gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

Refactors for usability

Browse source 
Using ./home.nix and ./nixos.nix as entrypoints for hosts.
Using hardware profiles.
Using new entrypoints (profiles/base/profiles.nix + profiles/base/home.nix).
New modules (for DNS handling, for themeing, ...).
Split up deploy-tf.nix into several modules.
Renamed common profile to base profile.
This commit is contained in:
kat witch 2021-08-05 03:21:21 +01:00
parent 487bf9c8d5
commit 2a5ec2e0b4
No known key found for this signature in database
GPG key ID: 1B477797DCA5EC72
114 changed files with 1209 additions and 953 deletions
Download patch file Download diff file Expand all files Collapse all files

1
config/hosts/athame/home/default.nix
View file

@ -1 +0,0 @@
{ ... }: { imports = [ ./weechat.nix ]; }

5
config/hosts/athame/home/weechat.nix
View file

@ -1,5 +0,0 @@
{ config, pkgs, lib, ... }:
{
programs.weechat = { enable = true; };
}

108
config/hosts/athame/nixos.nix Normal file
View file

@ -0,0 +1,108 @@
{ config, users, lib, pkgs, profiles, ... }:
with lib;
{
# Imports
imports = [
# profiles
profiles.hardware.hcloud-imperative
users.kat.server
# host-specific services
./nixos/virtualhosts.nix
# services
../../services/fail2ban.nix
../../services/logrotate.nix
../../services/postgres.nix
../../services/nginx.nix
../../services/mail.nix
../../services/radicale.nix
../../services/xmpp.nix
../../services/gitea
../../services/syncplay.nix
../../services/weechat.nix
../../services/vaultwarden.nix
../../services/taskserver.nix
../../services/murmur.nix
../../services/matrix.nix
../../services/restic.nix
../../services/grafana.nix
../../services/prometheus.nix
../../services/loki.nix
../../services/node-exporter.nix
../../services/promtail.nix
../../services/netdata.nix
../../services/znc.nix
../../services/asterisk.nix
];
# File Systems and Swap
fileSystems = {
"/" = {
device = "/dev/sda1";
fsType = "ext4";
};
};
# Bootloader
boot.loader.grub = {
enable = true;
version = 2;
device = "/dev/sda";
};
# Networking
networking = {
hostName = "athame";
domain = "kittywit.ch";
hostId = "7b0ac74e";
useDHCP = false;
interfaces = {
enp1s0 = {
useDHCP = true;
ipv6.addresses = [{
address = "2a01:4f8:c2c:b7a8::1";
prefixLength = 64;
}];
};
};
defaultGateway6 = {
address = "fe80::1";
interface = "enp1s0";
};
};
# Firewall
kw.fw.public.interfaces = singleton "enp1s0";
kw.fw.private.interfaces = singleton "yggdrasil";
# Host-specific DNS Config
kw.dns.ipv4 = "168.119.126.111";
kw.dns.ipv6 = (lib.head config.networking.interfaces.enp1s0.ipv6.addresses).address;
deploy.tf.dns.records.kittywitch_athame_v6 = {
tld = "kittywit.ch.";
domain = "athame";
aaaa.address = config.kw.dns.ipv6;
};
# Yggdrasil
network.yggdrasil = {
enable = true;
pubkey = "55e3f29c252d16e73ac849a6039824f94df1dee670c030b9e29f90584f935575";
listen.enable = true;
listen.endpoints = [ "tcp://${config.kw.dns.ipv4}:52969" ];
};
# State
system.stateVersion = "20.09";
}

79
config/hosts/athame/nixos/default.nix
View file

@ -1,79 +0,0 @@
{ config, users, lib, pkgs, profiles, ... }:
with lib;
{
imports = [
./hw.nix
# profiles
users.kat.server
# host-specific services
./virtualhosts.nix
# services
../../../services/fail2ban.nix
../../../services/logrotate.nix
../../../services/postgres.nix
../../../services/nginx.nix
../../../services/mail.nix
../../../services/calendar.nix
../../../services/xmpp.nix
../../../services/gitea
../../../services/syncplay.nix
../../../services/weechat.nix
../../../services/vaultwarden.nix
../../../services/taskserver.nix
../../../services/murmur.nix
../../../services/matrix.nix
../../../services/restic.nix
../../../services/grafana.nix
../../../services/prometheus.nix
../../../services/loki.nix
../../../services/node-exporter.nix
../../../services/promtail.nix
../../../services/netdata.nix
../../../services/znc.nix
../../../services/asterisk.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
networking = {
hostName = "athame";
domain = "kittywit.ch";
hostId = "7b0ac74e";
useDHCP = false;
interfaces.enp1s0.useDHCP = true;
};
networking.interfaces.enp1s0.ipv6.addresses = [{
address = "2a01:4f8:c2c:b7a8::1";
prefixLength = 64;
}];
networking.defaultGateway6 = {
address = "fe80::1";
interface = "enp1s0";
};
kw.fw.public.interfaces = singleton "enp1s0";
kw.fw.private.interfaces = singleton "yggdrasil";
kw.fw.public.tcp.ports = singleton 52969;
deploy.tf.dns.records.kittywitch_athame_v6 = {
tld = "kittywit.ch.";
domain = "athame";
aaaa.address =
(lib.head config.networking.interfaces.enp1s0.ipv6.addresses).address;
};
network.yggdrasil = {
enable = true;
pubkey = "55e3f29c252d16e73ac849a6039824f94df1dee670c030b9e29f90584f935575";
listen.enable = true;
listen.endpoints = [ "tcp://168.119.126.111:52969" ];
};
system.stateVersion = "20.09";
}

10
config/hosts/athame/nixos/hw.nix
View file

@ -1,10 +0,0 @@
{ sources, ... }: {
imports = [ (sources.nixpkgs + "/nixos/modules/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules =
[ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
boot.loader.grub.device = "/dev/sda";
fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
}

1
config/hosts/beltane/home.nix Normal file
View file

@ -0,0 +1 @@
{ ... }: { imports = [ ./home/sway.nix ]; }

1
config/hosts/beltane/home/default.nix
View file

@ -1 +0,0 @@
{ ... }: { imports = [ ./sway ]; }

6
config/hosts/beltane/home/sway/default.nix → config/hosts/beltane/home/sway.nix
View file

@ -1,4 +1,6 @@
{ config, pkgs, ... }:
{ config, pkgs, lib, ... }:
with lib;
{
imports = [ ./swayidle.nix ];
@ -6,7 +8,7 @@
wayland.windowManager.sway = {
config =
let
lockCommand = "swaylock -i VGA-1:${../../../../users/kat/sway/wallpapers/main.png} -s fill";
lockCommand = "swaylock -i VGA-1:${builtins.elemAt config.kw.wallpapers 0} -s fill";
cfg = config.wayland.windowManager.sway.config;
in
{

8
config/hosts/beltane/home/sway/swayidle.nix → config/hosts/beltane/home/swayidle.nix
View file

@ -11,14 +11,10 @@
Type = "simple";
ExecStart = ''
${pkgs.swayidle}/bin/swayidle -w \
timeout 300 '${pkgs.swaylock}/bin/swaylock -f -i VGA-1:${
../../../../users/kat/sway/wallpapers/main.png
} \
timeout 300 '${pkgs.swaylock}/bin/swaylock -f -i VGA-1:${builtins.elemAt config.kw.wallpapers 0} \
timeout 600 'swaymsg "output * dpms off"' \
resume 'swaymsg "output * dpms on"' \
before-sleep '${pkgs.swaylock}/bin/swaylock -f -i VGA-1:${
../../../../users/kat/sway/wallpapers/main.png
}'
before-sleep '${pkgs.swaylock}/bin/swaylock -f -i VGA-1:${builtins.elemAt config.kw.wallpapers 0}'
'';
RestartSec = 3;
Restart = "always";

106
config/hosts/beltane/nixos.nix Normal file
View file

@ -0,0 +1,106 @@
{ config, lib, pkgs, profiles, users, tf, ... }:
with lib;
{
# Imports
imports = [
profiles.hardware.rm-310
profiles.gui
users.kat.guiFull
./nixos/jellyfin.nix
./nixos/virtualhosts.nix
./nixos/transmission.nix
../../services/node-exporter.nix
../../services/promtail.nix
../../services/netdata.nix
../../services/nginx.nix
../../services/zfs.nix
];
home-manager.users.kat = {
imports = [
./home.nix
];
};
# File Systems and Swap
boot.supportedFilesystems = singleton "zfs";
fileSystems = {
"/" = {
device = "zroot/safe/root";
fsType = "zfs";
};
"/nix" = {
device = "zroot/local/nix";
fsType = "zfs";
};
"/home" = {
device = "zroot/safe/home";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/44CC-7137";
fsType = "vfat";
};
"/boot-fallback" = {
device = "/dev/disk/by-uuid/4520-4E5F";
fsType = "vfat";
};
};
swapDevices = [
{ device = "/dev/disk/by-uuid/682df001-bad8-4d94-a86b-9068ce5eee4c"; }
{ device = "/dev/disk/by-uuid/1ee2d322-235c-41de-b272-7ceded4e2624"; }
];
# Bootloader
boot.loader = {
efi.canTouchEfiVariables = true;
grub = {
enable = true;
efiSupport = true;
device = "nodev";
mirroredBoots = [
{
devices = [ "/dev/disk/by-uuid/4520-4E5F" ];
path = "/boot-fallback";
}
];
};
};
# Networking
networking = {
hostName = "beltane";
hostId = "3ef9a419";
useDHCP = false;
interfaces.eno1.useDHCP = true;
};
# Firewall
kw.fw.private.interfaces = singleton "yggdrasil";
kw.fw.public.interfaces = singleton "eno1";
# Yggdrasil
network.yggdrasil = {
enable = true;
pubkey = "d3e488574367056d3ae809b678f799c29ebfd5c7151bb1f4051775b3953e5f52";
# if server, enable this and set endpoint:
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};
# State
system.stateVersion = "21.05";
}

36
config/hosts/beltane/nixos/default.nix
View file

@ -1,36 +0,0 @@
{ config, pkgs, profiles, users, tf, ... }:
{
imports = [
./hw.nix
profiles.gui
profiles.sway
users.kat.guiFull
../../../services/zfs.nix
];
home-manager.users.kat = {
imports = [
../home
];
};
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "nodev";
boot.loader.grub.mirroredBoots = [
{ devices = [ "/dev/disk/by-uuid/4520-4E5F" ];
path = "/boot-fallback"; }
];
boot.supportedFilesystems = [ "zfs" ];
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "beltane";
networking.hostId = "3ef9a419";
networking.useDHCP = false;
networking.interfaces.eno1.useDHCP = true;
system.stateVersion = "21.05";
}

45
config/hosts/beltane/nixos/hw.nix
View file

@ -1,45 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ata_generic" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "zroot/safe/root";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "zroot/local/nix";
fsType = "zfs";
};
fileSystems."/home" =
{ device = "zroot/safe/home";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/44CC-7137";
fsType = "vfat";
};
fileSystems."/boot-fallback" =
{ device = "/dev/disk/by-uuid/4520-4E5F";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/682df001-bad8-4d94-a86b-9068ce5eee4c"; }
{ device = "/dev/disk/by-uuid/1ee2d322-235c-41de-b272-7ceded4e2624"; }
];
}

0
config/hosts/samhain/nixos/jellyfin.nix → config/hosts/beltane/nixos/jellyfin.nix
View file

0
config/hosts/samhain/nixos/transmission.nix → config/hosts/beltane/nixos/transmission.nix
View file

52
config/hosts/beltane/nixos/virtualhosts.nix Normal file
View file

@ -0,0 +1,52 @@
{ config, ... }:
{
services.nginx.virtualHosts = {
"beltane.net.kittywit.ch" = {
useACMEHost = "beltane.net.kittywit.ch";
forceSSL = true;
locations = {
"/jellyfin/".proxyPass = "http://127.0.0.1:8096/jellyfin/";
"/jellyfin/socket" = {
proxyPass = "http://127.0.0.1:8096/jellyfin/";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
"/tvheadend/".proxyPass = "http://192.168.1.245:9981";
"/" = {
root = "/mnt/zraw/media/";
extraConfig = "autoindex on;";
};
"/transmission" = {
proxyPass = "http://[::1]:9091";
extraConfig = "proxy_pass_header X-Transmission-Session-Id;";
};
};
};
"192.168.1.223" = {
locations = {
"/jellyfin/".proxyPass = "http://127.0.0.1:8096/jellyfin/";
"/jellyfin/socket" = {
proxyPass = "http://127.0.0.1:8096/jellyfin/";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
"/share/" = {
alias = "/mnt/zraw/media/";
extraConfig = "autoindex on;";
};
};
};
"100.103.111.44" = {
locations."/share/" = {
alias = "/mnt/zraw/media/";
extraConfig = "autoindex on;";
};
};
};
}

0
config/hosts/dummy/nixos/default.nix → config/hosts/dummy/nixos.nix
View file

1
config/hosts/samhain/home.nix Normal file
View file

@ -0,0 +1 @@
{ ... }: { imports = [ ./home/sway.nix ]; }

1
config/hosts/samhain/home/default.nix
View file

@ -1 +0,0 @@
{ ... }: { imports = [ ./sway ]; }

8
config/hosts/samhain/home/sway/default.nix → config/hosts/samhain/home/sway.nix
View file

@ -1,4 +1,6 @@
{ config, pkgs, ... }:
{ config, pkgs, lib, ... }:
with lib;
{
imports = [ ./swayidle.nix ];
@ -6,9 +8,7 @@
wayland.windowManager.sway = {
config =
let
lockCommand = "swaylock -i HDMI-A-1:${../../../../users/kat/sway/wallpapers/main.png} -i DP-1:${
../../../../users/kat/sway/wallpapers/left.jpg
} -i DVI-D-1:${../../../../users/kat/sway/wallpapers/right.jpg} -s fill";
lockCommand = "swaylock -i HDMI-A-1:${builtins.elemAt config.kw.wallpapers 0} -i DP-1:${builtins.elemAt config.kw.wallpapers 1} -i DVI-D-1:${builtins.elemAt config.kw.wallpapers 2} -s fill";
cfg = config.wayland.windowManager.sway.config;
in
{

14
config/hosts/samhain/home/sway/swayidle.nix → config/hosts/samhain/home/swayidle.nix
View file

@ -1,5 +1,7 @@
{ config, pkgs, lib, ... }:
with lib;
{
systemd.user.services.swayidle = {
Unit = {
@ -11,18 +13,10 @@
Type = "simple";
ExecStart = ''
${pkgs.swayidle}/bin/swayidle -w \
timeout 300 '${pkgs.swaylock}/bin/swaylock -f -i HDMI-A-1:${
../../../../users/kat/sway/wallpapers/main.png
} -i DP-1:${../../../../users/kat/sway/wallpapers/left.jpg} -i DVI-D-1:${
../../../../users/kat/sway/wallpapers/right.jpg
}' \
timeout 300 '${pkgs.swaylock}/bin/swaylock -f -i HDMI-A-1:${builtins.elemAt config.kw.wallpapers 0} -i DP-1:${builtins.elemAt config.kw.wallpapers 1} -i DVI-D-1:${builtins.elemAt config.kw.wallpapers 2}' \
timeout 600 'swaymsg "output * dpms off"' \
resume 'swaymsg "output * dpms on"' \
before-sleep '${pkgs.swaylock}/bin/swaylock -f -i HDMI-A-1:${
../../../../users/kat/sway/wallpapers/main.png
} -i DP-1:${../../../../users/kat/sway/wallpapers/left.jpg} -i DVI-D-1:${
../../../../users/kat/sway/wallpapers/right.jpg
}'
before-sleep '${pkgs.swaylock}/bin/swaylock -f -i HDMI-A-1:${builtins.elemAt config.kw.wallpapers 0} -i DP-1:${builtins.elemAt config.kw.wallpapers 1} -i DVI-D-1:${builtins.elemAt config.kw.wallpapers 2}'
'';
RestartSec = 3;
Restart = "always";

128
config/hosts/samhain/nixos.nix Normal file
View file

@ -0,0 +1,128 @@
{ tf, config, users, pkgs, lib, profiles, sources, ... }:
with lib;
let
hexchen = (import sources.hexchen) { };
hexYgg = filterAttrs (_: c: c.enable)
(mapAttrs (_: host: host.config.network.yggdrasil) hexchen.hosts);
in {
# Imports
imports = [
profiles.hardware.ms-7b86
profiles.gui
users.kat.guiFull
../../services/zfs.nix
../../services/restic.nix
../../services/nginx.nix
../../services/node-exporter.nix
../../services/promtail.nix
../../services/netdata.nix
./nixos/virtualhosts.nix
];
home-manager.users.kat = {
imports = [
./home.nix
];
};
# File Systems and Swap
boot.supportedFilesystems = [ "zfs" "xfs" ];
fileSystems = {
"/" = {
device = "rpool/safe/root";
fsType = "zfs";
};
"/nix" = {
device = "rpool/local/nix";
fsType = "zfs";
};
"/home" = {
device = "rpool/safe/home";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/AED6-D0D1";
fsType = "vfat";
};
};
swapDevices = [
{ device = "/dev/disk/by-uuid/89831a0f-93e6-4d30-85e4-09061259f140"; }
{ device = "/dev/disk/by-uuid/8f944315-fe1c-4095-90ce-50af03dd5e3f"; }
];
# Bootloader
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
# Hardware
hardware.openrazer = {
enable = true;
};
environment.systemPackages = [ pkgs.razergenie ];
# Networking
networking = {
hostName = "samhain";
hostId = "617050fc";
useDHCP = false;
useNetworkd = true;
firewall.allowPing = true;
};
systemd.network = {
networks.enp34s0 = {
matchConfig.Name = "enp34s0";
bridge = singleton "br";
};
networks.br = {
matchConfig.Name = "br";
address = [ "192.168.1.135/24" ];
gateway = [ "192.168.1.254" ];
};
netdevs.br = {
netdevConfig = {
Name = "br";
Kind = "bridge";
MACAddress = "00:d8:61:c7:f4:9d";
};
};
};
services.avahi.enable = true;
# Firewall
kw.fw.private.interfaces = singleton "yggdrasil";
kw.fw.public.interfaces = singleton "br";
kw.fw.private.tcp.ports = [ 10445 ]; # VM Prometheus
# Host-specific DNS Config
kw.dns.dynamic = true;
# Yggdrasil
network.yggdrasil = {
enable = true;
pubkey = "a7110d0a1dc9ec963d6eb37bb6922838b8088b53932eae727a9136482ce45d47";
# if server, enable this and set endpoint:
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};
# State
system.stateVersion = "20.09";
}

142
config/hosts/samhain/nixos/default.nix
View file

@ -1,142 +0,0 @@
{ tf, config, users, pkgs, lib, profiles, sources, ... }:
with lib;
let
hexchen = (import sources.hexchen) { };
hexYgg = filterAttrs (_: c: c.enable)
(mapAttrs (_: host: host.config.network.yggdrasil) hexchen.hosts);
in
{
imports = [
./hw.nix
profiles.gui
profiles.sway
users.kat.guiFull
../../../services/zfs.nix
../../../services/restic.nix
../../../services/nginx.nix
../../../services/node-exporter.nix
../../../services/promtail.nix
../../../services/netdata.nix
./transmission.nix
./jellyfin.nix
./virtualhosts.nix
];
home-manager.users.kat = {
imports = [
../home
];
};
deploy.tf.variables.dyn_username = {
type = "string";
value.shellCommand = "bitw get infra/hexdns-dynamic -f username";
};
deploy.tf.variables.dyn_password = {
type = "string";
value.shellCommand = "bitw get infra/hexdns-dynamic -f password";
};
deploy.tf.variables.dyn_hostname = {
type = "string";
value.shellCommand = "bitw get infra/hexdns-dynamic -f hostname";
};
security.acme.certs."samhain.net.kittywit.ch" = {
domain = "samhain.net.kittywit.ch";
dnsProvider = "rfc2136";
credentialsFile = config.secrets.files.dns_creds.path;
group = "nginx";
};
secrets.files.kat-glauca-dns = {
text = ''
user="${tf.variables.dyn_username.ref}"
pass="${tf.variables.dyn_password.ref}"
hostname="${tf.variables.dyn_hostname.ref}"
'';
owner = "kat";
group = "users";
};
systemd.services.kat-glauca-dns = {
serviceConfig = {
ExecStart = "${pkgs.kat-glauca-dns}/bin/kat-glauca-dns";
};
environment = { passFile = config.secrets.files.kat-glauca-dns.path; };
wantedBy = [ "default.target" ];
};
#hardware.ckb-next = {
# enable = true;
# package = pkgs.ckb-next;
#};
kw.fw.private.interfaces = singleton "yggdrasil";
kw.fw.public.interfaces = singleton "br";
hardware.openrazer = {
enable = true;
};
kw.fw.private.tcp.ports = [ 10445 ];
systemd.timers.kat-glauca-dns = {
timerConfig = {
Unit = "kat-glauca-dns.service";
OnBootSec = "5m";
OnUnitActiveSec = "30m";
};
wantedBy = [ "default.target" ];
};
# graphics tablet
services.xserver.wacom.enable = true;
environment.systemPackages = [ pkgs.screenstub pkgs.razergenie ];
# other stuffs
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.supportedFilesystems = [ "zfs" "xfs" ];
networking.hostName = "samhain";
networking.hostId = "617050fc";
networking.useDHCP = false;
networking.useNetworkd = true;
networking.firewall.allowPing = true;
systemd.network = {
networks.enp34s0 = {
matchConfig.Name = "enp34s0";
bridge = singleton "br";
};
networks.br = {
matchConfig.Name = "br";
address = [ "192.168.1.135/24" ];
gateway = [ "192.168.1.254" ];
};
netdevs.br = {
netdevConfig = {
Name = "br";
Kind = "bridge";
MACAddress = "00:d8:61:c7:f4:9d";
};
};
};
services.avahi.enable = true;
network.yggdrasil = {
enable = true;
pubkey = "a7110d0a1dc9ec963d6eb37bb6922838b8088b53932eae727a9136482ce45d47";
# if server, enable this and set endpoint:
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};
system.stateVersion = "20.09";
}

51
config/hosts/samhain/nixos/hw.nix
View file

@ -1,51 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" "nct6775" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "rpool/safe/root";
fsType = "zfs";
};
fileSystems."/nix" = {
device = "rpool/local/nix";
fsType = "zfs";
};
fileSystems."/home" = {
device = "rpool/safe/home";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/AED6-D0D1";
fsType = "vfat";
};
fileSystems."/mnt/zraw" = {
device = "zstore/raw";
fsType = "zfs";
};
fileSystems."/mnt/zcomp" = {
device = "zstore/compress";
fsType = "zfs";
};
fileSystems."/mnt/zenc" = {
device = "zstore/protect";
fsType = "zfs";
};
swapDevices = [
{ device = "/dev/disk/by-uuid/89831a0f-93e6-4d30-85e4-09061259f140"; }
{ device = "/dev/disk/by-uuid/8f944315-fe1c-4095-90ce-50af03dd5e3f"; }
];
}

49
config/hosts/samhain/nixos/virtualhosts.nix
View file

@ -6,55 +6,6 @@ with lib;
kw.fw.private.tcp.ports = singleton 1935;
kw.fw.public.tcp.ports = singleton 1935;
services.nginx.virtualHosts = {
"samhain.net.kittywit.ch" = {
useACMEHost = "samhain.net.kittywit.ch";
forceSSL = true;
locations = {
"/jellyfin/".proxyPass = "http://127.0.0.1:8096/jellyfin/";
"/jellyfin/socket" = {
proxyPass = "http://127.0.0.1:8096/jellyfin/";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
"/tvheadend/".proxyPass = "http://192.168.1.245:9981";
"/" = {
root = "/mnt/zraw/media/";
extraConfig = "autoindex on;";
};
"/transmission" = {
proxyPass = "http://[::1]:9091";
extraConfig = "proxy_pass_header X-Transmission-Session-Id;";
};
};
};
"192.168.1.135" = {
locations = {
"/jellyfin/".proxyPass = "http://127.0.0.1:8096/jellyfin/";
"/jellyfin/socket" = {
proxyPass = "http://127.0.0.1:8096/jellyfin/";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
"/share/" = {
alias = "/mnt/zraw/media/";
extraConfig = "autoindex on;";
};
};
};
"100.103.111.44" = {
locations."/share/" = {
alias = "/mnt/zraw/media/";
extraConfig = "autoindex on;";
};
};
};
services.nginx.appendConfig = ''
rtmp {
server {

0
config/hosts/mabon/home/default.nix → config/hosts/to-do/mabon/home/default.nix
View file

0
config/hosts/mabon/meta.nix → config/hosts/to-do/mabon/meta.nix
View file

0
config/hosts/mabon/nixos/default.nix → config/hosts/to-do/mabon/nixos/default.nix
View file

0
config/hosts/mabon/nixos/hw.nix → config/hosts/to-do/mabon/nixos/hw.nix
View file

0
config/hosts/ostara/home/default.nix → config/hosts/to-do/ostara/home/default.nix
View file

0
config/hosts/ostara/meta.nix → config/hosts/to-do/ostara/meta.nix
View file

0
config/hosts/ostara/nixos/default.nix → config/hosts/to-do/ostara/nixos/default.nix
View file

0
config/hosts/ostara/nixos/hw.nix → config/hosts/to-do/ostara/nixos/hw.nix
View file

1
config/hosts/yule/home.nix Normal file
View file

@ -0,0 +1 @@
{ ... }: { imports = [ ./home/sway.nix ./home/base16.nix ]; }

1
config/hosts/yule/home/default.nix
View file

@ -1 +0,0 @@
{ ... }: { imports = [ ./sway ./base16.nix ]; }

8
config/hosts/yule/home/sway/default.nix → config/hosts/yule/home/sway.nix
View file

@ -1,13 +1,13 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with lib;
{
imports = [ ./swayidle.nix ];
wayland.windowManager.sway.config =
let
lockCommand = "swaylock -i eDP-1:${
../../../../users/kat/sway/wallpapers/main.png
} -s fill";
lockCommand = "swaylock -i eDP-1:${builtins.elemAt config.kw.wallpapers 0} -s fill";
cfg = config.wayland.windowManager.sway.config;
in
{

6
config/hosts/yule/home/sway/swayidle.nix → config/hosts/yule/home/swayidle.nix
View file

@ -1,5 +1,7 @@
{ config, pkgs, lib, ... }:
with lib;
{
systemd.user.services.swayidle = {
Unit = {
@ -11,10 +13,10 @@
Type = "simple";
ExecStart = ''
${pkgs.swayidle}/bin/swayidle -w \
timeout 300 '${pkgs.swaylock}/bin/swaylock -f -i eDP-1:${../../../../users/kat/sway/wallpapers/main.png} \
timeout 300 '${pkgs.swaylock}/bin/swaylock -f -i eDP-1:${builtins.elemAt config.kw.wallpapers 0} \
timeout 600 'swaymsg "output * dpms off"' \
resume 'swaymsg "output * dpms on"' \
before-sleep '${pkgs.swaylock}/bin/swaylock -f -i eDP-1:${../../../../users/kat/sway/wallpapers/main.png}'
before-sleep '${pkgs.swaylock}/bin/swaylock -f -i eDP-1:${builtins.elemAt config.kw.wallpapers 0}'
'';
RestartSec = 3;
Restart = "always";

91
config/hosts/yule/nixos.nix Normal file
View file

@ -0,0 +1,91 @@
{ config, users, pkgs, lib, profiles, ... }:
with lib;
{
# Imports
imports = [
profiles.hardware.v330-14arr
profiles.gui
profiles.laptop
users.kat.guiFull
../../services/zfs.nix
../../services/restic.nix
../../services/node-exporter.nix
../../services/promtail.nix
../../services/netdata.nix
../../services/nginx.nix
];
home-manager.users.kat = {
imports = [
./home.nix
];
};
# File Systems and Swap
boot.supportedFilesystems = singleton "zfs";
fileSystems = {
"/" = {
device = "rpool/safe/root";
fsType = "zfs";
};
"/home" = {
device = "rpool/safe/home";
fsType = "zfs";
};
"/nix" = {
device = "rpool/local/nix";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/2552-18F2";
fsType = "vfat";
};
};
swapDevices = [{ device = "/dev/disk/by-uuid/87ff4f68-cc00-494e-8eba-050469c3bf03"; }];
# Bootloader
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
# Networking
networking = {
hostId = "dddbb888";
hostName = "yule";
useDHCP = false;
wireless.interfaces = singleton "wlp2s0";
interfaces = {
enp1s0.useDHCP = true;
wlp2s0.useDHCP = true;
};
};
# Firewall
kw.fw.private.interfaces = singleton "yggdrasil";
kw.fw.public.interfaces = [ "enp1s0" "wlp2s0" ];
# Yggdrasil
network.yggdrasil = {
enable = true;
pubkey = "9779fd6b5bdba6b9e0f53c96e141f4b11ce5ef749d1b9e77a759a3fdbd33a653";
# if server, enable this and set endpoint:
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};
# State
system.stateVersion = "20.09";
}

52
config/hosts/yule/nixos/default.nix
View file

@ -1,52 +0,0 @@
{ config, users, pkgs, lib, profiles, ... }:
with lib;
{
imports = [
./hw.nix
../../../services/zfs.nix
../../../services/restic.nix
../../../services/node-exporter.nix
../../../services/promtail.nix
../../../services/netdata.nix
../../../services/nginx.nix
profiles.gui
profiles.sway
profiles.laptop
users.kat.guiFull
];
home-manager.users.kat = {
imports = [
../home
];
};
networking.wireless.interfaces = [ "wlp2s0" ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.supportedFilesystems = [ "zfs" ];
kw.fw.private.interfaces = singleton "yggdrasil";
kw.fw.public.interfaces = [ "enp1s0" "wlp2s0" ];
networking.hostId = "dddbb888";
networking.hostName = "yule";
networking.useDHCP = false;
networking.interfaces.enp1s0.useDHCP = true;
networking.interfaces.wlp2s0.useDHCP = true;
network.yggdrasil = {
enable = true;
pubkey = "9779fd6b5bdba6b9e0f53c96e141f4b11ce5ef749d1b9e77a759a3fdbd33a653";
# if server, enable this and set endpoint:
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};
system.stateVersion = "20.09";
}

35
config/hosts/yule/nixos/hw.nix
View file

@ -1,35 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "rpool/safe/root";
fsType = "zfs";
};
fileSystems."/home" = {
device = "rpool/safe/home";
fsType = "zfs";
};
fileSystems."/nix" = {
device = "rpool/local/nix";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2552-18F2";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/87ff4f68-cc00-494e-8eba-050469c3bf03"; }];
}

4
config/modules/home/default.nix
View file

@ -4,7 +4,9 @@
disabledModules = [ "programs/vim.nix" ];
imports = with (import (sources.nixexprs + "/modules")).home-manager; [ base16 syncplay konawall i3gopher weechat shell ] ++ [
./vim.nix
./deploy-tf.nix
./fvwm.nix
./deploy.nix
./theme.nix
(sources.tf-nix + "/modules/home/secrets.nix")
];
}

5
config/modules/home/deploy-tf.nix → config/modules/home/deploy.nix
View file

@ -1,5 +1,10 @@
{ config, lib, ... }:
/*
This module:
* Provides in-scope TF config for home-manager.
*/
with lib;
let

9
config/modules/home/fvwm.nix Normal file
View file

@ -0,0 +1,9 @@
{ config, lib, ... }:
with lib;
{
options.programs.fvwm = {
enable = mkEnableOption "Enable FVWM";
};
}

31
config/modules/home/theme.nix Normal file
View file

@ -0,0 +1,31 @@
{ config, lib, ... }:
/*
This module:
* provides a central way to change the font my system uses.
*/
with lib;
let cfg = config.kw; in {
options.kw = {
wallpapers = mkOption {
type = types.listOf types.path;
};
font = {
name = mkOption {
type = types.str;
default = "Cozette";
};
size = mkOption {
type = types.float;
default = 9.0;
};
size_css = mkOption {
type = types.str;
default = "${toString (cfg.font.size + 3)}px";
};
};
};
}

7
config/modules/home/vim.nix
View file

@ -1,5 +1,12 @@
{ config, lib, pkgs, ... }:
/*
This module:
* is from an unmerged PR from home-manager.
See: https://github.com/nix-community/home-manager/pull/1745
*/
with lib;
let

14
config/modules/meta/deploy.nix
View file

@ -1,4 +1,16 @@
{ sources, config, pkgs, lib, ... }: with lib; let
{ sources, config, pkgs, lib, ... }:
/*
This module:
* makes tf-nix a part of the meta config
* handles the trusted import for tf-nix
* provides the target interface
* imports the per-host TF config for each target
*/
with lib;
let
cfg = config.deploy;
meta = config;
tfModule = { lib, ... }: with lib; {

12
config/modules/meta/network.nix
View file

@ -1,4 +1,13 @@
{ pkgs, sources, users, profiles, lib, config, ... }: with lib;
{ pkgs, sources, users, profiles, hardware, lib, config, ... }:
/*
This module:
* Makes hosts nixosModules.
* Manages module imports and specialArgs.
* Builds network.nodes.
*/
with lib;
{
options.network = {
@ -22,7 +31,6 @@
nixpkgs = {
system = mkDefault pkgs.system;
pkgs = mkDefault pkgs;
#inherit (pkgs) config;
};
};
};

12
config/modules/nixos/default.nix
View file

@ -3,18 +3,22 @@
{
imports = with (import (sources.nixexprs + "/modules")).nixos; [ base16 base16-shared ] ++ [
./nftables.nix
./fw-abstraction.nix
./deploy-tf.nix
./firewall.nix
./deploy.nix
./dns.nix
./dyndns.nix
./yggdrasil.nix
(sources.tf-nix + "/modules/nixos/secrets.nix")
(sources.tf-nix + "/modules/nixos/secrets-users.nix")
(sources.hexchen + "/modules/network/yggdrasil")
];
# stubs for hexchens modules, until more generalized
options.hexchen.dns = lib.mkOption { };
options.hexchen.deploy = lib.mkOption { };
# shim
/*
This maps hosts to network.nodes from the meta config. This is required for hexchen's yggdrasil network module.
*/
config = {
_module.args.hosts = lib.mapAttrs (_: config: { inherit config; } ) meta.network.nodes;
};

24
config/modules/nixos/deploy-tf.nix → config/modules/nixos/deploy.nix
View file

@ -1,5 +1,14 @@
{ tf, target, name, meta, config, lib, ... }:
/*
This module:
* aliases <hostname>.system.build.toplevel to <hostname>.deploy.system for ease of use.
* marries meta config to NixOS configs for each host.
* provides in-scope TF config in NixOS and home-manager, instead of only as a part of meta config.
*/
with lib;
let
cfg = config.deploy;
unmergedValues = types.mkOptionType {
@ -65,26 +74,11 @@ in
triggers.secrets.${config.networking.hostName} =
tf.resources.${config.networking.hostName}.refAttr "id";
};
dns.records."kittywitch_net_${config.networking.hostName}" =
mkIf (config.network.yggdrasil.enable) {
tld = "kittywit.ch.";
domain = "${config.networking.hostName}.net";
aaaa.address = config.network.yggdrasil.address;
};
} ++ mapAttrsToList
(_: user:
mapAttrs (_: mkMerge) user.deploy.tf.out.set)
config.home-manager.users);
security.acme.certs."${config.networking.hostName}.net.kittywit.ch" =
mkIf (config.services.nginx.enable && config.network.yggdrasil.enable) {
domain = "${config.networking.hostName}.net.kittywit.ch";
dnsProvider = "rfc2136";
credentialsFile = config.secrets.files.dns_creds.path;
group = "nginx";
};
_module.args.target = mapNullable (targetName: meta.deploy.targets.${targetName}) cfg.targetName;
_module.args.tf = mapNullable (target: target.tf) target;
};

49
config/modules/nixos/dns.nix Normal file
View file

@ -0,0 +1,49 @@
{ config, lib, tf, ... }:
/*
This module:
* Provides options for setting the domain/tld/... used by default in my service configs.
*/
with lib;
{
options.kw.dns = {
email = mkOption {
type = types.nullOr types.str;
default = "";
};
tld = mkOption {
type = types.nullOr types.str;
default = "";
};
domain = mkOption {
type = types.nullOr types.str;
default = "";
};
ygg_prefix = mkOption {
type = types.nullOr types.str;
default = "";
};
ipv4 = mkOption {
type = types.str;
};
ipv6 = mkOption {
type = types.str;
};
};
config = {
# Set these.
kw.dns.email = "kat@kittywit.ch";
kw.dns.tld = "kittywit.ch.";
kw.dns.ygg_prefix = "net";
# This should be set in host config if it needs to be set for a host. Otherwise, they're retrieved from terraform.
kw.dns.ipv4 = mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv4_address"));
kw.dns.ipv6 = mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv6_address"));
# This is derived.
kw.dns.domain = builtins.substring 0 ((builtins.stringLength config.kw.dns.tld) - 1) config.kw.dns.tld;
};
}

63
config/modules/nixos/dyndns.nix Normal file
View file

@ -0,0 +1,63 @@
{ config, pkgs, lib, tf, ... }:
with lib;
{
options = {
kw.dns.dynamic = mkEnableOption "Enable Glauca Dynamic DNS Updater";
};
config = mkIf (config.kw.dns.dynamic) {
deploy.tf.variables.dyn_username = {
type = "string";
value.shellCommand = "bitw get infra/hexdns-dynamic -f username";
};
deploy.tf.variables.dyn_password = {
type = "string";
value.shellCommand = "bitw get infra/hexdns-dynamic -f password";
};
deploy.tf.variables.dyn_hostname = {
type = "string";
value.shellCommand = "bitw get infra/hexdns-dynamic -f hostname";
};
secrets.files.kat-glauca-dns = {
text = ''
user="${tf.variables.dyn_username.ref}"
pass="${tf.variables.dyn_password.ref}"
hostname="${tf.variables.dyn_hostname.ref}"
'';
};
systemd.services.kat-glauca-dns =
let updater = pkgs.writeShellScriptBin "glauca-dyndns" ''
#!/usr/bin/env bash
set -eu
ip4=$(${pkgs.curl}/bin/curl -s --ipv4 https://dns.glauca.digital/checkip)
ip6=$(${pkgs.curl}/bin/curl -s --ipv6 https://dns.glauca.digital/checkip)
source $passFile
echo "$ip4, $ip6"
${pkgs.curl}/bin/curl -u ''${user}:''${pass} --data-urlencode "hostname=''${hostname}" --data-urlencode "myip=''${ip4}" "https://dns.glauca.digital/nic/update"
echo ""
${pkgs.curl}/bin/curl -u ''${user}:''${pass} --data-urlencode "hostname=''${hostname}" --data-urlencode "myip=''${ip6}" "https://dns.glauca.digital/nic/update"
''; in {
serviceConfig = {
ExecStart = "${updater}/bin/glauca-dyndns";
};
environment = { passFile = config.secrets.files.kat-glauca-dns.path; };
wantedBy = [ "default.target" ];
};
systemd.timers.kat-glauca-dns = {
timerConfig = {
Unit = "kat-glauca-dns.service";
OnBootSec = "5m";
OnUnitActiveSec = "1h";
};
wantedBy = [ "default.target" ];
};
};
}

0
config/modules/nixos/fw-abstraction.nix → config/modules/nixos/firewall.nix
View file

27
config/modules/nixos/yggdrasil.nix Normal file
View file

@ -0,0 +1,27 @@
{ config, lib, ... }:
/*
This module:
* Provides AAAA records on a per-host basis for each yggdrasil enabled host.
* Provides certificates for those hosts if they run NGINX.
*/
with lib;
{
config = {
deploy.tf.dns.records."ygg_${config.networking.hostName}" =
mkIf (config.network.yggdrasil.enable) {
tld = config.kw.dns.tld;
domain = "${config.networking.hostName}.${config.kw.dns.ygg_prefix}";
aaaa.address = config.network.yggdrasil.address;
};
security.acme.certs."${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}" =
mkIf (config.services.nginx.enable && config.network.yggdrasil.enable) {
domain = "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}";
dnsProvider = "rfc2136";
credentialsFile = config.secrets.files.dns_creds.path;
group = "nginx";
};
};
}

52
config/nixos.nix
View file

@ -1,52 +0,0 @@
{ pkgs, config, lib, tf, sources, options, profiles, ... }:
{
imports = [
profiles/common
];
options = {
deploy.profile.gui = lib.mkEnableOption "graphical system";
deploy.profile.fvwm = lib.mkEnableOption "fvwm";
deploy.profile.sway = lib.mkEnableOption "sway wm";
deploy.profile.laptop = lib.mkEnableOption "lappytop";
home-manager.users = lib.mkOption {
type = lib.types.attrsOf (lib.types.submoduleWith {
modules = [ ./modules/home ];
specialArgs = {
inherit sources tf;
superConfig = config;
modulesPath = sources.home-manager + "/modules";
};
});
};
};
config = {
home-manager = {
useUserPackages = true;
useGlobalPkgs = true;
users = {
kat = {
imports = lib.optional (builtins.pathExists ./trusted/users/kat) (import ./trusted/users/kat);
options = {
deploy.profile.gui = lib.mkEnableOption "graphical system";
deploy.profile.sway = lib.mkEnableOption "sway wm";
deploy.profile.laptop = lib.mkEnableOption "lappytop";
};
};
kairi = {
imports = lib.optional (builtins.pathExists ./trusted/users/kairi) (import ./trusted/users/kairi);
options = {
deploy.profile.gui = lib.mkEnableOption "graphical system";
deploy.profile.fvwm = lib.mkEnableOption "fvwm";
deploy.profile.laptop = lib.mkEnableOption "lappytop";
};
};
};
};
};
}

2
config/profiles/common/access.nix → config/profiles/base/access.nix
View file

@ -4,6 +4,8 @@
security.sudo.wheelNeedsPassword = lib.mkForce false;
users.users.root = {
hashedPassword =
"$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB.";
openssh.authorizedKeys.keys = with pkgs.lib;
concatLists (mapAttrsToList
(name: user:

0
config/profiles/common/base16.nix → config/profiles/base/base16.nix
View file

4
config/profiles/common/default.nix → config/profiles/base/default.nix
View file

@ -3,10 +3,12 @@
{
imports = [
users.kat.base
users.kairi.base
# users.kairi.base TODO
users.arc
users.hexchen
./system.nix
./home.nix
./profiles.nix
./base16.nix
./net.nix
./access.nix

23
config/profiles/base/home.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, lib, sources, tf, ... }:
with lib;
{
options.home-manager.users = mkOption {
type = types.attrsOf (types.submoduleWith {
modules = [ ../../modules/home ];
specialArgs = {
inherit sources tf;
superConfig = config;
modulesPath = sources.home-manager + "/modules";
};
});
};
config = {
home-manager = {
useUserPackages = true;
useGlobalPkgs = true;
};
};
}

0
config/profiles/common/locale.nix → config/profiles/base/locale.nix
View file

0
config/profiles/common/net.nix → config/profiles/base/net.nix
View file

3
config/profiles/common/nix.nix → config/profiles/base/nix.nix
View file

@ -11,6 +11,9 @@
"arc=${sources.nixexprs}"
"ci=${sources.ci}"
];
sandboxPaths = [
"/var/run/nscd/socket"
];
binaryCaches = [ "https://arc.cachix.org" "https://kittywitch.cachix.org" ];
binaryCachePublicKeys =
[ "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=" "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0=" ];

0
config/profiles/common/packages.nix → config/profiles/base/packages.nix
View file

49
config/profiles/base/profiles.nix Normal file
View file

@ -0,0 +1,49 @@
{ config, lib, ... }:
with lib;
{
options = {
deploy.profile = {
gui = mkEnableOption "Graphical System";
laptop = mkEnableOption "Laptop (Implies WiFi)";
vfio = mkEnableOption "VFIO";
trusted = mkEnableOption "Trusted Submodule";
hardware = {
amdgpu = mkEnableOption "AMD GPU";
hcloud-imperative = mkEnableOption "Imperative Hetzner Cloud Setup";
intel = mkEnableOption "Intel CPU";
ms-7b86 = mkEnableOption "MSI B450-A Pro Max";
rm-310 = mkEnableOption "Intel DQ67OW";
ryzen = mkEnableOption "AMD Ryzen CPU";
v330-14arr = mkEnableOption "Lenovo Ideapad v330-14ARR";
};
};
home-manager.users = mkOption {
type = types.attrsOf (types.submoduleWith {
modules = [
({ superConfig, ... }: {
options.deploy.profile = {
gui = mkEnableOption "Graphical System";
laptop = mkEnableOption "Laptop (Implies WiFi)";
vfio = mkEnableOption "VFIO";
trusted = mkEnableOption "Trusted Submodule";
hardware = {
amdgpu = mkEnableOption "AMD GPU";
hcloud-imperative = mkEnableOption "Imperative Hetzner Cloud Setup";
intel = mkEnableOption "Intel CPU";
ms-7b86 = mkEnableOption "MSI B450-A Pro Max";
rm-310 = mkEnableOption "Intel DQ67OW";
ryzen = mkEnableOption "AMD Ryzen CPU";
v330-14arr = mkEnableOption "Lenovo Ideapad v330-14ARR";
};
};
config = {
deploy.profile = superConfig.deploy.profile;
};
})
];
});
};
};
}

0
config/profiles/common/secrets.nix → config/profiles/base/secrets.nix
View file

3
config/profiles/common/ssh.nix → config/profiles/base/ssh.nix
View file

@ -10,6 +10,9 @@
to = 61000;
}];
kw.fw.public.tcp.ports = [ 62954 ];
kw.fw.private.tcp.ports = [ 62954 ];
services.openssh = {
enable = true;
ports = lib.mkDefault [ 62954 ];

16
config/profiles/base/system.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
hardware.enableRedistributableFirmware = lib.mkDefault true;
boot.tmpOnTmpfs = true;
boot.zfs.enableUnstable = true;
boot.kernel.sysctl = {
"net.core.rmem_max" = "16777216";
"net.core.wmem_max" ="16777216";
"net.ipv4.tcp_rmem" = "4096 87380 16777216";
"net.ipv4.tcp_wmem" = "4096 65536 16777216";
};
services.journald.extraConfig = "SystemMaxUse=512M";
users.mutableUsers = false;
}

9
config/profiles/common/system.nix
View file

@ -1,9 +0,0 @@
{ config, lib, pkgs, ... }:
{
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
boot.tmpOnTmpfs = true;
boot.zfs.enableUnstable = true;
services.journald.extraConfig = "SystemMaxUse=512M";
users.mutableUsers = false;
}

7
config/profiles/fvwm/default.nix
View file

@ -1,7 +0,0 @@
{ config, pkgs, ... }:
{
imports = [ ./fvwm.nix ];
deploy.profile.fvwm = true;
}

10
config/profiles/fvwm/fvwm.nix
View file

@ -1,10 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.xserver.enable = true;
services.xserver.displayManager.startx.enable = true;
services.xserver.windowManager.fvwm = {
enable = true;
gestures = true;
};
}

7
config/profiles/gui/default.nix
View file

@ -4,8 +4,11 @@
imports = [
./adb.nix
./fonts.nix
./sway.nix
./fvwm.nix
./filesystems.nix
./gpg.nix
./firefox.nix
./xdg-portals.nix
./dns.nix
./nfs.nix
./nix-doc.nix
@ -15,9 +18,7 @@
./sound.nix
];
hardware.opengl.extraPackages = with pkgs; [ libvdpau-va-gl vaapiVdpau ];
services.tumbler.enable = true;
environment.systemPackages = with pkgs; [ ntfs3g exfat-utils ];
deploy.profile.gui = true;
}

5
config/profiles/gui/filesystems.nix Normal file
View file

@ -0,0 +1,5 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [ ntfs3g exfat-utils ];
}

14
config/profiles/gui/fvwm.nix Normal file
View file

@ -0,0 +1,14 @@
{ config, lib, ... }:
with lib;
{
config = mkIf (any (user: user.programs.fvwm.enable) (attrValues config.home-manager.users)) {
services.xserver.enable = true;
services.xserver.displayManager.startx.enable = true;
services.xserver.windowManager.fvwm = {
enable = true;
gestures = true;
};
};
}

12
config/profiles/gui/nfs.nix
View file

@ -1,14 +1,15 @@
{ config, ... }:
{ config, lib, ... }:
{
boot.supportedFilesystems = [ "nfs" ];
fileSystems."/mnt/kat-nas" = {
device = "samhain.net.kittywit.ch:/mnt/zraw/media";
fileSystems."/mnt/kat-nas" = lib.mkIf (config.networking.hostName != "beltane") {
device = "192.168.1.223:/mnt/zraw/media";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" ];
options = [ "x-systemd.automount" "noauto" "nfsvers=4" "soft" "retrans=2" "timeo=60"];
};
/*
fileSystems."/mnt/hex-corn" = {
device = "storah.net.lilwit.ch:/data/cornbox";
fsType = "nfs";
@ -19,7 +20,8 @@
device = "storah.net.lilwit.ch:/data/torrents";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" ];
};
};
*/
systemd.services.nfs-mountd = {
wants = [ "network-online.target" "yggdrassil.service" ];

10
config/profiles/gui/sway.nix Normal file
View file

@ -0,0 +1,10 @@
{ config, pkgs, lib, ... }:
with lib;
{
programs.sway = {
enable = any (user: user.wayland.windowManager.sway.enable) (attrValues config.home-manager.users);
extraPackages = with pkgs; mkForce [ xwayland swaylock swayidle ];
};
}

2
config/profiles/gui/firefox.nix → config/profiles/gui/xdg-portals.nix
View file

@ -1,8 +1,6 @@
{ config, pkgs, ... }:
{
environment.variables = { BROWSER = "firefox"; };
xdg = {
portal = {
enable = true;

8
config/profiles/hardware/amdgpu/default.nix Normal file
View file

@ -0,0 +1,8 @@
{ config, pkgs, ... }:
{
deploy.profile.hardware.amdgpu = true;
boot.initrd.availableKernelModules = [ "amdgpu" ];
hardware.opengl.extraPackages = with pkgs; [ libvdpau-va-gl vaapiVdpau ];
}

30
config/profiles/hardware/default.nix Normal file
View file

@ -0,0 +1,30 @@
rec {
ms-7b86-base = ./ms-7b86;
v330-14arr-base = ./v330-14arr;
rm-310-base = ./rm-310;
hcloud-imperative = ./hcloud-imperative;
ryzen = ./ryzen;
intel = ./intel;
amdgpu = ./amdgpu;
ms-7b86 = {
imports = [
ms-7b86-base
ryzen
amdgpu
];
};
v330-14arr = {
imports = [
v330-14arr-base
ryzen
amdgpu
];
};
rm-310 = {
imports = [
rm-310-base
intel
];
};
}

14
config/profiles/hardware/hcloud-imperative/default.nix Normal file
View file

@ -0,0 +1,14 @@
{ config, lib, sources, ... }:
/*
This hardware profile corresponds with the imperatively provisioned hetzner cloud box.
*/
with lib;
{
deploy.profile.hardware.hcloud-imperative = true;
imports = [ (sources.nixpkgs + "/nixos/modules/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
}

13
config/profiles/hardware/intel/default.nix Normal file
View file

@ -0,0 +1,13 @@
{ config, ... }:
/*
This hardware profile corresponds to any machine which has an Intel processor.
*/
{
deploy.profile.hardware.intel = true;
boot = {
kernelModules = [ "kvm-intel" ];
};
}

33
config/profiles/hardware/ms-7b86/default.nix Normal file
View file

@ -0,0 +1,33 @@
{ config, lib, ... }:
/*
This hardware profile corresponds to the MSI B450-A PRO MAX system.
*/
with lib;
{
deploy.profile.hardware.ms-7b86 = true;
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.kernelModules = [ "nct6775" ];
systemd.network = {
networks.enp34s0 = {
matchConfig.Name = "enp34s0";
bridge = singleton "br";
};
networks.br = {
matchConfig.Name = "br";
address = [ "192.168.1.135/24" ];
gateway = [ "192.168.1.254" ];
};
netdevs.br = {
netdevConfig = {
Name = "br";
Kind = "bridge";
MACAddress = "00:d8:61:c7:f4:9d";
};
};
};
}

14
config/profiles/hardware/rm-310/default.nix Normal file
View file

@ -0,0 +1,14 @@
{ config, ... }:
/*
This hardware profile corresponds with the RM DESKTOP 310 system, which is actually just an Intel DQ67OW motherboard.
*/
{
deploy.profile.hardware.rm-310 = true;
boot.initrd.availableKernelModules = [ "ata_generic" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
}

26
config/profiles/hardware/ryzen/default.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, pkgs, ... }:
/*
This hardware profile corresponds to any machine which has an AMD Ryzen processor.
*/
{
deploy.profile.hardware.ryzen = true;
boot = {
kernelModules = [
"msr"
"ryzen_smu"
"kvm-amd"
];
kernelParams = [ "amd_iommu=on" ];
};
hardware.cpu.amd.updateMicrocode = true;
environment.systemPackages = with pkgs; [
lm_sensors
ryzen-smu-monitor_cpu
ryzen-monitor
];
}

15
config/profiles/hardware/v330-14arr/default.nix Normal file
View file

@ -0,0 +1,15 @@
{ config, ... }:
/*
This hardware profile corresponds to the Lenovo IdeaPad v330-14ARR.
*/
{
deploy.profile.hardware.v330-14arr = true;
boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
}

7
config/profiles/sway/default.nix
View file

@ -1,7 +0,0 @@
{ config, pkgs, ... }:
{
imports = [ ./sway.nix ];
deploy.profile.sway = true;
}

8
config/profiles/sway/sway.nix
View file

@ -1,8 +0,0 @@
{ config, pkgs, lib, ... }:
{
programs.sway = {
enable = true;
extraPackages = with pkgs; lib.mkForce [ xwayland swaylock swayidle ];
};
}

9
config/profiles/vfio/default.nix Normal file
View file

@ -0,0 +1,9 @@
{ config, pkgs, ... }:
{
deploy.profile.vfio = true;
environment.systemPackages = with pkgs; [
screenstub
];
}

34
config/services/gitea/default.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, pkgs, tf, ... }:
{
services.postgresql = {
@ -10,11 +10,24 @@
}];
};
deploy.tf.variables.gitea_mail = {
type = "string";
value.shellCommand = "bitw get infra/gitea-mail -f password";
};
secrets.files.gitea_mail = {
text = ''
${tf.variables.gitea_mail.ref};
'';
owner = "gitea";
group = "gitea";
};
services.gitea = {
enable = true;
disableRegistration = true;
domain = "git.kittywit.ch";
rootUrl = "https://git.kittywit.ch";
domain = "git.${config.kw.dns.domain}";
rootUrl = "https://git.${config.kw.dns.domain}";
httpAddress = "127.0.0.1";
appName = "kittywitch git";
ssh = { clonePort = 62954; };
@ -24,13 +37,16 @@
user = "gitea";
};
settings = {
mailerPasswordFile = config.secrets.files.gitea_mail.path;
security = { DISABLE_GIT_HOOKS = false; };
api = { ENABLE_SWAGGER = true; };
mailer = {
ENABLED = true;
MAILER_TYPE = "sendmail";
FROM = "gitea@kittywit.ch";
SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
SUBJECT = "%(APP_NAME)s";
HOST = "kittywit.ch:465";
SEND_AS_PLAIN_TEXT = true;
USE_SENDMAIL = false;
FROM = "\"kittywitch git\" <gitea@${config.kw.dns.domain}>";
};
ui = {
THEMES = "gitea,arc-green";
@ -45,15 +61,15 @@
${pkgs.coreutils}/bin/ln -sfT ${./templates} /var/lib/gitea/custom/templates
'';
services.nginx.virtualHosts."git.kittywit.ch" = {
services.nginx.virtualHosts."git.${config.kw.dns.domain}" = {
enableACME = true;
forceSSL = true;
locations = { "/".proxyPass = "http://127.0.0.1:3000"; };
};
deploy.tf.dns.records.kittywitch_git = {
tld = "kittywit.ch.";
tld = config.kw.dns.tld;
domain = "git";
cname.target = "athame.kittywit.ch.";
cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
};
}

10
config/services/grafana.nix
View file

@ -12,8 +12,8 @@
services.grafana = {
enable = true;
port = 3001;
domain = "graph.kittywit.ch";
rootUrl = "https://graph.kittywit.ch/";
domain = "graph.${config.kw.dns.domain}";
rootUrl = "https://graph.${config.kw.dns.domain}/";
database = {
type = "postgres";
host = "/run/postgresql/";
@ -22,15 +22,15 @@
};
};
services.nginx.virtualHosts."graph.kittywit.ch" = {
services.nginx.virtualHosts."graph.${config.kw.dns.domain}" = {
enableACME = true;
forceSSL = true;
locations = { "/".proxyPass = "http://127.0.0.1:3001"; };
};
deploy.tf.dns.records.kittywitch_graph = {
tld = "kittywit.ch.";
tld = config.kw.dns.tld;
domain = "graph";
cname.target = "athame.kittywit.ch.";
cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
};
}

7
config/services/logrotate.nix
View file

@ -13,13 +13,6 @@ with lib;
frequency = "weekly";
keep = 2;
};
asterisk = mkIf config.systemd.services.asterisk.enable {
path = "/var/log/asterisk/messages";
user = "asterisk";
group = "asterisk";
frequency = "daily";
keep = 2;
};
};
};
}

67
config/services/mail.nix
View file

@ -5,86 +5,41 @@ with lib;
{
imports = [ sources.nixos-mailserver.outPath ];
services.fail2ban.jails = {
postfix = ''
enabled = true
filter = postfix
maxretry = 3
action = nftables-multiport[name=postfix, port=smtp, protocol=tcp]
'';
postfix-sasl = ''
enabled = true
filter = postfix-sasl
port = postfix,imap3,imaps,pop3,pop3s
maxretry = 3
action = nftables-multiport[name=postfix, port=smtp, protocol=tcp]
'';
postfix-ddos = ''
enabled = true
filter = postfix-ddos
maxretry = 3
action = nftables-multiport[name=postfix, port=submission, protocol=tcp]
bantime = 7200
'';
};
environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
enable = true;
text = ''
# Fail2Ban filter for postfix authentication failures
[INCLUDES]
before = common.conf
[Definition]
daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
'';
};
environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
enable = true;
text = ''
[Definition]
failregex = lost connection after EHLO from \S+\[<HOST>\]
'';
};
deploy.tf.variables.domainkey_kitty = {
type = "string";
value.shellCommand = "bitw get infra/domainkey-kitty";
};
deploy.tf.dns.records.kittywitch_mx = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_mail_mx = {
tld = config.kw.dns.tld;
domain = "@";
mx = {
priority = 10;
target = "athame.kittywit.ch.";
target = "${config.networking.hostName}.${config.kw.dns.tld}";
};
};
deploy.tf.dns.records.kittywitch_spf = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_mail_spf = {
tld = config.kw.dns.tld;
domain = "@";
txt.value = "v=spf1 ip4:168.119.126.111 ip6:${
(head config.networking.interfaces.enp1s0.ipv6.addresses).address
} -all";
txt.value = "v=spf1 ip4:${config.kw.dns.ipv4} ip6:${config.kw.dns.ipv6} -all";
};
deploy.tf.dns.records.kittywitch_dmarc = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_mail_dmarc = {
tld = config.kw.dns.tld;
domain = "_dmarc";
txt.value = "v=DMARC1; p=none";
};
deploy.tf.dns.records.kittywitch_domainkey = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_mail_domainkey = {
tld = config.kw.dns.tld;
domain = "mail._domainkey";
txt.value = tf.variables.domainkey_kitty.ref;
};
mailserver = {
enable = true;
fqdn = "athame.kittywit.ch";
fqdn = "${config.networking.hostName}.${config.kw.dns.domain}";
domains = [ "kittywit.ch" "dork.dev" ];
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.

16
config/services/matrix.nix
View file

@ -43,7 +43,7 @@ root:
disable_existing_loggers: False
'';
server_name = "kittywit.ch";
server_name = config.kw.dns.domain;
app_service_config_files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-synapse/discord-registration.yaml"
@ -78,7 +78,7 @@ disable_existing_loggers: False
settings = {
homeserver = {
address = "http://localhost:8008";
domain = "kittywit.ch";
domain = config.kw.dns.domain;
};
appservice = {
provisioning.enabled = false;
@ -86,14 +86,14 @@ disable_existing_loggers: False
public = {
enabled = false;
prefix = "/public";
external = "https://kittywit.ch/public";
external = "https://${config.kw.dns.domain}/public";
};
};
bridge = {
relaybot.authless_portals = false;
permissions = {
"@kat:kittywit.ch" = "admin";
"kittywit.ch" = "full";
"@kat:${config.kw.dns.domain}" = "admin";
"${config.kw.dns.domain}" = "full";
};
};
};
@ -143,7 +143,7 @@ disable_existing_loggers: False
after = [ "network.target" ];
};
services.nginx.virtualHosts."kittywit.ch" = {
services.nginx.virtualHosts."${config.kw.dns.domain}" = {
# allegedly fixes https://github.com/poljar/weechat-matrix/issues/240
extraConfig = ''
keepalive_requests 100000;
@ -152,7 +152,7 @@ disable_existing_loggers: False
locations = {
"/_matrix" = { proxyPass = "http://[::1]:8008"; };
"= /.well-known/matrix/server".extraConfig =
let server = { "m.server" = "kittywit.ch:443"; };
let server = { "m.server" = "${config.kw.dns.domain}:443"; };
in
''
add_header Content-Type application/json;
@ -161,7 +161,7 @@ disable_existing_loggers: False
"= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://kittywit.ch"; };
"m.homeserver" = { "base_url" = "https://${config.kw.dns.domain}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
in

28
config/services/murmur.nix
View file

@ -8,32 +8,32 @@ with lib;
services.murmur = {
enable = true;
hostName = "voice.kittywit.ch";
hostName = "voice.${config.kw.dns.domain}";
bandwidth = 130000;
welcometext = "mew!";
extraConfig = ''
sslCert=/var/lib/acme/voice.kittywit.ch/fullchain.pem
sslKey=/var/lib/acme/voice.kittywit.ch/key.pem
sslCert=/var/lib/acme/voice.${config.kw.dns.domain}/fullchain.pem
sslKey=/var/lib/acme/voice.${config.kw.dns.domain}/key.pem
'';
};
services.nginx.virtualHosts."voice.kittywit.ch" = {
services.nginx.virtualHosts."voice.${config.kw.dns.domain}" = {
enableACME = true;
forceSSL = true;
};
users.groups."voice-cert".members = [ "nginx" "murmur" ];
security.acme.certs = { "voice.kittywit.ch" = { group = "voice-cert"; }; };
security.acme.certs = { "voice.${config.kw.dns.domain}" = { group = "voice-cert"; }; };
deploy.tf.dns.records.kittywitch_voice = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_murmur = {
tld = config.kw.dns.tld;
domain = "voice";
cname.target = "athame.kittywit.ch.";
cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
};
deploy.tf.dns.records.kittywitch_voice_tcp = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_murmur_tcp_srv = {
tld = config.kw.dns.tld;
domain = "@";
srv = {
service = "mumble";
@ -41,12 +41,12 @@ with lib;
priority = 0;
weight = 5;
port = 64738;
target = "voice.kittywit.ch.";
target = "voice.${config.kw.dns.tld}";
};
};
deploy.tf.dns.records.kittywitch_voice_udp = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_murmur_udp_srv = {
tld = config.kw.dns.tld;
domain = "@";
srv = {
service = "mumble";
@ -54,7 +54,7 @@ with lib;
priority = 0;
weight = 5;
port = 64738;
target = "voice.kittywit.ch.";
target = "voice.${config.kw.dns.tld}";
};
};
}

4
config/services/netdata.nix
View file

@ -8,8 +8,8 @@
services.nginx = {
enable = true;
virtualHosts = {
"${config.networking.hostName}.net.kittywit.ch" = {
useACMEHost = "${config.networking.hostName}.net.kittywit.ch";
"${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}" = {
useACMEHost = "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}";
forceSSL = true;
locations = { "/netdata" = { proxyPass = "http://[::1]:19999/"; }; };
};

2
config/services/nginx.nix
View file

@ -37,7 +37,7 @@ with lib;
};
security.acme = {
email = "acme@kittywit.ch";
email = config.kw.dns.email;
acceptTerms = true;
};
}

8
config/services/prometheus.nix
View file

@ -17,12 +17,12 @@ in
scrapeConfigs = [
{
job_name = "boline";
static_configs = [{ targets = [ "boline.net.kittywit.ch:8002" ]; }];
static_configs = [{ targets = [ "boline.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}:8002" ]; }];
}
{
job_name = "samhain-vm";
metrics_path = "/metrics";
static_configs = [{ targets = [ "samhain.net.kittywit.ch:10445" ]; }];
static_configs = [{ targets = [ "samhain.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}:10445" ]; }];
}
] ++ mapAttrsToList
(hostName: prom: {
@ -30,13 +30,13 @@ in
metrics_path = "/api/v1/allmetrics";
honor_labels = true;
params = { format = [ "prometheus" ]; };
static_configs = [{ targets = [ "${hostName}.net.kittywit.ch:19999" ]; }];
static_configs = [{ targets = [ "${hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}:19999" ]; }];
})
nd_configs ++ mapAttrsToList
(hostName: prom: {
job_name = hostName;
static_configs = [{
targets = [ "${hostName}.net.kittywit.ch:${toString prom.port}" ];
targets = [ "${hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}:${toString prom.port}" ];
}];
})
prom_configs;

2
config/services/promtail.nix
View file

@ -5,7 +5,7 @@ with lib;
let
promtail_config = pkgs.writeText "prom-config.json" (builtins.toJSON {
clients =
[{ url = "http://athame.net.kittywit.ch:3100/loki/api/v1/push"; }];
[{ url = "http://${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}:3100/loki/api/v1/push"; }];
positions = { filename = "/tmp/positions.yaml"; };
scrape_configs = [{
job_name = "journal";

9
config/services/calendar.nix → config/services/radicale.nix
View file

@ -7,7 +7,6 @@ let
htpasswd = pkgs.writeText "radicale.users" (concatStrings
(flip mapAttrsToList mailAccounts
(mail: user: mail + ":" + user.hashedPassword + "\n")));
in
{
services.radicale = {
@ -22,7 +21,7 @@ in
};
services.nginx.virtualHosts = {
"cal.kittywit.ch" = {
"cal.${config.kw.dns.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
@ -36,9 +35,9 @@ in
};
};
deploy.tf.dns.records.kittywitch_cal = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_radicale = {
tld = config.kw.dns.tld;
domain = "cal";
cname.target = "athame.kittywit.ch.";
cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
};
}

24
config/services/syncplay.nix
View file

@ -6,19 +6,27 @@ with lib;
users.users.syncplay = { isSystemUser = true; };
users.groups."sync-cert".members = [ "nginx" "syncplay" ];
security.acme = { certs."sync.kittywit.ch" = { group = "sync-cert"; }; };
security.acme = {
certs."sync.${config.kw.dns.domain}" = {
group = "sync-cert";
postRun = ''
cp key.pem privkey.pem
chown acme:voice-cert privkey.pem
'';
};
};
kw.fw.public.tcp.ports = singleton 8999;
services.nginx.virtualHosts."sync.kittywit.ch" = {
services.nginx.virtualHosts."sync.${config.kw.dns.domain}" = {
enableACME = true;
forceSSL = true;
};
deploy.tf.dns.records.kittywitch_sync = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_syncplay = {
tld = config.kw.dns.tld;
domain = "sync";
cname.target = "athame.kittywit.ch.";
cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
};
deploy.tf.variables.syncplay_pass = {
@ -48,13 +56,9 @@ with lib;
serviceConfig = {
EnvironmentFile = config.secrets.files.syncplay-env.path;
ExecStart =
"${pkgs.syncplay}/bin/syncplay-server --port 8999 --tls /var/lib/acme/sync.kittywit.ch/ --disable-ready";
"${pkgs.syncplay}/bin/syncplay-server --port 8999 --tls /var/lib/acme/sync.${config.kw.dns.domain}/ --disable-ready";
User = "syncplay";
Group = "sync-cert";
};
};
security.acme.certs."sync.kittywit.ch".postRun = ''
cp key.pem privkey.pem
chown acme:voice-cert privkey.pem'';
}

10
config/services/vaultwarden.nix
View file

@ -19,12 +19,12 @@
rocketPort = 4000;
websocketEnabled = true;
signupsAllowed = false;
domain = "https://vault.kittywit.ch";
domain = "https://vault.${config.kw.dns.domain}";
databaseUrl = "postgresql://bitwarden_rs@/bitwarden_rs";
};
};
services.nginx.virtualHosts."vault.kittywit.ch" = {
services.nginx.virtualHosts."vault.${config.kw.dns.domain}" = {
enableACME = true;
forceSSL = true;
locations = {
@ -34,9 +34,9 @@
};
};
deploy.tf.dns.records.kittywitch_vault = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_vaultwarden = {
tld = config.kw.dns.tld;
domain = "vault";
cname.target = "athame.kittywit.ch.";
cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
};
}

8
config/services/weechat.nix
View file

@ -1,7 +1,7 @@
{ config, pkgs, ... }:
{
services.nginx.virtualHosts."irc.kittywit.ch" = {
services.nginx.virtualHosts."irc.${config.kw.dns.domain}" = {
enableACME = true;
forceSSL = true;
locations = {
@ -13,9 +13,9 @@
};
};
deploy.tf.dns.records.kittywitch_irc = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_weechat = {
tld = config.kw.dns.tld;
domain = "irc";
cname.target = "athame.kittywit.ch.";
cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
};
}

69
config/services/xmpp.nix
View file

@ -13,12 +13,11 @@ with lib;
}];
};
services.prosody = {
enable = true;
ssl.cert = "/var/lib/acme/prosody/fullchain.pem";
ssl.key = "/var/lib/acme/prosody/key.pem";
admins = [ "kat@kittywit.ch" ];
admins = singleton "kat@kittywit.ch";
package =
let
package = pkgs.prosody.override (old: {
@ -36,54 +35,53 @@ with lib;
}
'';
virtualHosts = {
"xmpp.kittywit.ch" = {
domain = "kittywit.ch";
"xmpp.${config.kw.dns.domain}" = {
domain = config.kw.dns.domain;
enabled = true;
ssl.cert = "/var/lib/acme/prosody/fullchain.pem";
ssl.key = "/var/lib/acme/prosody/key.pem";
};
};
muc = [{ domain = "conference.kittywit.ch"; }];
uploadHttp = { domain = "upload.kittywit.ch"; };
muc = [{ domain = "conference.${config.kw.dns.domain}"; }];
uploadHttp = { domain = "upload.${config.kw.dns.domain}"; };
};
security.acme.certs.prosody = {
domain = "xmpp.kittywit.ch";
domain = "xmpp.${config.kw.dns.domain}";
group = "prosody";
dnsProvider = "rfc2136";
credentialsFile = config.secrets.files.dns_creds.path;
postRun = "systemctl restart prosody";
extraDomainNames =
[ "kittywit.ch" "upload.kittywit.ch" "conference.kittywit.ch" ];
[ config.kw.dns.domain "upload.${config.kw.dns.domain}" "conference.${config.kw.dns.domain}" ];
};
deploy.tf.dns.records.kittywitch_xmpp = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_prosody_xmpp = {
tld = config.kw.dns.tld;
domain = "xmpp";
a.address = "168.119.126.111";
a.address = config.kw.dns.ipv4;
};
deploy.tf.dns.records.kittywitch_xmpp_v6 = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_prosody_xmpp_v6 = {
tld = config.kw.dns.tld;
domain = "xmpp";
aaaa.address =
(lib.head config.networking.interfaces.enp1s0.ipv6.addresses).address;
aaaa.address = config.kw.dns.ipv6;
};
deploy.tf.dns.records.kittywitch_upload = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_prosody_upload = {
tld = config.kw.dns.tld;
domain = "upload";
cname.target = "xmpp.kittywit.ch.";
cname.target = "xmpp.${config.kw.dns.tld}";
};
deploy.tf.dns.records.kittywitch_conference = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_prosody_conference = {
tld = config.kw.dns.tld;
domain = "conference";
cname.target = "xmpp.kittywit.ch.";
cname.target = "xmpp.${config.kw.dns.tld}";
};
deploy.tf.dns.records.kittywitch_xmpp_muc = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_prosody_muc = {
tld = config.kw.dns.tld;
domain = "conference";
srv = {
service = "xmpp-server";
@ -91,12 +89,12 @@ with lib;
priority = 0;
weight = 5;
port = 5269;
target = "xmpp.kittywit.ch.";
target = "xmpp.${config.kw.dns.tld}";
};
};
deploy.tf.dns.records.kittywitch_xmpp_client = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_prosody_client_srv = {
tld = config.kw.dns.tld;
domain = "@";
srv = {
service = "xmpp-client";
@ -104,12 +102,12 @@ with lib;
priority = 0;
weight = 5;
port = 5222;
target = "xmpp.kittywit.ch.";
target = "xmpp.${config.kw.dns.tld}";
};
};
deploy.tf.dns.records.kittywitch_xmpps_client = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_prosody_secure_client_srv = {
tld = config.kw.dns.tld;
domain = "@";
srv = {
service = "xmpps-client";
@ -117,12 +115,12 @@ with lib;
priority = 0;
weight = 5;
port = 5223;
target = "xmpp.kittywit.ch.";
target = "xmpp.${config.kw.dns.tld}";
};
};
deploy.tf.dns.records.kittywitch_xmpp_server = {
tld = "kittywit.ch.";
deploy.tf.dns.records.services_prosody_server_srv = {
tld = config.kw.dns.tld;
domain = "@";
srv = {
service = "xmpp-server";
@ -130,20 +128,21 @@ with lib;
priority = 0;
weight = 5;
port = 5269;
target = "xmpp.kittywit.ch.";
target = "xmpp.${config.kw.dns.tld}";
};
};
services.nginx.virtualHosts = {
"upload.kittywit.ch" = {
"upload.${config.kw.dns.domain}" = {
useACMEHost = "prosody";
forceSSL = true;
};
"conference.kittywit.ch" = {
"conference.${config.kw.dns.domain}" = {
useACMEHost = "prosody";
forceSSL = true;
};
};
users.users.nginx.extraGroups = [ "prosody" ];
}

Some files were not shown because too many files have changed in this diff Show more