ports = [ "${shinobi-port}:8080" ]; + # # volumes = [ + # # "/state/shinobi/plugins:/home/Shinobi/plugins" + # # "/state/shinobi/config:/home/Shinobi/config" + # # "/state/shinobi/videos:/home/Shinobi/videos" + # # "/state/shinobi/db-data:/var/lib/mysql" + # # "/etc/localtime:/etc/localtime:ro" + # # ]; + # # }; - # shinobi-od = { - # image = "shinobisystems/shinobi-tensorflow:latest"; - # volumes = - # [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ]; - # ports = [ "${shinobi-od-port}:8082" ]; - # environment = { - # PLUGIN_HOST = "panopticon.sea.fudo.org"; - # PLUGIN_PORT = shinobi-port; - # PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3"; - # }; - # }; + # # shinobi-od = { + # # image = "shinobisystems/shinobi-tensorflow:latest"; + # # volumes = + # # [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ]; + # # ports = [ "${shinobi-od-port}:8082" ]; + # # environment = { + # # PLUGIN_HOST = "panopticon.sea.fudo.org"; + # # PLUGIN_PORT = shinobi-port; + # # PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3"; + # # }; + # # }; - # photoprism = { image = "photoprism/photoprism"; }; - }; - }; - }; + # # photoprism = { image = "photoprism/photoprism"; }; + # }; + # }; + # }; } diff --git a/config/host-config/legatus.nix b/config/host-config/legatus.nix index e4e3b8c..a16dc0c 100644 --- a/config/host-config/legatus.nix +++ b/config/host-config/legatus.nix @@ -31,9 +31,7 @@ in { security.acme.email = "admin@legatus.fudo.org"; - systemd.tmpfiles.rules = [ - "L /etc/adjtime - - - - /state/etc/adjtime" - ]; + systemd.tmpfiles.rules = [ "L /etc/adjtime - - - - /state/etc/adjtime" ]; environment.systemPackages = local-packages; @@ -57,7 +55,7 @@ in { # # }; # }; - fudo = { + fudo = { hosts.legatus.external-interfaces = [ "extif0" ]; services = { 
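Review bot: The commented-out `shinobi-od` block still carries `PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3"`, so a credential remains readable in the working tree and in every clone regardless of the `#` markers. Since the whole nginx and virtualisation stanza is being disabled rather than deleted, consider removing the dead block outright (git history keeps it) and treating that key as exposed, rotating it on the Shinobi side if it is still valid. Disabling ~60 lines by commenting them out also gives the next reader no hint why; a one-line note such as `# home-assistant/nginx disabled on lambda — see commit "Upgrade to 22.05"` at the top of the block would carry that context. The `in {` attribute set this lives in starts above the hunk.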
@@ -69,10 +67,14 @@ in { ipropd-keytab = host-secrets.heimdal-ipropd-keytab.target-file; }; }; + + chat = { + state-directory = "/state/services/chat"; + external-interface = "extif0"; + }; }; - secrets.host-secrets.legatus = let - files = config.fudo.secrets.files; + secrets.host-secrets.legatus = let files = config.fudo.secrets.files; in { # postgres-keytab = { # source-file = files.service-keytabs.procul.postgres; diff --git a/config/host-config/nostromo.nix b/config/host-config/nostromo.nix index 5259e51..8a78ae3 100644 --- a/config/host-config/nostromo.nix +++ b/config/host-config/nostromo.nix @@ -24,20 +24,24 @@ in { # Hopefully this'll help with NFS... boot.kernelModules = [ "rpcsec_gss_krb5" ]; - services.nfs = { - # See ../user-config.nix for the user@REALM -> user mapping - server = { - enable = true; - createMountPoints = false; - exports = let - exportList = [ - "/export/documents 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=10,sec=krb5p)" - "/export/downloads 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=11,sec=krb5i)" - "/export/projects 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=12,sec=krb5p)" - ]; - in '' - ${concatStringsSep "\n" exportList} - ''; + services = { + murmur.enable = true; + + nfs = { + # See ../user-config.nix for the user@REALM -> user mapping + server = { + enable = true; + createMountPoints = false; + exports = let + exportList = [ + "/export/documents 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=10,sec=krb5p)" + "/export/downloads 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=11,sec=krb5i)" + "/export/projects 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=12,sec=krb5p)" + ]; + in '' + ${concatStringsSep "\n" exportList} + ''; + }; }; }; diff --git a/config/host-config/procul.nix b/config/host-config/procul.nix index b0c8154..0865c8f 100644 --- a/config/host-config/procul.nix +++ b/config/host-config/procul.nix 
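Review bot: `murmur.enable = true;` in the nostromo.nix hunk is added with no other murmur settings, so the Mumble server runs with the module defaults, which include an empty server password; anyone who can reach the listening port can join, and whether the host firewall limits that is not visible here. If the server is meant for the local users only, set `services.murmur.password` (from a secret file rather than inline) or restrict access by registered certificate, and check the module's firewall option against the intended network. The `nfs` block is only re-nested under `services = { ... }` and is otherwise unchanged, so its export options are outside this hunk's scope.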
@@ -12,8 +12,7 @@ let site = config.fudo.sites.${site-name}; host-fqdn = "${hostname}.${domain-name}"; - local-networks = - domain.local-networks ++ site.local-networks; + local-networks = domain.local-networks ++ site.local-networks; local-packages = with pkgs; [ ldns.examples ]; @@ -23,10 +22,9 @@ let host-certs = config.fudo.acme.host-domains.${hostname}; - grafana-database-password = - pkgs.lib.passwd.stablerandom-passwd-file - "grafana-database-password-${hostname}" - "grafana-database-password-${hostname}-${config.instance.build-seed}"; + grafana-database-password = pkgs.lib.passwd.stablerandom-passwd-file + "grafana-database-password-${hostname}" + "grafana-database-password-${hostname}-${config.instance.build-seed}"; in { networking = { @@ -136,8 +134,7 @@ in { # }; }; - secrets.host-secrets.procul = let - files = config.fudo.secrets.files; + secrets.host-secrets.procul = let files = config.fudo.secrets.files; in { # postgres-keytab = { # source-file = files.service-keytabs.procul.postgres; @@ -199,9 +196,7 @@ in { allowed-networks = [ "1.1.1.1/32" "1.0.0.1/32" "localhost" "link-local" ]; }; - services.mail-server = { - state-directory = "/srv/mailserver"; - }; + services.mail-server = { state-directory = "/srv/mailserver"; }; # mail-server = { # enable = true; @@ -257,6 +252,7 @@ in { state-directory = "/var/lib/kerberos"; master-key-file = host-secrets.heimdal-master-key.target-file; }; + ldap.state-directory = "/state/services/ldap"; }; dns.zones."informis.land" = { enable = true; @@ -303,8 +299,7 @@ in { }; gituser = { - password-file = - host-secrets.postgres-gitea-password.target-file; + password-file = host-secrets.postgres-gitea-password.target-file; databases = { git = { access = "CONNECT"; 
@@ -332,8 +327,7 @@ in { state-dir = "/srv/git/state"; database = { user = "gituser"; - password-file = - host-secrets.gitea-database-password.target-file; + password-file = host-secrets.gitea-database-password.target-file; hostname = "127.0.0.1"; name = "git"; }; diff --git a/config/host-config/wormhole0.nix b/config/host-config/wormhole0.nix index 42924f0..8fb58b1 100644 --- a/config/host-config/wormhole0.nix +++ b/config/host-config/wormhole0.nix @@ -2,6 +2,7 @@ with lib; let + hostname = "wormhole0"; primary-ip = "10.0.0.3"; state-dir = "/state"; zigbee2mqtt-statedir = "${state-dir}/services/zigbee2mqtt"; @@ -13,19 +14,17 @@ let mosquitto-user = config.systemd.services.mosquitto.serviceConfig.User; zigbee2mqtt-passwd-file = - pkgs.lib.passwd.random-passwd-file "zigbee2mqtt-passwd" 20; - - home-assistant-passwd-file = - pkgs.lib.passwd.stablerandom-passwd-file "home-assistant-passwd" + pkgs.lib.passwd.stablerandom-passwd-file "zigbee2mqtt-passwd" config.instance.build-seed; - host-secrets = config.fudo.secrets.host-secrets.wormhole0; + host-secrets = config.fudo.secrets.host-secrets.${hostname}; + host-passwds = config.fudo.secrets.files.service-passwords.${hostname}; in { boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; }; networking = { - hostName = "wormhole0"; + hostName = hostname; firewall.enable = false; 
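Review bot: In the wormhole0.nix hunk at `@@ -13,19 +14,17 @@`, `zigbee2mqtt-passwd-file` switches from `random-passwd-file "zigbee2mqtt-passwd" 20` to `stablerandom-passwd-file "zigbee2mqtt-passwd" config.instance.build-seed`, so the broker password for zigbee2mqtt is now a deterministic function of the build seed instead of fresh randomness. That is presumably intended so the password survives rebuilds, but it makes the password only as secret as the seed and as strong as the derivation inside `stablerandom-passwd-file` (not visible here); if the seed is shared between hosts or kept next to the configuration, every password derived from it falls together. A short comment stating the trade-off would help the next reader, e.g. `# derived from build-seed so the MQTT password is stable across rebuilds; the seed must stay secret`. The enclosing `let` block starts above the hunk.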
@@ -55,17 +54,27 @@ in { dhcpcd.extraConfig = concatStringsSep "\n" [ "nogateway" ]; }; - fudo.secrets.host-secrets.wormhole0 = { + fudo.secrets.host-secrets.${hostname} = { mosquitto-zigbee2mqtt-passwd = { source-file = zigbee2mqtt-passwd-file; target-file = "/run/mosquitto-secrets/zigbee2mqtt.passwd"; user = mosquitto-user; }; mosquitto-home-assistant-passwd = { - source-file = home-assistant-passwd-file; + source-file = host-passwds.mosquitto-home-assistant; target-file = "/run/mosquitto-secrets/home-assistant.passwd"; user = mosquitto-user; }; + mosquitto-niten-passwd = { + source-file = host-passwds.mosquitto-niten; + target-file = "/run/mosquitto-secrets/niten.passwd"; + user = mosquitto-user; + }; + mosquitto-xiaoxuan-passwd = { + source-file = host-passwds.mosquitto-xiaoxuan; + target-file = "/run/mosquitto-secrets/xiaoxuan.passwd"; + user = mosquitto-user; + }; }; systemd = { @@ -82,9 +91,14 @@ in { }; }; - zigbee2mqtt.after = - [ config.fudo.secrets.secret-target "mosquitto.service" ]; - mosquitto.after = [ config.fudo.secrets.secret-target ]; + zigbee2mqtt = { + after = [ config.fudo.secrets.secret-target "mosquitto.service" ]; + restartIfChanged = true; + }; + mosquitto = { + after = [ config.fudo.secrets.secret-target ]; + restartIfChanged = true; + }; }; tmpfiles.rules = [ @@ -104,7 +118,6 @@ in { in { dialout.members = [ zigbee2mqtt-user ]; }; services = { - blueman.enable = true; openssh.hostKeys = [ { path = "${state-dir}/ssh/ssh_host_rsa_key"; @@ -148,6 +161,14 @@ in { host-secrets.mosquitto-home-assistant-passwd.target-file; acl = [ "readwrite #" ]; }; + niten = { + passwordFile = host-secrets.mosquitto-niten-passwd.target-file; + acl = [ "readwrite #" ]; + }; + xiaoxuan = { + passwordFile = host-secrets.mosquitto-xiaoxuan-passwd.target-file; + acl = [ "readwrite #" ]; + }; }; }]; }; 
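Review bot: In the hunk at `@@ -148,6 +161,14 @@`, the new `niten` and `xiaoxuan` Mosquitto users get `acl = [ "readwrite #" ]`, the same full-broker access as the home-assistant service account. Interactive client accounts usually need only the topic prefixes they actually publish or subscribe to (for example `readwrite <prefix>/#` with the real prefix substituted), which bounds what a leaked client password can do to the zigbee2mqtt and home-assistant traffic on this broker. The matching `mosquitto-niten-passwd` and `mosquitto-xiaoxuan-passwd` entries in `fudo.secrets.host-secrets.${hostname}` follow the existing pattern and look fine.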
@@ -155,6 +176,7 @@ in { zigbee2mqtt = { enable = true; dataDir = zigbee2mqtt-statedir; + package = pkgs.pkgsUnstable.zigbee2mqtt; settings = { homeassistant = true; permit_join = true; @@ -167,8 +189,15 @@ in { # described https://www.zigbee2mqtt.io/guide/configuration/mqtt.html#server-connection # Weird, though. }; + advanced.log_level = "debug"; }; }; + + avahi = { + enable = true; + reflector = true; + interfaces = [ "intif0" "worm0" ]; + }; }; virtualisation = { diff --git a/config/host-config/wormhole0/converters/AQSZB-110.js b/config/host-config/wormhole0/converters/AQSZB-110.js new file mode 100644 index 0000000..1b7b946 --- /dev/null +++ b/config/host-config/wormhole0/converters/AQSZB-110.js @@ -0,0 +1,11 @@ +const definition = { + zigbeeModel: ['AQSZB-110'], + model: 'AQSZB-110', + vendor: 'Frient', + description: 'Frient Air Quarity Sensor', + fromZigbee: [fz.temperature], + toZigbee: [], + exposes: [e.battery(), e.temperature(), e.humidity()], +}; + +module.exports = definition; diff --git a/config/profile-config/common-ui.nix b/config/profile-config/common-ui.nix index 1656f79..d321c6c 100644 --- a/config/profile-config/common-ui.nix +++ b/config/profile-config/common-ui.nix @@ -51,7 +51,13 @@ in { }; pulse.enable = true; jack.enable = true; + media-session = { + enable = true; + config.alsa-monitor = { api.alsa.headroom = 1024; }; + }; }; + + udev.packages = with pkgs; [ via ]; }; security = { diff --git a/config/profile-config/desktop.nix b/config/profile-config/desktop.nix index f3adc22..628dcd8 100644 --- a/config/profile-config/desktop.nix +++ b/config/profile-config/desktop.nix @@ -1,7 +1,6 @@ { config, lib, pkgs, ... }: -with lib; -{ +with lib; { imports = [ ./common-ui.nix ]; networking.networkmanager.enable = mkForce false; diff --git a/config/profile-config/server.nix b/config/profile-config/server.nix index 720ed0a..3d61704 100644 --- a/config/profile-config/server.nix +++ b/config/profile-config/server.nix 
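Review bot: `advanced.log_level = "debug";` in the hunk at `@@ -167,8 +189,15 @@` turns on zigbee2mqtt's most verbose logging on a long-running service, so the journal now records every MQTT message and device payload the bridge handles; that is reasonable while chasing a problem but should not become the steady state, so either drop it or mark it, e.g. `advanced.log_level = "debug"; # TEMP: debugging, revert to "info"`. In the same hunk `avahi.reflector = true` over `intif0` and `worm0` re-broadcasts mDNS between those two networks, so every service advertised on one becomes discoverable on the other; confirm that is the intended trust relationship and record it in a comment. `package = pkgs.pkgsUnstable.zigbee2mqtt` relies on the `pkgsUnstable` overlay introduced in flake.nix, which is worth noting next to it since the two files will otherwise drift independently.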
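Review bot: `fz` and `e` are referenced but never defined in AQSZB-110.js, so as written the converter throws a ReferenceError the moment zigbee2mqtt loads it; external converters normally import both from `zigbee-herdsman-converters` at the top of the file. The `exposes` list also advertises `e.battery()` and `e.humidity()` while `fromZigbee` only contains `fz.temperature`, so the battery and humidity attributes will never be populated — add the matching `fromZigbee` converters or drop those exposes. `description` has a typo (`Quarity` → `Quality`).
```javascript
const fz = require('zigbee-herdsman-converters/converters/fromZigbee');
const exposes = require('zigbee-herdsman-converters/lib/exposes');
const e = exposes.presets;
// … unchanged: definition header (zigbeeModel, model, vendor) …
    description: 'Frient Air Quality Sensor',
    fromZigbee: [fz.temperature, fz.humidity, fz.battery],
// … unchanged: toZigbee, exposes, module.exports …
```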
@@ -47,13 +47,20 @@ in { config = { environment = { - systemPackages = with pkgs; - [ emacs-nox reboot-if-necessary test-config ]; + systemPackages = with pkgs; [ emacs-nox reboot-if-necessary test-config ]; }; networking.networkmanager.enable = mkForce false; - services.xserver.enable = false; + services = { + nginx = { + recommendedProxySettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedTlsSettings = true; + }; + xserver.enable = false; + }; sound.enable = false; hardware.pulseaudio.enable = false; diff --git a/config/service/chat.nix b/config/service/chat.nix new file mode 100644 index 0000000..4d0ebd7 --- /dev/null +++ b/config/service/chat.nix 
@@ -0,0 +1,149 @@ +{ config, lib, pkgs, ... }@toplevel: + +with lib; +let + cfg = config.fudo.services.chat; + + hostname = config.instance.hostname; + domain-name = config.instance.local-domain; + domain = config.fudo.domains.${domain-name}; + chat-server = domain.chat-server; + isChatServer = hostname == chat-server; + chat-fqdn = "${cfg.host-alias}.${domain-name}"; + mail-server = "mail.${domain-name}"; + + host-ip = "192.168.19.1"; + container-ip = "192.168.19.2"; + + host-secrets = config.fudo.secrets.host-secrets.${hostname}; + + seed = config.instance.build-seed; + + mattermost-mail-passwd-file = + pkgs.lib.passwd.stablerandom-passwd-file "mattermost-email" seed; + +in { + options.fudo.services.chat = with types; { + host-alias = mkOption { + type = str; + description = "CNAME to use for the chat server."; + default = "chat"; + }; + + site-name = mkOption { + type = str; + description = "Name of the chat site."; + default = "Fudo Chat"; + }; + + state-directory = mkOption { + type = str; + description = + "Path at which to store chat server state. 
Must be persistent."; + }; + + external-interface = mkOption { + type = str; + description = "Public-facing external interface, for outgoing traffic."; + }; + }; + + config = mkIf (chat-server != null) { + networking.nat = mkIf isChatServer { + enable = true; + internalInterfaces = [ "ve-fudo-chat" ]; + externalInterface = cfg.external-interface; + }; + + fudo = { + users.chat = { + uid = 20001; + primary-group = "fudo"; + common-name = cfg.site-name; + ldap-hashed-passwd = pkgs.lib.passwd.hash-ldap-passwd "mattermost-chat" + mattermost-mail-passwd-file; + }; + + zones.${domain.zone}.aliases.chat = + pkgs.lib.network.host-fqdn config chat-server; + }; + + systemd.tmpfiles.rules = mkIf isChatServer [ + "d ${cfg.state-directory}/mattermost 0700 - - - -" + "d ${cfg.state-directory}/postgresql 0700 - - - -" + ]; + + services.nginx = mkIf isChatServer { + enable = true; + recommendedProxySettings = true; + virtualHosts."${chat-fqdn}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://${container-ip}:1234"; + proxyWebsockets = true; + }; + }; + }; + + containers.fudo-chat = mkIf isChatServer { + ephemeral = true; + privateNetwork = true; + hostAddress = host-ip; + localAddress = container-ip; + autoStart = true; + + bindMounts = { + "/var/lib/mattermost" = { + hostPath = "${cfg.state-directory}/mattermost"; + isReadOnly = false; + }; + "/var/lib/postgresql" = { + hostPath = "${cfg.state-directory}/postgresql"; + isReadOnly = false; + }; + }; + + config = { config, lib, ... 
}: { + networking = { + defaultGateway = host-ip; + firewall.enable = false; + }; + + systemd.tmpfiles.rules = [ + "d /var/lib/mattermost 700 ${config.services.mattermost.user} - - -" + "d /var/lib/postgresql 700 ${config.systemd.services.postgresql.serviceConfig.User} - - -" + ]; + + services = { + postgresql.dataDir = "/var/lib/postgresql"; + + mattermost = { + enable = true; + siteUrl = "https://${chat-fqdn}"; + siteName = cfg.site-name; + statePath = "/var/lib/mattermost"; + listenAddress = "${container-ip}:1234"; + localDatabaseCreate = true; + extraConfig = { + EmailSettings = { + RequireEmailVerification = true; + SMTPServer = mail-server; + SMTPPort = "587"; + ConnectionSecurity = "STARTTLS"; + EnableSMTPAuth = true; + SMTPUsername = "chat"; + # TODO: Ugh + SMTPPassword = readFile mattermost-mail-passwd-file; + SendEmailNotifications = true; + FeedbackEmail = "chat@${domain-name}"; + FeedbackName = cfg.site-name; + }; + EnableEmailNotifications = true; + }; + }; + }; + }; + }; + }; +} diff --git a/config/services.nix b/config/services.nix index 3ac9723..5d11550 100644 --- a/config/services.nix +++ b/config/services.nix @@ -3,6 +3,7 @@ { imports = [ ./service/backplane.nix + ./service/chat.nix ./service/chute.nix ./service/dns.nix ./service/fudo-auth.nix diff --git a/config/site-config/seattle.nix b/config/site-config/seattle.nix index 1afa97a..13b3b0f 100644 --- a/config/site-config/seattle.nix +++ b/config/site-config/seattle.nix 
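Review bot: `SMTPPassword = readFile mattermost-mail-passwd-file;` copies the secret into `extraConfig`, and as far as I recall the Mattermost module serialises that attribute set into a config file in the Nix store, so the SMTP password — and, via `hash-ldap-passwd "mattermost-chat" mattermost-mail-passwd-file`, the chat user's LDAP credential — becomes world-readable on every host that evaluates this module; the `# TODO: Ugh` above it acknowledges the problem. Mattermost honours `MM_EMAILSETTINGS_SMTPPASSWORD` from its environment, so the password can instead be delivered at runtime through a systemd `EnvironmentFile` pointing at a `host-secrets` target file (or the module's environment-file option if this nixpkgs provides one), with the `SMTPPassword` key removed from `extraConfig`. Note too that the password is derived from `config.instance.build-seed`, so its secrecy is bounded by the seed's.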
@@ -77,110 +77,97 @@ in { }; }; - systemd = { - # paths.host-keytab-modified = { - # wantedBy = [ "multi-user.target" ]; - # pathConfig = { - # PathChanged = "/etc/krb5.keytab"; - # Unit = "host-keytab-modified.service"; - # }; - # }; - - # services.host-keytab-modified = { - # description = "Operations to execute when keytab is changed."; - # script = "${pkgs.systemd}/bin/systemctl restart rpc-gssd.service"; - # }; - - services = { - # host-keytab-watcher = { - # wantedBy = [ "rpc-gssd.service" "rpc-svcgssd.service" ]; - # before = [ "rpc-gssd.service" "rpc-svcgssd.service" ]; - # serviceConfig = { - # ExecStart = "${pkgs.coreutils}/bin/sleep 500"; - # TimeoutStartSec = "3600"; - # RemainAfterExit = true; - # }; - # }; - - rpc-gssd = { - after = [ config.fudo.secrets.secret-target ]; - unitConfig = { ConditionPathExists = mkForce [ ]; }; + systemd.services = { + host-keytab-watcher = { + wantedBy = [ + "rpc-gssd-override.service" + "rpc-svcgssd-override.service" + "auth-rpcgss-module.service" + ]; + before = [ + "rpc-gssd-override.service" + "rpc-svcgssd-override.service" + "auth-rpcgss-module.service" + ]; + after = [ config.fudo.secrets.secret-target ]; + serviceConfig = { + ExecStartPre = "${pkgs.coreutils}/bin/test -f /etc/krb5.keytab"; + ExecStart = "${pkgs.coreutils}/bin/true"; + TimeoutStartSec = "360"; + RemainAfterExit = true; + Restart = "on-failure"; + RestartSec = "2"; }; - rpc-svcgssd = { - after = [ config.fudo.secrets.secret-target ]; - unitConfig = { ConditionPathExists = mkForce [ ]; }; + }; + + auth-rpcgss-module.enable = false; + rpc-gssd.enable = false; + rpc-svcgssd.enable = false; + + auth-rpcgss-module-override = { + description = "Kernel Module supporting RPCSEC_GSS"; + before = [ + "gssproxy.service" + "rpc-svcgssd-override.service" + "rpc-gssd-override.service" + ]; + wantedBy = [ "nfs-client.target" "nfs-server.target" ]; + wants = [ + "gssproxy.service" + "rpc-svcgssd-override.service" + "rpc-gssd-override.service" + 
"host-keytab-watcher.service" + ]; + after = [ "host-keytab-watcher.service" ]; + partOf = [ "nfs-utils.service" "nfs-server.service" ]; + unitConfig = { + DefaultDependencies = false; + ConditionPathExists = + [ "|!/run/gssproxy.pid" "|!/proc/net/rpc/use-gss-proxy" ]; + }; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.kmod}/bin/modprobe -q auth_rpcgss"; + RemainAfterExit = true; + }; + }; + + rpc-gssd-override = { + description = "RPC security service for NFS client and server"; + wantedBy = [ "auth-rpcgss-module.service" ]; + conflicts = [ "umount.target" ]; + after = [ "host-keytab-watcher.service" "rpc_pipefs.target" ]; + wants = [ "host-keytab-watcher.service" ]; + requires = [ "rpc_pipefs.target" ]; + partOf = [ "nfs-utils.service" ]; + unitConfig.DefaultDependencies = false; + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.nfs-utils}/bin/rpc.gssd"; + }; + }; + + rpc-svcgssd-override = { + description = "RPC security service for NFS server"; + wantedBy = [ "auth-rpcgss-module.service" ]; + after = + [ "host-keytab-watcher.service" "local-fs.target" "gssproxy.service" ]; + wants = [ "host-keytab-watcher.service" ]; + partOf = [ "nfs-utils.service" "nfs-server.service" ]; + unitConfig = { + DefaultDependencies = false; + ConditionPathExists = + [ "|!/run/gssproxy.pid" "|!/proc/net/rpc/use-gss-proxy" ]; + }; + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.nfs-utils}/bin/rpc.svcgssd"; }; }; }; - # systemd = { - # ## This fails if the filesystems already exist - # # tmpfiles.rules = [ - # # "d /net/documents - root sea-documents - -" - # # "d /net/downloads - root sea-downloads - -" - # # "d /net/projects - root sea-projects - -" - # # ]; - - # mounts = let - # mkOpts = - # concatStringsSep ","; - # in [ - # { - # enable = true; - # what = "nostromo.${local-domain}:/export/documents"; - # where = "/net/documents"; - # type = "nfs"; - # options = mkOpts [ - # "vers=4" - # "minorversion=2" - # "sec=krb5p" - # 
"x-systemd.automount" - # "proto=tcp" - # ]; - # description = "sea-store documents on encrypted filesysem."; - # } - # { - # enable = true; - # what = "nostromo.${local-domain}:/export/downloads"; - # where = "/net/downloads"; - # type = "nfs"; - # options = mkOpts [ - # "vers=4" - # "minorversion=2" - # "sec=krb5i" - # "x-systemd.automount" - # "proto=tcp" - # ]; - # description = "sea-store downloads on encrypted filesysem."; - # } - # { - # enable = true; - # what = "nostromo.${local-domain}:/export/projects"; - # where = "/net/projects"; - # type = "nfs"; - # options = mkOpts [ - # "vers=4" - # "minorversion=2" - # "sec=krb5p" - # "x-systemd.automount" - # "proto=tcp" - # ]; - # description = "sea-store projects on encrypted filesysem."; - # } - # ]; - # }; - services.printing = { enable = true; - drivers = [ - # pkgs.brlaser - # pkgs.brgenml1lpr - pkgs.brgenml1cupswrapper - # pkgs.hll2380dw-cups - - # pkgs.hll2380dw-lpr - ]; + drivers = [ pkgs.brgenml1cupswrapper ]; }; - - # environment.systemPackages = with pkgs; [ hll2380dw-cups ]; } diff --git a/config/users.nix b/config/users.nix index cabed99..2573088 100644 --- a/config/users.nix +++ b/config/users.nix @@ -470,12 +470,12 @@ }; # Used to send messages from the chat server - chat = { - uid = 10111; - primary-group = "fudo"; - common-name = "Fudo Chat"; - ldap-hashed-passwd = "{SSHA}XDYAM2JE4PXssywRzO4tVSbn5lUZOgg7"; - }; + # chat = { + # uid = 10111; + # primary-group = "fudo"; + # common-name = "Fudo Chat"; + # ldap-hashed-passwd = "{SSHA}XDYAM2JE4PXssywRzO4tVSbn5lUZOgg7"; + # }; kevinyinjunjie = { uid = 10112; 
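Review bot: `host-keytab-watcher` combines `Restart = "on-failure"` and `RestartSec = "2"` with systemd's default start-rate limit (5 starts per 10 s), so when `/etc/krb5.keytab` is not yet present the `ExecStartPre` test fails, the unit restarts every 2 s, and after five attempts systemd stops restarting it for good — the opposite of a watcher meant to wait up to `TimeoutStartSec = "360"`. Adding `unitConfig.StartLimitIntervalSec = 0;` (or a `StartLimitBurst` sized for the expected wait) keeps the retry loop alive until the keytab appears. Separately, `rpc-gssd-override`, `rpc-svcgssd-override` and `host-keytab-watcher` list `auth-rpcgss-module.service` in `wantedBy`/`before`, but that unit is disabled in this same hunk (`auth-rpcgss-module.enable = false;`), so those entries are dead and presumably should name `auth-rpcgss-module-override.service`; the units are still pulled in through that override unit's `wants`, so this is a consistency issue rather than a breakage.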
@@ -507,5 +507,15 @@ "$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/"; email = "viator@informis.land"; }; + + jasper = { + uid = 10116; + primary-group = "selby"; + common-name = "Jasper"; + login-hashed-passwd = + "$6$ggREeoA2HUmXDDbh$zPEyroAAiSPKseTb.qt4ByLaYBhV08x0hqOz4dnt4wEqcaWtOpBt3UoTpHxyDc2/inMzkRggBwfr.Zm0vI7mp1"; + ldap-hashed-passwd = "{SSHA}5OCmPaKrkEG3Q4DOWibsPweuBShsMAz2"; + email = "jasper@selby.ca"; + }; }; } diff --git a/configuration.nix b/configuration.nix index e8e6b69..4ed8b18 100644 --- a/configuration.nix +++ b/configuration.nix @@ -7,9 +7,8 @@ let in { imports = [ (initialize { - hostname = local.hostname; + inherit (local) pkgs hostname; home-manager-package = ; - pkgs = pkgs; include-secrets = false; }) ]; diff --git a/flake.lock b/flake.lock index c592826..c99ff8b 100644 --- a/flake.lock +++ b/flake.lock @@ -162,11 +162,11 @@ "rotate-text": "rotate-text" }, "locked": { - "lastModified": 1645751511, - "narHash": "sha256-i3cMaHdaxwfeJEKVgk3Sxx/IRfjwNcThaCMcq4uv9jg=", + "lastModified": 1649509049, + "narHash": "sha256-gLmRO2gPqjLPmFBhgFkl1nbBzJlNV0lmXMzapbw9qac=", "owner": "nix-community", "repo": "nix-doom-emacs", - "rev": "ef434602f6f2a8b469d1b01f9edff4f5b6d7f555", + "rev": "f3f40f333c3214c9614c23b6abd1ae498af3e5b5", "type": "github" }, "original": { @@ -195,11 +195,11 @@ "doom-snippets": { "flake": false, "locked": { - "lastModified": 1645652740, - "narHash": "sha256-ci5QsTkzmfSd7Pfoe+RActuSOmMY2TvJL7f2giCwNEI=", + "lastModified": 1646222996, + "narHash": "sha256-YhOnoNSpmcKNJg+aS/829zqXStMkKWXWf1pulHEBcpQ=", "owner": "hlissner", "repo": "doom-snippets", - "rev": "02aca23fef94fc7a58836fd1812d62e731249fa3", + "rev": "f61c23ece1ad47c0522059ac45085fd283ce4452", "type": "github" }, "original": { 
@@ -211,11 +211,11 @@ "emacs-overlay": { "flake": false, "locked": { - "lastModified": 1645953123, - "narHash": "sha256-Be06ikbfQTuRwsU6nxNbMSvSUOzmGzDOLBKXFMekrcA=", + "lastModified": 1649586061, + "narHash": "sha256-gFAHrrY0i71WIP16FGo3pgNKTZ5m5L6FtQsOYpne9gk=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "058e38892484c1ab517c890b0aaee5d53565a494", + "rev": "16262a84ef07fb0e8cfc592b65d786b086840065", "type": "github" }, "original": { @@ -388,11 +388,11 @@ ] }, "locked": { - "lastModified": 1649111994, - "narHash": "sha256-KVRN3pahTca8gCcppDgr+hY+6xeCL0nQUpLT/l2uGS8=", + "lastModified": 1653253887, + "narHash": "sha256-Z88Ck6nCW+zOfsxtHa+7hB2uPPuHotAkpRZqE2KoyF8=", "ref": "master", - "rev": "1e478f59eaadd1b3e857045ad812b45c9bad238f", - "revCount": 89, + "rev": "52b7da1ceccb919787685875a21a1d2356c6cc1f", + "revCount": 93, "type": "git", "url": "https://git.fudo.org/fudo-nix/entities.git" }, @@ -413,11 +413,11 @@ ] }, "locked": { - "lastModified": 1649445221, - "narHash": "sha256-g2QZSTNDv42oxFI1+zt/rGIvPHM52RZ8olPFru/7Mnc=", + "lastModified": 1654020774, + "narHash": "sha256-iOdg/2Jl3Mh1UiJF8vLvW5KnJ5osGJIukmL/7F6RQ3k=", "ref": "master", - "rev": "8d94134bff85ed39d371b7dd895a9265c5b161b2", - "revCount": 138, + "rev": "b9db0696c37275021c3fcbf810cd42522ebc405b", + "revCount": 160, "type": "git", "url": "https://git.fudo.org/fudo-nix/home.git" }, @@ -443,7 +443,7 @@ }, "fudo-lib_2": { "locked": { - "narHash": "sha256-fBiGlPgqsl5t08IlV1sehtAaOAI2eJqCXKQgdnwMzy0=", + "narHash": "sha256-IZsP2NrqUbz0p3KeTnT7U8RjvSkHODmJTePBSGNmlxw=", "path": "/state/fudo-lib", "type": "path" }, 
@@ -454,11 +454,11 @@ }, "fudo-pkgs": { "locked": { - "lastModified": 1643841844, - "narHash": "sha256-rmTIL94RQQaFhMHCopmeFUVAoP71nSA6sB46riDq2Ik=", + "lastModified": 1648662131, + "narHash": "sha256-wOJyR8xFQQhZ7gjK+sj3rJND8ORIHPuINNfQsdjM0BE=", "ref": "master", - "rev": "7e02ad0e7d9ac42605ed318e9d76364ec1d339ec", - "revCount": 41, + "rev": "c5180cbacd66673a3e8fcd0ce2c4abff119bbe93", + "revCount": 54, "type": "git", "url": "https://git.fudo.org/fudo-nix/pkgs.git" }, @@ -497,7 +497,7 @@ "ssh-keypairs": "ssh-keypairs" }, "locked": { - "narHash": "sha256-sDzbS0AnaNCrdiYR3oEsFljzxw128JsVx4exBNAjZo0=", + "narHash": "sha256-N3N5RSPFSF/+tA3uqnBkhiiSNzBqsWsUBLXAqG1YS7c=", "path": "/state/secrets", "type": "path" }, @@ -556,11 +556,11 @@ ] }, "locked": { - "lastModified": 1643933536, - "narHash": "sha256-yRmsWAG4DnLxLIUtlaZsl0kH7rN5xSoyNRlf0YZrcH4=", + "lastModified": 1648834319, + "narHash": "sha256-i5Aj4Aw64D/A0X6XW5LxSS4XBnYj7gMz+kN4dpsbdk8=", "owner": "nix-community", "repo": "home-manager", - "rev": "2860d7e3bb350f18f7477858f3513f9798896831", + "rev": "0bdbdea2e26c984b096f4f7d10e3c88536a980b0", "type": "github" }, "original": { @@ -585,11 +585,11 @@ "niten-doom-config": { "flake": false, "locked": { - "lastModified": 1640017877, - "narHash": "sha256-9twZfDxSjX87NHzuEQXkm1Q037YS98jPQv3Hw4Uktiw=", + "lastModified": 1649611838, + "narHash": "sha256-O8+LwXi52WZHQrZRfjW+QwI99ppBiBpYQcWYNgqY+iU=", "ref": "master", - "rev": "3d990cdf82fc7d5a6c8fd033e8bcf460fb27df1b", - "revCount": 37, + "rev": "c45feb7fd8acb0730dfc76ddd993773da5411b82", + "revCount": 38, "type": "git", "url": "https://git.fudo.org/niten/doom-emacs.git" }, 
@@ -631,11 +631,11 @@ }, "nixpkgsUnstable": { "locked": { - "lastModified": 1649225869, - "narHash": "sha256-u1zLtPmQzhT9mNXyM8Ey9pk7orDrIKdwooeGDEXm5xM=", + "lastModified": 1653931853, + "narHash": "sha256-O3wncIouj9x7gBPntzHeK/Hkmm9M1SGlYq7JI7saTAE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b6966d911da89e5a7301aaef8b4f0a44c77e103c", + "rev": "f1c167688a6f81f4a51ab542e5f476c8c595e457", "type": "github" }, "original": { @@ -739,11 +739,11 @@ "org": { "flake": false, "locked": { - "lastModified": 1645557265, - "narHash": "sha256-vBOWOOfdUbvpTkqs2Lx+OCPfUdZdzAOdGxzHBSAslmo=", + "lastModified": 1646280299, + "narHash": "sha256-ZNkOfB8o2OHTh2t/ci8uv8aoV3I5IfAgIIOP3azD6eU=", "owner": "emacs-straight", "repo": "org-mode", - "rev": "282a01f22159b4855071ffd54a9ae6ce681c3690", + "rev": "91681fc03334285dc0879fcb9a27583bd7ab9782", "type": "github" }, "original": { @@ -815,11 +815,11 @@ "revealjs": { "flake": false, "locked": { - "lastModified": 1645450091, - "narHash": "sha256-3fM1hKCbuIy8HzBv9JjjZW/RwE1CKeq++delBhbSvys=", + "lastModified": 1646820626, + "narHash": "sha256-J3bcoO/42FcPIqCU7ORiV7dcvJDKtEHG8N7/stEQqDg=", "owner": "hakimel", "repo": "reveal.js", - "rev": "5e12c6aeb7a37acca7ca22c0bd29548f9ff282ea", + "rev": "37861335a225a3cc9f67e98977aceda3c2a9eca9", "type": "github" }, "original": { @@ -872,7 +872,7 @@ "service-passwords": { "flake": false, "locked": { - "narHash": "sha256-4xEJlPU+KeBtQuFqRlB1bzJMXUQ6a+DT2v3OptaHyTg=", + "narHash": "sha256-vnxG3as7SVq0yIXKsf3qHM58Sv6Dcm7NPg+kLg4QtNs=", "path": "/state/secrets/service-passwords", "type": "path" }, @@ -896,7 +896,7 @@ "ssh-keypairs": { "flake": false, "locked": { - "narHash": "sha256-TlRfaYFuJxLUCarxZ1XYnW8PruKyYO5RErVGo5hTgo4=", + "narHash": "sha256-pla2J8HmPHBVDp/2m/22lctwd6VvmJ2cik5n68jf3VY=", "path": "/state/secrets/ssh-keypairs", "type": "path" }, diff --git a/flake.nix b/flake.nix index 619a679..dd7b9e4 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,7 +2,7 @@ description = "Fudo Host Configuration"; inputs = { - nixpkgs.url = "nixpkgs/nixos-21.05"; + nixpkgs.url = "nixpkgs/nixos-22.05"; fudo-home = { url = "git+https://git.fudo.org/fudo-nix/home.git"; 
@@ -30,140 +30,122 @@ chuteUnstable.url = "git+https://git.fudo.org/chute/chute.git?ref=master"; nixpkgsUnstable.url = "nixpkgs/nixos-unstable"; + + # zigbee2mqtt-converters.url = "path:/net/projects/niten/zigbee2mqtt-converters"; }; - outputs = { self, - nixpkgs, - fudo-home, - fudo-lib, - fudo-entities, - fudo-pkgs, - fudo-secrets, - chute, - chuteUnstable, - nixpkgsUnstable, - ... } @ inputs: + outputs = { self, nixpkgs, fudo-home, fudo-lib, fudo-entities, fudo-pkgs + , fudo-secrets, chute, chuteUnstable, nixpkgsUnstable, + # zigbee2mqtt-converters, + ... }@inputs: with nixpkgs.lib; let - fudo-nixos-hosts = filterAttrs - (hostname: hostOpts: hostOpts.nixos-system) - (fudo-entities.entities.hosts); + fudo-nixos-hosts = filterAttrs (hostname: hostOpts: hostOpts.nixos-system) + fudo-entities.entities.hosts; fudo-networks = fudo-entities.entities.networks; - unstable-for = arch: import nixpkgsUnstable { - system = arch; - config = { - allowUnfree = true; - permittedInsecurePackages = [ - "openssh-with-gssapi-8.4p1" + unstable-for = arch: + import nixpkgsUnstable { + system = arch; + config = { + allowUnfree = true; + permittedInsecurePackages = [ "openssh-with-gssapi-8.4p1" ]; + }; + }; + + pkgs-for = arch: + let unstable = unstable-for arch; + in import nixpkgs { + system = arch; + config = { + allowUnfree = true; + permittedInsecurePackages = [ "openssh-with-gssapi-8.4p1" ]; + }; + overlays = [ + fudo-lib.overlay + fudo-pkgs.overlay + (final: prev: { + chute = chute.packages.${arch}.chute; + chuteUnstable = chuteUnstable.packages.${arch}.chute; + }) + (final: prev: { pkgsUnstable = unstable; }) + (final: prev: { nyxt = unstable.nyxt; }) ]; }; - }; - pkgs-for = arch: let - unstable = unstable-for arch; - in import nixpkgs { - system = arch; - config = { - allowUnfree = true; - permittedInsecurePackages = [ - "openssh-with-gssapi-8.4p1" + latest-modified-timestamp = head (sort (a: b: a > b) + (map (input: toInt input.lastModifiedDate) + (filter (input: hasAttr 
"lastModifiedDate" input) + (attrValues inputs)))); + + concat-timestamp = timestamp: toInt (substring 0 10 (toString timestamp)); + + common-host-config = hostname: hostOpts: + let + config-dir = ./config; + build-timestamp = concat-timestamp latest-modified-timestamp; + in { config, ... }: { + imports = [ + fudo-home.nixosModule + fudo-secrets.nixosModule + fudo-lib.nixosModule + fudo-entities.nixosModule + + # zigbee2mqtt-converters.nixosModule + + ./config + (config-dir + "/hardware/${hostname}.nix") + (config-dir + "/host-config/${hostname}.nix") + (config-dir + "/profile-config/${hostOpts.profile}.nix") + (config-dir + "/domain-config/${hostOpts.domain}.nix") + (config-dir + "/site-config/${hostOpts.site}.nix") ]; - }; - overlays = [ - fudo-lib.overlay - fudo-pkgs.overlay - (final: prev: { - chute = chute.packages.${arch}.chute; - chuteUnstable = chuteUnstable.packages.${arch}.chute; - }) - (final: prev: { - nyxt = unstable.nyxt; - }) - ]; - }; - latest-modified-timestamp = head - (sort (a: b: a > b) - (map (input: toInt input.lastModifiedDate) - (filter (input: hasAttr "lastModifiedDate" input) - (attrValues inputs)))); - - concat-timestamp = timestamp: - toInt (substring 0 10 (toString timestamp)); - - common-host-config = hostname: hostOpts: let - config-dir = ./config; - build-timestamp = - concat-timestamp latest-modified-timestamp; - in { config, ... 
}: { - imports = [ - fudo-home.nixosModule - fudo-secrets.nixosModule - fudo-lib.nixosModule - fudo-entities.nixosModule - - ./config - (config-dir + /hardware/${hostname}.nix) - (config-dir + /host-config/${hostname}.nix) - (config-dir + /profile-config/${hostOpts.profile}.nix) - (config-dir + /domain-config/${hostOpts.domain}.nix) - (config-dir + /site-config/${hostOpts.site}.nix) - ]; - - config = let - pkgs = pkgs-for hostOpts.arch; - in { - instance = let - build-seed = builtins.readFile - config.fudo.secrets.files.build-seed; + config = let pkgs = pkgs-for hostOpts.arch; in { - inherit hostname build-timestamp build-seed; - }; + instance = let + build-seed = + builtins.readFile config.fudo.secrets.files.build-seed; + in { inherit hostname build-timestamp build-seed; }; - environment.etc.nixos-live.source = ./.; + environment.etc.nixos-live.source = ./.; - nix = { - registry = { - nixpkgs.flake = nixpkgs; - fudo-nixos.flake = self; - fudo-entities.flake = fudo-entities; - fudo-lib.flake = fudo-lib; - fudo-pkgs.flake = fudo-pkgs; + nix = { + registry = { + nixpkgs.flake = nixpkgs; + fudo-nixos.flake = self; + fudo-entities.flake = fudo-entities; + fudo-lib.flake = fudo-lib; + fudo-pkgs.flake = fudo-pkgs; + }; + nixPath = let lib = nixpkgs.lib; + in lib.mkDefault (lib.mkBefore [ "nixpkgs=${nixpkgs}" ]); }; - nixPath = let - lib = nixpkgs.lib; - in lib.mkDefault (lib.mkBefore [ - "nixpkgs=${nixpkgs}" - ]); + + nixpkgs.pkgs = pkgs; }; - - nixpkgs.pkgs = pkgs; }; - }; - nixos-host-config = hostname: hostOpts: let - system = hostOpts.arch; - in nixosSystem { - inherit system; - modules = [ - (common-host-config hostname hostOpts) - ]; - }; + nixos-host-config = hostname: hostOpts: + let system = hostOpts.arch; + in nixosSystem { + inherit system; + modules = [ (common-host-config hostname hostOpts) ]; + }; - nixops-host-config = hostname: hostOpts: let - zone-hosts = fudo-entities.entities.zones.${hostOpts.domain}.hosts; - in { - imports = [ - (common-host-config 
hostname hostOpts) + nixops-host-config = hostname: hostOpts: + let zone-hosts = fudo-entities.entities.zones.${hostOpts.domain}.hosts; + in { + imports = [ + (common-host-config hostname hostOpts) - ({ ... }: { - config.deployment.targetHost = - zone-hosts.${hostname}.ipv4-address; - }) - ]; - }; + (_: { + config.deployment.targetHost = + zone-hosts.${hostname}.ipv4-address; + }) + ]; + }; in { nixosConfigurations = mapAttrs nixos-host-config fudo-nixos-hosts;
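Review bot: `build-seed = builtins.readFile config.fudo.secrets.files.build-seed;` in common-host-config reads a secret at evaluation time, so its contents become part of the evaluated configuration; if `instance.build-seed` is ever interpolated into a derivation or written out by a module, the seed lands in the world-readable Nix store (where `instance` is consumed is not visible in this hunk, so this may be fine by design). A why-comment on that line, e.g. `# build-seed is read at eval time: never interpolate it into a store path`, would make the constraint explicit for whoever consumes `instance`. Separately, `permittedInsecurePackages = [ "openssh-with-gssapi-8.4p1" ];` is now repeated verbatim in unstable-for and pkgs-for after the 22.05 bump; hoisting it into one shared `nixpkgs-config` attrset with a comment stating why the insecure build is still required would keep the two in step and make the exception easy to retire once it is not. The body of `outputs` (the `in { ... }` attrset) runs past the end of this hunk.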