hosts: Refactor and new nomenclature

kat witch 2021-09-09 00:56:01 +01:00
parent 7b079e36d8
commit f88022f847
No known key found for this signature in database
GPG key ID: 1B477797DCA5EC72
45 changed files with 471 additions and 591 deletions


@ -12,14 +12,14 @@ These are the NixOS configurations for my systems. I run nothing other than NixO
| Node | Network | Purpose |
|------------------|---------|----------------------------------------------------------|
| [athame][] | Public | Currently the main server. Ad-hoc hetzner cloud box. |
| [daiyousei][] | Public | Intended athame replacement. Provisioned OCI Ampere box. |
| [kyouko][] | Public | Currently the main server. Ad-hoc hetzner cloud box. |
| [daiyousei][] | Public | Intended kyouko replacement. Provisioned OCI Ampere box. |
| [rinnosuke][] | Public | My primary nameserver. Provisioned OCI EPYC box. |
| [shinmyoumaru][] | Public | My Raspberry Pi 1 Model B+. DHT22 sensors box. |
| [beltane][] | Private | Home server. NAS + HTPC, does DVB stuff. |
| [samhain][] | Private | Beloved workstation. Does VFIO. |
| [yule][] | Private | Main laptop. |
| [ostara][] | Private | CCTV netbook. |
| [yukari][] | Private | Home server. NAS + HTPC, does DVB stuff. |
| [goliath][] | Private | Beloved workstation. Does VFIO. |
| [koishi][] | Private | Main laptop. |
| [ran][] | Private | CCTV netbook. |
## Profiles
@ -151,14 +151,14 @@ Please use `nix-shell` or [direnv/direnv][]. The shell is not compatible with [n
[1]: https://github.com/kittywitch/nixfiles/actions/workflows/nodes.yml
[This repository on my self hosted git.]: https://git.kittywit.ch/kat/nixfiles
[This repository on GitHub.]: https://github.com/kittywitch/nixfiles
[athame]: config/hosts/athame
[kyouko]: config/hosts/kyouko
[daiyousei]: config/hosts/daiyousei
[rinnosuke]: config/hosts/rinnosuke
[shinmyoumaru]: config/hosts/shinmyoumaru
[beltane]: config/hosts/beltane
[samhain]: config/hosts/samhain
[yule]: config/hosts/yule
[ostara]: config/hosts/ostara
[yukari]: config/hosts/yukari
[goliath]: config/hosts/goliath
[koishi]: config/hosts/koishi
[ran]: config/hosts/ran
[here]: config/profiles/base/profiles.nix
[base]: config/profiles/base
[gui]: config/profiles/gui


@ -1 +0,0 @@
{ ... }: { imports = [ ./home/sway.nix ]; }


@ -1,18 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
{
wayland.windowManager.sway.config = {
output =
let
middle = {
res = "1280x1024@75Hz";
pos = "1920 0";
};
in
{
"VGA-1" = middle;
};
};
}


@ -1,48 +0,0 @@
{ config, lib, pkgs, sources, ... }:
with lib;
let
hexchen = (import sources.hexchen) { };
hexYgg = filterAttrs (_: c: c.enable)
(mapAttrs (_: host: host.config.network.yggdrasil) hexchen.hosts);
in
{
# stuff so dummy host is buildable (you probably don't want/need this???)
# but idk your config sooooo
boot.isContainer = true;
networking.useDHCP = false;
users.users.root.hashedPassword = "";
network.yggdrasil = {
enable = true;
pubkey = "0000000000000000000000000000000000000000000000000000000000000000";
listen.enable = true;
listen.endpoints = flatten (map (c: c.listen.endpoints) (filter
(c:
c.listen.enable && (c.pubkey
!= "0000000000000000000000000000000000000000000000000000000000000000"))
(attrValues hexYgg)));
extra.pubkeys = {
satorin =
"53d99a74a648ff7bd5bc9ba68ef4f472fb4fb8b2e26dfecea33c781f0d5c9525";
shanghai =
"0cc3c26366cbfddfb1534b25c5655733d8f429edc941bcce674c46566fc87027";
grimoire =
"2a1567a2848540070328c9e938c58d40f2b1a3f08982c15c7edc5dcabfde3330";
boline =
"89684441745467da0d1bf7f47dc74ec3ca65e05c72f752298ef3c22a22024d43";
} // (mapAttrs (_: c: c.pubkey) hexYgg);
};
# snippet for single host
# hexchen.network = {
# enable = true;
# pubkey = "0000000000000000000000000000000000000000000000000000000000000000";
# # if server, enable this and set endpoint:
# listen.enable = false;
# listen.endpoints = [
# "tcp://0.0.0.0:0"
# ];
# };
}


@ -1,17 +1,9 @@
{ meta, tf, config, pkgs, lib, sources, ... }:
with lib;
let
hexchen = (import sources.hexchen) { };
hexYgg = filterAttrs (_: c: c.enable)
(mapAttrs (_: host: host.config.network.yggdrasil) hexchen.hosts);
in
{
# Imports
{ meta, tf, config, pkgs, lib, sources, ... }: with lib; {
imports = with meta; [
profiles.hardware.ms-7b86
profiles.hardware.razer
profiles.hardware.bamboo
profiles.gui
profiles.vfio
profiles.network
@ -26,10 +18,8 @@ in
services.zfs
];
# Terraform
deploy.tf = {
resources.samhain = {
resources.goliath = {
provider = "null";
type = "resource";
connection = {
@ -39,8 +29,6 @@ in
};
};
# File Systems and Swap
boot.supportedFilesystems = [ "zfs" "xfs" ];
fileSystems = {
@ -141,22 +129,34 @@ in
{ device = "/dev/disk/by-uuid/8f944315-fe1c-4095-90ce-50af03dd5e3f"; }
];
# Bootloader
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
# Hardware
deploy.profile.hardware.acs-override = true;
users.users.kat.extraGroups = singleton "openrazer";
hardware.openrazer = {
enable = true;
hardware = {
displays = {
"HDMI-A-1" = {
res = "1920x1080";
pos = "0 0";
};
"DVI-D-1" = {
res = "1920x1200";
pos = "1290 0";
};
"DP-1" = {
res = "1920x1080";
pos = "3840 0";
};
};
bamboo.display = "HDMI-A-1";
openrazer.enable = true;
};
environment.systemPackages = [ pkgs.razergenie ];
boot.modprobe.modules = {
@ -179,8 +179,6 @@ in
SUBSYSTEM=="block", ACTION=="add", ATTRS{model}=="HFS256G32TNF-N3A", ATTRS{wwid}=="t10.ATA HFS256G32TNF-N3A0A MJ8BN15091150BM1Z ", OWNER="kat"
'';
# Networking
networking = {
hostId = "617050fc";
useDHCP = false;
@ -224,19 +222,14 @@ in
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};
};
# Firewall
network.firewall = {
public.interfaces = singleton "br";
private = {
interfaces = singleton "yggdrasil";
firewall = {
public.interfaces = singleton "br";
private = {
interfaces = singleton "yggdrasil";
};
};
};
# State
system.stateVersion = "20.09";
}
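Review bot: The line `users.users.kat.extraGroups = singleton "openrazer";` is dropped from this host, but nothing in the commit puts kat back into the openrazer group: the shared kat user definition now adds only vfio/input/uinput, and `hardware.openrazer.users` is not set in the new `hardware` block. Unless an imported profile does this elsewhere, the openrazer daemon will refuse kat's session even though `openrazer.enable = true` is kept. The module has an option for exactly this, so `openrazer = { enable = true; users = singleton "kat"; };` in the `hardware` attrset restores the previous access without touching the global user.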

config/hosts/koishi.nix Normal file

@ -0,0 +1,115 @@
{ meta, config, pkgs, lib, ... }: with lib; {
options.home-manager.users = let
userBase16Extend = { config, nixos, ... }: {
base16.alias.default = "atelier.atelier-cave-light";
};
in mkOption {
type = types.attrsOf (types.submoduleWith {
modules = singleton userBase16Extend;
});
};
imports = with meta; [
profiles.hardware.v330-14arr
profiles.gui
profiles.network
users.kat.guiFull
services.nginx
services.restic
services.zfs
];
config = {
deploy.tf = {
resources.koishi = {
provider = "null";
type = "resource";
connection = {
port = head config.services.openssh.ports;
host = config.network.addresses.private.nixos.ipv4.address;
};
};
};
boot.supportedFilesystems = singleton "zfs";
fileSystems = {
"/" = {
device = "rpool/safe/root";
fsType = "zfs";
};
"/home" = {
device = "rpool/safe/home";
fsType = "zfs";
};
"/nix" = {
device = "rpool/local/nix";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/2552-18F2";
fsType = "vfat";
};
};
swapDevices = [{ device = "/dev/disk/by-uuid/87ff4f68-cc00-494e-8eba-050469c3bf03"; }];
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
modprobe.modules = {
iwlwifi = {
options = {
wd_disable = 1;
};
};
};
};
hardware.displays = {
"eDP-1" = {
res = "1920x1080";
pos = "0 0";
};
};
networking = {
hostId = "dddbb888";
useDHCP = false;
wireless.interfaces = singleton "wlp2s0";
interfaces = {
wlp2s0.ipv4.addresses = singleton {
inherit (config.network.addresses.private.nixos.ipv4) address;
prefixLength = 24;
};
};
defaultGateway = config.network.privateGateway;
};
network = {
addresses = {
private = {
enable = true;
nixos = {
ipv4.address = "192.168.1.3";
};
};
};
yggdrasil = {
enable = true;
pubkey = "9779fd6b5bdba6b9e0f53c96e141f4b11ce5ef749d1b9e77a759a3fdbd33a653";
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};
firewall = {
public.interfaces = [ "enp1s0" "wlp2s0" ];
private.interfaces = singleton "yggdrasil";
};
};
system.stateVersion = "20.09";
};
}


@ -46,7 +46,7 @@ with lib;
# Terraform
deploy.tf = {
resources.athame = {
resources.kyouko = {
provider = "null";
type = "resource";
connection = {


@ -15,7 +15,7 @@ with lib;
# Terraform
deploy.tf = {
resources.ostara = {
resources.ran = {
provider = "null";
type = "resource";
connection = {


@ -1 +0,0 @@
{ ... }: { imports = [ ./home/sway.nix ]; }


@ -1,56 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
{
wayland.windowManager.sway = {
config = {
output =
let
left = {
res = "1920x1080";
pos = "0 0";
};
middle = {
res = "1920x1200";
pos = "1920 0";
};
right = {
res = "1920x1080";
pos = "3840 0";
};
in
{
"DP-1" = right;
"DVI-D-1" = middle;
"HDMI-A-1" = left;
};
input = {
"5426:103:Razer_Razer_Naga_Trinity" = {
accel_profile = "adaptive";
pointer_accel = "-0.5";
};
"5824:1503:screenstub-tablet" = { events = "disabled"; };
"5824:1503:screenstub-mouse" = { events = "disabled"; };
"5824:1503:screenstub-kbd" = { events = "disabled"; };
"1386:215:Wacom_BambooPT_2FG_Small_Pen" = {
map_to_output = "HDMI-A-1";
};
"1386:215:Wacom_BambooPT_2FG_Small_Finger" = {
natural_scroll = "enabled";
middle_emulation = "enabled";
tap = "enabled";
dwt = "enabled";
accel_profile = "flat";
pointer_accel = "0.05";
};
};
};
extraConfig = ''
workspace "1" output "DP-1"
workspace "11:F1" output "DVI-1"
workspace "12:F2" output "HDMI-A-1"
'';
};
}


@ -1,21 +1,15 @@
{ config, meta, pkgs, lib, ... }: with lib;
{
# Imports
{ config, meta, pkgs, lib, modulesPath, ... }: with lib; {
imports = with meta; [
profiles.hardware.raspi
profiles.network
services.dnscrypt-proxy
services.dht22-exporter
./image.nix
(modulesPath + "/installer/sd-card/sd-image-raspberrypi.nix")
];
home-manager.users.kat.programs.neovim.enable = mkForce false;
programs.mosh.enable = mkForce false;
# Terraform
deploy.tf = {
resources.shinmyoumaru = {
provider = "null";
@ -27,8 +21,6 @@
};
};
# Networking
networking = {
useDHCP = true;
interfaces.eth0.ipv4.addresses = singleton {
@ -54,16 +46,11 @@
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};
firewall = {
private.interfaces = singleton "yggdrasil";
public.interfaces = singleton "eth0";
};
};
# Firewall
network.firewall = {
private.interfaces = singleton "yggdrasil";
public.interfaces = singleton "eth0";
};
# State
system.stateVersion = "21.11";
}
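Review bot: Removing `programs.mosh.enable = mkForce false;` (and the neovim force-off) means shinmyoumaru now inherits whatever the imported profiles decide; if any of them enables mosh, the NixOS mosh module also opens UDP 60000–61000 in the firewall on this Public-network Pi, which the forced-off line specifically prevented. The imported profiles are outside this hunk, so whether that actually happens is inferred, not visible. If the hard override was only considered ugly, keep the intent with a comment, e.g. `programs.mosh.enable = mkForce false; # no mosh on the public Pi: avoids the UDP 60000-61000 firewall hole`; the neovim line was presumably there to keep the Pi 1 build small and deserves the same treatment.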


@ -1,5 +0,0 @@
{ modulesPath, ... }: {
imports = [
(modulesPath + "/installer/sd-card/sd-image-raspberrypi.nix")
];
}


@ -1 +0,0 @@
{ ... }: { }


@ -1,28 +0,0 @@
{ config, users, pkgs, profiles, ... }:
{
imports = [
./hw.nix
profiles.gui
profiles.fvwm
profiles.laptop
users.kairi.guiFull
];
networking.wireless.interfaces = [ "wlp3s0" ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages;
boot.kernelModules = [ "wl" ];
boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
networking.hostId = "d199ad70";
networking.useDHCP = false;
networking.interfaces.enp1s0.useDHCP = false;
networking.interfaces.wlp2s0.useDHCP = true;
system.stateVersion = "20.09";
}


@ -1,38 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"firewire_ohci"
"usbhid"
"usb_storage"
"sd_mod"
"sr_mod"
"sdhci_pci"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" "wl" ];
boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/236f9363-19ee-46e3-8db4-5dd1e28b742d";
fsType = "ext4";
};
boot.initrd.luks.devices."cryptroot".device =
"/dev/disk/by-uuid/b0435b6c-fd76-44d0-8b63-2c2c059df814";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/84FB-4F88";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/926c41d6-c06a-4dcc-b55d-f4cfaafe4bac"; }];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}


@ -1,10 +1,4 @@
{ meta, tf, config, pkgs, lib, ... }:
with lib;
{
# Imports
{ meta, tf, config, pkgs, lib, ... }: with lib; {
imports = with meta; [
profiles.hardware.rm-310
profiles.network
@ -21,10 +15,8 @@ with lib;
services.zfs
];
# Terraform
deploy.tf = {
resources.beltane = {
resources.yukari = {
provider = "null";
type = "resource";
connection = {
@ -34,8 +26,6 @@ with lib;
};
};
# File Systems and Swap
boot.supportedFilesystems = singleton "zfs";
fileSystems = {
@ -74,8 +64,6 @@ with lib;
{ device = "/dev/disk/by-uuid/1ee2d322-235c-41de-b272-7ceded4e2624"; }
];
# Bootloader
boot.loader = {
efi.canTouchEfiVariables = true;
grub = {
@ -91,7 +79,10 @@ with lib;
};
};
# Networking
hardware.displays."VGA-1" = {
res = "1280x1024@75Hz";
pos = "1920 0";
};
networking = {
hostId = "3ef9a419";
@ -119,20 +110,12 @@ with lib;
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};
firewall = {
private.interfaces = singleton "yggdrasil";
public.interfaces = singleton "eno1";
};
};
# Firewall
network.firewall = {
private.interfaces = singleton "yggdrasil";
public.interfaces = singleton "eno1";
};
# Yggdrasil
# State
system.stateVersion = "21.05";
}


@ -1 +0,0 @@
{ ... }: { imports = [ ./home/sway.nix ./home/base16.nix ]; }


@ -1,5 +0,0 @@
{ config, ... }:
{
base16.alias.default = "atelier.atelier-cave-light";
}


@ -1,26 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
{
wayland.windowManager.sway.config = {
output =
let
laptop = {
res = "1920x1080";
pos = "0 0";
};
in
{ "eDP-1" = laptop; };
input = {
"1739:33362:Synaptics_TM3336-002" = {
dwt = "enabled";
tap = "enabled";
natural_scroll = "enabled";
middle_emulation = "enabled";
click_method = "clickfinger";
};
};
};
}


@ -1,114 +0,0 @@
{ meta, config, pkgs, lib, ... }:
with lib;
{
# Imports
imports = with meta; [
profiles.hardware.v330-14arr
profiles.gui
profiles.network
users.kat.guiFull
services.nginx
services.restic
services.zfs
];
# Terraform
deploy.tf = {
resources.yule = {
provider = "null";
type = "resource";
connection = {
port = head config.services.openssh.ports;
host = config.network.addresses.private.nixos.ipv4.address;
};
};
};
# File Systems and Swap
boot.supportedFilesystems = singleton "zfs";
fileSystems = {
"/" = {
device = "rpool/safe/root";
fsType = "zfs";
};
"/home" = {
device = "rpool/safe/home";
fsType = "zfs";
};
"/nix" = {
device = "rpool/local/nix";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/2552-18F2";
fsType = "vfat";
};
};
swapDevices = [{ device = "/dev/disk/by-uuid/87ff4f68-cc00-494e-8eba-050469c3bf03"; }];
# Bootloader
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
# Hardware
boot.modprobe.modules = {
iwlwifi = {
options.wd_disable = 1;
};
};
# Networking
networking = {
hostId = "dddbb888";
useDHCP = false;
wireless.interfaces = singleton "wlp2s0";
interfaces = {
wlp2s0.ipv4.addresses = singleton {
inherit (config.network.addresses.private.nixos.ipv4) address;
prefixLength = 24;
};
};
defaultGateway = config.network.privateGateway;
};
network = {
addresses = {
private = {
enable = true;
nixos = {
ipv4.address = "192.168.1.3";
};
};
};
yggdrasil = {
enable = true;
pubkey = "9779fd6b5bdba6b9e0f53c96e141f4b11ce5ef749d1b9e77a759a3fdbd33a653";
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};
};
# Firewall
network.firewall = {
public.interfaces = [ "enp1s0" "wlp2s0" ];
private.interfaces = singleton "yggdrasil";
};
# State
system.stateVersion = "20.09";
}


@ -0,0 +1,22 @@
{ config, lib, nixos, ... }: with lib; {
options.hardware.displays = mkOption {
type = with types; attrsOf (submodule ({ config, ... }: {
options = {
pos = mkOption {
type = types.str;
};
res = mkOption {
type = types.str;
};
};
}));
};
config = mkMerge [
{
hardware.displays = nixos.hardware.displays;
}
(mkIf config.wayland.windowManager.sway.enable {
wayland.windowManager.sway.config.output = config.hardware.displays;
})
];
}
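Review bot: None of the new `mkOption` declarations (`hardware.displays`, `pos`, `res`) carries a `description`, and the same submodule is declared a second time on the NixOS side in `modules/nixos/hardware/displays.nix`-style file of this commit; a reader has to find the `mkIf` at the bottom to learn that `pos`/`res` are copied verbatim into sway's `output` block. Suggest `description = "Physical outputs keyed by connector name; pos and res are passed verbatim to sway's output config.";` on the outer option and one-liners on `pos`/`res` (e.g. `"Output position as \"X Y\""`, `"Mode string such as \"1920x1080@75Hz\""`), and sharing the submodule between the two declarations so the two copies cannot drift.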


@ -71,7 +71,7 @@ in
config.tf = mkMerge (singleton
({ ... }: {
imports = [
../../tf-common.nix
../../tf.nix
];
deploy.gcroot = {
name = mkDefault "kw-${config.name}";


@ -22,6 +22,7 @@ with lib;
config = {
network.importing = {
nixosImports = mkDefault (map (path: toString path) [
(root + "/config/hosts/HN.nix")
(root + "/config/hosts/HN/nixos.nix")
(root + "/config/trusted/hosts/HN/nixos.nix")
]);


@ -0,0 +1,14 @@
{ config, lib, ... }: with lib; {
options.hardware.displays = mkOption {
type = with types; attrsOf (submodule ({ config, ... }: {
options = {
pos = mkOption {
type = types.str;
};
res = mkOption {
type = types.str;
};
};
}));
};
}


@ -25,71 +25,75 @@ in
description = "Open Firewall completely for the network";
default = false;
};
listen.enable = mkOption {
type = types.bool;
description = "Allow other hosts in the network to connect directly";
default = false;
listen = {
enable = mkOption {
type = types.bool;
description = "Allow other hosts in the network to connect directly";
default = false;
};
endpoints = mkOption {
type = types.listOf types.str;
description = "Endpoints to listen on";
default = [ ];
};
};
listen.endpoints = mkOption {
type = types.listOf types.str;
description = "Endpoints to listen on";
default = [ ];
tunnel = {
localV6 = mkOption {
type = types.listOf types.str;
description = "v6 subnets to expose";
default = [ ];
};
localV4 = mkOption {
type = types.listOf types.str;
description = "v4 subnets to expose";
default = [ ];
};
remoteV6 = mkOption {
type = types.attrsOf types.str;
description = "Extra v6 subnets to route";
default = { };
};
remoteV4 = mkOption {
type = types.attrsOf types.str;
description = "Extra v4 subnets to route";
default = { };
};
};
dns.enable = mkOption {
type = types.bool;
description = "enable automatic dns record generation";
default = false;
extra = {
pubkeys = mkOption {
type = types.attrsOf types.str;
description = "Additional hosts to allow into the network. Keys won't be added to definition host.";
default = { };
example = { host = "0000000000000000000000000000000000000000000000000000000000000000"; };
};
addresses = mkOption {
type = types.attrsOf types.str;
internal = true;
default = mapAttrs (_: c: calcAddr c) cfg.extra.pubkeys;
};
localV6 = mkOption {
type = types.listOf types.str;
description = "v6 subnets to expose, but not route";
default = [ ];
};
localV4 = mkOption {
type = types.listOf types.str;
description = "v4 subnets to expose, but not route";
default = [ ];
};
};
dns.zone = mkOption {
type = types.str;
description = "Main zone to insert DNS records into";
default = "lilwit.ch";
};
dns.subdomain = mkOption {
type = types.str;
description = "subdomain to put the records into";
default = "net";
};
tunnel.localV6 = mkOption {
type = types.listOf types.str;
description = "v6 subnets to expose";
default = [ ];
};
tunnel.localV4 = mkOption {
type = types.listOf types.str;
description = "v4 subnets to expose";
default = [ ];
};
tunnel.remoteV6 = mkOption {
type = types.attrsOf types.str;
description = "Extra v6 subnets to route";
default = { };
};
tunnel.remoteV4 = mkOption {
type = types.attrsOf types.str;
description = "Extra v4 subnets to route";
default = { };
};
extra.pubkeys = mkOption {
type = types.attrsOf types.str;
description = "Additional hosts to allow into the network. Keys won't be added to definition host.";
default = { };
example = { host = "0000000000000000000000000000000000000000000000000000000000000000"; };
};
extra.addresses = mkOption {
type = types.attrsOf types.str;
internal = true;
default = mapAttrs (_: c: calcAddr c) cfg.extra.pubkeys;
};
extra.localV6 = mkOption {
type = types.listOf types.str;
description = "v6 subnets to expose, but not route";
default = [ ];
};
extra.localV4 = mkOption {
type = types.listOf types.str;
description = "v4 subnets to expose, but not route";
default = [ ];
extern = {
pubkeys = mkOption {
type = types.attrsOf types.str;
description = "Additional hosts to allow into the network. Keys won't be added to definition host.";
default = { };
example = { host = "0000000000000000000000000000000000000000000000000000000000000000"; };
};
endpoints = mkOption {
type = types.listOf types.str;
description = "Endpoints to listen on";
default = [ ];
};
};
};
@ -102,7 +106,7 @@ in
(
mapAttrsToList (_: node: node.network.yggdrasil or { enable = false; pubkey = null; }) meta.network.nodes
);
pubkeys = flatten (map (c: [ c.pubkey ] ++ (attrValues c.extra.pubkeys)) yggConfigs);
pubkeys = flatten ((filter (n: n != "0000000000000000000000000000000000000000000000000000000000000000") (attrValues cfg.extern.pubkeys)) ++ (map (c: [ c.pubkey ] ++ (attrValues c.extra.pubkeys)) yggConfigs));
in
{
assertions = [
@ -121,7 +125,7 @@ in
AllowedEncryptionPublicKeys = pubkeys;
IfName = "yggdrasil";
Listen = cfg.listen.endpoints;
Peers = lib.flatten (map (c: c.listen.endpoints) (filter (c: c.listen.enable) yggConfigs));
Peers = lib.flatten (cfg.extern.endpoints ++ (map (c: c.listen.endpoints) (filter (c: c.listen.enable) yggConfigs)));
SessionFirewall = {
Enable = true;
AllowFromRemote = false;
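Review bot: The `extern.endpoints` option is described as "Endpoints to listen on" (copy-pasted from `listen.endpoints`), but its only consumer is the `Peers` list, i.e. outbound dials; `description = "External peer endpoints this host dials (merged into Peers, never Listen)";` says what it does. Worth noting in a comment next to the `pubkeys` binding that an extern endpoint is not bound to any key: the identity of a dialled extern peer rests entirely on `AllowedEncryptionPublicKeys` (plus the SessionFirewall below), so a compromised or re-pointed endpoint is only as contained as that allow-list. The zero-key filter is applied to `cfg.extern.pubkeys` but not to `c.extra.pubkeys` of the local nodes; if a placeholder key can appear there too it would be whitelisted, though that depends on how `yggConfigs` is filtered above this hunk.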


@ -3,11 +3,13 @@
{
boot.supportedFilesystems = [ "nfs" ];
fileSystems."/mnt/kat-nas" = lib.mkIf (config.networking.hostName != "beltane") {
device = "${meta.network.nodes.beltane.network.addresses.wireguard.domain}:/mnt/zraw/media";
/*
fileSystems."/mnt/kat-nas" = lib.mkIf (config.networking.hostName != "yukari") {
device = "${meta.network.nodes.yukari.network.addresses.wireguard.domain}:/mnt/zraw/media";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" "nfsvers=4" "soft" "retrans=2" "timeo=60" ];
};
};
*/
/*
fileSystems."/mnt/hex-corn" = {


@ -0,0 +1,30 @@
{ config, lib, ... }: with lib; {
options = {
hardware.bamboo.display = mkOption {
type = types.str;
};
home-manager.users = let
userBambooExtend = { config, nixos, ... }: {
config = mkIf config.wayland.windowManager.sway.enable {
wayland.windowManager.sway.config.input = {
"1386:215:Wacom_BambooPT_2FG_Small_Pen" = {
map_to_output = nixos.hardware.bamboo.display;
};
"1386:215:Wacom_BambooPT_2FG_Small_Finger" = {
natural_scroll = "enabled";
middle_emulation = "enabled";
tap = "enabled";
dwt = "enabled";
accel_profile = "flat";
pointer_accel = "0.05";
};
};
};
};
in mkOption {
type = types.attrsOf (types.submoduleWith {
modules = singleton userBambooExtend;
});
};
};
}


@ -92,7 +92,8 @@ in
in
{
enable = true;
nixos.ipv6.address = mkIf (tf.state.resources ? ${tf.resources.${config.networking.hostName}.out.reference}) addr_ipv6_nix;
#nixos.ipv6.address = mkIf (tf.state.resources ? ${tf.resources.${config.networking.hostName}.out.reference}) addr_ipv6_nix;
nixos.ipv6.address = addr_ipv6_nix;
tf.ipv6.address = tf.resources."${config.networking.hostName}_ipv6".refAttr "ip_address";
};
};
@ -214,6 +215,7 @@ in
};
lifecycle.ignoreChanges = [
"source_details[0].source_id"
"metadata"
];
connection = {
type = "ssh";
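Review bot: Adding `"metadata"` to `lifecycle.ignoreChanges` tells Terraform to stop reconciling the instance's metadata block; on an OCI instance that block is normally where `ssh_authorized_keys` and `user_data` live, so a key rotation in config would no longer be applied and an SSH key injected out of band into the instance would never surface in a plan. If the aim is only to avoid re-creation on cloud-init changes, narrowing it to the specific key (`"metadata[\"user_data\"]"` is the usual form) keeps the authorized-keys drift check; whether this module puts the keys in `metadata` is inferred from the OCI provider rather than visible here. In the first hunk, `nixos.ipv6.address` is now set unconditionally and the old guard is left as a commented-out line; either delete it or record why the "resource not yet in state" case no longer needs protecting.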


@ -0,0 +1,20 @@
{ config, lib, ... }: with lib; {
options = {
home-manager.users = let
userRazerExtend = { config, nixos, ... }: {
config = mkIf (config.wayland.windowManager.sway.enable && nixos.hardware.openrazer.enable) {
wayland.windowManager.sway.config.input = {
"5426:103:Razer_Razer_Naga_Trinity" = {
accel_profile = "adaptive";
pointer_accel = "-0.5";
};
};
};
};
in mkOption {
type = types.attrsOf (types.submoduleWith {
modules = singleton userRazerExtend;
});
};
};
}


@ -1,15 +1,33 @@
{ config, ... }:
{ config, lib, ... }: with lib;
/*
This hardware profile corresponds to the Lenovo IdeaPad v330-14ARR.
*/
{
deploy.profile.hardware.v330-14arr = true;
options.home-manager.users = let
userTouchpadExtend = { config, nixos, ... }: {
wayland.windowManager.sway.config.input."1739:33362:Synaptics_TM3336-002" = {
dwt = "enabled";
tap = "enabled";
natural_scroll = "enabled";
middle_emulation = "enabled";
click_method = "clickfinger";
};
};
in mkOption {
type = types.attrsOf (types.submoduleWith {
modules = singleton userTouchpadExtend;
});
};
boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
config = {
deploy.profile.hardware.v330-14arr = true;
boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
};
}
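Review bot: `userTouchpadExtend` sets `wayland.windowManager.sway.config.input` unconditionally, whereas the sibling extends added in this commit (bamboo, razer, vfio) wrap the same kind of setting in `config = mkIf config.wayland.windowManager.sway.enable { ... };`; on a user without sway this still evaluates, but it is the odd one out and its `config`/`nixos` module arguments are unused. Bring it in line with `config = mkIf config.wayland.windowManager.sway.enable { wayland.windowManager.sway.config.input."1739:33362:Synaptics_TM3336-002" = { ... }; };` and drop the unused `nixos` argument. A short comment on the profile saying this submodule is injected into every home-manager user would also help, since the `options.home-manager.users` redeclaration is not an obvious idiom.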


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: with lib;
{ config, lib, pkgs, sources, ... }: with lib;
{
options.network = with lib; {
@ -9,6 +9,28 @@
};
config = {
network.yggdrasil.extern = let
hexchen = (import sources.hexchen) { };
hexYgg = filterAttrs (_: c: c.enable)
(mapAttrs (_: host: host.config.network.yggdrasil) hexchen.hosts);
in {
endpoints = flatten (map (c: c.listen.endpoints) (filter
(c:
c.listen.enable && (c.pubkey
!= "0000000000000000000000000000000000000000000000000000000000000000"))
(attrValues hexYgg)));
pubkeys = {
satorin =
"53d99a74a648ff7bd5bc9ba68ef4f472fb4fb8b2e26dfecea33c781f0d5c9525";
shanghai =
"0cc3c26366cbfddfb1534b25c5655733d8f429edc941bcce674c46566fc87027";
grimoire =
"2a1567a2848540070328c9e938c58d40f2b1a3f08982c15c7edc5dcabfde3330";
boline =
"89684441745467da0d1bf7f47dc74ec3ca65e05c72f752298ef3c22a22024d43";
} // (mapAttrs (_: c: c.pubkey) hexYgg);
};
networking.firewall.extraCommands = "ip6tables -A INPUT -p 89 -i wgmesh-+ -j ACCEPT";
networking.nftables.extraInput = ''
meta l4proto 89 iifname wgmesh-* accept
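Review bot: The allowed-key list and peer endpoints of the overlay are now computed on every host from `import sources.hexchen { }`, i.e. Nix code from a third party's repository pinned in sources.json, and `pubkeys` also hard-codes four keys (satorin, shanghai, grimoire, boline) that are tied to no endpoint. Any bump of that pin silently changes which public keys yggdrasil will accept sessions from and which hosts every machine dials, so this is a trust boundary worth marking, e.g. `# Trust boundary: keys and endpoints below come from the pinned hexchen source; review the resulting key set whenever sources.json bumps it.` above the `let`. The zero-key filter guards the endpoint list but `mapAttrs (_: c: c.pubkey) hexYgg` still passes placeholder keys through, relying on the module's own filter downstream; a one-line comment saying so would stop someone from "simplifying" that filter away.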


@ -1,8 +1,4 @@
{ config, pkgs, lib, ... }:
with lib;
let
{ config, pkgs, lib, ... }: with lib; let
win10-screenstub = pkgs.writeShellScriptBin "win10-screenstub" ''
${pkgs.screenstub-kat}/bin/screenstub -c "${./screenstub.yml}" x
'';
@ -11,62 +7,75 @@ let
'';
in
{
# TODO: move to upstream screenstub with config options, move screenstub.yml into specific host
deploy.profile.vfio = true;
environment.systemPackages = with pkgs; [
win10-screenstub
win10-vm
win10-diskmapper
ddcutil
];
users.users.kat.extraGroups = [ "vfio" "input" "uinput" ];
users.groups = { uinput = { }; vfio = { }; };
boot = lib.mkMerge [{
initrd.kernelModules = mkBefore [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
kernelModules = [ "i2c-dev" ]; # i2c-dev is required for DDC/CI for screenstub
kernelPatches = with pkgs.kernelPatches; [
(mkIf config.deploy.profile.hardware.acs-override acs-override)
];
}
(mkIf (config.deploy.profile.hardware.amdgpu) {
kernelParams = [
"video=efifb:off"
];
extraModulePackages = [
(pkgs.linuxPackagesFor config.boot.kernelPackages.kernel).vendor-reset
];
})
(mkIf (config.deploy.profile.hardware.acs-override) {
kernelParams = [
"pci=noats"
"pcie_acs_override=downstream,multifunction"
];
})];
environment.etc."qemu/bridge.conf".text = "allow br";
security.wrappers = {
qemu-bridge-helper = {
source = "${pkgs.qemu-vfio}/libexec/qemu-bridge-helper";
};
options.home-manager.users = let
userVFIOExtend = { config, ... }: {
config = mkIf config.wayland.windowManager.sway.enable {
wayland.windowManager.sway.config.input = genAttrs [ "tablet" "mouse" "kbd" ] (t:
nameValuePair "5824:1503:screenstub-${t}" ({ events = "disabled"; })
);
};
};
in mkOption {
type = types.attrsOf (types.submoduleWith {
modules = singleton userVFIOExtend;
});
};
services.udev.extraRules = ''
SUBSYSTEM=="i2c-dev", GROUP="vfio", MODE="0660"
SUBSYSTEM=="misc", KERNEL=="uinput", OPTIONS+="static_node=uinput", MODE="0660", GROUP="uinput"
SUBSYSTEM=="vfio", OWNER="root", GROUP="vfio"
'';
config = {
deploy.profile.vfio = true;
security.pam.loginLimits = [{
domain = "@vfio";
type = "-";
item = "memlock";
value = "unlimited";
}];
environment.systemPackages = with pkgs; [
win10-screenstub
win10-vm
win10-diskmapper
ddcutil
];
systemd.extraConfig = "DefaultLimitMEMLOCK=infinity";
users.groups = { uinput = { }; vfio = { }; };
boot = lib.mkMerge [{
initrd.kernelModules = mkBefore [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
kernelModules = [ "i2c-dev" ]; # i2c-dev is required for DDC/CI for screenstub
kernelPatches = with pkgs.kernelPatches; [
(mkIf config.deploy.profile.hardware.acs-override acs-override)
];
}
(mkIf (config.deploy.profile.hardware.amdgpu) {
kernelParams = [
"video=efifb:off"
];
extraModulePackages = [
(pkgs.linuxPackagesFor config.boot.kernelPackages.kernel).vendor-reset
];
})
(mkIf (config.deploy.profile.hardware.acs-override) {
kernelParams = [
"pci=noats"
"pcie_acs_override=downstream,multifunction"
];
})];
environment.etc."qemu/bridge.conf".text = "allow br";
security.wrappers = {
qemu-bridge-helper = {
source = "${pkgs.qemu-vfio}/libexec/qemu-bridge-helper";
};
};
services.udev.extraRules = ''
SUBSYSTEM=="i2c-dev", GROUP="vfio", MODE="0660"
SUBSYSTEM=="misc", KERNEL=="uinput", OPTIONS+="static_node=uinput", MODE="0660", GROUP="uinput"
SUBSYSTEM=="vfio", OWNER="root", GROUP="vfio"
'';
security.pam.loginLimits = [{
domain = "@vfio";
type = "-";
item = "memlock";
value = "unlimited";
}];
systemd.extraConfig = "DefaultLimitMEMLOCK=infinity";
};
}
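Review bot: The `genAttrs [ "tablet" "mouse" "kbd" ] (t: nameValuePair ...)` expression in `userVFIOExtend` does not produce the intended attrset: `genAttrs` keys the result by the list element, so it yields `{ tablet = { name = "5824:1503:screenstub-tablet"; value = { events = "disabled"; }; }; ... }`, which sway's `input` option (attrsOf (attrsOf str)) will reject because `value` is an attrset, and the device names never appear. The old per-device entries that this replaces were correct. Use `wayland.windowManager.sway.config.input = listToAttrs (map (t: nameValuePair "5824:1503:screenstub-${t}" { events = "disabled"; }) [ "tablet" "mouse" "kbd" ]);` instead.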


@ -45,7 +45,7 @@
mailer = {
ENABLED = true;
SUBJECT = "%(APP_NAME)s";
HOST = "athame.kittywit.ch:465";
HOST = "kyouko.kittywit.ch:465";
USER = "gitea@kittywit.ch";
#SEND_AS_PLAIN_TEXT = true;
USE_SENDMAIL = false;


@ -35,7 +35,7 @@ let
{ element.matroskamux.streamable = true; }
{
element.tcpclientsink = {
host = meta.network.nodes.beltane.network.addresses.private.nixos.ipv4.address;
host = meta.network.nodes.yukari.network.addresses.private.nixos.ipv4.address;
port = "4953";
sync = false;
};


@ -71,8 +71,8 @@ in
fqdn = config.network.addresses.public.domain;
domains = [ "kittywit.ch" "dork.dev" ];
certificateScheme = 1;
certificateFile = "/var/lib/acme/${config.mailserver.fqdn}/cert.pem";
keyFile = "/var/lib/acme/${config.mailserver.fqdn}/key.pem";
certificateFile = "/var/lib/acme/public_${config.networking.hostName}/cert.pem";
keyFile = "/var/lib/acme/public_${config.networking.hostName}/key.pem";
enableImap = true;
enablePop3 = true;
enableImapSsl = true;
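Review bot: With `certificateScheme = 1` the mailserver treats `certificateFile`/`keyFile` as static files, so pointing them at the ACME directory for `public_<hostname>` only works if that certificate carries `config.mailserver.fqdn` as a SAN and postfix/dovecot are reloaded after each renewal and can read `key.pem` (the acme group, or the cert's `group` option); none of that is visible in this hunk. If the `public_<hostname>` ACME definition elsewhere does not already handle it, add `security.acme.certs."public_${config.networking.hostName}".reloadServices = [ "postfix" "dovecot2" ];` (or an equivalent `postRun`), otherwise IMAP/SMTP will keep serving the expired certificate after the first renewal. A comment on `certificateScheme = 1` stating that the files are ACME-managed would save the next reader from assuming they are hand-installed.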


@ -10,7 +10,7 @@
secrets.files.vaultwarden-env = {
text = ''
ADMIN_TOKEN=${tf.variables.vaultwarden-password.ref}
SMTP_HOST=athame.kittywit.ch
SMTP_HOST=kyouko.kittywit.ch
SMTP_FROM=vaultwarden@kittywit.ch
SMTP_FROM_NAME=Vaultwarden
SMTP_PORT=465


@ -6,9 +6,9 @@ with lib;
programs.weechat = {
init = lib.mkMerge [
(lib.mkBefore ''
/server add espernet athame.kittywit.ch/5001 -ssl -autoconnect
/server add softnet athame.kittywit.ch/5001 -ssl -autoconnect
/server add liberachat athame.kittywit.ch/5001 -ssl -autoconnect
/server add espernet kyouko.kittywit.ch/5001 -ssl -autoconnect
/server add softnet kyouko.kittywit.ch/5001 -ssl -autoconnect
/server add liberachat kyouko.kittywit.ch/5001 -ssl -autoconnect
/matrix server add kittywitch kittywit.ch
/key bind meta-g /go
/key bind meta-v /input jump_last_buffer_displayed


@ -8,7 +8,7 @@
"ssh-rsa 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 yubikey5"
];
shell = pkgs.zsh;
extraGroups = [ "wheel" "video" "systemd-journal" "plugdev" "bird2" ];
extraGroups = [ "wheel" "video" "systemd-journal" "plugdev" "bird2" "vfio" "input" "uinput" ];
hashedPassword =
removeSuffix "\n" config.kw.secrets.repo.kat-user.text;
};
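Review bot: Adding `"vfio" "input" "uinput"` to kat's `extraGroups` here applies to every host that imports this user, including the public servers; `input` grants read access to all `/dev/input/event*` devices (every keystroke on the box) and `uinput` allows injecting input, which only the VFIO/screenstub workstation needs. These memberships were previously set inside the vfio profile, which is where they should stay, e.g. `users.users.kat.extraGroups = [ "vfio" "input" "uinput" ];` in that profile's `config` block, keeping the shared definition at its earlier list. If the global placement is deliberate (for example for the laptop's tablet), a comment saying so would stop it being reverted.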


@ -34,8 +34,8 @@
boxes = [ "Inbox" ];
onNotifyPost = "${pkgs.notmuch}/bin/notmuch new && ${pkgs.libnotify}/bin/notify-send 'New mail arrived'";
};
imap.host = "athame.kittywit.ch";
smtp.host = "athame.kittywit.ch";
imap.host = "kyouko.kittywit.ch";
smtp.host = "kyouko.kittywit.ch";
passwordCommand = "bitw get services/email/kittywitch -f password";
gpg = {
signByDefault = true;


@ -37,21 +37,21 @@
irc = {
server = {
softnet = {
address = "athame.kittywit.ch/5001";
address = "kyouko.kittywit.ch/5001";
password = "kat@${nixos.networking.hostName}/softnet:\${sec.data.znc}";
ssl = true;
ssl_verify = false;
autoconnect = true;
};
liberachat = {
address = "athame.kittywit.ch/5001";
address = "kyouko.kittywit.ch/5001";
password = "kat@${nixos.networking.hostName}/liberachat:\${sec.data.znc}";
ssl = true;
ssl_verify = false;
autoconnect = true;
};
espernet = {
address = "athame.kittywit.ch/5001";
address = "kyouko.kittywit.ch/5001";
password = "kat@${nixos.networking.hostName}/espernet:\${sec.data.znc}";
ssl = true;
ssl_verify = false;


@ -54,21 +54,21 @@
irc = {
server = {
softnet = {
address = "athame.kittywit.ch/5001";
address = "kyouko.kittywit.ch/5001";
password = "kat@${nixos.networking.hostName}/softnet:\${sec.data.znc}";
ssl = true;
ssl_verify = false;
autoconnect = true;
};
liberachat = {
address = "athame.kittywit.ch/5001";
address = "kyouko.kittywit.ch/5001";
password = "kat@${nixos.networking.hostName}/liberachat:\${sec.data.znc}";
ssl = true;
ssl_verify = false;
autoconnect = true;
};
espernet = {
address = "athame.kittywit.ch/5001";
address = "kyouko.kittywit.ch/5001";
password = "kat@${nixos.networking.hostName}/espernet:\${sec.data.znc}";
ssl = true;
ssl_verify = false;


@ -171,10 +171,10 @@
"homepage": null,
"owner": "arcnmx",
"repo": "tf-nix",
"rev": "074956f3d323d480581cee26a581f0819c6c25c4",
"sha256": "18d376hqk9ydmaj1zybpj3al3wr5p31ap86cbxyixbiyqgbg5ni3",
"rev": "80a8aac6e114b23aea71ba92f9791ba31354b302",
"sha256": "00fgnbvcqdhpnniqjjli2p49am27bkcb6ijbhplcdnwf7wcjlvrp",
"type": "tarball",
"url": "https://github.com/arcnmx/tf-nix/archive/074956f3d323d480581cee26a581f0819c6c25c4.tar.gz",
"url": "https://github.com/arcnmx/tf-nix/archive/80a8aac6e114b23aea71ba92f9791ba31354b302.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}
}