From 62e2519639faa250f43f9e80e69906a59d07a44e Mon Sep 17 00:00:00 2001 
From: Grisha Shipunov Date: Sat, 11 Jan 2025 03:55:19 +0100 Subject: [PATCH] delete legacy stuff and reformat --- flake.nix | 77 +++++++------ hosts/cloud/configuration.nix | 7 +- hosts/cloud/default.nix | 5 +- hosts/cloud/hardware-configuration.nix | 14 ++- hosts/cloud/networking.nix | 5 +- hosts/minime/configuration.nix | 17 +-- hosts/minime/default.nix | 3 +- hosts/minime/hardware-configuration.nix | 93 +++++++++------ hosts/minime/networking.nix | 3 +- hosts/minime/zfs.nix | 48 +++++--- hosts/toaster/amd.nix | 23 ++-- hosts/toaster/default.nix | 3 +- hosts/toaster/hardware-configuration.nix | 104 ++++++++++------- hosts/toaster/irc.nix | 3 +- hosts/toaster/network/default.nix | 49 ++++---- hosts/toaster/network/dumpdvb.nix | 8 +- hosts/toaster/network/mullvad.nix | 99 +++++++++------- hosts/toaster/network/oxalab.nix | 0 hosts/toaster/network/zw.nix | 107 +++++++++-------- hosts/toaster/secure-boot.nix | 3 +- hosts/toaster/zfs.nix | 36 +++--- microvms/dn42/default.nix | 1 - microvms/music/default.nix | 40 ------- microvms/music/navidrome.nix | 16 --- microvms/music/oxaproxy.nix | 68 ----------- microvms/music/upload-user.nix | 21 ---- microvms/news/default.nix | 39 ------- microvms/news/miniflux.nix | 18 --- microvms/news/oxaproxy.nix | 68 ----------- microvms/nextcloud/default.nix | 115 ------------------ microvms/nextcloud/oxaproxy.nix | 58 ---------- microvms/nextcloud/secrets.nix | 11 -- modules/basic-tools/default.nix | 76 +++++++----- modules/basic-tools/fzf.nix | 26 +++-- modules/basic-tools/multiplexers.nix | 3 +- modules/basic-tools/nix-ld.nix | 10 +- modules/basic-tools/nix.nix | 18 ++- modules/binary-caches.nix | 3 +- modules/devtools.nix | 59 +++++----- modules/dvb-dump-nfs-automount.nix | 38 +++--- modules/gnome.nix | 3 +- modules/mail/default.nix | 11 +- modules/sway.nix | 4 +- modules/tlp.nix | 2 +- modules/virtualization.nix | 7 +- modules/wg/default.nix | 3 +- modules/wg/mgmt.nix | 20 +++- modules/wg/module.nix | 85 +++++++++----- 
modules/wg/options.nix | 141 ++++++++++++----------- pkgs/imhex.nix | 75 ------------ pkgs/slick.nix | 24 ---- 51 files changed, 714 insertions(+), 1056 deletions(-) delete mode 100644 hosts/toaster/network/oxalab.nix delete mode 100644 microvms/dn42/default.nix delete mode 100644 microvms/music/default.nix delete mode 100644 microvms/music/navidrome.nix delete mode 100644 microvms/music/oxaproxy.nix delete mode 100644 microvms/music/upload-user.nix delete mode 100644 microvms/news/default.nix delete mode 100644 microvms/news/miniflux.nix delete mode 100644 microvms/news/oxaproxy.nix delete mode 100644 microvms/nextcloud/default.nix delete mode 100644 microvms/nextcloud/oxaproxy.nix delete mode 100644 microvms/nextcloud/secrets.nix delete mode 100644 pkgs/imhex.nix delete mode 100644 pkgs/slick.nix diff --git a/flake.nix b/flake.nix index e4c6996..6135b69 100644 --- a/flake.nix +++ b/flake.nix 
@@ -32,42 +32,43 @@ }; outputs = - inputs@{ self - , flake-utils - , lanzaboote - , microvm - , nixos-hardware - , nixpkgs-stable - , nixpkgs-unstable - , sops-nix - , ... - }: + inputs@{ + self, + flake-utils, + lanzaboote, + microvm, + nixos-hardware, + nixpkgs-stable, + nixpkgs-unstable, + sops-nix, + ... + }: - { - nixosConfigurations = { - toaster = nixpkgs-unstable.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { inherit inputs; }; - modules = [ - sops-nix.nixosModules.sops - lanzaboote.nixosModules.lanzaboote - nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen3 + { + nixosConfigurations = { + toaster = nixpkgs-unstable.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { inherit inputs; }; + modules = [ + sops-nix.nixosModules.sops + lanzaboote.nixosModules.lanzaboote + nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen3 - ./hosts/toaster + ./hosts/toaster - ./modules/basic-tools - ./modules/binary-caches.nix - ./modules/devtools.nix - ./modules/gnome.nix - ./modules/gnupg.nix - ./modules/radio.nix - ./modules/science.nix - ./modules/tlp.nix - ./modules/virtualization.nix - ./hosts/toaster/secure-boot.nix - ./modules/chromium.nix - ./modules/mail - ./modules/wg + ./modules/basic-tools + ./modules/binary-caches.nix + ./modules/devtools.nix + ./modules/gnome.nix + ./modules/gnupg.nix + ./modules/radio.nix + ./modules/science.nix + ./modules/tlp.nix + ./modules/virtualization.nix + ./hosts/toaster/secure-boot.nix + ./modules/chromium.nix + ./modules/mail + ./modules/wg ]; }; cloud = nixpkgs-stable.lib.nixosSystem { 
@@ -100,8 +101,12 @@ }; hydraJobs = let - get-toplevel = (host: nixSystem: nixSystem.config.microvm.declaredRunner or nixSystem.config.system.build.toplevel); + get-toplevel = ( + host: nixSystem: nixSystem.config.microvm.declaredRunner or nixSystem.config.system.build.toplevel + ); in nixpkgs-stable.lib.mapAttrs get-toplevel self.nixosConfigurations; - }; - } + + formatter.x86_64-linux = nixpkgs-stable.legacyPackages.x86_64-linux.nixfmt-rfc-style; + }; +} diff --git a/hosts/cloud/configuration.nix b/hosts/cloud/configuration.nix index 9eddac5..9eaff39 100644 --- a/hosts/cloud/configuration.nix +++ b/hosts/cloud/configuration.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ imports = [ ./hardware-configuration.nix ./networking.nix @@ -9,6 +10,8 @@ networking.hostName = "cloud"; networking.domain = "oxapentane.com"; services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK'' ]; + users.users.root.openssh.authorizedKeys.keys = [ + ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK'' + ]; system.stateVersion = "24.11"; } diff --git a/hosts/cloud/default.nix b/hosts/cloud/default.nix index 1cb37c6..78ebe7a 100644 --- a/hosts/cloud/default.nix +++ b/hosts/cloud/default.nix @@ -1,5 +1,6 @@ -{ ... }: { - imports= [ +{ ... }: +{ + imports = [ ./configuration.nix ./hardware-configuration.nix ./networking.nix diff --git a/hosts/cloud/hardware-configuration.nix b/hosts/cloud/hardware-configuration.nix index 5e7b44e..bd94495 100644 --- a/hosts/cloud/hardware-configuration.nix +++ b/hosts/cloud/hardware-configuration.nix 
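Review bot: The new `formatter` output is declared for `x86_64-linux` only, so `nix fmt` resolves no formatter on any other system even though `flake-utils` is already an input (it appears in the `outputs` argument list in the previous hunk). If the flake is ever evaluated elsewhere, `flake-utils.lib.eachDefaultSystem` (or an explicit per-system attribute) would cover it; if the single system is deliberate, a one-line comment such as `# formatter is only declared for the one system this repo is built on` would make that explicit. The `outputs` attribute set this line belongs to opens before this hunk.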
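Review bot: `users.users.root.openssh.authorizedKeys.keys` grants key-based root SSH access on this host while the `services.openssh` line just above only sets `enable = true`; NixOS leaves password authentication on by default, so unless a module outside these hunks disables it, password login stays reachable on a host that has a public address (`188.245.196.27/32` in the networking.nix hunk). I would add next to `services.openssh.enable = true;` the lines `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`. The default `PermitRootLogin` of `prohibit-password` already limits root to key auth, but setting it explicitly in the same block documents the intent.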
@@ -2,8 +2,16 @@ { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; boot.loader.grub.device = "/dev/sda"; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "xen_blkfront" + "vmw_pvscsi" + ]; boot.initrd.kernelModules = [ "nvme" ]; - fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; - + fileSystems."/" = { + device = "/dev/sda1"; + fsType = "ext4"; + }; + } diff --git a/hosts/cloud/networking.nix b/hosts/cloud/networking.nix index 8f3021a..499bb0c 100644 --- a/hosts/cloud/networking.nix +++ b/hosts/cloud/networking.nix @@ -1,11 +1,12 @@ -{ lib, ... }: { +{ lib, ... }: +{ networking.dhcpcd.enable = false; networking.useNetworkd = true; systemd.network.enable = true; systemd.network = { networks."30-uplink" = { - matchConfig.Name="enp1s0"; + matchConfig.Name = "enp1s0"; networkConfig = { Address = [ "188.245.196.27/32" diff --git a/hosts/minime/configuration.nix b/hosts/minime/configuration.nix index 0a36ae6..bb77eaf 100644 --- a/hosts/minime/configuration.nix +++ b/hosts/minime/configuration.nix @@ -2,23 +2,26 @@ # your system. Help is available in the configuration.nix(5) man page, on # https://search.nixos.org/options and in the NixOS manual (`nixos-help`). -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - # Enable the X11 windowing system. services.xserver.enable = false; system.stateVersion = "24.11"; # Did you read the comment? } - diff --git a/hosts/minime/default.nix b/hosts/minime/default.nix index 90013f7..3b679be 100644 --- a/hosts/minime/default.nix +++ b/hosts/minime/default.nix 
@@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ imports = [ ./configuration.nix ./hardware-configuration.nix diff --git a/hosts/minime/hardware-configuration.nix b/hosts/minime/hardware-configuration.nix index 12c658f..7e17821 100644 --- a/hosts/minime/hardware-configuration.nix +++ b/hosts/minime/hardware-configuration.nix 
@@ -1,59 +1,76 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "thunderbolt" + "nvme" + "usbhid" + "usb_storage" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "zpool/nixos/root"; - fsType = "zfs"; - options = [ "zfsutil" ]; - }; + fileSystems."/" = { + device = "zpool/nixos/root"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/12CE-A600"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/12CE-A600"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; - fileSystems."/nix" = - { device = "zpool/nixos/nix"; - fsType = "zfs"; - options = [ "zfsutil" ]; - }; + fileSystems."/nix" = { + device = "zpool/nixos/nix"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; - fileSystems."/home" = - { device = "zpool/data/home"; - fsType = "zfs"; - options = [ "zfsutil" ]; - }; + fileSystems."/home" = { + device = "zpool/data/home"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; - fileSystems."/var" = - { device = "zpool/data/var"; - fsType = "zfs"; - options = [ "zfsutil" ]; - }; + fileSystems."/var" = { + device = "zpool/data/var"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; - fileSystems."/var/lib" = - { device = "zpool/data/var/lib"; - fsType = "zfs"; - options = [ "zfsutil" ]; - }; + 
fileSystems."/var/lib" = { + device = "zpool/data/var/lib"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; - swapDevices = - [ { + swapDevices = [ + { device = "/dev/disk/by-partuuid/7e7d0e0b-90b7-465c-a022-089b38e0f16d"; randomEncryption = true; - } ]; + } + ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; diff --git a/hosts/minime/networking.nix b/hosts/minime/networking.nix index cd01a42..9631b2d 100644 --- a/hosts/minime/networking.nix +++ b/hosts/minime/networking.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ networking.hostName = "minime"; # Define your hostname. networking.useNetworkd = true; networking.firewall.enable = true; diff --git a/hosts/minime/zfs.nix b/hosts/minime/zfs.nix index 85ff937..fda824e 100644 --- a/hosts/minime/zfs.nix +++ b/hosts/minime/zfs.nix @@ -1,4 +1,10 @@ -{ pkgs, lib, config, ... }: { +{ + pkgs, + lib, + config, + ... +}: +{ services.fstrim.enable = true; services.zfs = { autoSnapshot.enable = true; 
@@ -12,19 +18,21 @@ }; networking.hostId = "41ba28ff"; boot = { - kernelPackages = let - zfsCompatibleKernelPackages = lib.filterAttrs ( - name: kernelPackages: - (builtins.match "linux_[0-9]+_[0-9]+" name) != null - && (builtins.tryEval kernelPackages).success - && (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken) + kernelPackages = + let + zfsCompatibleKernelPackages = lib.filterAttrs ( + name: kernelPackages: + (builtins.match "linux_[0-9]+_[0-9]+" name) != null + && (builtins.tryEval kernelPackages).success + && (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken) ) pkgs.linuxKernel.packages; latestKernelPackage = lib.last ( lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) ( builtins.attrValues zfsCompatibleKernelPackages - ) - ); - in latestKernelPackage; + ) + ); + in + latestKernelPackage; supportedFilesystems = [ "zfs" ]; kernelParams = [ "nohibernate" ]; plymouth.enable = false; @@ -38,14 +46,24 @@ enable = true; port = 2222; hostKeys = [ /etc/secrets/initrd/ssh_host_rsa_key ]; - authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK 0xa@toaster 2024-12-31" ]; + authorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK 0xa@toaster 2024-12-31" + ]; }; postCommands = '' - zpool import -a - echo "zfs load-key -a; killall zfs" >> /root/.profile + zpool import -a + echo "zfs load-key -a; killall zfs" >> /root/.profile ''; }; # support for network - boot.initrd.kernelModules = [ "igc" "i40e" "mt7921e" ]; - boot.kernelModules = [ "igc" "i40e" "mt7921e" ]; + boot.initrd.kernelModules = [ + "igc" + "i40e" + "mt7921e" + ]; + boot.kernelModules = [ + "igc" + "i40e" + "mt7921e" + ]; } diff --git a/hosts/toaster/amd.nix b/hosts/toaster/amd.nix index 01eb155..66a93e6 100644 --- a/hosts/toaster/amd.nix +++ b/hosts/toaster/amd.nix 
@@ -1,4 +1,5 @@ -{ pkgs, config, ... }: { +{ pkgs, config, ... }: +{ boot.initrd.kernelModules = [ "amdgpu" ]; boot.kernelParams = [ @@ -6,14 +7,14 @@ "amd_pstate=active" ]; - # hardware.graphics = { - # extraPackages = with pkgs; [ - # rocm-opencl-icd - # rocm-opencl-runtime - # amdvlk - # ]; - # extraPackages32 = with pkgs; [ - # driversi686Linux.amdvlk - # ]; - # }; + # hardware.graphics = { + # extraPackages = with pkgs; [ + # rocm-opencl-icd + # rocm-opencl-runtime + # amdvlk + # ]; + # extraPackages32 = with pkgs; [ + # driversi686Linux.amdvlk + # ]; + # }; } diff --git a/hosts/toaster/default.nix b/hosts/toaster/default.nix index 860b582..c3b087d 100644 --- a/hosts/toaster/default.nix +++ b/hosts/toaster/default.nix @@ -1,4 +1,5 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ imports = [ ./amd.nix ./hardware-configuration.nix diff --git a/hosts/toaster/hardware-configuration.nix b/hosts/toaster/hardware-configuration.nix index 6a12195..69ebb66 100644 --- a/hosts/toaster/hardware-configuration.nix +++ b/hosts/toaster/hardware-configuration.nix 
@@ -1,54 +1,70 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ + "nvme" + "xhci_pci" + "usb_storage" + "usbhid" + "sd_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + boot.zfs.extraPools = [ "zpool" ]; + + fileSystems."/" = { + device = "zpool/root"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; + + fileSystems."/nix" = { + device = "zpool/nix"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; + + fileSystems."/home" = { + device = "zpool/data/home"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; + + fileSystems."/var" = { + device = "zpool/data/var"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/A170-F83D"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" ]; + }; - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "usbhid" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - boot.zfs.extraPools = [ "zpool" ]; - - fileSystems."/" = - { device = "zpool/root"; - fsType = "zfs"; - options = [ "zfsutil" ]; - }; - - fileSystems."/nix" = - { device = "zpool/nix"; - fsType = "zfs"; - options = [ "zfsutil" ]; - }; - - fileSystems."/home" = - { device = "zpool/data/home"; - fsType = "zfs"; - options = [ "zfsutil" ]; - }; - - fileSystems."/var" = - { device = "zpool/data/var"; - fsType = "zfs"; - options = [ "zfsutil" ]; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/A170-F83D"; - fsType = "vfat"; - options = [ 
"fmask=0022" "dmask=0022" ]; - }; - - swapDevices = - [ { device = "/dev/disk/by-partuuid/037518f2-9fa0-44f0-9550-745e27bf1c1f"; - randomEncryption = true;} - ]; + swapDevices = [ + { + device = "/dev/disk/by-partuuid/037518f2-9fa0-44f0-9550-745e27bf1c1f"; + randomEncryption = true; + } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/toaster/irc.nix b/hosts/toaster/irc.nix index 85398ab..938fac3 100644 --- a/hosts/toaster/irc.nix +++ b/hosts/toaster/irc.nix @@ -1,4 +1,5 @@ -{ config, pkgs, ... }: { +{ config, pkgs, ... }: +{ environment.systemPackages = [ pkgs.senpai ]; sops.secrets = { diff --git a/hosts/toaster/network/default.nix b/hosts/toaster/network/default.nix index e633342..6d96c3c 100644 --- a/hosts/toaster/network/default.nix +++ b/hosts/toaster/network/default.nix @@ -1,4 +1,5 @@ -{ lib, config, ... }: { +{ lib, config, ... }: +{ imports = [ ./mullvad.nix ./dumpdvb.nix 
@@ -8,32 +9,34 @@ # Networkmanager shouldn't interfere with systemd managed interfaces networking.networkmanager.unmanaged = let - systemd_netdevs = lib.attrsets.attrValues (lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs); + systemd_netdevs = lib.attrsets.attrValues ( + lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs + ); in systemd_netdevs; - systemd.network = { - enable = true; - wait-online.enable = false; # uplink is managed by networkmanager - }; + systemd.network = { + enable = true; + wait-online.enable = false; # uplink is managed by networkmanager + }; - users.users."0xa".extraGroups = [ "networkmanager" ]; + users.users."0xa".extraGroups = [ "networkmanager" ]; - networking = { - hostName = "toaster"; - firewall.enable = true; - wireguard.enable = true; - }; + networking = { + hostName = "toaster"; + firewall.enable = true; + wireguard.enable = true; + }; - services.resolved = { - enable = true; - dnssec = "false"; - fallbackDns = [ - "9.9.9.9" - "2620:fe::fe" - "149.112.112.112" - "2620:fe::9" - ]; - }; + services.resolved = { + enable = true; + dnssec = "false"; + fallbackDns = [ + "9.9.9.9" + "2620:fe::fe" + "149.112.112.112" + "2620:fe::9" + ]; + }; - } +} diff --git a/hosts/toaster/network/dumpdvb.nix b/hosts/toaster/network/dumpdvb.nix index 84074bd..d3fba93 100644 --- a/hosts/toaster/network/dumpdvb.nix +++ b/hosts/toaster/network/dumpdvb.nix @@ -1,4 +1,5 @@ -{ config, ... }: { +{ config, ... }: +{ systemd.network = { # Wireguard # Dump-dvb @@ -27,7 +28,10 @@ IPv6AcceptRA = true; }; routes = [ - { Gateway = "10.13.37.1"; Destination = "10.13.37.0/24"; } + { + Gateway = "10.13.37.1"; + Destination = "10.13.37.0/24"; + } ]; }; }; diff --git a/hosts/toaster/network/mullvad.nix b/hosts/toaster/network/mullvad.nix index 8ad71b7..a3bfaec 100644 --- a/hosts/toaster/network/mullvad.nix +++ b/hosts/toaster/network/mullvad.nix 
@@ -1,10 +1,14 @@ -{ config, lib, ... }: { +{ config, lib, ... }: +{ systemd.network = let - pubkey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk="; + pubkey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk="; endpoint = "169.150.196.15"; port = "51820"; - addr = [ "10.74.16.48/32" "fc00:bbbb:bbbb:bb01::b:102f/128" ]; + addr = [ + "10.74.16.48/32" + "fc00:bbbb:bbbb:bb01::b:102f/128" + ]; in { netdevs."10-wg-mullvad" = { @@ -21,7 +25,10 @@ { PublicKey = pubkey; Endpoint = "${endpoint}:${port}"; - AllowedIPs = [ "0.0.0.0/0" "::0/0" ]; + AllowedIPs = [ + "0.0.0.0/0" + "::0/0" + ]; } ]; }; @@ -33,44 +40,52 @@ DNSDefaultRoute = true; Domains = [ "~." ]; }; - routes = map - (gate: { - Gateway = gate; - Table = 1000; - }) [ - "0.0.0.0" - "::" - ]; + routes = + map + (gate: { + Gateway = gate; + Table = 1000; + }) + [ + "0.0.0.0" + "::" + ]; - routingPolicyRules = [ { - Family = "both"; - FirewallMark = 34952; # 0x8888 - InvertRule = true; - Table = "1000"; - Priority = 100; - } - { - Family = "both"; - SuppressPrefixLength = 0; - Table = "main"; - Priority = 90; - } ] ++ map (net: { - # only route global addresses over VPN - Priority = 80; - To = net; - }) [ - # Mullvad endpoint - "${endpoint}/32" - # "10.0.0.0/8" - "10.13.37.0/24" - # 0xa-mgmt - "10.89.87.0/24" - # "172.16.0.0/12" - "172.16.0.0/12" - # "182.168.0.0/16" - "182.168.0.0/16" - # "fc00::/7" - ]; + routingPolicyRules = + [ + { + Family = "both"; + FirewallMark = 34952; # 0x8888 + InvertRule = true; + Table = "1000"; + Priority = 100; + } + { + Family = "both"; + SuppressPrefixLength = 0; + Table = "main"; + Priority = 90; + } + ] + ++ map + (net: { + # only route global addresses over VPN + Priority = 80; + To = net; + }) + [ + # Mullvad endpoint + "${endpoint}/32" + # "10.0.0.0/8" + "10.13.37.0/24" + # 0xa-mgmt + "10.89.87.0/24" + # "172.16.0.0/12" + "172.16.0.0/12" + # "182.168.0.0/16" + "182.168.0.0/16" + # "fc00::/7" + ]; + }; }; - }; } 
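Review bot: The entry `"182.168.0.0/16"` in the priority-80 routing policy rules (and its copy in the comment line above it) is not RFC 1918 space — the private block is `192.168.0.0/16` — so as reformatted this rule exempts a public /16 from the Mullvad table and sends traffic to it over the plain uplink, contradicting the `# only route global addresses over VPN` comment. Presumably a typo; the fix is `"192.168.0.0/16"` on both the comment and the value line. Directly connected 192.168.x.x subnets are likely still reached through the priority-90 `SuppressPrefixLength = 0` rule, so the practical effect is the leak rather than LAN breakage, but I have not traced that. The `systemd.network` attribute set enclosing these rules starts before this hunk.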
diff --git a/hosts/toaster/network/oxalab.nix b/hosts/toaster/network/oxalab.nix
deleted file mode 100644
index e69de29..0000000
diff --git a/hosts/toaster/network/zw.nix b/hosts/toaster/network/zw.nix
index af961be..71e75be 100644
--- a/hosts/toaster/network/zw.nix
+++ b/hosts/toaster/network/zw.nix
@@ -1,56 +1,61 @@ -{ config, ... }: { - # zentralwerk - systemd.network = { - netdevs."10-wg-zentralwerk" = { - netdevConfig = { - Kind = "wireguard"; - Name = "wg-zentralwerk"; - Description = "Tunnel to the best basement in Dresden"; - }; - wireguardConfig = { - PrivateKeyFile = config.sops.secrets."wg/zw".path; - RouteTable = "off"; - }; - wireguardPeers = [ - { - PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo="; - Endpoint = "81.201.149.152:1337"; - AllowedIPs = [ "172.20.72.0/21" "172.22.90.0/24" "172.22.99.0/24" ]; - PersistentKeepalive = 25; - } - ]; +{ config, ... }: +{ + # zentralwerk + systemd.network = { + netdevs."10-wg-zentralwerk" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg-zentralwerk"; + Description = "Tunnel to the best basement in Dresden"; }; - networks."10-wg-zentralwerk" = { - matchConfig.Name = "wg-zentralwerk"; - networkConfig = { - Address = "172.20.76.226/21"; - IPv6AcceptRA = true; - DNS = "172.20.73.8"; - Domains = [ - "~hq.c3d2.de" - "~serv.zentralwerk.org" - "~hq.zentralwerk.org" - "~cluster.zentralwerk.org" + wireguardConfig = { + PrivateKeyFile = config.sops.secrets."wg/zw".path; + RouteTable = "off"; + }; + wireguardPeers = [ + { + PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo="; + Endpoint = "81.201.149.152:1337"; + AllowedIPs = [ + "172.20.72.0/21" + "172.22.90.0/24" + "172.22.99.0/24" ]; - }; - routes = [ - { - Gateway = "172.20.76.225"; - Destination = "172.20.72.0/21"; - Metric = 1023; - } - { - Gateway = "172.20.76.225"; - Destination = "172.20.90.0/24"; - Metric = 1023; - } - { - Gateway = "172.20.76.225"; - Destination = "172.22.99.0/24"; - Metric = 1023; - } - + PersistentKeepalive = 25; + } + ]; + }; + networks."10-wg-zentralwerk" = { + matchConfig.Name = "wg-zentralwerk"; + networkConfig = { + Address = "172.20.76.226/21"; + IPv6AcceptRA = true; + DNS = "172.20.73.8"; + Domains = [ + "~hq.c3d2.de" + "~serv.zentralwerk.org" + "~hq.zentralwerk.org" + "~cluster.zentralwerk.org" ]; }; + 
routes = [ + { + Gateway = "172.20.76.225"; + Destination = "172.20.72.0/21"; + Metric = 1023; + } + { + Gateway = "172.20.76.225"; + Destination = "172.20.90.0/24"; + Metric = 1023; + } + { + Gateway = "172.20.76.225"; + Destination = "172.22.99.0/24"; + Metric = 1023; + } + + ]; }; - } + }; +} diff --git a/hosts/toaster/secure-boot.nix b/hosts/toaster/secure-boot.nix index 23424af..9d934e1 100644 --- a/hosts/toaster/secure-boot.nix +++ b/hosts/toaster/secure-boot.nix @@ -1,4 +1,5 @@ -{ pkgs, lib, ... }: { +{ pkgs, lib, ... }: +{ boot = { bootspec.enable = true; loader.systemd-boot.enable = lib.mkForce false; diff --git a/hosts/toaster/zfs.nix b/hosts/toaster/zfs.nix index 9a8b5aa..606627d 100644 --- a/hosts/toaster/zfs.nix +++ b/hosts/toaster/zfs.nix @@ -1,4 +1,10 @@ -{ pkgs, lib, config, ... }: { +{ + pkgs, + lib, + config, + ... +}: +{ services.fstrim.enable = true; services.zfs = { autoSnapshot.enable = true; 
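Review bot: The route `Destination = "172.20.90.0/24"` via 172.20.76.225 matches no entry in the peer's `AllowedIPs`, which lists `172.22.90.0/24` instead; WireGuard discards outbound packets whose destination is outside every peer's AllowedIPs, and 172.22.90.0/24 in turn has no route pointing into the tunnel, so one of the two is a typo for the other. Presumably the route should read `Destination = "172.22.90.0/24";`, matching the peer entry and the neighbouring 172.22.99.0/24 route. Separately, the blank `+` line before the closing `];` of `routes` survived the reformat and can go.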
@@ -10,19 +16,21 @@ }; networking.hostId = "dca22577"; boot = { - kernelPackages = let - zfsCompatibleKernelPackages = lib.filterAttrs ( - name: kernelPackages: - (builtins.match "linux_[0-9]+_[0-9]+" name) != null - && (builtins.tryEval kernelPackages).success - && (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken) - ) pkgs.linuxKernel.packages; - latestKernelPackage = lib.last ( - lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) ( - builtins.attrValues zfsCompatibleKernelPackages - ) - ); -in latestKernelPackage; + kernelPackages = + let + zfsCompatibleKernelPackages = lib.filterAttrs ( + name: kernelPackages: + (builtins.match "linux_[0-9]+_[0-9]+" name) != null + && (builtins.tryEval kernelPackages).success + && (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken) + ) pkgs.linuxKernel.packages; + latestKernelPackage = lib.last ( + lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) ( + builtins.attrValues zfsCompatibleKernelPackages + ) + ); + in + latestKernelPackage; supportedFilesystems = [ "zfs" ]; kernelParams = [ "nohibernate" ]; plymouth.enable = false; diff --git a/microvms/dn42/default.nix b/microvms/dn42/default.nix deleted file mode 100644 index 3f9e239..0000000 --- a/microvms/dn42/default.nix +++ /dev/null @@ -1 +0,0 @@ -{ config, pkgs, lib, ... }: { } diff --git a/microvms/music/default.nix b/microvms/music/default.nix deleted file mode 100644 index 6c5d053..0000000 --- a/microvms/music/default.nix +++ /dev/null 
@@ -1,40 +0,0 @@ -{ pkgs, lib, config, ... }: { - imports = [ - ./navidrome.nix - ./oxaproxy.nix - ./upload-user.nix - ]; - - microvm = { - hypervisor = "qemu"; - mem = 4 * 1024; - vcpu = 3; - - shares = [{ - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - tag = "store"; - proto = "virtiofs"; - socket = "store.socket"; - }] ++ map - (dir: { - source = "/var/lib/microvms/${config.networking.hostName}/${dir}"; - mountPoint = "/${dir}"; - tag = dir; - proto = "virtiofs"; - socket = "${dir}.socket"; - }) [ "etc" "var" "home" ]; - - interfaces = [{ - type = "tap"; - id = "vm-music"; - mac = "02:00:00:00:00:01"; - }]; - }; - - networking = { - hostName = "music"; - }; - - system.stateVersion = "22.11"; -} diff --git a/microvms/music/navidrome.nix b/microvms/music/navidrome.nix deleted file mode 100644 index f62ddd3..0000000 --- a/microvms/music/navidrome.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, ... }: { - networking.firewall.interfaces.oxaproxy.allowedTCPPorts = [ 4533 ]; - services.navidrome = { - enable = true; - settings = { - Address = "10.34.45.101"; - BaseUrl = "/"; - EnableExternalServices = false; - MusicFolder = "/var/lib/music"; - Port = 4533; - ScanSchedule = "@every 11m"; - TranscondigCacheSize = "5GiB"; - ReverseProxyWhitelist = "10.34.45.1/24"; - }; - }; -} diff --git a/microvms/music/oxaproxy.nix b/microvms/music/oxaproxy.nix deleted file mode 100644 index 737d413..0000000 --- a/microvms/music/oxaproxy.nix +++ /dev/null 
@@ -1,68 +0,0 @@ -{ config, ... }: { - - networking.wireguard.enable = true; - networking.useNetworkd = true; - - #oxaproxy secret - sops.defaultSopsFile = ../../secrets/music/secrets.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - - sops.secrets."wg/oxaproxy-seckey" = { - owner = config.users.users.systemd-network.name; - }; - - systemd.network = { - enable = true; - netdevs."10-oxaproxy" = { - netdevConfig = { - Kind = "wireguard"; - Name = "oxaproxy"; - Description = "oxa's enterprise reverse-proxy network"; - }; - wireguardConfig = { - PrivateKeyFile = config.sops.secrets."wg/oxaproxy-seckey".path; - #own pubkey: vQNkp51S9qLsu97dLPj0/EqFwvVtRFZpMHufgKhxum0= - }; - wireguardPeers = [ - { - # cirrus - wireguardPeerConfig = { - PublicKey = "0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM="; - AllowedIPs = [ "10.34.45.0/24" ]; - Endpoint = [ "95.216.166.21:51821" ]; - PersistentKeepalive = 25; - }; - } - ]; - }; - networks."10-oxaproxy" = { - matchConfig.Name = "oxaproxy"; - networkConfig = { - Address = "10.34.45.101/24"; - }; - }; - - networks."111-host" = { - matchConfig.MACAddress = "02:00:00:00:00:01"; - networkConfig = { - Address = "10.99.99.101/24"; - }; - routes = [ - { - routeConfig = { - Gateway = "10.99.99.1"; - Destination = "0.0.0.0/0"; - Metric = 1024; - }; - } - { - routeConfig = { - Gateway = "10.99.99.1"; - Destination = "10.99.99.0/24"; - Metric = 1024; - }; - } - ]; - }; - }; -} diff --git a/microvms/music/upload-user.nix b/microvms/music/upload-user.nix deleted file mode 100644 index ae67f66..0000000 --- a/microvms/music/upload-user.nix +++ /dev/null 
@@ -1,21 +0,0 @@ -{ config, ... }: { - security.sudo.wheelNeedsPassword = false; - - users.users.caretaker = { - isNormalUser = true; - home = "/home/caretaker"; - createHome = true; - extraGroups = [ - "wheel" - "navidrome" - ]; - openssh.authorizedKeys.keys = [ - # melo - "ssh-rsa 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 mel@umbreon" - # revol-xut - "ssh-rsa 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 revo-xut@plank" - # 0xa gpg - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHv82n6F6kwJ3/EMYlOoCc1/NaYFW7QHC5F8jKVzdlio gshipunov@toaster" - ]; - }; -} diff --git a/microvms/news/default.nix b/microvms/news/default.nix deleted file mode 100644 index dfb196c..0000000 --- a/microvms/news/default.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ config, ... }: { - imports = [ - ./miniflux.nix - ./oxaproxy.nix - ]; - - microvm = { - hypervisor = "qemu"; - mem = 1 * 1024; - vcpu = 1; - - shares = [{ - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - tag = "store"; - proto = "virtiofs"; - socket = "store.socket"; - }] ++ map - (dir: { - source = "/var/lib/microvms/${config.networking.hostName}/${dir}"; - mountPoint = "/${dir}"; - tag = dir; - proto = "virtiofs"; - socket = "${dir}.socket"; - }) [ "etc" "var" "home" ]; - - interfaces = [{ - type = "tap"; - id = "vm-news"; - mac = "02:00:00:00:00:02"; - }]; - }; - - networking = { - hostName = "news"; - }; - - system.stateVersion = "22.11"; -} diff --git a/microvms/news/miniflux.nix b/microvms/news/miniflux.nix deleted file mode 100644 index 94d409b..0000000 --- a/microvms/news/miniflux.nix +++ /dev/null 
@@ -1,18 +0,0 @@ -{ config, ... }: -let - listenport = 8080; -in -{ - sops.secrets."miniflux-admin" = { }; - - networking.firewall.interfaces.oxaproxy.allowedTCPPorts = [ listenport ]; - services.miniflux = { - enable = true; - config = { - LISTEN_ADDR = "10.34.45.102:${toString listenport}"; - POLLING_FREQUENCY = "37"; - CREATE_ADMIN = "1"; - }; - adminCredentialsFile = config.sops.secrets."miniflux-admin".path; - }; -} diff --git a/microvms/news/oxaproxy.nix b/microvms/news/oxaproxy.nix deleted file mode 100644 index d7de046..0000000 --- a/microvms/news/oxaproxy.nix +++ /dev/null 
@@ -1,68 +0,0 @@ -{ config, ... }: { - - networking.wireguard.enable = true; - networking.useNetworkd = true; - - #oxaproxy secret - sops.defaultSopsFile = ../../secrets/news/secrets.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - - sops.secrets."oxaproxy-seckey" = { - owner = config.users.users.systemd-network.name; - }; - - systemd.network = { - enable = true; - netdevs."10-oxaproxy" = { - netdevConfig = { - Kind = "wireguard"; - Name = "oxaproxy"; - Description = "oxa's enterprise reverse-proxy network"; - }; - wireguardConfig = { - PrivateKeyFile = config.sops.secrets."oxaproxy-seckey".path; - #own pubkey: guzNmsPcQw4EGSLU3X0SP+WPKAcoMc+xv9SLWdHV1V0= - }; - wireguardPeers = [ - { - # cirrus - wireguardPeerConfig = { - PublicKey = "0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM="; - AllowedIPs = [ "10.34.45.0/24" ]; - Endpoint = [ "95.216.166.21:51821" ]; - PersistentKeepalive = 25; - }; - } - ]; - }; - networks."10-oxaproxy" = { - matchConfig.Name = "oxaproxy"; - networkConfig = { - Address = "10.34.45.102/24"; - }; - }; - - networks."111-host" = { - matchConfig.MACAddress = (builtins.elemAt config.microvm.interfaces 0).mac; - networkConfig = { - Address = "10.99.99.102/24"; - }; - routes = [ - { - routeConfig = { - Gateway = "10.99.99.1"; - Destination = "0.0.0.0/0"; - Metric = 1024; - }; - } - { - routeConfig = { - Gateway = "10.99.99.1"; - Destination = "10.99.99.0/24"; - Metric = 1024; - }; - } - ]; - }; - }; -} diff --git a/microvms/nextcloud/default.nix b/microvms/nextcloud/default.nix deleted file mode 100644 index 94b1fa3..0000000 --- a/microvms/nextcloud/default.nix +++ /dev/null 
@@ -1,115 +0,0 @@ -{ config, pkgs, ... }: { - - imports = [ - ./oxaproxy.nix - ./secrets.nix - ]; - - # nextcloud goes here - networking.firewall.interfaces.oxaproxy.allowedTCPPorts = [ 8080 ]; - - services.postgresql = { - enable = true; - package = pkgs.postgresql_14; - ensureDatabases = [ "nextcloud" ]; - ensureUsers = [{ - name = "nextcloud"; - ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; - }]; - }; - - services.redis.servers.nextcloud.enable = true; - - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - virtualHosts."nc.oxapentane.com" = { - extraConfig = '' - # HTTP response headers borrowed from Nextcloud .htaccess - add_header Referrer-Policy "no-referrer" always; - #add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - #add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - ''; - listen = [{ - # We are listening on wireguard interface only - addr = "10.34.45.100"; - port = 8080; - ssl = false; - }]; - }; - }; - - services.nextcloud = { - enable = true; - hostName = "nc.oxapentane.com"; - home = "/var/lib/nextcloud-oxa"; - package = pkgs.nextcloud28; - maxUploadSize = "5000M"; - caching.redis = true; - autoUpdateApps = { - enable = true; - startAt = "07:00:00"; - }; - config = { - overwriteProtocol = "https"; - trustedProxies = [ "10.34.45.1" ]; - - dbtype = "pgsql"; - dbuser = "nextcloud"; - dbhost = "/run/postgresql"; - dbname = "nextcloud"; - adminuser = "admin"; - adminpassFile = config.sops.secrets."nextcloud/adminpass".path; - }; - }; - - systemd.services."nextcloud-setup" = { - requires = [ "postgresql.service" 
]; - after = [ "postgresql.service" ]; - }; - - - - - microvm = { - hypervisor = "qemu"; - mem = 4 * 1024; - vcpu = 3; - - shares = [{ - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - tag = "store"; - proto = "virtiofs"; - socket = "store.socket"; - }] ++ map - (dir: { - source = "/var/lib/microvms/${config.networking.hostName}/${dir}"; - mountPoint = "/${dir}"; - tag = dir; - proto = "virtiofs"; - socket = "${dir}.socket"; - }) [ "etc" "var" "home" ]; - - interfaces = [{ - type = "tap"; - id = "vm-nextcloud"; - mac = "02:00:00:00:00:00"; - }]; - }; - - networking = { - hostName = "nextcloud"; - }; - - system.stateVersion = "22.05"; -} diff --git a/microvms/nextcloud/oxaproxy.nix b/microvms/nextcloud/oxaproxy.nix deleted file mode 100644 index 3a3843c..0000000 --- a/microvms/nextcloud/oxaproxy.nix +++ /dev/null 
@@ -1,58 +0,0 @@
-{ config, ... }: {
- networking.wireguard.enable = true;
- networking.useNetworkd = true;
- systemd.network = {
- enable = true;
- netdevs."10-oxaproxy" = {
- netdevConfig = {
- Kind = "wireguard";
- Name = "oxaproxy";
- Description = "oxa's enterprise reverse-proxy network";
- };
- wireguardConfig = {
- PrivateKeyFile = config.sops.secrets."wg/oxaproxy-seckey".path;
- #own pubkey: KCYoGx7TGei4X79EZo2NONCcmQjPzBUN1Ds6I9lQbz0=
- };
- wireguardPeers = [
- {
- # cirrus
- wireguardPeerConfig = {
- PublicKey = "0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM=";
- AllowedIPs = [ "10.34.45.0/24" ];
- Endpoint = [ "95.216.166.21:51821" ];
- PersistentKeepalive = 25;
- };
- }
- ];
- };
- networks."10-oxaproxy" = {
- matchConfig.Name = "oxaproxy";
- networkConfig = {
- Address = "10.34.45.100/24";
- };
- };
-
- networks."111-host" = {
- matchConfig.MACAddress = "02:00:00:00:00:00";
- networkConfig = {
- Address = "10.99.99.100/24";
- };
- routes = [
- {
- routeConfig = {
- Gateway = "10.99.99.1";
- Destination = "0.0.0.0/0";
- Metric = 1024;
- };
- }
- {
- routeConfig = {
- Gateway = "10.99.99.1";
- Destination = "10.99.99.0/24";
- Metric = 1024;
- };
- }
- ];
- };
- };
-}
diff --git a/microvms/nextcloud/secrets.nix b/microvms/nextcloud/secrets.nix
deleted file mode 100644
index 50ae8e0..0000000
--- a/microvms/nextcloud/secrets.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ config, ... }: {
- sops.defaultSopsFile = ../../secrets/nextcloud/secrets.yaml;
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-
- sops.secrets."wg/oxaproxy-seckey" = {
- owner = config.users.users.systemd-network.name;
- };
- sops.secrets."nextcloud/adminpass" = {
- owner = config.users.users.nextcloud.name;
- };
-}
diff --git a/modules/basic-tools/default.nix b/modules/basic-tools/default.nix
index f7ef3c3..1d4f2a4 100644
--- a/modules/basic-tools/default.nix
+++ b/modules/basic-tools/default.nix
@@ -8,37 +8,48 @@ ./nix-ld.nix ]; - environment.systemPackages = with pkgs; [ - bat - fd - file - gnupg - glow - htop - irssi - killall - neovim - ripgrep - tealdeer - traceroute - tcpdump - tree - (aspellWithDicts (ps: with ps; [ en en-science en-computers ru nl ])) - exfatprogs - nmap - bind - nnn - lf - man-pages - unzip - usbutils - pciutils - ouch - cryptsetup - sshfs - whois - mtr - ] ++ (if config.networking.hostName == "toaster" then [ gitFull ] else [ git ]); + environment.systemPackages = + with pkgs; + [ + bat + fd + file + gnupg + glow + htop + irssi + killall + neovim + ripgrep + tealdeer + traceroute + tcpdump + tree + (aspellWithDicts ( + ps: with ps; [ + en + en-science + en-computers + ru + nl + ] + )) + exfatprogs + nmap + bind + nnn + lf + man-pages + unzip + usbutils + pciutils + ouch + cryptsetup + sshfs + whois + mtr + ] + ++ (if config.networking.hostName == "toaster" then [ gitFull ] else [ git ]); environment.variables = let @@ -53,7 +64,8 @@ { PAGER = "less"; LESS = "-X -R -F"; - } // editorconf; + } + // editorconf; environment.shellAliases = { ls = "ls --color=auto"; diff --git a/modules/basic-tools/fzf.nix b/modules/basic-tools/fzf.nix index 6fc84fe..8ad1b92 100644 --- a/modules/basic-tools/fzf.nix +++ b/modules/basic-tools/fzf.nix @@ -1,4 +1,10 @@ -{ lib, config, pkgs, ... }: { +{ + lib, + config, + pkgs, + ... +}: +{ environment = { systemPackages = [ pkgs.fzf ]; @@ -8,11 +14,15 @@ }; }; # integrate fzf into shell, >23.05 only - programs = with lib; - if (toInt (elemAt (splitVersion config.system.nixos.release) 0) >= 23) then { - fzf = { - keybindings = true; - fuzzyCompletion = true; - }; - } else { }; + programs = + with lib; + if (toInt (elemAt (splitVersion config.system.nixos.release) 0) >= 23) then + { + fzf = { + keybindings = true; + fuzzyCompletion = true; + }; + } + else + { }; } diff --git a/modules/basic-tools/multiplexers.nix b/modules/basic-tools/multiplexers.nix index 55268ef..b744942 100644 
--- a/modules/basic-tools/multiplexers.nix +++ b/modules/basic-tools/multiplexers.nix @@ -1,4 +1,5 @@ -{ pkgs, inputs, ... }: { +{ pkgs, inputs, ... }: +{ programs.tmux = { enable = true; keyMode = "vi"; diff --git a/modules/basic-tools/nix-ld.nix b/modules/basic-tools/nix-ld.nix index 2462721..d9abd55 100644 --- a/modules/basic-tools/nix-ld.nix +++ b/modules/basic-tools/nix-ld.nix @@ -1,10 +1,10 @@ { pkgs, lib, ... }: { - programs.nix-ld ={ - enable = true; - libraries = [ - pkgs.stdenv.cc.cc - ]; + programs.nix-ld = { + enable = true; + libraries = [ + pkgs.stdenv.cc.cc + ]; }; #environment.variables = { # NIX_LD_LIBRARY_PATH = lib.makeLibraryPath [ diff --git a/modules/basic-tools/nix.nix b/modules/basic-tools/nix.nix index 9faa527..980ab76 100644 --- a/modules/basic-tools/nix.nix +++ b/modules/basic-tools/nix.nix @@ -1,9 +1,15 @@ -{ lib, pkgs, inputs, ... }: { +{ + lib, + pkgs, + inputs, + ... +}: +{ nix = { extraOptions = '' - experimental-features = nix-command flakes - narinfo-cache-negative-ttl = 0 + experimental-features = nix-command flakes + narinfo-cache-negative-ttl = 0 ''; }; @@ -12,8 +18,10 @@ # override default nix shell nixpkgs# behaviour to use current flake lock nix.registry = - let flakes = lib.filterAttrs (_name: value: value ? outputs) inputs.self.inputs; - in builtins.mapAttrs (_name: v: { flake = v; }) flakes; + let + flakes = lib.filterAttrs (_name: value: value ? outputs) inputs.self.inputs; + in + builtins.mapAttrs (_name: v: { flake = v; }) flakes; nix.nixPath = lib.mapAttrsToList (name: value: "${name}=${value.outPath}") inputs.self.inputs; diff --git a/modules/binary-caches.nix b/modules/binary-caches.nix index 8a2b5ac..f1fee1d 100644 --- a/modules/binary-caches.nix +++ b/modules/binary-caches.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ nix = { extraOptions = '' builders-use-substitutes = true diff --git a/modules/devtools.nix b/modules/devtools.nix index 16737df..c4f7c88 100644 --- a/modules/devtools.nix +++ b/modules/devtools.nix 
@@ -1,31 +1,36 @@ -{ pkgs, inputs, ... }: { +{ pkgs, inputs, ... }: +{ - environment.systemPackages = with pkgs; - let - kicad = pkgs.kicad.override { - addons = with pkgs.kicadAddons; [ kikit kikit-library ]; - }; - in - [ - # general - cmake - gcc - gef - gdb - binutils - binwalk - clang - clang-tools - direnv - sops - nil - nixpkgs-fmt - nix-index - kicad - freecad-wayland - imhex - python313Full - ]; + environment.systemPackages = + with pkgs; + let + kicad = pkgs.kicad.override { + addons = with pkgs.kicadAddons; [ + kikit + kikit-library + ]; + }; + in + [ + # general + cmake + gcc + gef + gdb + binutils + binwalk + clang + clang-tools + direnv + sops + nil + nixpkgs-fmt + nix-index + kicad + freecad-wayland + imhex + python313Full + ]; # Wireshark programs.wireshark = { diff --git a/modules/dvb-dump-nfs-automount.nix b/modules/dvb-dump-nfs-automount.nix index 2dce2ea..fbc6a8f 100644 --- a/modules/dvb-dump-nfs-automount.nix +++ b/modules/dvb-dump-nfs-automount.nix @@ -4,23 +4,25 @@ environment.systemPackages = with pkgs; [ nfs-utils ]; services.rpcbind.enable = true; - systemd.mounts = [{ - type = "nfs"; - mountConfig = { - Options = "noatime"; - }; - what = "10.13.37.5:/"; - where = "/mnt/dvb"; - }]; + systemd.mounts = [ + { + type = "nfs"; + mountConfig = { + Options = "noatime"; + }; + what = "10.13.37.5:/"; + where = "/mnt/dvb"; + } + ]; - systemd.automounts = [{ - wantedBy = [ "multi-user.target" ]; - requires = [ "wg-quick-wg-dvb.service" ]; - automountConfig = { - TimeoutIdleSec = "600"; - }; - where = "/mnt/dvb"; - }]; + systemd.automounts = [ + { + wantedBy = [ "multi-user.target" ]; + requires = [ "wg-quick-wg-dvb.service" ]; + automountConfig = { + TimeoutIdleSec = "600"; + }; + where = "/mnt/dvb"; + } + ]; } - - diff --git a/modules/gnome.nix b/modules/gnome.nix index 999ebe2..d902933 100644 --- a/modules/gnome.nix +++ b/modules/gnome.nix @@ -1,4 +1,5 @@ -{ config, pkgs, ... }: { +{ config, pkgs, ... }: +{ imports = [ ./desktop-software.nix 
diff --git a/modules/mail/default.nix b/modules/mail/default.nix index f0a9853..ba65f2c 100644 --- a/modules/mail/default.nix +++ b/modules/mail/default.nix @@ -82,13 +82,15 @@ in ''; }; - systemd.user = { # Service and timer to sync imap to local maildir services.mbsync = { enable = true; - after = [ "graphical.target" "network-online.target" ]; + after = [ + "graphical.target" + "network-online.target" + ]; script = '' ${pkgs.isync}/bin/mbsync -q -a --config=${mbsyncConf} ''; @@ -110,7 +112,10 @@ in # service and timer to flush the msmtp queue services.flush-msmtpq = { enable = true; - after = [ "graphical.target" "network-online.target" ]; + after = [ + "graphical.target" + "network-online.target" + ]; script = '' ${pkgs.msmtp}/bin/msmtp-queue -r ''; diff --git a/modules/sway.nix b/modules/sway.nix index 06b3606..f536bcb 100644 --- a/modules/sway.nix +++ b/modules/sway.nix @@ -120,7 +120,9 @@ wl-mirror ]; }; - environment.sessionVariables = { GTK_THEME = "Adwaita:dark"; }; + environment.sessionVariables = { + GTK_THEME = "Adwaita:dark"; + }; xdg.portal = { enable = true; wlr.enable = true; diff --git a/modules/tlp.nix b/modules/tlp.nix index 930ca6d..ad3d743 100644 --- a/modules/tlp.nix +++ b/modules/tlp.nix @@ -9,7 +9,7 @@ USB_BLACKLIST = "1d50:604b 1d50:6089 1d50:cc15 1fc9:000c"; CPU_SCALING_GOVERNOR_ON_AC = "performance"; CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; - WIFI_PWR_ON_BAT= "off"; + WIFI_PWR_ON_BAT = "off"; }; }; } diff --git a/modules/virtualization.nix b/modules/virtualization.nix index d04bed6..b61cc4f 100644 --- a/modules/virtualization.nix +++ b/modules/virtualization.nix @@ -1,4 +1,9 @@ -{ config, pkgs, inputs, ... }: +{ + config, + pkgs, + inputs, + ... +}: { environment.systemPackages = with pkgs; [ virt-manager diff --git a/modules/wg/default.nix b/modules/wg/default.nix index cab721b..82c1179 100644 --- a/modules/wg/default.nix +++ b/modules/wg/default.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ imports = [ # module ./module.nix 
diff --git a/modules/wg/mgmt.nix b/modules/wg/mgmt.nix index 33f483e..64a55fd 100644 --- a/modules/wg/mgmt.nix +++ b/modules/wg/mgmt.nix @@ -4,11 +4,17 @@ oxalab.wg = [ { networkName = "0xa-mgmt"; - CIDRs = [ "10.89.87.0/24" "fd31:185d:722e::/48" ]; + CIDRs = [ + "10.89.87.0/24" + "fd31:185d:722e::/48" + ]; hosts = { "cloud" = { - address = [ "10.89.87.1/24" "fd31:185d:722e::1/48" ]; + address = [ + "10.89.87.1/24" + "fd31:185d:722e::1/48" + ]; publicKey = "zKSaw+SXzWgi/T7ByXHqPk1XNXXapoQYB8UPMTRmhm0="; privateKeyFile = config.sops.secrets."wg/0xa-mgmt".path; endpoint = { @@ -20,12 +26,18 @@ }; "toaster" = { - address = [ "10.89.87.100/24" "fd31:185d:722e::100/48" ]; + address = [ + "10.89.87.100/24" + "fd31:185d:722e::100/48" + ]; publicKey = "H+WeYIBdX7ZHwkgm4BGnF0HF0JULkxyNMcvCviHhmks="; privateKeyFile = config.sops.secrets."wg/0xa-mgmt".path; }; "minime" = { - address = [ "10.89.87.10/24" "fd31:185d:722e::10/48" ]; + address = [ + "10.89.87.10/24" + "fd31:185d:722e::10/48" + ]; publicKey = "zN2Dr/ZGMh1Ftparszp22Qnbz2ISJU12iDVatebOHUE="; privateKeyFile = config.sops.secrets."wg/0xa-mgmt".path; }; diff --git a/modules/wg/module.nix b/modules/wg/module.nix index 84575c7..c27f325 100644 --- a/modules/wg/module.nix +++ b/modules/wg/module.nix @@ -1,8 +1,11 @@ -{ lib -, config -, self -, registry -, ... }: { +{ + lib, + config, + self, + registry, + ... +}: +{ config = let @@ -17,10 +20,20 @@ name = "30-wg-${net.networkName}"; value = { matchConfig.Name = "wg-${net.networkName}"; - networkConfig = { - Address = net.hosts.${currenthost}.address; - IPv6AcceptRA = false; # for now static IPv6 - } // (if net.hosts.${currenthost}.endpoint.enable then {IPv4Forwarding=true; IPv6Forwarding=true; } else {}); + networkConfig = + { + Address = net.hosts.${currenthost}.address; + IPv6AcceptRA = false; # for now static IPv6 + } + // ( + if net.hosts.${currenthost}.endpoint.enable then + { + IPv4Forwarding = true; + IPv6Forwarding = true; + } + else + { } + ); }; }) networks; 
@@ -45,8 +58,7 @@ wireguardPeers = let endpoint = lib.attrsets.filterAttrs (_k: v: v.endpoint.enable) net.hosts; - wg-peers-attrs = lib.attrsets.mapAttrs (_k: v: - { + wg-peers-attrs = lib.attrsets.mapAttrs (_k: v: { PersistentKeepalive = 29; PublicKey = v.publicKey; Endpoint = "${v.endpoint.endpoint}:${toString v.endpoint.port}"; @@ -55,19 +67,24 @@ wg-peers = lib.attrsets.attrValues wg-peers-attrs; in wg-peers; - }; - }) net-client; - netdev-client = builtins.listToAttrs netdev-client-list; + }; + }) net-client; + netdev-client = builtins.listToAttrs netdev-client-list; - maskip = (net: hostattrs: - if hostattrs.endpoint.enable then hostattrs.address else map (baseaddr: - if lib.strings.hasInfix "." baseaddr then "${baseaddr}/32" else "${baseaddr}/128" - ) (map (addr: builtins.elemAt (lib.strings.splitString "/" addr) 0) hostattrs.address)); + maskip = ( + net: hostattrs: + if hostattrs.endpoint.enable then + hostattrs.address + else + map (baseaddr: if lib.strings.hasInfix "." baseaddr then "${baseaddr}/32" else "${baseaddr}/128") ( + map (addr: builtins.elemAt (lib.strings.splitString "/" addr) 0) hostattrs.address + ) + ); # endpoint # TODO: this requires bit more logic for allowedIPs if we have more then # 2 endpoints e.g. for routing client -> endpoint1 -> endpoint2 -> # client2 - netdev-endpoint-list = map (net: { + netdev-endpoint-list = map (net: { name = "30-wg-${net.networkName}"; value = { netdevConfig = { 
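Review bot: `Endpoint = "${v.endpoint.endpoint}:${toString v.endpoint.port}";` in the client-side `wg-peers-attrs` silently yields `host:` when `endpoint.port` is left at its null default, because `toString null` evaluates to the empty string, whereas a null `endpoint.endpoint` at least fails loudly during interpolation. The peers here are already restricted to hosts with `endpoint.enable = true`, so an enabled endpoint without a port is a configuration error that should be rejected rather than produce an unusable peer, e.g. `Endpoint = assert v.endpoint.port != null; "${v.endpoint.endpoint}:${toString v.endpoint.port}";` or an `assertions` entry on the module. The same interpolation appears in the endpoint-side hunk `@@ -79,19 +96,27 @@` below, where the guard only tests `endpoint.endpoint`. The enclosing `netdev-client-list` definition starts outside this hunk.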
@@ -79,19 +96,27 @@ wireguardPeers = let peers = lib.attrsets.filterAttrs (k: _v: k != currenthost) net.hosts; - wg-peers-attrs = lib.attrsets.mapAttrs (_k: v: - { - PersistentKeepalive = 29; - PublicKey = v.publicKey; - # only route to /32 or /128, i.e. single client - AllowedIPs = maskip net v; - } // (if !isNull v.endpoint.endpoint then { Endpoint = "${v.endpoint.endpoint}:${toString v.endpoint.port}"; } else {})) peers; + wg-peers-attrs = lib.attrsets.mapAttrs ( + _k: v: + { + PersistentKeepalive = 29; + PublicKey = v.publicKey; + # only route to /32 or /128, i.e. single client + AllowedIPs = maskip net v; + } + // ( + if !isNull v.endpoint.endpoint then + { Endpoint = "${v.endpoint.endpoint}:${toString v.endpoint.port}"; } + else + { } + ) + ) peers; wg-peers = lib.attrsets.attrValues wg-peers-attrs; in wg-peers; - }; - }) net-endpoint; - netdev-endpoint = builtins.listToAttrs netdev-endpoint-list; + }; + }) net-endpoint; + netdev-endpoint = builtins.listToAttrs netdev-endpoint-list; in { @@ -102,4 +127,4 @@ systemd.network.networks = systemd-networks; systemd.network.netdevs = netdev-client // netdev-endpoint; }; - } +} diff --git a/modules/wg/options.nix b/modules/wg/options.nix index 4f090d0..56fd964 100644 --- a/modules/wg/options.nix +++ b/modules/wg/options.nix 
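Review bot: `peers = lib.attrsets.filterAttrs (k: _v: k != currenthost) net.hosts;` excludes only the current host, so a host declared with `enable = false` (an option `options.nix` defines) would still be installed as a WireGuard peer with its public key and AllowedIPs, unless something outside these hunks filters it — I cannot see such a filter in the visible code. If `enable` is meant to revoke a peer, `peers = lib.attrsets.filterAttrs (k: v: k != currenthost && v.enable) net.hosts;` does it here, and the client-side `endpoint = lib.attrsets.filterAttrs (_k: v: v.endpoint.enable) net.hosts;` in the hunk above needs the same `&& v.enable`. Separately, `if !isNull v.endpoint.endpoint then` uses `isNull`, which the Nix manual marks deprecated; `if v.endpoint.endpoint != null then` is the current idiom and avoids the `!`-before-application precedence question. The `netdev-endpoint-list` definition this belongs to starts in the previous hunk.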
@@ -1,79 +1,88 @@ -{ lib -, ...}: { - options.oxalab.wg = with lib; - lib.mkOption { - default = []; - type = types.listOf (types.submodule { - options = { - # general network stuff - networkName = mkOption { - type = types.nullOr types.str; - default = null; - }; - CIDRs = mkOption { - type = types.nullOr (types.listOf types.str); - default = null; - }; + lib, + ... +}: +{ + options.oxalab.wg = + with lib; + lib.mkOption { + default = [ ]; + type = types.listOf ( + types.submodule { + options = { + # general network stuff + networkName = mkOption { + type = types.nullOr types.str; + default = null; + }; + CIDRs = mkOption { + type = types.nullOr (types.listOf types.str); + default = null; + }; - hosts = mkOption { - default = {}; - type = types.attrsOf (types.submodule { - options = { - - enable = mkOption { - type = types.bool; - default = true; - }; - address = mkOption { - type = types.listOf types.str; - default = null; - }; - publicKey = mkOption { - type = types.str; - default = null; - }; - privateKeyFile = mkOption { - type = types.path; - default = null; - }; - - endpoint.enable = mkOption { - type = types.bool; - default = false; - }; - endpoint.endpoint = mkOption { - type = types.nullOr types.str; - default = null; - }; - endpoint.port = mkOption { - type = types.nullOr types.int; - default = null; - }; - endpoint.publicIface = mkOption { - type = types.nullOr types.str; - default = null; - }; - - endpoint.extraPeers = mkOption { - default = []; - type = types.listOf (types.submodule { + hosts = mkOption { + default = { }; + type = types.attrsOf ( + types.submodule { options = { + + enable = mkOption { + type = types.bool; + default = true; + }; address = mkOption { type = types.listOf types.str; - default = []; + default = null; }; publicKey = mkOption { + type = types.str; + default = null; + }; + privateKeyFile = mkOption { + type = types.path; + default = null; + }; + + endpoint.enable = mkOption { + type = types.bool; + default = false; + }; + 
endpoint.endpoint = mkOption { type = types.nullOr types.str; default = null; }; + endpoint.port = mkOption { + type = types.nullOr types.int; + default = null; + }; + endpoint.publicIface = mkOption { + type = types.nullOr types.str; + default = null; + }; + + endpoint.extraPeers = mkOption { + default = [ ]; + type = types.listOf ( + types.submodule { + options = { + address = mkOption { + type = types.listOf types.str; + default = [ ]; + }; + publicKey = mkOption { + type = types.nullOr types.str; + default = null; + }; + }; + } + ); + }; }; - }); - }; + } + ); }; - }); - }; - }; - }); - }; + }; + } + ); + }; } diff --git a/pkgs/imhex.nix b/pkgs/imhex.nix deleted file mode 100644 index 9f096fe..0000000 --- a/pkgs/imhex.nix +++ /dev/null 
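Review bot: `address`, `publicKey` and `privateKeyFile` under `hosts` keep `default = null` while their types are `types.listOf types.str`, `types.str` and `types.path`, none of which admits null; as far as I can tell the module system merges an option's default through its type, so a host that omits one of these fails with a type error on the default instead of a clear "option is used but not defined" message, and the reformat was a good moment to fix that. Either drop the `default` so the three options are genuinely required, or declare them `types.nullOr …` and make the consumers in `module.nix` handle the null explicitly. `endpoint.endpoint`, `endpoint.port` and `endpoint.publicIface` already follow the second pattern (`types.nullOr …` with `default = null`), so the file would become consistent either way.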
@@ -1,75 +0,0 @@
-{ gcc12Stdenv
-, lib
-, cmake
-, ccache
-, glfw
-, glm
-, magic-vlsi
-, mbedtls
-, freetype
-, dbus
-, capstone
-, openssl
-, pkg-config
-, lld
-, libGL
-, wrapQtAppsHook
-, fetchFromGitHub
-}:
-gcc12Stdenv.mkDerivation rec {
- pname = "imhex";
- version = "1.26.2";
-
- src = fetchFromGitHub {
- owner = "WerWolv";
- repo = "ImHex";
- rev = "v${version}";
- fetchSubmodules = true;
- sha256 = "sha256-H2bnRByCUAltngmVWgPW4vW8k5AWecOAzwtBKsjbpTw=";
- };
-
- nativeBuildInputs = [
- cmake
- pkg-config
- lld
- ];
-
- cmakeFlags = [
- "-DCMAKE_BUILD_TYPE=Release"
- # "-DCMAKE_INSTALL_PREFIX="/usr""
- "-DCMAKE_C_COMPILER_LAUNCHER=ccache"
- "-DCMAKE_CXX_COMPILER_LAUNCHER=ccache"
- "-DCMAKE_C_FLAGS=-fuse-ld=lld"
- "-DCMAKE_CXX_FLAGS=-fuse-ld=lld"
- "-DCMAKE_OBJC_COMPILER_LAUNCHER=ccache"
- "-DCMAKE_OBJCXX_COMPILER_LAUNCHER=ccache"
-
- # looks like the cmake here tries to be "helpful"...
- "-DFREETYPE_LIBRARY=${freetype.dev}"
- "-DFREETYPE_INCLUDE_DIRS=${freetype.dev}"
- "-DOPENGL_opengl_LIBRARY=${libGL.dev}"
- "-DOPENGL_glx_LIBRARY=${libGL.dev}"
- "-DOPENGL_INCLUDE_DIR=${libGL.dev}"
- "-DMBEDTLS_LIBRARY=${mbedtls}"
- "-DMBEDTLS_INCLUDE_DIRS=${mbedtls}"
- "-DMBEDX509_LIBRARY=${mbedtls}"
- "-DMBEDCRYPTO_LIBRARY=${mbedtls}"
-
- "-DCMAKE_PREFIX_PATH=${glfw}"
- "-DCMAKE_LIBRARY_PATH=${magic-vlsi}"
- "-DCMAKE_PREFIX_PATH=${dbus.dev}"
- ];
-
- BuildInputs = [
- ccache
- glfw
- glm
- magic-vlsi
- mbedtls
- freetype
- dbus
- openssl
- capstone
- libGL
- ];
-}
diff --git a/pkgs/slick.nix b/pkgs/slick.nix
deleted file mode 100644
index c476440..0000000
--- a/pkgs/slick.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ stdenv, lib, openssl, pkgconfig, fetchFromGitHub, rustPlatform }:
-
-rustPlatform.buildRustPackage rec {
- pname = "slick";
- version = "0.10.0";
-
- src = fetchFromGitHub {
- owner = "nbari";
- repo = pname;
- rev = version;
- sha256 = "sha256-GM9OHnySc3RVkfaK7yMf1LqpGdz3emq2H/3tSAph4jw=";
- };
-
- buildInputs = [ openssl pkgconfig ];
- nativeBuildInputs = [ pkgconfig ];
-
- cargoSha256 = "sha256-2WxFprq+AcXGXDMjMQvqKTkeWQEWM/z2Fz6qYPtSFGw=";
-
- meta = with lib; {
- description = "Async ZSH prompt";
- homepage = "https://github.com/nbari/slick";
- license = licenses.bsd3;
- };
-}