diff --git a/config/profiles/common/default.nix b/config/common/default.nix
similarity index 90%
rename from config/profiles/common/default.nix
rename to config/common/default.nix
index dcad103e..87ab1d6e 100644
--- a/config/profiles/common/default.nix
+++ b/config/common/default.nix
@@ -1,16 +1,12 @@ { config, lib, pkgs, ... }: let - sources = import ../../../nix/sources.nix; + sources = import ../../nix/sources.nix; unstable = import sources.nixpkgs-unstable { }; in { imports = [ - ../../../modules - ../../users - ../development - ../gaming - ../network - ../yubikey + ../../modules + ../users (sources.home-manager + "/nixos") ];
diff --git a/config/hosts/athame/configuration.nix b/config/hosts/athame/configuration.nix
index 8166fcae..1f59462d 100644
--- a/config/hosts/athame/configuration.nix
+++ b/config/hosts/athame/configuration.nix
@@ -4,14 +4,22 @@ let unstable = import { }; in { imports = [ ./hardware-configuration.nix + # db + ./services/postgres.nix + # nginx + ../../services/nginx.nix + ./services/virtualHosts.nix + # services + ./services/gitea.nix + ./services/nextcloud.nix ./services/bitwarden.nix + # comms services ./services/znc.nix ./services/weechat.nix - ./services/nginx.nix ./services/matrix.nix - ./services/postgres.nix ]; - meta.deploy.ssh.host = "kittywit.ch"; + + meta.deploy.ssh.host = "athame.kittywit.ch"; boot.loader.grub.enable = true; boot.loader.grub.version = 2;
@@ -19,6 +27,8 @@ in { networking = { hostName = "athame"; + domain = "kittywit.ch"; + hostId = "7b0ac74e"; useDHCP = false; interfaces.enp1s0.useDHCP = true; };
diff --git a/config/hosts/athame/services/bitwarden.nix b/config/hosts/athame/services/bitwarden.nix
index 7b8b513a..e549d4d6 100644
--- a/config/hosts/athame/services/bitwarden.nix
+++ b/config/hosts/athame/services/bitwarden.nix
@@ -1,6 +1,6 @@ { config, pkgs, ... }: -let secrets = (import ../secrets.nix); +let secrets = (import ../../../../secrets.nix); in { services.bitwarden_rs = { enable = true;
@@ -8,7 +8,7 @@ in { rocketPort = 4000; websocketEnabled = true; signupsAllowed = false; - adminToken = secrets.bitwarden.token; + adminToken = secrets.hosts.athame.bitwarden_secret; domain = "https://vault.kittywit.ch"; }; };
diff --git a/config/hosts/athame/services/gitea.nix b/config/hosts/athame/services/gitea.nix
index 60eb70aa..795a119b 100644
--- a/config/hosts/athame/services/gitea.nix
+++ b/config/hosts/athame/services/gitea.nix
@@ -1,10 +1,10 @@ { config, pkgs, ... }: { - gitea = { + services.gitea = { enable = true; disableRegistration = true; # TODO change for initial setup - domain = "git.dork.dev"; - rootUrl = "https://git.dork.dev"; + domain = "git.kittywit.ch"; + rootUrl = "https://git.kittywit.ch"; }; }
diff --git a/config/hosts/athame/services/matrix.nix b/config/hosts/athame/services/matrix.nix
index 14b6685f..5a7a0d40 100644
--- a/config/hosts/athame/services/matrix.nix
+++ b/config/hosts/athame/services/matrix.nix
@@ -1,13 +1,14 @@ { config, pkgs, ... }: -let secrets = (import ../secrets.nix); +let secrets = (import ../../../../secrets.nix); in { environment.systemPackages = [ pkgs.arc.pkgs.mx-puppet-discord pkgs.mautrix-whatsapp ]; services.matrix-synapse = { enable = true; - registration_shared_secret = secrets.matrix.secret; + registration_shared_secret = secrets.hosts.athame.matrix_secret; + max_upload_size = "512M"; server_name = "kittywit.ch"; app_service_config_files = [ "/var/lib/matrix-synapse/telegram-registration.yaml"
diff --git a/config/hosts/athame/services/nextcloud.nix b/config/hosts/athame/services/nextcloud.nix
index 18e1c09f..1fbc1d91 100644
--- a/config/hosts/athame/services/nextcloud.nix
+++ b/config/hosts/athame/services/nextcloud.nix
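Review bot: `adminToken = secrets.hosts.athame.bitwarden_secret;` keeps the admin token inside evaluated configuration, and as far as I can tell the bitwarden_rs module of this generation renders `services.bitwarden_rs.config` into an environment file in the Nix store, which is world-readable on the host. The same exposure applies to `registration_shared_secret` in the matrix.nix hunk below (the generated homeserver.yaml is store-backed) and to the network passwords and `Pass.password` hash and salt in the znc.nix hunk further down, where the generated znc.conf is store-backed as well. Where the channel provides it, `environmentFile = "/var/lib/bitwarden_rs/admin.env";` (example path) pointing at a root-only file provisioned outside Nix keeps the token out of the store. The nextcloud hunk already carries a TODO for the same concern, so one TODO naming all four places would be clearer than scattering them.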
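Review bot: `rootUrl = "https://git.kittywit.ch";` places Gitea behind the TLS-terminating `git.kittywit.ch` vhost from virtualHosts.nix, but nothing sets `services.gitea.cookieSecure = true;`, so session cookies are issued without the Secure attribute on an HTTPS-only site; adding that line beside `rootUrl` closes it (the option exists in the 20.09 module, which boline's stateVersion suggests is the channel in use). The `# TODO change for initial setup` on `disableRegistration` does not say whether registration is meant to be reopened or the first account has already been created another way; a comment stating the intended end state, e.g. `# keep closed; first admin is created out of band`, would stop the flag being flipped by accident.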
@@ -8,17 +8,22 @@ services.nextcloud = { enable = true; - hostName = "fs.dork.dev"; + hostName = "files.kittywit.ch"; + package = pkgs.nextcloud20; https = true; - nginx.enable = true; config = { dbtype = "pgsql"; dbuser = "nextcloud"; dbhost = "/run/postgresql"; dbname = "nextcloud"; adminpassFile = - "/var/lib/nextcloud/admin_pass"; # TODO replace this with proper secrets management + "/var/lib/nextcloud/admin-pass"; # TODO replace this with proper secrets management adminuser = "root"; }; }; + + services.nginx.virtualHosts."files.kittywit.ch" = { + forceSSL = true; + enableACME = true; + }; }
diff --git a/config/hosts/athame/services/nginx.nix b/config/hosts/athame/services/nginx.nix
deleted file mode 100644
index 26d5c1cf..00000000
--- a/config/hosts/athame/services/nginx.nix
+++ /dev/null
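Review bot: `adminpassFile = "/var/lib/nextcloud/admin-pass"` renames the path from `admin_pass`, and nothing in the commit moves the file on the host; on a fresh install the setup step that reads it (the only time it is read, as far as I can tell) fails until the file exists under the new name with root-only permissions, so the rename deserves a line in the commit message or a `# provisioned by hand on the host, mode 0600` comment. `services.nginx.virtualHosts."files.kittywit.ch" = { forceSSL = true; enableACME = true; };` duplicates the `common` attrset that virtualHosts.nix applies to every other athame vhost; `"files.kittywit.ch" = common;` in that file keeps TLS policy in one place. Dropping `nginx.enable = true;` is only safe if the channel's nextcloud module generates the vhost unconditionally (I believe 20.09 does); otherwise the new vhost has no PHP locations and serves nothing.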
@@ -1,107 +0,0 @@ -{ config, pkgs, ... }: - -let - common = { - enableACME = true; - forceSSL = true; - }; - secrets = import ../secrets.nix; -in { - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - commonHttpConfig = '' - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - add_header 'Referrer-Policy' 'origin-when-cross-origin'; - #add_header X-Frame-Options DENY; - #add_header X-Content-Type-Options nosniff; - #add_header X-XSS-Protection "1; mode=block"; - #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - ''; - - virtualHosts = { - "beltane.dork.dev" = { root = "/var/www/beltane"; } // common; - "dork.dev" = { - root = "/var/www/dork"; - /* locations = { - "/_matrix" = { - proxyPass = "http://[::1]:8008"; - }; - "= /.well-known/matrix/server".extraConfig = - let server = { "m.server" = "dork.dev:443"; }; in '' - add_header Content-Type application/json; - return 200 '${builtins.toJSON server}'; - ''; - "= /.well-known/matrix/client".extraConfig = - let client = { - "m.homeserver" = { "base_url" = "https://dork.dev"; }; - "m.identity_server" = { "base_url" = "https://vector.im"; }; - }; in '' - add_header Content-Type application/json; - add_header Access-Control-Allow-Origin *; - return 200 '${builtins.toJSON client}'; - ''; - }; - */ - } // common; - "kittywit.ch" = { - locations = { - "/_matrix" = { proxyPass = "http://[::1]:8008"; }; - "= /.well-known/matrix/server".extraConfig = - let server = { "m.server" = "kittywit.ch:443"; }; - in '' - add_header Content-Type application/json; - return 200 '${builtins.toJSON server}'; - ''; - "= /.well-known/matrix/client".extraConfig = let - client = { - "m.homeserver" = { "base_url" = 
"https://kittywit.ch"; }; - "m.identity_server" = { "base_url" = "https://vector.im"; }; - }; - in '' - add_header Content-Type application/json; - add_header Access-Control-Allow-Origin *; - return 200 '${builtins.toJSON client}'; - ''; - }; - } // common; - "vault.kittywit.ch" = { - locations = { - "/".proxyPass = "http://127.0.0.1:4000"; - "/notifications/hub".proxyPass = "http://127.0.0.1:3012"; - "/notifications/hub/negotiate".proxyPass = "http://127.0.0.1:80"; - }; - } // common; - /* "git.dork.dev" = { - locations = { - "/".proxyPass = "http://127.0.0.1:3000"; - }; - } // common; - */ - "znc.dork.dev" = { - locations = { "/".proxyPass = "http://127.0.0.1:5000"; }; - } // common; - "irc.dork.dev" = { - locations = { - "/" = { root = pkgs.glowing-bear; }; - "^~ /weechat" = { - proxyPass = "http://127.0.0.1:9000"; - proxyWebsockets = true; - }; - }; - } // common; - } // secrets.beltane-protected; - }; - - security.acme = { - email = secrets.acme.email; - acceptTerms = true; - }; -}
diff --git a/config/hosts/athame/services/virtualHosts.nix b/config/hosts/athame/services/virtualHosts.nix
new file mode 100644
index 00000000..1c596891
--- /dev/null
+++ b/config/hosts/athame/services/virtualHosts.nix
@@ -0,0 +1,58 @@ +{ config, pkgs, ... }: + +let + common = { + enableACME = true; + forceSSL = true; + }; + secrets = (import ../../../../secrets.nix); +in { + services.nginx.virtualHosts = { + "kittywit.ch" = { + root = "/var/www/kittywitch"; + locations = { + "/_matrix" = { proxyPass = "http://[::1]:8008"; }; + "= /.well-known/matrix/server".extraConfig = + let server = { "m.server" = "kittywit.ch:443"; }; + in '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON server}'; + ''; + "= /.well-known/matrix/client".extraConfig = let + client = { + "m.homeserver" = { "base_url" = "https://kittywit.ch"; }; + "m.identity_server" = { "base_url" = "https://vector.im"; }; + }; + in '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON client}'; + ''; + }; + } // common; + "vault.kittywit.ch" = { + locations = { + "/".proxyPass = "http://127.0.0.1:4000"; + "/notifications/hub".proxyPass = "http://127.0.0.1:3012"; + "/notifications/hub/negotiate".proxyPass = "http://127.0.0.1:80"; + }; + } // common; + "git.kittywit.ch" = { + locations = { + "/".proxyPass = "http://127.0.0.1:3000"; + }; + } // common; + "znc.kittywit.ch" = { + locations = { "/".proxyPass = "http://127.0.0.1:5000"; }; + } // common; + "irc.kittywit.ch" = { + locations = { + "/" = { root = pkgs.glowing-bear; }; + "^~ /weechat" = { + proxyPass = "http://127.0.0.1:9000"; + proxyWebsockets = true; + }; + }; + } // common; + } // secrets.virtualHosts.athame; +}
\ No newline at end of file
diff --git a/config/hosts/athame/services/weechat.nix b/config/hosts/athame/services/weechat.nix
index 43483090..8217d23e 100644
--- a/config/hosts/athame/services/weechat.nix
+++ b/config/hosts/athame/services/weechat.nix
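Review bot: `"/notifications/hub/negotiate".proxyPass = "http://127.0.0.1:80";` sends the WebSocket negotiate request to port 80, presumably nginx's own plain-HTTP listener, rather than to the Rocket port that bitwarden.nix sets with `rocketPort = 4000;` and that the `/` location already proxies to; with forceSSL on the vhost that presumably answers with a redirect instead of a negotiate response, so `"/notifications/hub/negotiate".proxyPass = "http://127.0.0.1:4000";` looks like the intended target. `"/notifications/hub"` is the WebSocket endpoint on port 3012 but carries no `proxyWebsockets = true;`, unlike the `^~ /weechat` location below it, so Upgrade/Connection headers are not forwarded. Both lines were carried over unchanged from the deleted athame nginx.nix, so this is pre-existing, but the new file is the place to fix it. The file also ends without a trailing newline.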
@@ -1,15 +1,18 @@ { config, pkgs, ... }: -{ +let + sources = import ../../../../nix/sources.nix; + unstable = import sources.nixpkgs-unstable { inherit (pkgs) config; }; +in { services.weechat = { binary = let - new-weechat = pkgs.wrapWeechat pkgs.weechat-unwrapped { + new-weechat = pkgs.arc.pkgs.wrapWeechat pkgs.arc.pkgs.weechat-unwrapped { configure = { availablePlugins, ... }: { - scripts = [ pkgs.weechatScripts.weechat-matrix ]; + scripts = [ pkgs.arc.pkgs.weechatScripts.weechat-matrix ]; plugins = [ availablePlugins.perl (availablePlugins.python.withPackages - (ps: [ ps.potr pkgs.weechatScripts.weechat-matrix ])) + (ps: [ ps.potr ps.weechat-matrix ])) ]; }; };
diff --git a/config/hosts/athame/services/znc.nix b/config/hosts/athame/services/znc.nix
index 21c07bca..9e213e7d 100644
--- a/config/hosts/athame/services/znc.nix
+++ b/config/hosts/athame/services/znc.nix
@@ -1,6 +1,6 @@ { config, pkgs, ... }: -let secrets = import ../secrets.nix; +let secrets = (import ../../../../secrets.nix); in { services.znc = { enable = true;
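Review bot: `unstable = import sources.nixpkgs-unstable { inherit (pkgs) config; };` is bound in the new `let` but nothing in this hunk references it — the wrapper, the unwrapped package and the scripts all come from `pkgs.arc.pkgs`; the attribute set continues past the hunk, so if the rest of the file does not use `unstable` either, the whole `let` block and the extra `sources` import can go. If it is used, note that as far as I know each `import sources.nixpkgs-unstable { ... }` evaluates a separate package set, so threading the `unstable` already built in config/common/default.nix through would avoid paying that twice. `ps.weechat-matrix` in the python `withPackages` list replaces the previous `pkgs.weechatScripts.weechat-matrix` while `scripts` still uses `pkgs.arc.pkgs.weechatScripts.weechat-matrix`; a short comment saying why the two references differ would help the next reader.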
@@ -16,28 +16,28 @@ in { modules = [ "webadmin" "adminlog" ]; User.kat = { Admin = true; - Nick = secrets.znc.nick; - AltNick = secrets.znc.altNick; + Nick = secrets.hosts.athame.znc.nick; + AltNick = secrets.hosts.athame.znc.altNick; Network.freenode = { - Server = "chat.freenode.net +6697 ${secrets.znc.freenode.password}"; - Chan = secrets.znc.freenode.channels; - Nick = secrets.znc.freenode.nick; - AltNick = secrets.znc.freenode.altNick; + Server = "chat.freenode.net +6697 ${secrets.hosts.athame.znc.freenode.password}"; + Chan = secrets.hosts.athame.znc.freenode.channels; + Nick = secrets.hosts.athame.znc.freenode.nick; + AltNick = secrets.hosts.athame.znc.freenode.altNick; JoinDelay = 2; LoadModule = [ "simple_away" "nickserv" ]; }; Network.espernet = { - Server = "anarchy.esper.net +6697 ${secrets.znc.espernet.password}"; - Chan = secrets.znc.espernet.channels; - Nick = secrets.znc.espernet.nick; - AltNick = secrets.znc.espernet.altNick; + Server = "anarchy.esper.net +6697 ${secrets.hosts.athame.znc.espernet.password}"; + Chan = secrets.hosts.athame.znc.espernet.channels; + Nick = secrets.hosts.athame.znc.espernet.nick; + AltNick = secrets.hosts.athame.znc.espernet.altNick; JoinDelay = 2; LoadModule = [ "simple_away" "nickserv" ]; }; Pass.password = { - Method = secrets.znc.password.method; - Hash = secrets.znc.password.hash; - Salt = secrets.znc.password.salt; + Method = secrets.hosts.athame.znc.password.method; + Hash = secrets.hosts.athame.znc.password.hash; + Salt = secrets.hosts.athame.znc.password.salt; }; }; };
diff --git a/config/hosts/boline/configuration.nix b/config/hosts/boline/configuration.nix
index aa6aa8ce..cdb8062f 100644
--- a/config/hosts/boline/configuration.nix
+++ b/config/hosts/boline/configuration.nix
@@ -13,16 +13,18 @@ boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/vda"; - networking.hostId = "0417b551"; - networking.hostName = "boline"; - - networking.useDHCP = false; - networking.interfaces.ens3.ipv4.addresses = [{ - address = "104.244.73.10"; - prefixLength = 24; - }]; - networking.defaultGateway = "104.244.73.1"; - networking.nameservers = [ "1.1.1.1" ]; + networking = { + hostName = "boline"; + domain = "kittywit.ch"; + hostId = "0417b551"; + useDHCP = false; + interfaces.ens3.ipv4.addresses = [{ + address = "104.244.73.10"; + prefixLength = 24; + }]; + defaultGateway = "104.244.73.1"; + nameservers = [ "1.1.1.1" ]; + }; system.stateVersion = "20.09"; }
diff --git a/config/hosts/samhain/configuration.nix b/config/hosts/samhain/configuration.nix
index f2eaaa56..d5fb8cbb 100644
--- a/config/hosts/samhain/configuration.nix
+++ b/config/hosts/samhain/configuration.nix
@@ -4,13 +4,13 @@ imports = [ ../../services/zfs.nix ./hardware-configuration.nix - ./services/nginx.nix + ../../services/nginx.nix ./services/thermal/thermal.nix ./services/torrenting.nix ]; meta.deploy.profiles = - [ "desktop" "development" "sway" "gaming" "network" "yubikey" ]; + [ "desktop" "development" "sway" "gaming" "network" ]; meta.deploy.ssh.host = "192.168.1.135"; # libvirtd is used for our virtual machine
diff --git a/config/hosts/yule/configuration.nix b/config/hosts/yule/configuration.nix
index 78fd9af2..67a7e23d 100644
--- a/config/hosts/yule/configuration.nix
+++ b/config/hosts/yule/configuration.nix
@@ -1,10 +1,13 @@ { config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ]; + imports = [ + ./hardware-configuration.nix + ../../services/zfs.nix + ]; meta.deploy.profiles = - [ "desktop" "development" "sway" "gaming" "network" "yubikey" ]; + [ "desktop" "development" "sway" "gaming" "network" ]; meta.deploy.ssh.host = "192.168.1.92"; boot.loader.systemd-boot.enable = true;
diff --git a/config/profiles/development/default.nix b/config/profiles/development/default.nix
deleted file mode 100644
index c27fdb0d..00000000
--- a/config/profiles/development/default.nix
+++ /dev/null
@@ -1,36 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - config = lib.mkIf (lib.elem "development" config.meta.deploy.profiles) { - environment.systemPackages = let - python-env = python-packages: - with pkgs.python38Packages; [ - pip - setuptools - psutil - ]; - python-with-env = pkgs.python3.withPackages python-env; - in [ pkgs.php pkgs.php74Packages.composer2 python-with-env ]; - home-manager.users.kat = { - programs.go.enable = true; - programs.fish = { - interactiveShellInit = '' - set fish_user_paths $fish_user_paths $HOME/.config/composer/vendor/bin - ''; - }; - home.packages = [ - pkgs.jetbrains.clion - pkgs.jetbrains.idea-ultimate - pkgs.jetbrains.goland - pkgs.jetbrains.phpstorm - pkgs.nixfmt - pkgs.carnix - pkgs.rustup - pkgs.gcc - ]; - }; - }; -}
diff --git a/config/profiles/yubikey/default.nix b/config/profiles/yubikey/default.nix
deleted file mode 100644
index 9bc639f9..00000000
--- a/config/profiles/yubikey/default.nix
+++ /dev/null
@@ -1,12 +0,0 @@ -{ config, lib, pkgs, ... }: { - config = lib.mkIf (lib.elem "yubikey" config.meta.deploy.profiles) { - services.pcscd.enable = true; - services.udev.packages = [ pkgs.yubikey-personalization ]; - programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; - pinentryFlavor = "curses"; - }; - }; -}
diff --git a/config/hosts/samhain/services/nginx.nix b/config/services/nginx.nix
similarity index 82%
rename from config/hosts/samhain/services/nginx.nix
rename to config/services/nginx.nix
index d05cc60b..74cd12d0 100644
--- a/config/hosts/samhain/services/nginx.nix
+++ b/config/services/nginx.nix
@@ -1,6 +1,7 @@ { config, pkgs, ... }: -{ +let secrets = (import ../../secrets.nix); +in { services.nginx = { enable = true; recommendedGzipSettings = true;
@@ -19,5 +20,11 @@ #add_header X-XSS-Protection "1; mode=block"; #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; ''; + clientMaxBodySize = "512m"; + }; + + security.acme = { + email = secrets.unscoped.acme.email; + acceptTerms = true; }; }
diff --git a/config/users/kat/default.nix b/config/users/kat/default.nix
index 49cb184c..4ddc6b2e 100644
--- a/config/users/kat/default.nix
+++ b/config/users/kat/default.nix
@@ -1,7 +1,7 @@ { config, pkgs, ... }: { - imports = [ ./desktop.nix ./sway.nix ./waybar.nix ./kitty.nix ./emacs.nix ]; + imports = [ ./desktop.nix ./gaming.nix ./network.nix ./sway.nix ./waybar.nix ./kitty.nix ./emacs.nix ]; users.users.kat = { uid = 1000;
diff --git a/config/users/kat/desktop.nix b/config/users/kat/desktop.nix
index f933a01d..b78ea446 100644
--- a/config/users/kat/desktop.nix
+++ b/config/users/kat/desktop.nix
@@ -11,8 +11,6 @@ in { pulseaudio = true; }; - environment.systemPackages = [ pkgs.redshift ]; - services.xserver.enable = true; services.xserver.displayManager.lightdm.enable = true; programs.light.enable = true;
@@ -41,6 +39,7 @@ in { unstable.discord pkgs.tdesktop pkgs.dino + pkgs.nextcloud-client pkgs.vegur pkgs.nitrogen pkgs.terminator
@@ -56,6 +55,8 @@ in { pkgs.htop ]; + services.nextcloud-client.enable = true; + programs.fish = { interactiveShellInit = "set -g fish_greeting ''"; }; programs.firefox = { enable = true; };
@@ -78,6 +79,15 @@ in { }; }; + services.pcscd.enable = true; + services.udev.packages = [ pkgs.yubikey-personalization ]; + + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + pinentryFlavor = "curses"; + }; + fonts.fontconfig.enable = true; fonts.fonts = [ pkgs.nerdfonts pkgs.corefonts ];
diff --git a/config/profiles/gaming/default.nix b/config/users/kat/gaming.nix
similarity index 91%
rename from config/profiles/gaming/default.nix
rename to config/users/kat/gaming.nix
index d4138658..dbb267d7 100644
--- a/config/profiles/gaming/default.nix
+++ b/config/users/kat/gaming.nix
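Review bot: `clientMaxBodySize = "512m";` raises the request-body limit for every vhost on every host that imports the shared config/services/nginx.nix (samhain now imports it too, per its configuration.nix hunk), while the only consumer of the larger limit visible on this page is Synapse's `max_upload_size = "512M"`. Scoping it to the Matrix location in virtualHosts.nix keeps the large-upload surface on the one endpoint that needs it: `"/_matrix" = { proxyPass = "http://[::1]:8008"; extraConfig = "client_max_body_size 512m;"; };`. Moving `security.acme` into the shared file also makes samhain accept the ACME terms with `secrets.unscoped.acme.email`; harmless unless that host declares `enableACME` vhosts, but worth a one-line comment in the file so the next reader knows it is shared.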
@@ -1,5 +1,6 @@ -{ config, lib, pkgs, ... }: { +{ config, lib, pkgs, ... }: +{ config = lib.mkIf (lib.elem "gaming" config.meta.deploy.profiles) { hardware.opengl.driSupport32Bit = true; hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
diff --git a/config/profiles/network/default.nix b/config/users/kat/network.nix
similarity index 100%
rename from config/profiles/network/default.nix
rename to config/users/kat/network.nix
diff --git a/config/users/kat/sway.nix b/config/users/kat/sway.nix
index ef63b723..f0c80756 100644
--- a/config/users/kat/sway.nix
+++ b/config/users/kat/sway.nix
@@ -35,7 +35,7 @@ in { config = let dmenu = "${pkgs.bemenu}/bin/bemenu --fn '${style.font.name} ${style.font.size}' --nb '${style.base16.color0}' --nf '${style.base16.color7}' --sb '${style.base16.color1}' --sf '${style.base16.color7}' -l 5 -m -1 -i"; - lockCommand = "swaylock -i ${./wallpapers/main.jpg} -s fill"; + lockCommand = "swaylock -i ${./wallpapers/main.png} -s fill"; cfg = config.home-manager.users.kat.wayland.windowManager.sway.config; in { bars = [{ command = "${pkgs.waybar}/bin/waybar"; }];
@@ -49,7 +49,7 @@ in { middle = { res = "1920x1080"; pos = "1920 0"; - bg = "${./wallpapers/main.jpg} fill"; + bg = "${./wallpapers/main.png} fill"; }; right = { res = "1920x1080";
@@ -59,7 +59,7 @@ in { laptop = { res = "1920x1080"; pos = "0 0"; - bg = "${./wallpapers/main.jpg} fill"; + bg = "${./wallpapers/main.png} fill"; }; in { "DP-1" = left;
diff --git a/config/users/kat/wallpapers/left.jpg b/config/users/kat/wallpapers/left.jpg
index f886a53a..f519c4d4 100644
Binary files a/config/users/kat/wallpapers/left.jpg and b/config/users/kat/wallpapers/left.jpg differ
diff --git a/config/users/kat/wallpapers/main.jpg b/config/users/kat/wallpapers/main.jpg
deleted file mode 100644
index f519c4d4..00000000
Binary files a/config/users/kat/wallpapers/main.jpg and /dev/null differ
diff --git a/config/users/kat/wallpapers/main.png b/config/users/kat/wallpapers/main.png
new file mode 100644
index 00000000..a8f36209
Binary files /dev/null and b/config/users/kat/wallpapers/main.png differ
diff --git a/lib/hosts.nix b/lib/hosts.nix
index 32fb91e8..1c9c23e4 100644
--- a/lib/hosts.nix
+++ b/lib/hosts.nix
@@ -1,5 +1,5 @@ { pkgs, hostsDir ? ../config/hosts -, commonImports ? [ ../config/profiles/common ../modules ], pkgsPath ? ../pkgs +, commonImports ? [ ../config/common ../modules ], pkgsPath ? ../pkgs }: with pkgs.lib;