add tara config

2024-01-25 16:54:05 +01:00 · 2024-01-25 16:54:05 +01:00 · 593639ba21
commit 593639ba21
parent df8b38d5f5
18 changed files with 334 additions and 14 deletions
--- a/flake.lock
+++ b/flake.lock
@ -158,7 +158,8 @@
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
-        "nur": "nur"
+        "nur": "nur",
+        "website": "website"
      }
    },
    "systems": {
@ -175,6 +176,22 @@
        "repo": "default",
        "type": "github"
      }
+    },
+    "website": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1689011009,
+        "narHash": "sha256-fZKVdh8m+XT3Q6+K5MeX9KlBa5oEvDIzPz4XNpQee9k=",
+        "owner": "buffet",
+        "repo": "website",
+        "rev": "1321da0aab3a83733535b8374af20a889cc005b1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "buffet",
+        "repo": "website",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -22,24 +22,35 @@
      url = "github:Mic92/nix-index-database";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    website = {
+      url = "github:buffet/website";
+      flake = false;
+    };
  };

  outputs = {
    nixpkgs,
    nixpkgs-unstable,
    ...
-  } @ args: {
-    nixosConfigurations.alice = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      specialArgs = args;
-      modules = let
-        overlay-unstable = final: prev: {
-          unstable = nixpkgs-unstable.legacyPackages.${prev.system};
-        };
-      in [
-        ./hosts/alice
-        (_: {nixpkgs.overlays = [(import ./overlay args) overlay-unstable];})
-      ];
+  } @ args: let
+    makeSystem = system: config:
+      nixpkgs.lib.nixosSystem {
+        inherit system;
+        specialArgs = args;
+        modules = let
+          overlay-unstable = final: prev: {
+            unstable = nixpkgs-unstable.legacyPackages.${prev.system};
+          };
+        in [
+          config
+          (_: {nixpkgs.overlays = [(import ./overlay args) overlay-unstable];})
+        ];
+      };
+  in {
+    nixosConfigurations = {
+      alice = makeSystem "x86_64-linux" ./hosts/alice;
+      tara = makeSystem "x86_64-linux" ./hosts/tara;
    };
  };
 }
--- a/hosts/alice/system.nix
+++ b/hosts/alice/system.nix
@ -37,7 +37,7 @@

    settings = {
      auto-optimise-store = true;
-      trusted-users = ["root" "buffet"];
+      trusted-users = ["root"];
    };

    gc = {
--- a/hosts/tara/acme.nix
+++ b/hosts/tara/acme.nix
@ -0,0 +1,11 @@
+_: {
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@buffet.sh";
+    certs."buffet.sh" = {
+      extraDomainNames = [
+        "bitwarden.buffet.sh"
+      ];
+    };
+  };
+}
--- a/hosts/tara/bitwarden.nix
+++ b/hosts/tara/bitwarden.nix
@ -0,0 +1,35 @@
+{config, ...}: let
+  port = 12224;
+in {
+  age.secrets.bitwarden.file = ../../secrets/bitwarden.age;
+
+  services = {
+    vaultwarden = {
+      enable = true;
+      environmentFile = config.age.secrets.bitwarden.path;
+      config = {
+        domain = "https://bitwarden.buffet.sh/";
+        signupsAllowed = false;
+        rocketPort = port;
+      };
+    };
+
+    nginx = {
+      enable = true;
+
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      virtualHosts."bitwarden.buffet.sh" = {
+        enableACME = true;
+        forceSSL = true;
+
+        locations."/" = {
+          proxyPass = "http://localhost:${toString port}";
+        };
+      };
+    };
+  };
+}
--- a/hosts/tara/borg.nix
+++ b/hosts/tara/borg.nix
@ -0,0 +1,31 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  host = "11967@prio.ch-s011.rsync.net";
+in {
+  age.secrets.borgpassword.file = ../../secrets/borgpassword.age;
+
+  services.borgbackup = {
+    jobs.backup = {
+      paths = ["/etc" "/home" "/root" "/var"];
+      exclude = ["/var/log"];
+      repo = "${host}:${config.networking.hostName}";
+      encryption = {
+        mode = "repokey";
+        passCommand = "cat ${config.age.secrets.borgpassword.path}";
+      };
+      startAt = "daily";
+      persistentTimer = true;
+      environment.BORG_RSH = "ssh -i /home/buffet/.ssh/id_borg";
+      extraArgs = "--remote-path borg1";
+      prune.keep = {
+        within = "1d";
+        daily = 7;
+        weekly = 4;
+        monthly = -1;
+      };
+    };
+  };
+}
--- a/hosts/tara/default.nix
+++ b/hosts/tara/default.nix
@ -0,0 +1,36 @@
+{
+  pkgs,
+  agenix,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+    ./system.nix
+    agenix.nixosModules.default
+
+    ./acme.nix
+    ./bitwarden.nix
+    ./borg.nix
+    ./mosh.nix
+    ./website.nix
+    ./weechat.nix
+
+    ../../users/maintainer
+  ];
+
+  # TODO: put somewhere
+  age.identityPaths = ["/home/buffet/.ssh/id_agenix"];
+  networking.hostName = "tara";
+
+  users = {
+    mutableUsers = false;
+    users.root.hashedPassword = "!";
+  };
+
+  environment.systemPackages = with pkgs; [
+    git
+    htop
+    neovim
+    tree
+  ];
+}
--- a/hosts/tara/hardware-configuration.nix
+++ b/hosts/tara/hardware-configuration.nix
@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["virtio_pci" "virtio_scsi" "ahci" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/sda";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    {device = "/dev/sdb";}
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s5.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/tara/linode.nix
+++ b/hosts/tara/linode.nix
@ -0,0 +1,17 @@
+{pkgs, ...}: {
+  boot = {
+    kernelParams = ["console=ttyS0,19200n8"];
+    loader.grub.extraConfig = ''
+      serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+      terminal_input serial;
+      terminal_output serial
+    '';
+  };
+
+  # packages used for maintanence
+  environment.systemPackages = with pkgs; [
+    inetutils
+    mtr
+    sysstat
+  ];
+}
--- a/hosts/tara/mosh.nix
+++ b/hosts/tara/mosh.nix
@ -0,0 +1,5 @@
+_: {
+  programs.mosh = {
+    enable = true;
+  };
+}
--- a/hosts/tara/system.nix
+++ b/hosts/tara/system.nix
@ -0,0 +1,44 @@
+{...}: {
+  imports = [
+    ./linode.nix
+  ];
+
+  # Don't change!
+  system.stateVersion = "22.05";
+
+  time.timeZone = "UTC";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  boot = {
+    loader.grub.forceInstall = true;
+    loader.grub.device = "nodev";
+    loader.timeout = 10;
+    tmp.cleanOnBoot = true;
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+  services.openssh.enable = true;
+
+  networking = {
+    hostName = "tara";
+    firewall.allowPing = true;
+    usePredictableInterfaceNames = false;
+  };
+
+  nix = {
+    settings = {
+      auto-optimise-store = true;
+      trusted-users = ["root"];
+    };
+
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 14d";
+    };
+
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+  };
+}
--- a/hosts/tara/website.nix
+++ b/hosts/tara/website.nix
@ -0,0 +1,24 @@
+{website, ...}: {
+  networking.firewall.allowedTCPPorts = [80 443];
+
+  services.nginx = {
+    enable = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts."buffet.sh" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "${website}";
+    };
+
+    virtualHosts."unix.pics" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "/var/lib/stuff/unix.pics";
+    };
+  };
+}
--- a/hosts/tara/weechat.nix
+++ b/hosts/tara/weechat.nix
@ -0,0 +1,22 @@
+{pkgs, ...}: let
+  port = 4124;
+in {
+  networking.firewall.allowedTCPPorts = [port];
+
+  environment.systemPackages = with pkgs; [
+    screen
+  ];
+
+  systemd.services.weechat = {
+    after = ["network-online.target"];
+    wantedBy = ["multi-user.target"];
+    serviceConfig = {
+      Type = "simple";
+      Restart = "always";
+      User = "maintainer";
+      Group = "users";
+    };
+
+    script = "exec ${pkgs.screen}/bin/screen -Dm -S weechat ${pkgs.weechat}/bin/weechat";
+  };
+}
--- a/keys.nix
+++ b/keys.nix
@ -0,0 +1,3 @@
+[
+  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDci73LlPFhg9Z26jnuGMzGEh0jO192alsLhSVUE+CIOkRfkeRonJ69WxwY9kBFAa5PyY9zrAr2XueLWaQAaHJdmHyWbXmMJGtqsx0oB5KU4aFL8stJGkr8u6Bv5HPpkGr4PyqGkzKEPirUBYOMxXW3KSuP5LCTTx+UVoEFhIRS+j6w67ZIjyEHalwZAVJP8sp1GJkk9eQkmoJjdBt4qxAoBRaZp8kTzdKJezJY1g0f+JBI+0ZUDPS2IdAAXroVho/ea31gGFRsqazbP17Tpbiy1H4dQwTc19YkyOYu7R4klRrOVjzh/CBYgTUmIV1czUISG6KEGfgW4IciYSc6R5IGo+GCf3OsNVDKjjgxCvCLLx03KsBZJXoQJlZ/grfoQ0aulUR/hDeAyOU/bE2XjpzkNiYKhlMd7gEN3AC1iCjsYNL+6Nr82GVpn5XE0UsDYFJyZ//6zI4ldNnCcuYPNgyE9VabaUh0WuemkhdTe/SKIBOQfHSLFlEAZVWVGUQV/dvi5HY9Ie4nIHtUU1IdeNiCa+OB+KxIE5a9+2h5KJB2NPCyPt1TImqS/OiXaQlihEPsNOyKqbBiN/4LUPtixAGbnbdzBwmdP8Pt32Y1ehOyBoDxLv36R1hHP9Xn4C+KUX35lhpfToSRVvWvVUcDDZVq3kUnxPV22BTs3kgLG3rJ6Q==" # id_rsa
+]
--- a/secrets.nix
+++ b/secrets.nix
@ -1,5 +1,6 @@
 let
  buffet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOA928bjB90FwkTLtQcPW1mP+QLViVfEVdMHg+7/8Fxh";
 in {
+  "secrets/bitwarden.age".publicKeys = [buffet];
  "secrets/borgpassword.age".publicKeys = [buffet];
 }
--- a/secrets/bitwarden.age
+++ b/secrets/bitwarden.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 zRvPWg nB1tKQNQ42LV7cIa2ZAhyyzYAtFd7SYBIi+Tn+42swE
+tEjEtJTZLduh8sGoH1taPtuVSP5zciOZzRgLvXgibDw
+-> ~I/b8A-grease (HOy
+uAwKXFCjFDqOl33OSOkWnM3Uag7J9wIWLf691lstEEb9HESumYqC9hVL00Gh0EZ4
+Q/D44pd6Ezc+QuWhaYjgdY
+--- fxPFJd0SxJu7mCR+lroO5NZkL+bkAHd40hWOKixfQ08
+·¥¬	JY=óD’½óD•qB©N:ÿ²"ˆÿÝ”¼$˜êã¶ð×‰±¢‹ýLAù+C:È¶ØA>ý"š<>u*óÄ`*BÕ.Tæ÷x$ƒQáUÕ¶B.ŽOÍÑa…£^Ê
uÊ~ ÔO…¸
--- a/users/buffet/default.nix
+++ b/users/buffet/default.nix
@ -25,10 +25,16 @@
    ];
  };

+  nix.settings.trusted-users = ["buffet"];
+
  home-manager.users.buffet = {
    home = {
      stateVersion = "23.11";

+      sessionVariables = {
+        EDITOR = "nvim";
+      };
+
      packages = with pkgs; [
        #SDL2
        #SDL2.dev
--- a/users/maintainer/default.nix
+++ b/users/maintainer/default.nix
@ -0,0 +1,12 @@
+{pkgs, ...}: {
+  users.users.maintainer = {
+    isNormalUser = true;
+    uid = 1001;
+    openssh.authorizedKeys.keys = import ../../keys.nix;
+    extraGroups = [
+      "wheel"
+    ];
+  };
+
+  nix.settings.trusted-users = ["maintainer"];
+}