kitchen/rice
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

add tara config

Browse source
This commit is contained in:
buffet 2024-01-25 16:54:05 +01:00
parent df8b38d5f5
commit 593639ba21
18 changed files with 334 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
flake.lock
View file

@ -158,7 +158,8 @@
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"nur": "nur" "nur": "nur",
"website": "website"
} }
}, },
"systems": { "systems": {
@ -175,6 +176,22 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"website": {
"flake": false,
"locked": {
"lastModified": 1689011009,
"narHash": "sha256-fZKVdh8m+XT3Q6+K5MeX9KlBa5oEvDIzPz4XNpQee9k=",
"owner": "buffet",
"repo": "website",
"rev": "1321da0aab3a83733535b8374af20a889cc005b1",
"type": "github"
},
"original": {
"owner": "buffet",
"repo": "website",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

35
flake.nix
View file

@ -22,24 +22,35 @@
url = "github:Mic92/nix-index-database"; url = "github:Mic92/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
website = {
url = "github:buffet/website";
flake = false;
};
}; };
outputs = { outputs = {
nixpkgs, nixpkgs,
nixpkgs-unstable, nixpkgs-unstable,
... ...
} @ args: { } @ args: let
nixosConfigurations.alice = nixpkgs.lib.nixosSystem { makeSystem = system: config:
system = "x86_64-linux"; nixpkgs.lib.nixosSystem {
specialArgs = args; inherit system;
modules = let specialArgs = args;
overlay-unstable = final: prev: { modules = let
unstable = nixpkgs-unstable.legacyPackages.${prev.system}; overlay-unstable = final: prev: {
}; unstable = nixpkgs-unstable.legacyPackages.${prev.system};
in [ };
./hosts/alice in [
(_: {nixpkgs.overlays = [(import ./overlay args) overlay-unstable];}) config
]; (_: {nixpkgs.overlays = [(import ./overlay args) overlay-unstable];})
];
};
in {
nixosConfigurations = {
alice = makeSystem "x86_64-linux" ./hosts/alice;
tara = makeSystem "x86_64-linux" ./hosts/tara;
}; };
}; };
} }

2
hosts/alice/system.nix
View file

@ -37,7 +37,7 @@
settings = { settings = {
auto-optimise-store = true; auto-optimise-store = true;
trusted-users = ["root" "buffet"]; trusted-users = ["root"];
}; };
gc = { gc = {

11
hosts/tara/acme.nix Normal file
View file

@ -0,0 +1,11 @@
_: {
security.acme = {
acceptTerms = true;
defaults.email = "acme@buffet.sh";
certs."buffet.sh" = {
extraDomainNames = [
"bitwarden.buffet.sh"
];
};
};
}

35
hosts/tara/bitwarden.nix Normal file
View file

@ -0,0 +1,35 @@
{config, ...}: let
port = 12224;
in {
age.secrets.bitwarden.file = ../../secrets/bitwarden.age;
services = {
vaultwarden = {
enable = true;
environmentFile = config.age.secrets.bitwarden.path;
config = {
domain = "https://bitwarden.buffet.sh/";
signupsAllowed = false;
rocketPort = port;
};
};
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."bitwarden.buffet.sh" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString port}";
};
};
};
};
}

31
hosts/tara/borg.nix Normal file
View file

@ -0,0 +1,31 @@
{
config,
pkgs,
...
}: let
host = "11967@prio.ch-s011.rsync.net";
in {
age.secrets.borgpassword.file = ../../secrets/borgpassword.age;
services.borgbackup = {
jobs.backup = {
paths = ["/etc" "/home" "/root" "/var"];
exclude = ["/var/log"];
repo = "${host}:${config.networking.hostName}";
encryption = {
mode = "repokey";
passCommand = "cat ${config.age.secrets.borgpassword.path}";
};
startAt = "daily";
persistentTimer = true;
environment.BORG_RSH = "ssh -i /home/buffet/.ssh/id_borg";
extraArgs = "--remote-path borg1";
prune.keep = {
within = "1d";
daily = 7;
weekly = 4;
monthly = -1;
};
};
};
}

36
hosts/tara/default.nix Normal file
View file

@ -0,0 +1,36 @@
{
pkgs,
agenix,
...
}: {
imports = [
./hardware-configuration.nix
./system.nix
agenix.nixosModules.default
./acme.nix
./bitwarden.nix
./borg.nix
./mosh.nix
./website.nix
./weechat.nix
../../users/maintainer
];
# TODO: put somewhere
age.identityPaths = ["/home/buffet/.ssh/id_agenix"];
networking.hostName = "tara";
users = {
mutableUsers = false;
users.root.hashedPassword = "!";
};
environment.systemPackages = with pkgs; [
git
htop
neovim
tree
];
}

37
hosts/tara/hardware-configuration.nix Normal file
View file

@ -0,0 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["virtio_pci" "virtio_scsi" "ahci" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/sda";
fsType = "ext4";
};
swapDevices = [
{device = "/dev/sdb";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s5.useDHCP = lib.mkDefault true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

17
hosts/tara/linode.nix Normal file
View file

@ -0,0 +1,17 @@
{pkgs, ...}: {
boot = {
kernelParams = ["console=ttyS0,19200n8"];
loader.grub.extraConfig = ''
serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
terminal_input serial;
terminal_output serial
'';
};
# packages used for maintanence
environment.systemPackages = with pkgs; [
inetutils
mtr
sysstat
];
}

5
hosts/tara/mosh.nix Normal file
View file

@ -0,0 +1,5 @@
_: {
programs.mosh = {
enable = true;
};
}

44
hosts/tara/system.nix Normal file
View file

@ -0,0 +1,44 @@
{...}: {
imports = [
./linode.nix
];
# Don't change!
system.stateVersion = "22.05";
time.timeZone = "UTC";
i18n.defaultLocale = "en_US.UTF-8";
boot = {
loader.grub.forceInstall = true;
loader.grub.device = "nodev";
loader.timeout = 10;
tmp.cleanOnBoot = true;
};
security.sudo.wheelNeedsPassword = false;
services.openssh.enable = true;
networking = {
hostName = "tara";
firewall.allowPing = true;
usePredictableInterfaceNames = false;
};
nix = {
settings = {
auto-optimise-store = true;
trusted-users = ["root"];
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 14d";
};
extraOptions = ''
experimental-features = nix-command flakes
'';
};
}

24
hosts/tara/website.nix Normal file
View file

@ -0,0 +1,24 @@
{website, ...}: {
networking.firewall.allowedTCPPorts = [80 443];
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."buffet.sh" = {
enableACME = true;
forceSSL = true;
root = "${website}";
};
virtualHosts."unix.pics" = {
enableACME = true;
forceSSL = true;
root = "/var/lib/stuff/unix.pics";
};
};
}

22
hosts/tara/weechat.nix Normal file
View file

@ -0,0 +1,22 @@
{pkgs, ...}: let
port = 4124;
in {
networking.firewall.allowedTCPPorts = [port];
environment.systemPackages = with pkgs; [
screen
];
systemd.services.weechat = {
after = ["network-online.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "simple";
Restart = "always";
User = "maintainer";
Group = "users";
};
script = "exec ${pkgs.screen}/bin/screen -Dm -S weechat ${pkgs.weechat}/bin/weechat";
};
}

3
keys.nix Normal file
View file

@ -0,0 +1,3 @@
[
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDci73LlPFhg9Z26jnuGMzGEh0jO192alsLhSVUE+CIOkRfkeRonJ69WxwY9kBFAa5PyY9zrAr2XueLWaQAaHJdmHyWbXmMJGtqsx0oB5KU4aFL8stJGkr8u6Bv5HPpkGr4PyqGkzKEPirUBYOMxXW3KSuP5LCTTx+UVoEFhIRS+j6w67ZIjyEHalwZAVJP8sp1GJkk9eQkmoJjdBt4qxAoBRaZp8kTzdKJezJY1g0f+JBI+0ZUDPS2IdAAXroVho/ea31gGFRsqazbP17Tpbiy1H4dQwTc19YkyOYu7R4klRrOVjzh/CBYgTUmIV1czUISG6KEGfgW4IciYSc6R5IGo+GCf3OsNVDKjjgxCvCLLx03KsBZJXoQJlZ/grfoQ0aulUR/hDeAyOU/bE2XjpzkNiYKhlMd7gEN3AC1iCjsYNL+6Nr82GVpn5XE0UsDYFJyZ//6zI4ldNnCcuYPNgyE9VabaUh0WuemkhdTe/SKIBOQfHSLFlEAZVWVGUQV/dvi5HY9Ie4nIHtUU1IdeNiCa+OB+KxIE5a9+2h5KJB2NPCyPt1TImqS/OiXaQlihEPsNOyKqbBiN/4LUPtixAGbnbdzBwmdP8Pt32Y1ehOyBoDxLv36R1hHP9Xn4C+KUX35lhpfToSRVvWvVUcDDZVq3kUnxPV22BTs3kgLG3rJ6Q==" # id_rsa
]

1
secrets.nix
View file

@ -1,5 +1,6 @@
let let
buffet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOA928bjB90FwkTLtQcPW1mP+QLViVfEVdMHg+7/8Fxh"; buffet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOA928bjB90FwkTLtQcPW1mP+QLViVfEVdMHg+7/8Fxh";
in { in {
"secrets/bitwarden.age".publicKeys = [buffet];
"secrets/borgpassword.age".publicKeys = [buffet]; "secrets/borgpassword.age".publicKeys = [buffet];
} }

8
secrets/bitwarden.age Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 zRvPWg nB1tKQNQ42LV7cIa2ZAhyyzYAtFd7SYBIi+Tn+42swE
tEjEtJTZLduh8sGoH1taPtuVSP5zciOZzRgLvXgibDw
-> ~I/b8A-grease (HOy
uAwKXFCjFDqOl33OSOkWnM3Uag7J9wIWLf691lstEEb9HESumYqC9hVL00Gh0EZ4
+Q/D44pd6Ezc+QuWhaYjgdY
--- fxPFJd0SxJu7mCR+lroO5NZkL+bkAHd40hWOKixfQ08
·¥¬ JY=óD½óD•qB©N:ÿ²"ˆÿÝ”¼$˜êã¶ð׉±¢ýLAù+C:ȶØA>ý"š<>u*óÄ`*BÕ.Tæ÷x$ƒQáUÕ¶B.ŽOÍÑa…£^Ê u Ê~ ÔO…¸

6
users/buffet/default.nix
View file

@ -25,10 +25,16 @@
]; ];
}; };
nix.settings.trusted-users = ["buffet"];
home-manager.users.buffet = { home-manager.users.buffet = {
home = { home = {
stateVersion = "23.11"; stateVersion = "23.11";
sessionVariables = {
EDITOR = "nvim";
};
packages = with pkgs; [ packages = with pkgs; [
#SDL2 #SDL2
#SDL2.dev #SDL2.dev

12
users/maintainer/default.nix Normal file
View file

@ -0,0 +1,12 @@
{pkgs, ...}: {
users.users.maintainer = {
isNormalUser = true;
uid = 1001;
openssh.authorizedKeys.keys = import ../../keys.nix;
extraGroups = [
"wheel"
];
};
nix.settings.trusted-users = ["maintainer"];
}