diff --git a/flake.lock b/flake.lock
index 5d1ad8b..3baf885 100644
--- a/flake.lock
+++ b/flake.lock
@@ -158,7 +158,8 @@ "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", - "nur": "nur" + "nur": "nur", + "website": "website" } }, "systems": {
@@ -175,6 +176,22 @@ "repo": "default", "type": "github" } + }, + "website": { + "flake": false, + "locked": { + "lastModified": 1689011009, + "narHash": "sha256-fZKVdh8m+XT3Q6+K5MeX9KlBa5oEvDIzPz4XNpQee9k=", + "owner": "buffet", + "repo": "website", + "rev": "1321da0aab3a83733535b8374af20a889cc005b1", + "type": "github" + }, + "original": { + "owner": "buffet", + "repo": "website", + "type": "github" + } } }, "root": "root",
diff --git a/flake.nix b/flake.nix
index 5ebdc79..229cd62 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,24 +22,35 @@ url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; };
+
+ website = {
+ url = "github:buffet/website";
+ flake = false;
+ };
 }; outputs = { nixpkgs, nixpkgs-unstable, ...
- } @ args: {
- nixosConfigurations.alice = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- specialArgs = args;
- modules = let
- overlay-unstable = final: prev: {
- unstable = nixpkgs-unstable.legacyPackages.${prev.system};
- };
- in [
- ./hosts/alice
- (_: {nixpkgs.overlays = [(import ./overlay args) overlay-unstable];})
- ];
+ } @ args: let
+ makeSystem = system: config:
+ nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = args;
+ modules = let
+ overlay-unstable = final: prev: {
+ unstable = nixpkgs-unstable.legacyPackages.${prev.system};
+ };
+ in [
+ config
+ (_: {nixpkgs.overlays = [(import ./overlay args) overlay-unstable];})
+ ];
+ };
+ in {
+ nixosConfigurations = {
+ alice = makeSystem "x86_64-linux" ./hosts/alice;
+ tara = makeSystem "x86_64-linux" ./hosts/tara;
 }; }; }
diff --git a/hosts/alice/system.nix b/hosts/alice/system.nix
index d9c6fba..0769cdd 100644
--- a/hosts/alice/system.nix
+++ b/hosts/alice/system.nix
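Review bot: `makeSystem`'s second parameter is called `config`, which in NixOS module code conventionally names the evaluated configuration, so `config` appearing inside the `modules` list reads like a leaked module argument rather than the host's entry module; renaming removes the ambiguity: `makeSystem = system: hostModule:` and `hostModule` in place of `config` in the list. A one-line comment on the helper would also help, e.g. `# Build one nixosSystem; every flake input (now including the non-flake website source) is forwarded to modules via specialArgs`, since `specialArgs = args` hands all inputs to both hosts even though only tara consumes `website`.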
@@ -37,7 +37,7 @@ settings = { auto-optimise-store = true;
- trusted-users = ["root" "buffet"];
+ trusted-users = ["root"];
 }; gc = {
diff --git a/hosts/tara/acme.nix b/hosts/tara/acme.nix
new file mode 100644
index 0000000..c500f0f
--- /dev/null
+++ b/hosts/tara/acme.nix
@@ -0,0 +1,11 @@
+_: {
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "acme@buffet.sh";
+ certs."buffet.sh" = {
+ extraDomainNames = [
+ "bitwarden.buffet.sh"
+ ];
+ };
+ };
+}
diff --git a/hosts/tara/bitwarden.nix b/hosts/tara/bitwarden.nix
new file mode 100644
index 0000000..886fcbc
--- /dev/null
+++ b/hosts/tara/bitwarden.nix
@@ -0,0 +1,35 @@
+{config, ...}: let
+ port = 12224;
+in {
+ age.secrets.bitwarden.file = ../../secrets/bitwarden.age;
+
+ services = {
+ vaultwarden = {
+ enable = true;
+ environmentFile = config.age.secrets.bitwarden.path;
+ config = {
+ domain = "https://bitwarden.buffet.sh/";
+ signupsAllowed = false;
+ rocketPort = port;
+ };
+ };
+
+ nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts."bitwarden.buffet.sh" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://localhost:${toString port}";
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/tara/borg.nix b/hosts/tara/borg.nix
new file mode 100644
index 0000000..f91f384
--- /dev/null
+++ b/hosts/tara/borg.nix
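Review bot: `certs."buffet.sh".extraDomainNames = ["bitwarden.buffet.sh"]` requests a SAN that the bitwarden.nix vhost in this same commit also obtains on its own via `enableACME = true`, so the same hostname ends up on two certificates; unless the combined certificate is used by something outside this diff, one of the two is redundant and both count against the CA's per-hostname issuance limits. If a single certificate is intended, the bitwarden vhost should set `useACMEHost = "buffet.sh";` instead of `enableACME = true;`; if per-vhost certificates are intended, the `certs."buffet.sh"` block can be removed. Either way a short comment stating which certificate serves `bitwarden.buffet.sh` would spare the next reader the same question.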
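Review bot: The vaultwarden `config` block pins `rocketPort` but not the bind address, so whether port 12224 is reachable beyond loopback depends on the vaultwarden default rather than on this file; the firewall (website.nix opens only 80/443, weechat.nix its own port) would still block it externally, but adding `rocketAddress = "127.0.0.1";` next to `rocketPort = port;` makes the proxy-only topology explicit and survives later firewall edits. With that in place `proxyPass` should point at `"http://127.0.0.1:${toString port}"` rather than `localhost`, which can resolve to `::1` and produce spurious 502s. Note also that nginx proxies `/` wholesale, so if `environmentFile` defines an admin token the `/admin` panel is exposed on the public vhost — I cannot see the secret's contents from the diff, so a comment on `environmentFile` saying whether the admin panel is enabled, or a `locations."/admin"` block restricting it, would make that reviewable.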
@@ -0,0 +1,31 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ host = "11967@prio.ch-s011.rsync.net";
+in {
+ age.secrets.borgpassword.file = ../../secrets/borgpassword.age;
+
+ services.borgbackup = {
+ jobs.backup = {
+ paths = ["/etc" "/home" "/root" "/var"];
+ exclude = ["/var/log"];
+ repo = "${host}:${config.networking.hostName}";
+ encryption = {
+ mode = "repokey";
+ passCommand = "cat ${config.age.secrets.borgpassword.path}";
+ };
+ startAt = "daily";
+ persistentTimer = true;
+ environment.BORG_RSH = "ssh -i /home/buffet/.ssh/id_borg";
+ extraArgs = "--remote-path borg1";
+ prune.keep = {
+ within = "1d";
+ daily = 7;
+ weekly = 4;
+ monthly = -1;
+ };
+ };
+ };
+}
diff --git a/hosts/tara/default.nix b/hosts/tara/default.nix
new file mode 100644
index 0000000..5dec6c8
--- /dev/null
+++ b/hosts/tara/default.nix
@@ -0,0 +1,36 @@
+{
+ pkgs,
+ agenix,
+ ...
+}: {
+ imports = [
+ ./hardware-configuration.nix
+ ./system.nix
+ agenix.nixosModules.default
+
+ ./acme.nix
+ ./bitwarden.nix
+ ./borg.nix
+ ./mosh.nix
+ ./website.nix
+ ./weechat.nix
+
+ ../../users/maintainer
+ ];
+
+ # TODO: put somewhere
+ age.identityPaths = ["/home/buffet/.ssh/id_agenix"];
+ networking.hostName = "tara";
+
+ users = {
+ mutableUsers = false;
+ users.root.hashedPassword = "!";
+ };
+
+ environment.systemPackages = with pkgs; [
+ git
+ htop
+ neovim
+ tree
+ ];
+}
diff --git a/hosts/tara/hardware-configuration.nix b/hosts/tara/hardware-configuration.nix
new file mode 100644
index 0000000..cbf5c7c
--- /dev/null
+++ b/hosts/tara/hardware-configuration.nix
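Review bot: `environment.BORG_RSH = "ssh -i /home/buffet/.ssh/id_borg"` points the root-run backup job at a key inside a user's home, yet this host's default.nix imports only `../../users/maintainer`, so unless a `buffet` account is declared somewhere outside this diff that path will not exist on tara and every run will fail at the SSH step. Storing the key as an agenix secret, the same way `borgpassword` is handled a few lines above, would give it root-only permissions independent of any home directory. Separately, the job runs non-interactively, so the rsync.net host key must already be in root's known_hosts or `BORG_RSH` needs `-o UserKnownHostsFile=<path-to-pinned-known_hosts>`; a comment stating which of the two is relied upon would help.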
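Review bot: `age.identityPaths = ["/home/buffet/.ssh/id_agenix"]` (already flagged by the `# TODO: put somewhere` above it) makes secret decryption at activation depend on a key in a home directory whose owner is not among the imported user modules (`../../users/maintainer` is the only one), so if `buffet` is not declared elsewhere the identity is missing and neither `bitwarden` nor `borgpassword` can be decrypted. agenix's default identities are the host SSH keys, so dropping the line (or listing `/etc/ssh/ssh_host_ed25519_key`) and re-keying the secrets in secrets.nix to the host's public key removes the dependency on a user account; if the current path is deliberate, replacing the TODO with a comment naming why would help. `users.root.hashedPassword = "!"` together with `mutableUsers = false` locks root and any user without a declared password, which is good, but a one-line comment would be useful since it is what makes `wheelNeedsPassword = false` in system.nix tolerable.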
@@ -0,0 +1,37 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["virtio_pci" "virtio_scsi" "ahci" "sd_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/sda";
+ fsType = "ext4";
+ };
+
+ swapDevices = [
+ {device = "/dev/sdb";}
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s5.useDHCP = lib.mkDefault true;
+
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/tara/linode.nix b/hosts/tara/linode.nix
new file mode 100644
index 0000000..e4b07ea
--- /dev/null
+++ b/hosts/tara/linode.nix
@@ -0,0 +1,17 @@
+{pkgs, ...}: {
+ boot = {
+ kernelParams = ["console=ttyS0,19200n8"];
+ loader.grub.extraConfig = ''
+ serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+ terminal_input serial;
+ terminal_output serial
+ '';
+ };
+
+ # packages used for maintanence
+ environment.systemPackages = with pkgs; [
+ inetutils
+ mtr
+ sysstat
+ ];
+}
diff --git a/hosts/tara/mosh.nix b/hosts/tara/mosh.nix
new file mode 100644
index 0000000..903c356
--- /dev/null
+++ b/hosts/tara/mosh.nix
@@ -0,0 +1,5 @@
+_: {
+ programs.mosh = {
+ enable = true;
+ };
+}
diff --git a/hosts/tara/system.nix b/hosts/tara/system.nix
new file mode 100644
index 0000000..5b095c0
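Review bot: The comment `# packages used for maintanence` has a typo; `# packages used for maintenance` reads correctly. The grub `extraConfig` enables a serial console at 19200 baud, which has to match `console=ttyS0,19200n8` in `kernelParams`; a comment on the `boot` block such as `# serial console for the provider's out-of-band access; keep the baud rate in sync with kernelParams` would record that coupling so one value is not changed without the other.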
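Review bot: `programs.mosh.enable = true` also opens mosh's UDP port range in the NixOS firewall, because the module's `openFirewall` option defaults to true, so this five-line file widens the host's exposed surface more than its text suggests. If that is intended, a comment saying so would help; if not, `openFirewall = false;` next to `enable = true;` keeps the firewall closed. Mosh still bootstraps its session over SSH, so whatever key-only policy is chosen for `services.openssh` in system.nix applies here as well.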
--- /dev/null
+++ b/hosts/tara/system.nix
@@ -0,0 +1,44 @@
+{...}: {
+ imports = [
+ ./linode.nix
+ ];
+
+ # Don't change!
+ system.stateVersion = "22.05";
+
+ time.timeZone = "UTC";
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ boot = {
+ loader.grub.forceInstall = true;
+ loader.grub.device = "nodev";
+ loader.timeout = 10;
+ tmp.cleanOnBoot = true;
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+ services.openssh.enable = true;
+
+ networking = {
+ hostName = "tara";
+ firewall.allowPing = true;
+ usePredictableInterfaceNames = false;
+ };
+
+ nix = {
+ settings = {
+ auto-optimise-store = true;
+ trusted-users = ["root"];
+ };
+
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 14d";
+ };
+
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ };
+}
diff --git a/hosts/tara/website.nix b/hosts/tara/website.nix
new file mode 100644
index 0000000..510158d
--- /dev/null
+++ b/hosts/tara/website.nix
@@ -0,0 +1,24 @@
+{website, ...}: {
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts."buffet.sh" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "${website}";
+ };
+
+ virtualHosts."unix.pics" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/var/lib/stuff/unix.pics";
+ };
+ };
+}
diff --git a/hosts/tara/weechat.nix b/hosts/tara/weechat.nix
new file mode 100644
index 0000000..53266ba
--- /dev/null
+++ b/hosts/tara/weechat.nix
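Review bot: `services.openssh.enable = true;` leaves sshd on its defaults, and sitting directly under `security.sudo.wheelNeedsPassword = false;` that makes the wheel user's SSH key the only barrier to root on an internet-facing host; pinning the policy in this file is cheap: `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "no";`. Root's password is locked in default.nix and the maintainer account declares no password, so key-only login is already the effective state, but stating it explicitly keeps it true if a password is ever added. If passwordless wheel sudo is deliberate for an unattended maintainer account, a comment on that line saying so would help the next reader.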
@@ -0,0 +1,22 @@ +{pkgs, ...}: let + port = 4124; +in { + networking.firewall.allowedTCPPorts = [port]; + + environment.systemPackages = with pkgs; [ + screen + ]; + + systemd.services.weechat = { + after = ["network-online.target"]; + wantedBy = ["multi-user.target"]; + serviceConfig = { + Type = "simple"; + Restart = "always"; + User = "maintainer"; + Group = "users"; + }; + + script = "exec ${pkgs.screen}/bin/screen -Dm -S weechat ${pkgs.weechat}/bin/weechat"; + }; +} diff --git a/keys.nix b/keys.nix new file mode 100644 index 0000000..ebeaae7 --- /dev/null +++ b/keys.nix @@ -0,0 +1,3 @@ +[ + "ssh-rsa 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" # id_rsa +] diff --git a/secrets.nix b/secrets.nix index b6fc18c..b1a7eeb 100644 --- a/secrets.nix +++ b/secrets.nix @@ -1,5 +1,6 @@ let buffet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOA928bjB90FwkTLtQcPW1mP+QLViVfEVdMHg+7/8Fxh"; in { + "secrets/bitwarden.age".publicKeys = [buffet]; "secrets/borgpassword.age".publicKeys = [buffet]; } diff --git a/secrets/bitwarden.age b/secrets/bitwarden.age new file mode 100644 index 0000000..9818e6a --- /dev/null +++ b/secrets/bitwarden.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 zRvPWg nB1tKQNQ42LV7cIa2ZAhyyzYAtFd7SYBIi+Tn+42swE +tEjEtJTZLduh8sGoH1taPtuVSP5zciOZzRgLvXgibDw +-> ~I/b8A-grease (HOy +uAwKXFCjFDqOl33OSOkWnM3Uag7J9wIWLf691lstEEb9HESumYqC9hVL00Gh0EZ4 ++Q/D44pd6Ezc+QuWhaYjgdY +--- fxPFJd0SxJu7mCR+lroO5NZkL+bkAHd40hWOKixfQ08 + JY=DDqBN:"ݔ$׉LA+C:ȶA>"u*`*B.Tx$QUնB.Oa^ u ~ O \ No newline at end of file diff --git a/users/buffet/default.nix b/users/buffet/default.nix index 1fc2434..e3e5974 100644 --- a/users/buffet/default.nix +++ b/users/buffet/default.nix @@ -25,10 +25,16 @@ ]; }; + nix.settings.trusted-users = ["buffet"]; + home-manager.users.buffet = { home = { stateVersion = "23.11"; + sessionVariables = { + EDITOR = "nvim"; + }; + packages = with pkgs; [ #SDL2 #SDL2.dev 
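Review bot: `after = ["network-online.target"]` without a matching `wants` does not pull the target in, so the ordering is a no-op unless something else requests it; add `wants = ["network-online.target"];` beside `after`. The firewall opens TCP 4124 but nothing in this module binds a listener to it — presumably a weechat relay configured inside the running client — so a comment naming what listens there, and that the relay side is expected to require TLS and a password, would make the exposure reviewable. The unit also runs as `maintainer`, the account that holds passwordless sudo and Nix trusted-user rights on this host, so a compromise of the IRC client reaches root-equivalent privileges; a dedicated service user would contain that.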
diff --git a/users/maintainer/default.nix b/users/maintainer/default.nix
new file mode 100644
index 0000000..be7acd1
--- /dev/null
+++ b/users/maintainer/default.nix
@@ -0,0 +1,12 @@
+{pkgs, ...}: {
+ users.users.maintainer = {
+ isNormalUser = true;
+ uid = 1001;
+ openssh.authorizedKeys.keys = import ../../keys.nix;
+ extraGroups = [
+ "wheel"
+ ];
+ };
+
+ nix.settings.trusted-users = ["maintainer"];
+}
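Review bot: This module combines an SSH key imported from the shared `keys.nix` with two root-equivalent privileges — `wheel` membership (passwordless via `wheelNeedsPassword = false` in hosts/tara/system.nix) and `nix.settings.trusted-users = ["maintainer"]` — and none of it is documented; a header comment such as `# Unattended admin account: key-only SSH, passwordless sudo, Nix trusted user (root-equivalent)` states the trust model in one place. `trusted-users` is redundant with passwordless sudo on this host and could be dropped so the account's privilege comes from one mechanism, unless it is needed for remote `nix copy`/deploy flows, in which case a comment saying so would settle it. `import ../../keys.nix` also pulls in every key in that file; keying that file by name (an attrset) rather than a bare list would let each user module select only its own keys as the list grows.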