Many changes over time

niten 2022-04-08 14:21:56 -07:00
parent 2954dfc1b2
commit e9e61e24d4
14 changed files with 929 additions and 298 deletions


@ -4,7 +4,7 @@ with lib;
let
in {
system.stateVersion = "21.05";
system.stateVersion = "21.11";
boot = {
loader = {
@ -35,38 +35,38 @@ in {
"/boot" = {
device = "/dev/disk/by-label/SYS3-BOOT";
fsType = "vfat";
options = [ "noexec" ];
options = [ "noexec" "noatime" ];
};
"/" = {
device = "system3-root";
fsType = "tmpfs";
options = [ "mode=755" ];
options = [ "mode=755" "noexec" ];
};
"/nix" = {
device = "/dev/disk/by-label/system3";
fsType = "btrfs";
options = [ "subvol=nix" "compress=zstd" "noatime" ];
device = "/dev/disk/by-label/system3-data";
fsType = "btrfs";
options = [ "subvol=@nix" "compress=zstd" "noatime" ];
};
"/var/log" = {
device = "/dev/disk/by-label/system3";
fsType = "btrfs";
options = [ "subvol=log" "compress=zstd" "noatime" "noexec" ];
device = "/dev/disk/by-label/system3-data";
fsType = "btrfs";
options = [ "subvol=@logs" "compress=zstd" "noatime" "noexec" ];
neededForBoot = true;
};
"/state" = {
device = "/dev/disk/by-label/system3";
fsType = "btrfs";
options = [ "subvol=state" "compress=zstd" "noatime" ];
device = "/dev/disk/by-label/system3-data";
fsType = "btrfs";
options = [ "subvol=@state" "compress=zstd" "noatime" ];
};
"/home" = {
device = "/dev/disk/by-label/system3";
fsType = "btrfs";
options = [ "subvol=home" "compress=zstd" "noatime" ];
device = "/dev/disk/by-label/system3-data";
fsType = "btrfs";
options = [ "subvol=@home" "compress=zstd" "noatime" ];
};
};
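Review bot: `system.stateVersion` appears to move from "21.05" to "21.11" on a host that already exists; the +/- markers are lost on this page, so the direction is inferred from print order. NixOS uses this value to choose defaults for stateful data, and the usual advice is to leave it at the release the machine was installed with unless the release notes have been checked, so either keep `system.stateVersion = "21.05";` or record the reason, e.g. `# reinstalled on 21.11` if the new `system3-data` label reflects a reinstall. Separately, `"/"` gains `noexec` while `/state` and `/home` carry neither `nosuid` nor `nodev`; both are cheap to add on data-only subvolumes.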


@ -1,71 +1,89 @@
{ config, lib, pkgs, modulesPath, ... }:
with lib; {
system.stateVersion = "22.05";
system.stateVersion = "21.11";
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
availableKernelModules =
[ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
kernelModules = [ ];
};
loader = {
grub.enable = false;
# generic-extlinux-compatible.enable = true;
raspberryPi = {
enable = true;
version = 4;
};
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
tmpOnTmpfs = true;
kernelModules = [ ];
kernelPackages = pkgs.linuxPackages_rpi4;
kernelParams = [
"8250.nr_uarts=1"
"console=ttyAMA0,115200"
"console=tty1"
];
tmpOnTmpfs = false;
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
hardware = {
bluetooth.enable = false;
enableRedistributableFirmware = true;
# raspberry-pi."4".fkms-3d.enable = true;
};
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
options = [ "noatime" ];
device = "wormhole0-root";
fsType = "tmpfs";
options = [ "mode=755" "noexec" "noatime" "nodiratime" ];
};
"/boot" = {
device = "/dev/disk/by-label/FIRMWARE";
device = "/dev/disk/by-label/WORMBOOT";
fsType = "vfat";
options = [ "noatime" ];
options = [ "noexec" "noatime" "nodiratime" ];
};
"/nix" = {
device = "/dev/disk/by-label/wormhole0-data";
fsType = "btrfs";
options = [ "subvol=@nix" "compress=zstd" "noatime" "nodiratime" ];
};
"/var/log" = {
device = "/dev/disk/by-label/wormhole0-data";
fsType = "btrfs";
options =
[ "subvol=@logs" "compress=zstd" "noatime" "nodiratime" "noexec" ];
};
"/state" = {
device = "/dev/disk/by-label/wormhole0-data";
fsType = "btrfs";
options =
[ "subvol=@state" "compress=zstd" "noatime" "nodiratime" "noexec" ];
};
};
swapDevices = [ ];
swapDevices = [{ device = "/dev/disk/by-label/wormhole0-swap"; }];
networking = {
useDHCP = mkDefault false;
macvlans = {
intif0 = {
interface = "eth0";
interface = "enp1s0";
mode = "bridge";
};
wormif0 = {
interface = "enp3s0";
mode = "bridge";
};
};
interfaces = {
eth0.useDHCP = false;
intif0.macAddress = "02:fa:d4:07:cf:f4";
enp1s0.useDHCP = false;
enp3s0.useDHCP = false;
intif0.macAddress =
pkgs.lib.network.generate-mac-address "wormhole0" "intif0";
wormif0.macAddress =
pkgs.lib.network.generate-mac-address "wormhole0" "wormif0";
};
};
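Review bot: The swap entry `{ device = "/dev/disk/by-label/wormhole0-swap"; }` is a plain partition as far as this section shows, so pages swapped out of memory can stay on disk in cleartext. That includes tmpfs content: root is a tmpfs on this host, and elsewhere in this commit credentials are placed under `/run`. If the partition does not sit on an encrypted volume, adding `randomEncryption.enable = true;` to the entry addresses this. Re-keying on each boot wipes the label, so the device would then have to be referenced by a stable path such as `/dev/disk/by-partuuid/<PARTUUID>` (placeholder), and hibernation is not possible with it.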


@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }:
{
{
boot = {
loader = {
systemd-boot.enable = true;
@ -12,7 +12,7 @@
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
kernelPackages = pkgs.linuxPackages_latest;
# kernelPackages = pkgs.linuxPackages_latest;
extraModulePackages = [ ];
};
@ -34,7 +34,8 @@
"/state" = {
device = "/dev/disk/by-label/zbox-data";
fsType = "btrfs";
options = [ "noatime" "nodiratime" "compress=zstd" "noexec" "subvol=@state" ];
options =
[ "noatime" "nodiratime" "compress=zstd" "noexec" "subvol=@state" ];
};
"/nix" = {
@ -46,7 +47,8 @@
"/var/log" = {
device = "/dev/disk/by-label/zbox-data";
fsType = "btrfs";
options = [ "noatime" "nodiratime" "compress=zstd" "noexec" "subvol=@logs" ];
options =
[ "noatime" "nodiratime" "compress=zstd" "noexec" "subvol=@logs" ];
};
"/home" = {


@ -92,8 +92,7 @@ in {
virtualHosts."home.sea.fudo.org" = {
locations."/" = {
proxyPass =
"http://localhost:${toString home-assistant-port}";
proxyPass = "http://localhost:${toString home-assistant-port}";
proxyWebsockets = true;
};
};
@ -113,10 +112,9 @@ in {
image = "homeassistant/home-assistant:stable";
autoStart = true;
environment.TZ = config.time.timeZone;
ports = [ "${toString home-assistant-port}:8123" ];
volumes = [
"/state/services/home-assistant:/config"
];
# ports = [ "${toString home-assistant-port}:8123" ];
volumes = [ "/state/services/home-assistant:/config" ];
extraOptions = [ "--network=host" "--device=/dev/ttyACM0" ];
};
# shinobi = {
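Review bot: With the `ports` mapping commented out, the container relies entirely on `--network=host`, so Home Assistant binds 8123 in the host's network namespace and is reachable on every interface the firewall permits, not only through the nginx vhost in the hunk above. If host networking is not required for device discovery, bridge mode with a loopback-only publish, `ports = [ "127.0.0.1:${toString home-assistant-port}:8123" ];`, leaves nginx as the single entry point. If it is required, a comment next to `extraOptions` saying so, plus a check that 8123 is absent from `networking.firewall.allowedTCPPorts`, would cover it; the firewall settings are not visible in this section. The image is also referenced by the mutable tag `homeassistant/home-assistant:stable`, so pinning a version or digest would make rebuilds reproducible.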


@ -20,10 +20,17 @@ in {
intif0 = {
useDHCP = false;
ipv4.addresses = [{
address = primary-ip;
prefixLength = 16;
}];
ipv4 = {
addresses = [{
address = primary-ip;
prefixLength = 16;
}];
routes = [{
address = "192.168.86.0";
prefixLength = 24;
via = "10.0.0.3";
}];
};
};
intif1 = { useDHCP = false; };
intif2 = { useDHCP = false; };
@ -79,38 +86,8 @@ in {
};
};
# virtualisation = {
# docker = {
# enable = true;
# autoPrune.enable = true;
# enableOnBoot = true;
# };
# oci-containers = {
# backend = "docker";
# containers = {
# pihole = {
# image = "pihole/pihole:2021.10";
# autoStart = true;
# ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
# environment = {
# # ServerIP = primary-ip;
# VIRTUAL_HOST = "dns-hole.sea.fudo.org";
# DNS1 = "${primary-ip}#${toString dns-proxy-port}";
# };
# volumes = [
# "/state/pihole/etc-pihole/:/etc/pihole/"
# "/state/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
# ];
# };
# };
# };
# };
# Support for statelessness
environment.etc = {
# TODO: replace with current config
# nixos.source = "/state/nixos";
NIXOS.source = "/state/etc/NIXOS";
"host-config.nix".source = "/state/etc/host-config.nix";
};
@ -123,79 +100,34 @@ in {
"L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
];
# security.acme.certs."sea-camera.fudo.link".email = "niten@fudo.org";
security.acme.email = "niten@fudo.org";
networking.firewall.allowedTCPPorts = [ 80 443 ];
systemd.services.nginx.requires = [ "bind.service" ];
services = {
# nginx = {
# enable = true;
# recommendedGzipSettings = true;
# recommendedOptimisation = true;
# recommendedProxySettings = true;
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
# virtualHosts = {
# "dns-hole.${domain-name}" = {
# serverAliases = [
# "pi-hole.${domain-name}"
# "pihole.${domain-name}"
# "hole.${domain-name}"
# "pi-hole"
# "pihole"
# "dns-hole"
# "hole"
# ];
# locations."/" = { proxyPass = "http://127.0.0.1:3080"; };
# };
# ## This keeps failing, too many requests...give it a rest for now
# # "sea-camera.fudo.link" = {
# # enableACME = true;
# # forceSSL = true;
# # locations."/" = {
# # # proxyPass = "http://cargo.sea.fudo.org:5000/webman/3rdparty/SurveillanceStation/";
# # proxyPass = "http://cargo.sea.fudo.org:5000/";
# # extraConfig = ''
# # proxy_http_version 1.1;
# # proxy_set_header Upgrade $http_upgrade;
# # proxy_set_header Connection "Upgrade";
# # proxy_set_header Host $host;
# # # proxy_set_header X-Real-IP $remote_addr;
# # # proxy_set_header X-Forwarded-By $server_addr:$server_port;
# # # proxy_set_header X-Forwarded-For $remote_addr;
# # # proxy_set_header X-Forwarded-Proto $scheme;
# # '';
# # };
# # };
# # "sea-camera-od.fudo.link" = {
# # enableACME = true;
# # forceSSL = true;
# # locations."/" = {
# # proxyPass = "http://panopticon-od.sea.fudo.org";
# # extraConfig = ''
# # proxy_http_version 1.1;
# # proxy_set_header Upgrade $http_upgrade;
# # proxy_set_header Connection "Upgrade";
# # proxy_set_header Host $host;
# # proxy_set_header X-Real-IP $remote_addr;
# # proxy_set_header X-Forwarded-By $server_addr:$server_port;
# # proxy_set_header X-Forwarded-For $remote_addr;
# # proxy_set_header X-Forwarded-Proto $scheme;
# # '';
# # };
# # };
# };
# };
virtualHosts = {
"sea-home.fudo.link" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://home-assist.sea.fudo.org/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
'';
};
};
};
};
openssh = {
hostKeys = [
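Review bot: The `sea-home.fudo.link` location sets `proxy_set_header Connection "Upgrade"` by hand, which sends that header on every proxied request rather than only on WebSocket upgrades. The other Home Assistant vhost in this commit uses `proxyWebsockets = true;`, and using it here in place of the `extraConfig` block would keep the two consistent. TLS ends at this nginx and `proxyPass = "http://home-assist.sea.fudo.org/"` forwards in cleartext, so sessions for what looks like an Internet-facing name (ACME plus ports 80/443 opened) cross the internal network unencrypted; whether that segment is trusted cannot be judged from here. The `services` block continues beyond the end of the hunk.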


@ -1,5 +1,6 @@
{ config, lib, pkgs, ... }:
with lib;
let state-dir = "/state";
in {
fudo.slynk.enable = true;
@ -17,10 +18,12 @@ in {
"L /root/.ssh/id_rsa.pub - - - - ${state-dir}/user/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - ${state-dir}/user/root/ssh/known_hosts"
"L /var/lib/flatpak - - - - ${state-dir}/lib/flatpak"
"L /etc/adjtime - - - - ${state-dir}/etc/adjtime"
];
services = {
blueman.enable = true;
openssh.hostKeys = [
{
path = "${state-dir}/ssh/ssh_host_rsa_key";
@ -30,40 +33,13 @@ in {
{
path = "${state-dir}/ssh/ssh_host_ed25519_key";
type = "ed25519";
bits = 4096;
}
];
};
environment.etc = {
"ssh/ssh_host_rsa_key" = {
source = "${state-dir}/ssh/ssh_host_rsa_key";
user = "root";
group = "root";
mode = "0400";
};
"ssh/ssh_host_rsa_key.pub" = {
source = "${state-dir}/ssh/ssh_host_rsa_key.pub";
user = "root";
group = "root";
mode = "0444";
};
"ssh/ssh_host_ed25519_key" = {
source = "${state-dir}/ssh/ssh_host_ed25519_key";
user = "root";
group = "root";
mode = "0400";
};
"ssh/ssh_host_ed25519_key.pub" = {
source = "${state-dir}/ssh/ssh_host_ed25519_key.pub";
user = "root";
group = "root";
mode = "0444";
};
nixos.source = "/etc/nixos-live";
"host-config.nix".source = "${state-dir}/host/host-config.nix";
adjtime.source = "${state-dir}/host/adjtime";
NIXOS.source = "${state-dir}/host/NIXOS";
NIXOS.source = "${state-dir}/etc/NIXOS";
};
hardware = {
@ -73,9 +49,4 @@ in {
};
xpadneo.enable = true;
};
security.sudo.extraConfig = ''
# Due to rollback, sudo will lecture after every reboot
Defaults lecture = never
'';
}


@ -3,8 +3,27 @@
with lib;
let
primary-ip = "10.0.0.3";
state-dir = "/state";
zigbee2mqtt-statedir = "${state-dir}/services/zigbee2mqtt";
mosquitto-statedir = "${state-dir}/services/mosquitto";
home-assistant-port = 8123;
zigbee2mqtt-user = config.systemd.services.zigbee2mqtt.serviceConfig.User;
mosquitto-user = config.systemd.services.mosquitto.serviceConfig.User;
zigbee2mqtt-passwd-file =
pkgs.lib.passwd.random-passwd-file "zigbee2mqtt-passwd" 20;
home-assistant-passwd-file =
pkgs.lib.passwd.stablerandom-passwd-file "home-assistant-passwd"
config.instance.build-seed;
host-secrets = config.fudo.secrets.host-secrets.wormhole0;
in {
boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; };
networking = {
hostName = "wormhole0";
@ -19,24 +38,163 @@ in {
interfaces = {
intif0 = {
ipv4.addresses = [{
address = primary-ip;
prefixLength = 24;
}];
useDHCP = false;
ipv4 = {
addresses = [{
address = primary-ip;
prefixLength = 24;
}];
};
};
wlan0.useDHCP = true;
wormif0.useDHCP = true;
wlp2s0.useDHCP = false;
};
dhcpcd.extraConfig = concatStringsSep "\n" [ "nogateway" ];
};
fudo.secrets.host-secrets.wormhole0 = {
mosquitto-zigbee2mqtt-passwd = {
source-file = zigbee2mqtt-passwd-file;
target-file = "/run/mosquitto-secrets/zigbee2mqtt.passwd";
user = mosquitto-user;
};
mosquitto-home-assistant-passwd = {
source-file = home-assistant-passwd-file;
target-file = "/run/mosquitto-secrets/home-assistant.passwd";
user = mosquitto-user;
};
};
nix = {
# settings = {
# auto-optimise-store = true;
# };
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
systemd = {
services = {
wormhole-route = {
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
serviceConfig = {
ExecStart =
"${pkgs.iproute2}/bin/ip route add 192.168.86.0/24 dev wormif0";
ExecStop =
"${pkgs.iproute2}/bin/ip route del 192.168.86.0/24 dev wormif0";
RemainAfterExit = true;
};
};
zigbee2mqtt.after =
[ config.fudo.secrets.secret-target "mosquitto.service" ];
mosquitto.after = [ config.fudo.secrets.secret-target ];
};
tmpfiles.rules = [
"L /root/.gnupg - - - - ${state-dir}/user/root/gnupg"
"L /root/.ssh/id_rsa - - - - ${state-dir}/user/root/ssh/id_rsa"
"L /root/.ssh/id_rsa.pub - - - - ${state-dir}/user/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - ${state-dir}/user/root/ssh/known_hosts"
"L /etc/adjtime - - - - ${state-dir}/etc/adjtime"
"d /state/services 0711 root root - -"
"d ${zigbee2mqtt-statedir} 0700 ${zigbee2mqtt-user} - - -"
"d ${mosquitto-statedir} 0700 ${mosquitto-user} - - -"
];
};
users.groups = let
zigbee2mqtt-user = config.systemd.services.zigbee2mqtt.serviceConfig.User;
in { dialout.members = [ zigbee2mqtt-user ]; };
services = {
blueman.enable = true;
openssh.hostKeys = [
{
path = "${state-dir}/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
{
path = "${state-dir}/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
nginx = {
enable = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
virtualHosts."home-assist.sea.fudo.org" = {
locations."/" = {
proxyPass = "http://localhost:${toString home-assistant-port}";
proxyWebsockets = true;
};
};
};
mosquitto = {
enable = true;
dataDir = mosquitto-statedir;
listeners = [{
settings.allow_anonymous = false;
port = 1883;
users = {
zigbee2mqtt = {
passwordFile =
host-secrets.mosquitto-zigbee2mqtt-passwd.target-file;
acl = [ "readwrite #" ];
};
home-assistant = {
passwordFile =
host-secrets.mosquitto-home-assistant-passwd.target-file;
acl = [ "readwrite #" ];
};
};
}];
};
zigbee2mqtt = {
enable = true;
dataDir = zigbee2mqtt-statedir;
settings = {
homeassistant = true;
permit_join = true;
serial.port = "/dev/ttyUSB0";
mqtt = {
server = "mqtt://127.0.0.1:1883";
user = "zigbee2mqtt";
password = readFile zigbee2mqtt-passwd-file;
# TODO: could make a yaml file containing password
# described https://www.zigbee2mqtt.io/guide/configuration/mqtt.html#server-connection
# Weird, though.
};
};
};
};
virtualisation = {
docker = {
enable = true;
enableOnBoot = true;
autoPrune.enable = true;
};
oci-containers = {
backend = "docker";
containers = {
home-assistant = {
image = "homeassistant/home-assistant:stable";
autoStart = true;
environment.TZ = config.time.timeZone;
#ports = [ "${toString home-assistant-port}:8123" ];
volumes = [ "/state/services/home-assistant:/config" ];
extraOptions = [ "--network=host" ];
};
};
};
};
security.sudo.extraConfig = ''
# Due to rollback, sudo will lecture after every reboot
Defaults lecture = never
'';
}
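Review bot: `password = readFile zigbee2mqtt-passwd-file;` under `services.zigbee2mqtt.settings.mqtt` pulls the MQTT password into the evaluated configuration, so it will presumably be rendered into the generated zigbee2mqtt config in the world-readable Nix store. The mosquitto side, by contrast, receives it through `host-secrets` under `/run/mosquitto-secrets`. The TODO beneath the line points at the fix: zigbee2mqtt can resolve `password = "!secret password";` from a `secret.yaml` in its data directory, and that file could be delivered as another `host-secrets` entry owned by `zigbee2mqtt-user`. In the same block, `permit_join = true` leaves the Zigbee network open to new devices indefinitely and is better set to `false` once pairing is done. The mosquitto listener also has no `address`, so the unencrypted port 1883 binds on all interfaces even though the visible client connects over 127.0.0.1.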


@ -37,6 +37,26 @@ in {
};
trezord.enable = true;
gnome = mkIf enable-gui {
evolution-data-server.enable = mkForce false;
gnome-user-share.enable = mkForce false;
};
pipewire = {
enable = true;
alsa = {
enable = true;
support32Bit = true;
};
pulse.enable = true;
jack.enable = true;
};
};
security = {
rtkit.enable = true;
sudo.extraConfig = "Defaults lecture = never";
};
hardware = {
@ -47,22 +67,15 @@ in {
driSupport = true;
driSupport32Bit = true;
};
pulseaudio.enable = false;
};
sound.enable = true;
hardware.pulseaudio = {
enable = true;
support32Bit = config.hardware.pulseaudio.enable;
};
# console.font =
# lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-g18n.psf.gz";
services.gnome = mkIf enable-gui {
evolution-data-server.enable = mkForce false;
gnome-user-share.enable = mkForce false;
};
services.flatpak.enable = enable-gui;
fonts = mkIf enable-gui {


@ -40,6 +40,11 @@ in {
extraOptions = ''
experimental-features = nix-command flakes
'';
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
};
nixpkgs.config.allowUnfree = true;


@ -7,64 +7,66 @@ let
try-attr = attr: set: if (hasAttr attr set) then set.${attr} else null;
in {
config = mkIf has-secret-files (let
keytab-file = try-attr hostname config.fudo.secrets.files.host-keytabs;
in mkIf (keytab-file != null) {
## This doesn't seem to work...timing?
# environment.etc."krb5.keytab" = mkIf (keytab-file != null) {
# source =
# config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
# user = "root";
# group = "root";
# mode = "0400";
# };
config = mkIf has-secret-files
(let keytab-file = try-attr hostname config.fudo.secrets.files.host-keytabs;
in mkIf (keytab-file != null) {
## This doesn't seem to work...timing?
# environment.etc."krb5.keytab" = mkIf (keytab-file != null) {
# source =
# config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
# user = "root";
# group = "root";
# mode = "0400";
# };
systemd = let
host-keytab = config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
in {
paths."${hostname}-keytab-watcher" = {
wantedBy = [ "default.target" ];
description = "Watch host keytab for changes.";
pathConfig = {
PathChanged = host-keytab;
Unit = "${hostname}-keytab-watcher.service";
};
};
services = {
"${hostname}-keytab-watcher" = {
description = "When host keytab is available or changed, activate copy job.";
path = with pkgs; [ systemd ];
serviceConfig = {
Type = "oneshot";
systemd = let
host-keytab =
config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
in {
paths."${hostname}-keytab-watcher" = {
wantedBy = [ "default.target" ];
description = "Watch host keytab for changes.";
pathConfig = {
PathChanged = host-keytab;
Unit = "${hostname}-keytab-watcher.service";
};
script = "systemctl restart ${hostname}-copy-keytab.service";
};
"${hostname}-copy-keytab" = {
description = "Copy the host krb5.keytab into place once it's available.";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "${hostname}-copy-keytab.sh" ''
[ -f ${host-keytab} ] || exit 1
[ -f /etc/krb5.keytab ] && rm /etc/krb5.keytab
cp ${host-keytab} /etc/krb5.keytab
chown root:root /etc/krb5.keytab
chmod 0400 /etc/krb5.keytab
'';
ExecStop = pkgs.writeShellScript "${hostname}-remove-keytab.sh" ''
rm -f /etc/krb5.keytab
'';
services = {
"${hostname}-keytab-watcher" = {
description =
"When host keytab is available or changed, activate copy job.";
path = with pkgs; [ systemd ];
serviceConfig = { Type = "oneshot"; };
script = "systemctl restart ${hostname}-copy-keytab.service";
};
"${hostname}-copy-keytab" = {
description =
"Copy the host krb5.keytab into place once it's available.";
serviceConfig = {
Type = "simple";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "${hostname}-copy-keytab.sh" ''
[ -f ${host-keytab} ] || exit 1
[ -f /etc/krb5.keytab ] && rm /etc/krb5.keytab
cp ${host-keytab} /etc/krb5.keytab
chown root:root /etc/krb5.keytab
chmod 0400 /etc/krb5.keytab
'';
ExecStop = pkgs.writeShellScript "${hostname}-remove-keytab.sh" ''
rm -f /etc/krb5.keytab
'';
};
};
};
};
};
fudo.secrets.host-secrets.${hostname}.host-keytab = mkIf (keytab-file != null) {
source-file = keytab-file;
target-file = "/run/kerberos/krb5.keytab";
user = "root";
};
});
fudo.secrets.host-secrets.${hostname}.host-keytab =
mkIf (keytab-file != null) {
source-file = keytab-file;
target-file = "/run/kerberos/krb5.keytab";
user = "root";
};
});
}
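Review bot: `Type = "simple"` on `${hostname}-copy-keytab` makes systemd consider the unit started as soon as the script is forked, so the watcher's `systemctl restart` returns, and units ordered after this one may proceed, before `/etc/krb5.keytab` is in place. The other copy of this block reads `Type = "oneshot"`; the +/- markers are lost on this page, so which side is new is inferred from print order. `Type = "oneshot";` together with the existing `RemainAfterExit = true;` is the usual pairing for a run-to-completion script. The script also copies the keytab first and fixes owner and mode afterwards; `install -o root -g root -m 0400 ${host-keytab} /etc/krb5.keytab` would replace the `cp`/`chown`/`chmod` lines and avoid the interval in which the file exists with whatever mode `cp` gave it.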


@ -30,20 +30,20 @@ in {
# };
"/mnt/cargo_video" = {
device = "cargo.${local-domain}:/volume1/video";
fsType = "nfs";
options = [ "comment=systemd.automount" "nfsvers=4.2" ];
fsType = "nfs4";
options = [ "sec=krb5i" "x-systemd.automount" ];
};
"/mnt/photo" = {
device = "cargo.${local-domain}:/volume1/pictures";
fsType = "nfs";
options = [ "comment=systemd.automount" "nfsvers=4.2" ];
fsType = "nfs4";
options = [ "sec=krb5i" "x-systemd.automount" ];
};
# "proto=tcp"
# # NOTE: these are pointing directly to nostromo so the krb lookup works
"/net/documents" = {
device = "nostromo.sea.fudo.org:/export/documents";
device = "nostromo.${local-domain}:/export/documents";
fsType = "nfs4";
options = [
"sec=krb5p"
@ -54,7 +54,7 @@ in {
];
};
"/net/downloads" = {
device = "nostromo.sea.fudo.org:/export/downloads";
device = "nostromo.${local-domain}:/export/downloads";
fsType = "nfs4";
options = [
"sec=krb5i"
@ -65,7 +65,7 @@ in {
];
};
"/net/projects" = {
device = "nostromo.sea.fudo.org:/export/projects";
device = "nostromo.${local-domain}:/export/projects";
fsType = "nfs4";
options = [
"sec=krb5p"
@ -91,14 +91,24 @@ in {
# script = "${pkgs.systemd}/bin/systemctl restart rpc-gssd.service";
# };
services.host-keytab-watcher = {
wantedBy = [ "rpc-gssd.service" "rpc-svcgssd.service" ];
before = [ "rpc-gssd.service" "rpc-svcgssd.service" ];
unitConfig = { ConditionPathExists = [ "/etc/krb5.keytab" ]; };
serviceConfig = {
ExecStart = "${pkgs.coreutils}/bin/sleep 500";
TimeoutStartSec = "3600";
RemainAfterExit = true;
services = {
# host-keytab-watcher = {
# wantedBy = [ "rpc-gssd.service" "rpc-svcgssd.service" ];
# before = [ "rpc-gssd.service" "rpc-svcgssd.service" ];
# serviceConfig = {
# ExecStart = "${pkgs.coreutils}/bin/sleep 500";
# TimeoutStartSec = "3600";
# RemainAfterExit = true;
# };
# };
rpc-gssd = {
after = [ config.fudo.secrets.secret-target ];
unitConfig = { ConditionPathExists = mkForce [ ]; };
};
rpc-svcgssd = {
after = [ config.fudo.secrets.secret-target ];
unitConfig = { ConditionPathExists = mkForce [ ]; };
};
};
};
@ -117,7 +127,7 @@ in {
# in [
# {
# enable = true;
# what = "nostromo.sea.fudo.org:/export/documents";
# what = "nostromo.${local-domain}:/export/documents";
# where = "/net/documents";
# type = "nfs";
# options = mkOpts [
@ -131,7 +141,7 @@ in {
# }
# {
# enable = true;
# what = "nostromo.sea.fudo.org:/export/downloads";
# what = "nostromo.${local-domain}:/export/downloads";
# where = "/net/downloads";
# type = "nfs";
# options = mkOpts [
@ -145,7 +155,7 @@ in {
# }
# {
# enable = true;
# what = "nostromo.sea.fudo.org:/export/projects";
# what = "nostromo.${local-domain}:/export/projects";
# where = "/net/projects";
# type = "nfs";
# options = mkOpts [
@ -165,12 +175,12 @@ in {
drivers = [
# pkgs.brlaser
# pkgs.brgenml1lpr
# pkgs.brgenml1cupswrapper
pkgs.brgenml1cupswrapper
# pkgs.hll2380dw-cups
# pkgs.hll2380dw-lpr
];
};
environment.systemPackages = with pkgs; [ hll2380dw-cups ];
# environment.systemPackages = with pkgs; [ hll2380dw-cups ];
}
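Review bot: The two mounts moved to `fsType = "nfs4"` (`/mnt/cargo_video`, `/mnt/photo`) list only `"sec=krb5i" "x-systemd.automount"`, so setuid bits and device nodes served by the remote host are honoured locally; `options = [ "sec=krb5i" "x-systemd.automount" "nosuid" "nodev" ];` is the usual baseline for media shares. Whether the `/net/*` mounts already carry these is not visible, since their option lists are cut by the hunk boundaries. `krb5i` protects integrity but not confidentiality, whereas `/net/documents` uses `krb5p`, which is worth a comment if the pictures share is meant to be private on the wire. Further down, `ConditionPathExists = mkForce [ ];` on `rpc-gssd` and `rpc-svcgssd` clears any keytab guard and `after = [ config.fudo.secrets.secret-target ]` only orders the units; if the daemons need `/etc/krb5.keytab` at start, a `wants` or `requires` on the unit that installs it may also be needed.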


@ -388,11 +388,11 @@
]
},
"locked": {
"lastModified": 1646155824,
"narHash": "sha256-cVQ4mQNNblY2MjK4kaoW71wUccUOdczVt2Y3umGEkTw=",
"lastModified": 1649111994,
"narHash": "sha256-KVRN3pahTca8gCcppDgr+hY+6xeCL0nQUpLT/l2uGS8=",
"ref": "master",
"rev": "4799d7704ae703693065c47e1e454e58f5e767f4",
"revCount": 76,
"rev": "1e478f59eaadd1b3e857045ad812b45c9bad238f",
"revCount": 89,
"type": "git",
"url": "https://git.fudo.org/fudo-nix/entities.git"
},
@ -413,11 +413,11 @@
]
},
"locked": {
"lastModified": 1646777521,
"narHash": "sha256-0WtNjhJ+66l+3l/s4bhqgIfsuROBtD4GJ0B3yJRipxM=",
"lastModified": 1649445221,
"narHash": "sha256-g2QZSTNDv42oxFI1+zt/rGIvPHM52RZ8olPFru/7Mnc=",
"ref": "master",
"rev": "e860b7aee67d8f0dabcf95fdfde138722fca1f32",
"revCount": 124,
"rev": "8d94134bff85ed39d371b7dd895a9265c5b161b2",
"revCount": 138,
"type": "git",
"url": "https://git.fudo.org/fudo-nix/home.git"
},
@ -443,7 +443,7 @@
},
"fudo-lib_2": {
"locked": {
"narHash": "sha256-JWs8GEoZdR9sqf1nQJgIIQCwe4sQDZoK3C7WzQN3hAo=",
"narHash": "sha256-fBiGlPgqsl5t08IlV1sehtAaOAI2eJqCXKQgdnwMzy0=",
"path": "/state/fudo-lib",
"type": "path"
},
@ -469,11 +469,11 @@
},
"fudo-pkgs_2": {
"locked": {
"lastModified": 1646862825,
"narHash": "sha256-Zqtx4cJXuMG0dNKgmcJgfy3twLfRSMRqI/UMfl2hbsA=",
"lastModified": 1648662131,
"narHash": "sha256-wOJyR8xFQQhZ7gjK+sj3rJND8ORIHPuINNfQsdjM0BE=",
"ref": "master",
"rev": "4ee3fb603b5b9d55c51213acbf90a52ce4c08cf1",
"revCount": 49,
"rev": "c5180cbacd66673a3e8fcd0ce2c4abff119bbe93",
"revCount": 54,
"type": "git",
"url": "https://git.fudo.org/fudo-nix/pkgs.git"
},
@ -497,7 +497,7 @@
"ssh-keypairs": "ssh-keypairs"
},
"locked": {
"narHash": "sha256-ZiSCZ5783ghtNZ6geFR+avU+qnn0nhisbAB4P2yziGY=",
"narHash": "sha256-sDzbS0AnaNCrdiYR3oEsFljzxw128JsVx4exBNAjZo0=",
"path": "/state/secrets",
"type": "path"
},
@ -573,7 +573,7 @@
"host-keytabs": {
"flake": false,
"locked": {
"narHash": "sha256-LAAZVfwD65yS6H7EcKmfiPXtLcfRQ80u3V4LFRjr7ko=",
"narHash": "sha256-SA058alChYye39gm4TwPpCufR1P+X9QnH/EunJYXd5s=",
"path": "/state/secrets/kerberos/host-keytabs",
"type": "path"
},
@ -631,11 +631,11 @@
},
"nixpkgsUnstable": {
"locked": {
"lastModified": 1647297614,
"narHash": "sha256-ulGq3W5XsrBMU/u5k9d4oPy65pQTkunR4HKKtTq0RwY=",
"lastModified": 1649225869,
"narHash": "sha256-u1zLtPmQzhT9mNXyM8Ey9pk7orDrIKdwooeGDEXm5xM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "73ad5f9e147c0d2a2061f1d4bd91e05078dc0b58",
"rev": "b6966d911da89e5a7301aaef8b4f0a44c77e103c",
"type": "github"
},
"original": {

522
live-disk/flake.lock Normal file

@ -0,0 +1,522 @@
{
"nodes": {
"doom-emacs": {
"inputs": {
"doom-emacs": "doom-emacs_2",
"doom-snippets": "doom-snippets",
"emacs-overlay": [
"fudo-home",
"emacs-overlay"
],
"emacs-so-long": "emacs-so-long",
"evil-markdown": "evil-markdown",
"evil-org-mode": "evil-org-mode",
"evil-quick-diff": "evil-quick-diff",
"explain-pause-mode": "explain-pause-mode",
"flake-utils": "flake-utils",
"format-all": "format-all",
"nix-straight": "nix-straight",
"nixpkgs": [
"fudo-home",
"nixpkgs"
],
"nose": "nose",
"ob-racket": "ob-racket",
"org": "org",
"org-contrib": "org-contrib",
"org-yt": "org-yt",
"php-extras": "php-extras",
"revealjs": "revealjs",
"rotate-text": "rotate-text"
},
"locked": {
"lastModified": 1645751511,
"narHash": "sha256-i3cMaHdaxwfeJEKVgk3Sxx/IRfjwNcThaCMcq4uv9jg=",
"owner": "nix-community",
"repo": "nix-doom-emacs",
"rev": "ef434602f6f2a8b469d1b01f9edff4f5b6d7f555",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-doom-emacs",
"type": "github"
}
},
"doom-emacs_2": {
"flake": false,
"locked": {
"lastModified": 1645634993,
"narHash": "sha256-QeE6aUJxoaqHM28Cpt2rKC817VQvXGuuFUyLzehaC50=",
"owner": "hlissner",
"repo": "doom-emacs",
"rev": "42e5763782fdc1aabb9f2624d468248d6978abe2",
"type": "github"
},
"original": {
"owner": "hlissner",
"ref": "master",
"repo": "doom-emacs",
"type": "github"
}
},
"doom-snippets": {
"flake": false,
"locked": {
"lastModified": 1645652740,
"narHash": "sha256-ci5QsTkzmfSd7Pfoe+RActuSOmMY2TvJL7f2giCwNEI=",
"owner": "hlissner",
"repo": "doom-snippets",
"rev": "02aca23fef94fc7a58836fd1812d62e731249fa3",
"type": "github"
},
"original": {
"owner": "hlissner",
"repo": "doom-snippets",
"type": "github"
}
},
"emacs-overlay": {
"flake": false,
"locked": {
"lastModified": 1645953123,
"narHash": "sha256-Be06ikbfQTuRwsU6nxNbMSvSUOzmGzDOLBKXFMekrcA=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "058e38892484c1ab517c890b0aaee5d53565a494",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "emacs-overlay",
"type": "github"
}
},
"emacs-so-long": {
"flake": false,
"locked": {
"lastModified": 1575031854,
"narHash": "sha256-xIa5zO0ZaToDrec1OFjBK6l39AbA4l/CE4LInVu2hi0=",
"owner": "hlissner",
"repo": "emacs-so-long",
"rev": "ed666b0716f60e8988c455804de24b55919e71ca",
"type": "github"
},
"original": {
"owner": "hlissner",
"repo": "emacs-so-long",
"type": "github"
}
},
"evil-markdown": {
"flake": false,
"locked": {
"lastModified": 1626852210,
"narHash": "sha256-HBBuZ1VWIn6kwK5CtGIvHM1+9eiNiKPH0GUsyvpUVN8=",
"owner": "Somelauw",
"repo": "evil-markdown",
"rev": "8e6cc68af83914b2fa9fd3a3b8472573dbcef477",
"type": "github"
},
"original": {
"owner": "Somelauw",
"repo": "evil-markdown",
"type": "github"
}
},
"evil-org-mode": {
"flake": false,
"locked": {
"lastModified": 1607203864,
"narHash": "sha256-JxwqVYDN6OIJEH15MVI6XOZAPtUWUhJQWHyzcrUvrFg=",
"owner": "hlissner",
"repo": "evil-org-mode",
"rev": "a9706da260c45b98601bcd72b1d2c0a24a017700",
"type": "github"
},
"original": {
"owner": "hlissner",
"repo": "evil-org-mode",
"type": "github"
}
},
"evil-quick-diff": {
"flake": false,
"locked": {
"lastModified": 1575189609,
"narHash": "sha256-oGzl1ayW9rIuq0haoiFS7RZsS8NFMdEA7K1BSozgnJU=",
"owner": "rgrinberg",
"repo": "evil-quick-diff",
"rev": "69c883720b30a892c63bc89f49d4f0e8b8028908",
"type": "github"
},
"original": {
"owner": "rgrinberg",
"repo": "evil-quick-diff",
"type": "github"
}
},
"explain-pause-mode": {
"flake": false,
"locked": {
"lastModified": 1595842060,
"narHash": "sha256-++znrjiDSx+cy4okFBBXUBkRFdtnE2x+trkmqjB3Njs=",
"owner": "lastquestion",
"repo": "explain-pause-mode",
"rev": "2356c8c3639cbeeb9751744dbe737267849b4b51",
"type": "github"
},
"original": {
"owner": "lastquestion",
"repo": "explain-pause-mode",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1644229661,
"narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"format-all": {
"flake": false,
"locked": {
"lastModified": 1581716637,
"narHash": "sha256-ul7LCe60W8TIvUmUtZtZRo8489TK9iTPDsLHmzxY57M=",
"owner": "lassik",
"repo": "emacs-format-all-the-code",
"rev": "47d862d40a088ca089c92cd393c6dca4628f87d3",
"type": "github"
},
"original": {
"owner": "lassik",
"repo": "emacs-format-all-the-code",
"rev": "47d862d40a088ca089c92cd393c6dca4628f87d3",
"type": "github"
}
},
"fudo-entities": {
"inputs": {
"fudo-lib": "fudo-lib",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1646155824,
"narHash": "sha256-cVQ4mQNNblY2MjK4kaoW71wUccUOdczVt2Y3umGEkTw=",
"ref": "master",
"rev": "4799d7704ae703693065c47e1e454e58f5e767f4",
"revCount": 76,
"type": "git",
"url": "https://git.fudo.org/fudo-nix/entities.git"
},
"original": {
"type": "git",
"url": "https://git.fudo.org/fudo-nix/entities.git"
}
},
"fudo-home": {
"inputs": {
"doom-emacs": "doom-emacs",
"emacs-overlay": "emacs-overlay",
"fudo-pkgs": "fudo-pkgs",
"home-manager": "home-manager",
"niten-doom-config": "niten-doom-config",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1646777521,
"narHash": "sha256-0WtNjhJ+66l+3l/s4bhqgIfsuROBtD4GJ0B3yJRipxM=",
"ref": "master",
"rev": "e860b7aee67d8f0dabcf95fdfde138722fca1f32",
"revCount": 124,
"type": "git",
"url": "https://git.fudo.org/fudo-nix/home.git"
},
"original": {
"type": "git",
"url": "https://git.fudo.org/fudo-nix/home.git"
}
},
"fudo-lib": {
"locked": {
"lastModified": 1641848738,
"narHash": "sha256-9+xyFqyUIzIkNo2HyXxp6Lm9/f0EZqRqkRz52AQoW6Q=",
"ref": "master",
"rev": "63b80fb5dc1e6ad69252a233b7c6a20f649884c6",
"revCount": 59,
"type": "git",
"url": "https://git.fudo.org/fudo-nix/lib.git"
},
"original": {
"type": "git",
"url": "https://git.fudo.org/fudo-nix/lib.git"
}
},
"fudo-lib_2": {
"locked": {
"lastModified": 1646004430,
"narHash": "sha256-LqCS4S+glSf9S+1ym+Ac5Ek4foYLxKL/LKRzFYwREI8=",
"ref": "master",
"rev": "c40aba61335451219bc480f7b4ffccbc61d48d2b",
"revCount": 66,
"type": "git",
"url": "https://git.fudo.org/fudo-nix/lib.git"
},
"original": {
"type": "git",
"url": "https://git.fudo.org/fudo-nix/lib.git"
}
},
"fudo-pkgs": {
"locked": {
"lastModified": 1643841844,
"narHash": "sha256-rmTIL94RQQaFhMHCopmeFUVAoP71nSA6sB46riDq2Ik=",
"ref": "master",
"rev": "7e02ad0e7d9ac42605ed318e9d76364ec1d339ec",
"revCount": 41,
"type": "git",
"url": "https://git.fudo.org/fudo-nix/pkgs.git"
},
"original": {
"type": "git",
"url": "https://git.fudo.org/fudo-nix/pkgs.git"
}
},
"fudo-pkgs_2": {
"locked": {
"lastModified": 1646862825,
"narHash": "sha256-Zqtx4cJXuMG0dNKgmcJgfy3twLfRSMRqI/UMfl2hbsA=",
"ref": "master",
"rev": "4ee3fb603b5b9d55c51213acbf90a52ce4c08cf1",
"revCount": 49,
"type": "git",
"url": "https://git.fudo.org/fudo-nix/pkgs.git"
},
"original": {
"type": "git",
"url": "https://git.fudo.org/fudo-nix/pkgs.git"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"fudo-home",
"nixpkgs"
]
},
"locked": {
"lastModified": 1643933536,
"narHash": "sha256-yRmsWAG4DnLxLIUtlaZsl0kH7rN5xSoyNRlf0YZrcH4=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2860d7e3bb350f18f7477858f3513f9798896831",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-21.11",
"repo": "home-manager",
"type": "github"
}
},
"niten-doom-config": {
"flake": false,
"locked": {
"lastModified": 1640017877,
"narHash": "sha256-9twZfDxSjX87NHzuEQXkm1Q037YS98jPQv3Hw4Uktiw=",
"ref": "master",
"rev": "3d990cdf82fc7d5a6c8fd033e8bcf460fb27df1b",
"revCount": 37,
"type": "git",
"url": "https://git.fudo.org/niten/doom-emacs.git"
},
"original": {
"type": "git",
"url": "https://git.fudo.org/niten/doom-emacs.git"
}
},
"nix-straight": {
"flake": false,
"locked": {
"lastModified": 1643475817,
"narHash": "sha256-NpExq5nbPbj/ppkBX3SnETEJuOne1MKJxen8vVHsDFg=",
"owner": "nix-community",
"repo": "nix-straight.el",
"rev": "08d75e5651cb52f8a07e03408ed19e04bee07505",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-straight.el",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1645296114,
"narHash": "sha256-y53N7TyIkXsjMpOG7RhvqJFGDacLs9HlyHeSTBioqYU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "530a53dcbc9437363471167a5e4762c5fcfa34a1",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-21.05",
"type": "indirect"
}
},
"nose": {
"flake": false,
"locked": {
"lastModified": 1400604510,
"narHash": "sha256-daEi8Kta1oGaDEmUUDDQMahTTPOpvNpDKk22rlr7cB0=",
"owner": "emacsattic",
"repo": "nose",
"rev": "f8528297519eba911696c4e68fa88892de9a7b72",
"type": "github"
},
"original": {
"owner": "emacsattic",
"repo": "nose",
"type": "github"
}
},
"ob-racket": {
"flake": false,
"locked": {
"lastModified": 1584656173,
"narHash": "sha256-rBUYDDCXb+3D4xTPQo9UocbTPZ32kWV1Uya/1DmZknU=",
"owner": "xchrishawk",
"repo": "ob-racket",
"rev": "83457ec9e1e96a29fd2086ed19432b9d75787673",
"type": "github"
},
"original": {
"owner": "xchrishawk",
"repo": "ob-racket",
"type": "github"
}
},
"org": {
"flake": false,
"locked": {
"lastModified": 1645557265,
"narHash": "sha256-vBOWOOfdUbvpTkqs2Lx+OCPfUdZdzAOdGxzHBSAslmo=",
"owner": "emacs-straight",
"repo": "org-mode",
"rev": "282a01f22159b4855071ffd54a9ae6ce681c3690",
"type": "github"
},
"original": {
"owner": "emacs-straight",
"repo": "org-mode",
"type": "github"
}
},
"org-contrib": {
"flake": false,
"locked": {
"lastModified": 1639727892,
"narHash": "sha256-+T6Y87aSAx7kMpigm8d1ODDQIyPBM6a+4qGolXjCEXs=",
"ref": "master",
"rev": "5766ff1088191e4df5fecd55007ba4271e609bcc",
"revCount": 2611,
"type": "git",
"url": "https://git.sr.ht/~bzg/org-contrib"
},
"original": {
"type": "git",
"url": "https://git.sr.ht/~bzg/org-contrib"
}
},
"org-yt": {
"flake": false,
"locked": {
"lastModified": 1527381913,
"narHash": "sha256-dzQ6B7ryzatHCTLyEnRSbWO0VUiX/FHYnpHTs74aVUs=",
"owner": "TobiasZawada",
"repo": "org-yt",
"rev": "40cc1ac76d741055cbefa13860d9f070a7ade001",
"type": "github"
},
"original": {
"owner": "TobiasZawada",
"repo": "org-yt",
"type": "github"
}
},
"php-extras": {
"flake": false,
"locked": {
"lastModified": 1573312690,
"narHash": "sha256-r4WyVbzvT0ra4Z6JywNBOw5RxOEYd6Qe2IpebHXkj1U=",
"owner": "arnested",
"repo": "php-extras",
"rev": "d410c5af663c30c01d461ac476d1cbfbacb49367",
"type": "github"
},
"original": {
"owner": "arnested",
"repo": "php-extras",
"type": "github"
}
},
"revealjs": {
"flake": false,
"locked": {
"lastModified": 1645450091,
"narHash": "sha256-3fM1hKCbuIy8HzBv9JjjZW/RwE1CKeq++delBhbSvys=",
"owner": "hakimel",
"repo": "reveal.js",
"rev": "5e12c6aeb7a37acca7ca22c0bd29548f9ff282ea",
"type": "github"
},
"original": {
"owner": "hakimel",
"repo": "reveal.js",
"type": "github"
}
},
"root": {
"inputs": {
"fudo-entities": "fudo-entities",
"fudo-home": "fudo-home",
"fudo-lib": "fudo-lib_2",
"fudo-pkgs": "fudo-pkgs_2",
"nixpkgs": "nixpkgs"
}
},
"rotate-text": {
"flake": false,
"locked": {
"lastModified": 1322962747,
"narHash": "sha256-SOeOgSlcEIsKhUiYDJv0p+mLUb420s9E2BmvZQvZ0wk=",
"owner": "debug-ito",
"repo": "rotate-text.el",
"rev": "48f193697db996855aee1ad2bc99b38c6646fe76",
"type": "github"
},
"original": {
"owner": "debug-ito",
"repo": "rotate-text.el",
"type": "github"
}
}
},
"root": "root",
"version": 7
}


@ -25,7 +25,7 @@
outputs = { self, nixpkgs, fudo-home, fudo-entities, fudo-lib, fudo-pkgs, ...
}@inputs: {
nixosConfigurations.live-cd-x86_64-linux = let
nixosConfigurations.live-disk-x86_64-linux = let
system = "x86_64-linux";
pkgs = import nixpkgs {
inherit system;