From 8fdb6d87cad64e14547516bad0ad36a7a28e8e06 Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Sun, 24 Dec 2023 17:14:10 +0100
Subject: [PATCH 1/6] Initialize defiant
---
flake.nix | 18 +++++++++++++++++
hosts/defiant/configuration.nix | 34 +++++++++++++++++++++++++++++++++
hosts/defiant/home.nix | 19 ++++++++++++++++++
3 files changed, 71 insertions(+)
create mode 100644 hosts/defiant/configuration.nix
create mode 100644 hosts/defiant/home.nix
diff --git a/flake.nix b/flake.nix
index 132a164..af69ef2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -51,6 +51,24 @@
 }
 ];
 };
+ defiant = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = {
+ inherit inputs;
+ };
+ modules = [
+ # Overlays-module makes "pkgs.unstable" available in configuration.nix
+ ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+
+ ./hosts/defiant/configuration.nix
+ sops-nix.nixosModules.sops
+ home-manager.nixosModules.home-manager {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users."felixalb" = import ./hosts/defiant/home.nix;
+ }
+ ];
+ };
 edison = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = {
diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix
new file mode 100644
index 0000000..9401246
--- /dev/null
+++ b/hosts/defiant/configuration.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [
+ ../../base.nix
+ ../../common/metrics-exporters.nix
+ ./hardware-configuration.nix
+ ];
+
+ networking = {
+ hostName = "defiant";
+ defaultGateway = "192.168.10.1";
+ interfaces.eno1.ipv4 = {
+ addresses = [
+ { address = "192.168.10.175"; prefixLength = 24; }
+ ];
+ };
+ hostId = "8e84f235";
+ };
+
+ # sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
+
+ environment.variables = { EDITOR = "vim"; };
+ environment.systemPackages = with pkgs; [
+ zfs
+ ];
+
+ virtualisation.docker.enable = true;
+ virtualisation.oci-containers.backend = "docker";
+
+ system.stateVersion = "23.11";
+}
+
diff --git a/hosts/defiant/home.nix b/hosts/defiant/home.nix
new file mode 100644
index 0000000..84fa68e
--- /dev/null
+++ b/hosts/defiant/home.nix
@@ -0,0 +1,19 @@
+{ pkgs, lib, ... }:
+{
+ home.packages = with pkgs; [
+ bat
+ bottom
+ ncdu
+ neofetch
+ ];
+
+ imports = [
+ ./../../home/base.nix
+ ];
+
+ programs = {
+ zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+ };
+
+ home.stateVersion = "23.05";
+}
-- 2.44.1
From fe030b5d05ba16e84f6a316854b704ba5e39bdd7 Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Sun, 24 Dec 2023 17:40:47 +0100
Subject: [PATCH 2/6] defiant: add hardware config
---
hosts/defiant/configuration.nix | 2 +-
hosts/defiant/hardware-configuration.nix | 33 ++++++++++++++++++++++++
2 files changed, 34 insertions(+), 1 deletion(-)
create mode 100644 hosts/defiant/hardware-configuration.nix
diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix
index 9401246..9e6548d 100644
--- a/hosts/defiant/configuration.nix
+++ b/hosts/defiant/configuration.nix
@@ -11,7 +11,7 @@
 networking = {
 hostName = "defiant";
 defaultGateway = "192.168.10.1";
- interfaces.eno1.ipv4 = {
+ interfaces.enp3s0.ipv4 = {
 addresses = [
 { address = "192.168.10.175"; prefixLength = 24; }
 ];
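Review bot: `virtualisation.docker.enable = true` in configuration.nix starts a daemon that manages its own iptables chains, so any container port published with `ports = [ ... ]` becomes reachable regardless of `networking.firewall.allowedTCPPorts`; nothing in the file says so, and the service files later in this series lean on that firewall list for their "internal vs public" split. A comment next to the line would stop the next reader from assuming the firewall gates published ports: `# Docker installs its own iptables rules: published container ports bypass networking.firewall, so always bind them to 127.0.0.0/8 or an explicit LAN address`. No users are added to the docker group here, which is the right default since membership is root-equivalent. The `zfs` package is installed although the hardware configuration in the next patch shows a plain ext4 root, so presumably it is for an external pool - worth a one-line comment as well.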
diff --git a/hosts/defiant/hardware-configuration.nix b/hosts/defiant/hardware-configuration.nix new file mode 100644 index 0000000..48638cd --- /dev/null +++ b/hosts/defiant/hardware-configuration.nix @@ -0,0 +1,33 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/45ceae6b-cf6d-42d6-9694-d14c1d42b49f"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/DDDC-5C0C"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + networking.useDHCP = lib.mkDefault false; + # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} -- 2.44.1 From ffceacfbc0df185d385ccb4eaebc353da1763745 Mon Sep 17 00:00:00 2001 
From: Felix Albrigtsen Date: Mon, 25 Dec 2023 00:06:26 +0100 Subject: [PATCH 3/6] defiant: Configure matrix-synapse. Remove janeway. --- .sops.yaml | 15 ++++--- flake.nix | 15 +------ hosts/defiant/configuration.nix | 8 +++- .../services/matrix-synapse.nix | 7 ++-- hosts/defiant/services/nginx.nix | 30 ++++++++++++++ .../services/postgresql.nix | 0 hosts/janeway/configuration.nix | 40 ------------------- hosts/janeway/services/bridge-discord.nix | 33 --------------- hosts/janeway/services/nginx.nix | 19 --------- secrets/defiant/defiant.yaml | 32 +++++++++++++++ 10 files changed, 80 insertions(+), 119 deletions(-) rename hosts/{janeway => defiant}/services/matrix-synapse.nix (92%) create mode 100644 hosts/defiant/services/nginx.nix rename hosts/{janeway => defiant}/services/postgresql.nix (100%) delete mode 100644 hosts/janeway/configuration.nix delete mode 100644 hosts/janeway/services/bridge-discord.nix delete mode 100644 hosts/janeway/services/nginx.nix create mode 100644 secrets/defiant/defiant.yaml diff --git a/.sops.yaml b/.sops.yaml index c498892..5440fce 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -3,7 +3,7 @@ keys: - &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu - &host_sarek age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk - - &host_janeway age1sjk38fy5dk2nn0q0rmxuvr9uw3ttgz7mq4632f8jllzqryft0y3s46j65k + - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64 creation_rules: # Global secrets @@ -21,16 +21,15 @@ creation_rules: - *user_felixalb_old - *user_felixalb + - path_regex: secrets/defiant/[^/]+\.yaml$ + key_groups: + - age: + - *host_defiant + - *user_felixalb + - path_regex: secrets/sarek/[^/]+\.yaml$ key_groups: - age: - *host_sarek - *user_felixalb_old - *user_felixalb - - - path_regex: secrets/janeway/[^/]+\.yaml$ - key_groups: - - age: - - *host_janeway - - *user_felixalb_old - - *user_felixalb 
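Review bot: Dropping `*host_janeway` from `keys:` and the `secrets/janeway/` creation rule re-encrypts nothing already on disk, and this patch's diffstat shows no deletion of `secrets/janeway/janeway.yaml`, so that file stays in the repository decryptable by the retired host's age key. Either delete it in this commit or run `sops updatekeys` on it so the janeway recipient stanza goes away. The `matrix/synapse/registrationsecret` now encrypted into `secrets/defiant/defiant.yaml` presumably carries over from janeway; if it is the same value, rotate it, because a registration shared secret is open registration for whoever still holds janeway's key or disk image. Dropping `*user_felixalb_old` from the new defiant rule is a sensible narrowing.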
diff --git a/flake.nix b/flake.nix
index af69ef2..3351400 100644
--- a/flake.nix
+++ b/flake.nix
@@ -62,6 +62,7 @@
 ./hosts/defiant/configuration.nix
 sops-nix.nixosModules.sops
+ matrix-synapse-next.nixosModules.default
 home-manager.nixosModules.home-manager {
 home-manager.useGlobalPkgs = true;
 home-manager.useUserPackages = true;
@@ -105,20 +106,6 @@
 }
 ];
 };
- janeway = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- specialArgs = {
- inherit inputs;
- };
- modules = [
- # Overlays-module makes "pkgs.unstable" available in configuration.nix
- ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
-
- ./hosts/janeway/configuration.nix
- sops-nix.nixosModules.sops
- matrix-synapse-next.nixosModules.default
- ];
- };
 redshirt = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = {
diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix
index 9e6548d..2be9052 100644
--- a/hosts/defiant/configuration.nix
+++ b/hosts/defiant/configuration.nix
@@ -6,6 +6,10 @@
 ../../base.nix
 ../../common/metrics-exporters.nix
 ./hardware-configuration.nix
+
+ ./services/postgresql.nix
+ ./services/nginx.nix
+ ./services/matrix-synapse.nix
 ];
 networking = {
@@ -13,13 +17,13 @@
 defaultGateway = "192.168.10.1";
 interfaces.enp3s0.ipv4 = {
 addresses = [
- { address = "192.168.10.175"; prefixLength = 24; }
+ { address = "192.168.10.175"; prefixLength = 24; } # Main IP for defiant, internal
 ];
 };
 hostId = "8e84f235";
 };
- # sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
+ sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
 environment.variables = { EDITOR = "vim"; };
 environment.systemPackages = with pkgs; [
diff --git a/hosts/janeway/services/matrix-synapse.nix b/hosts/defiant/services/matrix-synapse.nix
similarity index 92%
rename from hosts/janeway/services/matrix-synapse.nix
rename to hosts/defiant/services/matrix-synapse.nix
index 61897af..f534cff 100644
--- a/hosts/janeway/services/matrix-synapse.nix
+++ b/hosts/defiant/services/matrix-synapse.nix
@@ -73,11 +73,12 @@
 };
 services.redis.servers."".enable = true;
- networking.firewall.allowedTCPPorts = [ 80 443 ];
 services.nginx.virtualHosts."matrix.feal.no" = {
- enableACME = lib.mkForce false;
- forceSSL = lib.mkForce false;
+ listen = [
+ { addr = "192.168.10.175"; port = 43443; ssl = true; }
+ { addr = "192.168.10.175"; port = 43080; ssl = false; }
+ ];
 };
 }
diff --git a/hosts/defiant/services/nginx.nix b/hosts/defiant/services/nginx.nix
new file mode 100644
index 0000000..8ef3566
--- /dev/null
+++ b/hosts/defiant/services/nginx.nix
@@ -0,0 +1,30 @@
+{ config, values, ... }:
+{
+ services.nginx = {
+ enable = true;
+ enableReload = true;
+
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+
+ defaultListen = [
+ {
+ addr = "192.168.10.175";
+ port = "80";
+ ssl = false;
+ }
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80 443 # Internal / Default
+ 43080 43443 # External / Publicly exposed
+ ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "felix@albrigtsen.it";
+ };
+}
diff --git a/hosts/janeway/services/postgresql.nix b/hosts/defiant/services/postgresql.nix
similarity index 100%
rename from hosts/janeway/services/postgresql.nix
rename to hosts/defiant/services/postgresql.nix
diff --git a/hosts/janeway/configuration.nix b/hosts/janeway/configuration.nix
deleted file mode 100644
index 60c35f0..0000000
--- a/hosts/janeway/configuration.nix
+++ /dev/null
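Review bot: The `matrix.feal.no` listen block now carries `ssl = true` on 43443 while `enableACME`/`forceSSL` are no longer mentioned in this hunk; the removed `lib.mkForce false` lines suggest they are set to true further up in this file or by the matrix-synapse-next module, both outside the hunk, so please confirm, because a listen entry with `ssl = true` and no certificate fails nginx's configuration check. With the vhost pinned to 43080/43443, the HTTP-01 challenge for matrix.feal.no can only be answered on 43080, so issuance now depends on the router forwarding public :80 to 43080 - record that next to the listen list: `# ACME HTTP-01 is answered on :43080; the router must forward WAN 80/443 -> 43080/43443`. Moving the firewall ports into nginx.nix is fine. The enclosing `services.nginx.virtualHosts` definition starts before line 73, outside the hunk.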
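Review bot: The split between the "Internal" sockets (`defaultListen` on :80) and the "Publicly exposed" ones (43080/43443) holds only because nginx matches `server_name` within one address:port and because the router is assumed to forward nothing to 80/443; a request arriving on 43443 with an unknown Host header is answered by whichever public vhost nginx picks as default, and a forwarded :80 would expose every internal vhost. Add a catch-all for the public sockets so unknown names are refused rather than falling through, and state the router assumption beside the firewall list (`# 43080/43443 are the only ports the router forwards; 80/443 stay LAN-only`). Opening 443 while nothing in this file listens on it is harmless but misleading. The `rejectSSL` form below assumes that option exists in the pinned nixpkgs; otherwise a plain `default = true` vhost returning 444 does the job.
```nix
# … unchanged: services.nginx = { … defaultListen … }; …
services.nginx.virtualHosts."public-default" = {
  default = true;
  listen = [
    { addr = "192.168.10.175"; port = 43443; ssl = true; }
    { addr = "192.168.10.175"; port = 43080; ssl = false; }
  ];
  rejectSSL = true;               # refuse TLS handshakes for unknown SNI names
  locations."/".return = "444";   # drop plain-HTTP requests for unknown hosts
};
# … unchanged: networking.firewall.allowedTCPPorts, security.acme …
```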
@@ -1,40 +0,0 @@ -{ config, pkgs, lib, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ../../base.nix - ../../common/metrics-exporters.nix - - ./services/nginx.nix - ./services/postgresql.nix - ./services/matrix-synapse.nix - ]; - - # Boot and console is handled by proxmoxLXC. - boot.loader.systemd-boot.enable = lib.mkForce false; # Enabled in base.nix, forced off here. - - # Override proxmox networking - proxmoxLXC.manageNetwork = true; - networking = { - hostName = "janeway"; - defaultGateway = "192.168.10.1"; - interfaces."eth0".ipv4 = { - addresses = [ - { address = "192.168.10.183"; prefixLength = 24; } - ]; - }; - hostId = "bed956ff"; - }; - - environment.systemPackages = with pkgs; [ - vim - bottom - ]; - - sops.defaultSopsFile = ../../secrets/janeway/janeway.yaml; - - system.stateVersion = "23.05"; -} - diff --git a/hosts/janeway/services/bridge-discord.nix b/hosts/janeway/services/bridge-discord.nix deleted file mode 100644 index 0d5586c..0000000 --- a/hosts/janeway/services/bridge-discord.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ config, pkgs, ... }: - -{ - services.mx-puppet-discord = { - enable = true; - - serviceDependencies = [ - "matrix-synapse.service" - "postgresql.service" - ]; - - settings = { - bridge = { - bindAddress = "localhost"; - domain = "feal.no"; - homeserverUrl = "https://matrix.feal.no"; - # homeserverUrl = "http://127.0.1.2:8008"; - - port = 8434; - enableGroupSync = true; - }; - - database.connString = "postgresql://mx-puppet-discord@localhost/mx-puppet-discord?sslmode=disable"; - - provisioning.whitelist = [ "@felixalb:feal\\.no" ]; - relay.whitelist = [ ".*" ]; - selfService.whitelist = [ "@felixalb:feal\\.no" ]; - - }; - }; - - services.matrix-synapse.settings.app_service_config_files = [ /var/lib/mx-puppet-discord/discord-registration.yaml ]; -} diff --git a/hosts/janeway/services/nginx.nix b/hosts/janeway/services/nginx.nix deleted file mode 100644 index 4c376d7..0000000 
--- a/hosts/janeway/services/nginx.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, values, ... }: -{ - services.nginx = { - enable = true; - enableReload = true; - - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - /* security.acme = { */ - /* acceptTerms = true; */ - /* email = "felix@albrigtsen.it"; */ - /* }; */ -} diff --git a/secrets/defiant/defiant.yaml b/secrets/defiant/defiant.yaml new file mode 100644 index 0000000..eb1e2a5 --- /dev/null +++ b/secrets/defiant/defiant.yaml 
@@ -0,0 +1,32 @@ +matrix: + synapse: + registrationsecret: ENC[AES256_GCM,data:6gRW6t080VSyNRAmIrMqXL/oj7dj0JbcQekG3lac7zcdvJbgkUaqEGoWdrym2XiEOSLBOVMthnpLdalC2wcyJdmxB7xMNsYS4RfjR3PMKIo1Ap7JSmuKBl3eeaOalHk=,iv:dZl4/qFMoqEbSwL4JF/sjG21e6DuKVxbXwrGHkxfW4U=,tag:LWdCcmUUeTO4YAHkHOSJuw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhQXEzMHQzaTU2YW85Yjhh + eDZ1eG15UytULzhYaTBZemlRak5USmVrMlhRCmtOUmNqYS9xa0VHU2J1V0E0NjN0 + ZDRhek9xNXJNY0FhZUJCVjJpYW1ZNHcKLS0tIER3OFlyV2Q3b2l0RkkzVkZMaHdt + MHI3WEV0RnZvWGw5a3BIV21kMlJxdU0Kpa1mjuwYoyk8Qfsst1k/pGGONYQf/sdZ + kfTZV2btleBISsP5aBDTF+I4AJZesumJuNVA0gPsI88GaQuf3rqb8w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRi9mRDMvcDhBN3RVcG90 + Q2Y5NGhTVmVOaW9VRTl0R25QQXJsb2FQOTFrCnNsL0M2OTQ1KzJKSXJaVlVrL01v + R1RnOURGcDU3V2JldTdlRitQeDBIZE0KLS0tIHB2T3ZGQjZZRUlUL0FUSzhoZ1Ez + RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A + fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-24T17:26:56Z" + mac: ENC[AES256_GCM,data:lj6GLwoKmDyZ7Gs7X4LOl531jHXn/yiollTFtKNTRfXKoayg40edWuyZR4eQBUWyjmznWeWSB7DT4L82S5DX6NNEqzBFMBlPFrz6DLDfWW/nMdmHW3l7tPxydm8BbmVi1kvp6W7JnHeA3dTaHyMaq5mwwPxhui64joN7964ABWA=,iv:TeESIqgS4ml7cYERq8+NItIjU+HLuxhXdzGMErcSrjg=,tag:fCIHhf77O6SjY9KjHVdrYw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 -- 2.44.1 From 361a6c5eb0058de0f96a58e45441c0a297ba1116 Mon Sep 17 00:00:00 2001 From: Felix Albrigtsen Date: Mon, 25 Dec 2023 00:10:00 +0100 Subject: [PATCH 4/6] update readme --- README.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) 
diff --git a/README.md b/README.md index ade818e..6a4192e 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,10 @@ -# Work In Progress! -Notice, these things might be missing: -- Functionality -- Style -- Safety +## Felixalbs nixos config + +Contains configurations for some nixos servers, some nixos desktops and a [nix-darwin](https://github.com/LnL7/nix-darwin) host. +Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix). ### Build: -- Build locally on another machine (verify) +- Build locally on another machine: ``` nix --extra-experimental-features "nix-command flakes" build ".#nixosConfigurations.sarek.config.system.build.toplevel" ``` -- 2.44.1 From ad40d92dff27f73eadd90880c777648cc097eec1 Mon Sep 17 00:00:00 2001 
From: Felix Albrigtsen Date: Mon, 25 Dec 2023 01:37:05 +0100 Subject: [PATCH 5/6] Move more services to defiant. Remove sarek. --- .sops.yaml | 8 -- flake.nix | 18 ---- hosts/defiant/configuration.nix | 3 + hosts/defiant/hardware-configuration.nix | 27 +++--- hosts/defiant/services/flame.nix | 22 +++++ hosts/defiant/services/hedgedoc.nix | 117 +++++++++++++++++++++++ hosts/defiant/services/nginx.nix | 20 +++- hosts/defiant/services/pihole.nix | 30 ++++++ hosts/defiant/services/postgresql.nix | 3 +- hosts/sarek/configuration.nix | 54 ----------- hosts/sarek/home.nix | 20 ---- hosts/sarek/services/flame.nix | 24 ----- hosts/sarek/services/hedgedoc.nix | 94 ------------------ hosts/sarek/services/nginx.nix | 19 ---- hosts/sarek/services/postgresql.nix | 22 ----- hosts/worf/configuration.nix | 2 +- secrets/defiant/defiant.yaml | 6 +- 17 files changed, 212 insertions(+), 277 deletions(-) create mode 100644 hosts/defiant/services/flame.nix create mode 100644 hosts/defiant/services/hedgedoc.nix create mode 100644 hosts/defiant/services/pihole.nix delete mode 100644 hosts/sarek/configuration.nix delete mode 100644 hosts/sarek/home.nix delete mode 100644 hosts/sarek/services/flame.nix delete mode 100644 hosts/sarek/services/hedgedoc.nix delete mode 100644 hosts/sarek/services/nginx.nix delete mode 100644 hosts/sarek/services/postgresql.nix diff --git a/.sops.yaml b/.sops.yaml index 5440fce..22aa91b 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,7 +2,6 @@ keys: - &user_felixalb_old age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw - &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu - - &host_sarek age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64 creation_rules: 
@@ -26,10 +25,3 @@ creation_rules: - age: - *host_defiant - *user_felixalb - - - path_regex: secrets/sarek/[^/]+\.yaml$ - key_groups: - - age: - - *host_sarek - - *user_felixalb_old - - *user_felixalb diff --git a/flake.nix b/flake.nix index 3351400..0fbbc8e 100644 --- a/flake.nix +++ b/flake.nix @@ -88,24 +88,6 @@ } ]; }; - sarek = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { - inherit inputs; - }; - modules = [ - # Overlays-module makes "pkgs.unstable" available in configuration.nix - ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; }) - - ./hosts/sarek/configuration.nix - sops-nix.nixosModules.sops - home-manager.nixosModules.home-manager { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users."felixalb" = import ./hosts/sarek/home.nix; - } - ]; - }; redshirt = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix index 2be9052..776c5c0 100644 --- a/hosts/defiant/configuration.nix +++ b/hosts/defiant/configuration.nix @@ -10,6 +10,9 @@ ./services/postgresql.nix ./services/nginx.nix ./services/matrix-synapse.nix + ./services/flame.nix + ./services/hedgedoc.nix + ./services/pihole.nix ]; networking = { diff --git a/hosts/defiant/hardware-configuration.nix b/hosts/defiant/hardware-configuration.nix index 48638cd..05ce9bc 100644 --- a/hosts/defiant/hardware-configuration.nix +++ b/hosts/defiant/hardware-configuration.nix 
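Review bot: As with janeway two patches earlier, `*host_sarek` is removed from the recipients but this patch's diffstat does not delete `secrets/sarek/sarek.yaml`, so the sarek-encrypted copy of `hedgedoc/env` (session secret and OAuth2 client secret, per the comment in hedgedoc.nix) stays readable by the retired host key. If the values added to `secrets/defiant/defiant.yaml` were copied rather than regenerated, regenerate them - a HedgeDoc session secret in particular costs nothing to rotate beyond logging users out - and delete or `sops updatekeys` the sarek file in the same change.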
@@ -4,26 +4,29 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
 boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ "kvm-amd" ];
 boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/45ceae6b-cf6d-42d6-9694-d14c1d42b49f";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/45ceae6b-cf6d-42d6-9694-d14c1d42b49f";
+ fsType = "ext4";
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/DDDC-5C0C";
- fsType = "vfat";
- };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/DDDC-5C0C";
+ fsType = "vfat";
+ };
- swapDevices = [ ];
+ swapDevices = [ {
+ device = "/swapfile";
+ size = 8*1024;
+ } ];
 networking.useDHCP = lib.mkDefault false;
 # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
diff --git a/hosts/defiant/services/flame.nix b/hosts/defiant/services/flame.nix
new file mode 100644
index 0000000..c7e7659
--- /dev/null
+++ b/hosts/defiant/services/flame.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+let
+ domain = "flame.home.feal.no";
+ host = "127.0.1.2";
+ port = "5005";
+in {
+ # Flame - Homelab dashboard/linktree
+ virtualisation.oci-containers.containers = {
+ flame = {
+ image = "pawelmalak/flame";
+ ports = [ "${host}:${port}:5005" ];
+ volumes = [
+ "/var/lib/flame/data:/app/data/"
+ ];
+ };
+ };
+
+ services.nginx.virtualHosts."${domain}" = {
+ locations."/".proxyPass = "http://${host}:${port}";
+ };
+}
+
diff --git a/hosts/defiant/services/hedgedoc.nix b/hosts/defiant/services/hedgedoc.nix
new file mode 100644
index 0000000..e5b50ce
--- /dev/null
+++ b/hosts/defiant/services/hedgedoc.nix
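Review bot: The new 8 GiB `/swapfile` sits on the ext4 root declared just above it, which has no LUKS or other encryption layer in this file, so anything the kernel pages out - sops-decrypted secrets, Synapse and HedgeDoc session state, PostgreSQL buffers - persists in plaintext on disk across reboots. If full-disk encryption is not planned, NixOS can key the swap with a random per-boot key: `swapDevices = [ { device = "/swapfile"; size = 8*1024; randomEncryption.enable = true; } ];` - confirm in the pinned nixpkgs that `randomEncryption` accepts a file-backed device, since it historically targeted partitions. The header still says the file is generated and must not be modified, yet it has now been hand-edited (swap entry, reformatting); drop those three comment lines or move the swap entry to configuration.nix so the next `nixos-generate-config` run cannot silently revert it.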
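Review bot: `image = "pawelmalak/flame"` carries no tag or digest, so every pull resolves `latest` and the host silently runs whatever the registry serves next; for a service reachable by name on the LAN, pin it (`image = "pawelmalak/flame:<version>@sha256:<digest>"`) so an upgrade becomes a reviewed change in this repository. Publishing on `127.0.1.2` and fronting it with nginx is the right shape; because the vhost sets no `listen`, it inherits `defaultListen` and serves plain HTTP on the LAN address only, which is worth stating in the `# Flame` comment. `/var/lib/flame/data` is bind-mounted with no ownership set up, so if the image runs as root (check its Dockerfile) the directory will be root-owned on the host - acceptable, but make it a deliberate choice.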
@@ -0,0 +1,117 @@
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.services.hedgedoc.settings;
+ domain = "md.feal.no";
+ port = 3300;
+ host = "127.0.1.2";
+ authServerUrl = "https://auth.feal.no";
+in {
+ # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
+ sops.secrets."hedgedoc/env" = {
+ restartUnits = [ "hedgedoc.service" ];
+ };
+
+ services.hedgedoc = {
+ enable = true;
+ environmentFile = config.sops.secrets."hedgedoc/env".path;
+ settings = {
+ inherit domain port host;
+ protocolUseSSL = true;
+ sessionSecret = "$CMD_SESSION_SECRET";
+
+ allowFreeURL = true;
+ allowAnonymous = false;
+ allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
+
+ # dbURL = "postgres://hedgedoc@localhost/hedgedoc";
+ db = {
+ username = "hedgedoc";
+ database = "hedgedoc";
+ host = "/run/postgresql";
+ dialect = "postgresql";
+ };
+
+ email = false;
+ oauth2 = {
+ baseURL = "${authServerUrl}/oauth2";
+ tokenURL = "${authServerUrl}/oauth2/token";
+ authorizationURL = "${authServerUrl}/ui/oauth2";
+ userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
+
+ clientID = "hedgedoc";
+ clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
+ scope = "openid email profile";
+ userProfileUsernameAttr = "name";
+ userProfileEmailAttr = "email";
+ userProfileDisplayNameAttr = "displayname";
+
+ providerName = "KaniDM";
+ };
+ };
+ };
+
+ systemd.services.hedgedoc = {
+ requires = [
+ "postgresql.service"
+ # "kanidm.service"
+ ];
+ serviceConfig = let
+ workDir = "/var/lib/hedgedoc";
+ in {
+ WorkingDirectory = lib.mkForce workDir;
+ StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
+
+ # Better safe than sorry :)
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ ReadWritePaths = [ workDir ];
+ RemoveIPC = true;
+ RestrictSUIDSGID = true;
+ UMask = "0007";
+ RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+ SystemCallArchitectures = "native";
+ # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
+ };
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ "hedgedoc" ];
+ ensureUsers = [{
+ name = "hedgedoc";
+ ensureDBOwnership = true;
+ }];
+ };
+
+ services.nginx.virtualHosts."${domain}" = {
+ listen = [
+ { addr = "192.168.10.175"; port = 43443; ssl = true; }
+ { addr = "192.168.10.175"; port = 43080; ssl = false; }
+ ];
+
+ enableACME = true;
+ forceSSL = true;
+
+ locations = {
+ "/" = {
+ proxyPass = "http://${host}:${toString port}";
+ };
+ "/socket.io" = {
+ proxyPass = "http://${host}:${toString port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+}
diff --git a/hosts/defiant/services/nginx.nix b/hosts/defiant/services/nginx.nix
index 8ef3566..e15e7c5 100644
--- a/hosts/defiant/services/nginx.nix
+++ b/hosts/defiant/services/nginx.nix
@@ -12,7 +12,7 @@
 defaultListen = [
 {
 addr = "192.168.10.175";
- port = "80";
+ port = 80;
 ssl = false;
 }
 ];
@@ -27,4 +27,22 @@
 acceptTerms = true;
 defaults.email = "felix@albrigtsen.it";
 };
+
+ # Publicly exposed services:
+
+ services.nginx.virtualHosts = let
+ publicProxy = upstream: {
+ listen = [
+ { addr = "192.168.10.175"; port = 43443; ssl = true; }
+ { addr = "192.168.10.175"; port = 43080; ssl = false; }
+ ];
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/".proxyPass = "${upstream}";
+ };
+ in {
+ "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
+ # "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";
+ };
 }
diff --git a/hosts/defiant/services/pihole.nix b/hosts/defiant/services/pihole.nix
new file mode 100644
index 0000000..b869826
--- /dev/null
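Review bot: `requires = [ "postgresql.service" ]` without a matching `after` creates only the dependency, not the ordering, so systemd may start hedgedoc concurrently with PostgreSQL and the first connection to `/run/postgresql` can fail at boot; add `after = [ "postgresql.service" ];` beside it (unless the NixOS hedgedoc module already orders it, which it does not appear to from here). `RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]` works because systemd splits the value on whitespace, but it should be three list elements like `StateDirectory` above. The commented-out `SystemCallFilter` leaves an otherwise thorough sandbox without a syscall filter; `SystemCallFilter = [ "@system-service" "~@privileged @resources" ];` is the usual starting point for a Node service and is cheap to try. With this vhost on the publicly forwarded 43443 socket, `allowFreeURL = true` together with `allowAnonymousEdits = true` means anyone on the Internet can edit notes whose permission is "freely" - fine if intended, but worth one sentence in the file now that the service sits on the public sockets.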
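Review bot: The public listen pair is now written out three times - here in `publicProxy`, in hedgedoc.nix and in matrix-synapse.nix - so a change of the forwarded ports or the address has to be repeated in three files; lift it into one binding (a `publicListen` value in a shared module, or `publicProxy` itself passed through `_module.args`) and have the other two vhosts use it. `proxyPass` to a hostname makes nginx resolve `jellyfin.home.feal.no` once at configuration load, so nginx fails to start, or keeps a stale address, if the name is not resolvable at boot; the next patch makes the Pi-hole container on this same host the first nameserver, which turns that into a real boot-order window. A `resolver`-plus-variable `proxyPass`, or simply the LAN IP, avoids it. The upstream is plain HTTP across the LAN, acceptable at home but worth a word in the `# Publicly exposed services:` comment.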
+++ b/hosts/defiant/services/pihole.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, lib, ... }:
+let
+ domain = "pihole.home.feal.no";
+ dnsHost = "192.168.10.175";
+ webuiListen = "127.0.1.2:5053";
+in {
+ # Flame - Homelab dashboard/linktree
+ virtualisation.oci-containers.containers = {
+ pihole = {
+ image = "pihole/pihole";
+ ports = [
+ "${dnsHost}:53:53/tcp"
+ "${dnsHost}:53:53/udp"
+ "${webuiListen}:80"
+ ];
+
+ environment.TZ = "Europe/Oslo";
+
+ volumes = [
+ "/var/lib/pihole/etc:/etc/pihole"
+ "/var/lib/pihole/dnsmasq:/etc/dnsmasq.d"
+ ];
+ };
+ };
+
+ services.nginx.virtualHosts."${domain}" = {
+ locations."/".proxyPass = "http://${webuiListen}";
+ };
+}
+
diff --git a/hosts/defiant/services/postgresql.nix b/hosts/defiant/services/postgresql.nix
index 83b4285..a8d8d4f 100644
--- a/hosts/defiant/services/postgresql.nix
+++ b/hosts/defiant/services/postgresql.nix
@@ -6,12 +6,11 @@
 };
 services.postgresqlBackup = {
- enable = true;
+ # enable = true;
 location = "/data/backup/postgresql/";
 startAt = "*-*-* 03:15:00";
 backupAll = true;
 };
-
 environment.systemPackages = [ config.services.postgresql.package ];
 }
diff --git a/hosts/sarek/configuration.nix b/hosts/sarek/configuration.nix
deleted file mode 100644
index 22eebbe..0000000
--- a/hosts/sarek/configuration.nix
+++ /dev/null
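Review bot: The header comment `# Flame - Homelab dashboard/linktree` is copied from flame.nix; this file defines Pi-hole, so it should read something like `# Pi-hole - LAN DNS resolver/ad-blocker; web UI proxied by nginx on ${domain}`. No `WEBPASSWORD` is set in `environment`, and the pihole image's documented behaviour in that case is to generate a random admin password at first start and print it to the container log - supply it from sops through `environmentFiles` instead, so it is known, rotated with the other secrets, and not left in `docker logs`. `image = "pihole/pihole"` is unpinned, same concern as flame.nix. Port 53 published on `192.168.10.175` is opened by Docker's own iptables rules rather than by `networking.firewall`, so only the router stands between it and the WAN.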
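Review bot: Commenting out `enable = true` switches off the nightly `postgresqlBackup` for the host that, after this patch, holds the Synapse and HedgeDoc databases, and nothing says why; the hardware configuration in the same patch declares only `/` and `/boot`, so `/data/backup/postgresql/` has no filesystem behind it, which is presumably the reason. Either add the `/data` mount and re-enable, or point `location` at a directory that exists and keep backups on, and in any case leave a note: `# enable = true; # TODO: re-enable once /data is mounted - until then this host has no DB backups`. The deleted sarek postgresql.nix used `local all all trust`; if the janeway-derived file here does the same in the lines outside this hunk, every local account can now connect as any role on a socket shared by Synapse and HedgeDoc, so consider switching to `peer`.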
@@ -1,54 +0,0 @@ -{ config, pkgs, lib, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ../../base.nix - ../../common/metrics-exporters.nix - - ./services/flame.nix - ./services/hedgedoc.nix - ./services/nginx.nix - ./services/postgresql.nix - ]; - - # Boot and console is handled by proxmoxLXC. - boot.loader.systemd-boot.enable = lib.mkForce false; # Enabled in base.nix, forced off here. - - # Override proxmox networking - proxmoxLXC.manageNetwork = true; - networking = { - hostName = "sarek"; - defaultGateway = "192.168.10.1"; - interfaces."eth0".ipv4 = { - addresses = [ - { address = "192.168.10.181"; prefixLength = 24; } - ]; - }; - hostId = "15dd36bc"; - }; - - sops.defaultSopsFile = ../../secrets/sarek/sarek.yaml; - virtualisation.docker.enable = true; - virtualisation.oci-containers.backend = "docker"; - - # Undo https://github.com/NixOS/nixpkgs/commit/59e37267556eb917146ca3110ab7c96905b9ffbd to work on unprivileged LXC containers - system.activationScripts.var = lib.mkForce '' - # Various log/runtime directories. - mkdir -p /var/tmp - chmod 1777 /var/tmp - # Empty, immutable home directory of many system accounts. - mkdir -p /var/empty - # Make sure it's really empty - ${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true - find /var/empty -mindepth 1 -delete - chmod 0555 /var/empty - chown root:root /var/empty - ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true - ''; - systemd.tmpfiles.rules = lib.mkForce []; - - system.stateVersion = "23.05"; -} - diff --git a/hosts/sarek/home.nix b/hosts/sarek/home.nix deleted file mode 100644 index bb390ad..0000000 --- a/hosts/sarek/home.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ pkgs, lib, ... }: -{ - home.packages = with pkgs; [ - bat - bottom - ncdu - neofetch - nix-index - ]; - - imports = [ - ./../../home/base.nix - ]; - - programs = { - zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; - }; - - home.stateVersion = "23.05"; -} 
diff --git a/hosts/sarek/services/flame.nix b/hosts/sarek/services/flame.nix deleted file mode 100644 index 455f8d1..0000000 --- a/hosts/sarek/services/flame.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, pkgs, lib, ... }: -let - domain = "flame.home.feal.no"; - host = "127.0.1.2"; - port = "5005"; -in { - # Flame - Homelab dashboard/linktree - virtualisation.oci-containers.containers = { - flame = { - image = "pawelmalak/flame"; - ports = [ "${host}:${port}:5005" ]; - volumes = [ - "/var/lib/flame/data:/app/data/" - ]; - }; - }; - - services.nginx.virtualHosts."${domain}" = { - locations."/" = { - proxyPass = "http://${host}:${port}"; - }; - }; - } - diff --git a/hosts/sarek/services/hedgedoc.nix b/hosts/sarek/services/hedgedoc.nix deleted file mode 100644 index a63a238..0000000 --- a/hosts/sarek/services/hedgedoc.nix +++ /dev/null 
@@ -1,94 +0,0 @@ -{ config, pkgs, lib, ... }: -let - cfg = config.services.hedgedoc.settings; - domain = "md.feal.no"; - port = 3300; - host = "0.0.0.0"; - authServerUrl = "https://auth.feal.no"; -in { - # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET - sops.secrets."hedgedoc/env" = { - restartUnits = [ "hedgedoc.service" ]; - }; - - services.hedgedoc = { - enable = true; - environmentFile = config.sops.secrets."hedgedoc/env".path; - settings = { - inherit domain port host; - protocolUseSSL = true; - sessionSecret = "$CMD_SESSION_SECRET"; - - allowFreeURL = true; - allowAnonymous = false; - allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission - - dbURL = "postgres://hedgedoc:@localhost/hedgedoc"; - - email = false; - oauth2 = { - baseURL = "${authServerUrl}/oauth2"; - tokenURL = "${authServerUrl}/oauth2/token"; - authorizationURL = "${authServerUrl}/ui/oauth2"; - userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo"; - - clientID = "hedgedoc"; - clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; - scope = "openid email profile"; - userProfileUsernameAttr = "name"; - userProfileEmailAttr = "email"; - userProfileDisplayNameAttr = "displayname"; - - providerName = "KaniDM"; - }; - - }; - }; - - systemd.services.hedgedoc = { - requires = [ - "postgresql.service" - # "kanidm.service" - ]; - serviceConfig = let - workDir = "/var/lib/hedgedoc"; - in { - WorkingDirectory = lib.mkForce workDir; - StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ]; - - # Better safe than sorry :) - CapabilityBoundingSet = ""; - LockPersonality = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateMounts = true; - PrivateTmp = true; - PrivateUsers = true; - ProtectClock = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProtectSystem = "strict"; - ReadWritePaths = [ workDir ]; - RemoveIPC = true; 
- RestrictSUIDSGID = true; - UMask = "0007"; - RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]; - SystemCallArchitectures = "native"; - # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap"; - }; - }; - - networking.firewall.allowedTCPPorts = [ port ]; - - services.postgresql = { - ensureDatabases = [ "hedgedoc" ]; - ensureUsers = [{ - name = "hedgedoc"; - ensureDBOwnership = true; - }]; - }; -} diff --git a/hosts/sarek/services/nginx.nix b/hosts/sarek/services/nginx.nix deleted file mode 100644 index 4c376d7..0000000 --- a/hosts/sarek/services/nginx.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, values, ... }: -{ - services.nginx = { - enable = true; - enableReload = true; - - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - /* security.acme = { */ - /* acceptTerms = true; */ - /* email = "felix@albrigtsen.it"; */ - /* }; */ -} diff --git a/hosts/sarek/services/postgresql.nix b/hosts/sarek/services/postgresql.nix deleted file mode 100644 index c7c804b..0000000 --- a/hosts/sarek/services/postgresql.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ config, pkgs, lib, ... }: -{ - services.postgresql = { - enable = true; - enableTCPIP = true; # Expose on the network - authentication = pkgs.lib.mkOverride 10 '' - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - ''; - }; - - services.postgresqlBackup = { - enable = true; - location = "/backup/postgresql/"; - startAt = "*-*-* 03:15:00"; - backupAll = true; - }; - - - environment.systemPackages = [ config.services.postgresql.package ]; -} diff --git a/hosts/worf/configuration.nix b/hosts/worf/configuration.nix index b8f6351..6b7af8d 100644 --- a/hosts/worf/configuration.nix +++ b/hosts/worf/configuration.nix 
@@ -34,7 +34,7 @@ sshKey = "/var/root/.ssh/nix-builder"; } { - hostName = "sarek.home.feal.no"; + hostName = "defiant.home.feal.no"; system = "x86_64-linux"; maxJobs = 6; diff --git a/secrets/defiant/defiant.yaml b/secrets/defiant/defiant.yaml index eb1e2a5..7678531 100644 --- a/secrets/defiant/defiant.yaml +++ b/secrets/defiant/defiant.yaml @@ -1,6 +1,8 @@ matrix: synapse: registrationsecret: ENC[AES256_GCM,data:6gRW6t080VSyNRAmIrMqXL/oj7dj0JbcQekG3lac7zcdvJbgkUaqEGoWdrym2XiEOSLBOVMthnpLdalC2wcyJdmxB7xMNsYS4RfjR3PMKIo1Ap7JSmuKBl3eeaOalHk=,iv:dZl4/qFMoqEbSwL4JF/sjG21e6DuKVxbXwrGHkxfW4U=,tag:LWdCcmUUeTO4YAHkHOSJuw==,type:str] +hedgedoc: + env: ENC[AES256_GCM,data:7UU8MNo3AEpG1L0lpbfow4mGsIj7qMgtldCxv2T8rimintl1PN+avb2yxXz2P+1MqxNhacYYfBn5AkVqUJvAvo/HaQmsu+M1iFuMG6vEQuMGZZ1bjcslKxjVFWe9Rxzb9O33jqielsBiUmkP7f0MoGzfdyncpRuGjge+ADL7YXdRdH2zyDLW0txM3P593MQYiGo9wzwb7ZpycX4NsuE=,iv:4QE4RwD6c7KQS/w15YP/P2u7iOTWd36/YhpA2Jtdu0U=,tag:QBvO3q5C9TK0oSeso367/Q==,type:str] sops: kms: [] gcp_kms: [] @@ -25,8 +27,8 @@ sops: RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-24T17:26:56Z" - mac: ENC[AES256_GCM,data:lj6GLwoKmDyZ7Gs7X4LOl531jHXn/yiollTFtKNTRfXKoayg40edWuyZR4eQBUWyjmznWeWSB7DT4L82S5DX6NNEqzBFMBlPFrz6DLDfWW/nMdmHW3l7tPxydm8BbmVi1kvp6W7JnHeA3dTaHyMaq5mwwPxhui64joN7964ABWA=,iv:TeESIqgS4ml7cYERq8+NItIjU+HLuxhXdzGMErcSrjg=,tag:fCIHhf77O6SjY9KjHVdrYw==,type:str] + lastmodified: "2023-12-24T23:15:29Z" + mac: ENC[AES256_GCM,data:h+omoqeN7ssm7lfF/kdUCX7umQwWtTeph2C9tJQEAP7naL+Sm5WgXl/6PYHjjDSJ8X56tQgNdA2F5P5xIwTEfi6ip0Xbqy9vL+TfqjRhaT897O9W3Gka0zKTIkLFH2klgv3FXRd1CybxfyZpuz8Gpyy/tHZMcdIbEt+snlAII/A=,iv:+MgU7SfErnTMc63liEr8SmJLAthlbG8kU/xY6fUC7jU=,tag:I56xwXpVOF38QelGqW0XPg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 -- 2.44.1 From b37ffb7bae636776225726004d01f67d59bc48e2 Mon Sep 17 00:00:00 2001 
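Review bot: Re-pointing the remote builder at `defiant.home.feal.no` changes which machine worf trusts to supply store paths, and nothing in the hunk pins the new host's SSH key; unless the unseen part of this builder entry sets `publicHostKey` or worf's root `known_hosts` already contains defiant, the first build will prompt or be accepted on first use. Add a `publicHostKey = "<base64 host key>";` line next to `sshKey`, and keep in mind that after the next patch this name resolves through the Pi-hole container running on defiant itself. The builders list continues outside the hunk.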
From: Felix Albrigtsen
Date: Mon, 25 Dec 2023 02:08:15 +0100
Subject: [PATCH 6/6] Update DNS, add wackattack proxy
---
base.nix | 2 +-
hosts/defiant/services/nginx.nix | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/base.nix b/base.nix
index 64ec6b8..8991f1c 100644
--- a/base.nix
+++ b/base.nix
@@ -6,7 +6,7 @@
 networking = {
 domain = "home.feal.no";
- nameservers = [ "192.168.10.3" "192.168.11.100" "1.1.1.1" ];
+ nameservers = [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ];
 useDHCP = lib.mkDefault false;
 };
diff --git a/hosts/defiant/services/nginx.nix b/hosts/defiant/services/nginx.nix
index e15e7c5..576537b 100644
--- a/hosts/defiant/services/nginx.nix
+++ b/hosts/defiant/services/nginx.nix
@@ -43,6 +43,6 @@
 };
 in {
 "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
- # "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";
+ "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";
 };
 }
-- 2.44.1
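Review bot: base.nix is imported by every host in this flake, so this line makes the whole fleet resolve through the Pi-hole container on defiant first, with `192.168.10.1` and `1.1.1.1` as fallbacks; resolv.conf fallback is timeout-driven rather than filtering-aware, so whenever defiant, its Docker daemon or the container is down - including defiant's own boot, where the host lists itself first - queries silently fall through to the router and then to Cloudflare, which both bypasses Pi-hole and sends `*.home.feal.no` lookups to a public resolver. If the filtering matters, keep only LAN resolvers here and make 1.1.1.1 Pi-hole's upstream instead, and consider overriding the list on defiant so the host does not depend on its own container for name resolution during boot. A comment would also help the next reader: `# 192.168.10.175 = Pi-hole on defiant; 1.1.1.1 is an unfiltered fallback`.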
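Review bot: Uncommenting `wiki.wackattack.eu` makes `publicProxy` request a Let's Encrypt certificate for a domain outside feal.no, so defiant now terminates TLS - and holds the private key - for a third party's site; that is fine as a conscious decision, but the precondition that the public record for `wiki.wackattack.eu` points at this router is recorded nowhere, and if it does not, the ACME unit will retry against Let's Encrypt's rate limits while nginx serves its placeholder certificate. A short comment on the line, `# wackattack wiki: its public DNS must point here; the cert and key live on this host`, would capture both. The upstream name `pascal.wackattack.home.feal.no` is resolved once at nginx start, same caveat as for jf.feal.no.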