diff --git a/README.md b/README.md index a6236a86..1bf79a1c 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,7 @@ These are the NixOS configurations for my systems. I run nothing other than NixO ## Contents +* [To-do](#to-do) * [Nodes](#nodes) * [Profiles](#profiles) * [User Profiles](#user-profiles) @@ -15,6 +16,16 @@ These are the NixOS configurations for my systems. I run nothing other than NixO * [Dependencies](#dependencies) * [Commands](#commands) +## To-do + +* Expand [kittywitch/anicca](https://github.com/kittywitch/anicca) to be a module that helps with impermanence, too. +* Move to using [arcnmx/screenstub](https://github.com/arcnmx/screenstub) without any patches. +* Add swaylock-effects to our theme module. +* Set up [rinnosuke](config/hosts/rinnosuke) as a nameserver. Either using Knot DNS or BIND. (Need RFC2136.) +* Migrate [athame](config/hosts/athame) to OCI. +* Look into alternatives to Yggdrasil and move to them. +* Set up IPv6 network handling for our hosts. + ## Nodes | Node | Purpose | diff --git a/config/hosts/athame/nixos.nix b/config/hosts/athame/nixos.nix index 2d84b281..5377fabc 100644 --- a/config/hosts/athame/nixos.nix +++ b/config/hosts/athame/nixos.nix @@ -12,7 +12,6 @@ with lib; services.filehost services.gitea services.logrotate - services.loki services.mail services.matrix services.murmur diff --git a/config/hosts/rinnosuke/nixos.nix b/config/hosts/rinnosuke/nixos.nix index 1af7cfbd..8cf3b775 100644 --- a/config/hosts/rinnosuke/nixos.nix +++ b/config/hosts/rinnosuke/nixos.nix @@ -5,6 +5,7 @@ in imports = (with (import (sources.tf-nix + "/modules")); [ nixos.ubuntu-linux nixos.oracle + ./oracle.nix ]) ++ (with meta; [ services.nginx ]); services.nginx.virtualHosts = @@ -28,157 +29,4 @@ in ipv4_attr = "public_ip"; }; }; - - deploy.tf = - let - compartment_id = oci-root.resources.oci_kw_compartment.importAttr "id"; - inherit (tf.lib.tf) terraformExpr; - in - { - deploy.systems.rinnosuke = { - lustrate = { - enable = true; - connection = tf.resources.rinnosuke.connection.set; - }; - connection = { - port = 62954; - }; - }; - providers.oci = { - inputs = { - tenancy_ocid = oci-root.outputs.oci_tenancy.import; - user_ocid = oci-root.resources.oci_kw_user.importAttr "id"; - fingerprint = oci-root.resources.oci_kw_apikey.importAttr "fingerprint"; - region = oci-root.outputs.oci_region.import; - private_key_path = oci-root.resources.oci_kw_key_file.importAttr "filename"; - }; - }; - resources = mkMerge [{ - cloudinit = { - provider = "cloudinit"; - type = "config"; - dataSource = true; - inputs = { - part = singleton { - content_type = "text/cloud-config"; - content = "#cloud-config\n" + builtins.toJSON { - disable_root = false; - }; - }; - }; - }; - availability_domain = { - provider = "oci"; - type = "identity_availability_domain"; - dataSource = true; - inputs = { - inherit compartment_id; - ad_number = 2; - }; - }; - generic_image = { - provider = "oci"; - type = "core_images"; - dataSource = true; - inputs = { - inherit compartment_id; - inherit (tf.resources.rinnosuke.inputs) shape; - operating_system = "Canonical Ubuntu"; # "Oracle Linux" - sort_by = "TIMECREATED"; - sort_order = "DESC"; - }; - }; - rinnosuke = { - provider = "oci"; - type = "core_instance"; - inputs = { - inherit compartment_id; - extended_metadata = { }; - metadata = { - ssh_authorized_keys = concatStringsSep "\n" config.users.users.root.openssh.authorizedKeys.keys; - user_data = tf.resources.cloudinit.refAttr "rendered"; - }; - shape = "VM.Standard.E2.1.Micro"; - shape_config = { - memory_in_gbs = 1; - ocpus = 1; - }; - source_details = { - source_type = "image"; - source_id = tf.resources.generic_image.refAttr "images[0].id"; - boot_volume_size_in_gbs = 50; # min 50GB, up to 200GB free - }; - create_vnic_details = [ - { - assign_public_ip = true; - subnet_id = oci-root.resources.oci_kw_subnet.importAttr "id"; - private_ip = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "cidr_block"}", 3)''; - nsg_ids = [ - (tf.resources.firewall_group.refAttr "id") - ]; - } - ]; - availability_domain = tf.resources.availability_domain.refAttr "name"; - }; - lifecycle.ignoreChanges = [ - "source_details[0].source_id" - ]; - connection = { - type = "ssh"; - user = "root"; - host = tf.lib.tf.terraformSelf "public_ip"; - timeout = "5m"; - }; - }; - firewall_group = { - provider = "oci"; - type = "core_network_security_group"; - inputs = { - display_name = "${config.networking.hostName} firewall group"; - inherit compartment_id; - vcn_id = oci-root.resources.oci_vcn.importAttr "id"; - }; - }; - } - ( - let - protoValues = { - TCP = 6; - UDP = 17; - }; - inherit (config.networking) firewall; - ipv4 = "0.0.0.0/0"; - ipv6 = "::/0"; - mapPort = source: protocol: port: { - provider = "oci"; - type = "core_network_security_group_security_rule"; - inputs = { - network_security_group_id = tf.resources.firewall_group.refAttr "id"; - inherit protocol source; - direction = "INGRESS"; - ${if protocol == protoValues.TCP then "tcp_options" else "udp_options"} = { - destination_port_range = - if isAttrs port then { - min = port.from; - max = port.to; - } else { - min = port; - max = port; - }; - }; - }; - }; - mapAll = protocol: port: [ (mapPort ipv4 protocol port) (mapPort ipv6 protocol port) ]; - mapAllForInterface = - let - protos = [ "TCP" "UDP" ]; - types = [ "Ports" "PortRanges" ]; - in - interface: concatMap (type: concatMap (proto: (concatMap (port: (mapAll protoValues.${proto}) port) interface."allowed${proto}${type}")) protos) types; - rules = concatMap mapAllForInterface ([ firewall ] ++ map (interface: firewall.interfaces.${interface}) config.network.firewall.public.interfaces); - # TODO: use `count` and index into a fancy json or something? - in - listToAttrs (imap0 (i: rule: nameValuePair "firewall${toString i}" rule) rules) - )]; - }; } diff --git a/config/hosts/rinnosuke/oracle.nix b/config/hosts/rinnosuke/oracle.nix new file mode 100644 index 00000000..e4e3d51b --- /dev/null +++ b/config/hosts/rinnosuke/oracle.nix @@ -0,0 +1,156 @@ +{ config, tf, meta, kw, pkgs, lib, sources, ... }: with lib; let + oci-root = meta.deploy.targets.oci-root.tf; +in +{ + deploy.tf = + let + compartment_id = oci-root.resources.oci_kw_compartment.importAttr "id"; + inherit (tf.lib.tf) terraformExpr; + in + { + deploy.systems.rinnosuke = { + lustrate = { + enable = true; + connection = tf.resources.rinnosuke.connection.set; + }; + connection = { + port = 62954; + }; + }; + providers.oci = { + inputs = { + tenancy_ocid = oci-root.outputs.oci_tenancy.import; + user_ocid = oci-root.resources.oci_kw_user.importAttr "id"; + fingerprint = oci-root.resources.oci_kw_apikey.importAttr "fingerprint"; + region = oci-root.outputs.oci_region.import; + private_key_path = oci-root.resources.oci_kw_key_file.importAttr "filename"; + }; + }; + resources = mkMerge [{ + cloudinit = { + provider = "cloudinit"; + type = "config"; + dataSource = true; + inputs = { + part = singleton { + content_type = "text/cloud-config"; + content = "#cloud-config\n" + builtins.toJSON { + disable_root = false; + }; + }; + }; + }; + availability_domain = { + provider = "oci"; + type = "identity_availability_domain"; + dataSource = true; + inputs = { + inherit compartment_id; + ad_number = 2; + }; + }; + generic_image = { + provider = "oci"; + type = "core_images"; + dataSource = true; + inputs = { + inherit compartment_id; + inherit (tf.resources.rinnosuke.inputs) shape; + operating_system = "Canonical Ubuntu"; # "Oracle Linux" + sort_by = "TIMECREATED"; + sort_order = "DESC"; + }; + }; + rinnosuke = { + provider = "oci"; + type = "core_instance"; + inputs = { + inherit compartment_id; + extended_metadata = { }; + metadata = { + ssh_authorized_keys = concatStringsSep "\n" config.users.users.root.openssh.authorizedKeys.keys; + user_data = tf.resources.cloudinit.refAttr "rendered"; + }; + shape = "VM.Standard.E2.1.Micro"; + shape_config = { + memory_in_gbs = 1; + ocpus = 1; + }; + source_details = { + source_type = "image"; + source_id = tf.resources.generic_image.refAttr "images[0].id"; + boot_volume_size_in_gbs = 50; # min 50GB, up to 200GB free + }; + create_vnic_details = [ + { + assign_public_ip = true; + subnet_id = oci-root.resources.oci_kw_subnet.importAttr "id"; + private_ip = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "cidr_block"}", 3)''; + nsg_ids = [ + (tf.resources.firewall_group.refAttr "id") + ]; + } + ]; + availability_domain = tf.resources.availability_domain.refAttr "name"; + }; + lifecycle.ignoreChanges = [ + "source_details[0].source_id" + ]; + connection = { + type = "ssh"; + user = "root"; + host = tf.lib.tf.terraformSelf "public_ip"; + timeout = "5m"; + }; + }; + firewall_group = { + provider = "oci"; + type = "core_network_security_group"; + inputs = { + display_name = "${config.networking.hostName} firewall group"; + inherit compartment_id; + vcn_id = oci-root.resources.oci_vcn.importAttr "id"; + }; + }; + } + ( + let + protoValues = { + TCP = 6; + UDP = 17; + }; + inherit (config.networking) firewall; + ipv4 = "0.0.0.0/0"; + ipv6 = "::/0"; + mapPort = source: protocol: port: { + provider = "oci"; + type = "core_network_security_group_security_rule"; + inputs = { + network_security_group_id = tf.resources.firewall_group.refAttr "id"; + inherit protocol source; + direction = "INGRESS"; + ${if protocol == protoValues.TCP then "tcp_options" else "udp_options"} = { + destination_port_range = + if isAttrs port then { + min = port.from; + max = port.to; + } else { + min = port; + max = port; + }; + }; + }; + }; + mapAll = protocol: port: [ (mapPort ipv4 protocol port) (mapPort ipv6 protocol port) ]; + mapAllForInterface = + let + protos = [ "TCP" "UDP" ]; + types = [ "Ports" "PortRanges" ]; + in + interface: concatMap (type: concatMap (proto: (concatMap (port: (mapAll protoValues.${proto}) port) interface."allowed${proto}${type}")) protos) types; + rules = concatMap mapAllForInterface ([ firewall ] ++ map (interface: firewall.interfaces.${interface}) config.network.firewall.public.interfaces); + # TODO: use `count` and index into a fancy json or something? + in + listToAttrs (imap0 (i: rule: nameValuePair "firewall${toString i}" rule) rules) + )]; + }; diff --git a/config/hosts/samhain/nixos.nix b/config/hosts/samhain/nixos.nix index 8c82ea4f..015e9f59 100644 --- a/config/hosts/samhain/nixos.nix +++ b/config/hosts/samhain/nixos.nix @@ -174,9 +174,6 @@ in SUBSYSTEM=="block", ACTION=="add", ATTRS{model}=="HFS256G32TNF-N3A", ATTRS{wwid}=="t10.ATA HFS256G32TNF-N3A0A MJ8BN15091150BM1Z ", OWNER="kat" ''; - # TODO: Replace this drive forward with one half of the 1.82TiB drive. - # SUBSYSTEM=="block", ACTION=="add", ATTR{partition}=="2", ATTR{size}=="1953503232", ATTRS{wwid}=="naa.5000039fe6e8614e", OWNER="kat" - # Networking networking = { diff --git a/overlays/default.nix b/overlays/default.nix index 11494610..8f86a55b 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -8,9 +8,6 @@ let (import ./rustfmt) (import ./katlib) (import ./katpkgs) - /* # TODO: implement these - (import ./vimrc) - */ ] ++ (map (path: import "${path}/overlay.nix") [ sources.arcexprs sources.anicca