Compare commits
169 Commits
Author | SHA1 | Date | |
---|---|---|---|
d5c2f8d543 | |||
1189a41df9 | |||
39730d2ec3 | |||
ac6f285400 | |||
e4b8fd7438 | |||
24be3394bc | |||
ba053c539c | |||
3aeeb69c2b | |||
85246af424 | |||
ba7a39b66e | |||
df31ebebf8 | |||
2f3a33ad8e | |||
343b34b4dc | |||
264799952e | |||
5cef32cf1e | |||
6cc70e117d | |||
a52aed5778 | |||
70b53b5c01 | |||
3d642e2320 | |||
41d5f0cc53 | |||
974c947130 | |||
8a9498f8d7 | |||
2ecdafe1cf | |||
db5dc5aee6 | |||
f96f03ba0c | |||
e81cad1670 | |||
67c8e3dcaf | |||
1052379119 | |||
0edb8394c8 | |||
bbab551b0f | |||
13c937b196 | |||
6bdaca40e0 | |||
462f0eecf4 | |||
5dcf3b8e3f | |||
b0618cd3dc | |||
a9829eea9e | |||
cfd64e9a73 | |||
b3af1739a8 | |||
cde6bdd498 | |||
bd5efa3648 | |||
30679f9f4b | |||
67644162e1 | |||
81c77de5ad | |||
a0f93c73d0 | |||
78705d440a | |||
3f829236a2 | |||
7b221eda07 | |||
22305815c6 | |||
fa493123fc | |||
62e61bec8a | |||
50d70ed8bc | |||
796bbc7a68 | |||
8123653a92 | |||
55ade830a8 | |||
a9c9600b14 | |||
eae5e105ff | |||
f1fd6ee270 | |||
1dc370709a | |||
de905e23a8 | |||
9247ae5d91 | |||
7298955391 | |||
f59824ad62 | |||
bff93529aa | |||
13bfe6f787 | |||
ad8c8b9b19 | |||
b7c07d0107 | |||
9cc389f865 | |||
2153c22d7f | |||
a4235b2581 | |||
36ce6ca185 | |||
e3887e320e | |||
a272cd0661 | |||
1ca4daab9c | |||
745ea58dec | |||
348bca745b | |||
0ef24c14e7 | |||
d9233021c7 | |||
b39549e1a9 | |||
8fdd915e76 | |||
62d62500ae | |||
b012d48e1d | |||
eba1dae06b | |||
b6ef41cae0 | |||
700ca88feb | |||
1c75fa88a7 | |||
c3447b3ec9 | |||
5350581676 | |||
4d1521e4b4 | |||
88b33598d7 | |||
4a09f50889 | |||
cf76a055e7 | |||
f4f6c66098 | |||
2c432ce986 | |||
d6b15a1f25 | |||
bd34d0e3ad | |||
52caf6edf9 | |||
016d0e61b5 | |||
b4a33bb6b2 | |||
8cee990f54 | |||
59e5717e00 | |||
f2fe064f72 | |||
dd76435ec3 | |||
85e5c9d00e | |||
ca1751533c | |||
8900423527 | |||
1ae3cf0c41 | |||
72898701da | |||
3c693ee42f | |||
9752e63f09 | |||
d4fb381fcf | |||
e812e96afc | |||
d3fb88a328 | |||
804aa10048 | |||
8f493d1335 | |||
9674e6651d | |||
88378c3179 | |||
d682d5434b | |||
790d0a8a6b | |||
78a024a924 | |||
5e725b14bb | |||
7f25cab5f8 | |||
b0e4e2cca1 | |||
80b4305e60 | |||
90cbec88db | |||
89dade473a | |||
d7398e38df | |||
fc599096b4 | |||
ec4f9f8af4 | |||
26908c8b77 | |||
da8f4bb5a5 | |||
a1e4578ee1 | |||
4c3b948beb | |||
f176a9e4d5 | |||
d0dabc18f7 | |||
c54f4f8166 | |||
85843bbd55 | |||
013de46aaa | |||
2032b7693a | |||
104ea7f0cb | |||
bc5d370d0b | |||
8cdd3d6d6c | |||
5a6151306c | |||
785a17059d | |||
89374c44dc | |||
5d13643ee9 | |||
126424ad12 | |||
af1d0f8810 | |||
82c98f4685 | |||
2e27067660 | |||
f047111de7 | |||
6ee3e2f095 | |||
51a849b9c8 | |||
cd79b1e60a | |||
34e042f68b | |||
3a92fe8a7f | |||
1945294218 | |||
41b722860d | |||
6e748ec05f | |||
d3dc82a150 | |||
cd32b94c75 | |||
496d816f12 | |||
ceedaa852f | |||
8bc57eb583 | |||
7fc95b98d2 | |||
754d770e53 | |||
6a3a5cd416 | |||
74d687af40 | |||
ceab3b50a8 | |||
538706d3f7 |
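--- a/.drone.yml
+++ b/.drone.yml
@@ -1,26 +0,0 @@
----
-kind: pipeline
-type: docker
-name: check
-
-steps:
-- name: lint
-image: nixos/nix:2.16.1
-commands:
-- nix --extra-experimental-features 'nix-command flakes' fmt
-- git diff --exit-code
-
-- name: check
-image: nixos/nix:2.16.1
-commands:
-- nix --extra-experimental-features 'nix-command flakes' flake check
-
-trigger:
-event:
-exclude:
-- tag
----
-kind: signature
-hmac: 27c93405b251bb8bc80c82d7271702f80753ff63a0422678e62bbe2c4a025840
-
-...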
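--- a/.gitea/workflows/flake.yaml
+++ b/.gitea/workflows/flake.yaml
@@ -0,0 +1,23 @@
+name: flake
+
+on:
+push:
+branches:
+- '**'
+tags-ignore:
+- '**'
+
+jobs:
+flake:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+- uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14
+- uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
+- name: lint
+run: |
+nix fmt
+git diff --exit-code
+- name: flake check
+run: nix flake check --all-systems
+timeout-minutes: 10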
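Review bot: No `permissions:` block is declared for the `flake` job, so it runs with whatever default token scope the runner grants, although both steps only read the checkout and never push or publish. Add `permissions: contents: read` at the job level (Gitea Actions honours the key on recent act_runner releases; confirm against the runner deployed on boron) and pass `with: persist-credentials: false` to the `actions/checkout` step so the token is not left in `.git/config` for the later `nix fmt` / `nix flake check` invocations to read. Pinning all three actions to full commit SHAs with a trailing version comment is the right supply-chain practice and should be kept when they are bumped.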
@ -4,7 +4,10 @@
|
||||
|
||||
Raspberry Pi images that support Tailscale and headless SSH can be built using a command. It is easiest to run this command on AArch64 on Linux, such as within a Linux VM or Docker container on an M1 Mac.
|
||||
|
||||
$ docker run -v $PWD:/etc/nixos -it --rm nixos/nix:latest
|
||||
# cd /etc/nixos
|
||||
# nix build .#images.microserver.home.ts.hillion.co.uk
|
||||
docker run -v $PWD:/src -it --rm nixos/nix:latest /bin/sh
|
||||
nix-env -f https://github.com/nix-community/nixos-generators/archive/master.tar.gz -i
|
||||
cd /src
|
||||
nixos-generate -f sd-aarch64-installer --system aarch64-linux -c hosts/microserver.home.ts.hillion.co.uk/default.nix
|
||||
cp SOME_OUTPUT out.img.zst
|
||||
|
||||
Alternatively, a Raspberry Pi image with headless SSH can be easily built using the logic in [this repo](https://github.com/Robertof/nixos-docker-sd-image-builder/tree/master).
|
||||
|
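--- a/darwin/jakehillion-mba-m2-15/configuration.nix
+++ b/darwin/jakehillion-mba-m2-15/configuration.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+
+{
+config = {
+system.stateVersion = 4;
+
+networking.hostName = "jakehillion-mba-m2-15";
+
+nix = {
+useDaemon = true;
+};
+
+programs.zsh.enable = true;
+
+security.pam.enableSudoTouchIdAuth = true;
+
+environment.systemPackages = with pkgs; [
+fd
+htop
+mosh
+neovim
+nix
+ripgrep
+sapling
+];
+};
+}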
134
flake.lock
134
flake.lock
@ -2,18 +2,23 @@
|
||||
"nodes": {
|
||||
"agenix": {
|
||||
"inputs": {
|
||||
"darwin": "darwin",
|
||||
"home-manager": "home-manager",
|
||||
"darwin": [
|
||||
"darwin"
|
||||
],
|
||||
"home-manager": [
|
||||
"home-manager"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
],
|
||||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1690228878,
|
||||
"narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=",
|
||||
"lastModified": 1723293904,
|
||||
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"rev": "d8c973fd228949736dedf61b7f8cc1ece3236792",
|
||||
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -25,56 +30,33 @@
|
||||
"darwin": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"agenix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1673295039,
|
||||
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
|
||||
"lastModified": 1726188813,
|
||||
"narHash": "sha256-Vop/VRi6uCiScg/Ic+YlwsdIrLabWUJc57dNczp0eBc=",
|
||||
"owner": "lnl7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
|
||||
"rev": "21fe31f26473c180390cfa81e3ea81aca0204c80",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "lnl7",
|
||||
"ref": "master",
|
||||
"repo": "nix-darwin",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"darwin_2": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1692248770,
|
||||
"narHash": "sha256-tZeFpETKQGbgnaSIO1AGWD27IyTcBm4D+A9d7ulQ4NM=",
|
||||
"owner": "lnl7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "511177ffe8226c78c9cf6a92a7b5f2df3684956b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "lnl7",
|
||||
"ref": "master",
|
||||
"repo": "nix-darwin",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"inputs": {
|
||||
"systems": "systems"
|
||||
"systems": "systems_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1692799911,
|
||||
"narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
|
||||
"lastModified": 1710146030,
|
||||
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
|
||||
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -86,52 +68,51 @@
|
||||
"home-manager": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"agenix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1682203081,
|
||||
"narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
|
||||
"lastModified": 1725703823,
|
||||
"narHash": "sha256-tDgM4d8mLK0Hd6YMB2w1BqMto1XBXADOzPEaLl10VI4=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
|
||||
"rev": "208df2e558b73b6a1f0faec98493cb59a25f62ba",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"ref": "release-24.05",
|
||||
"repo": "home-manager",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"home-manager_2": {
|
||||
"home-manager-unstable": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
"nixpkgs-unstable"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1693208669,
|
||||
"narHash": "sha256-hHFaaUsZ860wvppPeiu7nJn/nXZjJfnqAQEu9SPFE9I=",
|
||||
"lastModified": 1726357542,
|
||||
"narHash": "sha256-p4OrJL2weh0TRtaeu1fmNYP6+TOp/W2qdaIJxxQay4c=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "5bac4a1c06cd77cf8fc35a658ccb035a6c50cd2c",
|
||||
"rev": "e524c57b1fa55d6ca9d8354c6ce1e538d2a1f47f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"ref": "release-23.05",
|
||||
"repo": "home-manager",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"impermanence": {
|
||||
"locked": {
|
||||
"lastModified": 1690797372,
|
||||
"narHash": "sha256-GImz19e33SeVcIvBB7NnhbJSbTpFFmNtWLh7Z85Y188=",
|
||||
"lastModified": 1725690722,
|
||||
"narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "impermanence",
|
||||
"rev": "e3a7acd113903269a1b5c8b527e84ce7ee859851",
|
||||
"rev": "63f4d0443e32b0dd7189001ee1894066765d18a5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -141,45 +122,44 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1693341273,
|
||||
"narHash": "sha256-wrsPjsIx2767909MPGhSIOmkpGELM9eufqLQOPxmZQg=",
|
||||
"lastModified": 1725885300,
|
||||
"narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "2ab91c8d65c00fd22a441c69bbf1bc9b420d5ea1",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-23.05",
|
||||
"repo": "nixpkgs",
|
||||
"repo": "nixos-hardware",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-chia": {
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1685960109,
|
||||
"narHash": "sha256-uTuKV5ua048dIGdaC+lexSUK/9A/X4la4BEJXODZm9U=",
|
||||
"owner": "lourkeur",
|
||||
"lastModified": 1726320982,
|
||||
"narHash": "sha256-RuVXUwcYwaUeks6h3OLrEmg14z9aFXdWppTWPMTwdQw=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "e2b683787475d344892bddea9ab413dc611b894e",
|
||||
"rev": "8f7492cce28977fbf8bd12c72af08b1f6c7c3e49",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "lourkeur",
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-24.05",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "e2b683787475d344892bddea9ab413dc611b894e",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1693250523,
|
||||
"narHash": "sha256-y3up5gXMTbnCsXrNEB5j+7TVantDLUYyQLu/ueiXuyg=",
|
||||
"lastModified": 1726243404,
|
||||
"narHash": "sha256-sjiGsMh+1cWXb53Tecsm4skyFNag33GPbVgCdfj3n9I=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "3efb0f6f404ec8dae31bdb1a9b17705ce0d6986e",
|
||||
"rev": "345c263f2f53a3710abe117f28a5cb86d0ba4059",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -192,12 +172,13 @@
|
||||
"root": {
|
||||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"darwin": "darwin_2",
|
||||
"darwin": "darwin",
|
||||
"flake-utils": "flake-utils",
|
||||
"home-manager": "home-manager_2",
|
||||
"home-manager": "home-manager",
|
||||
"home-manager-unstable": "home-manager-unstable",
|
||||
"impermanence": "impermanence",
|
||||
"nixos-hardware": "nixos-hardware",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-chia": "nixpkgs-chia",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable"
|
||||
}
|
||||
},
|
||||
@ -215,6 +196,21 @@
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems_2": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
|
87
flake.nix
87
flake.nix
@ -1,55 +1,60 @@
|
||||
{
|
||||
inputs = {
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
||||
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
nixpkgs-chia.url = "github:lourkeur/nixpkgs?rev=e2b683787475d344892bddea9ab413dc611b894e";
|
||||
|
||||
nixos-hardware.url = "github:nixos/nixos-hardware";
|
||||
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
|
||||
darwin.url = "github:lnl7/nix-darwin/master";
|
||||
darwin.url = "github:lnl7/nix-darwin";
|
||||
darwin.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
agenix.url = "github:ryantm/agenix";
|
||||
agenix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
agenix.inputs.darwin.follows = "darwin";
|
||||
agenix.inputs.home-manager.follows = "home-manager";
|
||||
|
||||
home-manager.url = "github:nix-community/home-manager/release-23.05";
|
||||
home-manager.url = "github:nix-community/home-manager/release-24.05";
|
||||
home-manager.inputs.nixpkgs.follows = "nixpkgs";
|
||||
home-manager-unstable.url = "github:nix-community/home-manager";
|
||||
home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||
|
||||
impermanence.url = "github:nix-community/impermanence/master";
|
||||
};
|
||||
|
||||
description = "Hillion Nix flake";
|
||||
|
||||
outputs =
|
||||
{ self, nixpkgs, nixpkgs-unstable, nixpkgs-chia, flake-utils, agenix, home-manager, impermanence, darwin, ... }@inputs:
|
||||
outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, darwin, impermanence, ... }@inputs:
|
||||
let
|
||||
fqdns = builtins.attrNames (builtins.readDir ./hosts);
|
||||
isDarwin = host: builtins.pathExists ./hosts/${host}/darwin;
|
||||
isNixos = fqdn: !isDarwin fqdn;
|
||||
needsImage = fqdn: builtins.pathExists ./hosts/${fqdn}/image;
|
||||
getSystemOverlays = system: nixpkgsConfig: [
|
||||
(final: prev: {
|
||||
unstable = nixpkgs-unstable.legacyPackages.${prev.system};
|
||||
"storj" = final.callPackage ./pkgs/storj.nix { };
|
||||
})
|
||||
];
|
||||
in
|
||||
rec {
|
||||
{
|
||||
nixosConfigurations =
|
||||
let
|
||||
getSystemOverlays = system: nixpkgsConfig: [
|
||||
(final: prev: {
|
||||
"storj" = final.callPackage ./pkgs/storj.nix { };
|
||||
})
|
||||
];
|
||||
fqdns = builtins.attrNames (builtins.readDir ./hosts);
|
||||
mkHost = fqdn:
|
||||
let system = builtins.readFile ./hosts/${fqdn}/system;
|
||||
let
|
||||
system = builtins.readFile ./hosts/${fqdn}/system;
|
||||
func = if builtins.pathExists ./hosts/${fqdn}/unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;
|
||||
home-manager-pick = if builtins.pathExists ./hosts/${fqdn}/unstable then home-manager-unstable else home-manager;
|
||||
in
|
||||
nixpkgs.lib.nixosSystem {
|
||||
func {
|
||||
inherit system;
|
||||
specialArgs = inputs;
|
||||
modules = (if needsImage then [ ] else [ "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix" ]) ++ [
|
||||
modules = [
|
||||
./hosts/${fqdn}/default.nix
|
||||
./modules/default.nix
|
||||
|
||||
agenix.nixosModules.default
|
||||
impermanence.nixosModules.impermanence
|
||||
|
||||
home-manager.nixosModules.default
|
||||
home-manager-pick.nixosModules.default
|
||||
{
|
||||
home-manager.sharedModules = [
|
||||
impermanence.nixosModules.home-manager.impermanence
|
||||
@ -57,43 +62,29 @@
|
||||
}
|
||||
|
||||
({ config, ... }: {
|
||||
nix.registry.nixpkgs.flake = nixpkgs; # pin `nix shell` nixpkgs
|
||||
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
|
||||
nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
|
||||
})
|
||||
];
|
||||
};
|
||||
in
|
||||
nixpkgs.lib.genAttrs (builtins.filter isNixos fqdns) mkHost;
|
||||
nixpkgs.lib.genAttrs fqdns mkHost;
|
||||
|
||||
# images =
|
||||
# let
|
||||
# mkImage = fqdn: nixosConfigurations.${fqdn}.config.system.build.sdImage;
|
||||
# in
|
||||
# nixpkgs.lib.genAttrs (builtins.filter needsImage fqdns) mkImage;
|
||||
|
||||
images = {
|
||||
"microserver" = nixosConfigurations."microserver.home.ts.hillion.co.uk".config.system.build.sdImage;
|
||||
darwinConfigurations = {
|
||||
jakehillion-mba-m2-15 = darwin.lib.darwinSystem {
|
||||
system = "aarch64-darwin";
|
||||
specialArgs = inputs;
|
||||
|
||||
modules = [
|
||||
./darwin/jakehillion-mba-m2-15/configuration.nix
|
||||
|
||||
({ config, ... }: {
|
||||
nixpkgs.overlays = getSystemOverlays "aarch64-darwin" config.nixpkgs.config;
|
||||
})
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
darwinConfigurations =
|
||||
let
|
||||
hosts = builtins.attrNames (builtins.readDir ./hosts);
|
||||
isDarwin = host: builtins.pathExists ./hosts/${host}/darwin;
|
||||
mkHost = host:
|
||||
let system = builtins.readFile ./hosts/${host}/system;
|
||||
in
|
||||
darwin.lib.darwinSystem {
|
||||
inherit system;
|
||||
inherit inputs;
|
||||
modules = [
|
||||
./hosts/${host}/default.nix
|
||||
agenix.darwinModules.default
|
||||
home-manager.darwinModules.default
|
||||
];
|
||||
};
|
||||
in
|
||||
nixpkgs.lib.genAttrs (builtins.filter isDarwin hosts) mkHost;
|
||||
} // flake-utils.lib.eachDefaultSystem (system: {
|
||||
formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
|
||||
});
|
||||
|
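Review bot: `nix.registry.nixpkgs.flake = nixpkgs;` pins the `nix shell`/`nix run` registry to the stable `nixpkgs` input for every host, but the new `mkHost` builds any host carrying a `./hosts/<fqdn>/unstable` marker from `nixpkgs-unstable` (`func` and `home-manager-pick`), so on those hosts ad-hoc `nixpkgs#` references resolve to a different tree than the system was built from. Compute the marker once, `unstable = builtins.pathExists ./hosts/${fqdn}/unstable;`, use it for `func`, `home-manager-pick` and the registry pin (`nix.registry.nixpkgs.flake = if unstable then nixpkgs-unstable else nixpkgs;`), which also removes the duplicated `pathExists` call; note that `mkHost` starts in the first hunk while the registry module sits in the second. The new `darwinConfigurations` entry hard-codes `system = "aarch64-darwin"` and the host name whereas NixOS hosts read `./hosts/<fqdn>/system`; keeping the same per-host file convention for Darwin would stop the two code paths from diverging as more machines are added.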
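--- a/hosts/be.lt.ts.hillion.co.uk/default.nix
+++ b/hosts/be.lt.ts.hillion.co.uk/default.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, lib, ... }:
+
+{
+imports = [
+./hardware-configuration.nix
+];
+
+config = {
+system.stateVersion = "23.11";
+
+networking.hostName = "be";
+networking.domain = "lt.ts.hillion.co.uk";
+
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+
+custom.defaults = true;
+
+## Impermanence
+custom.impermanence = {
+enable = true;
+userExtraFiles.jake = [
+".ssh/id_ecdsa_sk_keys"
+];
+};
+
+## WiFi
+age.secrets."wifi/be.lt.ts.hillion.co.uk".file = ../../secrets/wifi/be.lt.ts.hillion.co.uk.age;
+networking.wireless = {
+enable = true;
+environmentFile = config.age.secrets."wifi/be.lt.ts.hillion.co.uk".path;
+
+networks = {
+"Hillion WPA3 Network".psk = "@HILLION_WPA3_NETWORK_PSK@";
+};
+};
+
+## Desktop
+custom.users.jake.password = true;
+custom.desktop.awesome.enable = true;
+
+## Tailscale
+age.secrets."tailscale/be.lt.ts.hillion.co.uk".file = ../../secrets/tailscale/be.lt.ts.hillion.co.uk.age;
+services.tailscale = {
+enable = true;
+authKeyFile = config.age.secrets."tailscale/be.lt.ts.hillion.co.uk".path;
+};
+
+security.sudo.wheelNeedsPassword = lib.mkForce true;
+
+## Enable btrfs compression
+fileSystems."/data".options = [ "compress=zstd" ];
+fileSystems."/nix".options = [ "compress=zstd" ];
+};
+}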
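Review bot: The network entry is named "Hillion WPA3 Network" but only sets `psk`, and wpa_supplicant's default `key_mgmt` for a bare `psk` entry is WPA-PSK (WPA2); on an SAE-only network the association will fail, and on a WPA2/WPA3 transition network the laptop will connect with WPA2 rather than SAE. Add `authProtocols = [ "SAE" ];` next to the `psk` line so the configured protocol matches the SSID's intent (the NixOS module should then also emit the management-frame-protection setting SAE needs; confirm on this nixpkgs), or rename the network if WPA2-PSK is what is actually deployed. Keeping the PSK out of the store through `environmentFile` and the `@HILLION_WPA3_NETWORK_PSK@` placeholder is the right pattern, as are `security.sudo.wheelNeedsPassword = lib.mkForce true;` and the agenix-backed Tailscale key.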
59
hosts/be.lt.ts.hillion.co.uk/hardware-configuration.nix
Normal file
59
hosts/be.lt.ts.hillion.co.uk/hardware-configuration.nix
Normal file
@ -0,0 +1,59 @@
|
||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "tmpfs";
|
||||
fsType = "tmpfs";
|
||||
options = [ "mode=0755" ];
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/D184-A79B";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
fileSystems."/nix" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/3fdc1b00-28d5-41dd-b8e0-fa6b1217f6eb";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=nix" ];
|
||||
};
|
||||
|
||||
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/c8ffa91a-5152-4d84-8995-01232fd5acd6";
|
||||
|
||||
fileSystems."/data" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/3fdc1b00-28d5-41dd-b8e0-fa6b1217f6eb";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=data" ];
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp0s20f0u1u4.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
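--- a/hosts/boron.cx.ts.hillion.co.uk/README.md
+++ b/hosts/boron.cx.ts.hillion.co.uk/README.md
@@ -0,0 +1,7 @@
+# boron.cx.ts.hillion.co.uk
+
+Additional installation step for Clevis/Tang:
+
+$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
+$ sudo chown root:root /mnt/data/disk_encryption.jwe
+$ sudo chmod 0400 /mnt/data/disk_encryption.jwe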
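--- a/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json
+++ b/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json
@@ -0,0 +1,13 @@
+{
+"t": 1,
+"pins": {
+"tang": [
+{
+"url": "http://80.229.251.26:7654"
+},
+{
+"url": "http://185.240.111.53:7654"
+}
+]
+}
+}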
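Review bot: `"t": 1` with two Tang pins means either server alone can release the disk key, so the unlock policy is only as strong as the weaker of the two hosts — compromise of one Tang server's keys plus possession of the drives (or of the JWE the NixOS clevis module embeds in the initrd on the ESP) is enough to decrypt both LUKS volumes. If the intent is redundancy rather than independent trust that is a reasonable availability trade-off, but it deserves a sentence in the host README; if not, `"t": 2` requires both servers to cooperate. The bind also relies on the advertisement key trusted interactively at `clevis encrypt` time; pinning it explicitly with `"adv": "/path/to/tang-adv.jws"` or `"thp": "<fingerprint>"` in each pin makes the README step reproducible and non-interactive and rejects a server whose keys have changed. Plain `http://` is expected for Tang, since the exchange does not transmit key material, so TLS is not the concern here.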
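--- a/hosts/boron.cx.ts.hillion.co.uk/default.nix
+++ b/hosts/boron.cx.ts.hillion.co.uk/default.nix
@@ -0,0 +1,170 @@
+{ config, pkgs, lib, ... }:
+
+{
+imports = [
+./hardware-configuration.nix
+];
+
+config = {
+system.stateVersion = "23.11";
+
+networking.hostName = "boron";
+networking.domain = "cx.ts.hillion.co.uk";
+
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+
+boot.kernelParams = [ "ip=dhcp" ];
+boot.initrd = {
+availableKernelModules = [ "igb" ];
+network.enable = true;
+clevis = {
+enable = true;
+useTang = true;
+devices = {
+"disk0-crypt".secretFile = "/data/disk_encryption.jwe";
+"disk1-crypt".secretFile = "/data/disk_encryption.jwe";
+};
+};
+};
+
+custom.defaults = true;
+
+## Kernel
+### Explicitly use the latest kernel at time of writing because the LTS
+### kernels available in NixOS do not seem to support this server's very
+### modern hardware.
+boot.kernelPackages = pkgs.linuxPackages_6_10;
+### Apply patch to enable sched_ext which isn't yet available upstream.
+boot.kernelPatches = [{
+name = "sched_ext";
+patch = pkgs.fetchpatch {
+url = "https://github.com/sched-ext/scx-kernel-releases/releases/download/v6.10.3-scx1/linux-v6.10.3-scx1.patch.zst";
+hash = "sha256-c4UlXsVOHGe0gvL69K9qTMWqCR8as25qwhfNVxCXUTs=";
+decode = "${pkgs.zstd}/bin/unzstd";
+excludes = [ "Makefile" ];
+};
+extraConfig = ''
+BPF y
+BPF_EVENTS y
+BPF_JIT y
+BPF_SYSCALL y
+DEBUG_INFO_BTF y
+FTRACE y
+SCHED_CLASS_EXT y
+'';
+}];
+
+## Enable btrfs compression
+fileSystems."/data".options = [ "compress=zstd" ];
+fileSystems."/nix".options = [ "compress=zstd" ];
+
+## Impermanence
+custom.impermanence = {
+enable = true;
+cache.enable = true;
+};
+boot.initrd.postDeviceCommands = lib.mkAfter ''
+btrfs subvolume delete /cache/system
+btrfs subvolume snapshot /cache/empty_snapshot /cache/system
+'';
+
+## Custom Services
+custom = {
+locations.autoServe = true;
+www.global.enable = true;
+services = {
+gitea.actions = {
+enable = true;
+tokenSecret = ../../secrets/gitea/actions/boron.age;
+};
+};
+};
+
+services.nsd.interfaces = [
+"138.201.252.214"
+"2a01:4f8:173:23d2::2"
+];
+
+## Enable ZRAM to help with root on tmpfs
+zramSwap = {
+enable = true;
+memoryPercent = 200;
+algorithm = "zstd";
+};
+
+## Filesystems
+services.btrfs.autoScrub = {
+enable = true;
+interval = "Tue, 02:00";
+# By default both /data and /nix would be scrubbed. They are the same filesystem so this is wasteful.
+fileSystems = [ "/data" ];
+};
+
+## General usability
+### Make podman available for dev tools such as act
+virtualisation = {
+containers.enable = true;
+podman = {
+enable = true;
+dockerCompat = true;
+dockerSocket.enable = true;
+};
+};
+users.users.jake.extraGroups = [ "podman" ];
+
+## Networking
+boot.kernel.sysctl = {
+"net.ipv4.ip_forward" = true;
+"net.ipv6.conf.all.forwarding" = true;
+};
+
+networking = {
+useDHCP = false;
+interfaces = {
+enp6s0 = {
+name = "eth0";
+useDHCP = true;
+ipv6.addresses = [{
+address = "2a01:4f8:173:23d2::2";
+prefixLength = 64;
+}];
+};
+};
+defaultGateway6 = {
+address = "fe80::1";
+interface = "eth0";
+};
+};
+
+networking.firewall = {
+trustedInterfaces = [ "tailscale0" ];
+allowedTCPPorts = lib.mkForce [ ];
+allowedUDPPorts = lib.mkForce [ ];
+interfaces = {
+eth0 = {
+allowedTCPPorts = lib.mkForce [
+22 # SSH
+3022 # SSH (Gitea) - redirected to 22
+53 # DNS
+80 # HTTP 1-2
+443 # HTTPS 1-2
+8080 # Unifi (inform)
+];
+allowedUDPPorts = lib.mkForce [
+53 # DNS
+443 # HTTP 3
+3478 # Unifi STUN
+];
+};
+};
+};
+
+## Tailscale
+age.secrets."tailscale/boron.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/boron.cx.ts.hillion.co.uk.age;
+services.tailscale = {
+enable = true;
+authKeyFile = config.age.secrets."tailscale/boron.cx.ts.hillion.co.uk".path;
+};
+};
+}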
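Review bot: `virtualisation.podman.dockerSocket.enable = true;` together with `users.users.jake.extraGroups = [ "podman" ];` gives `jake` write access to the rootful podman socket, which is equivalent to unrestricted root on this host (any container started with `--privileged` or a bind mount of `/`), so the `### Make podman available for dev tools such as act` comment understates the grant. Prefer rootless podman for that use (drop the `podman` group and `dockerSocket.enable`; act can be pointed at the per-user socket under `$XDG_RUNTIME_DIR/podman/`), or extend the comment to state that the group membership is deliberately root-equivalent. On `eth0`, `8080 # Unifi (inform)` and `3478 # Unifi STUN` are opened to the Internet even though `tailscale0` is already in `trustedInterfaces`; if the adopted devices reach the controller over Tailscale these two can leave the public list, and if they cannot, a note beside the port saying why would help the next reviewer. Both `disk0-crypt` and `disk1-crypt` are bound to the same `/data/disk_encryption.jwe`, i.e. one passphrase protects both volumes and, with the `t: 1` threshold in `clevis_config.json`, either Tang server alone can release it — a one-line comment above `clevis = {` recording that trust assumption would keep it visible next to the configuration.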
72
hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix
Normal file
72
hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix
Normal file
@ -0,0 +1,72 @@
|
||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "tmpfs";
|
||||
fsType = "tmpfs";
|
||||
options = [ "mode=0755" "size=100%" ];
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/ED9C-4ABC";
|
||||
fsType = "vfat";
|
||||
options = [ "fmask=0022" "dmask=0022" ];
|
||||
};
|
||||
|
||||
fileSystems."/data" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=data" ];
|
||||
};
|
||||
|
||||
fileSystems."/cache" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=cache" ];
|
||||
};
|
||||
|
||||
fileSystems."/nix" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=nix" ];
|
||||
};
|
||||
|
||||
boot.initrd.luks.devices."disk0-crypt" = {
|
||||
device = "/dev/disk/by-uuid/a68ead16-1bdc-4d26-9e55-62c2be11ceee";
|
||||
allowDiscards = true;
|
||||
};
|
||||
boot.initrd.luks.devices."disk1-crypt" = {
|
||||
device = "/dev/disk/by-uuid/19bde205-bee4-430d-a4c1-52d635a23963";
|
||||
allowDiscards = true;
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
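Review bot: `allowDiscards = true;` on both `disk0-crypt` and `disk1-crypt` passes TRIM through the LUKS layer, which is the usual choice for SSDs but lets anyone holding the raw device see which blocks are unused and so infer filesystem type and fill level; since the LUKS entries are hand-added to a file whose header says it is generated, a short comment recording the trade-off, e.g. `# discards leak free-space layout to the drive; accepted for SSD longevity`, keeps the decision from being lost on the next `nixos-generate-config` run. The `/boot` ESP is mounted with `fmask=0022 dmask=0022` (world-readable), and it is presumably where the initrd carrying the Clevis JWE ends up; that is acceptable only because the JWE is encrypted to the Tang servers, so nothing other than the JWE should ever be placed under `boot.initrd.secrets` on this host.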
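--- a/hosts/boron.cx.ts.hillion.co.uk/system
+++ b/hosts/boron.cx.ts.hillion.co.uk/system
@@ -0,0 +1 @@
+x86_64-linux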
@ -2,8 +2,6 @@
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../modules/common/default.nix
|
||||
../../modules/spotify/default.nix
|
||||
./bluetooth.nix
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
@ -17,6 +15,8 @@
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
custom.defaults = true;
|
||||
|
||||
## Impermanence
|
||||
custom.impermanence = {
|
||||
enable = true;
|
||||
@ -29,7 +29,15 @@
|
||||
];
|
||||
};
|
||||
|
||||
## Enable ZRAM swap to help with root on tmpfs
|
||||
zramSwap = {
|
||||
enable = true;
|
||||
memoryPercent = 200;
|
||||
algorithm = "zstd";
|
||||
};
|
||||
|
||||
## Desktop
|
||||
custom.users.jake.password = true;
|
||||
custom.desktop.awesome.enable = true;
|
||||
|
||||
## Resilio
|
||||
@ -60,9 +68,9 @@
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
preAuthKeyFile = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
|
||||
authKeyFile = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
|
||||
};
|
||||
|
||||
security.sudo.wheelNeedsPassword = lib.mkForce true;
|
||||
@ -75,24 +83,13 @@
|
||||
boot.initrd.kernelModules = [ "amdgpu" ];
|
||||
services.xserver.videoDrivers = [ "amdgpu" ];
|
||||
|
||||
## Spotify
|
||||
home-manager.users.jake.services.spotifyd.settings = {
|
||||
global = {
|
||||
device_name = "Gendry";
|
||||
device_type = "computer";
|
||||
bitrate = 320;
|
||||
};
|
||||
};
|
||||
|
||||
## Password (for interactive logins)
|
||||
age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".file = ../../secrets/passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake.age;
|
||||
|
||||
users.users."${config.custom.user}" = {
|
||||
passwordFile = config.age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".path;
|
||||
|
||||
packages = with pkgs; [
|
||||
prismlauncher
|
||||
];
|
||||
};
|
||||
|
||||
## Networking
|
||||
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
||||
};
|
||||
}
|
||||
|
@ -28,7 +28,10 @@
|
||||
options = [ "subvol=nix" ];
|
||||
};
|
||||
|
||||
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
|
||||
boot.initrd.luks.devices."root" = {
|
||||
device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
|
||||
allowDiscards = true;
|
||||
};
|
||||
|
||||
fileSystems."/data" =
|
||||
{
|
||||
|
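Review bot: `allowDiscards = true;` on the `root` LUKS mapping passes TRIM through dm-crypt, so the pattern of unused blocks on the encrypted device becomes observable to anyone who can read the raw disk; that is the usual SSD-longevity trade-off and deserves to be stated on the line, e.g. `allowDiscards = true; # TRIM through LUKS: reveals which blocks are free, accepted for SSD health`. The same applies to the `disk0-crypt`/`disk1-crypt` entries in the hardware-configuration hunk at the top of this page and to the `root` entry in the tywin hardware-configuration hunk at the end. The `fileSystems."/data"` block that this hunk opens continues outside it.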
@ -1,13 +0,0 @@
|
||||
{ pkgs, config, agenix, ... }:
|
||||
|
||||
{
|
||||
config.services.nix-daemon.enable = true;
|
||||
|
||||
config.environment.systemPackages = with pkgs; [
|
||||
git
|
||||
htop
|
||||
mosh
|
||||
nix
|
||||
vim
|
||||
];
|
||||
}
|
@ -1 +0,0 @@
|
||||
aarch64-darwin
|
50
hosts/li.pop.ts.hillion.co.uk/default.nix
Normal file
@ -0,0 +1,50 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
../../modules/rpi/rpi4.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
system.stateVersion = "23.11";
|
||||
|
||||
networking.hostName = "li";
|
||||
networking.domain = "pop.ts.hillion.co.uk";
|
||||
|
||||
custom.defaults = true;
|
||||
|
||||
## Custom Services
|
||||
custom.locations.autoServe = true;
|
||||
|
||||
# Networking
|
||||
## Tailscale
|
||||
age.secrets."tailscale/li.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/li.pop.ts.hillion.co.uk.age;
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
authKeyFile = config.age.secrets."tailscale/li.pop.ts.hillion.co.uk".path;
|
||||
useRoutingFeatures = "server";
|
||||
extraUpFlags = [ "--advertise-routes" "192.168.1.0/24" ];
|
||||
};
|
||||
|
||||
## Enable ZRAM to make up for 2GB of RAM
|
||||
zramSwap = {
|
||||
enable = true;
|
||||
memoryPercent = 200;
|
||||
algorithm = "zstd";
|
||||
};
|
||||
|
||||
## Run a persistent iperf3 server
|
||||
services.iperf3.enable = true;
|
||||
services.iperf3.openFirewall = true;
|
||||
|
||||
networking.firewall.interfaces = {
|
||||
"end0" = {
|
||||
allowedTCPPorts = [
|
||||
7654 # Tang
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
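Review bot: `extraUpFlags = [ "--advertise-routes" "192.168.1.0/24" ];` and `authKeyFile` are consumed by the NixOS tailscaled-autoconnect unit, which, as far as I can tell, exits early once the backend already reports Running, so these flags take effect on the first login only; later edits to the route list are silently ignored until `tailscale up` is re-run, and the route still has to be approved in the admin console. A comment on the line would save a debugging session, e.g. `# applied by tailscaled-autoconnect on first login only; re-run tailscale up after changing`. The same holds for the `extraUpFlags` block in the microserver.home section further down, where the list also carries `--advertise-exit-node`.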
@ -3,7 +3,6 @@
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
../../modules/common/default.nix
|
||||
../../modules/rpi/rpi4.nix
|
||||
];
|
||||
|
||||
@ -13,14 +12,23 @@
|
||||
networking.hostName = "microserver";
|
||||
networking.domain = "home.ts.hillion.co.uk";
|
||||
|
||||
custom.defaults = true;
|
||||
|
||||
## Custom Services
|
||||
custom.locations.autoServe = true;
|
||||
|
||||
# Networking
|
||||
## Tailscale
|
||||
age.secrets."tailscale/microserver.home.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.home.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
preAuthKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
|
||||
advertiseRoutes = [ "10.64.50.0/24" "10.239.19.0/24" ];
|
||||
advertiseExitNode = true;
|
||||
authKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
|
||||
useRoutingFeatures = "server";
|
||||
extraUpFlags = [
|
||||
"--advertise-routes"
|
||||
"10.64.50.0/24,10.239.19.0/24"
|
||||
"--advertise-exit-node"
|
||||
];
|
||||
};
|
||||
|
||||
## Enable IoT VLAN
|
||||
@ -31,6 +39,10 @@
|
||||
};
|
||||
};
|
||||
|
||||
hardware = {
|
||||
bluetooth.enable = true;
|
||||
};
|
||||
|
||||
## Enable IP forwarding for Tailscale
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.ip_forward" = true;
|
||||
@ -40,9 +52,19 @@
|
||||
services.iperf3.enable = true;
|
||||
services.iperf3.openFirewall = true;
|
||||
|
||||
networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
|
||||
1883 # MQTT server
|
||||
];
|
||||
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
||||
networking.firewall.interfaces = {
|
||||
"eth0" = {
|
||||
allowedUDPPorts = [
|
||||
5353 # HomeKit
|
||||
];
|
||||
allowedTCPPorts = [
|
||||
1400 # HA Sonos
|
||||
7654 # Tang
|
||||
21063 # HomeKit
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
|
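Review bot: With `useRoutingFeatures = "server";` the NixOS tailscale module already enables the IPv4/IPv6 forwarding sysctls, so the hand-written `boot.kernel.sysctl` block with `"net.ipv4.ip_forward" = true;` in the `@ -31,6 +39,10 @@` hunk looks redundant now (I believe; worth confirming against the module) and should either go or carry a comment saying it is kept on purpose. `"--advertise-exit-node"` is a much broader grant than the two subnet routes — once approved, any tailnet peer can send all of its internet traffic out through this LAN — and deserves its own comment, e.g. `"--advertise-exit-node" # peers may egress via the home WAN; must be approved per node in the admin console`. The closing lines of that sysctl block are outside its hunk.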
@ -1,35 +0,0 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
../../modules/common/default.nix
|
||||
../../modules/rpi/rpi4.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
system.stateVersion = "22.05";
|
||||
|
||||
networking.hostName = "microserver";
|
||||
networking.domain = "parents.ts.hillion.co.uk";
|
||||
|
||||
# Networking
|
||||
## Tailscale
|
||||
age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.parents.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
enable = true;
|
||||
preAuthKeyFile = config.age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".path;
|
||||
advertiseRoutes = [ "192.168.1.0/24" ];
|
||||
};
|
||||
|
||||
## Enable IP forwarding for Tailscale
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.ip_forward" = true;
|
||||
};
|
||||
|
||||
## Run a persistent iperf3 server
|
||||
services.iperf3.enable = true;
|
||||
services.iperf3.openFirewall = true;
|
||||
};
|
||||
}
|
||||
|
@ -2,7 +2,6 @@
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../modules/common/default.nix
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
@ -19,6 +18,11 @@
|
||||
"net.ipv4.conf.all.forwarding" = true;
|
||||
};
|
||||
|
||||
custom.defaults = true;
|
||||
|
||||
## Interactive password
|
||||
custom.users.jake.password = true;
|
||||
|
||||
## Impermanence
|
||||
custom.impermanence.enable = true;
|
||||
|
||||
@ -28,6 +32,14 @@
|
||||
nat.enable = lib.mkForce false;
|
||||
|
||||
useDHCP = false;
|
||||
|
||||
vlans = {
|
||||
cameras = {
|
||||
id = 3;
|
||||
interface = "eth2";
|
||||
};
|
||||
};
|
||||
|
||||
interfaces = {
|
||||
enp1s0 = {
|
||||
name = "eth0";
|
||||
@ -52,6 +64,14 @@
|
||||
}
|
||||
];
|
||||
};
|
||||
cameras /* cameras@eth2 */ = {
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = "10.133.145.1";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
};
|
||||
enp4s0 = { name = "eth3"; };
|
||||
enp5s0 = { name = "eth4"; };
|
||||
enp6s0 = { name = "eth5"; };
|
||||
@ -78,8 +98,8 @@
|
||||
|
||||
ip protocol icmp counter accept comment "accept all ICMP types"
|
||||
|
||||
iifname "eth0" ct state { established, related } counter accept
|
||||
iifname "eth0" drop
|
||||
iifname { "eth0", "cameras" } ct state { established, related } counter accept
|
||||
iifname { "eth0", "cameras" } drop
|
||||
}
|
||||
|
||||
chain forward {
|
||||
@ -102,14 +122,8 @@
|
||||
ip daddr 10.64.50.20 tcp dport 32400 counter accept comment "Plex"
|
||||
|
||||
ip daddr 10.64.50.20 tcp dport 8444 counter accept comment "Chia"
|
||||
ip daddr 10.64.50.20 tcp dport 28967 counter accept comment "zfs.tywin.storj"
|
||||
ip daddr 10.64.50.20 udp dport 28967 counter accept comment "zfs.tywin.storj"
|
||||
ip daddr 10.64.50.20 tcp dport 28968 counter accept comment "d0.tywin.storj"
|
||||
ip daddr 10.64.50.20 udp dport 28968 counter accept comment "d0.tywin.storj"
|
||||
ip daddr 10.64.50.20 tcp dport 28969 counter accept comment "d1.tywin.storj"
|
||||
ip daddr 10.64.50.20 udp dport 28969 counter accept comment "d1.tywin.storj"
|
||||
ip daddr 10.64.50.20 tcp dport 28970 counter accept comment "d2.tywin.storj"
|
||||
ip daddr 10.64.50.20 udp dport 28970 counter accept comment "d2.tywin.storj"
|
||||
|
||||
ip daddr 10.64.50.21 tcp dport 7654 counter accept comment "Tang"
|
||||
}
|
||||
}
|
||||
|
||||
@ -120,14 +134,8 @@
|
||||
iifname eth0 tcp dport 32400 counter dnat to 10.64.50.20
|
||||
|
||||
iifname eth0 tcp dport 8444 counter dnat to 10.64.50.20
|
||||
iifname eth0 tcp dport 28967 counter dnat to 10.64.50.20
|
||||
iifname eth0 udp dport 28967 counter dnat to 10.64.50.20
|
||||
iifname eth0 tcp dport 28968 counter dnat to 10.64.50.20
|
||||
iifname eth0 udp dport 28968 counter dnat to 10.64.50.20
|
||||
iifname eth0 tcp dport 28969 counter dnat to 10.64.50.20
|
||||
iifname eth0 udp dport 28969 counter dnat to 10.64.50.20
|
||||
iifname eth0 tcp dport 28970 counter dnat to 10.64.50.20
|
||||
iifname eth0 udp dport 28970 counter dnat to 10.64.50.20
|
||||
|
||||
iifname eth0 tcp dport 7654 counter dnat to 10.64.50.21
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
@ -140,54 +148,181 @@
|
||||
};
|
||||
|
||||
services = {
|
||||
dhcpd4 = {
|
||||
kea = {
|
||||
dhcp4 = {
|
||||
enable = true;
|
||||
|
||||
settings = {
|
||||
interfaces-config = {
|
||||
interfaces = [ "eth1" "eth2" "cameras" ];
|
||||
};
|
||||
lease-database = {
|
||||
type = "memfile";
|
||||
persist = true;
|
||||
name = "/var/lib/kea/dhcp4.leases";
|
||||
};
|
||||
|
||||
option-def = [
|
||||
{
|
||||
name = "cookie";
|
||||
space = "vendor-encapsulated-options-space";
|
||||
code = 1;
|
||||
type = "string";
|
||||
array = false;
|
||||
}
|
||||
];
|
||||
client-classes = [
|
||||
{
|
||||
name = "APC";
|
||||
test = "option[vendor-class-identifier].text == 'APC'";
|
||||
option-data = [
|
||||
{
|
||||
always-send = true;
|
||||
name = "vendor-encapsulated-options";
|
||||
}
|
||||
{
|
||||
name = "cookie";
|
||||
space = "vendor-encapsulated-options-space";
|
||||
code = 1;
|
||||
data = "1APC";
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
|
||||
subnet4 = [
|
||||
{
|
||||
subnet = "10.64.50.0/24";
|
||||
interface = "eth1";
|
||||
pools = [{
|
||||
pool = "10.64.50.64 - 10.64.50.254";
|
||||
}];
|
||||
option-data = [
|
||||
{
|
||||
name = "routers";
|
||||
data = "10.64.50.1";
|
||||
}
|
||||
{
|
||||
name = "broadcast-address";
|
||||
data = "10.64.50.255";
|
||||
}
|
||||
{
|
||||
name = "domain-name-servers";
|
||||
data = "10.64.50.1, 1.1.1.1, 8.8.8.8";
|
||||
}
|
||||
];
|
||||
reservations = lib.lists.imap0
|
||||
(i: el: {
|
||||
ip-address = "10.64.50.${toString (20 + i)}";
|
||||
inherit (el) hw-address hostname;
|
||||
}) [
|
||||
{ hostname = "tywin"; hw-address = "c8:7f:54:6d:e1:03"; }
|
||||
{ hostname = "microserver"; hw-address = "e4:5f:01:b4:58:95"; }
|
||||
{ hostname = "theon"; hw-address = "00:1e:06:49:06:1e"; }
|
||||
{ hostname = "server-switch"; hw-address = "84:d8:1b:9d:0d:85"; }
|
||||
{ hostname = "apc-ap7921"; hw-address = "00:c0:b7:6b:f4:34"; }
|
||||
{ hostname = "sodium"; hw-address = "d8:3a:dd:c3:d6:2b"; }
|
||||
];
|
||||
}
|
||||
{
|
||||
subnet = "10.239.19.0/24";
|
||||
interface = "eth2";
|
||||
pools = [{
|
||||
pool = "10.239.19.64 - 10.239.19.254";
|
||||
}];
|
||||
option-data = [
|
||||
{
|
||||
name = "routers";
|
||||
data = "10.239.19.1";
|
||||
}
|
||||
{
|
||||
name = "broadcast-address";
|
||||
data = "10.239.19.255";
|
||||
}
|
||||
{
|
||||
name = "domain-name-servers";
|
||||
data = "10.239.19.1, 1.1.1.1, 8.8.8.8";
|
||||
}
|
||||
];
|
||||
reservations = [
|
||||
{
|
||||
# bedroom-everything-presence-one
|
||||
hw-address = "40:22:d8:e0:1d:50";
|
||||
ip-address = "10.239.19.2";
|
||||
hostname = "bedroom-everything-presence-one";
|
||||
}
|
||||
{
|
||||
# living-room-everything-presence-one
|
||||
hw-address = "40:22:d8:e0:0f:78";
|
||||
ip-address = "10.239.19.3";
|
||||
hostname = "living-room-everything-presence-one";
|
||||
}
|
||||
];
|
||||
}
|
||||
{
|
||||
subnet = "10.133.145.0/24";
|
||||
interface = "cameras";
|
||||
pools = [{
|
||||
pool = "10.133.145.64 - 10.133.145.254";
|
||||
}];
|
||||
option-data = [
|
||||
{
|
||||
name = "routers";
|
||||
data = "10.133.145.1";
|
||||
}
|
||||
{
|
||||
name = "broadcast-address";
|
||||
data = "10.133.145.255";
|
||||
}
|
||||
{
|
||||
name = "domain-name-servers";
|
||||
data = "1.1.1.1, 8.8.8.8";
|
||||
}
|
||||
];
|
||||
reservations = [
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
unbound = {
|
||||
enable = true;
|
||||
interfaces = [ "eth1" "eth2" ];
|
||||
extraConfig = ''
|
||||
subnet 10.64.50.0 netmask 255.255.255.0 {
|
||||
interface eth1;
|
||||
settings = {
|
||||
server = {
|
||||
interface = [
|
||||
"127.0.0.1"
|
||||
"10.64.50.1"
|
||||
"10.239.19.1"
|
||||
];
|
||||
access-control = [
|
||||
"10.64.50.0/24 allow"
|
||||
"10.239.19.0/24 allow"
|
||||
];
|
||||
};
|
||||
|
||||
option broadcast-address 10.64.50.255;
|
||||
option routers 10.64.50.1;
|
||||
range 10.64.50.64 10.64.50.254;
|
||||
|
||||
option domain-name-servers 1.1.1.1, 8.8.8.8;
|
||||
}
|
||||
|
||||
subnet 10.239.19.0 netmask 255.255.255.0 {
|
||||
interface eth2;
|
||||
|
||||
option broadcast-address 10.239.19.255;
|
||||
option routers 10.239.19.1;
|
||||
range 10.239.19.64 10.239.19.254;
|
||||
|
||||
option domain-name-servers 1.1.1.1, 8.8.8.8;
|
||||
}
|
||||
'';
|
||||
machines = [
|
||||
{
|
||||
# tywin.storage.ts.hillion.co.uk
|
||||
ethernetAddress = "c8:7f:54:6d:e1:03";
|
||||
ipAddress = "10.64.50.20";
|
||||
hostName = "tywin";
|
||||
}
|
||||
{
|
||||
# syncbox
|
||||
ethernetAddress = "00:1e:06:49:06:1e";
|
||||
ipAddress = "10.64.50.22";
|
||||
hostName = "syncbox";
|
||||
}
|
||||
];
|
||||
forward-zone = [
|
||||
{
|
||||
name = ".";
|
||||
forward-tls-upstream = "yes";
|
||||
forward-addr = [
|
||||
"1.1.1.1#cloudflare-dns.com"
|
||||
"1.0.0.1#cloudflare-dns.com"
|
||||
"8.8.8.8#dns.google"
|
||||
"8.8.4.4#dns.google"
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/router.home.ts.hillion.co.uk".file = ../../secrets/tailscale/router.home.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
preAuthKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path;
|
||||
ipv4Addr = "100.105.71.48";
|
||||
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6269:4730";
|
||||
authKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path;
|
||||
};
|
||||
|
||||
## Enable btrfs compression
|
||||
@ -203,7 +338,6 @@
|
||||
## Netdata
|
||||
services.netdata = {
|
||||
enable = true;
|
||||
group = "caddy";
|
||||
config = {
|
||||
web = {
|
||||
"bind to" = "unix:/run/netdata/netdata.sock";
|
||||
@ -213,15 +347,21 @@
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
virtualHosts."http://graphs.router.home.ts.hillion.co.uk" = {
|
||||
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
|
||||
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
|
||||
extraConfig = "reverse_proxy unix///run/netdata/netdata.sock";
|
||||
};
|
||||
};
|
||||
|
||||
### HACK: caddy needs tailscale to be up so allow it to restart on failure
|
||||
systemd.services.caddy.serviceConfig = {
|
||||
Restart = lib.mkForce "on-failure";
|
||||
RestartSec = 15;
|
||||
users.users.caddy.extraGroups = [ "netdata" ];
|
||||
### HACK: Allow Caddy to restart if it fails. This happens because Tailscale
|
||||
### is too late at starting. Upstream nixos caddy does restart on failure
|
||||
### but it's prevented on exit code 1. Set the exit code to 0 (non-failure)
|
||||
### to override this.
|
||||
systemd.services.caddy = {
|
||||
requires = [ "tailscaled.service" ];
|
||||
after = [ "tailscaled.service" ];
|
||||
serviceConfig = {
|
||||
RestartPreventExitStatus = lib.mkForce 0;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
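Review bot: The prerouting rule `iifname eth0 tcp dport 7654 counter dnat to 10.64.50.21` and the matching forward accept with `comment "Tang"` publish the Tang server on whatever eth0 faces, which the input chain's `iifname "eth0" drop` suggests is the WAN. Tang's security model is that unlocking is bound to being on the network that can reach the server; once 7654 is reachable from the internet, anyone holding a copy of a `disk_encryption.jwe` (tywin's pin uses `t: 1`, so one server suffices) can recover the key from anywhere, and that JWE lives in the initrd on the unencrypted boot partition. If a remote host needs this Tang, reaching 10.64.50.21 over the 10.64.50.0/24 route that microserver.home advertises on Tailscale, or restricting the rule with an `ip saddr` set of known peers, keeps the location binding; at minimum annotate the rule, e.g. `# Tang reachable from WAN: removes the on-network-only unlock binding — intentional?`. Both rules sit in the `@ -102,14 +122,8 @@` and `@ -120,14 +134,8 @@` hunks, whose enclosing nftables ruleset starts and ends outside them.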
@ -12,6 +12,7 @@
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.kernelParams = [ "console=ttyS0,115200n8" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
|
87
hosts/sodium.pop.ts.hillion.co.uk/default.nix
Normal file
@ -0,0 +1,87 @@
|
||||
{ config, pkgs, lib, nixos-hardware, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
"${nixos-hardware}/raspberry-pi/5/default.nix"
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
system.stateVersion = "24.05";
|
||||
|
||||
networking.hostName = "sodium";
|
||||
networking.domain = "pop.ts.hillion.co.uk";
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
custom.defaults = true;
|
||||
|
||||
## Enable btrfs compression
|
||||
fileSystems."/data".options = [ "compress=zstd" ];
|
||||
fileSystems."/nix".options = [ "compress=zstd" ];
|
||||
|
||||
## Impermanence
|
||||
custom.impermanence = {
|
||||
enable = true;
|
||||
cache.enable = true;
|
||||
};
|
||||
boot.initrd.postDeviceCommands = lib.mkAfter ''
|
||||
btrfs subvolume delete /cache/tmp
|
||||
btrfs subvolume snapshot /cache/empty_snapshot /cache/tmp
|
||||
chmod 1777 /cache/tmp
|
||||
'';
|
||||
|
||||
## CA server
|
||||
custom.ca.service.enable = true;
|
||||
|
||||
### nix only supports build-dir from 2.22. bind mount /tmp to something persistent instead.
|
||||
fileSystems."/tmp" = {
|
||||
device = "/cache/tmp";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
# nix = {
|
||||
# settings = {
|
||||
# build-dir = "/cache/tmp/";
|
||||
# };
|
||||
# };
|
||||
|
||||
## Custom Services
|
||||
custom.locations.autoServe = true;
|
||||
|
||||
# Networking
|
||||
networking = {
|
||||
useDHCP = false;
|
||||
interfaces = {
|
||||
end0 = {
|
||||
name = "eth0";
|
||||
useDHCP = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
||||
|
||||
networking.firewall = {
|
||||
trustedInterfaces = [ "tailscale0" ];
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [ ];
|
||||
interfaces = {
|
||||
eth0 = {
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
7654 # Tang
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/sodium.pop.ts.hillion.co.uk.age;
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
authKeyFile = config.age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".path;
|
||||
};
|
||||
};
|
||||
}
|
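Review bot: The `fileSystems."/tmp"` bind mount with `options = [ "bind" ];` turns a persistent, world-writable subvolume (`chmod 1777 /cache/tmp` above) into /tmp without `nosuid`/`nodev`; `options = [ "bind" "nosuid" "nodev" ];` closes the setuid-binary and device-node avenue on a world-writable path at no cost to Nix builds, which only need exec. The `boot.initrd.postDeviceCommands` fragment also assumes `/cache` is already mounted when it runs — presumably by an earlier fragment from the impermanence module that `lib.mkAfter` orders it behind, which is not visible here — and deletes `/cache/tmp` unconditionally, so a missing `/cache/empty_snapshot` would leave the host without a /tmp; that dependency is worth a comment on the `lib.mkAfter` line.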
63
hosts/sodium.pop.ts.hillion.co.uk/hardware-configuration.nix
Normal file
@ -0,0 +1,63 @@
|
||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "usbhid" "usb_storage" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "tmpfs";
|
||||
fsType = "tmpfs";
|
||||
options = [ "mode=0755" ];
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/417B-1063";
|
||||
fsType = "vfat";
|
||||
options = [ "fmask=0022" "dmask=0022" ];
|
||||
};
|
||||
|
||||
fileSystems."/nix" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=nix" ];
|
||||
};
|
||||
|
||||
fileSystems."/data" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=data" ];
|
||||
};
|
||||
|
||||
fileSystems."/cache" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=cache" ];
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enu1u4.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
|
||||
}
|
1
hosts/sodium.pop.ts.hillion.co.uk/system
Normal file
@ -0,0 +1 @@
|
||||
aarch64-linux
|
56
hosts/theon.storage.ts.hillion.co.uk/default.nix
Normal file
@ -0,0 +1,56 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
system.stateVersion = "23.11";
|
||||
|
||||
networking.hostName = "theon";
|
||||
networking.domain = "storage.ts.hillion.co.uk";
|
||||
|
||||
boot.loader.grub.enable = false;
|
||||
boot.loader.generic-extlinux-compatible.enable = true;
|
||||
|
||||
custom.defaults = true;
|
||||
|
||||
## Custom Services
|
||||
custom = {
|
||||
locations.autoServe = true;
|
||||
};
|
||||
|
||||
## Networking
|
||||
networking.useNetworkd = true;
|
||||
systemd.network.enable = true;
|
||||
|
||||
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
||||
networking.firewall = {
|
||||
trustedInterfaces = [ "tailscale0" ];
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
22 # SSH
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [ ];
|
||||
interfaces = {
|
||||
end0 = {
|
||||
allowedTCPPorts = lib.mkForce [ ];
|
||||
allowedUDPPorts = lib.mkForce [ ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/theon.storage.ts.hillion.co.uk".file = ../../secrets/tailscale/theon.storage.ts.hillion.co.uk.age;
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
authKeyFile = config.age.secrets."tailscale/theon.storage.ts.hillion.co.uk".path;
|
||||
};
|
||||
|
||||
## Packages
|
||||
environment.systemPackages = with pkgs; [
|
||||
scrub
|
||||
smartmontools
|
||||
];
|
||||
};
|
||||
}
|
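Review bot: `allowedTCPPorts = lib.mkForce [ 22 # SSH ];` is the global list, so SSH is open on every interface including the `end0` LAN interface — the per-interface `end0 = { allowedTCPPorts = lib.mkForce [ ]; ... }` only adds ports and does not take the global one away, which is easy to misread. Sodium's equivalent block in this same change forces the global list empty and relies on `trustedInterfaces = [ "tailscale0" ]`, so the two hosts disagree. If LAN-reachable SSH is the intended recovery path for a headless storage box, say so on the line, e.g. `22 # SSH (reachable on the LAN on purpose: recovery when Tailscale is down)`; otherwise drop it to match sodium so SSH is only reachable over Tailscale.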
@ -6,26 +6,20 @@
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.availableKernelModules = [ "ahci" "usbhid" "usb_storage" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/6d59bd4b-439d-4480-897c-4480ea6fbe56";
|
||||
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/data" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/01a351b8-cf66-4a31-9804-0b4145e69153";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
@ -33,8 +27,7 @@
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.tailscale0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.end0.useDHCP = lib.mkDefault true;
|
||||
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
|
||||
}
|
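Review bot: `device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";` looks like a placeholder, but it appears to be the fixed root UUID that the NixOS aarch64 SD image writes into its ext4 partition, so every board flashed from that image shares it. A comment stops the next reader from "fixing" it and records that attaching a second NixOS SD card to this host would make the by-uuid path ambiguous, e.g. `# fixed UUID from the NixOS SD image, not unique across boards`. Giving the filesystem a fresh UUID once and updating this line would remove the ambiguity for good.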
1
hosts/theon.storage.ts.hillion.co.uk/system
Normal file
@ -0,0 +1 @@
|
||||
aarch64-linux
|
7
hosts/tywin.storage.ts.hillion.co.uk/README.md
Normal file
@ -0,0 +1,7 @@
|
||||
# tywin.storage.ts.hillion.co.uk
|
||||
|
||||
Additional installation step for Clevis/Tang:
|
||||
|
||||
$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json)" >/mnt/disk_encryption.jwe
|
||||
$ sudo chown root:root /mnt/disk_encryption.jwe
|
||||
$ sudo chmod 0400 /mnt/disk_encryption.jwe
|
14
hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json
Normal file
@ -0,0 +1,14 @@
|
||||
{
|
||||
"t": 1,
|
||||
"pins": {
|
||||
"tang": [
|
||||
{
|
||||
"url": "http://10.64.50.21:7654"
|
||||
},
|
||||
{
|
||||
"url": "http://10.64.50.25:7654"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
|
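Review bot: `"t": 1` makes the sss pin a one-of-two: either Tang server alone unseals the JWE, so the second server adds availability rather than a second factor, and exposure of either one is enough. That is a defensible choice for a home storage box, but JSON cannot carry the rationale; the README beside it is the place for a sentence saying that t=1 is chosen for availability and that either 10.64.50.21 (microserver, per the router's kea reservations) or 10.64.50.25 (sodium) unlocks on its own. The plain `http://` URLs are how Tang works — the exchange reveals nothing useful on its own — so nothing to change there.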
@ -2,7 +2,6 @@
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../modules/common/default.nix
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
@ -16,15 +15,35 @@
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
boot.kernelParams = [
|
||||
"ip=dhcp"
|
||||
"zfs.zfs_arc_max=25769803776"
|
||||
];
|
||||
boot.initrd = {
|
||||
availableKernelModules = [ "r8169" ];
|
||||
network.enable = true;
|
||||
clevis = {
|
||||
enable = true;
|
||||
useTang = true;
|
||||
devices."root".secretFile = "/disk_encryption.jwe";
|
||||
};
|
||||
};
|
||||
|
||||
custom.locations.autoServe = true;
|
||||
custom.defaults = true;
|
||||
|
||||
# zram swap: used in the hope it will give the ZFS ARC more room to back off
|
||||
zramSwap = {
|
||||
enable = true;
|
||||
memoryPercent = 200;
|
||||
algorithm = "zstd";
|
||||
};
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".file = ../../secrets/tailscale/tywin.storage.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
preAuthKeyFile = config.age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".path;
|
||||
ipv4Addr = "100.115.31.91";
|
||||
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
|
||||
authKeyFile = config.age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".path;
|
||||
};
|
||||
|
||||
## Filesystems
|
||||
@ -35,18 +54,18 @@
|
||||
forceImportRoot = false;
|
||||
extraPools = [ "data" ];
|
||||
};
|
||||
boot.kernelParams = [ "zfs.zfs_arc_max=25769803776" ];
|
||||
|
||||
services.zfs.autoScrub = {
|
||||
services.btrfs.autoScrub = {
|
||||
enable = true;
|
||||
interval = "Tue, 02:00";
|
||||
# All filesystems includes the BTRFS parts of all the hard drives. This
|
||||
# would take forever and is redundant as they get fully read regularly.
|
||||
fileSystems = [ "/" ];
|
||||
};
|
||||
services.zfs.autoScrub = {
|
||||
enable = true;
|
||||
interval = "Wed, 02:00";
|
||||
};
|
||||
services.sanoid.enable = true;
|
||||
|
||||
fileSystems."/mnt/d0".options = [ "x-systemd.mount-timeout=3m" ];
|
||||
fileSystems."/mnt/d1".options = [ "x-systemd.mount-timeout=3m" ];
|
||||
fileSystems."/mnt/d2".options = [ "x-systemd.mount-timeout=3m" ];
|
||||
fileSystems."/mnt/d3".options = [ "x-systemd.mount-timeout=3m" ];
|
||||
|
||||
## Backups
|
||||
### Git
|
||||
@ -136,11 +155,21 @@
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
virtualHosts."http://restic.tywin.storage.ts.hillion.co.uk".extraConfig = ''
|
||||
bind ${config.custom.tailscale.ipv4Addr} ${config.custom.tailscale.ipv6Addr}
|
||||
bind ${config.custom.dns.tailscale.ipv4} ${config.custom.dns.tailscale.ipv6}
|
||||
reverse_proxy http://localhost:8000
|
||||
'';
|
||||
};
|
||||
systemd.services.caddy.requires = [ "tailscaled.service" ];
|
||||
### HACK: Allow Caddy to restart if it fails. This happens because Tailscale
|
||||
### is too late at starting. Upstream nixos caddy does restart on failure
|
||||
### but it's prevented on exit code 1. Set the exit code to 0 (non-failure)
|
||||
### to override this.
|
||||
systemd.services.caddy = {
|
||||
requires = [ "tailscaled.service" ];
|
||||
after = [ "tailscaled.service" ];
|
||||
serviceConfig = {
|
||||
RestartPreventExitStatus = lib.mkForce 0;
|
||||
};
|
||||
};
|
||||
|
||||
services.restic.backups."prune-128G" = {
|
||||
repository = "/data/backups/restic/128G";
|
||||
@ -188,53 +217,9 @@
|
||||
custom.chia = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
path = "/data/chia";
|
||||
keyFile = config.age.secrets."chia/farmer.key".path;
|
||||
targetAddress = "xch1tl87mjd9zpugs7qy2ysc3j4qlftqlyjn037jywq6v2y4kp22g74qahn6sw";
|
||||
plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 3;
|
||||
plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 8;
|
||||
};
|
||||
services.sanoid.datasets."data/chia" = {
|
||||
autosnap = true;
|
||||
autoprune = true;
|
||||
|
||||
hourly = 0;
|
||||
daily = 7;
|
||||
weekly = 12;
|
||||
monthly = 6;
|
||||
};
|
||||
|
||||
## Storj
|
||||
age.secrets."storj/auth" = {
|
||||
file = ../../secrets/storj/auth.age;
|
||||
owner = "storj";
|
||||
group = "storj";
|
||||
};
|
||||
custom.storj = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
email = "jake+storj@hillion.co.uk";
|
||||
wallet = "0x03cebe2608945D51f0bcE6c5ef70b4948fCEcfEe";
|
||||
};
|
||||
|
||||
custom.storj.instances =
|
||||
let
|
||||
mkStorj = index: {
|
||||
name = "d${toString index}";
|
||||
value = {
|
||||
configDir = "/mnt/d${toString index}/storj/config";
|
||||
identityDir = "/mnt/d${toString index}/storj/identity";
|
||||
authorizationTokenFile = config.age.secrets."storj/auth".path;
|
||||
|
||||
serverPort = 28967 + index;
|
||||
externalAddress = "d${toString index}.tywin.storj.hillion.co.uk:${toString (28967 + index)}";
|
||||
consoleAddress = "100.115.31.91:${toString (14002 + index)}";
|
||||
|
||||
storage = "1000GB";
|
||||
};
|
||||
};
|
||||
instances = builtins.genList (x: x) 4;
|
||||
in
|
||||
builtins.listToAttrs (builtins.map mkStorj instances);
|
||||
|
||||
## Downloads
|
||||
custom.services.downloads = {
|
||||
@ -251,13 +236,10 @@
|
||||
openFirewall = true;
|
||||
};
|
||||
|
||||
## Firewall
|
||||
## Networking
|
||||
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
||||
networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
|
||||
80 # Caddy (restic.tywin.storage.ts.)
|
||||
14002 # Storj Dashboard (d0.)
|
||||
14003 # Storj Dashboard (d1.)
|
||||
14004 # Storj Dashboard (d2.)
|
||||
14005 # Storj Dashboard (d3.)
|
||||
];
|
||||
};
|
||||
}
|
||||
|
@ -20,6 +20,11 @@
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
boot.initrd.luks.devices."root" = {
|
||||
device = "/dev/disk/by-uuid/32837730-5e15-4917-9939-cbb58bb0aabf";
|
||||
allowDiscards = true;
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/BC57-0AF6";
|
||||
@ -28,25 +33,49 @@
|
||||
|
||||
fileSystems."/mnt/d0" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/b424c997-4be6-42f3-965a-f5b3573a9cb3";
|
||||
device = "/dev/disk/by-uuid/9136434d-d883-4118-bd01-903f720e5ce1";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
fileSystems."/mnt/d1" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/9136434d-d883-4118-bd01-903f720e5ce1";
|
||||
device = "/dev/disk/by-uuid/a55d164e-b48e-4a4e-b073-d0768662d3d0";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
fileSystems."/mnt/d2" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/a55d164e-b48e-4a4e-b073-d0768662d3d0";
|
||||
device = "/dev/disk/by-uuid/82b82c66-e6e6-4b76-a5ef-8adea33dbe18";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
fileSystems."/mnt/d3" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/82b82c66-e6e6-4b76-a5ef-8adea33dbe18";
|
||||
device = "/dev/disk/by-uuid/6566588a-9399-4b35-a18c-060de0ee8431";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
fileSystems."/mnt/d4" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/850ce5db-4245-428a-a66d-2647abf62a4c";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
fileSystems."/mnt/d5" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/78bc5c57-d554-43c5-9a84-14e3dc52b1b3";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
fileSystems."/mnt/d6" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/b461e07d-39ab-46b4-b1d1-14c2e0791915";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
fileSystems."/mnt/d7" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/eb8d32d0-e506-449b-8dbc-585ba05c4252";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
|
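Review bot: `allowDiscards = true` on the new `boot.initrd.luks.devices."root"` block passes TRIM through the encrypted device, which lets anyone holding the raw disk see which blocks are unused and so infer filesystem layout and free-space patterns; that is a documented trade-off rather than a bug, but it deserves a comment such as `# allowDiscards leaks free-space layout through the ciphertext; accepted for SSD longevity`. The `/mnt/d0`–`/mnt/d3` UUID changes look like every disk shifting down one slot after `b424c997-…` was dropped, so anything addressed by index under `/mnt/dN` (the Storj `identityDir`/`configDir` and Chia plot paths in the host config) now lands on a different physical disk than before — please confirm that is intended, because a Storj identity moving to a different `dN` address/port would be a silent misconfiguration. The added `fileSystems."/mnt/d4"`–`d7` entries carry no `options`; `nofail` for non-boot-critical data disks would keep one failed drive from dropping the host into emergency mode, if that is the desired behaviour.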
@ -1,88 +0,0 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../modules/common/default.nix
|
||||
../../modules/drone/server.nix
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
system.stateVersion = "22.05";
|
||||
|
||||
networking.hostName = "vm";
|
||||
networking.domain = "strangervm.ts.hillion.co.uk";
|
||||
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
device = "/dev/sda";
|
||||
};
|
||||
|
||||
## Custom Services
|
||||
custom = {
|
||||
locations.autoServe = true;
|
||||
www.global.enable = true;
|
||||
services.matrix.enable = true;
|
||||
services.version_tracker.enable = true;
|
||||
};
|
||||
|
||||
## Networking
|
||||
networking.interfaces.ens18.ipv4.addresses = [{
|
||||
address = "10.72.164.3";
|
||||
prefixLength = 24;
|
||||
}];
|
||||
networking.defaultGateway = "10.72.164.1";
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
22 # SSH
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [ ];
|
||||
interfaces = {
|
||||
ens18 = {
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
80 # HTTP 1-2
|
||||
443 # HTTPS 1-2
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [
|
||||
443 # HTTP 3
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".file = ../../secrets/tailscale/vm.strangervm.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
enable = true;
|
||||
preAuthKeyFile = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path;
|
||||
};
|
||||
|
||||
## Resilio Sync (Encrypted)
|
||||
custom.resilio.enable = true;
|
||||
services.resilio.deviceName = "vm.strangervm";
|
||||
services.resilio.directoryRoot = "/data/sync";
|
||||
services.resilio.storagePath = "/data/sync/.sync";
|
||||
|
||||
custom.resilio.folders =
|
||||
let
|
||||
folderNames = [
|
||||
"dad"
|
||||
"projects"
|
||||
"resources"
|
||||
"sync"
|
||||
];
|
||||
mkFolder = name: {
|
||||
name = name;
|
||||
secret = {
|
||||
name = "resilio/encrypted/${name}";
|
||||
file = ../../secrets/resilio/encrypted/${name}.age;
|
||||
};
|
||||
};
|
||||
in
|
||||
builtins.map (mkFolder) folderNames;
|
||||
|
||||
## Backups
|
||||
services.postgresqlBackup.location = "/data/backup/postgres";
|
||||
};
|
||||
}
|
@ -3,6 +3,7 @@
|
||||
{
|
||||
imports = [
|
||||
./git.nix
|
||||
./homeassistant.nix
|
||||
./matrix.nix
|
||||
];
|
||||
}
|
||||
|
34
modules/backups/homeassistant.nix
Normal file
34
modules/backups/homeassistant.nix
Normal file
@ -0,0 +1,34 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.backups.homeassistant;
|
||||
in
|
||||
{
|
||||
options.custom.backups.homeassistant = {
|
||||
enable = lib.mkEnableOption "homeassistant";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
age.secrets."backups/homeassistant/restic/128G" = {
|
||||
file = ../../secrets/restic/128G.age;
|
||||
owner = "hass";
|
||||
group = "hass";
|
||||
};
|
||||
|
||||
services = {
|
||||
restic.backups."homeassistant" = {
|
||||
user = "hass";
|
||||
timerConfig = {
|
||||
OnCalendar = "03:00";
|
||||
RandomizedDelaySec = "60m";
|
||||
};
|
||||
repository = "rest:http://restic.tywin.storage.ts.hillion.co.uk/128G";
|
||||
passwordFile = config.age.secrets."backups/homeassistant/restic/128G".path;
|
||||
paths = [
|
||||
config.services.home-assistant.configDir
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
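Review bot: `repository = "rest:http://restic.tywin.storage.ts.hillion.co.uk/128G"` reaches the REST server without TLS and without credentials in the URL, so the repository's integrity is protected only by the tailnet boundary — snapshot contents are encrypted client-side, but any tailnet peer that can reach port 80 on tywin can delete or overwrite snapshots unless the server runs append-only, which this module cannot see. The password comes from `../../secrets/restic/128G.age`, which by its name appears to be the key for the shared `128G` repository that tywin's `prune-128G` job also manages, so the `hass` user holds the key to other hosts' backups as well; a Home Assistant compromise would then expose everything in that repository, and a per-host repository (or a documented acceptance of the shared-key model) would contain that. Worth a comment above `repository`: `# Plain HTTP over tailscale; repo is shared with other hosts under one password — a hass compromise can read all of 128G`. The `timerConfig` also lacks `Persistent = true;`, so a host that is powered off at 03:00 silently skips that day's run.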
11
modules/ca/README.md
Normal file
11
modules/ca/README.md
Normal file
@ -0,0 +1,11 @@
|
||||
# ca
|
||||
|
||||
Getting the certificates in the right place is a manual process (for now, at least). This is to keep the most control over the root certificate's key and allow manual cycling. The manual commands should be run on a trusted machine.
|
||||
|
||||
Creating a 10 year root certificate:
|
||||
|
||||
nix run nixpkgs#step-cli -- certificate create 'Hillion ACME' cert.pem key.pem --kty=EC --curve=P-521 --profile=root-ca --not-after=87600h
|
||||
|
||||
Creating the intermediate key:
|
||||
|
||||
nix run nixpkgs#step-cli -- certificate create 'Hillion ACME (sodium.pop.ts.hillion.co.uk)' intermediate_cert.pem intermediate_key.pem --kty=EC --curve=P-521 --profile=intermediate-ca --not-after=8760h --ca=$NIXOS_ROOT/modules/ca/cert.pem --ca-key=DOWNLOADED_KEY.pem
|
13
modules/ca/cert.pem
Normal file
13
modules/ca/cert.pem
Normal file
@ -0,0 +1,13 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIB+TCCAVqgAwIBAgIQIZdaIUsuJdjnu7DQP1N8oTAKBggqhkjOPQQDBDAXMRUw
|
||||
EwYDVQQDEwxIaWxsaW9uIEFDTUUwHhcNMjQwODAxMjIyMjEwWhcNMzQwNzMwMjIy
|
||||
MjEwWjAXMRUwEwYDVQQDEwxIaWxsaW9uIEFDTUUwgZswEAYHKoZIzj0CAQYFK4EE
|
||||
ACMDgYYABAAJI3z1PrV97EFc1xaENcr6ML1z6xdXTy+ReHtf42nWsw+c3WDKzJ45
|
||||
+xHJ/p2BTOR5+NQ7RGQQ68zmFJnEYTYDogAw6U9YzxxDGlG1HlgnZ9PPmXoF+PFl
|
||||
Zy2WZCiDPx5KDJcjTPzLV3ITt4fl3PMA12BREVeonvrvRLcpVrMfS2b7wKNFMEMw
|
||||
DgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFFBT
|
||||
fMT0uUbS+lVUbGKK8/SZHPISMAoGCCqGSM49BAMEA4GMADCBiAJCAPNIwrQztPrN
|
||||
MaHB3J0lNVODIGwQWblt99vnjqIWOKJhgckBxaElyInsyt8dlnmTCpOCJdY4BA+K
|
||||
Nr87AfwIWdAaAkIBV5i4zXPXVKblGKnmM0FomFSbq2cYE3pmi5BO1StakH1kEHlf
|
||||
vbkdwFgkw2MlARp0Ka3zbWivBG9zjPoZtsL/8tk=
|
||||
-----END CERTIFICATE-----
|
14
modules/ca/consumer.nix
Normal file
14
modules/ca/consumer.nix
Normal file
@ -0,0 +1,14 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.ca.consumer;
|
||||
in
|
||||
{
|
||||
options.custom.ca.consumer = {
|
||||
enable = lib.mkEnableOption "ca.service";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
security.pki.certificates = [ (builtins.readFile ./cert.pem) ];
|
||||
};
|
||||
}
|
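Review bot: `security.pki.certificates = [ (builtins.readFile ./cert.pem) ]` installs the `Hillion ACME` root into the system trust store with no name constraints, so every host that enables this (all of them, via `custom.ca.consumer.enable = true` in `defaults.nix`) will trust any certificate the chain signs for any hostname, not only `*.ts.hillion.co.uk`. That turns the intermediate key on the CA host into a lever for impersonating arbitrary public sites to the whole fleet, a far larger blast radius than the ACME use-case needs. Consider re-issuing the root (or at least the intermediate) with a Name Constraints extension permitting only `.ts.hillion.co.uk`, and until then add `# Trusts this private root for ALL names on every host — compromise of the intermediate key (see README.md) means fleet-wide MITM`. The enable-option label `"ca.service"` also looks copy-pasted from service.nix; `"ca.consumer"` would be accurate.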
8
modules/ca/default.nix
Normal file
8
modules/ca/default.nix
Normal file
@ -0,0 +1,8 @@
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./consumer.nix
|
||||
./service.nix
|
||||
];
|
||||
}
|
45
modules/ca/service.nix
Normal file
45
modules/ca/service.nix
Normal file
@ -0,0 +1,45 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.ca.service;
|
||||
in
|
||||
{
|
||||
options.custom.ca.service = {
|
||||
enable = lib.mkEnableOption "ca.service";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
services.step-ca = {
|
||||
enable = true;
|
||||
|
||||
address = config.custom.dns.tailscale.ipv4;
|
||||
port = 8443;
|
||||
|
||||
intermediatePasswordFile = "/data/system/ca/intermediate.psk";
|
||||
|
||||
settings = {
|
||||
root = ./cert.pem;
|
||||
crt = "/data/system/ca/intermediate.crt";
|
||||
key = "/data/system/ca/intermediate.pem";
|
||||
|
||||
dnsNames = [ "ca.ts.hillion.co.uk" ];
|
||||
|
||||
logger = { format = "text"; };
|
||||
|
||||
db = {
|
||||
type = "badgerv2";
|
||||
dataSource = "/var/lib/step-ca/db";
|
||||
};
|
||||
|
||||
authority = {
|
||||
provisioners = [
|
||||
{
|
||||
type = "ACME";
|
||||
name = "acme";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
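Review bot: `db.dataSource = "/var/lib/step-ca/db"` places the badger database — issued-certificate records, ACME accounts and nonces — outside the `/data/system/ca` directory that holds the key material, and on a host using `custom.impermanence` that path is not in the persisted-directory list visible in this commit, so issuance state would be lost on every reboot unless it is persisted elsewhere (not visible here; please confirm). The intermediate key at `/data/system/ca/intermediate.pem` and `intermediatePasswordFile` are referenced by absolute path with nothing here setting ownership or mode; a comment such as `# Managed manually per README.md: owned by the step-ca user, mode 0600` would make the manual process auditable. Only an ACME provisioner is configured, with default claims, which presumably means any tailnet host that can satisfy a challenge for a name obtains a certificate for it; stating that trust boundary in a comment next to `provisioners` would help the next reader.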
@ -1,17 +1,12 @@
|
||||
{ config, pkgs, lib, nixpkgs-chia, ... }:
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.chia;
|
||||
chia = nixpkgs-chia.legacyPackages.x86_64-linux.chia;
|
||||
|
||||
ctl = pkgs.writeScriptBin "chiactl" ''
|
||||
#! ${pkgs.runtimeShell}
|
||||
sudo=exec
|
||||
if [[ "$USER" != chia ]]; then
|
||||
sudo='exec /run/wrappers/bin/sudo -u chia'
|
||||
fi
|
||||
|
||||
$sudo ${chia}/bin/chia "$@"
|
||||
set -e
|
||||
sudo ${pkgs.podman}/bin/podman exec chia chia "$@"
|
||||
'';
|
||||
in
|
||||
{
|
||||
@ -26,14 +21,6 @@ in
|
||||
type = with lib.types; nullOr str;
|
||||
default = null;
|
||||
};
|
||||
keyLabel = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "default";
|
||||
};
|
||||
targetAddress = lib.mkOption {
|
||||
type = with lib.types; nullOr str;
|
||||
default = null;
|
||||
};
|
||||
plotDirectories = lib.mkOption {
|
||||
type = with lib.types; nullOr (listOf str);
|
||||
default = null;
|
||||
@ -47,52 +34,31 @@ in
|
||||
config = lib.mkIf cfg.enable {
|
||||
environment.systemPackages = [ ctl ];
|
||||
|
||||
users.groups.chia = { };
|
||||
users.groups.chia = {
|
||||
gid = config.ids.gids.chia;
|
||||
};
|
||||
users.users.chia = {
|
||||
home = cfg.path;
|
||||
createHome = true;
|
||||
isSystemUser = true;
|
||||
group = "chia";
|
||||
uid = config.ids.uids.chia;
|
||||
};
|
||||
|
||||
systemd.services.chia = {
|
||||
description = "Chia daemon.";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
preStart = lib.strings.concatStringsSep "\n" ([ "${chia}/bin/chia init" ]
|
||||
++ (if cfg.keyFile == null then [ ] else [ "${chia}/bin/chia keys add -f ${cfg.keyFile} -l '${cfg.keyLabel}'" ])
|
||||
++ (if cfg.targetAddress == null then [ ] else [
|
||||
''
|
||||
${pkgs.yq-go}/bin/yq e \
|
||||
'.farmer.xch_target_address = "${cfg.targetAddress}" | .pool.xch_target_address = "${cfg.targetAddress}"' \
|
||||
-i ${cfg.path}/.chia/mainnet/config/config.yaml
|
||||
''
|
||||
]) ++ (if cfg.plotDirectories == null then [ ] else [
|
||||
''
|
||||
${pkgs.yq-go}/bin/yq e \
|
||||
'.harvester.plot_directories = [${lib.strings.concatMapStringsSep "," (x: "\"" + x + "\"") cfg.plotDirectories}]' \
|
||||
-i ${cfg.path}/.chia/mainnet/config/config.yaml
|
||||
''
|
||||
]));
|
||||
script = "${chia}/bin/chia start farmer";
|
||||
preStop = "${chia}/bin/chia stop -d farmer";
|
||||
|
||||
serviceConfig = {
|
||||
Type = "forking";
|
||||
|
||||
User = "chia";
|
||||
Group = "chia";
|
||||
|
||||
WorkingDirectory = cfg.path;
|
||||
|
||||
Restart = "always";
|
||||
RestartSec = 10;
|
||||
TimeoutStopSec = 120;
|
||||
OOMScoreAdjust = 1000;
|
||||
|
||||
Nice = 2;
|
||||
IOSchedulingClass = "best-effort";
|
||||
IOSchedulingPriority = 7;
|
||||
virtualisation.oci-containers.containers.chia = {
|
||||
image = "ghcr.io/chia-network/chia:2.4.1";
|
||||
ports = [ "8444" ];
|
||||
extraOptions = [
|
||||
"--uidmap=0:${toString config.users.users.chia.uid}:1"
|
||||
"--gidmap=0:${toString config.users.groups.chia.gid}:1"
|
||||
];
|
||||
volumes = [
|
||||
"${cfg.keyFile}:/run/keyfile"
|
||||
"${cfg.path}/.chia:/root/.chia"
|
||||
] ++ lib.lists.imap0 (i: v: "${v}:/plots${toString i}") cfg.plotDirectories;
|
||||
environment = {
|
||||
keys = "/run/keyfile";
|
||||
plots_dir = lib.strings.concatImapStringsSep ":" (i: v: "/plots${toString i}") cfg.plotDirectories;
|
||||
};
|
||||
};
|
||||
|
||||
|
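Review bot: `ports = [ "8444" ];` renders as `-p 8444`, which podman treats as a container port with a randomly chosen host port, so peers expecting the full node on host port 8444 will not find it there; `ports = [ "8444:8444" ];` is almost certainly what is meant, since the replaced native service listened directly on the host. `"${cfg.keyFile}:/run/keyfile"` and the `imap0` over `cfg.plotDirectories` both evaluate unconditionally even though those options default to `null`, which fails evaluation with an opaque error; a `lib.optional`/`lib.mkIf` guard or an assertion like `assert cfg.keyFile != null;` would be friendlier. The rewritten `chiactl` wrapper calls bare `sudo` from `$PATH` where the old one used `/run/wrappers/bin/sudo`; keeping the absolute path avoids resolving to an unexpected binary. The enclosing `config = lib.mkIf cfg.enable { … }` continues past this hunk.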
@ -1,6 +0,0 @@
|
||||
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOt74U+rL+BMtAEjfu/Optg1D7Ly7U+TupRxd5u9kfN7oJnW4dJA25WRSr4dgQNq7MiMveoduBY/ky2s0c9gvIA= jake@jake-gentoo
|
||||
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC0uKIvvvkzrOcS7AcamsQRFId+bqPwUC9IiUIsiH5oWX1ReiITOuEo+TL9YMII5RyyfJFeu2ZP9moNuZYlE7Bs= jake@jake-mbp
|
||||
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAyFsYYjLZ/wyw8XUbcmkk6OKt2IqLOnWpRE5gEvm3X0V4IeTOL9F4IL79h7FTsPvi2t9zGBL1hxeTMZHSGfrdWaMJkQp94gA1W30MKXvJ47nEVt0HUIOufGqgTTaAn4BHxlFUBUuS7UxaA4igFpFVoPJed7ZMhMqxg+RWUmBAkcgTWDMgzUx44TiNpzkYlG8cYuqcIzpV2dhGn79qsfUzBMpGJgkxjkGdDEHRk66JXgD/EtVasZvqp5/KLNnOpisKjR88UJKJ6/buV7FLVra4/0hA9JtH9e1ecCfxMPbOeluaxlieEuSXV2oJMbQoPP87+/QriNdi/6QuCHkMDEhyGw== jake@jake-mbp
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw4lgH20nfuchDqvVf0YciqN0GnBw5hfh8KIun5z0P7wlNgVYnCyvPvdIlGf2Nt1z5EGfsMzMLhKDOZkcTMlhupd+j2Er/ZB764uVBGe1n3CoPeasmbIlnamZ12EusYDvQGm2hVJTGQPPp9nKaRxr6ljvTMTNl0KWlWvKP4kec74d28MGgULOPLT3HlAyvUymSULK4lSxFK0l97IVXLa8YwuL5TNFGHUmjoSsi/Q7/CKaqvNh+ib1BYHzHYsuEzaaApnCnfjDBNexHm/AfbI7s+g3XZDcZOORZn6r44dOBNFfwvppsWj3CszwJQYIFeJFuMRtzlC8+kyYxci0+FXHn jake@jake-gentoo
|
||||
|
@ -1,57 +0,0 @@
|
||||
{ pkgs, lib, config, agenix, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
../home/default.nix
|
||||
./shell.nix
|
||||
./ssh.nix
|
||||
];
|
||||
|
||||
nix = {
|
||||
settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
settings = {
|
||||
auto-optimise-store = true;
|
||||
};
|
||||
gc = {
|
||||
automatic = true;
|
||||
dates = "weekly";
|
||||
options = "--delete-older-than 90d";
|
||||
};
|
||||
};
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
time.timeZone = "Europe/London";
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
|
||||
users = {
|
||||
mutableUsers = false;
|
||||
users."jake" = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ]; # enable sudo
|
||||
};
|
||||
};
|
||||
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
|
||||
environment = {
|
||||
systemPackages = with pkgs; [
|
||||
agenix.packages."${system}".default
|
||||
git
|
||||
htop
|
||||
nix
|
||||
vim
|
||||
];
|
||||
variables.EDITOR = "vim";
|
||||
shellAliases = {
|
||||
ls = "ls -p --color=auto";
|
||||
};
|
||||
};
|
||||
|
||||
networking = rec {
|
||||
nameservers = [ "1.1.1.1" "8.8.8.8" ];
|
||||
networkmanager.dns = "none";
|
||||
};
|
||||
networking.firewall.enable = true;
|
||||
|
||||
custom.hostinfo.enable = true;
|
||||
}
|
@ -1,36 +0,0 @@
|
||||
# Global Internet hosts
|
||||
server.stranger.proxmox.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9d5u/VaeRTQUQfu5JzCRa+zij/DtrPNWOfr+jM4iDp
|
||||
ssh.gitea.hillion.co.uk ssh-rsa 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
|
||||
|
||||
# Tailscale hosts
|
||||
alpha.proxmox.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ267QJXv82cee9pIly66hFGlNd9QPK4A6CNXatNnJRx
|
||||
archnas.storage.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIISWIJMYD2I9+tdJCmtR3JlnymzfCN76uKbkHL3hzfDi
|
||||
caddy.caddy.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKOqe2UPPs+xGJHjC2M3GTiL5wYlOjgu/H1C9cNGRi2
|
||||
caddyhome.caddy.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICFo4MiQwjvd0d3J3T9uuIrdmfQw8IUpbtCc4C6qicvu
|
||||
dancefloor.dancefloor.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY
|
||||
gendry.jakehillion.terminals.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c
|
||||
gitea.gitea.ts.hillion.co.uk ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCb73Wbp87HwLOVdEvlUv739e974rm9OPJ1NuB2et5D1h8ak7fSOgbhs7Kl8F7smkuiFFQUOfJEmroEbiiCj1So=
|
||||
gitea.gitea.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPiJtFPP10yoi3Ij685hfck7r5rwUV4d7QIBjG5Jtih/
|
||||
headscale.headscale.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQNLDoIt1Rvu900sgnRncdDbMs5bCjvbZWu8+tk7Ega
|
||||
homeassistant.homeassistant.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM2ytacl/zYXhgvosvhudsl0zW5eQRHXm9aMqG9adux
|
||||
microserver.home.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw
|
||||
microserver.home.ts.hillion.co.uk ssh-rsa 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
|
||||
microserver.parents.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0cjjNQPnJwpu4wcYmvfjB1jlIfZwMxT+3nBusoYQFr
|
||||
pbs.proxmox.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGGY6ky2sQjg/bLRUWOUERmAOqboAjy+9PkE8sU+angx
|
||||
plex.mediaserver.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1sk3FOsuf4ZPrhGBYprQF/oVk7jITaAaVmBO6xwbdg
|
||||
router.alpha.proxmox.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGL5Asl7OhF7R2a/YJNNv+fIE/VPw8ZCr+ABI7wlAdJI
|
||||
router.home.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu
|
||||
router.stranger.proxmox.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHq9tITN59FJfGoyOPNgP1QyJ0ohbVQS8OZtRO960Uxk
|
||||
stranger.proxmox.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9d5u/VaeRTQUQfu5JzCRa+zij/DtrPNWOfr+jM4iDp
|
||||
tywin.storage.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k
|
||||
unifi.unifi.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOeayV2pu0IpZS0OT17c4DqkILCZVRl1Y3s2fu087QkO
|
||||
vm.strangervm.ts.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINb9mgyD/G3Rt6lvO4c0hoaVOlLE8e3+DUfAoB1RI5cy
|
||||
|
||||
# Deprecated (Internal) hosts
|
||||
containers.internal.hillion.co.uk ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIe1LLMeXRFDsmtt1dPhYm414oTcARJD7fGQXJwGXLPXJtCtoqFhVNq8+qYikdx+eNtiokI+Wz3xOi6ULt5gg2g=
|
||||
containers.internal.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyUD7/6/bYmjPy+Fd8hBQMSVvUcs0cnSi5ZtlUICiVD
|
||||
containers.internal.hillion.co.uk ssh-rsa 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
|
||||
downloads.internal.hillion.co.uk ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL12K8fx9awUowFzw68AxrNzjyxKG00IVQKwQDdCIQ/yxUjL+86p+H3O99vkcGrLoWxDbXIIO0phRzfRf7//sv8=
|
||||
downloads.internal.hillion.co.uk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMaZqzMevw/+T0O6tAICn1iuu8+Uf8Inb39dlLwr0rGZ
|
||||
downloads.internal.hillion.co.uk ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrQwi4uRCsoEaswrvNPSXpHM5CpzY4OXaRMApTtgHaMGSKnhC6QaDKP+P8nqcfYKLMKOlyOUkBUE28uftjLcs4oT/exfKuq0jm6PGxCdzZlQRDW0RemsRmBIY0sca0NS+Jwe6YxuC37wq7FRLkE3AH07FJxlfIqaA/xtq6s5JNYDPzKqsMww/sFu7fZJ3S8rh8ft+tf1oC8T4kM9AANIIgbvG+PIqOd0C3Az5cbsV6+Ejk3Afm/c5sBVjbiqAjmgsjXhObnmvreojBhJpcUAwYmRP7NJc/bfhWnb0Eo20xsOBZKt3RFTOpdDhp5KyTL+yUr0rcMMPH2Pbydk+hhdcD
|
||||
|
@ -1,25 +0,0 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
{
|
||||
users.users."jake".openssh.authorizedKeys.keyFiles = [ ./authorized_keys ];
|
||||
|
||||
programs.mosh.enable = true;
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
|
||||
settings = {
|
||||
PermitRootLogin = "no";
|
||||
PasswordAuthentication = false;
|
||||
};
|
||||
};
|
||||
|
||||
programs.ssh.knownHostsFiles = [
|
||||
./known_hosts
|
||||
(pkgs.writeText "github.keys" ''
|
||||
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
|
||||
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
|
||||
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
|
||||
'')
|
||||
];
|
||||
}
|
@ -3,19 +3,21 @@
|
||||
{
|
||||
imports = [
|
||||
./backups/default.nix
|
||||
./ca/default.nix
|
||||
./chia.nix
|
||||
./common/hostinfo.nix
|
||||
./defaults.nix
|
||||
./desktop/awesome/default.nix
|
||||
./dns.nix
|
||||
./home/default.nix
|
||||
./hostinfo.nix
|
||||
./ids.nix
|
||||
./impermanence.nix
|
||||
./locations.nix
|
||||
./resilio.nix
|
||||
./services/downloads.nix
|
||||
./services/mastodon/default.nix
|
||||
./services/matrix.nix
|
||||
./services/version_tracker.nix
|
||||
./services/zigbee2mqtt.nix
|
||||
./services/default.nix
|
||||
./shell/default.nix
|
||||
./ssh/default.nix
|
||||
./storj.nix
|
||||
./tailscale.nix
|
||||
./users.nix
|
||||
./www/global.nix
|
||||
./www/www-repo.nix
|
||||
|
64
modules/defaults.nix
Normal file
64
modules/defaults.nix
Normal file
@ -0,0 +1,64 @@
|
||||
{ pkgs, lib, config, agenix, ... }:
|
||||
|
||||
{
|
||||
options.custom.defaults = lib.mkEnableOption "defaults";
|
||||
|
||||
config = lib.mkIf config.custom.defaults {
|
||||
nix = {
|
||||
settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
settings = {
|
||||
auto-optimise-store = true;
|
||||
};
|
||||
gc = {
|
||||
automatic = true;
|
||||
dates = "weekly";
|
||||
options = "--delete-older-than 90d";
|
||||
};
|
||||
};
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
time.timeZone = "Europe/London";
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
|
||||
users = {
|
||||
mutableUsers = false;
|
||||
users.${config.custom.user} = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ]; # enable sudo
|
||||
uid = config.ids.uids.${config.custom.user};
|
||||
};
|
||||
};
|
||||
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
|
||||
environment = {
|
||||
systemPackages = with pkgs; [
|
||||
agenix.packages."${system}".default
|
||||
gh
|
||||
git
|
||||
htop
|
||||
nix
|
||||
sapling
|
||||
vim
|
||||
];
|
||||
variables.EDITOR = "vim";
|
||||
shellAliases = {
|
||||
ls = "ls -p --color=auto";
|
||||
};
|
||||
};
|
||||
|
||||
networking = rec {
|
||||
nameservers = [ "1.1.1.1" "8.8.8.8" ];
|
||||
networkmanager.dns = "none";
|
||||
};
|
||||
networking.firewall.enable = true;
|
||||
|
||||
# Delegation
|
||||
custom.ca.consumer.enable = true;
|
||||
custom.dns.enable = true;
|
||||
custom.home.defaults = true;
|
||||
custom.hostinfo.enable = true;
|
||||
custom.shell.enable = true;
|
||||
custom.ssh.enable = true;
|
||||
};
|
||||
}
|
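Review bot: `security.sudo.wheelNeedsPassword = false;` together with `extraGroups = [ "wheel" ]` for `${config.custom.user}` gives that account passwordless root on every host that sets `custom.defaults`, so possession of that user's SSH key (or any shell as that user) is equivalent to root — this is carried over from the deleted `modules/common/default.nix` rather than new, but now that it sits behind one enable option it deserves an explicit acceptance: `# Passwordless sudo for the primary user: loss of that user's SSH key is a root compromise on every host`. No `openssh.authorizedKeys` are set here, so whichever module `custom.ssh.enable` delegates to is the real gate and should be cross-referenced in that comment. Hard-coding `nameservers = [ "1.1.1.1" "8.8.8.8" ]` with `networkmanager.dns = "none"` also sends all resolution in cleartext to those resolvers on every host; fine if intended, but the tywin host already overrides it with `lib.mkForce [ ]`, which suggests the default may not fit every site.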
112
modules/dns.nix
Normal file
112
modules/dns.nix
Normal file
@ -0,0 +1,112 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.dns;
|
||||
in
|
||||
{
|
||||
options.custom.dns = {
|
||||
enable = lib.mkEnableOption "dns";
|
||||
|
||||
authoritative = {
|
||||
ipv4 = lib.mkOption {
|
||||
description = "authoritative ipv4 mappings";
|
||||
readOnly = true;
|
||||
};
|
||||
ipv6 = lib.mkOption {
|
||||
description = "authoritative ipv6 mappings";
|
||||
readOnly = true;
|
||||
};
|
||||
};
|
||||
|
||||
tailscale =
|
||||
{
|
||||
ipv4 = lib.mkOption {
|
||||
description = "tailscale ipv4 address";
|
||||
readOnly = true;
|
||||
};
|
||||
ipv6 = lib.mkOption {
|
||||
description = "tailscale ipv6 address";
|
||||
readOnly = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
custom.dns.authoritative = {
|
||||
ipv4 = {
|
||||
uk = {
|
||||
co = {
|
||||
hillion = {
|
||||
ts = {
|
||||
cx = {
|
||||
boron = "100.113.188.46";
|
||||
};
|
||||
home = {
|
||||
microserver = "100.105.131.47";
|
||||
router = "100.105.71.48";
|
||||
};
|
||||
jakehillion-terminals = { gendry = "100.70.100.77"; };
|
||||
lt = { be = "100.105.166.79"; };
|
||||
pop = {
|
||||
li = "100.106.87.35";
|
||||
sodium = "100.87.188.4";
|
||||
};
|
||||
storage = {
|
||||
theon = "100.104.142.22";
|
||||
tywin = "100.115.31.91";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
ipv6 = {
|
||||
uk = {
|
||||
co = {
|
||||
hillion = {
|
||||
ts = {
|
||||
cx = {
|
||||
boron = "fd7a:115c:a1e0::2a01:bc2f";
|
||||
};
|
||||
home = {
|
||||
microserver = "fd7a:115c:a1e0:ab12:4843:cd96:6269:832f";
|
||||
router = "fd7a:115c:a1e0:ab12:4843:cd96:6269:4730";
|
||||
};
|
||||
jakehillion-terminals = { gendry = "fd7a:115c:a1e0:ab12:4843:cd96:6246:644d"; };
|
||||
lt = { be = "fd7a:115c:a1e0::9001:a64f"; };
|
||||
pop = {
|
||||
li = "fd7a:115c:a1e0::e701:5723";
|
||||
sodium = "fd7a:115c:a1e0::3701:bc04";
|
||||
};
|
||||
storage = {
|
||||
theon = "fd7a:115c:a1e0::4aa8:8e16";
|
||||
tywin = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
custom.dns.tailscale =
|
||||
let
|
||||
lookupFqdn = lib.attrsets.attrByPath (lib.reverseList (lib.splitString "." config.networking.fqdn)) null;
|
||||
in
|
||||
{
|
||||
ipv4 = lookupFqdn cfg.authoritative.ipv4;
|
||||
ipv6 = lookupFqdn cfg.authoritative.ipv6;
|
||||
};
|
||||
|
||||
networking.hosts =
|
||||
let
|
||||
mkHosts = hosts:
|
||||
(lib.collect (x: (builtins.hasAttr "name" x && builtins.hasAttr "value" x))
|
||||
(lib.mapAttrsRecursive
|
||||
(path: value:
|
||||
lib.nameValuePair value [ (lib.concatStringsSep "." (lib.reverseList path)) ])
|
||||
hosts));
|
||||
in
|
||||
builtins.listToAttrs (mkHosts cfg.authoritative.ipv4 ++ mkHosts cfg.authoritative.ipv6);
|
||||
};
|
||||
}
|
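Review bot: `networking.hosts` is generated from the hard-coded `custom.dns.authoritative` tables, pinning each `*.ts.hillion.co.uk` name to a Tailscale IP in `/etc/hosts` and thereby overriding MagicDNS on every host that enables `custom.dns`; if a node is re-keyed or re-added and receives a different 100.x address, the stale entry silently steers backups, CA traffic and any other name-based trust to whichever node later holds the old address. A comment above `custom.dns.authoritative` should state that this table is the source of truth and must be updated in the same change as any Tailscale re-registration. `lookupFqdn` yields `null` when the host's own FQDN is absent from the table, so `custom.dns.tailscale.ipv4` is `null` for such hosts and a consumer like `services.step-ca.address` fails with a bare type error instead of a message naming the missing entry; wrapping the lookup in a `lib.assertMsg`-style check would localise that. `ca.ts.hillion.co.uk`, the name step-ca serves, appears in neither table, so it presumably resolves by another path — worth a note here.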
@ -1,25 +0,0 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
config.age.secrets."drone/gitea_client_secret".file = ../../secrets/drone/gitea_client_secret.age;
|
||||
config.age.secrets."drone/rpc_secret".file = ../../secrets/drone/rpc_secret.age;
|
||||
|
||||
config.virtualisation.oci-containers.containers."drone" = {
|
||||
image = "drone/drone:2.16.0";
|
||||
volumes = [ "/data/drone:/data" ];
|
||||
ports = [ "18733:80" ];
|
||||
environment = {
|
||||
DRONE_AGENTS_ENABLED = "true";
|
||||
DRONE_GITEA_SERVER = "https://gitea.hillion.co.uk";
|
||||
DRONE_GITEA_CLIENT_ID = "687ee331-ad9e-44fd-9e02-7f1c652754bb";
|
||||
DRONE_SERVER_HOST = "drone.hillion.co.uk";
|
||||
DRONE_SERVER_PROTO = "https";
|
||||
DRONE_LOGS_DEBUG = "true";
|
||||
DRONE_USER_CREATE = "username:JakeHillion,admin:true";
|
||||
};
|
||||
environmentFiles = [
|
||||
config.age.secrets."drone/gitea_client_secret".path
|
||||
config.age.secrets."drone/rpc_secret".path
|
||||
];
|
||||
};
|
||||
}
|
@ -6,7 +6,9 @@
|
||||
./tmux/default.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
options.custom.home.defaults = lib.mkEnableOption "home";
|
||||
|
||||
config = lib.mkIf config.custom.home.defaults {
|
||||
home-manager = {
|
||||
users.root.home = {
|
||||
stateVersion = "22.11";
|
||||
@ -22,5 +24,9 @@
|
||||
file.".zshrc".text = "";
|
||||
};
|
||||
};
|
||||
|
||||
# Delegation
|
||||
custom.home.git.enable = true;
|
||||
custom.home.tmux.enable = true;
|
||||
};
|
||||
}
|
||||
|
@ -1,21 +1,30 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.home.git;
|
||||
in
|
||||
{
|
||||
home-manager.users.jake.programs.git = {
|
||||
enable = true;
|
||||
extraConfig = {
|
||||
user = {
|
||||
email = "jake@hillion.co.uk";
|
||||
name = "Jake Hillion";
|
||||
};
|
||||
pull = {
|
||||
rebase = true;
|
||||
};
|
||||
merge = {
|
||||
conflictstyle = "diff3";
|
||||
};
|
||||
init = {
|
||||
defaultBranch = "main";
|
||||
options.custom.home.git = {
|
||||
enable = lib.mkEnableOption "git";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
home-manager.users.jake.programs.git = lib.mkIf (config.custom.user == "jake") {
|
||||
enable = true;
|
||||
extraConfig = {
|
||||
user = {
|
||||
email = "jake@hillion.co.uk";
|
||||
name = "Jake Hillion";
|
||||
};
|
||||
pull = {
|
||||
rebase = true;
|
||||
};
|
||||
merge = {
|
||||
conflictstyle = "diff3";
|
||||
};
|
||||
init = {
|
||||
defaultBranch = "main";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -8,3 +8,11 @@ bind -n C-k clear-history
|
||||
bind '"' split-window -c "#{pane_current_path}"
|
||||
bind % split-window -h -c "#{pane_current_path}"
|
||||
bind c new-window -c "#{pane_current_path}"
|
||||
|
||||
# Start indices at 1 to match keyboard
|
||||
set -g base-index 1
|
||||
setw -g pane-base-index 1
|
||||
|
||||
# Open a new session when attached to and one isn't open
|
||||
# Must come after base-index settings
|
||||
new-session
|
||||
|
@ -1,8 +1,17 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.home.tmux;
|
||||
in
|
||||
{
|
||||
home-manager.users.jake.programs.tmux = {
|
||||
enable = true;
|
||||
extraConfig = lib.readFile ./.tmux.conf;
|
||||
options.custom.home.tmux = {
|
||||
enable = lib.mkEnableOption "tmux";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
home-manager.users.jake.programs.tmux = {
|
||||
enable = true;
|
||||
extraConfig = lib.readFile ./.tmux.conf;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -17,7 +17,7 @@ in
|
||||
|
||||
script = "${pkgs.writers.writePerl "hostinfo" {
|
||||
libraries = with pkgs; [
|
||||
perl536Packages.HTTPDaemon
|
||||
perlPackages.HTTPDaemon
|
||||
];
|
||||
} ''
|
||||
use v5.10;
|
25
modules/ids.nix
Normal file
25
modules/ids.nix
Normal file
@ -0,0 +1,25 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
config = {
|
||||
ids.uids = {
|
||||
## Defined System Users (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
|
||||
unifi = 183;
|
||||
chia = 185;
|
||||
gitea = 186;
|
||||
|
||||
## Consistent People
|
||||
jake = 1000;
|
||||
joseph = 1001;
|
||||
};
|
||||
ids.gids = {
|
||||
## Defined System Groups (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
|
||||
unifi = 183;
|
||||
chia = 185;
|
||||
gitea = 186;
|
||||
|
||||
## Consistent Groups
|
||||
mediaaccess = 1200;
|
||||
};
|
||||
};
|
||||
}
|
@ -2,7 +2,6 @@
|
||||
|
||||
let
|
||||
cfg = config.custom.impermanence;
|
||||
listIf = (enable: x: if enable then x else [ ]);
|
||||
in
|
||||
{
|
||||
options.custom.impermanence = {
|
||||
@ -12,6 +11,13 @@ in
|
||||
type = lib.types.str;
|
||||
default = "/data";
|
||||
};
|
||||
cache = {
|
||||
enable = lib.mkEnableOption "impermanence.cache";
|
||||
path = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/cache";
|
||||
};
|
||||
};
|
||||
|
||||
users = lib.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
@ -31,41 +37,69 @@ in
|
||||
config = lib.mkIf cfg.enable {
|
||||
fileSystems.${cfg.base}.neededForBoot = true;
|
||||
|
||||
services.openssh.hostKeys = [
|
||||
{ path = "/data/system/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
|
||||
{ path = "/data/system/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
|
||||
];
|
||||
|
||||
environment.persistence."${cfg.base}/system" = {
|
||||
hideMounts = true;
|
||||
|
||||
directories = [
|
||||
"/etc/nixos"
|
||||
] ++ (listIf config.custom.tailscale.enable [ "/var/lib/tailscale" ]) ++
|
||||
(listIf config.services.zigbee2mqtt.enable [ config.services.zigbee2mqtt.dataDir ]) ++
|
||||
(listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]);
|
||||
services = {
|
||||
openssh.hostKeys = [
|
||||
{ path = "/data/system/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
|
||||
{ path = "/data/system/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
|
||||
];
|
||||
matrix-synapse.dataDir = "${cfg.base}/system/var/lib/matrix-synapse";
|
||||
gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
|
||||
};
|
||||
|
||||
environment.persistence = lib.mkMerge [
|
||||
{
|
||||
"${cfg.base}/system" = {
|
||||
hideMounts = true;
|
||||
|
||||
directories = [
|
||||
"/etc/nixos"
|
||||
] ++ (lib.lists.optional config.services.tailscale.enable "/var/lib/tailscale") ++
|
||||
(lib.lists.optional config.services.zigbee2mqtt.enable config.services.zigbee2mqtt.dataDir) ++
|
||||
(lib.lists.optional config.services.postgresql.enable config.services.postgresql.dataDir) ++
|
||||
(lib.lists.optional config.hardware.bluetooth.enable "/var/lib/bluetooth") ++
|
||||
(lib.lists.optional config.custom.services.unifi.enable "/var/lib/unifi") ++
|
||||
(lib.lists.optional (config.virtualisation.oci-containers.containers != { }) "/var/lib/containers") ++
|
||||
(lib.lists.optional config.services.tang.enable "/var/lib/private/tang") ++
|
||||
(lib.lists.optional config.services.caddy.enable "/var/lib/caddy") ++
|
||||
(lib.lists.optional config.services.step-ca.enable "/var/lib/step-ca/db");
|
||||
};
|
||||
}
|
||||
(lib.mkIf cfg.cache.enable {
|
||||
"${cfg.cache.path}/system" = {
|
||||
hideMounts = true;
|
||||
|
||||
directories = (lib.lists.optional config.services.postgresqlBackup.enable config.services.postgresqlBackup.location);
|
||||
};
|
||||
})
|
||||
];
|
||||
|
||||
home-manager.users =
|
||||
let
|
||||
mkUser = (x: {
|
||||
name = x;
|
||||
value = {
|
||||
home.persistence."/data/users/${x}" = {
|
||||
files = [
|
||||
".zsh_history"
|
||||
] ++ cfg.userExtraFiles.${x} or [ ];
|
||||
home = {
|
||||
persistence."/data/users/${x}" = {
|
||||
allowOther = false;
|
||||
|
||||
directories = cfg.userExtraDirs.${x} or [ ];
|
||||
files = cfg.userExtraFiles.${x} or [ ];
|
||||
directories = cfg.userExtraDirs.${x} or [ ];
|
||||
};
|
||||
file.".zshrc".text = lib.mkForce ''
|
||||
HISTFILE=/data/users/${x}/.zsh_history
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
in
|
||||
builtins.listToAttrs (builtins.map mkUser cfg.users);
|
||||
|
||||
systemd.tmpfiles.rules = builtins.map
|
||||
systemd.tmpfiles.rules = lib.lists.flatten (builtins.map
|
||||
(user:
|
||||
let details = config.users.users.${user}; in "L ${details.home}/local - ${user} ${details.group} - /data/users/${user}")
|
||||
cfg.users;
|
||||
let details = config.users.users.${user}; in [
|
||||
"d /data/users/${user} 0700 ${user} ${details.group} - -"
|
||||
"L ${details.home}/local - ${user} ${details.group} - /data/users/${user}"
|
||||
])
|
||||
cfg.users);
|
||||
};
|
||||
}
|
||||
|
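Review bot: The OpenSSH host key paths on the new `openssh.hostKeys` lines are hard-coded to `/data/system/etc/ssh/...` while the neighbouring `matrix-synapse.dataDir` and `gitea.stateDir` derive from `${cfg.base}`; the same applies to `/data/users/${x}` in the home-manager persistence block, the `HISTFILE` line and the tmpfiles rules. If a host sets `custom.impermanence.base` to anything other than the default, sshd generates fresh host keys on a non-persisted path at every boot, so clients see a changed host key each time and lose the one identity check they rely on. I'd write `{ path = "${cfg.base}/system/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }` (likewise for the RSA key) and build the user paths from `cfg.base` as well. The new `d /data/users/${user} 0700 ...` rule is a good addition and should take the same treatment.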
@ -11,19 +11,41 @@ in
|
||||
};
|
||||
|
||||
locations = lib.mkOption {
|
||||
default = {
|
||||
services = {
|
||||
downloads = "tywin.storage.ts.hillion.co.uk";
|
||||
mastodon = "vm.strangervm.ts.hillion.co.uk";
|
||||
matrix = "vm.strangervm.ts.hillion.co.uk";
|
||||
};
|
||||
};
|
||||
readOnly = true;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.autoServe {
|
||||
custom.services.downloads.enable = cfg.locations.services.downloads == config.networking.fqdn;
|
||||
custom.services.mastodon.enable = cfg.locations.services.mastodon == config.networking.fqdn;
|
||||
custom.services.matrix.enable = cfg.locations.services.matrix == config.networking.fqdn;
|
||||
};
|
||||
config = lib.mkMerge [
|
||||
{
|
||||
custom.locations.locations = {
|
||||
services = {
|
||||
authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
|
||||
downloads = "tywin.storage.ts.hillion.co.uk";
|
||||
gitea = "boron.cx.ts.hillion.co.uk";
|
||||
homeassistant = "microserver.home.ts.hillion.co.uk";
|
||||
mastodon = "";
|
||||
matrix = "boron.cx.ts.hillion.co.uk";
|
||||
tang = [
|
||||
"li.pop.ts.hillion.co.uk"
|
||||
"microserver.home.ts.hillion.co.uk"
|
||||
"sodium.pop.ts.hillion.co.uk"
|
||||
];
|
||||
unifi = "boron.cx.ts.hillion.co.uk";
|
||||
version_tracker = [ "boron.cx.ts.hillion.co.uk" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
(lib.mkIf cfg.autoServe
|
||||
{
|
||||
custom.services = lib.mapAttrsRecursive
|
||||
(path: value: {
|
||||
enable =
|
||||
if builtins.isList value
|
||||
then builtins.elem config.networking.fqdn value
|
||||
else config.networking.fqdn == value;
|
||||
})
|
||||
cfg.locations.services;
|
||||
})
|
||||
];
|
||||
}
|
||||
|
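Review bot: `mastodon = "";` in the new `custom.locations.locations.services` block disables autoServe only because `config.networking.fqdn == ""` can never hold, which a reader has to work out from the mapping below; the list form the same block already uses says it directly: `mastodon = [ ];`, for which `builtins.elem config.networking.fqdn [ ]` is plainly false. Failing that, a `# not served on any host` comment beside the line would do. The `mapAttrsRecursive` mapping also relies on every leaf being either a string or a list of strings; a one-line comment above it stating that contract would save the next person who adds a nested entry from a confusing evaluation error.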
@ -1,12 +1,9 @@
|
||||
{ pkgs, lib, config, nixpkgs-unstable, ... }:
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.resilio;
|
||||
in
|
||||
{
|
||||
imports = [ "${nixpkgs-unstable}/nixos/modules/services/networking/resilio.nix" ];
|
||||
disabledModules = [ "services/networking/resilio.nix" ];
|
||||
|
||||
options.custom.resilio = {
|
||||
enable = lib.mkEnableOption "resilio";
|
||||
|
||||
@ -64,5 +61,7 @@ in
|
||||
in
|
||||
builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
|
||||
};
|
||||
|
||||
systemd.services.resilio.unitConfig.RequiresMountsFor = builtins.map (folder: "${config.services.resilio.directoryRoot}/${folder.name}") cfg.folders;
|
||||
};
|
||||
}
|
||||
|
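--- /dev/null
+++ b/modules/services/authoritative_dns.nix
@@ -0,0 +1,50 @@
+{ pkgs, lib, config, ... }:
+
+let
+cfg = config.custom.services.authoritative_dns;
+in
+{
+options.custom.services.authoritative_dns = {
+enable = lib.mkEnableOption "authoritative_dns";
+};
+
+config = lib.mkIf cfg.enable {
+services.nsd = {
+enable = true;
+
+zones = {
+"ts.hillion.co.uk" = {
+data =
+let
+makeRecords = type: s: (lib.concatStringsSep "\n" (lib.collect builtins.isString (lib.mapAttrsRecursive (path: value: "${lib.concatStringsSep "." (lib.reverseList path)} 86400 ${type} ${value}") s)));
+in
+''
+$ORIGIN ts.hillion.co.uk.
+$TTL 86400
+
+ts.hillion.co.uk. IN SOA ns1.hillion.co.uk. hostmaster.hillion.co.uk. (
+1 ;Serial
+7200 ;Refresh
+3600 ;Retry
+1209600 ;Expire
+3600 ;Negative response caching TTL
+)
+
+86400 NS ns1.hillion.co.uk.
+
+ca 21600 CNAME sodium.pop.ts.hillion.co.uk.
+deluge.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
+graphs.router.home 21600 CNAME router.home.ts.hillion.co.uk.
+prowlarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
+radarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
+restic.tywin.storage 21600 CNAME tywin.storage.ts.hillion.co.uk.
+sonarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
+zigbee2mqtt.home 21600 CNAME router.home.ts.hillion.co.uk.
+
+'' + (makeRecords "A" config.custom.dns.authoritative.ipv4.uk.co.hillion.ts) + "\n\n" + (makeRecords "AAAA" config.custom.dns.authoritative.ipv6.uk.co.hillion.ts);
+};
+};
+};
+};
+}
+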
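Review bot: The SOA serial on the `1 ;Serial` line is a constant while the record set below it is generated from `config.custom.dns.authoritative`, so any change to those addresses ships under the same serial and a secondary or a cache that honours the SOA has no reason to refetch the zone. Derive the serial from the data instead, for example a numeric hash of the generated record text, or at least expose it as an option that the commit changing an address has to bump, with a comment saying so. Only `ns1.hillion.co.uk.` is listed as NS, so there is no secondary today; the moment one is added, the fixed serial turns from cosmetic into a stale-zone bug.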
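--- /dev/null
+++ b/modules/services/default.nix
@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+
+{
+imports = [
+./authoritative_dns.nix
+./downloads.nix
+./gitea/default.nix
+./homeassistant.nix
+./mastodon/default.nix
+./matrix.nix
+./tang.nix
+./unifi.nix
+./version_tracker.nix
+./zigbee2mqtt.nix
+];
+}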
@ -29,10 +29,16 @@ in
|
||||
|
||||
virtualHosts = builtins.listToAttrs (builtins.map
|
||||
(x: {
|
||||
name = "http://${x}.downloads.ts.hillion.co.uk";
|
||||
name = "${x}.downloads.ts.hillion.co.uk";
|
||||
value = {
|
||||
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
|
||||
extraConfig = "reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock";
|
||||
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
|
||||
extraConfig = ''
|
||||
reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock
|
||||
|
||||
tls {
|
||||
ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
|
||||
}
|
||||
'';
|
||||
};
|
||||
}) [ "prowlarr" "sonarr" "radarr" "deluge" ]);
|
||||
};
|
||||
@ -94,6 +100,8 @@ in
|
||||
containers."downloads" = {
|
||||
autoStart = true;
|
||||
ephemeral = true;
|
||||
|
||||
additionalCapabilities = [ "CAP_NET_ADMIN" ];
|
||||
extraFlags = [ "--network-namespace-path=/run/netns/downloads" ];
|
||||
|
||||
bindMounts = {
|
||||
@ -123,13 +131,17 @@ in
|
||||
|
||||
systemd.services.setup-loopback = {
|
||||
description = "Setup container loopback adapter.";
|
||||
|
||||
after = [ "network-pre.target" ];
|
||||
before = [ "network.target" ];
|
||||
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.RemainAfterExit = true;
|
||||
|
||||
script = with pkgs; "${iproute2}/bin/ip link set up lo";
|
||||
};
|
||||
networking.hosts = { "127.0.0.1" = builtins.map (x: "${x}.downloads.ts.hillion.co.uk") [ "prowlarr" "sonarr" "radarr" "deluge" ]; };
|
||||
networking = {
|
||||
nameservers = [ "1.1.1.1" "8.8.8.8" ];
|
||||
hosts = { "127.0.0.1" = builtins.map (x: "${x}.downloads.ts.hillion.co.uk") [ "prowlarr" "sonarr" "radarr" "deluge" ]; };
|
||||
};
|
||||
|
||||
services = {
|
||||
prowlarr.enable = true;
|
||||
@ -146,6 +158,7 @@ in
|
||||
deluge = {
|
||||
enable = true;
|
||||
web.enable = true;
|
||||
group = "mediaaccess";
|
||||
|
||||
dataDir = "/var/lib/deluge";
|
||||
authFile = "/run/agenix/deluge/auth";
|
||||
@ -154,11 +167,18 @@ in
|
||||
config = {
|
||||
download_location = "/media/downloads";
|
||||
max_connections_global = 1024;
|
||||
|
||||
max_upload_speed = 12500;
|
||||
max_download_speed = 25000;
|
||||
|
||||
max_active_seeding = 192;
|
||||
max_active_downloading = 64;
|
||||
max_active_limit = 256;
|
||||
dont_count_slow_torrents = true;
|
||||
|
||||
stop_seed_at_ratio = true;
|
||||
stop_seed_ratio = 2;
|
||||
share_ratio_limit = 2;
|
||||
|
||||
enabled_plugins = [ "Label" ];
|
||||
};
|
||||
};
|
||||
|
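Review bot: `additionalCapabilities = [ "CAP_NET_ADMIN" ];` hands the downloads container, which runs Internet-facing torrent and indexer software, the ability to reconfigure its network namespace, and the hunk gives no reason; the only visible consumer is the `setup-loopback` service's `ip link set up lo`. If that is the sole reason, say so in a comment, and consider bringing `lo` up on the host when `/run/netns/downloads` is created so the capability can be dropped again. Separately, the new `tls { ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory }` block only names the ACME directory; Caddy still has to trust the step-ca root for that HTTPS connection, so unless that root is already in the host trust store add `ca_root <path-to-root.crt>` beside it, otherwise every certificate request fails and the vhosts never come up.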
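--- /dev/null
+++ b/modules/services/gitea/actions.nix
@@ -0,0 +1,105 @@
+{ config, lib, pkgs, ... }:
+
+let
+cfg = config.custom.services.gitea.actions;
+in
+{
+options.custom.services.gitea.actions = {
+enable = lib.mkEnableOption "gitea-actions";
+
+labels = lib.mkOption {
+type = with lib.types; listOf str;
+default = [
+"ubuntu-latest:docker://node:16-bullseye"
+"ubuntu-20.04:docker://node:16-bullseye"
+];
+};
+tokenSecret = lib.mkOption {
+type = lib.types.path;
+};
+};
+
+config = lib.mkIf cfg.enable {
+age.secrets."gitea/actions/token".file = cfg.tokenSecret;
+
+# Run gitea-actions in a container and firewall it such that it can only
+# access the Internet (not private networks).
+containers."gitea-actions" = {
+autoStart = true;
+ephemeral = true;
+
+privateNetwork = true; # all traffic goes through ve-gitea-actions on the host
+hostAddress = "10.108.27.1";
+localAddress = "10.108.27.2";
+
+extraFlags = [
+# Extra system calls required to nest Docker, taken from https://wiki.archlinux.org/title/systemd-nspawn
+"--system-call-filter=add_key"
+"--system-call-filter=keyctl"
+"--system-call-filter=bpf"
+];
+
+bindMounts = let tokenPath = config.age.secrets."gitea/actions/token".path; in {
+"${tokenPath}".hostPath = tokenPath;
+};
+
+timeoutStartSec = "5min";
+
+config = (hostConfig: ({ config, pkgs, ... }: {
+config = let cfg = hostConfig.custom.services.gitea.actions; in {
+system.stateVersion = "23.11";
+
+virtualisation.docker.enable = true;
+
+services.gitea-actions-runner.instances.container = {
+enable = true;
+url = "https://gitea.hillion.co.uk";
+tokenFile = hostConfig.age.secrets."gitea/actions/token".path;
+
+name = "${hostConfig.networking.hostName}";
+labels = cfg.labels;
+
+settings = {
+runner = {
+capacity = 3;
+};
+cache = {
+enabled = true;
+host = "10.108.27.2";
+port = 41919;
+};
+};
+};
+
+# Drop any packets to private networks
+networking = {
+firewall.enable = lib.mkForce false;
+nftables = {
+enable = true;
+ruleset = ''
+table inet filter {
+chain output {
+type filter hook output priority 100; policy accept;
+
+ct state { established, related } counter accept
+
+ip daddr 10.0.0.0/8 drop
+ip daddr 100.64.0.0/10 drop
+ip daddr 172.16.0.0/12 drop
+ip daddr 192.168.0.0/16 drop
+}
+}
+'';
+};
+};
+};
+})) config;
+};
+
+networking.nat = {
+enable = true;
+externalInterface = "eth0";
+internalIPs = [ "10.108.27.2" ];
+};
+};
+}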
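Review bot: The private-network drops in the nftables ruleset live only in `chain output`, so they filter traffic originating from the nspawn container itself; jobs dispatched under the default `docker://node:16-bullseye` labels run inside Docker containers behind a bridge, and their packets traverse the container's `forward` hook, where nothing drops 10.0.0.0/8, 100.64.0.0/10 or the other ranges. The comment `firewall it such that it can only access the Internet (not private networks)` therefore does not hold for the code that actually runs in the jobs, which is the untrusted part. Mirror the rules into a `forward` chain (the cache at `10.108.27.2:41919` is delivered locally through `input`, so it is unaffected), add 169.254.0.0/16 to both chains since the host sits at a cloud provider with a metadata service on that range, and if the container ever gets IPv6 the `fc00::/7` and `fe80::/10` equivalents are missing as well. Docker's bridging is not visible in this file, so I have assumed the default network driver from the labels.

```nix
ruleset = ''
  table inet filter {
    # … unchanged: chain output (add `ip daddr 169.254.0.0/16 drop` there too) …

    chain forward {
      type filter hook forward priority 100; policy accept;

      ct state { established, related } counter accept

      ip daddr 10.0.0.0/8 drop
      ip daddr 100.64.0.0/10 drop
      ip daddr 169.254.0.0/16 drop
      ip daddr 172.16.0.0/12 drop
      ip daddr 192.168.0.0/16 drop
    }
  }
'';
```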
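--- /dev/null
+++ b/modules/services/gitea/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+imports = [
+./actions.nix
+./gitea.nix
+];
+}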
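--- /dev/null
+++ b/modules/services/gitea/gitea.nix
@@ -0,0 +1,113 @@
+{ config, pkgs, lib, ... }:
+
+let
+cfg = config.custom.services.gitea;
+in
+{
+options.custom.services.gitea = {
+enable = lib.mkEnableOption "gitea";
+
+httpPort = lib.mkOption {
+type = lib.types.port;
+default = 3000;
+};
+sshPort = lib.mkOption {
+type = lib.types.port;
+default = 3022;
+};
+};
+
+config = lib.mkIf cfg.enable {
+age.secrets = {
+"gitea/mailer_password" = {
+file = ../../../secrets/gitea/mailer_password.age;
+owner = config.services.gitea.user;
+group = config.services.gitea.group;
+};
+"gitea/oauth_jwt_secret" = {
+file = ../../../secrets/gitea/oauth_jwt_secret.age;
+owner = config.services.gitea.user;
+group = config.services.gitea.group;
+path = "${config.services.gitea.customDir}/conf/oauth2_jwt_secret";
+};
+"gitea/lfs_jwt_secret" = {
+file = ../../../secrets/gitea/lfs_jwt_secret.age;
+owner = config.services.gitea.user;
+group = config.services.gitea.group;
+path = "${config.services.gitea.customDir}/conf/lfs_jwt_secret";
+};
+"gitea/security_secret_key" = {
+file = ../../../secrets/gitea/security_secret_key.age;
+owner = config.services.gitea.user;
+group = config.services.gitea.group;
+path = "${config.services.gitea.customDir}/conf/secret_key";
+};
+"gitea/security_internal_token" = {
+file = ../../../secrets/gitea/security_internal_token.age;
+owner = config.services.gitea.user;
+group = config.services.gitea.group;
+path = "${config.services.gitea.customDir}/conf/internal_token";
+};
+};
+
+users.users.gitea.uid = config.ids.uids.gitea;
+users.groups.gitea.gid = config.ids.gids.gitea;
+
+services.gitea = {
+enable = true;
+package = pkgs.unstable.gitea;
+mailerPasswordFile = config.age.secrets."gitea/mailer_password".path;
+
+appName = "Hillion Gitea";
+
+database = {
+type = "sqlite3";
+name = "gitea";
+path = "${config.services.gitea.stateDir}/data/gitea.db";
+};
+lfs.enable = true;
+
+settings = {
+server = {
+DOMAIN = "gitea.hillion.co.uk";
+HTTP_PORT = cfg.httpPort;
+ROOT_URL = "https://gitea.hillion.co.uk/";
+OFFLINE_MODE = false;
+START_SSH_SERVER = true;
+SSH_LISTEN_PORT = cfg.sshPort;
+BUILTIN_SSH_SERVER_USER = "git";
+SSH_DOMAIN = "ssh.gitea.hillion.co.uk";
+SSH_PORT = 22;
+};
+
+mailer = {
+ENABLED = true;
+SMTP_ADDR = "smtp.mailgun.org:587";
+FROM = "gitea@mg.hillion.co.uk";
+USER = "gitea@mg.hillion.co.uk";
+};
+security = {
+INSTALL_LOCK = true;
+};
+service = {
+REGISTER_EMAIL_CONFIRM = true;
+ENABLE_NOTIFY_MAIL = true;
+EMAIL_DOMAIN_ALLOWLIST = "hillion.co.uk,cam.ac.uk,cl.cam.ac.uk";
+};
+session = {
+PROVIDER = "file";
+};
+};
+};
+
+networking.firewall.extraCommands = ''
+# proxy all traffic on public interface to the gitea SSH server
+iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
+ip6tables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
+
+# proxy locally originating outgoing packets
+iptables -A OUTPUT -d 138.201.252.214 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
+ip6tables -A OUTPUT -d 2a01:4f8:173:23d2::2 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
+'';
+};
+}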
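Review bot: The `networking.firewall.extraCommands` block appends its four nat REDIRECT rules with `-A` and there is no matching `networking.firewall.extraStopCommands`, so as far as I recall the NixOS firewall only flushes its own `nixos-fw` chains, every restart adds another copy of these rules and stopping the firewall leaves the port-22 redirect in place. Add `extraStopCommands` running the same four commands with `-D` (each followed by `|| true`) so the rules are removed and re-added cleanly. The PREROUTING rules also mean the host's own sshd is no longer reachable on port 22 via `eth0`, only through whatever other interface it listens on; the comment `proxy all traffic on public interface to the gitea SSH server` should say so explicitly since it changes how the box is administered. The literal `138.201.252.214` and `2a01:4f8:173:23d2::2` would be better taken from the host's network configuration than hard-coded in a module that other hosts can enable.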
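--- /dev/null
+++ b/modules/services/homeassistant.nix
@@ -0,0 +1,164 @@
+{ config, pkgs, lib, ... }:
+
+let
+cfg = config.custom.services.homeassistant;
+in
+{
+options.custom.services.homeassistant = {
+enable = lib.mkEnableOption "homeassistant";
+
+backup = lib.mkOption {
+default = true;
+type = lib.types.bool;
+};
+};
+
+config = lib.mkIf cfg.enable {
+custom = {
+backups.homeassistant.enable = cfg.backup;
+};
+
+age.secrets."homeassistant/secrets.yaml" = {
+file = ../../secrets/homeassistant/secrets.yaml.age;
+path = "${config.services.home-assistant.configDir}/secrets.yaml";
+owner = "hass";
+group = "hass";
+};
+
+services = {
+postgresql = {
+enable = true;
+initialScript = pkgs.writeText "homeassistant-init.sql" ''
+CREATE ROLE "hass" WITH LOGIN;
+CREATE DATABASE "homeassistant" WITH OWNER "hass" ENCODING "utf8";
+'';
+};
+
+home-assistant = {
+enable = true;
+
+extraPackages = python3Packages: with python3Packages; [
+psycopg2 # postgresql support
+];
+extraComponents = [
+"bluetooth"
+"default_config"
+"esphome"
+"google_assistant"
+"homekit"
+"met"
+"mobile_app"
+"mqtt"
+"otp"
+"smartthings"
+"sonos"
+"sun"
+"switchbot"
+];
+customComponents = with pkgs.home-assistant-custom-components; [
+adaptive_lighting
+];
+
+config = {
+default_config = { };
+
+recorder = {
+db_url = "postgresql://@/homeassistant";
+};
+
+http = {
+use_x_forwarded_for = true;
+trusted_proxies = with config.custom.dns.authoritative; [
+ipv4.uk.co.hillion.ts.cx.boron
+ipv6.uk.co.hillion.ts.cx.boron
+];
+};
+
+google_assistant = {
+project_id = "homeassistant-8de41";
+service_account = {
+client_email = "!secret google_assistant_service_account_client_email";
+private_key = "!secret google_assistant_service_account_private_key";
+};
+report_state = true;
+expose_by_default = true;
+exposed_domains = [ "light" ];
+entity_config = {
+"input_boolean.sleep_mode" = { };
+};
+};
+homekit = [{
+filter = {
+include_domains = [ "light" ];
+};
+}];
+
+bluetooth = { };
+
+adaptive_lighting = {
+lights = [
+"light.bedroom_lamp"
+"light.bedroom_light"
+"light.cubby_light"
+"light.desk_lamp"
+"light.hallway_light"
+"light.living_room_lamp"
+"light.living_room_light"
+"light.wardrobe_light"
+];
+min_sunset_time = "21:00";
+};
+
+light = [
+{
+platform = "template";
+lights = {
+bathroom_light = {
+unique_id = "87a4cbb5-e5a7-44fd-9f28-fec2d6a62538";
+value_template = "{{ false if state_attr('script.bathroom_light_switch_if_on', 'last_triggered') > states.sensor.bathroom_motion_sensor_illuminance_lux.last_reported else states('sensor.bathroom_motion_sensor_illuminance_lux') | int > 500 }}";
+turn_on = { service = "script.noop"; };
+turn_off = { service = "script.bathroom_light_switch_if_on"; };
+};
+};
+}
+];
+
+sensor = [
+{
+# Time/Date (for automations)
+platform = "time_date";
+display_options = [
+"date"
+"date_time_iso"
+];
+}
+
+{
+# Living Room Temperature
+platform = "statistics";
+name = "Living Room temperature (rolling average)";
+entity_id = "sensor.living_room_environment_sensor_temperature";
+state_characteristic = "average_linear";
+unique_id = "e86198a8-88f4-4822-95cb-3ec7b2662395";
+max_age = {
+minutes = 5;
+};
+}
+];
+
+input_boolean = {
+sleep_mode = {
+name = "Set house to sleep mode";
+icon = "mdi:sleep";
+};
+};
+
+# UI managed expansions
+automation = "!include automations.yaml";
+script = "!include scripts.yaml";
+scene = "!include scenes.yaml";
+};
+};
+};
+};
+}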
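Review bot: The `backup` option has no `description`, so `nixos-option` and the generated module docs show nothing for it even though toggling it decides whether `custom.backups.homeassistant` runs; add `description = "Whether to back up the Home Assistant state via custom.backups.";`. The `http.trusted_proxies` list is rightly limited to boron's Tailscale addresses, and a comment such as `# only the Caddy instance on boron may set X-Forwarded-For; widening this lets clients spoof their IP` would tell the next person why it must not grow casually, since `use_x_forwarded_for = true` makes Home Assistant's login rate limiting and IP bans depend on that header.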
@ -32,26 +32,72 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
services.mastodon = {
|
||||
enable = true;
|
||||
localDomain = "social.hillion.co.uk";
|
||||
users.users.caddy.extraGroups = [ "mastodon" ];
|
||||
|
||||
vapidPublicKeyFile = builtins.path { path = ./vapid_public_key; };
|
||||
otpSecretFile = config.age.secrets."mastodon/otp_secret_file".path;
|
||||
secretKeyBaseFile = config.age.secrets."mastodon/secret_key_base".path;
|
||||
vapidPrivateKeyFile = config.age.secrets."mastodon/vapid_private_key".path;
|
||||
services = {
|
||||
mastodon = {
|
||||
enable = true;
|
||||
localDomain = "social.hillion.co.uk";
|
||||
|
||||
smtp = {
|
||||
user = "mastodon@social.hillion.co.uk";
|
||||
port = 587;
|
||||
passwordFile = config.age.secrets."mastodon/mastodon_at_social.hillion.co.uk".path;
|
||||
host = "smtp.eu.mailgun.org";
|
||||
fromAddress = "mastodon@social.hillion.co.uk";
|
||||
authenticate = true;
|
||||
vapidPublicKeyFile = builtins.path { path = ./vapid_public_key; };
|
||||
otpSecretFile = config.age.secrets."mastodon/otp_secret_file".path;
|
||||
secretKeyBaseFile = config.age.secrets."mastodon/secret_key_base".path;
|
||||
vapidPrivateKeyFile = config.age.secrets."mastodon/vapid_private_key".path;
|
||||
|
||||
smtp = {
|
||||
user = "mastodon@social.hillion.co.uk";
|
||||
port = 587;
|
||||
passwordFile = config.age.secrets."mastodon/mastodon_at_social.hillion.co.uk".path;
|
||||
host = "smtp.eu.mailgun.org";
|
||||
fromAddress = "mastodon@social.hillion.co.uk";
|
||||
authenticate = true;
|
||||
};
|
||||
|
||||
extraConfig = {
|
||||
EMAIL_DOMAIN_WHITELIST = "hillion.co.uk";
|
||||
};
|
||||
|
||||
streamingProcesses = 9;
|
||||
};
|
||||
|
||||
extraConfig = {
|
||||
EMAIL_DOMAIN_WHITELIST = "hillion.co.uk";
|
||||
caddy = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts."social.hillion.co.uk".extraConfig = ''
|
||||
handle_path /system/* {
|
||||
file_server * {
|
||||
root /var/lib/mastodon/public-system
|
||||
}
|
||||
}
|
||||
|
||||
handle /api/v1/streaming/* {
|
||||
reverse_proxy unix//run/mastodon-streaming/streaming.socket
|
||||
}
|
||||
|
||||
route * {
|
||||
file_server * {
|
||||
root ${pkgs.mastodon}/public
|
||||
pass_thru
|
||||
}
|
||||
reverse_proxy * unix//run/mastodon-web/web.socket
|
||||
}
|
||||
|
||||
handle_errors {
|
||||
root * ${pkgs.mastodon}/public
|
||||
rewrite 500.html
|
||||
file_server
|
||||
}
|
||||
|
||||
encode gzip
|
||||
|
||||
header /* {
|
||||
Strict-Transport-Security "max-age=31536000;"
|
||||
}
|
||||
header /emoji/* Cache-Control "public, max-age=31536000, immutable"
|
||||
header /packs/* Cache-Control "public, max-age=31536000, immutable"
|
||||
header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
|
||||
header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
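Review bot: The `handle_path /system/*` block serves user-uploaded media from `/var/lib/mastodon/public-system` on the main origin without any content-type or CSP hardening; the nginx configuration Mastodon ships, as far as I recall, adds `X-Content-Type-Options nosniff` and a restrictive `Content-Security-Policy` for exactly this path so a crafted upload cannot be sniffed into a script or rendered as an active document in the site's origin. Add `header /system/* X-Content-Type-Options nosniff` and `header /system/* Content-Security-Policy "default-src 'none'; form-action 'none'"` next to the existing `Cache-Control` headers for that path. The `users.users.caddy.extraGroups = [ "mastodon" ]` line deserves a comment saying it exists so Caddy can open the two unix sockets, since it also grants read access to the rest of the mastodon group's files.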
@ -35,6 +35,16 @@ in
|
||||
owner = "matrix-synapse";
|
||||
group = "matrix-synapse";
|
||||
};
|
||||
|
||||
"matrix/matrix.hillion.co.uk/registration_shared_secret" = {
|
||||
file = ../../secrets/matrix/matrix.hillion.co.uk/registration_shared_secret.age;
|
||||
owner = "matrix-synapse";
|
||||
group = "matrix-synapse";
|
||||
};
|
||||
|
||||
"matrix/matrix.hillion.co.uk/syncv3_secret" = {
|
||||
file = ../../secrets/matrix/matrix.hillion.co.uk/syncv3_secret.age;
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
@ -58,6 +68,8 @@ in
|
||||
];
|
||||
|
||||
settings = {
|
||||
registration_shared_secret_path = config.age.secrets."matrix/matrix.hillion.co.uk/registration_shared_secret".path;
|
||||
|
||||
server_name = "hillion.co.uk";
|
||||
public_baseurl = "https://matrix.hillion.co.uk/";
|
||||
listeners = [
|
||||
@ -66,7 +78,11 @@ in
|
||||
tls = false;
|
||||
type = "http";
|
||||
x_forwarded = true;
|
||||
bind_addresses = [ "::1" ];
|
||||
bind_addresses = [
|
||||
"::1"
|
||||
config.custom.dns.tailscale.ipv4
|
||||
config.custom.dns.tailscale.ipv6
|
||||
];
|
||||
resources = [
|
||||
{
|
||||
names = [ "client" "federation" ];
|
||||
@ -102,6 +118,15 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
matrix-sliding-sync = {
|
||||
enable = true;
|
||||
environmentFile = config.age.secrets."matrix/matrix.hillion.co.uk/syncv3_secret".path;
|
||||
settings = {
|
||||
SYNCV3_SERVER = "https://matrix.hillion.co.uk";
|
||||
SYNCV3_BINDADDR = "[::]:8009";
|
||||
};
|
||||
};
|
||||
|
||||
heisenbridge = lib.mkIf cfg.heisenbridge {
|
||||
enable = true;
|
||||
owner = "@jake:hillion.co.uk";
|
||||
@ -109,10 +134,12 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.heisenbridge = lib.mkIf cfg.heisenbridge {
|
||||
serviceConfig = {
|
||||
Restart = "on-failure";
|
||||
RestartSec = 15;
|
||||
systemd.services = {
|
||||
heisenbridge = lib.mkIf cfg.heisenbridge {
|
||||
serviceConfig = {
|
||||
Restart = "on-failure";
|
||||
RestartSec = 15;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
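Review bot: `SYNCV3_BINDADDR = "[::]:8009";` makes the new sliding-sync proxy listen on every interface, and the Synapse listener that now also binds `config.custom.dns.tailscale.ipv4`/`ipv6` keeps `x_forwarded = true`, so any tailnet peer that reaches either port directly can present an arbitrary `X-Forwarded-For` and Synapse will record and rate-limit on that forged client IP. If both are only meant to be reached through the local reverse proxy, bind sliding sync to `[::1]:8009` and give direct Tailscale access its own listener with `x_forwarded = false`; if the Tailscale addresses exist for a proxy on another host, restrict them to that host in the firewall. Whether the host firewall currently blocks 8009 is not visible in this hunk, so I have not assumed either way.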
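--- /dev/null
+++ b/modules/services/tang.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, lib, ... }:
+
+let
+cfg = config.custom.services.tang;
+in
+{
+options.custom.services.tang = {
+enable = lib.mkEnableOption "tang";
+};
+
+config = lib.mkIf cfg.enable {
+services.tang = {
+enable = true;
+ipAddressAllow = [
+"138.201.252.214/32"
+"10.64.50.20/32"
+];
+};
+};
+}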
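Review bot: `ipAddressAllow` is the only access control Tang has — its advertisement and recovery endpoints are unauthenticated, so whoever can reach the socket can help unlock any Clevis-bound volume pinned to this server — yet the two entries are bare literals with no hint of which hosts they are. Comment each one (`"138.201.252.214/32" # boron, public address` if that is what it is; the same address appears in the gitea module) and prefer deriving them from the host definitions, so a readdressed client does not silently lose its unlock path or, worse, leave a stale address authorised after it is reassigned to someone else at the provider. A one-line note that adding an entry here is equivalent to handing that host a share of every bound disk's key would make the review bar for future changes obvious.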
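--- /dev/null
+++ b/modules/services/unifi.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, lib, ... }:
+
+let
+cfg = config.custom.services.unifi;
+in
+{
+options.custom.services.unifi = {
+enable = lib.mkEnableOption "unifi";
+
+dataDir = lib.mkOption {
+type = lib.types.str;
+default = "/var/lib/unifi";
+readOnly = true; # NixOS module only supports this directory
+};
+};
+
+config = lib.mkIf cfg.enable {
+# Fix dynamically allocated user and group ids
+users.users.unifi.uid = config.ids.uids.unifi;
+users.groups.unifi.gid = config.ids.gids.unifi;
+
+services.caddy = {
+enable = true;
+virtualHosts = {
+"unifi.hillion.co.uk".extraConfig = ''
+reverse_proxy https://localhost:8443 {
+transport http {
+tls_insecure_skip_verify
+}
+}
+'';
+};
+};
+
+services.unifi = {
+enable = true;
+unifiPackage = pkgs.unifi8;
+};
+};
+}
+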
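Review bot: The `unifi.hillion.co.uk` virtual host has no `listenAddresses`, so Caddy publishes the controller's login page to the Internet, whereas the other admin UIs touched in this series (`*.downloads.ts.hillion.co.uk`, `zigbee2mqtt.home.ts.hillion.co.uk`) are bound to `config.custom.dns.tailscale.ipv4`/`ipv6` only; the controller's device-inform endpoint is a separate port, so as far as I know the web UI does not need to be public for adoption to work. Add `listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];` to the vhost unless public access is intended, in which case a comment should say so. `tls_insecure_skip_verify` on the loopback hop to `https://localhost:8443` is a reasonable trade for the controller's self-signed certificate, but deserves a comment saying exactly that so the transport block is not copied to a non-local upstream.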
@ -35,12 +35,12 @@ in
|
||||
fi
|
||||
cd repo
|
||||
${git}/bin/git fetch
|
||||
${git}/bin/git switch --detach origin/main
|
||||
|
||||
code=0
|
||||
for path in hosts/*
|
||||
do
|
||||
hostname=''${path##*/}
|
||||
if test -f "hosts/$hostname/darwin"; then continue; fi
|
||||
|
||||
if rev=$(${curl}/bin/curl -s --connect-timeout 15 http://$hostname:30653/current/nixos/system/configurationRevision); then
|
||||
echo "$hostname: $rev (current)"
|
||||
|
@ -23,7 +23,7 @@ in
|
||||
enable = true;
|
||||
|
||||
virtualHosts."http://zigbee2mqtt.home.ts.hillion.co.uk" = {
|
||||
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
|
||||
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
|
||||
extraConfig = "reverse_proxy http://127.0.0.1:15606";
|
||||
};
|
||||
};
|
||||
|
@ -1,7 +1,20 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.shell;
|
||||
in
|
||||
{
|
||||
config = {
|
||||
imports = [
|
||||
./update_scripts.nix
|
||||
];
|
||||
|
||||
options.custom.shell = {
|
||||
enable = lib.mkEnableOption "shell";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
custom.shell.update_scripts.enable = true;
|
||||
|
||||
users.defaultUserShell = pkgs.zsh;
|
||||
|
||||
environment.systemPackages = with pkgs; [ direnv ];
|
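--- /dev/null
+++ b/modules/shell/update_scripts.nix
@@ -0,0 +1,64 @@
+{ config, pkgs, lib, ... }:
+
+let
+cfg = config.custom.shell.update_scripts;
+
+update = pkgs.writeScriptBin "update" ''
+#! ${pkgs.runtimeShell}
+set -e
+
+if [[ $EUID -ne 0 ]]; then
+exec sudo ${pkgs.runtimeShell} "$0" "$@"
+fi
+
+if [ -n "$1" ]; then
+BRANCH=$1
+else
+BRANCH=main
+fi
+
+cd /etc/nixos
+if [ "$BRANCH" = "main" ]; then
+${pkgs.git}/bin/git switch $BRANCH
+${pkgs.git}/bin/git pull
+else
+${pkgs.git}/bin/git fetch
+${pkgs.git}/bin/git switch --detach origin/$BRANCH
+fi
+
+if ! ${pkgs.nixos-rebuild}/bin/nixos-rebuild --flake "/etc/nixos#${config.networking.fqdn}" test; then
+echo "WARNING: \`nixos-rebuild test' failed!"
+fi
+
+while true; do
+read -p "Do you want to boot this configuration? " yn
+case $yn in
+[Yy]* ) break;;
+[Nn]* ) exit;;
+* ) echo "Please answer yes or no.";;
+esac
+done
+
+${pkgs.nixos-rebuild}/bin/nixos-rebuild --flake "/etc/nixos#${config.networking.fqdn}" boot
+
+while true; do
+read -p "Would you like to reboot now? " yn
+case $yn in
+[Yy]* ) reboot;;
+[Nn]* ) exit;;
+* ) echo "Please answer yes or no.";;
+esac
+done
+'';
+in
+{
+options.custom.shell.update_scripts = {
+enable = lib.mkEnableOption "update_scripts";
+};
+
+config = lib.mkIf cfg.enable {
+environment.systemPackages = [
+update
+];
+};
+}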
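Review bot: When `nixos-rebuild ... test` fails the script only prints `WARNING: \`nixos-rebuild test' failed!` and then still offers to make that configuration the boot default, so a broken or unintended revision can be installed with a single `y`; after the warning it should `exit 1` (or demand a distinct confirmation) rather than fall through to the boot prompt. The script also runs `git pull` and `git switch --detach origin/$BRANCH` as root with no commit verification, so whoever controls the remote controls the next boot; if the repository's commits are signed, `${pkgs.git}/bin/git verify-commit HEAD` after the checkout is a cheap gate, and `$BRANCH` should be quoted in both `git switch` calls since it comes straight from `$1`. Each of these is a one- or two-line change, so no rewrite is needed.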
@ -1,25 +0,0 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
|
||||
{
|
||||
config.age.secrets."spotify/11132032266" = {
|
||||
file = ../../secrets/spotify/11132032266.age;
|
||||
owner = "jake";
|
||||
};
|
||||
|
||||
config.hardware.pulseaudio.enable = true;
|
||||
|
||||
config.users.users.jake.extraGroups = [ "audio" ];
|
||||
config.users.users.jake.packages = with pkgs; [ spotify-tui ];
|
||||
|
||||
config.home-manager.users.jake.services.spotifyd = {
|
||||
enable = true;
|
||||
settings = {
|
||||
global = {
|
||||
username = "11132032266";
|
||||
password_cmd = "cat ${config.age.secrets."spotify/11132032266".path}";
|
||||
backend = "pulseaudio";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
55
modules/ssh/default.nix
Normal file
55
modules/ssh/default.nix
Normal file
@ -0,0 +1,55 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.ssh;
|
||||
in
|
||||
{
|
||||
options.custom.ssh = {
|
||||
enable = lib.mkEnableOption "ssh";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
users.users =
|
||||
if config.custom.user == "jake" then {
|
||||
"jake".openssh.authorizedKeys.keys = [
|
||||
"sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBBwJH4udKNvi9TjOBgkxpBBy7hzWqmP0lT5zE9neusCpQLIiDhr6KXYMPXWXdZDc18wH1OLi2+639dXOvp8V/wgAAAAEc3NoOg== jake@beryllium-keys"
|
||||
|
||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOt74U+rL+BMtAEjfu/Optg1D7Ly7U+TupRxd5u9kfN7oJnW4dJA25WRSr4dgQNq7MiMveoduBY/ky2s0c9gvIA= jake@jake-gentoo"
|
||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC0uKIvvvkzrOcS7AcamsQRFId+bqPwUC9IiUIsiH5oWX1ReiITOuEo+TL9YMII5RyyfJFeu2ZP9moNuZYlE7Bs= jake@jake-mbp"
|
||||
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAyFsYYjLZ/wyw8XUbcmkk6OKt2IqLOnWpRE5gEvm3X0V4IeTOL9F4IL79h7FTsPvi2t9zGBL1hxeTMZHSGfrdWaMJkQp94gA1W30MKXvJ47nEVt0HUIOufGqgTTaAn4BHxlFUBUuS7UxaA4igFpFVoPJed7ZMhMqxg+RWUmBAkcgTWDMgzUx44TiNpzkYlG8cYuqcIzpV2dhGn79qsfUzBMpGJgkxjkGdDEHRk66JXgD/EtVasZvqp5/KLNnOpisKjR88UJKJ6/buV7FLVra4/0hA9JtH9e1ecCfxMPbOeluaxlieEuSXV2oJMbQoPP87+/QriNdi/6QuCHkMDEhyGw== jake@jake-mbp"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw4lgH20nfuchDqvVf0YciqN0GnBw5hfh8KIun5z0P7wlNgVYnCyvPvdIlGf2Nt1z5EGfsMzMLhKDOZkcTMlhupd+j2Er/ZB764uVBGe1n3CoPeasmbIlnamZ12EusYDvQGm2hVJTGQPPp9nKaRxr6ljvTMTNl0KWlWvKP4kec74d28MGgULOPLT3HlAyvUymSULK4lSxFK0l97IVXLa8YwuL5TNFGHUmjoSsi/Q7/CKaqvNh+ib1BYHzHYsuEzaaApnCnfjDBNexHm/AfbI7s+g3XZDcZOORZn6r44dOBNFfwvppsWj3CszwJQYIFeJFuMRtzlC8+kyYxci0+FXHn jake@jake-gentoo"
|
||||
];
|
||||
} else { };
|
||||
|
||||
programs.mosh.enable = true;
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
|
||||
settings = {
|
||||
PermitRootLogin = "no";
|
||||
PasswordAuthentication = false;
|
||||
};
|
||||
};
|
||||
|
||||
programs.ssh.knownHosts = {
|
||||
# Global Internet hosts
|
||||
"ssh.gitea.hillion.co.uk".publicKey = "ssh-rsa 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";
|
||||
|
||||
# Tailscale hosts
|
||||
"boron.cx.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcJ7HY/vjtheMV8EN2wlTw1hU53CJebGIeRJcSkzt5";
|
||||
"be.lt.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm";
|
||||
"dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY";
|
||||
"gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c";
|
||||
"homeassistant.homeassistant.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM2ytacl/zYXhgvosvhudsl0zW5eQRHXm9aMqG9adux";
|
||||
"li.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u";
|
||||
"microserver.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw";
|
||||
"router.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu";
|
||||
"sodium.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQmG7v/XrinPmkTU2eIoISuU3+hoV4h60Bmbwd+xDjr";
|
||||
"theon.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN59psLVu3/sQORA4x3p8H3ei8MCQlcwX5T+k3kBeBMf";
|
||||
"tywin.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k";
|
||||
};
|
||||
programs.ssh.knownHostsFiles = [ ./github_known_hosts ];
|
||||
};
|
||||
}
|
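Review bot: `PasswordAuthentication = false` on its own does not disable password prompts delivered through keyboard-interactive/PAM; recent NixOS releases default `KbdInteractiveAuthentication` to false, but this module is silently relying on that default, so adding `KbdInteractiveAuthentication = false;` next to it in `settings` makes the key-only policy explicit and survives a default change. Separately, `openFirewall = true` opens port 22 on every interface while every pinned host here is addressed over Tailscale; if the public interface is not meant to serve ssh, `openFirewall = false;` plus `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];` narrows the exposure (whether these hosts even have a public interface is not visible from this module).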
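--- a/modules/ssh/github_known_hosts
+++ b/modules/ssh/github_known_hosts
@@ -0,0 +1,3 @@
+github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"
+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg="
+github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="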
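Review bot: All three entries end with a stray `"` glued onto the base64 key blob, e.g. `...dh2l9GKJl"`, which is not valid base64, so ssh cannot parse the key and the entry is effectively ignored — github.com's host key ends up unpinned even though `programs.ssh.knownHostsFiles` points at this file, and users get the usual trust-on-first-use prompt instead. Drop the trailing quote on each line so the first reads `github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl`, and check the three values against the fingerprints GitHub publishes before relying on them.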
@ -1,65 +0,0 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.tailscale;
|
||||
in
|
||||
{
|
||||
options.custom.tailscale = {
|
||||
enable = lib.mkEnableOption "tailscale";
|
||||
|
||||
preAuthKeyFile = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
|
||||
advertiseRoutes = lib.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
default = [ ];
|
||||
};
|
||||
|
||||
advertiseExitNode = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
};
|
||||
|
||||
ipv4Addr = lib.mkOption { type = lib.types.str; };
|
||||
ipv6Addr = lib.mkOption { type = lib.types.str; };
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
environment.systemPackages = [ pkgs.tailscale ];
|
||||
|
||||
services.tailscale.enable = true;
|
||||
|
||||
networking.firewall.checkReversePath = lib.mkIf cfg.advertiseExitNode "loose";
|
||||
|
||||
systemd.services.tailscale-autoconnect = {
|
||||
description = "Automatic connection to Tailscale";
|
||||
|
||||
# make sure tailscale is running before trying to connect to tailscale
|
||||
after = [ "network-pre.target" "tailscale.service" ];
|
||||
wants = [ "network-pre.target" "tailscale.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
# set this service as a oneshot job
|
||||
serviceConfig.Type = "oneshot";
|
||||
|
||||
# have the job run this shell script
|
||||
script = with pkgs; ''
|
||||
# wait for tailscaled to settle
|
||||
sleep 2
|
||||
|
||||
# check if we are already authenticated to tailscale
|
||||
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
|
||||
if [ $status = "Running" ]; then # if so, then do nothing
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# otherwise authenticate with tailscale
|
||||
${tailscale}/bin/tailscale up \
|
||||
--authkey "$(<${cfg.preAuthKeyFile})" \
|
||||
--advertise-routes "${lib.concatStringsSep "," cfg.advertiseRoutes}" \
|
||||
--advertise-exit-node=${if cfg.advertiseExitNode then "true" else "false"}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
@ -1,19 +1,21 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.users;
|
||||
in
|
||||
{
|
||||
config = {
|
||||
ids.uids = {
|
||||
## Defined System Users (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
|
||||
|
||||
## Consistent People
|
||||
jake = 1000;
|
||||
joseph = 1001;
|
||||
};
|
||||
ids.gids = {
|
||||
## Defined System Groups (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
|
||||
|
||||
## Consistent Groups
|
||||
mediaaccess = 1200;
|
||||
options.custom.users = {
|
||||
jake = {
|
||||
password = lib.mkOption {
|
||||
description = "Enable an interactive password.";
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.jake.password {
|
||||
age.secrets."passwords/jake".file = ../secrets/passwords/jake.age;
|
||||
users.users.jake.hashedPasswordFile = config.age.secrets."passwords/jake".path;
|
||||
};
|
||||
}
|
||||
|
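Review bot: The new `password` option's description, `Enable an interactive password.`, does not say where the password comes from or what state the account is in when the option is off, which is exactly what someone enabling it on a new host needs to know. Suggest `description = "Install jake's password hash from secrets/passwords/jake.age via users.users.jake.hashedPasswordFile; when false no password is set for the account.";` — a short note that the age secret must decrypt on that host at activation would also save a confusing first switch.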
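--- a/modules/www/certs/blog.hillion.co.uk.pem
+++ b/modules/www/certs/blog.hillion.co.uk.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGTCCAsCgAwIBAgIUMOkPfgLpbA08ovrPt+deXQPpA9kwCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0yNDA0MTMyMTQ0MDBaFw0zOTA0MTAyMTQ0MDBaMGIxGTAXBgNVBAoTEENs
+b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
+JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABNweW8IgrXj7Q64RxyK8s9XpbxJ8TbYVv7NALbWUahlT
+QPlGX/5XoM3Z5AtISBi1irLEy5o6mx7ebNK4NmwzNlCjggEkMIIBIDAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFMy3oz9l3bwpjgtx6IqL9IH90PXcMB8GA1UdIwQYMBaA
+FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
+AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAdBgNV
+HREEFjAUghJibG9nLmhpbGxpb24uY28udWswPAYDVR0fBDUwMzAxoC+gLYYraHR0
+cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fZWNjX2NhLmNybDAKBggqhkjO
+PQQDAgNHADBEAiAgVRgo5V09uyMbz1Mevmxe6d2K5xvZuBElVYja/Rf99AIgZkm1
+wHEq9wqVYP0oWTiEYQZ6dzKoSwxviOEZI+ttQRA=
+-----END CERTIFICATE-----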
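--- a/modules/www/certs/gitea.hillion.co.uk.pem
+++ b/modules/www/certs/gitea.hillion.co.uk.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHDCCAsGgAwIBAgIUMHdmb+Ef9YvVmCtliDhg1gDGt8cwCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0yNDA0MTMyMTQ1MDBaFw0zOTA0MTAyMTQ1MDBaMGIxGTAXBgNVBAoTEENs
+b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
+JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABGn2vImTE+gpWx/0ELXue7cL0eGb+I2c9VbUYcy3TBJi
+G7S+wl79MBM5+5G0wKhTpBgVpXu1/NHunfM97LGZb5ejggElMIIBITAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFI6dxFPItIKnNN7/xczMOtlTytuvMB8GA1UdIwQYMBaA
+FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
+AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAeBgNV
+HREEFzAVghNnaXRlYS5oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0
+dHA6Ly9jcmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZI
+zj0EAwIDSQAwRgIhAKfRSEKCGNY5x4zUNzOy6vfxgDYPfkP6iW5Ha4gNmE+QAiEA
+nTsGKr2EoqEdPtnB+wVrYMblWF7/or3JpRYGs6zD2FU=
+-----END CERTIFICATE-----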
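--- a/modules/www/certs/hillion.co.uk.pem
+++ b/modules/www/certs/hillion.co.uk.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFDCCArugAwIBAgIUedwIJx096VH/KGDgpAKK/Q8jGWUwCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0yNDA0MTMyMTIzMDBaFw0zOTA0MTAyMTIzMDBaMGIxGTAXBgNVBAoTEENs
+b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
+JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABIdc0hnQQP7tLADaCGXxZ+1BGbZ8aow/TtHl+aXDbN3t
+2vVV2iLmsMbiPcJZ5e9Q2M27L8fZ0uPJP19dDvvN97SjggEfMIIBGzAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFJilRKL8wXskL/LmgH8BnIvLIpkEMB8GA1UdIwQYMBaA
+FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
+AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAYBgNV
+HREEETAPgg1oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9j
+cmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZIzj0EAwID
+RwAwRAIgbexSqkt3pzCpnpqYXwC5Gmt+nG5OEqETQ6690kpIS74CIFQI3zXlx8zk
+GB0BlaZdrraAQP7AuI8CcMd5vbQdnldY
+-----END CERTIFICATE-----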
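--- a/modules/www/certs/homeassistant.hillion.co.uk.pem
+++ b/modules/www/certs/homeassistant.hillion.co.uk.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAsmgAwIBAgIUaSXrL4UHFHxDvvnW1720aZkkBCkwCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0yNDA0MTMyMTUzMDBaFw0zOTA0MTAyMTUzMDBaMGIxGTAXBgNVBAoTEENs
+b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
+JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABOz/ljJJjKawHtILlD09YMwmAdhzxTfPPi61qw7R670T
+Oe4/KA4zClCKfzqnVEZ4YonfgK8U6VqhLPI4crxUQk+jggEtMIIBKTAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFO7S2TbvL1kel0QH+sYfjD6v2L7oMB8GA1UdIwQYMBaA
+FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
+AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAmBgNV
+HREEHzAdghtob21lYXNzaXN0YW50LmhpbGxpb24uY28udWswPAYDVR0fBDUwMzAx
+oC+gLYYraHR0cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fZWNjX2NhLmNy
+bDAKBggqhkjOPQQDAgNJADBGAiEAgaiFVCBLVYKjTJV67qKOg1R1GBVszNF+9PCi
+ZejJcjwCIQDtl9S3zCl/h8/7uYfk8dHg0Y6kwd5GVuu6HE67GWJ2Yg==
+-----END CERTIFICATE-----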
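--- a/modules/www/certs/links.hillion.co.uk.pem
+++ b/modules/www/certs/links.hillion.co.uk.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAsGgAwIBAgIUFUDTvq6L7SR3qKxaNh77g3XkJk8wCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0yNDA0MTMyMTQ2MDBaFw0zOTA0MTAyMTQ2MDBaMGIxGTAXBgNVBAoTEENs
+b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
+JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABGpSYrOqMuzCfE6qdpXqFze8RxWDcDSUFRYmotnp4cyK
+i6ISovoK7YDKarrHRIvIrsNBaqk+0hjZpOhN/XpU16SjggElMIIBITAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFLoqUdEVGspJs/SGcV7pf2bCzqTrMB8GA1UdIwQYMBaA
+FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
+AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAeBgNV
+HREEFzAVghNsaW5rcy5oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0
+dHA6Ly9jcmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZI
+zj0EAwIDSAAwRQIhANh3Ds0ZSZp3rEZ46z4sBp+WNQejnDhTCXt2OIRiCrecAiAB
+oe21Oz1Pmqv0htFxNf1YbkgJMCoGfENlViuR0cUAJg==
+-----END CERTIFICATE-----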
@ -10,82 +10,78 @@ in
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
users.users.caddy.extraGroups = [ "mastodon" ];
|
||||
age.secrets =
|
||||
let
|
||||
mkSecret = domain: {
|
||||
name = "caddy/${domain}.pem";
|
||||
value = {
|
||||
file = ../../secrets/certs/${domain}.pem.age;
|
||||
owner = config.services.caddy.user;
|
||||
group = config.services.caddy.group;
|
||||
};
|
||||
};
|
||||
in
|
||||
builtins.listToAttrs (builtins.map mkSecret [
|
||||
"hillion.co.uk"
|
||||
"blog.hillion.co.uk"
|
||||
"gitea.hillion.co.uk"
|
||||
"homeassistant.hillion.co.uk"
|
||||
"links.hillion.co.uk"
|
||||
]);
|
||||
|
||||
custom.www.www-repo.enable = true;
|
||||
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
package = pkgs.unstable.caddy;
|
||||
|
||||
virtualHosts."hillion.co.uk".extraConfig = ''
|
||||
handle /.well-known/* {
|
||||
respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200
|
||||
respond 404
|
||||
}
|
||||
globalConfig = ''
|
||||
email acme@hillion.co.uk
|
||||
'';
|
||||
|
||||
handle {
|
||||
redir https://blog.hillion.co.uk{uri}
|
||||
}
|
||||
'';
|
||||
virtualHosts."blog.hillion.co.uk".extraConfig = ''
|
||||
root * /var/www/blog.hillion.co.uk
|
||||
file_server
|
||||
'';
|
||||
virtualHosts."gitea.hillion.co.uk".extraConfig = ''
|
||||
reverse_proxy http://gitea.gitea.ts.hillion.co.uk:3000
|
||||
'';
|
||||
virtualHosts."homeassistant.hillion.co.uk".extraConfig = ''
|
||||
reverse_proxy http://homeassistant.homeassistant.ts.hillion.co.uk:8123
|
||||
'';
|
||||
virtualHosts."emby.hillion.co.uk".extraConfig = ''
|
||||
reverse_proxy http://plex.mediaserver.ts.hillion.co.uk:8096
|
||||
'';
|
||||
virtualHosts."matrix.hillion.co.uk".extraConfig = ''
|
||||
reverse_proxy http://${locations.services.matrix}:8008
|
||||
'';
|
||||
virtualHosts."unifi.hillion.co.uk".extraConfig = ''
|
||||
reverse_proxy https://unifi.unifi.ts.hillion.co.uk:8443 {
|
||||
transport http {
|
||||
tls_insecure_skip_verify
|
||||
virtualHosts = {
|
||||
"hillion.co.uk".extraConfig = ''
|
||||
tls ${./certs/hillion.co.uk.pem} ${config.age.secrets."caddy/hillion.co.uk.pem".path}
|
||||
handle /.well-known/* {
|
||||
header /.well-known/matrix/* Content-Type application/json
|
||||
header /.well-known/matrix/* Access-Control-Allow-Origin *
|
||||
|
||||
respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200
|
||||
respond /.well-known/matrix/client `${builtins.toJSON {
|
||||
"m.homeserver" = { "base_url" = "https://matrix.hillion.co.uk"; };
|
||||
"org.matrix.msc3575.proxy" = { "url" = "https://matrix.hillion.co.uk"; };
|
||||
}}` 200
|
||||
|
||||
respond 404
|
||||
}
|
||||
}
|
||||
'';
|
||||
virtualHosts."drone.hillion.co.uk".extraConfig = ''
|
||||
reverse_proxy http://vm.strangervm.ts.hillion.co.uk:18733
|
||||
'';
|
||||
virtualHosts."social.hillion.co.uk".extraConfig = ''
|
||||
handle_path /system/* {
|
||||
file_server * {
|
||||
root /var/lib/mastodon/public-system
|
||||
}
|
||||
}
|
||||
|
||||
handle /api/v1/streaming/* {
|
||||
reverse_proxy unix//run/mastodon-streaming/streaming.socket
|
||||
}
|
||||
|
||||
route * {
|
||||
file_server * {
|
||||
root ${pkgs.mastodon}/public
|
||||
pass_thru
|
||||
handle {
|
||||
redir https://blog.hillion.co.uk{uri}
|
||||
}
|
||||
reverse_proxy * unix//run/mastodon-web/web.socket
|
||||
}
|
||||
|
||||
handle_errors {
|
||||
root * ${pkgs.mastodon}/public
|
||||
rewrite 500.html
|
||||
'';
|
||||
"blog.hillion.co.uk".extraConfig = ''
|
||||
tls ${./certs/blog.hillion.co.uk.pem} ${config.age.secrets."caddy/blog.hillion.co.uk.pem".path}
|
||||
root * /var/www/blog.hillion.co.uk
|
||||
file_server
|
||||
}
|
||||
|
||||
encode gzip
|
||||
|
||||
header /* {
|
||||
Strict-Transport-Security "max-age=31536000;"
|
||||
}
|
||||
header /emoji/* Cache-Control "public, max-age=31536000, immutable"
|
||||
header /packs/* Cache-Control "public, max-age=31536000, immutable"
|
||||
header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
|
||||
header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
|
||||
'';
|
||||
'';
|
||||
"homeassistant.hillion.co.uk".extraConfig = ''
|
||||
tls ${./certs/homeassistant.hillion.co.uk.pem} ${config.age.secrets."caddy/homeassistant.hillion.co.uk.pem".path}
|
||||
reverse_proxy http://${locations.services.homeassistant}:8123
|
||||
'';
|
||||
"gitea.hillion.co.uk".extraConfig = ''
|
||||
tls ${./certs/gitea.hillion.co.uk.pem} ${config.age.secrets."caddy/gitea.hillion.co.uk.pem".path}
|
||||
reverse_proxy http://${locations.services.gitea}:3000
|
||||
'';
|
||||
"matrix.hillion.co.uk".extraConfig = ''
|
||||
reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync http://${locations.services.matrix}:8009
|
||||
reverse_proxy /_matrix/* http://${locations.services.matrix}:8008
|
||||
reverse_proxy /_synapse/client/* http://${locations.services.matrix}:8008
|
||||
'';
|
||||
"links.hillion.co.uk".extraConfig = ''
|
||||
tls ${./certs/links.hillion.co.uk.pem} ${config.age.secrets."caddy/links.hillion.co.uk.pem".path}
|
||||
redir https://matrix.to/#/@jake:hillion.co.uk
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
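Review bot: The vhosts that now carry `tls ${./certs/<host>.pem} ${config.age.secrets."caddy/<host>.pem".path}` terminate TLS with Cloudflare Origin CA certificates (the PEMs are issued by `CloudFlare Origin SSL ECC Certificate Authority`), which browsers do not trust, so these sites only work when fronted by Cloudflare — and nothing visible in this module stops a client that learns the origin address from reaching Caddy directly and skipping whatever Cloudflare enforces in front. Unless the firewall already limits 80/443 to Cloudflare's ranges, consider Caddy's `client_auth` with Cloudflare's origin-pull CA (Authenticated Origin Pulls) on these hosts, or an allowlist, and a short comment on the `tls` lines recording that these certs are Cloudflare-only and expire in 2039. The `unifi` block also contains `tls_insecure_skip_verify`; whether that line is old or new is not recoverable from this render, but if it survives, trusting the controller's certificate via `tls_trusted_ca_certs` would stop the proxy accepting any certificate at all on that path.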
@ -53,10 +53,10 @@ in
|
||||
};
|
||||
|
||||
script = ''
|
||||
if [ ! -d "${cfg.path}/.git" ] ; then
|
||||
${pkgs.git}/bin/git clone ${cfg.remote} ${cfg.path}
|
||||
if [ ! -d "${cfg.location}/.git" ] ; then
|
||||
${pkgs.git}/bin/git clone ${cfg.remote} ${cfg.location}
|
||||
else
|
||||
cd ${cfg.path}
|
||||
cd ${cfg.location}
|
||||
${pkgs.git} remote set-url origin ${cfg.remote}
|
||||
${pkgs.git}/bin/git fetch
|
||||
${pkgs.git}/bin/git reset --hard origin/${cfg.branch}
|
||||
|
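Review bot: `${pkgs.git} remote set-url origin ${cfg.remote}` is missing `/bin/git`, so it expands to the bare store directory and the shell cannot execute it; under the `set -e` that NixOS wraps service scripts with, the `else` branch then aborts before `git fetch` and `git reset --hard`, so the checkout is never updated after the initial clone. The line is context rather than part of this rename, so the defect predates the commit, but it is still live in the new code; change it to `${pkgs.git}/bin/git remote set-url origin ${cfg.remote}`. Quoting the expansions as `"${cfg.location}"` and `"${cfg.remote}"` would also keep a path with whitespace from breaking `cd` and `clone`. The `script` string continues past the end of this hunk.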
@ -6,8 +6,8 @@ let
|
||||
domain = "gitea.hillion.co.uk";
|
||||
owner = "JakeHillion";
|
||||
repo = "storj";
|
||||
rev = "977a27dde2affe6801840b827dde387551b15126";
|
||||
hash = "sha256-DHDVrYGWGK91uMMa9rF3RVpFA9IVhtvqHJtLUXyuL5E=";
|
||||
rev = "5546e07191f01be3269d5ea2dbf5ebb908852288";
|
||||
hash = "sha256-OpLxi84oS2sCUaZEuKTvbaygkxkRiXlAlRVQDV8VWHg=";
|
||||
};
|
||||
meta = with lib; {
|
||||
description = "Storj is building a distributed cloud storage network.";
|
||||
@ -25,7 +25,7 @@ in
|
||||
buildGoModule rec {
|
||||
pname = "storagenode";
|
||||
inherit version src meta;
|
||||
vendorHash = "sha256-iZEEADI1JxdsL1j4kJpkV3owfO8DnUcCNSKJMyPgYhE=";
|
||||
vendorHash = "sha256-eSm1Bp+nycd1W9Tx5hvh/Ta3w9u1zsXZ4D77zAnViOA=";
|
||||
subPackages = [
|
||||
"cmd/storagenode"
|
||||
"cmd/identity"
|
||||
|
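--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,24 @@
+{
+"nix": {
+"enabled": true
+},
+"lockFileMaintenance": {
+"enabled": true,
+"schedule": ["* 2-5 * * *"]
+},
+"rebaseWhen": "behind-base-branch",
+"packageRules": [
+{
+"matchManagers": ["github-actions"],
+"automerge": true,
+"schedule": [
+"after 11pm on Monday",
+"after 11pm on Thursday"
+]
+}
+],
+"extends": [
+"config:recommended",
+"helpers:pinGitHubActionDigests"
+]
+}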
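Review bot: `"automerge": true` on the `github-actions` rule lands action updates without a human look; `helpers:pinGitHubActionDigests` turns those into digest bumps, which is the right shape, but a new digest from upstream is exactly how a compromised action release would arrive in this repo. Unless every PR already has a required status check that Renovate waits on, consider adding `"minimumReleaseAge": "7 days"` to that rule (where the datasource supplies release timestamps) or dropping automerge for actions that run with repository secrets. This file has no comment syntax, so the reasoning for automerging belongs in the commit message or README rather than here.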
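--- a/scripts/update_nixpkgs.sh
+++ b/scripts/update_nixpkgs.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -xe
+
+VERSION=`curl https://gitea.hillion.co.uk/JakeHillion/nixos/raw/branch/main/flake.lock | nix run nixpkgs#jq -- -r '.nodes."nixpkgs-unstable".locked.rev'`
+nix registry add nixpkgs "github:NixOS/nixpkgs/${VERSION}"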
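Review bot: `curl` runs without `-f`, so an HTTP error page is piped into `jq` as though it were `flake.lock`, and a lock file without a `nixpkgs-unstable` node makes `jq -r` print the string `null`; either way `VERSION` can be empty or junk and `nix registry add` still pins `github:NixOS/nixpkgs/${VERSION}` for every later `nixpkgs#` invocation on the machine. Use `curl -fsSL` and refuse anything that is not a hex commit id before touching the registry: `case "$VERSION" in *[!0-9a-f]*|"") echo "bad rev: $VERSION" >&2; exit 1;; esac`. A one-line comment above the assignment saying this mirrors the pinned `nixpkgs-unstable` input from the main branch would also explain why the script reads the lock file rather than the flake directly.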
BIN
secrets/certs/blog.hillion.co.uk.pem.age
Normal file
BIN
secrets/certs/blog.hillion.co.uk.pem.age
Normal file
Binary file not shown.
BIN
secrets/certs/gitea.hillion.co.uk.pem.age
Normal file
BIN
secrets/certs/gitea.hillion.co.uk.pem.age
Normal file
Binary file not shown.
BIN
secrets/certs/hillion.co.uk.pem.age
Normal file
BIN
secrets/certs/hillion.co.uk.pem.age
Normal file
Binary file not shown.
BIN
secrets/certs/homeassistant.hillion.co.uk.pem.age
Normal file
BIN
secrets/certs/homeassistant.hillion.co.uk.pem.age
Normal file
Binary file not shown.
20
secrets/certs/links.hillion.co.uk.pem.age
Normal file
20
secrets/certs/links.hillion.co.uk.pem.age
Normal file
@ -0,0 +1,20 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-rsa GxPFJQ
|
||||
AaDBHnrzzyVgSLJfjuzNYVqOfGVoNYvtwOZ/8JWdzTiKjFjvFThTwRxXm04x4zV2
|
||||
yDGl2YQn/SdA//tPt2aTt/HEr2vvfvTupf+p8dO81JsdQ2QNEwJq6GFPYvzwpUMt
|
||||
2aY99IWgfZMnNdm1dD40UPRXthRy4neY64fLmrpNH9hM/Tj/O9L9aHo/Z8rROien
|
||||
k/qN0uVWDlrxoCooZNmzuWe8VNE9PtEj07YBjUKY9frVpP38iL9hWZ435x59bRru
|
||||
HTz/I1NEeKyCzUKDz562cmmPl1ihJkelSOLIS/SUL4CfbePt6lGeGgJ1UB1lLBlo
|
||||
nOE79ekfh92wbYJWrogvFg
|
||||
-> ssh-rsa K9mW1w
|
||||
W34jfSpkxpJKesV7ZDl92bQRMtWWB7ht93n7+APJNL18VvLHmqDztkPQovd9FuKY
|
||||
YLEt5qevncV/O2/f6QW87I0ySFT2tpFPflXOITk1INYH8Z/NPfGfHBgUpnl+vM4w
|
||||
xVujFTnFXaFYBpoyOOl5VBLvFTlYvzXL/e2lYyZT/HGb2V43OHQe3dsMWhPKzKLL
|
||||
2eg21XK/LzLFkYdpMwmt5bpVVgXB9kaB9fpmV9ZDtEYDO18/uQQI7Wdn+6XAzB+3
|
||||
iJwIQaqL7YjaOwiF8u6NYOd4Qo7WNEd1WnO9/qIGMp9E4x5V3vToS9fePynE2PtH
|
||||
Chcu3y8jT+Qpby+6joyLwQ
|
||||
-> ssh-ed25519 iWiFbA fxhC7p0ywGIGmpio8x7yFktdB/JnKiiXJF3kvP2X2wk
|
||||
Q2HJ78QRc3nZyyWgB/MjhcEHiKoXou/4421SvoTj9fM
|
||||
--- OYElVzl6Gk/4ma/OgiU1Xtvg5+9Rtq/CIieG85QDOBI
|
||||
Ì$y³6ãyE÷ì=qÉH®y
IûŸ?R @ìG†³H<C2B3>ÓJf\JîaÛ‹¤i¨§2¿ÆÕe³º¯<C2BA>6b%ÑBÜ|.ôgZE¬ßƒ˜ô3ürÄxŽœëë~\Ü\íW‡ïluӚà E¼r$<0C>ÕýÛá'ý¥ÿšaŽÄÙ1Çý—<C3BD>Tæm˜ºp<šIp5hw.Æ'¼GÉÀ7*õ[â\7È*5ôò¤èЖÂãßÓŽör%u06Ó¦û"Ù´G“Àßœvzä6¤
|
||||
Åךe%½¶û QékqôeDoM¹ŸØ(q&r@¶Ï™?Fn
ê_—€<18>\˜°ßÞ"<22>úDÍw½À|úOD]ïê@ö@Ê»Y<C2BB>Ó
|
Binary file not shown.