Commit 0c45777361a4
Changed files (4)
systems/hosts/default.nix
@@ -1,34 +0,0 @@
-inputs:
-
-let
- inherit (inputs) self;
-
- sharedModules = [
- { _module.args = { inherit inputs; }; }
- #../modules/minimal.nix
- #../modules/security.nix
- inputs.home-manager.nixosModule
- {
- home-manager = {
- inherit (inputs.self.lib) extraSpecialArgs;
- useGlobalPkgs = true;
- };
- }
- ];
-
- inherit (self.lib) nixosSystem;
- # inherit (import "${self}/home/profiles" inputs) homeImports;
-in
-{
- # naruhodo
- naruhodo = nixosSystem {
- modules = [
- ./naruhodo.nix
- ] ++ sharedModules;
- system = "x86_64-linux";
- };
- # shikoku
- # aomi
- # wakasu
- # sakhalin
-}
systems/hosts/kerkouane.nix
@@ -1,336 +0,0 @@
-{ pkgs, lib, ... }:
-
-with lib;
-let
- hostname = "kerkouane";
- metadata = importTOML ../../ops/hosts.toml;
-
- secretPath = ../../secrets/machines.nix;
- secretCondition = builtins.pathExists secretPath;
-
- wireguardIp =
- strings.optionalString secretCondition
- (import secretPath).wireguard.ips."${hostname}";
-
- nginxExtraConfig = ''
- expires 31d;
- add_header Cache-Control "public, max-age=604800, immutable";
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
- add_header X-Content-Type-Options "nosniff";
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Content-Security-Policy "default-src 'self' *.sbr.pm *.sbr.systems *.demeester.fr";
- add_header X-XSS-Protection "1; mode=block";
- '';
-
- nginx = pkgs.nginxMainline.override (_old: {
- modules = with pkgs.nginxModules; [
- fancyindex
- ];
- });
-
- filesWWW = {
- enableACME = true;
- forceSSL = true;
- root = "/var/www/dl.sbr.pm";
- locations."/" = {
- index = "index.html";
- extraConfig = ''
- fancyindex on;
- fancyindex_localtime on;
- fancyindex_exact_size off;
- fancyindex_header "/.fancyindex/header.html";
- fancyindex_footer "/.fancyindex/footer.html";
- # fancyindex_ignore "examplefile.html";
- fancyindex_ignore "README.md";
- fancyindex_ignore "HEADER.md";
- fancyindex_ignore ".fancyindex";
- fancyindex_name_length 255;
- '';
- };
- locations."/private" = {
- extraConfig = ''
- auth_basic "Restricted";
- auth_basic_user_file /var/www/dl.sbr.pm/private/.htpasswd;
- '';
- };
- extraConfig = nginxExtraConfig;
- };
-in
-{
- imports = [
- (import ../../users/vincent)
- (import ../../users/root)
- ];
-
- networking.hostName = hostname;
-
- ## From qemu-quest.nix
- boot.initrd.availableKernelModules = [
- "virtio_net"
- "virtio_pci"
- "virtio_mmio"
- "virtio_blk"
- "virtio_scsi"
- "9p"
- "9pnet_virtio"
- ];
- boot.initrd.kernelModules = [
- "virtio_balloon"
- "virtio_console"
- "virtio_rng"
- ];
-
- boot.initrd.postDeviceCommands = ''
- # Set the system time from the hardware clock to work around a
- # bug in qemu-kvm > 1.5.2 (where the VM clock is initialised
- # to the *boot time* of the host).
- hwclock -s
- '';
-
- # START OF DigitalOcean specifics
- # FIXME: move this into a secret ?
- # This file was populated at runtime with the networking
- # details gathered from the active system.
- networking = {
- nameservers = [
- "67.207.67.2"
- "67.207.67.3"
- ];
- defaultGateway = "188.166.64.1";
- defaultGateway6 = "";
- dhcpcd.enable = false;
- usePredictableInterfaceNames = lib.mkForce true;
- interfaces = {
- eth0 = {
- ipv4.addresses = [
- {
- address = "188.166.102.243";
- prefixLength = 18;
- }
- {
- address = "10.18.0.5";
- prefixLength = 16;
- }
- ];
- ipv6.addresses = [
- {
- address = "fe80::8035:3aff:fe72:1036";
- prefixLength = 64;
- }
- ];
- };
-
- };
- };
- services.udev.extraRules = ''
- ATTR{address}=="82:35:3a:72:10:36", NAME="eth0"
-
- '';
- # END OF DigitalOcean specifics
-
- boot.loader.grub.device = "/dev/vda";
- boot.loader.grub.enable = lib.mkForce true;
- boot.loader.systemd-boot.enable = lib.mkForce false;
- fileSystems."/" = {
- device = "/dev/vda1";
- fsType = "ext4";
- };
- swapDevices = [
- {
- device = "/swapfile";
- size = 1024;
- }
- ];
-
- core.nix = {
- # FIXME move this away
- localCaches = [ ];
- buildCores = 1;
- };
-
- modules.services = {
- wireguard.server.enable = true;
- syncthing = {
- enable = true;
- guiAddress = "${metadata.hosts.kerkouane.wireguard.addrs.v4}:8384";
- };
- ssh = {
- enable = true;
- extraConfig = ''
- Match User nginx
- ChrootDirectory /var/www
- ForceCommand interfal-sftp
- AllowTcpForwarding no
- PermitTunnel no
- X11Forwarding no
- '';
- };
- };
-
- networking.firewall.allowPing = true;
- networking.firewall.allowedTCPPorts = [
- 80
- 443
- ];
- security = {
- acme = {
- acceptTerms = true;
- email = "vincent@sbr.pm";
- };
- #acme.certs = {
- # "sbr.pm".email = "vincent@sbr.pm";
- #};
- };
- security.pam.enableSSHAgentAuth = true;
- #systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
- services = {
- prometheus.exporters = {
- node = {
- enable = true;
- port = 9000;
- enabledCollectors = [
- "systemd"
- "processes"
- ];
- extraFlags = [
- "--collector.ethtool"
- "--collector.softirqs"
- "--collector.tcpstat"
- ];
- };
- nginx = {
- enable = true;
- port = 9001;
- };
- # wireguard = { enable = true; };
- };
- gosmee = {
- enable = true;
- public-url = "https://webhook.sbr.pm";
- };
- govanityurl = {
- enable = true;
- user = "nginx";
- host = "go.sbr.pm";
- config = ''
- paths:
- /lord:
- repo: https://github.com/vdemeester/lord
- /ape:
- repo: https://git.sr.ht/~vdemeester/ape
- /nr:
- repo: https://git.sr.ht/~vdemeester/nr
- /ram:
- repo: https://git.sr.ht/~vdemeester/ram
- /sec:
- repo: https://git.sr.ht/~vdemeester/sec
- '';
- };
- nginx = {
- enable = true;
- statusPage = true;
- package = nginx;
- recommendedGzipSettings = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- virtualHosts."dl.sbr.pm" = filesWWW;
- virtualHosts."files.sbr.pm" = filesWWW;
- virtualHosts."paste.sbr.pm" = {
- enableACME = true;
- forceSSL = true;
- root = "/var/www/paste.sbr.pm";
- locations."/" = {
- index = "index.html";
- };
- extraConfig = nginxExtraConfig;
- };
- virtualHosts."go.sbr.pm" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:8080";
- };
- extraConfig = nginxExtraConfig;
- };
- virtualHosts."whoami.sbr.pm" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://10.100.0.8:80";
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
- '';
- };
- };
- virtualHosts."webhook.sbr.pm" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:3333";
- extraConfig = ''
- proxy_buffering off;
- proxy_cache off;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header Connection "";
- proxy_http_version 1.1;
- chunked_transfer_encoding off;
- '';
- };
- };
- virtualHosts."sbr.pm" = {
- enableACME = true;
- forceSSL = true;
- root = "/var/www/sbr.pm";
- locations."/" = {
- index = "index.html";
- };
- extraConfig = nginxExtraConfig;
- };
- virtualHosts."sbr.systems" = {
- enableACME = true;
- forceSSL = true;
- root = "/var/www/sbr.systems";
- locations."/" = {
- index = "index.html";
- };
- extraConfig = nginxExtraConfig;
- };
- virtualHosts."vincent.demeester.fr" = {
- enableACME = true;
- forceSSL = true;
- root = "/var/www/vincent.demeester.fr";
- locations."/" = {
- index = "index.html";
- extraConfig = ''
- default_type text/html;
- try_files $uri $uri.html $uri/ = 404;
- fancyindex on;
- fancyindex_localtime on;
- fancyindex_exact_size off;
- fancyindex_header "/assets/.fancyindex/header.html";
- fancyindex_footer "/assets/.fancyindex/footer.html";
- # fancyindex_ignore "examplefile.html";
- fancyindex_ignore "README.md";
- fancyindex_ignore "HEADER.md";
- fancyindex_ignore ".fancyindex";
- fancyindex_name_length 255;
- '';
- };
- extraConfig = nginxExtraConfig;
- };
- };
- openssh = {
- listenAddresses = [
- {
- addr = wireguardIp;
- port = 22;
- }
- ];
- openFirewall = false;
- passwordAuthentication = false;
- permitRootLogin = "without-password";
- };
- };
-}
systems/hosts/okinawa.nix
@@ -1,35 +0,0 @@
-{
- lib,
- pkgs,
- modulesPath,
- ...
-}:
-
-with lib;
-{
- imports = [
- "${modulesPath}/profiles/minimal.nix"
- ];
-
- wsl = {
- enable = true;
- automountPath = "/mnt";
- defaultUser = "nixos";
- startMenuLaunchers = true;
-
- # Enable integration with Docker Desktop (needs to be installed)
- # docker.enable = true;
- };
-
- environment.systemPackages = with pkgs; [
- docker-client
- git
- vim
- ];
-
- # Enable nix flakes
- nix.package = pkgs.nixFlakes;
- nix.extraOptions = ''
- experimental-features = nix-command flakes
- '';
-}
systems/hosts/wakasu.nix
@@ -1,226 +0,0 @@
-{ lib, pkgs, ... }:
-
-with lib;
-let
- hostname = "wakasu";
- secretPath = ../../secrets/machines.nix;
- secretCondition = builtins.pathExists secretPath;
-
- endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
- endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
- endpointPublicKey = strings.optionalString secretCondition (import secretPath)
- .wireguard.kerkouane.publicKey;
- metadata = importTOML ../../ops/hosts.toml;
-
- # Scripts
- officemode = pkgs.writeShellScriptBin "officemode" ''
- echo "80" > /sys/class/power_supply/BAT0/charge_control_end_threshold
- echo "70" > /sys/class/power_supply/BAT0/charge_control_start_threshold
- '';
- roadmode = pkgs.writeShellScriptBin "roadmode" ''
- echo "100" > /sys/class/power_supply/BAT0/charge_control_end_threshold
- echo "0" > /sys/class/power_supply/BAT0/charge_control_start_threshold
- '';
-in
-{
- imports = [
- ../hardware/thinkpad-x1g9.nix
- ../../users/vincent
- ../../users/root
- ];
-
- fileSystems."/" = {
- device = "/dev/mapper/root";
- # uuid: 637ee2a5-638d-46cd-8845-3cc0fa8551bd
- fsType = "ext4";
- options = [
- "noatime"
- "discard"
- ];
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/7D17-F310";
- fsType = "vfat";
- };
-
- swapDevices = [ { device = "/dev/disk/by-uuid/ab056cfc-fb17-4db7-a393-f93726cc2987"; } ];
-
- networking = {
- hostName = hostname;
- firewall.allowedTCPPortRanges = [
- {
- from = 45000;
- to = 47000;
- }
- ];
- };
-
- boot = {
- initrd = {
- luks.devices = {
- root = {
- device = "/dev/disk/by-uuid/c0cac87c-53ec-4262-9ab2-a3ee8331c75a";
- #device = "/dev/nvme0n1p1";
- preLVM = true;
- allowDiscards = true;
- keyFile = "/dev/disk/by-id/usb-_USB_DISK_2.0_070D375D84327E87-0:0";
- keyFileOffset = 30992883712;
- keyFileSize = 4096;
- fallbackToPassword = lib.mkForce true;
- };
- };
- };
- kernelPackages = pkgs.linuxPackages_latest;
- };
-
- hardware.sensor.iio.enable = true;
- hardware.sane = {
- enable = true;
- extraBackends = [ pkgs.sane-airscan ];
- };
- services.printing.enable = true;
- services.printing.drivers = [
- pkgs.gutenprint
- pkgs.gutenprintBin
- pkgs.canon-capt
- # pkgs.canon-cups-ufr2 # Doesn't compile today…
- # pkgs.cups-bjnp # Doesn't compile today
- pkgs.carps-cups
- pkgs.cnijfilter2
- ];
- services.udev.packages = [ pkgs.sane-airscan ];
- services.udev.extraRules = ''
- KERNEL=="hidraw*", ATTRS{idVendor}=="16c0", MODE="0664", GROUP="wheel"
- KERNEL=="hidraw*", ATTRS{idVendor}=="3297", MODE="0664", GROUP="wheel"
- # STM32 rules for the Moonlander and Planck EZ
- # All zsa keyboards
- SUBSYSTEM=="usb", ATTR{idVendor}=="3297", GROUP="wheel"
- # zsa moonlander
- SUBSYSTEM=="usb", ATTR{idVendor}=="3297", ATTR{idProduct}=="1969", GROUP="wheel"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE:="0666", SYMLINK+="stm32_dfu
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="3297", MODE:="0666", SYMLINK+="ignition_dfu"
-
- # Suspend the system when battery level drops to 5% or lower
- SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${pkgs.systemd}/bin/systemctl hibernate"
-
- #Flipper Zero serial port
- SUBSYSTEMS==“usb”, ATTRS{idVendor}==“0483”, ATTRS{idProduct}==“5740”, ATTRS{manufacturer}==“Flipper Devices Inc.”, TAG+=“uaccess”, GROUP=“wheel”
- #Flipper Zero DFU
- SUBSYSTEMS==“usb”, ATTRS{idVendor}==“0483”, ATTRS{idProduct}==“df11”, ATTRS{manufacturer}==“STMicroelectronics”, TAG+=“uaccess”, GROUP=“wheel”
- '';
-
- security.sudo.extraRules = [
- # Allow execution of roadmode and officemode by users in wheel, without a password
- {
- groups = [ "wheel" ];
- commands = [
- {
- command = "${officemode}/bin/officemode";
- options = [ "NOPASSWD" ];
- }
- {
- command = "${roadmode}/bin/roadmode";
- options = [ "NOPASSWD" ];
- }
- ];
- }
- ];
-
- modules = {
- core.binfmt.enable = true;
- editors.emacs.enable = true;
- editors.neovim.enable = true;
- hardware = {
- yubikey = {
- enable = true;
- u2f = true;
- };
- laptop.enable = true;
- bluetooth.enable = true;
- };
- desktop = {
- wayland.sway.enable = true;
- # wayland.hyprland.enable = true;
- };
- dev = {
- enable = true;
- containers = {
- enable = true;
- # docker.enable = true;
- podman.enable = true;
- };
- };
- profiles = {
- work.redhat = true;
- };
- services = {
- syncthing = {
- enable = true;
- guiAddress = "${metadata.hosts.wakasu.wireguard.addrs.v4}:8384";
- };
- ssh.enable = true;
- };
- virtualisation.libvirt = {
- enable = true;
- nested = true;
- };
- };
-
- # TODO Migrate to modules
- modules.profiles.home = true;
- virtualisation.podman.dockerSocket.enable = true;
- virtualisation.podman.autoPrune.enable = true;
- environment.systemPackages = with pkgs; [
- # docker client only
- (docker_27.override { clientOnly = true; })
- officemode
- roadmode
- discord
- virt-manager
- catt
- go-org-readwise
- age-plugin-tpm
- keymapp
- kontroll
- ];
-
- location.provider = "geoclue2";
- security = {
- tpm2 = {
- enable = true;
- pkcs11.enable = true;
- };
- };
- services = {
- ollama.enable = true;
- dictd = {
- enable = true;
- DBs = with pkgs.dictdDBs; [
- wiktionary
- wordnet
- fra2eng
- eng2fra
- ];
- };
- locate = {
- enable = true;
- pruneBindMounts = true;
- };
- geoclue2.enable = true;
- # clight = {
- # enable = true;
- # };
- # envfs.enable = false;
- # automatic login is "safe" as we ask for the encryption passphrase anyway..
- getty.autologinUser = "vincent";
- wireguard = {
- enable = true;
- ips = [ "${metadata.hosts.wakasu.wireguard.addrs.v4}/24" ];
- endpoint = endpointIP;
- inherit endpointPort;
- inherit endpointPublicKey;
- };
- };
-
-}