refactor: restructure project to remove profiles, users, ...

This commit is contained in:
Kat Inskip 2022-07-10 12:59:40 -07:00
parent cb3ae5f434
commit 53655a05fc
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
177 changed files with 544 additions and 2877 deletions

17
nixos/arc.nix Normal file

@ -0,0 +1,17 @@
{ ... }: {
imports = [
({ config, pkgs, ... }:
{
users.users.arc = {
uid = 1001;
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8Z6briIboxIdedPGObEWB6QEQkvxKvnMW/UVU9t/ac mew-pgp"
];
shell = pkgs.zsh;
};
})
];
}

36
nixos/base/access.nix Normal file

@ -0,0 +1,36 @@
{ config, lib, pkgs, meta, ... }:
{
security.sudo.wheelNeedsPassword = lib.mkForce false;
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
});
'';
imports = with meta; [
home.base
];
users.motd = ''
${config.networking.hostName}.${config.networking.domain}
'';
users.users.root = {
shell = pkgs.zsh;
hashedPassword =
"$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB.";
openssh.authorizedKeys.keys = with pkgs.lib;
[ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi" ] ++ (concatLists (mapAttrsToList
(name: user:
if elem "wheel" user.extraGroups then
user.openssh.authorizedKeys.keys
else
[ ])
config.users.users));
};
}
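Review bot: The root password hash on the `hashedPassword =` line is a committed SHA-512-crypt string that anyone with read access to the repository can attack offline, while kat.nix already loads kat's hash through the secrets module. Put root's hash behind the same guard, e.g. `hashedPassword = lib.mkIf (meta.trusted ? secrets) (lib.removeSuffix "\n" config.kw.secrets.repo.<root-secret-placeholder>.text);`; with `users.mutableUsers = false` (base/system.nix) a missing hash simply leaves password login disabled. `wheelNeedsPassword = lib.mkForce false` plus the blanket polkit `return polkit.Result.YES` make every wheel member root-equivalent without a prompt, and the `mapAttrsToList` fold additionally mirrors every wheel user's SSH keys into root's authorized_keys, so a header comment such as `# wheel == root here: passwordless sudo, unconditional polkit grant, and wheel keys mirrored into root's authorized_keys` would stop a later reader from assuming the narrowing lives elsewhere. The `with pkgs.lib;` on the authorized-keys line is redundant with the `lib` argument already in scope.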

11
nixos/base/base16.nix Normal file

@ -0,0 +1,11 @@
{ config, ... }:
{
base16 = {
inherit (config.home-manager.users.kat.base16) schemes alias;
console = {
enable = true;
scheme = config.home-manager.users.kat.base16.alias.default;
};
};
}


@ -0,0 +1,3 @@
{ config, ... }: {
documentation.nixos.enable = false;
}

22
nixos/base/home.nix Normal file

@ -0,0 +1,22 @@
{ meta, config, lib, inputs, tf, ... }:
with lib;
{
options.home-manager.users = mkOption {
type = types.attrsOf (types.submoduleWith {
modules = singleton meta.modules.home;
specialArgs = {
inherit inputs tf meta;
nixos = config;
};
});
};
config = {
home-manager = {
useUserPackages = true;
useGlobalPkgs = true;
};
};
}

5
nixos/base/kitty.nix Normal file

@ -0,0 +1,5 @@
{ config, pkgs, ... }:
{
environment.systemPackages = [ pkgs.buildPackages.buildPackages.kitty.terminfo ];
}

13
nixos/base/locale.nix Normal file

@ -0,0 +1,13 @@
{ config, pkgs, ... }:
{
fonts.fonts = [
pkgs.tamzen
];
i18n.defaultLocale = "en_GB.UTF-8";
time.timeZone = "Europe/London";
console = {
packages = [ pkgs.tamzen ];
keyMap = "uk";
};
}

14
nixos/base/network.nix Normal file

@ -0,0 +1,14 @@
{ config, lib, ... }: with lib;
{
networking.nftables.enable = true;
network = {
enable = true;
dns = {
enable = mkDefault true;
email = "acme@kittywit.ch";
zone = "kittywit.ch.";
};
};
}

34
nixos/base/nix.nix Normal file

@ -0,0 +1,34 @@
{ config, lib, pkgs, inputs, ... }:
{
boot.loader.grub.configurationLimit = 8;
boot.loader.systemd-boot.configurationLimit = 8;
nix = {
nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"nur=${inputs.nur}"
"arc=${inputs.arcexprs}"
"ci=${inputs.ci}"
];
registry = {
nixpkgs.flake = inputs.nixpkgs;
nur.flake = inputs.nur;
arc.flake = inputs.arcexprs;
ci.flake = inputs.ci;
};
settings = {
experimental-features = lib.optional (lib.versionAtLeast config.nix.package.version "2.4") "nix-command flakes";
substituters = [ "https://arc.cachix.org" "https://kittywitch.cachix.org" "https://nix-community.cachix.org" ];
trusted-public-keys =
[ "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=" "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI=" ];
auto-optimise-store = true;
trusted-users = [ "root" "@wheel" ];
};
gc = {
automatic = lib.mkDefault true;
dates = lib.mkDefault "weekly";
options = lib.mkDefault "--delete-older-than 7d";
};
};
}
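Review bot: `trusted-users = [ "root" "@wheel" ];` lets any wheel member hand the daemon arbitrary settings and unsigned store paths, which is root-equivalent; that is consistent with the passwordless sudo in base/access.nix, but a comment at that line, e.g. `# @wheel is already root via sudo (base/access.nix); trusted-users extends that to the nix daemon`, keeps the two in step if either is ever tightened. The `ryantrinkle.com-1:` entry in `trusted-public-keys` has no matching URL in `substituters`, so it either points at a cache that was meant to be listed or is dead weight that still vouches for any path signed with it; drop it or add the substituter with a comment naming the cache.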

11
nixos/base/packages.nix Normal file

@ -0,0 +1,11 @@
{ config, lib, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
neofetch
smartmontools
hddtemp
lm_sensors
gnupg
] ++ (lib.optional config.programs.gnupg.agent.enable pinentry-curses);
}

11
nixos/base/secrets.nix Normal file

@ -0,0 +1,11 @@
{ config, meta, inputs, lib, pkgs, ... }:
{
imports = lib.optional (meta.trusted ? secrets) meta.trusted.secrets;
secrets = {
root = "/var/lib/kat/secrets";
persistentRoot = "/var/lib/kat/secrets";
external = true;
};
}

8
nixos/base/shell.nix Normal file

@ -0,0 +1,8 @@
{ config, ... }:
{
programs.zsh = {
enable = true;
enableCompletion = true;
};
}

43
nixos/base/ssh.nix Normal file

@ -0,0 +1,43 @@
{ config, lib, pkgs, ... }:
with lib;
{
network.firewall = {
public = {
tcp.ports = singleton 62954;
udp.ranges = [{
from = 60000;
to = 61000;
}];
};
private = {
tcp.ports = singleton 62954;
udp.ranges = [{
from = 60000;
to = 61000;
}];
};
};
/*
security.pam.services.sshd.text = mkDefault (mkAfter ''
session required pam_exec.so ${katnotify}/bin/notify
'');
*/
services.openssh = {
enable = true;
ports = lib.mkDefault [ 62954 ];
passwordAuthentication = false;
kbdInteractiveAuthentication = false;
permitRootLogin = lib.mkDefault "prohibit-password";
kexAlgorithms = [ "curve25519-sha256@libssh.org" ];
extraConfig = ''
PubkeyAcceptedAlgorithms +ssh-rsa
StreamLocalBindUnlink yes
LogLevel VERBOSE
'';
};
programs.mosh.enable = true;
}
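Review bot: The firewall entries `tcp.ports = singleton 62954;` hard-code the port while `services.openssh.ports` is only a `lib.mkDefault`, so a host that overrides the SSH port keeps 62954 open and the real port blocked; use `tcp.ports = config.services.openssh.ports;` in both the `public` and `private` sets (or one shared `let` binding, since the two blocks are identical). `PubkeyAcceptedAlgorithms +ssh-rsa` re-enables SHA-1 RSA signatures server-wide; RSA keys still authenticate with the default rsa-sha2-256/512 signatures, so this is only needed for a client that cannot produce them (presumably the hardware-token keys in kat.nix), and that reason belongs in a comment, e.g. `# SHA-1 ssh-rsa signatures kept for <client>; drop once it can sign with rsa-sha2-*`. The commented-out PAM block references `${katnotify}`, which is not bound in this file, so it cannot simply be uncommented as-is.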

18
nixos/base/system.nix Normal file

@ -0,0 +1,18 @@
{ config, lib, pkgs, ... }: with lib;
{
boot.kernelPackages = mkIf (elem "zfs" config.boot.supportedFilesystems) (mkDefault config.boot.zfs.package.latestCompatibleLinuxPackages);
hardware.enableRedistributableFirmware = lib.mkDefault true;
boot.tmpOnTmpfs = true;
boot.zfs.enableUnstable = mkIf (elem "zfs" config.boot.supportedFilesystems) true;
boot.kernel.sysctl = {
"fs.inotify.max_user_watches" = "524288";
"net.core.rmem_max" = "16777216";
"net.core.wmem_max" = "16777216";
"net.ipv4.tcp_rmem" = "4096 87380 16777216";
"net.ipv4.tcp_wmem" = "4096 65536 16777216";
};
services.journald.extraConfig = "SystemMaxUse=512M";
users.mutableUsers = false;
boot.tmpOnTmpfsSize = "80%";
}

10
nixos/cross/aarch64.nix Normal file

@ -0,0 +1,10 @@
{ pkgs, config, lib, ... }: with lib; {
boot.binfmt = {
emulatedSystems = [ "aarch64-linux" ];
/*
registrations.aarch64-linux = {
interpreter = mkForce "${pkgs.qemu-vfio or pkgs.qemu}/bin/qemu-aarch64";
};
*/
};
}


@ -0,0 +1,6 @@
{ config, ... }: {
nix.settings = {
substituters = [ "https://thefloweringash-armv7.cachix.org/" ];
trusted-public-keys = [ "thefloweringash-armv7.cachix.org-1:v+5yzBD2odFKeXbmC+OPWVqx4WVoIVO6UXgnSAWFtso=" ];
};
}

9
nixos/cross/armv6.nix Normal file

@ -0,0 +1,9 @@
{ config, ... }: {
nix.settings = {
substituters = [ "https://arm.cachix.org/" ];
trusted-public-keys = [ "arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM=" ];
};
boot.binfmt = {
emulatedSystems = [ "armv6l-linux" ];
};
}
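Review bot: The `nix.settings` block here is duplicated verbatim in armv7.nix, and cross/default.nix already imports `arm-common` alongside both `armv6` and `armv7`, so the shared substituter and key belong in that common module rather than in each file. Note also that `"https://arm.cachix.org/"` carries a trailing slash while base/nix.nix writes its caches without one; Nix compares these as plain strings, so a consistent form avoids the same cache being listed twice. Trusting `arm.cachix.org-1:` lets that key's holder supply any store path to these hosts, which is acceptable only if you know who operates it — a one-line comment recording that is worth adding.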

9
nixos/cross/armv7.nix Normal file

@ -0,0 +1,9 @@
{ config, ... }: {
nix.settings = {
substituters = [ "https://arm.cachix.org/" ];
trusted-public-keys = [ "arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM=" ];
};
boot.binfmt = {
emulatedSystems = [ "armv7l-linux" ];
};
}

23
nixos/cross/default.nix Normal file

@ -0,0 +1,23 @@
{ lib, tree, ... }: with lib; let
profiles = tree.prev;
appendedProfiles = with profiles; {
aarch64 = {
imports = [
aarch64
];
};
armv7l = {
imports = [
arm-common
armv7
];
};
armv6l = {
imports = [
arm-common
armv6
];
};
};
in
profiles // appendedProfiles

4
nixos/gui/adb.nix Normal file

@ -0,0 +1,4 @@
{ config, ... }: {
programs.adb.enable = true;
users.users.kat.extraGroups = [ "adbusers" ];
}


@ -0,0 +1,5 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [ ntfs3g exfat ];
}

25
nixos/gui/fonts.nix Normal file

@ -0,0 +1,25 @@
{ config, pkgs, lib, ... }:
{
fonts = {
enableDefaultFonts = true;
fontDir.enable = true;
fontconfig = {
enable = true;
allowBitmaps = true;
defaultFonts = {
emoji = [
"Twitter Color Emoji"
];
};
};
};
fonts.fonts = with pkgs; [
cantarell-fonts
emacs-all-the-icons-fonts
font-awesome
cozette
twitter-color-emoji
] ++ map (variant: iosevka-bin.override { inherit variant; } ) [ "" "ss10" "aile" ];
}

12
nixos/gui/gpg.nix Normal file

@ -0,0 +1,12 @@
{ config, pkgs, lib, ... }:
{
services.pcscd.enable = true;
services.udev.packages = [ pkgs.yubikey-personalization ];
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryFlavor = "gtk2";
};
}

46
nixos/gui/mingetty.nix Normal file

@ -0,0 +1,46 @@
{ config, lib, pkgs, ... }:
let
c1 = "\\e[22;34m";
c2 = "\\e[1;35m";
nixos = [
" ${c1} ::::. ${c2}'::::: ::::' "
" ${c1} '::::: ${c2}':::::. ::::' "
" ${c1} ::::: ${c2}'::::.::::: "
" ${c1} .......:::::..... ${c2}:::::::: "
" ${c1} ::::::::::::::::::. ${c2}:::::: ${c1}::::. "
" ${c1} ::::::::::::::::::::: ${c2}:::::. ${c1}.::::' "
" ${c2} ..... ::::' ${c1}:::::' "
" ${c2} ::::: '::' ${c1}:::::' "
" ${c2} ........::::: ' ${c1}:::::::::::. "
" ${c2}::::::::::::: ${c1}::::::::::::: "
" ${c2} ::::::::::: ${c1}.. ${c1}::::: "
" ${c2} .::::: ${c1}.::: ${c1}::::: "
" ${c2} .::::: ${c1}::::: ${c1}''''' ${c2}..... "
" ${c2} ::::: ${c1}':::::. ${c2}......:::::::::::::' "
" ${c2} ::: ${c1}::::::. ${c2}':::::::::::::::::' "
" ${c1} .:::::::: ${c2}':::::::::: "
" ${c1} .::::''::::. ${c2}'::::. "
" ${c1} .::::' ::::. ${c2}'::::. "
" ${c1} .:::: :::: ${c2}'::::. "
];
in
{
console = {
font = "Tamzen7x14";
earlySetup = true;
getty = {
greetingPrefix =
''\e[H\e[2J'' + # topleft
''\e[9;10]''; # setterm blank/powersave = 10 minutes
greeting =
"\n" +
lib.concatStringsSep "\n" nixos +
"\n\n" +
''\e[1;32m>>> NixOS ${config.system.nixos.label} (Linux \r) - \l\e[0m'';
};
};
services.getty = {
helpLine = lib.mkForce "";
};
}

29
nixos/gui/nfs.nix Normal file

@ -0,0 +1,29 @@
{ config, lib, meta, ... }:
{
boot.supportedFilesystems = [ "nfs" ];
/*
fileSystems."/mnt/kat-nas" = lib.mkIf (config.networking.hostName != "yukari") {
device = "${meta.network.nodes.nixos.yukari.network.addresses.w.domain}:/mnt/zraw/media";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" "nfsvers=4" "soft" "retrans=2" "timeo=60" ];
};
fileSystems."/mnt/hex-corn" = {
device = "storah.net.lilwit.ch:/data/cornbox";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" ];
};
fileSystems."/mnt/hex-tor" = {
device = "storah.net.lilwit.ch:/data/torrents";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" ];
};
*/
systemd.services.nfs-mountd = {
wants = [ "network-online.target" "yggdrassil.service" ];
};
}
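Review bot: `wants = [ "network-online.target" "yggdrassil.service" ];` spells the unit with a double `s`, while every other file here calls the interface `yggdrasil`; systemd silently ignores a `Wants=` on a unit that does not exist, so the dependency this was meant to add would never take effect. If the unit really is `yggdrasil.service`, fix the spelling and add a matching `after = [ "network-online.target" "yggdrasil.service" ];`, because `wants` alone does not order startup. The large `/* ... */` block of disabled mounts would be easier to maintain with a one-line comment saying why they are off.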

10
nixos/gui/profile.nix Normal file

@ -0,0 +1,10 @@
{ config, pkgs, meta, ... }: {
imports = with meta; [
services.dnscrypt-proxy
];
environment.systemPackages = with pkgs; [
lyx
texlive.combined.scheme-full
];
}

9
nixos/gui/qt.nix Normal file

@ -0,0 +1,9 @@
{ config, ... }:
{
qt5 = {
enable = true;
style = "adwaita-dark";
platformTheme = "gnome";
};
}

43
nixos/gui/sound.nix Normal file

@ -0,0 +1,43 @@
{ config, lib, pkgs, ... }:
{
sound = {
enable = true;
extraConfig = ''
defaults.pcm.rate_converter "speexrate_best"
'';
};
environment.systemPackages = with pkgs; [ pulsemixer ];
security.rtkit.enable = true;
services.pipewire = {
enable = true;
config = {
pipewire = {
"context.properties" = {
"log.level" = 2;
"default.clock.min-quantum" =
32; # default; going lower may cause crackles and distorted audio
};
pipewire-pulse = {
"context.modules" = [{
name = "libpipewire-module-protocol-pulse";
args = {
"pulse.min.quantum" = 32; # controls minimum playback quant
"pulse.min.req" = 32; # controls minimum recording quant
"pulse.min.frag" = 32; # controls minimum fragment size
"server.address" =
[ "unix:native" ]; # the default address of the server
};
}];
};
};
};
pulse.enable = true;
alsa.support32Bit = true;
jack.enable = true;
alsa.enable = true;
};
}

10
nixos/gui/sway.nix Normal file

@ -0,0 +1,10 @@
{ config, pkgs, lib, ... }:
with lib;
{
programs.sway = {
enable = any (user: user.wayland.windowManager.sway.enable) (attrValues config.home-manager.users);
extraPackages = with pkgs; mkForce [ xwayland swaylock swayidle swaylock-fancy wmctrl ];
};
}

7
nixos/gui/udev.nix Normal file

@ -0,0 +1,7 @@
{ config, ... }: {
services.udev.extraRules = ''
# SteelSeries Arctis (1) Wireless
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1038", ATTRS{idProduct}=="12b3", GROUP="users", MODE="0666"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1038", ATTRS{idProduct}=="12b6", GROUP="users", MODE="0666"
'';
}
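Review bot: Both hidraw rules end in `GROUP="users", MODE="0666"`, which makes the headset's raw HID node readable and writable by every account on the machine rather than by the person at the console. For a desktop peripheral the usual pattern is a per-seat ACL via `TAG+="uaccess"` with the mode left at its default, or at most `GROUP="users", MODE="0660"`; e.g. `KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1038", ATTRS{idProduct}=="12b3", TAG+="uaccess"` and the same for `12b6`.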

14
nixos/gui/xdg-portals.nix Normal file

@ -0,0 +1,14 @@
{ config, pkgs, ... }:
{
xdg = {
portal = {
enable = true;
extraPortals = with pkgs; [
xdg-desktop-portal-wlr
xdg-desktop-portal-gtk
];
gtkUsePortal = true;
};
};
}

20
nixos/kat.nix Normal file

@ -0,0 +1,20 @@
{ meta, config, pkgs, lib, ... }: with lib;
{
users.users.kat = {
uid = 1000;
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-rsa 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 yubikey5"
"ssh-rsa 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 cardno:12 078 454"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII74JrgGsDQ6r7tD7+k3ykxXV7DpeeFRscPMxrBsDPhz kat@goliath"
];
shell = pkgs.zsh;
extraGroups = [ "wheel" "video" "systemd-journal" "plugdev" "bird2" "vfio" "input" "uinput" ];
hashedPassword = mkIf (meta.trusted ? secrets) (removeSuffix "\n" config.kw.secrets.repo.kat-user.text);
};
systemd.tmpfiles.rules = [
"f /var/lib/systemd/linger/kat"
];
}
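Review bot: `hashedPassword = mkIf (meta.trusted ? secrets) (...)` leaves the account with no password at all when the trusted secrets are absent, and with `users.mutableUsers = false` in base/system.nix that is permanent rather than a first-boot default; a comment on that line, e.g. `# without trusted secrets the account has no password: SSH-key login only, sudo stays passwordless via wheel`, would make the intended failure mode explicit. The `extraGroups` list grants `input` and `uinput`, which under the stock udev rules allow reading every input device and injecting synthetic events; if only the VFIO/screenstub profile needs them, a short comment saying so will keep them from outliving that profile.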

15
nixos/light.nix Normal file

@ -0,0 +1,15 @@
{ config, lib, ... }: with lib; {
options.home-manager.users = let
lightModeExtend = { config, nixos, ... }: {
gtk.iconTheme.name = mkForce "Papirus-Light";
base16 = {
alias.default = "atelier.atelier-cave-light";
defaultSchemeName = "atelier.atelier-cave-light";
};
};
in mkOption {
type = types.attrsOf (types.submoduleWith {
modules = singleton lightModeExtend;
});
};
}

78
nixos/network.nix Normal file

@ -0,0 +1,78 @@
{ config, lib, tf, pkgs, meta, ... }: with lib;
{
options.network = with lib; {
routeDefault = mkOption {
default = true;
type = types.bool;
};
};
config = {
network.yggdrasil.extern = let
in {
pubkeys = {
satorin =
"cbadeaa973b051cf66e23dcb014ab5be59e55a1c98ef541345520868e3bcf9f7";
shanghai =
"5aba9ba2ac7a54ffef19dea9e39881bd977f76032db81a2c82c4674ed475c95b";
grimoire =
"2a1567a2848540070328c9e938c58d40f2b1a3f08982c15c7edc5dcabfde3330";
boline =
"89684441745467da0d1bf7f47dc74ec3ca65e05c72f752298ef3c22a22024d43";
okami =
"f8fd12c6ed924048e93a7bd7dd63c2464813c9edddfef7415c4574518ecd4757";
amaterasu =
"ab9a4a78df124a8413c3a6576332d7739a44c036e14b7b0b4ea4558373ddda97";
duck-powerduck =
"9475274dcd43f0f3f397d56168efd436b0db58e58f4c068f75ab93ba3f51e405";
duck-nagoya =
"0000001a24b38f4341e356e7efc98dd31e259669242e0a82ba86971317b94954";
};
};
kw.secrets.variables.tailscale-authkey = {
path = "secrets/tailscale";
field = "password";
};
deploy.tf.variables.tailscale-authkey.export = true;
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
# allow the Tailscale UDP port through the firewall
allowedTCPPorts = [ 5200 ];
allowedUDPPorts = [ config.services.tailscale.port ];
};
services.tailscale.enable = true;
systemd.services.tailscale-autoconnect = mkIf (builtins.getEnv "TF_IN_AUTOMATION" != "" || tf.state.enable) {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up -authkey ${tf.variables.tailscale-authkey.get}
'';
};
};
}
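Review bot: `${tf.variables.tailscale-authkey.get}` inside `script` is expanded at evaluation time, so the auth key is written verbatim into the world-readable Nix store copy of the unit script and kept by every generation that retains it. Hand the key to the unit at runtime instead, e.g. `serviceConfig.LoadCredential = [ "authkey:<runtime-path-to-authkey-placeholder>" ];` together with `${tailscale}/bin/tailscale up -authkey "$(cat "$CREDENTIALS_DIRECTORY/authkey")"`. `if [ $status = "Running" ]` leaves `$status` unquoted, so an empty result from a failed `tailscale status` becomes a shell syntax error instead of falling through to `tailscale up`; write `if [ "$status" = "Running" ]; then`. The comment `# allow the Tailscale UDP port through the firewall` sits above `allowedTCPPorts = [ 5200 ];` rather than the `allowedUDPPorts` line it describes, and 5200 itself has no explanation.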

98
nixos/systems/chen.nix Normal file

@ -0,0 +1,98 @@
{ meta, config, pkgs, lib, ... }:
with lib;
{
# Imports
imports = with meta; [
hardware.eeepc-1015pem
nixos.network
nixos.arc
services.kattv2
services.dnscrypt-proxy
];
# Terraform
deploy.tf = {
resources.chen = {
provider = "null";
type = "resource";
connection = {
port = head config.services.openssh.ports;
host = config.network.addresses.private.nixos.ipv4.address;
};
};
};
# File Systems and Swap
fileSystems."/" =
{ device = "/dev/disk/by-uuid/fa06ba90-ffc9-4ca6-b1cf-1205340a975e";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/BF39-2AA3";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/9c88235e-9705-4b80-a988-e95eda06124f"; }
];
# Bootloader
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "usb_storage" "sd_mod" "sdhci_acpi" ];
};
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
# Hardware
services.logind.lidSwitchExternalPower = "ignore";
# Networking
networking = {
hostId = "9f89b327";
useDHCP = false;
wireless = {
enable = false;
userControlled.enable = false;
interfaces = singleton "wlp1s0";
};
interfaces.enp0s20u1 = {
useDHCP = true;
};
};
network = {
addresses = {
private = {
enable = true;
nixos = {
ipv4.address = "192.168.1.196";
};
};
};
};
# Firewall
network.firewall = {
public = {
interfaces = singleton "enp0s20u1";
};
};
# State
system.stateVersion = "20.09";
}
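Review bot: `hostId = "9f89b327";` here is identical to the `hostId` in ran.nix's `networking` block, but `networking.hostId` is meant to be unique per machine — ZFS records it in a pool to decide whether the pool was last imported by this host, so two machines sharing it would silently accept each other's pools. Neither host enables ZFS today, but the value is cheap to make distinct now and painful to change after a pool exists; generate a fresh 8-hex-digit value for one of them and add a comment under `# Networking` that it must be unique. Both files are new in this commit, so this is not an inherited clash.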


@ -0,0 +1,47 @@
{ config, inputs, tf, meta, kw, pkgs, lib, ... }: with lib; {
imports = with meta; [
hardware.aarch64-linux
hardware.oracle.ubuntu
nixos.network
home.weechat
home.services.weechat
services.nginx
services.murmur
services.murmur-ldap
services.prosody
services.synapse
services.syncplay
services.filehost
services.keycloak
services.openldap
services.mail
services.hedgedoc
services.website
services.dnscrypt-proxy
services.vaultwarden
services.weechat
services.znc
];
kw.oci = {
specs = {
shape = "VM.Standard.A1.Flex";
cores = 4;
ram = 24;
space = 100;
};
ad = 1;
network = {
publicV6 = 6;
privateV4 = 5;
};
};
network.yggdrasil = {
enable = true;
pubkey = "edb7de263e6924b8c9446123979782420e5196317bffc75e9a6ca546551252da";
address = "206:d807:a98:309f:3bc0:de7a:411d:9d95";
};
system.stateVersion = "21.11";
}

143
nixos/systems/koishi.nix Normal file

@ -0,0 +1,143 @@
{ meta, config, pkgs, lib, ... }: with lib; {
imports = with meta; [
hardware.x270
nixos.gui
nixos.light
nixos.network
home.gui
];
config = {
deploy.tf = {
resources.koishi = {
provider = "null";
type = "resource";
connection = {
port = head config.services.openssh.ports;
host = config.network.addresses.private.nixos.ipv4.address;
};
};
};
programs.ssh.extraConfig = ''
Host daiyousei-build
HostName daiyousei.kittywit.ch
Port 62954
User root
'';
nix.buildMachines = [ {
hostName = "daiyousei-build";
system = "aarch64-linux";
# systems = ["x86_64-linux" "aarch64-linux"];
maxJobs = 100;
speedFactor = 1;
supportedFeatures = [ "benchmark" "big-parallel" "kvm" ];
mandatoryFeatures = [ ];
}] ;
nix.distributedBuilds = true;
# optional, useful when the builder has a faster internet connection than yours
nix.extraOptions = ''
builders-use-substitutes = true
'';
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/a664de0f-9883-420e-acc5-b9602a23e816";
fsType = "xfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/DEBC-8F03";
fsType = "vfat";
};
};
swapDevices =
[ { device = "/dev/disk/by-uuid/0d846453-95b4-46e1-8eaf-b910b4321ef0"; }
];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
boot = {
supportedFilesystems = [ "xfs" "zfs" ];
initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/f0ea08b4-6af7-4d90-a2ad-edd5672a2105";
loader = {
efi = {
canTouchEfiVariables = true;
# assuming /boot is the mount point of the EFI partition in NixOS (as the installation section recommends).
efiSysMountPoint = "/boot";
};
grub = {
# despite what the configuration.nix manpage seems to indicate,
# as of release 17.09, setting device to "nodev" will still call
# `grub-install` if efiSupport is true
# (the devices list is not used by the EFI grub install,
# but must be set to some value in order to pass an assert in grub.nix)
devices = [ "nodev" ];
efiSupport = true;
enable = true;
# set $FS_UUID to the UUID of the EFI partition
extraEntries = ''
menuentry "Windows" {
insmod part_gpt
insmod fat
insmod search_fs_uuid
insmod chain
search --fs-uuid --set=root DEBC-8F03
chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}
'';
version = 2;
};
};
};
hardware.displays = {
"eDP-1" = {
res = "1920x1080";
pos = "0 0";
};
};
networking = {
hostId = "dddbb888";
useDHCP = false;
/* wireless = {
enable = true;
userControlled.enable = true;
interfaces = singleton "wlp3s0";
};
interfaces = {
wlp3s0.ipv4.addresses = singleton {
inherit (config.network.addresses.private.nixos.ipv4) address;
prefixLength = 24;
};
}; */
};
services.fstrim.enable = true;
network = {
addresses = {
private = {
enable = true;
nixos = {
ipv4.address = "192.168.1.121";
};
};
};
yggdrasil = {
enable = true;
pubkey = "f94d49458822a73d70306b249a39d4de8a292b13e12339b21010001133417be7";
address = "200:d65:6d74:efba:b185:1f9f:29b6:cb8c";
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};
firewall = {
public.interfaces = [ "enp1s0" "wlp3s0" ];
private.interfaces = singleton "yggdrasil";
};
};
system.stateVersion = "21.11";
};
}
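Review bot: The `nix.buildMachines` entry sends builds to `daiyousei-build` as `User root`, but neither the `Host daiyousei-build` stanza in `programs.ssh.extraConfig` nor the machine entry pins the builder's host key, so the first connection trusts whatever root's known_hosts happens to hold; add `publicHostKey = "<base64-host-key-placeholder>";` to the entry (and `sshKey` if a dedicated key is intended), because a builder can return arbitrary outputs for any derivation sent to it. `maxJobs = 100` looks high for a builder that the daiyousei section declares with `cores = 4`; if that is deliberate, a comment would help. The `# set $FS_UUID to the UUID of the EFI partition` comment above `extraEntries` no longer matches the code, which hard-codes `DEBC-8F03`.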

93
nixos/systems/marisa.nix Normal file

@ -0,0 +1,93 @@
{ config, lib, pkgs, modulesPath, tf, meta, ... }: with lib; {
imports = with meta; [
(modulesPath + "/profiles/qemu-guest.nix")
nixos.network
services.nginx
services.access
] ++ optional (meta.trusted ? services) trusted.services.website;
deploy.tf = {
resources.marisa = {
provider = "null";
type = "resource";
connection = {
port = head config.services.openssh.ports;
host = config.network.addresses.public.nixos.ipv4.address;
};
};
};
boot = {
loader.grub = {
enable = true;
version = 2;
device = "/dev/vda";
};
initrd = {
availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
};
kernelModules = [ "kvm-amd" ];
};
networking = {
hostName = "marisa";
nameservers = [
"1.1.1.1"
];
useDHCP = false;
defaultGateway = "104.244.72.1";
defaultGateway6 = {
address = "2605:6400:30::1";
interface = "ens3";
};
interfaces.ens3 = {
ipv4.addresses = [
{
inherit (config.network.addresses.public.nixos.ipv4) address;
prefixLength = 24;
}
];
ipv6.addresses = [
{
inherit (config.network.addresses.public.nixos.ipv6) address;
prefixLength = 48;
}
];
};
};
network = {
addresses.public = {
enable = true;
nixos.ipv4.address = "104.244.72.5";
nixos.ipv6.address = "2605:6400:30:eed1:6cf7:bbfc:b4e:15c0";
};
yggdrasil = {
enable = true;
pubkey = "2134779f3e19e7df46113a814e9a87097839b9d557ebe3856423e148abcfe582";
address = "202:f65c:4306:f30:c105:cf76:2bf5:8b2b";
listen.enable = true;
listen.endpoints = [ "tcp://${config.network.addresses.public.nixos.ipv4.address}:52969" "tcp://[${config.network.addresses.public.nixos.ipv6.address}]:52969" ];
};
firewall = {
public = {
interfaces = singleton "ens3";
tcp.ports = [ 1935 52969 ];
};
private.interfaces = singleton "yggdrasil";
};
};
fileSystems."/" ={
device = "/dev/disk/by-uuid/6ed3e886-d390-433f-90ac-2b37aed9f15f";
fsType = "ext4";
};
swapDevices = [
{ device = "/dev/disk/by-uuid/ba1425d4-8c18-47aa-b909-65bb710be400"; }
];
system.stateVersion = "21.11";
}

82
nixos/systems/ran.nix Normal file

@ -0,0 +1,82 @@
{ meta, config, pkgs, lib, ... }:
with lib;
{
# Imports
imports = with meta; [
hardware.eeepc-1015pem
nixos.network
nixos.arc
services.kattv
services.dnscrypt-proxy
];
# Terraform
deploy.tf = {
resources.ran = {
provider = "null";
type = "resource";
connection = {
port = head config.services.openssh.ports;
host = config.network.addresses.private.nixos.ipv4.address;
};
};
};
# File Systems and Swap
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/469a684b-eb8f-48a8-8f98-be58528312c4";
fsType = "ext4";
};
};
swapDevices = [{ device = "/dev/disk/by-uuid/2223e305-79c9-45b3-90d7-560dcc45775a"; }];
# Bootloader
boot.loader.grub = {
enable = true;
version = 2;
device = "/dev/sda";
};
# Hardware
services.logind.lidSwitchExternalPower = "ignore";
# Networking
networking = {
hostId = "9f89b327";
useDHCP = false;
interfaces.enp1s0.useDHCP = true;
};
network = {
addresses = {
private = {
enable = true;
nixos = {
ipv4.address = "192.168.1.215";
};
};
};
};
# Firewall
network.firewall = {
public = {
interfaces = singleton "enp1s0";
};
};
# State
system.stateVersion = "20.09";
}


@ -0,0 +1,32 @@
{ config, tf, meta, kw, pkgs, lib, ... }: with lib; {
imports = with meta; [
hardware.oracle.ubuntu
nixos.network
services.nginx
services.knot
];
kw.oci = {
specs = {
shape = "VM.Standard.E2.1.Micro";
cores = 1;
ram = 1;
space = 50;
};
ad = 2;
network = {
publicV6 = 7;
privateV4 = 3;
};
};
network = {
yggdrasil = {
enable = true;
pubkey = "fc64ee574072ef7420ff98bc53856f881025de252081e661a78e04ebcf7c6b35";
address = "200:736:2351:7f1a:2117:be00:ce87:58f5";
};
};
system.stateVersion = "21.11";
}

122
nixos/systems/yukari.nix Normal file

@ -0,0 +1,122 @@
{ meta, tf, config, pkgs, lib, ... }: with lib; {
imports = with meta; [
hardware.rm-310
nixos.network
nixos.arc
services.ha
services.nextcloud
#services.kattv-ingest
#services.kattv2-ingest
services.postgres
services.nfs
services.nginx
services.transmission
services.tvheadend
services.zfs
services.plex
];
deploy.tf = {
resources.yukari = {
provider = "null";
type = "resource";
connection = {
port = head config.services.openssh.ports;
host = config.network.addresses.private.nixos.ipv4.address;
};
};
};
boot.supportedFilesystems = singleton "zfs";
fileSystems = {
"/" = {
device = "rpool/safe/root";
fsType = "zfs";
};
"/nix" = {
device = "rpool/local/nix";
fsType = "zfs";
};
"/home" = {
device = "rpool/safe/home";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-id/ata-Samsung_SSD_860_EVO_250GB_S3YJNX0K780441Z-part3";
fsType = "vfat";
};
"/boot-fallback" = {
device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S3R0NF1J841629N-part3";
fsType = "vfat";
};
"/mnt/zraw" = {
device = "zstore/raw";
fsType = "zfs";
};
"/mnt/zenc" = {
device = "zstore/enc";
fsType = "zfs";
};
};
swapDevices = [
{ device = "/dev/disk/by-id/ata-Samsung_SSD_860_EVO_250GB_S3YJNX0K780441Z-part2"; }
{ device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S3R0NF1J841629N-part2"; }
];
boot.loader = {
efi.canTouchEfiVariables = true;
grub = {
enable = true;
efiSupport = true;
device = "nodev";
mirroredBoots = [
{
devices = [ "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S3R0NF1J841629N-part3" ];
path = "/boot-fallback";
}
];
};
};
hardware.displays."VGA-1" = {
res = "1280x1024@75Hz";
pos = "1920 0";
};
networking = {
hostId = "3ef9a419";
useDHCP = false;
interfaces.eno1 = {
useDHCP = true;
tempAddress = "disabled";
};
};
network = {
addresses = {
private = {
enable = true;
nixos = {
ipv4.address = "100.98.152.108";
};
};
};
yggdrasil = {
enable = true;
pubkey = "4f8fb0817afcd6211fb6a2cac2893df7d3f12c5c99eed106718d7223468473b2";
address = "201:c1c1:3dfa:140c:a77b:8125:74d4:f5db";
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};
firewall = {
private.interfaces = singleton "yggdrasil";
public.interfaces = singleton "eno1";
};
};
system.stateVersion = "21.05";
}

185
nixos/vfio/profile.nix Normal file

@ -0,0 +1,185 @@
{ config, pkgs, lib, ... }: with lib; let
win10-toggler = pkgs.writeShellScriptBin "win10-toggle" ''
REQUEST="$0"
if [[ "REQUEST" = "on" ]]; then
sudo win10-vm-pinning $(cat $XDG_RUNTIME_DIR/win10-vm.pid)
systemctl --user stop konawall-rotation.timer
else
sudo win10-vm-pinning
systemctl --user start konawall-rotation.timer
fi
'';
win10-start-pane = pkgs.writeShellScriptBin "win10-start-pane" ''
sudo disk-mapper-part /dev/disk/by-id/ata-ST2000DM008-2FR102_WK301C3H-part2
sudo chown kat:users /dev/mapper/ata-ST2000DM008-2FR102_WK301C3H-part2
echo 3 | sudo tee /proc/sys/vm/drop_caches > /dev/null || true; echo 1 | sudo tee /proc/sys/vm/compact_memory > /dev/null || true
win10-vm -pidfile $XDG_RUNTIME_DIR/win10-vm.pid
'';
win10-start = pkgs.writeShellScriptBin "win10-start" ''
tmux new-session -ds vm "${win10-start-pane}/bin/win10-start-pane" \; split-window -h 'sleep 10; screenstub x'
'';
in {
options.home-manager.users = let
userVFIOExtend = { config, ... }: {
config = mkMerge [
(mkIf config.wayland.windowManager.sway.enable {
wayland.windowManager.sway.config.input = mapListToAttrs (t:
nameValuePair "5824:1503:screenstub-${t}" ({ events = "disabled"; })
) [ "tablet" "mouse" "kbd" ];
})
{
programs.screenstub = {
enable = true;
settings = {
exit_events = [ "show_host" ];
hotkeys = [
{
events = [
{ toggle_grab = { x = { mouse = false; }; }; }
{
toggle_grab = {
evdev = {
devices = [
"/dev/input/by-id/usb-Razer_Razer_Naga_Trinity_00000000001A-event-mouse"
];
evdev_ignore = [ "button" ];
exclusive = false;
xcore_ignore = [ "absolute" ];
};
};
}
"unstick_host"
];
modifiers = [ "LeftMeta" ];
triggers = [ "Esc" ];
}
{
events = [ "toggle_show" ];
modifiers = [ "LeftMeta" ];
on_release = false;
triggers = [ "T" ];
}
];
key_remap = {
LeftMeta = "Reserved";
RightAlt = "LeftMeta";
};
qemu = {
absolute_driver = { virtio = { bus = "pci.21"; }; };
ga_socket = "/tmp/vfio-qga";
keyboard_driver = { virtio = { bus = "pci.23"; }; };
qmp_socket = "/tmp/vfio-qmp";
relative_driver = { virtio = { bus = "pci.22"; }; };
routing = "virtio-host";
};
screens = [{
ddc = {
guest = [ "ddc" ];
host = [ "ddc" ];
};
guest_source = { name = "HDMI-1"; };
host_source = { name = "HDMI-2"; };
monitor = {
manufacturer = "BNQ";
model = "BenQ GW2270";
};
}];
};
};
}
];
};
in mkOption {
type = types.attrsOf (types.submoduleWith {
modules = singleton userVFIOExtend;
});
};
config = {
environment.systemPackages = with pkgs; [
win10-toggler
vfio-vm
vfio-vm-pinning
vfio-disk-mapper
win10-start
ddcutil
];
systemd.mounts = let
hugepages = { where, options }: {
before = ["sysinit.target"];
unitConfig = {
DefaultDependencies = "no";
ConditionPathExists = "/sys/kernel/mm/hugepages";
ConditionCapability = "CAP_SYS_ADMIN";
ConditionVirtualization = "!private-users";
};
what = "hugetlbfs";
inherit where options;
type = "hugetlbfs";
mountConfig = {
Group = "vfio";
};
wantedBy = ["sysinit.target"];
};
in [
(hugepages { where = "/dev/hugepages"; options = "mode=0775"; })
(hugepages { where = "/dev/hugepages1G"; options = "pagesize=1GB,mode=0775"; })
];
/* fileSystems."/sys/fs/cgroup/cpuset" = {
device = "cpuset";
fsType = "cgroup";
noCheck = true;
}; */
systemd.services.preallocate-huggies = {
wantedBy = singleton "multi-user.target";
serviceConfig = {
Type = "oneshot";
};
script = ''
echo 12 > /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages
'';
};
users.groups = { uinput = { }; vfio = { }; };
boot = {
initrd.kernelModules = mkBefore [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
kernelParams = [
"video=efifb:off"
];
extraModulePackages = [
(pkgs.linuxPackagesFor config.boot.kernelPackages.kernel).vendor-reset
];
kernelModules = [ "i2c-dev" ]; # i2c-dev is required for DDC/CI for screenstub
};
environment.etc."qemu/bridge.conf".text = "allow br";
security.wrappers = {
qemu-bridge-helper = {
source = "${pkgs.qemu-vfio}/libexec/qemu-bridge-helper";
capabilities = "cap_net_admin+ep";
owner = "root";
group = "root";
};
};
services.udev.extraRules = ''
SUBSYSTEM=="i2c-dev", GROUP="vfio", MODE="0660"
SUBSYSTEM=="misc", KERNEL=="uinput", OPTIONS+="static_node=uinput", MODE="0660", GROUP="uinput"
SUBSYSTEM=="vfio", OWNER="root", GROUP="vfio"
'';
security.pam.loginLimits = [{
domain = "@vfio";
type = "-";
item = "memlock";
value = "unlimited";
}];
systemd.extraConfig = "DefaultLimitMEMLOCK=infinity";
};
}
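Review bot: `win10-toggle` can never take its `on` branch: `REQUEST="$0"` captures the script's own path instead of the first argument, and `[[ "REQUEST" = "on" ]]` compares the literal word `REQUEST` because the `$` is missing; it should read `REQUEST="$1"` and `if [[ "$REQUEST" = "on" ]]; then`. The `qemu-bridge-helper` wrapper carries `cap_net_admin+ep` with `group = "root"` and the default permissions, so any local account can invoke it; since the VM tooling in this file is gated on the `vfio` group and bridge.conf only allows `br`, `group = "vfio"; permissions = "u+rx,g+x";` would limit who can attach ports to the bridge. The `sudo` calls in `win10-start-pane` and `win10-toggle` depend on the passwordless wheel sudo from base/access.nix; a comment noting that dependency would warn anyone who later tightens sudo.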


@ -0,0 +1,26 @@
From 5cac0c3c4383010f0579028de8decd6ede4bd460 Mon Sep 17 00:00:00 2001
From: Stefan Springer <stefanspr94@gmail.com>
Date: Sun, 3 Oct 2021 23:26:40 +0200
Subject: [PATCH] clocksource: set WATCHDOG_MAX_SKEW to 60
in order to find a more relaxed middleground between the old default (100) and the new one(50)
---
kernel/time/clocksource.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
index b8a14d2fb..f8f848d13 100644
--- a/kernel/time/clocksource.c
+++ b/kernel/time/clocksource.c
@@ -107,7 +107,7 @@ static u64 suspend_start;
* This delay could be due to SMIs, NMIs, or to VCPU preemptions. Used as
* a lower bound for cs->uncertainty_margin values when registering clocks.
*/
-#define WATCHDOG_MAX_SKEW (50 * NSEC_PER_USEC)
+#define WATCHDOG_MAX_SKEW (80 * NSEC_PER_USEC)
#ifdef CONFIG_CLOCKSOURCE_WATCHDOG
static void clocksource_watchdog_work(struct work_struct *work);
--
2.32.0
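Review bot: The patch subject says `set WATCHDOG_MAX_SKEW to 60` and the description talks about a middle ground between 100 and 50, but the hunk actually sets `#define WATCHDOG_MAX_SKEW (80 * NSEC_PER_USEC)`; either the define or the header is wrong, and leaving them inconsistent makes every later rebase of this vendored patch harder to review. Whichever value is intended should be reflected in both the subject line and the define.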

7
nixos/x11/layout.xkb Normal file

@ -0,0 +1,7 @@
default partial alphanumeric_keys
xkb_symbols "basic" {
include "us(altgr-intl)"
name[Group1] = "English (US, international with pound sign)";
key <AD03> { [ e, E, EuroSign, cent ] };
key <AE03> { [ 3, numbersign, sterling] };
};

21
nixos/x11/profile.nix Normal file

@ -0,0 +1,21 @@
{ config, pkgs, ... }: {
services.xserver = {
enable = true;
autorun = false;
exportConfiguration = true;
displayManager = let
compiledLayout = pkgs.runCommand "keyboard-layout" {} ''
${pkgs.xorg.xkbcomp}/bin/xkbcomp ${./layout.xkb} $out
'';
in {
sessionCommands = "${pkgs.xorg.xkbcomp}/bin/xkbcomp ${compiledLayout} $DISPLAY";
startx.enable = true;
};
};
environment.systemPackages = with pkgs; [
xorg.xinit
xsel
scrot
];
}