nix
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Upgrade to 22.05 (and much else)

This commit is contained in:
niten 2022-06-01 13:57:58 -07:00
parent e9e61e24d4
commit a4ba216d71
16 changed files with 548 additions and 368 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
config/host-config/lambda.nix
View File

@ -84,65 +84,65 @@ in {
Defaults lecture = never Defaults lecture = never
''; '';
services.nginx = { # services.nginx = {
enable = true; # enable = true;
recommendedOptimisation = true; # recommendedOptimisation = true;
recommendedProxySettings = true; # recommendedProxySettings = true;
recommendedGzipSettings = true; # recommendedGzipSettings = true;
virtualHosts."home.sea.fudo.org" = { # virtualHosts."home.sea.fudo.org" = {
locations."/" = { # locations."/" = {
proxyPass = "http://localhost:${toString home-assistant-port}"; # proxyPass = "http://localhost:${toString home-assistant-port}";
proxyWebsockets = true; # proxyWebsockets = true;
}; # };
}; # };
}; # };
virtualisation = { # virtualisation = {
docker = { # docker = {
enable = true; # enable = true;
enableOnBoot = true; # enableOnBoot = true;
autoPrune = { enable = true; }; # autoPrune = { enable = true; };
}; # };
oci-containers = { # oci-containers = {
backend = "docker"; # backend = "docker";
containers = { # containers = {
home-assistant = { # home-assistant = {
image = "homeassistant/home-assistant:stable"; # image = "homeassistant/home-assistant:stable";
autoStart = true; # autoStart = true;
environment.TZ = config.time.timeZone; # environment.TZ = config.time.timeZone;
# ports = [ "${toString home-assistant-port}:8123" ]; # # ports = [ "${toString home-assistant-port}:8123" ];
volumes = [ "/state/services/home-assistant:/config" ]; # volumes = [ "/state/services/home-assistant:/config" ];
extraOptions = [ "--network=host" "--device=/dev/ttyACM0" ]; # extraOptions = [ "--network=host" "--device=/dev/ttyACM0" ];
}; # };
# shinobi = { # # shinobi = {
# image = "shinobisystems/shinobi:latest"; # # image = "shinobisystems/shinobi:latest";
# ports = [ "${shinobi-port}:8080" ]; # # ports = [ "${shinobi-port}:8080" ];
# volumes = [ # # volumes = [
# "/state/shinobi/plugins:/home/Shinobi/plugins" # # "/state/shinobi/plugins:/home/Shinobi/plugins"
# "/state/shinobi/config:/home/Shinobi/config" # # "/state/shinobi/config:/home/Shinobi/config"
# "/state/shinobi/videos:/home/Shinobi/videos" # # "/state/shinobi/videos:/home/Shinobi/videos"
# "/state/shinobi/db-data:/var/lib/mysql" # # "/state/shinobi/db-data:/var/lib/mysql"
# "/etc/localtime:/etc/localtime:ro" # # "/etc/localtime:/etc/localtime:ro"
# ]; # # ];
# }; # # };
# shinobi-od = { # # shinobi-od = {
# image = "shinobisystems/shinobi-tensorflow:latest"; # # image = "shinobisystems/shinobi-tensorflow:latest";
# volumes = # # volumes =
# [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ]; # # [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ];
# ports = [ "${shinobi-od-port}:8082" ]; # # ports = [ "${shinobi-od-port}:8082" ];
# environment = { # # environment = {
# PLUGIN_HOST = "panopticon.sea.fudo.org"; # # PLUGIN_HOST = "panopticon.sea.fudo.org";
# PLUGIN_PORT = shinobi-port; # # PLUGIN_PORT = shinobi-port;
# PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3"; # # PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3";
# }; # # };
# }; # # };
# photoprism = { image = "photoprism/photoprism"; }; # # photoprism = { image = "photoprism/photoprism"; };
}; # };
}; # };
}; # };
} }

14
config/host-config/legatus.nix
View File

@ -31,9 +31,7 @@ in {
security.acme.email = "admin@legatus.fudo.org"; security.acme.email = "admin@legatus.fudo.org";
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [ "L /etc/adjtime - - - - /state/etc/adjtime" ];
"L /etc/adjtime - - - - /state/etc/adjtime"
];
environment.systemPackages = local-packages; environment.systemPackages = local-packages;
@ -57,7 +55,7 @@ in {
# # }; # # };
# }; # };
fudo = { fudo = {
hosts.legatus.external-interfaces = [ "extif0" ]; hosts.legatus.external-interfaces = [ "extif0" ];
services = { services = {
@ -69,10 +67,14 @@ in {
ipropd-keytab = host-secrets.heimdal-ipropd-keytab.target-file; ipropd-keytab = host-secrets.heimdal-ipropd-keytab.target-file;
}; };
}; };
chat = {
state-directory = "/state/services/chat";
external-interface = "extif0";
};
}; };
secrets.host-secrets.legatus = let secrets.host-secrets.legatus = let files = config.fudo.secrets.files;
files = config.fudo.secrets.files;
in { in {
# postgres-keytab = { # postgres-keytab = {
# source-file = files.service-keytabs.procul.postgres; # source-file = files.service-keytabs.procul.postgres;

32
config/host-config/nostromo.nix
View File

@ -24,20 +24,24 @@ in {
# Hopefully this'll help with NFS... # Hopefully this'll help with NFS...
boot.kernelModules = [ "rpcsec_gss_krb5" ]; boot.kernelModules = [ "rpcsec_gss_krb5" ];
services.nfs = { services = {
# See ../user-config.nix for the user@REALM -> user mapping murmur.enable = true;
server = {
enable = true; nfs = {
createMountPoints = false; # See ../user-config.nix for the user@REALM -> user mapping
exports = let server = {
exportList = [ enable = true;
"/export/documents 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=10,sec=krb5p)" createMountPoints = false;
"/export/downloads 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=11,sec=krb5i)" exports = let
"/export/projects 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=12,sec=krb5p)" exportList = [
]; "/export/documents 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=10,sec=krb5p)"
in '' "/export/downloads 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=11,sec=krb5i)"
${concatStringsSep "\n" exportList} "/export/projects 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=12,sec=krb5p)"
''; ];
in ''
${concatStringsSep "\n" exportList}
'';
};
}; };
}; };

24
config/host-config/procul.nix
View File

@ -12,8 +12,7 @@ let
site = config.fudo.sites.${site-name}; site = config.fudo.sites.${site-name};
host-fqdn = "${hostname}.${domain-name}"; host-fqdn = "${hostname}.${domain-name}";
local-networks = local-networks = domain.local-networks ++ site.local-networks;
domain.local-networks ++ site.local-networks;
local-packages = with pkgs; [ ldns.examples ]; local-packages = with pkgs; [ ldns.examples ];
@ -23,10 +22,9 @@ let
host-certs = config.fudo.acme.host-domains.${hostname}; host-certs = config.fudo.acme.host-domains.${hostname};
grafana-database-password = grafana-database-password = pkgs.lib.passwd.stablerandom-passwd-file
pkgs.lib.passwd.stablerandom-passwd-file "grafana-database-password-${hostname}"
"grafana-database-password-${hostname}" "grafana-database-password-${hostname}-${config.instance.build-seed}";
"grafana-database-password-${hostname}-${config.instance.build-seed}";
in { in {
networking = { networking = {
@ -136,8 +134,7 @@ in {
# }; # };
}; };
secrets.host-secrets.procul = let secrets.host-secrets.procul = let files = config.fudo.secrets.files;
files = config.fudo.secrets.files;
in { in {
# postgres-keytab = { # postgres-keytab = {
# source-file = files.service-keytabs.procul.postgres; # source-file = files.service-keytabs.procul.postgres;
@ -199,9 +196,7 @@ in {
allowed-networks = [ "1.1.1.1/32" "1.0.0.1/32" "localhost" "link-local" ]; allowed-networks = [ "1.1.1.1/32" "1.0.0.1/32" "localhost" "link-local" ];
}; };
services.mail-server = { services.mail-server = { state-directory = "/srv/mailserver"; };
state-directory = "/srv/mailserver";
};
# mail-server = { # mail-server = {
# enable = true; # enable = true;
@ -257,6 +252,7 @@ in {
state-directory = "/var/lib/kerberos"; state-directory = "/var/lib/kerberos";
master-key-file = host-secrets.heimdal-master-key.target-file; master-key-file = host-secrets.heimdal-master-key.target-file;
}; };
ldap.state-directory = "/state/services/ldap";
}; };
dns.zones."informis.land" = { dns.zones."informis.land" = {
enable = true; enable = true;
@ -303,8 +299,7 @@ in {
}; };
gituser = { gituser = {
password-file = password-file = host-secrets.postgres-gitea-password.target-file;
host-secrets.postgres-gitea-password.target-file;
databases = { databases = {
git = { git = {
access = "CONNECT"; access = "CONNECT";
@ -332,8 +327,7 @@ in {
state-dir = "/srv/git/state"; state-dir = "/srv/git/state";
database = { database = {
user = "gituser"; user = "gituser";
password-file = password-file = host-secrets.gitea-database-password.target-file;
host-secrets.gitea-database-password.target-file;
hostname = "127.0.0.1"; hostname = "127.0.0.1";
name = "git"; name = "git";
}; };

53
config/host-config/wormhole0.nix
View File

@ -2,6 +2,7 @@
with lib; with lib;
let let
hostname = "wormhole0";
primary-ip = "10.0.0.3"; primary-ip = "10.0.0.3";
state-dir = "/state"; state-dir = "/state";
zigbee2mqtt-statedir = "${state-dir}/services/zigbee2mqtt"; zigbee2mqtt-statedir = "${state-dir}/services/zigbee2mqtt";
@ -13,19 +14,17 @@ let
mosquitto-user = config.systemd.services.mosquitto.serviceConfig.User; mosquitto-user = config.systemd.services.mosquitto.serviceConfig.User;
zigbee2mqtt-passwd-file = zigbee2mqtt-passwd-file =
pkgs.lib.passwd.random-passwd-file "zigbee2mqtt-passwd" 20; pkgs.lib.passwd.stablerandom-passwd-file "zigbee2mqtt-passwd"
home-assistant-passwd-file =
pkgs.lib.passwd.stablerandom-passwd-file "home-assistant-passwd"
config.instance.build-seed; config.instance.build-seed;
host-secrets = config.fudo.secrets.host-secrets.wormhole0; host-secrets = config.fudo.secrets.host-secrets.${hostname};
host-passwds = config.fudo.secrets.files.service-passwords.${hostname};
in { in {
boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; }; boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; };
networking = { networking = {
hostName = "wormhole0"; hostName = hostname;
firewall.enable = false; firewall.enable = false;
@ -55,17 +54,27 @@ in {
dhcpcd.extraConfig = concatStringsSep "\n" [ "nogateway" ]; dhcpcd.extraConfig = concatStringsSep "\n" [ "nogateway" ];
}; };
fudo.secrets.host-secrets.wormhole0 = { fudo.secrets.host-secrets.${hostname} = {
mosquitto-zigbee2mqtt-passwd = { mosquitto-zigbee2mqtt-passwd = {
source-file = zigbee2mqtt-passwd-file; source-file = zigbee2mqtt-passwd-file;
target-file = "/run/mosquitto-secrets/zigbee2mqtt.passwd"; target-file = "/run/mosquitto-secrets/zigbee2mqtt.passwd";
user = mosquitto-user; user = mosquitto-user;
}; };
mosquitto-home-assistant-passwd = { mosquitto-home-assistant-passwd = {
source-file = home-assistant-passwd-file; source-file = host-passwds.mosquitto-home-assistant;
target-file = "/run/mosquitto-secrets/home-assistant.passwd"; target-file = "/run/mosquitto-secrets/home-assistant.passwd";
user = mosquitto-user; user = mosquitto-user;
}; };
mosquitto-niten-passwd = {
source-file = host-passwds.mosquitto-niten;
target-file = "/run/mosquitto-secrets/niten.passwd";
user = mosquitto-user;
};
mosquitto-xiaoxuan-passwd = {
source-file = host-passwds.mosquitto-xiaoxuan;
target-file = "/run/mosquitto-secrets/xiaoxuan.passwd";
user = mosquitto-user;
};
}; };
systemd = { systemd = {
@ -82,9 +91,14 @@ in {
}; };
}; };
zigbee2mqtt.after = zigbee2mqtt = {
[ config.fudo.secrets.secret-target "mosquitto.service" ]; after = [ config.fudo.secrets.secret-target "mosquitto.service" ];
mosquitto.after = [ config.fudo.secrets.secret-target ]; restartIfChanged = true;
};
mosquitto = {
after = [ config.fudo.secrets.secret-target ];
restartIfChanged = true;
};
}; };
tmpfiles.rules = [ tmpfiles.rules = [
@ -104,7 +118,6 @@ in {
in { dialout.members = [ zigbee2mqtt-user ]; }; in { dialout.members = [ zigbee2mqtt-user ]; };
services = { services = {
blueman.enable = true;
openssh.hostKeys = [ openssh.hostKeys = [
{ {
path = "${state-dir}/ssh/ssh_host_rsa_key"; path = "${state-dir}/ssh/ssh_host_rsa_key";
@ -148,6 +161,14 @@ in {
host-secrets.mosquitto-home-assistant-passwd.target-file; host-secrets.mosquitto-home-assistant-passwd.target-file;
acl = [ "readwrite #" ]; acl = [ "readwrite #" ];
}; };
niten = {
passwordFile = host-secrets.mosquitto-niten-passwd.target-file;
acl = [ "readwrite #" ];
};
xiaoxuan = {
passwordFile = host-secrets.mosquitto-xiaoxuan-passwd.target-file;
acl = [ "readwrite #" ];
};
}; };
}]; }];
}; };
@ -155,6 +176,7 @@ in {
zigbee2mqtt = { zigbee2mqtt = {
enable = true; enable = true;
dataDir = zigbee2mqtt-statedir; dataDir = zigbee2mqtt-statedir;
package = pkgs.pkgsUnstable.zigbee2mqtt;
settings = { settings = {
homeassistant = true; homeassistant = true;
permit_join = true; permit_join = true;
@ -167,8 +189,15 @@ in {
# described https://www.zigbee2mqtt.io/guide/configuration/mqtt.html#server-connection # described https://www.zigbee2mqtt.io/guide/configuration/mqtt.html#server-connection
# Weird, though. # Weird, though.
}; };
advanced.log_level = "debug";
}; };
}; };
avahi = {
enable = true;
reflector = true;
interfaces = [ "intif0" "worm0" ];
};
}; };
virtualisation = { virtualisation = {

11
config/host-config/wormhole0/converters/AQSZB-110.js Normal file
View File

@ -0,0 +1,11 @@
const definition = {
zigbeeModel: ['AQSZB-110'],
model: 'AQSZB-110',
vendor: 'Frient',
description: 'Frient Air Quarity Sensor',
fromZigbee: [fz.temperature],
toZigbee: [],
exposes: [e.battery(), e.temperature(), e.humidity()],
};
module.exports = definition;

6
config/profile-config/common-ui.nix
View File

@ -51,7 +51,13 @@ in {
}; };
pulse.enable = true; pulse.enable = true;
jack.enable = true; jack.enable = true;
media-session = {
enable = true;
config.alsa-monitor = { api.alsa.headroom = 1024; };
};
}; };
udev.packages = with pkgs; [ via ];
}; };
security = { security = {

3
config/profile-config/desktop.nix
View File

@ -1,7 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib; with lib; {
{
imports = [ ./common-ui.nix ]; imports = [ ./common-ui.nix ];
networking.networkmanager.enable = mkForce false; networking.networkmanager.enable = mkForce false;

13
config/profile-config/server.nix
View File

@ -47,13 +47,20 @@ in {
config = { config = {
environment = { environment = {
systemPackages = with pkgs; systemPackages = with pkgs; [ emacs-nox reboot-if-necessary test-config ];
[ emacs-nox reboot-if-necessary test-config ];
}; };
networking.networkmanager.enable = mkForce false; networking.networkmanager.enable = mkForce false;
services.xserver.enable = false; services = {
nginx = {
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedTlsSettings = true;
};
xserver.enable = false;
};
sound.enable = false; sound.enable = false;
hardware.pulseaudio.enable = false; hardware.pulseaudio.enable = false;

149
config/service/chat.nix Normal file
View File

@ -0,0 +1,149 @@
{ config, lib, pkgs, ... }@toplevel:
with lib;
let
cfg = config.fudo.services.chat;
hostname = config.instance.hostname;
domain-name = config.instance.local-domain;
domain = config.fudo.domains.${domain-name};
chat-server = domain.chat-server;
isChatServer = hostname == chat-server;
chat-fqdn = "${cfg.host-alias}.${domain-name}";
mail-server = "mail.${domain-name}";
host-ip = "192.168.19.1";
container-ip = "192.168.19.2";
host-secrets = config.fudo.secrets.host-secrets.${hostname};
seed = config.instance.build-seed;
mattermost-mail-passwd-file =
pkgs.lib.passwd.stablerandom-passwd-file "mattermost-email" seed;
in {
options.fudo.services.chat = with types; {
host-alias = mkOption {
type = str;
description = "CNAME to use for the chat server.";
default = "chat";
};
site-name = mkOption {
type = str;
description = "Name of the chat site.";
default = "Fudo Chat";
};
state-directory = mkOption {
type = str;
description =
"Path at which to store chat server state. Must be persistent.";
};
external-interface = mkOption {
type = str;
description = "Public-facing external interface, for outgoing traffic.";
};
};
config = mkIf (chat-server != null) {
networking.nat = mkIf isChatServer {
enable = true;
internalInterfaces = [ "ve-fudo-chat" ];
externalInterface = cfg.external-interface;
};
fudo = {
users.chat = {
uid = 20001;
primary-group = "fudo";
common-name = cfg.site-name;
ldap-hashed-passwd = pkgs.lib.passwd.hash-ldap-passwd "mattermost-chat"
mattermost-mail-passwd-file;
};
zones.${domain.zone}.aliases.chat =
pkgs.lib.network.host-fqdn config chat-server;
};
systemd.tmpfiles.rules = mkIf isChatServer [
"d ${cfg.state-directory}/mattermost 0700 - - - -"
"d ${cfg.state-directory}/postgresql 0700 - - - -"
];
services.nginx = mkIf isChatServer {
enable = true;
recommendedProxySettings = true;
virtualHosts."${chat-fqdn}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${container-ip}:1234";
proxyWebsockets = true;
};
};
};
containers.fudo-chat = mkIf isChatServer {
ephemeral = true;
privateNetwork = true;
hostAddress = host-ip;
localAddress = container-ip;
autoStart = true;
bindMounts = {
"/var/lib/mattermost" = {
hostPath = "${cfg.state-directory}/mattermost";
isReadOnly = false;
};
"/var/lib/postgresql" = {
hostPath = "${cfg.state-directory}/postgresql";
isReadOnly = false;
};
};
config = { config, lib, ... }: {
networking = {
defaultGateway = host-ip;
firewall.enable = false;
};
systemd.tmpfiles.rules = [
"d /var/lib/mattermost 700 ${config.services.mattermost.user} - - -"
"d /var/lib/postgresql 700 ${config.systemd.services.postgresql.serviceConfig.User} - - -"
];
services = {
postgresql.dataDir = "/var/lib/postgresql";
mattermost = {
enable = true;
siteUrl = "https://${chat-fqdn}";
siteName = cfg.site-name;
statePath = "/var/lib/mattermost";
listenAddress = "${container-ip}:1234";
localDatabaseCreate = true;
extraConfig = {
EmailSettings = {
RequireEmailVerification = true;
SMTPServer = mail-server;
SMTPPort = "587";
ConnectionSecurity = "STARTTLS";
EnableSMTPAuth = true;
SMTPUsername = "chat";
# TODO: Ugh
SMTPPassword = readFile mattermost-mail-passwd-file;
SendEmailNotifications = true;
FeedbackEmail = "chat@${domain-name}";
FeedbackName = cfg.site-name;
};
EnableEmailNotifications = true;
};
};
};
};
};
};
}

1
config/services.nix
View File

@ -3,6 +3,7 @@
{ {
imports = [ imports = [
./service/backplane.nix ./service/backplane.nix
./service/chat.nix
./service/chute.nix ./service/chute.nix
./service/dns.nix ./service/dns.nix
./service/fudo-auth.nix ./service/fudo-auth.nix

183
config/site-config/seattle.nix
View File

@ -77,110 +77,97 @@ in {
}; };
}; };
systemd = { systemd.services = {
# paths.host-keytab-modified = { host-keytab-watcher = {
# wantedBy = [ "multi-user.target" ]; wantedBy = [
# pathConfig = { "rpc-gssd-override.service"
# PathChanged = "/etc/krb5.keytab"; "rpc-svcgssd-override.service"
# Unit = "host-keytab-modified.service"; "auth-rpcgss-module.service"
# }; ];
# }; before = [
"rpc-gssd-override.service"
# services.host-keytab-modified = { "rpc-svcgssd-override.service"
# description = "Operations to execute when keytab is changed."; "auth-rpcgss-module.service"
# script = "${pkgs.systemd}/bin/systemctl restart rpc-gssd.service"; ];
# }; after = [ config.fudo.secrets.secret-target ];
serviceConfig = {
services = { ExecStartPre = "${pkgs.coreutils}/bin/test -f /etc/krb5.keytab";
# host-keytab-watcher = { ExecStart = "${pkgs.coreutils}/bin/true";
# wantedBy = [ "rpc-gssd.service" "rpc-svcgssd.service" ]; TimeoutStartSec = "360";
# before = [ "rpc-gssd.service" "rpc-svcgssd.service" ]; RemainAfterExit = true;
# serviceConfig = { Restart = "on-failure";
# ExecStart = "${pkgs.coreutils}/bin/sleep 500"; RestartSec = "2";
# TimeoutStartSec = "3600";
# RemainAfterExit = true;
# };
# };
rpc-gssd = {
after = [ config.fudo.secrets.secret-target ];
unitConfig = { ConditionPathExists = mkForce [ ]; };
}; };
rpc-svcgssd = { };
after = [ config.fudo.secrets.secret-target ];
unitConfig = { ConditionPathExists = mkForce [ ]; }; auth-rpcgss-module.enable = false;
rpc-gssd.enable = false;
rpc-svcgssd.enable = false;
auth-rpcgss-module-override = {
description = "Kernel Module supporting RPCSEC_GSS";
before = [
"gssproxy.service"
"rpc-svcgssd-override.service"
"rpc-gssd-override.service"
];
wantedBy = [ "nfs-client.target" "nfs-server.target" ];
wants = [
"gssproxy.service"
"rpc-svcgssd-override.service"
"rpc-gssd-override.service"
"host-keytab-watcher.service"
];
after = [ "host-keytab-watcher.service" ];
partOf = [ "nfs-utils.service" "nfs-server.service" ];
unitConfig = {
DefaultDependencies = false;
ConditionPathExists =
[ "|!/run/gssproxy.pid" "|!/proc/net/rpc/use-gss-proxy" ];
};
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.kmod}/bin/modprobe -q auth_rpcgss";
RemainAfterExit = true;
};
};
rpc-gssd-override = {
description = "RPC security service for NFS client and server";
wantedBy = [ "auth-rpcgss-module.service" ];
conflicts = [ "umount.target" ];
after = [ "host-keytab-watcher.service" "rpc_pipefs.target" ];
wants = [ "host-keytab-watcher.service" ];
requires = [ "rpc_pipefs.target" ];
partOf = [ "nfs-utils.service" ];
unitConfig.DefaultDependencies = false;
serviceConfig = {
Type = "forking";
ExecStart = "${pkgs.nfs-utils}/bin/rpc.gssd";
};
};
rpc-svcgssd-override = {
description = "RPC security service for NFS server";
wantedBy = [ "auth-rpcgss-module.service" ];
after =
[ "host-keytab-watcher.service" "local-fs.target" "gssproxy.service" ];
wants = [ "host-keytab-watcher.service" ];
partOf = [ "nfs-utils.service" "nfs-server.service" ];
unitConfig = {
DefaultDependencies = false;
ConditionPathExists =
[ "|!/run/gssproxy.pid" "|!/proc/net/rpc/use-gss-proxy" ];
};
serviceConfig = {
Type = "forking";
ExecStart = "${pkgs.nfs-utils}/bin/rpc.svcgssd";
}; };
}; };
}; };
# systemd = {
# ## This fails if the filesystems already exist
# # tmpfiles.rules = [
# # "d /net/documents - root sea-documents - -"
# # "d /net/downloads - root sea-downloads - -"
# # "d /net/projects - root sea-projects - -"
# # ];
# mounts = let
# mkOpts =
# concatStringsSep ",";
# in [
# {
# enable = true;
# what = "nostromo.${local-domain}:/export/documents";
# where = "/net/documents";
# type = "nfs";
# options = mkOpts [
# "vers=4"
# "minorversion=2"
# "sec=krb5p"
# "x-systemd.automount"
# "proto=tcp"
# ];
# description = "sea-store documents on encrypted filesysem.";
# }
# {
# enable = true;
# what = "nostromo.${local-domain}:/export/downloads";
# where = "/net/downloads";
# type = "nfs";
# options = mkOpts [
# "vers=4"
# "minorversion=2"
# "sec=krb5i"
# "x-systemd.automount"
# "proto=tcp"
# ];
# description = "sea-store downloads on encrypted filesysem.";
# }
# {
# enable = true;
# what = "nostromo.${local-domain}:/export/projects";
# where = "/net/projects";
# type = "nfs";
# options = mkOpts [
# "vers=4"
# "minorversion=2"
# "sec=krb5p"
# "x-systemd.automount"
# "proto=tcp"
# ];
# description = "sea-store projects on encrypted filesysem.";
# }
# ];
# };
services.printing = { services.printing = {
enable = true; enable = true;
drivers = [ drivers = [ pkgs.brgenml1cupswrapper ];
# pkgs.brlaser
# pkgs.brgenml1lpr
pkgs.brgenml1cupswrapper
# pkgs.hll2380dw-cups
# pkgs.hll2380dw-lpr
];
}; };
# environment.systemPackages = with pkgs; [ hll2380dw-cups ];
} }

22
config/users.nix
View File

@ -470,12 +470,12 @@
}; };
# Used to send messages from the chat server # Used to send messages from the chat server
chat = { # chat = {
uid = 10111; # uid = 10111;
primary-group = "fudo"; # primary-group = "fudo";
common-name = "Fudo Chat"; # common-name = "Fudo Chat";
ldap-hashed-passwd = "{SSHA}XDYAM2JE4PXssywRzO4tVSbn5lUZOgg7"; # ldap-hashed-passwd = "{SSHA}XDYAM2JE4PXssywRzO4tVSbn5lUZOgg7";
}; # };
kevinyinjunjie = { kevinyinjunjie = {
uid = 10112; uid = 10112;
@ -507,5 +507,15 @@
"$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/"; "$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/";
email = "viator@informis.land"; email = "viator@informis.land";
}; };
jasper = {
uid = 10116;
primary-group = "selby";
common-name = "Jasper";
login-hashed-passwd =
"$6$ggREeoA2HUmXDDbh$zPEyroAAiSPKseTb.qt4ByLaYBhV08x0hqOz4dnt4wEqcaWtOpBt3UoTpHxyDc2/inMzkRggBwfr.Zm0vI7mp1";
ldap-hashed-passwd = "{SSHA}5OCmPaKrkEG3Q4DOWibsPweuBShsMAz2";
email = "jasper@selby.ca";
};
}; };
} }

3
configuration.nix
View File

@ -7,9 +7,8 @@ let
in { in {
imports = [ imports = [
(initialize { (initialize {
hostname = local.hostname; inherit (local) pkgs hostname;
home-manager-package = <home-manager>; home-manager-package = <home-manager>;
pkgs = pkgs;
include-secrets = false; include-secrets = false;
}) })
]; ];

82
flake.lock
View File

@ -162,11 +162,11 @@
"rotate-text": "rotate-text" "rotate-text": "rotate-text"
}, },
"locked": { "locked": {
"lastModified": 1645751511, "lastModified": 1649509049,
"narHash": "sha256-i3cMaHdaxwfeJEKVgk3Sxx/IRfjwNcThaCMcq4uv9jg=", "narHash": "sha256-gLmRO2gPqjLPmFBhgFkl1nbBzJlNV0lmXMzapbw9qac=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-doom-emacs", "repo": "nix-doom-emacs",
"rev": "ef434602f6f2a8b469d1b01f9edff4f5b6d7f555", "rev": "f3f40f333c3214c9614c23b6abd1ae498af3e5b5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -195,11 +195,11 @@
"doom-snippets": { "doom-snippets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1645652740, "lastModified": 1646222996,
"narHash": "sha256-ci5QsTkzmfSd7Pfoe+RActuSOmMY2TvJL7f2giCwNEI=", "narHash": "sha256-YhOnoNSpmcKNJg+aS/829zqXStMkKWXWf1pulHEBcpQ=",
"owner": "hlissner", "owner": "hlissner",
"repo": "doom-snippets", "repo": "doom-snippets",
"rev": "02aca23fef94fc7a58836fd1812d62e731249fa3", "rev": "f61c23ece1ad47c0522059ac45085fd283ce4452",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -211,11 +211,11 @@
"emacs-overlay": { "emacs-overlay": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1645953123, "lastModified": 1649586061,
"narHash": "sha256-Be06ikbfQTuRwsU6nxNbMSvSUOzmGzDOLBKXFMekrcA=", "narHash": "sha256-gFAHrrY0i71WIP16FGo3pgNKTZ5m5L6FtQsOYpne9gk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "emacs-overlay", "repo": "emacs-overlay",
"rev": "058e38892484c1ab517c890b0aaee5d53565a494", "rev": "16262a84ef07fb0e8cfc592b65d786b086840065",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -388,11 +388,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1649111994, "lastModified": 1653253887,
"narHash": "sha256-KVRN3pahTca8gCcppDgr+hY+6xeCL0nQUpLT/l2uGS8=", "narHash": "sha256-Z88Ck6nCW+zOfsxtHa+7hB2uPPuHotAkpRZqE2KoyF8=",
"ref": "master", "ref": "master",
"rev": "1e478f59eaadd1b3e857045ad812b45c9bad238f", "rev": "52b7da1ceccb919787685875a21a1d2356c6cc1f",
"revCount": 89, "revCount": 93,
"type": "git", "type": "git",
"url": "https://git.fudo.org/fudo-nix/entities.git" "url": "https://git.fudo.org/fudo-nix/entities.git"
}, },
@ -413,11 +413,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1649445221, "lastModified": 1654020774,
"narHash": "sha256-g2QZSTNDv42oxFI1+zt/rGIvPHM52RZ8olPFru/7Mnc=", "narHash": "sha256-iOdg/2Jl3Mh1UiJF8vLvW5KnJ5osGJIukmL/7F6RQ3k=",
"ref": "master", "ref": "master",
"rev": "8d94134bff85ed39d371b7dd895a9265c5b161b2", "rev": "b9db0696c37275021c3fcbf810cd42522ebc405b",
"revCount": 138, "revCount": 160,
"type": "git", "type": "git",
"url": "https://git.fudo.org/fudo-nix/home.git" "url": "https://git.fudo.org/fudo-nix/home.git"
}, },
@ -443,7 +443,7 @@
}, },
"fudo-lib_2": { "fudo-lib_2": {
"locked": { "locked": {
"narHash": "sha256-fBiGlPgqsl5t08IlV1sehtAaOAI2eJqCXKQgdnwMzy0=", "narHash": "sha256-IZsP2NrqUbz0p3KeTnT7U8RjvSkHODmJTePBSGNmlxw=",
"path": "/state/fudo-lib", "path": "/state/fudo-lib",
"type": "path" "type": "path"
}, },
@ -454,11 +454,11 @@
}, },
"fudo-pkgs": { "fudo-pkgs": {
"locked": { "locked": {
"lastModified": 1643841844, "lastModified": 1648662131,
"narHash": "sha256-rmTIL94RQQaFhMHCopmeFUVAoP71nSA6sB46riDq2Ik=", "narHash": "sha256-wOJyR8xFQQhZ7gjK+sj3rJND8ORIHPuINNfQsdjM0BE=",
"ref": "master", "ref": "master",
"rev": "7e02ad0e7d9ac42605ed318e9d76364ec1d339ec", "rev": "c5180cbacd66673a3e8fcd0ce2c4abff119bbe93",
"revCount": 41, "revCount": 54,
"type": "git", "type": "git",
"url": "https://git.fudo.org/fudo-nix/pkgs.git" "url": "https://git.fudo.org/fudo-nix/pkgs.git"
}, },
@ -497,7 +497,7 @@
"ssh-keypairs": "ssh-keypairs" "ssh-keypairs": "ssh-keypairs"
}, },
"locked": { "locked": {
"narHash": "sha256-sDzbS0AnaNCrdiYR3oEsFljzxw128JsVx4exBNAjZo0=", "narHash": "sha256-N3N5RSPFSF/+tA3uqnBkhiiSNzBqsWsUBLXAqG1YS7c=",
"path": "/state/secrets", "path": "/state/secrets",
"type": "path" "type": "path"
}, },
@ -556,11 +556,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1643933536, "lastModified": 1648834319,
"narHash": "sha256-yRmsWAG4DnLxLIUtlaZsl0kH7rN5xSoyNRlf0YZrcH4=", "narHash": "sha256-i5Aj4Aw64D/A0X6XW5LxSS4XBnYj7gMz+kN4dpsbdk8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "2860d7e3bb350f18f7477858f3513f9798896831", "rev": "0bdbdea2e26c984b096f4f7d10e3c88536a980b0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -585,11 +585,11 @@
"niten-doom-config": { "niten-doom-config": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1640017877, "lastModified": 1649611838,
"narHash": "sha256-9twZfDxSjX87NHzuEQXkm1Q037YS98jPQv3Hw4Uktiw=", "narHash": "sha256-O8+LwXi52WZHQrZRfjW+QwI99ppBiBpYQcWYNgqY+iU=",
"ref": "master", "ref": "master",
"rev": "3d990cdf82fc7d5a6c8fd033e8bcf460fb27df1b", "rev": "c45feb7fd8acb0730dfc76ddd993773da5411b82",
"revCount": 37, "revCount": 38,
"type": "git", "type": "git",
"url": "https://git.fudo.org/niten/doom-emacs.git" "url": "https://git.fudo.org/niten/doom-emacs.git"
}, },
@ -631,11 +631,11 @@
}, },
"nixpkgsUnstable": { "nixpkgsUnstable": {
"locked": { "locked": {
"lastModified": 1649225869, "lastModified": 1653931853,
"narHash": "sha256-u1zLtPmQzhT9mNXyM8Ey9pk7orDrIKdwooeGDEXm5xM=", "narHash": "sha256-O3wncIouj9x7gBPntzHeK/Hkmm9M1SGlYq7JI7saTAE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b6966d911da89e5a7301aaef8b4f0a44c77e103c", "rev": "f1c167688a6f81f4a51ab542e5f476c8c595e457",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -739,11 +739,11 @@
"org": { "org": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1645557265, "lastModified": 1646280299,
"narHash": "sha256-vBOWOOfdUbvpTkqs2Lx+OCPfUdZdzAOdGxzHBSAslmo=", "narHash": "sha256-ZNkOfB8o2OHTh2t/ci8uv8aoV3I5IfAgIIOP3azD6eU=",
"owner": "emacs-straight", "owner": "emacs-straight",
"repo": "org-mode", "repo": "org-mode",
"rev": "282a01f22159b4855071ffd54a9ae6ce681c3690", "rev": "91681fc03334285dc0879fcb9a27583bd7ab9782",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -815,11 +815,11 @@
"revealjs": { "revealjs": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1645450091, "lastModified": 1646820626,
"narHash": "sha256-3fM1hKCbuIy8HzBv9JjjZW/RwE1CKeq++delBhbSvys=", "narHash": "sha256-J3bcoO/42FcPIqCU7ORiV7dcvJDKtEHG8N7/stEQqDg=",
"owner": "hakimel", "owner": "hakimel",
"repo": "reveal.js", "repo": "reveal.js",
"rev": "5e12c6aeb7a37acca7ca22c0bd29548f9ff282ea", "rev": "37861335a225a3cc9f67e98977aceda3c2a9eca9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -872,7 +872,7 @@
"service-passwords": { "service-passwords": {
"flake": false, "flake": false,
"locked": { "locked": {
"narHash": "sha256-4xEJlPU+KeBtQuFqRlB1bzJMXUQ6a+DT2v3OptaHyTg=", "narHash": "sha256-vnxG3as7SVq0yIXKsf3qHM58Sv6Dcm7NPg+kLg4QtNs=",
"path": "/state/secrets/service-passwords", "path": "/state/secrets/service-passwords",
"type": "path" "type": "path"
}, },
@ -896,7 +896,7 @@
"ssh-keypairs": { "ssh-keypairs": {
"flake": false, "flake": false,
"locked": { "locked": {
"narHash": "sha256-TlRfaYFuJxLUCarxZ1XYnW8PruKyYO5RErVGo5hTgo4=", "narHash": "sha256-pla2J8HmPHBVDp/2m/22lctwd6VvmJ2cik5n68jf3VY=",
"path": "/state/secrets/ssh-keypairs", "path": "/state/secrets/ssh-keypairs",
"type": "path" "type": "path"
}, },

210
flake.nix
View File

@ -2,7 +2,7 @@
description = "Fudo Host Configuration"; description = "Fudo Host Configuration";
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-21.05"; nixpkgs.url = "nixpkgs/nixos-22.05";
fudo-home = { fudo-home = {
url = "git+https://git.fudo.org/fudo-nix/home.git"; url = "git+https://git.fudo.org/fudo-nix/home.git";
@ -30,140 +30,122 @@
chuteUnstable.url = "git+https://git.fudo.org/chute/chute.git?ref=master"; chuteUnstable.url = "git+https://git.fudo.org/chute/chute.git?ref=master";
nixpkgsUnstable.url = "nixpkgs/nixos-unstable"; nixpkgsUnstable.url = "nixpkgs/nixos-unstable";
# zigbee2mqtt-converters.url = "path:/net/projects/niten/zigbee2mqtt-converters";
}; };
outputs = { self, outputs = { self, nixpkgs, fudo-home, fudo-lib, fudo-entities, fudo-pkgs
nixpkgs, , fudo-secrets, chute, chuteUnstable, nixpkgsUnstable,
fudo-home, # zigbee2mqtt-converters,
fudo-lib, ... }@inputs:
fudo-entities,
fudo-pkgs,
fudo-secrets,
chute,
chuteUnstable,
nixpkgsUnstable,
... } @ inputs:
with nixpkgs.lib; with nixpkgs.lib;
let let
fudo-nixos-hosts = filterAttrs fudo-nixos-hosts = filterAttrs (hostname: hostOpts: hostOpts.nixos-system)
(hostname: hostOpts: hostOpts.nixos-system) fudo-entities.entities.hosts;
(fudo-entities.entities.hosts);
fudo-networks = fudo-entities.entities.networks; fudo-networks = fudo-entities.entities.networks;
unstable-for = arch: import nixpkgsUnstable { unstable-for = arch:
system = arch; import nixpkgsUnstable {
config = { system = arch;
allowUnfree = true; config = {
permittedInsecurePackages = [ allowUnfree = true;
"openssh-with-gssapi-8.4p1" permittedInsecurePackages = [ "openssh-with-gssapi-8.4p1" ];
};
};
pkgs-for = arch:
let unstable = unstable-for arch;
in import nixpkgs {
system = arch;
config = {
allowUnfree = true;
permittedInsecurePackages = [ "openssh-with-gssapi-8.4p1" ];
};
overlays = [
fudo-lib.overlay
fudo-pkgs.overlay
(final: prev: {
chute = chute.packages.${arch}.chute;
chuteUnstable = chuteUnstable.packages.${arch}.chute;
})
(final: prev: { pkgsUnstable = unstable; })
(final: prev: { nyxt = unstable.nyxt; })
]; ];
}; };
};
pkgs-for = arch: let latest-modified-timestamp = head (sort (a: b: a > b)
unstable = unstable-for arch; (map (input: toInt input.lastModifiedDate)
in import nixpkgs { (filter (input: hasAttr "lastModifiedDate" input)
system = arch; (attrValues inputs))));
config = {
allowUnfree = true; concat-timestamp = timestamp: toInt (substring 0 10 (toString timestamp));
permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1" common-host-config = hostname: hostOpts:
let
config-dir = ./config;
build-timestamp = concat-timestamp latest-modified-timestamp;
in { config, ... }: {
imports = [
fudo-home.nixosModule
fudo-secrets.nixosModule
fudo-lib.nixosModule
fudo-entities.nixosModule
# zigbee2mqtt-converters.nixosModule
./config
(config-dir + "/hardware/${hostname}.nix")
(config-dir + "/host-config/${hostname}.nix")
(config-dir + "/profile-config/${hostOpts.profile}.nix")
(config-dir + "/domain-config/${hostOpts.domain}.nix")
(config-dir + "/site-config/${hostOpts.site}.nix")
]; ];
};
overlays = [
fudo-lib.overlay
fudo-pkgs.overlay
(final: prev: {
chute = chute.packages.${arch}.chute;
chuteUnstable = chuteUnstable.packages.${arch}.chute;
})
(final: prev: {
nyxt = unstable.nyxt;
})
];
};
latest-modified-timestamp = head config = let pkgs = pkgs-for hostOpts.arch;
(sort (a: b: a > b)
(map (input: toInt input.lastModifiedDate)
(filter (input: hasAttr "lastModifiedDate" input)
(attrValues inputs))));
concat-timestamp = timestamp:
toInt (substring 0 10 (toString timestamp));
common-host-config = hostname: hostOpts: let
config-dir = ./config;
build-timestamp =
concat-timestamp latest-modified-timestamp;
in { config, ... }: {
imports = [
fudo-home.nixosModule
fudo-secrets.nixosModule
fudo-lib.nixosModule
fudo-entities.nixosModule
./config
(config-dir + /hardware/${hostname}.nix)
(config-dir + /host-config/${hostname}.nix)
(config-dir + /profile-config/${hostOpts.profile}.nix)
(config-dir + /domain-config/${hostOpts.domain}.nix)
(config-dir + /site-config/${hostOpts.site}.nix)
];
config = let
pkgs = pkgs-for hostOpts.arch;
in {
instance = let
build-seed = builtins.readFile
config.fudo.secrets.files.build-seed;
in { in {
inherit hostname build-timestamp build-seed; instance = let
}; build-seed =
builtins.readFile config.fudo.secrets.files.build-seed;
in { inherit hostname build-timestamp build-seed; };
environment.etc.nixos-live.source = ./.; environment.etc.nixos-live.source = ./.;
nix = { nix = {
registry = { registry = {
nixpkgs.flake = nixpkgs; nixpkgs.flake = nixpkgs;
fudo-nixos.flake = self; fudo-nixos.flake = self;
fudo-entities.flake = fudo-entities; fudo-entities.flake = fudo-entities;
fudo-lib.flake = fudo-lib; fudo-lib.flake = fudo-lib;
fudo-pkgs.flake = fudo-pkgs; fudo-pkgs.flake = fudo-pkgs;
};
nixPath = let lib = nixpkgs.lib;
in lib.mkDefault (lib.mkBefore [ "nixpkgs=${nixpkgs}" ]);
}; };
nixPath = let
lib = nixpkgs.lib; nixpkgs.pkgs = pkgs;
in lib.mkDefault (lib.mkBefore [
"nixpkgs=${nixpkgs}"
]);
}; };
nixpkgs.pkgs = pkgs;
}; };
};
nixos-host-config = hostname: hostOpts: let nixos-host-config = hostname: hostOpts:
system = hostOpts.arch; let system = hostOpts.arch;
in nixosSystem { in nixosSystem {
inherit system; inherit system;
modules = [ modules = [ (common-host-config hostname hostOpts) ];
(common-host-config hostname hostOpts) };
];
};
nixops-host-config = hostname: hostOpts: let nixops-host-config = hostname: hostOpts:
zone-hosts = fudo-entities.entities.zones.${hostOpts.domain}.hosts; let zone-hosts = fudo-entities.entities.zones.${hostOpts.domain}.hosts;
in { in {
imports = [ imports = [
(common-host-config hostname hostOpts) (common-host-config hostname hostOpts)
({ ... }: { (_: {
config.deployment.targetHost = config.deployment.targetHost =
zone-hosts.${hostname}.ipv4-address; zone-hosts.${hostname}.ipv4-address;
}) })
]; ];
}; };
in { in {
nixosConfigurations = mapAttrs nixos-host-config fudo-nixos-hosts; nixosConfigurations = mapAttrs nixos-host-config fudo-nixos-hosts;