diff --git a/.gitattributes b/.gitattributes index 2a31c818..cd93a0da 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,4 +1,4 @@ # To add a new file: # /secret/file filter=git-crypt diff=git-crypt -**/*-secret.nix filter=git-crypt diff=git-crypt +**/*.secret.nix filter=git-crypt diff=git-crypt **/secret.nix filter=git-crypt diff=git-crypt diff --git a/configurations/docker.nix b/configurations/docker.nix deleted file mode 100644 index 8ae6b68d..00000000 --- a/configurations/docker.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ ... }: - -{ - virtualisation.docker = { - enable = true; - extraOptions = "--data-root /data/var/lib/docker"; - storageDriver = "zfs"; - }; - - users.users.charlotte.extraGroups = [ - "docker" - ]; - -} diff --git a/configurations/git.nix b/configurations/git.nix deleted file mode 100644 index 2af35a96..00000000 --- a/configurations/git.nix +++ /dev/null @@ -1,44 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - options.chvp.git.email = lib.mkOption { - type = lib.types.str; - default = "charlotte@vanpetegem.me"; - example = "charlotte@vanpetegem.me"; - description = '' - Default email set in global git config. - ''; - }; - - config.home-manager.users.charlotte = { pkgs, ... }: { - home.packages = with pkgs; [ - gitAndTools.gitflow - git-crypt - ]; - programs.git = { - enable = true; - extraConfig = { - branch = { - autosetuprebase = "always"; - }; - pull = { - rebase = true; - }; - }; - ignores = [ - ".direnv" - ".envrc" - "shell.nix" - # Ruby dependencies in source tree - "/vendor/bundle" - "**/*.patch" - ]; - signing = { - key = "charlotte@vanpetegem.me"; - signByDefault = true; - }; - userEmail = config.chvp.git.email; - userName = "Charlotte Van Petegem"; - }; - }; -} diff --git a/configurations/ssh.nix b/configurations/ssh.nix deleted file mode 100644 index 466dab7a..00000000 --- a/configurations/ssh.nix +++ /dev/null 
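Review bot: The pattern change from `*-secret.nix` to `*.secret.nix` means any file still carrying the old `-secret.nix` suffix would, from this commit on, be stored in the clear; no such file is visible in this diff, but running `git-crypt status` after the rename is the cheap way to confirm every intended file is still marked encrypted. The new `modules/ssh/hosts.secret.nix` shows up as a binary blob, which is consistent with the new pattern matching it. A comment next to the pattern, `# *.secret.nix and secret.nix are git-crypt encrypted; anything else is committed in plaintext`, would make the naming rule explicit for future files.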
@@ -1,41 +0,0 @@ -{ ... }: - -{ - imports = [ ./ssh/secret.nix ]; - - chvp.zfs.homeLinks = [ - { path = ".ssh/known_hosts"; type = "cache"; } - ]; - - nixpkgs.overlays = [ - (self: super: { - ssh = self.symlinkJoin { - name = "openssh"; - paths = [ - ( - self.writeShellScriptBin "ssh" '' - export TERM=xterm-256color - ${super.openssh}/bin/ssh $@ - '' - ) - super.openssh - ]; - }; - }) - ]; - - home-manager.users.charlotte = { pkgs, ... }: { - home.packages = with pkgs; [ - ssh - ]; - programs.ssh = { - enable = true; - compression = true; - hashKnownHosts = true; - serverAliveInterval = 300; - extraConfig = '' - HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa - ''; - }; - }; -} diff --git a/configurations/ssh/secret.nix b/configurations/ssh/secret.nix deleted file mode 100644 index 068dfa31..00000000 Binary files a/configurations/ssh/secret.nix and /dev/null differ diff --git a/configurations/sway/screenshot.nix b/configurations/sway/screenshot.nix index 1acc1d2a..dac0e584 100644 --- a/configurations/sway/screenshot.nix +++ b/configurations/sway/screenshot.nix @@ -23,8 +23,8 @@ pkgs.writeShellScriptBin "screenshot" '' if [[ -n "$remote" ]] then name=$(${pkgs.utillinux}/bin/uuidgen).png - ${pkgs.grim}/bin/grim -t png -g "$dims" - | ${pkgs.openssh}/bin/ssh sunspear "cat > /usr/share/nginx/html/screenshots/$name" - path="https://cvpetegem.be/screenshots/$name" + ${pkgs.grim}/bin/grim -t png -g "$dims" - | ${pkgs.openssh}/bin/ssh data "cat > data/public/$name" + path="https://data.vanpetegem.me/public/$name" else name=$(date +'screenshot_%Y-%m-%d-%H%M%S.png') path="$(${pkgs.xdg-user-dirs}/bin/xdg-user-dir PICTURES)/$name" diff --git a/configurations/users.nix b/configurations/users.nix index a018b727..1c0b9a22 100644 --- a/configurations/users.nix +++ b/configurations/users.nix 
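Review bot: `ssh data "cat > data/public/$name"` writes the screenshot into a directory that, going by the `/public` example in modules/nginx.nix (`autoindex on; auth_basic off;`), is listable without authentication, so the uuid filename would not keep an individual screenshot private if that example reflects the real host. The real host definition is not in this diff, so this may be deliberate; if it is not, `autoindex off;` for `/public` makes the uuid the only way to reach a file. The enclosing `writeShellScriptBin "screenshot"` script starts before the hunk.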
@@ -1,23 +1,5 @@ { pkgs, ... }: { - imports = [ ./users/secret.nix ]; - - users = { - mutableUsers = false; - defaultUserShell = pkgs.zsh; - users = { - charlotte = { - isNormalUser = true; - home = "/home/charlotte"; - description = "Charlotte Van Petegem"; - extraGroups = [ - "input" - "systemd-journal" - "video" - "wheel" - ]; - }; - }; - }; + users.users.charlotte.extraGroups = [ "input" "video" ]; } diff --git a/configurations/users/secret.nix b/configurations/users/secret.nix index 1fb856d2..c6544dd5 100644 Binary files a/configurations/users/secret.nix and b/configurations/users/secret.nix differ diff --git a/configurations/zsh.nix b/configurations/zsh.nix deleted file mode 100644 index 235be89a..00000000 --- a/configurations/zsh.nix +++ /dev/null @@ -1,51 +0,0 @@ -{ ... }: - -{ - chvp.zfs.homeLinks = [ - { path = ".local/share/autojump"; type = "cache"; } - { path = ".local/share/zsh"; type = "cache"; } - ]; - home-manager.users.charlotte = { pkgs, ... }: { - home.packages = [ pkgs.autojump ]; - programs.zsh = { - enable = true; - enableAutosuggestions = true; - autocd = true; - dotDir = ".config/zsh"; - history = { - expireDuplicatesFirst = true; - path = "\$HOME/.local/share/zsh/history"; - }; - initExtra = '' - source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh - ${pkgs.any-nix-shell}/bin/any-nix-shell zsh --info-right | source /dev/stdin - ''; - oh-my-zsh = { - enable = true; - plugins = [ - "autojump" - "common-aliases" - "extract" - "history-substring-search" - "git" - "sudo" - "systemd" - "tmux" - ]; - theme = "agnoster"; - }; - plugins = [ - { - name = "zsh-syntax-highlighting"; - src = pkgs.fetchFromGitHub { - owner = "zsh-users"; - repo = "zsh-syntax-highlighting"; - rev = "0.7.1"; - sha256 = "03r6hpb5fy4yaakqm3lbf4xcvd408r44jgpv4lnzl9asp4sb9qc0"; - }; - } - ]; - sessionVariables = { DEFAULT_USER = "charlotte"; }; - }; - }; -} diff --git a/flake.lock b/flake.lock index 1009be05..dd75fac7 100644 --- a/flake.lock +++ b/flake.lock 
@@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1606046962, - "narHash": "sha256-244JrrVFht/VMRItDcDlrcwejqpqJInDUWA/x6mucW4=", + "lastModified": 1606691558, + "narHash": "sha256-mkLAmBhiQ7kI7Ezw1ken3ymGolBmEfiO881iFWSGrbg=", "owner": "nix-community", "repo": "home-manager", - "rev": "a3a0f1289acac24ce2ffe0481bf8cabd3a6ccc64", + "rev": "c1faa848c5224452660cd6d2e0f4bd3e8d206419", "type": "github" }, "original": { @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1606469955, - "narHash": "sha256-0B3igE7xVjr0F8Jgfv9b8Illr/8cVkwcp2GzbrR31MA=", + "lastModified": 1606758103, + "narHash": "sha256-gSjKrct8zKISPFHYIIWPNZ9TdlVpZhAlLcgwZAmAhpQ=", "owner": "charvp", "repo": "nixpkgs", - "rev": "5a8a08c9f02ef3b4b60fa94e769bfb42660eb1ba", + "rev": "db5dda0c6d4a82be765c2d5cab18ff4f759281cd", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index f34b5d14..5be0ad57 100644 --- a/flake.nix +++ b/flake.nix @@ -21,7 +21,7 @@ inherit system; modules = [ home-manager.nixosModules.home-manager - (./. + "/machines/${hostname}") + (./modules) ({ pkgs, ... }: { environment.etc."nixpkgs".source = (pkgs.runCommandNoCC "nixpkgs" { } '' cp -r ${nixpkgs} $out @@ -30,6 +30,7 @@ ''); nix.nixPath = [ "nixpkgs=/etc/nixpkgs" ]; }) + (./. + "/machines/${hostname}") ]; }; in diff --git a/machines/kharbranth/default.nix b/machines/kharbranth/default.nix index d9ac3037..ae9b477c 100644 --- a/machines/kharbranth/default.nix +++ b/machines/kharbranth/default.nix @@ -3,7 +3,6 @@ { imports = [ ./hardware.nix - ./secret.nix ../../configurations/eid.nix ../../profiles/bluetooth.nix ../../profiles/common.nix 
@@ -17,24 +16,23 @@ time.timeZone = "Europe/Brussels"; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "20.09"; - - home-manager.users.charlotte = { ... }: { - home.stateVersion = "20.09"; - }; - # Machine-specific application settings chvp = { + stateVersion = "20.09"; + graphical = true; + docker.enable = true; git.email = "charlotte.vanpetegem@ugent.be"; zfs = { enable = true; encrypted = true; + backups = [ + { + path = "rpool/safe/data"; + remotePath = "zdata/recv/kharbranth/safe/data"; + fast = true; + location = "lasting-integrity.vanpetegem.me"; + } + ]; }; }; } diff --git a/machines/kharbranth/hardware.nix b/machines/kharbranth/hardware.nix index 12b213f1..cbe10b60 100644 --- a/machines/kharbranth/hardware.nix +++ b/machines/kharbranth/hardware.nix @@ -4,7 +4,6 @@ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot = { - # Use the systemd-boot EFI boot loader. loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; diff --git a/machines/kharbranth/secret.nix b/machines/kharbranth/secret.nix deleted file mode 100644 index 6a77511d..00000000 Binary files a/machines/kharbranth/secret.nix and /dev/null differ diff --git a/machines/kholinar/default.nix b/machines/kholinar/default.nix index e472411f..5d75d896 100644 --- a/machines/kholinar/default.nix +++ b/machines/kholinar/default.nix @@ -3,7 +3,6 @@ { imports = [ ./hardware.nix - ./secret.nix ../../configurations/eid.nix ../../profiles/bluetooth.nix ../../profiles/common.nix 
@@ -17,24 +16,23 @@ time.timeZone = "Europe/Brussels"; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "20.09"; - - home-manager.users.charlotte = { ... }: { - home.stateVersion = "20.09"; - }; - # Machine-specific settings chvp = { + stateVersion = "20.09"; + graphical = true; + docker.enable = true; git.email = "charlotte@vanpetegem.me"; zfs = { enable = true; encrypted = true; + backups = [ + { + path = "rpool/safe/data"; + remotePath = "zdata/recv/kholinar/safe/data"; + fast = true; + location = "lasting-integrity.vanpetegem.me"; + } + ]; }; }; } diff --git a/machines/kholinar/hardware.nix b/machines/kholinar/hardware.nix index ad61a7e8..88385f00 100644 --- a/machines/kholinar/hardware.nix +++ b/machines/kholinar/hardware.nix @@ -4,7 +4,6 @@ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot = { - # Use the systemd-boot EFI boot loader. loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; @@ -46,7 +45,6 @@ fsType = "vfat"; }; - swapDevices = [ { device = "/dev/disk/by-uuid/6c09b90f-8971-4702-a18a-f06dfb3d8dcd"; } ]; diff --git a/machines/kholinar/secret.nix b/machines/kholinar/secret.nix deleted file mode 100644 index e1cce260..00000000 Binary files a/machines/kholinar/secret.nix and /dev/null differ diff --git a/machines/lasting-integrity/default.nix b/machines/lasting-integrity/default.nix index 1eb2e0cc..10f7aed8 100644 --- a/machines/lasting-integrity/default.nix +++ b/machines/lasting-integrity/default.nix 
@@ -6,49 +6,28 @@ ./secret.nix ]; - boot.loader = { - grub = { - enable = true; - efiSupport = true; - mirroredBoots = [ - { devices = [ "nodev" ]; path = "/boot/ESP0"; } - { devices = [ "nodev" ]; path = "/boot/ESP1"; } - ]; - }; - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot/EFI"; - }; - }; - time.timeZone = "Europe/Berlin"; networking = { hostName = "lasting-integrity"; hostId = "b352adfe"; - useDHCP = false; - interfaces = { - eno1.useDHCP = false; - eno2.useDHCP = false; - eno3.useDHCP = false; - eno4.useDHCP = false; - }; }; - users = { - mutableUsers = false; - defaultUserShell = pkgs.zsh; - users.charlotte = { - isNormalUser = true; - extraGroups = [ "wheel" "systemd-journal" ]; + chvp = { + stateVersion = "20.09"; + docker.enable = true; + nginx.enable = true; + ovh.enable = true; + sshd.enable = true; + syncthing-server.enable = true; + zfs = { + enable = true; + backups = [{ + path = "zroot/safe/data"; + remotePath = "zdata/recv/lasting-integrity/safe/data"; + fast = true; + location = "192.168.0.1"; + }]; }; }; - - services.openssh.enable = true; - services.openssh.permitRootLogin = "prohibit-password"; - - services.zfs.autoScrub.enable = true; - services.zfs.trim.enable = true; - - system.stateVersion = "20.09"; } diff --git a/machines/lasting-integrity/hardware.nix b/machines/lasting-integrity/hardware.nix index 0acf8b9e..766aecd0 100644 --- a/machines/lasting-integrity/hardware.nix +++ b/machines/lasting-integrity/hardware.nix 
@@ -4,16 +4,21 @@ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot = { + loader = { + grub = { + enable = true; + efiSupport = true; + mirroredBoots = [ + { devices = [ "nodev" ]; path = "/boot/ESP0"; } + { devices = [ "nodev" ]; path = "/boot/ESP1"; } + ]; + }; + efi.canTouchEfiVariables = true; + }; initrd = { availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; - kernelModules = [ ]; - postDeviceCommands = lib.mkAfter '' - zfs rollback -r zroot/local/root@blank - ''; }; kernelModules = [ "kvm-intel" ]; - extraModulePackages = [ ]; - supportedFilesystems = [ "zfs" ]; }; fileSystems = { @@ -59,4 +64,9 @@ ]; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware = { + cpu.intel.updateMicrocode = true; + enableRedistributableFirmware = true; + }; + services.fstrim.enable = true; } diff --git a/machines/lasting-integrity/secret.nix b/machines/lasting-integrity/secret.nix index fdd36868..4311f377 100644 Binary files a/machines/lasting-integrity/secret.nix and b/machines/lasting-integrity/secret.nix differ diff --git a/machines/urithiru/default.nix b/machines/urithiru/default.nix index 9ef72d6f..254dc7e7 100644 --- a/machines/urithiru/default.nix +++ b/machines/urithiru/default.nix 
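Review bot: The `boot.loader` block moved into hardware.nix keeps only `efi.canTouchEfiVariables = true` and drops the old `efi.efiSysMountPoint = "/boot/EFI"`, so the global ESP path reverts to the NixOS default `/boot`; with `mirroredBoots` entries carrying their own `path` this is probably harmless, but if `/boot/EFI` was a real mount it is worth confirming the `fileSystems` block (outside this hunk) still agrees before the next `nixos-rebuild boot`. If it was intentional, `efi = { canTouchEfiVariables = true; efiSysMountPoint = "/boot/EFI"; };` restores the previous value in one line. The same change is made to machines/urithiru/hardware.nix. The removed `postDeviceCommands` rollback of `zroot/local/root@blank` now depends entirely on modules/zfs.nix, which hard-codes a different pool name (see the note on that hunk).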
@@ -6,49 +6,35 @@ ./secret.nix ]; - boot.loader = { - grub = { - enable = true; - efiSupport = true; - mirroredBoots = [ - { devices = [ "nodev" ]; path = "/boot/ESP0"; } - { devices = [ "nodev" ]; path = "/boot/ESP1"; } - ]; - }; - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot/EFI"; - }; - }; - time.timeZone = "Europe/Berlin"; networking = { hostName = "urithiru"; hostId = "079e60ba"; - useDHCP = false; - interfaces = { - eno1.useDHCP = false; - eno2.useDHCP = false; - eno3.useDHCP = false; - eno4.useDHCP = false; - }; }; - users = { - mutableUsers = false; - defaultUserShell = pkgs.zsh; - users.charlotte = { - isNormalUser = true; - extraGroups = [ "wheel" "systemd-journal" ]; + chvp = { + stateVersion = "20.09"; + docker.enable = true; + nginx.enable = true; + ovh.enable = true; + sshd.enable = true; + zfs = { + enable = true; + backups = [ + { + path = "zroot/safe/data"; + remotePath = "zdata/recv/urithiru/safe/data"; + fast = true; + location = "192.168.0.2"; + } + { + path = "zdata/data"; + remotePath = "zdata/data"; + fast = false; + location = "192.168.0.2"; + } + ]; }; }; - - services.openssh.enable = true; - services.openssh.permitRootLogin = "prohibit-password"; - - services.zfs.autoScrub.enable = true; - services.zfs.trim.enable = true; - - system.stateVersion = "20.09"; } diff --git a/machines/urithiru/hardware.nix b/machines/urithiru/hardware.nix index 67436165..81179ce3 100644 --- a/machines/urithiru/hardware.nix +++ b/machines/urithiru/hardware.nix 
@@ -4,16 +4,21 @@ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot = { + loader = { + grub = { + enable = true; + efiSupport = true; + mirroredBoots = [ + { devices = [ "nodev" ]; path = "/boot/ESP0"; } + { devices = [ "nodev" ]; path = "/boot/ESP1"; } + ]; + }; + efi.canTouchEfiVariables = true; + }; initrd = { availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; - kernelModules = [ ]; - postDeviceCommands = lib.mkAfter '' - zfs rollback -r zroot/local/root@blank - ''; }; kernelModules = [ "kvm-intel" ]; - extraModulePackages = [ ]; - supportedFilesystems = [ "zfs" ]; }; fileSystems = { @@ -59,4 +64,9 @@ ]; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware = { + cpu.intel.updateMicrocode = true; + enableRedistributableFirmware = true; + }; + services.fstrim.enable = true; } diff --git a/machines/urithiru/secret.nix b/machines/urithiru/secret.nix index cd6eaead..34a34a43 100644 Binary files a/machines/urithiru/secret.nix and b/machines/urithiru/secret.nix differ diff --git a/modules/default.nix b/modules/default.nix new file mode 100644 index 00000000..1a993fcd --- /dev/null +++ b/modules/default.nix 
@@ -0,0 +1,70 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ ./default/secret.nix
+ ./docker.nix
+ ./git.nix
+ ./nginx.nix
+ ./ovh.nix
+ ./ssh.nix
+ ./sshd.nix
+ ./syncthing-server.nix
+ ./zfs.nix
+ ./zsh.nix
+ ];
+
+ options.chvp = {
+ stateVersion = lib.mkOption {
+ example = "20.09";
+ };
+
+ dataPrefix = lib.mkOption {
+ default = "";
+ example = "/data";
+ };
+
+ cachePrefix = lib.mkOption {
+ default = "";
+ example = "/cache";
+ };
+
+ graphical = lib.mkOption {
+ default = false;
+ example = true;
+ };
+ };
+
+ config = {
+ home-manager.useGlobalPkgs = true;
+
+ system.stateVersion = config.chvp.stateVersion;
+ home-manager.users = {
+ charlotte = { ... }: {
+ home.stateVersion = config.chvp.stateVersion;
+ };
+ root = { ... }: {
+ home.stateVersion = config.chvp.stateVersion;
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ htop
+ ncdu
+ ripgrep
+ ];
+
+ users = {
+ mutableUsers = false;
+ defaultUserShell = pkgs.zsh;
+ users = {
+ charlotte = {
+ isNormalUser = true;
+ home = "/home/charlotte";
+ description = "Charlotte Van Petegem";
+ extraGroups = [ "wheel" "systemd-journal" ];
+ };
+ };
+ };
+ };
+}
diff --git a/modules/default/secret.nix b/modules/default/secret.nix
new file mode 100644
index 00000000..1fb856d2
Binary files /dev/null and b/modules/default/secret.nix differ
diff --git a/modules/docker.nix b/modules/docker.nix
new file mode 100644
index 00000000..7710ec64
--- /dev/null
+++ b/modules/docker.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+{
+ options.chvp.docker.enable = lib.mkOption {
+ default = false;
+ example = true;
+ };
+
+ config = lib.mkIf config.chvp.docker.enable {
+ virtualisation.docker = {
+ enable = true;
+ extraOptions = "--data-root ${config.chvp.dataPrefix}/var/lib/docker";
+ storageDriver = lib.mkIf config.chvp.zfs.enable "zfs";
+ };
+
+ environment.systemPackages = [ pkgs.docker-compose ];
+
+ users.users.charlotte.extraGroups = [ "docker" ];
+ };
+}
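Review bot: `options.chvp.stateVersion`, `dataPrefix`, `cachePrefix` and `graphical` in modules/default.nix are declared without `type`, so a misspelled value (`graphical = "true"`) or a conflicting definition from two modules is not rejected where it is made; `type = lib.types.str` for the three strings and `lib.types.bool` for `graphical`, plus a one-line `description` each, costs four lines and gives every later module a checked contract. `home-manager.users.root` now receives a profile with `home.stateVersion`, which modules/git.nix, modules/ssh.nix and modules/zsh.nix in this commit build on; a comment at that line, `# root is home-manager managed on purpose: git/ssh/zsh modules target it`, would stop a later cleanup dropping it.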
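Review bot: `users.users.charlotte.extraGroups = [ "docker" ]` in modules/docker.nix grants control of the Docker daemon socket, which on a host amounts to root; the line deserves `# docker group membership is root-equivalent; charlotte already holds wheel (modules/default.nix)` so the trade-off is recorded. `storageDriver = lib.mkIf config.chvp.zfs.enable "zfs"` only evaluates because modules/default.nix always imports ./zfs.nix; that coupling is implicit and worth a comment too. `extraOptions = "--data-root ${config.chvp.dataPrefix}/var/lib/docker"` follows the prefix convention that modules/sshd.nix and modules/syncthing-server.nix also use, which is good.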
diff --git a/modules/git.nix b/modules/git.nix
new file mode 100644
index 00000000..dc34366b
--- /dev/null
+++ b/modules/git.nix
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+{
+ options.chvp.git = {
+ enable = lib.mkOption {
+ default = true;
+ example = false;
+ };
+ email = lib.mkOption {
+ type = lib.types.str;
+ default = "charlotte@vanpetegem.me";
+ example = "charlotte@vanpetegem.me";
+ description = ''
+ Default email set in global git config.
+ '';
+ };
+ };
+
+ config =
+ let
+ base = {
+ home.packages = with pkgs; [
+ gitAndTools.gitflow
+ git-crypt
+ ];
+ programs.git = {
+ enable = true;
+ extraConfig = {
+ branch = {
+ autosetuprebase = "always";
+ };
+ pull = {
+ rebase = true;
+ };
+ };
+ ignores = [
+ ".direnv"
+ ".envrc"
+ "shell.nix"
+ # Ruby dependencies in source tree
+ "/vendor/bundle"
+ "**/*.patch"
+ ];
+ signing = {
+ key = "charlotte@vanpetegem.me";
+ signByDefault = config.chvp.graphical;
+ };
+ userEmail = config.chvp.git.email;
+ userName = "Charlotte Van Petegem";
+ };
+ };
+ in
+ lib.mkIf config.chvp.git.enable {
+ home-manager.users.charlotte = { ... }: base;
+ home-manager.users.root = { ... }: base;
+ };
+}
diff --git a/modules/nginx.nix b/modules/nginx.nix
new file mode 100644
index 00000000..7e3e5bfa
--- /dev/null
+++ b/modules/nginx.nix
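Review bot: `home-manager.users.root = { ... }: base;` hands root the same `signing.key = "charlotte@vanpetegem.me"` with `signByDefault = config.chvp.graphical`, so on graphical machines root's commits will try to sign with a key that root's own GnuPG keyring presumably does not hold, and git will refuse to commit rather than skip the signature. If root only needs the aliases and ignore list, `home-manager.users.root = { ... }: lib.recursiveUpdate base { programs.git.signing.signByDefault = false; };` keeps signing enabled for charlotte only. `options.chvp.git.enable` has `default = true` but no `type = lib.types.bool`, unlike the neighbouring `email` option, which is fully typed and described.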
@@ -0,0 +1,92 @@ +{ config, lib, ... }: + +{ + options.chvp.nginx = { + enable = lib.mkOption { + default = false; + example = true; + }; + hosts = lib.mkOption { + default = [ ]; + example = [ + { + fqdn = "data.vanpetegem.me"; + options = { + default = true; + basicAuthFile = "/data/var/secrets/data.vanpetegem.me.htpasswd"; + root = "/srv/data"; + locations = { + "/".extraConfig = '' + autoindex on; + ''; + "/public".extraConfig = '' + autoindex on; + auth_basic off; + ''; + }; + }; + } + ]; + }; + extraPostACMEScripts = lib.mkOption { + default = [ ]; + example = [ + '' + cp fullchain.pem /data/home/charlotte/synapse/slack/cert.crt + cp privkey.pem /data/home/charlotte/synapse/slack/key.pem + pushd /data/home/charlotte/synapse + ''${pkgs.docker-compose}/bin/docker-compose restart slack + popd + '' + ]; + }; + }; + + config = lib.mkIf config.chvp.nginx.enable { + networking.firewall.allowedTCPPorts = [ 80 443 ]; + security.acme = { + certs."vanpetegem.me" = { + dnsProvider = "cloudflare"; + credentialsFile = "/data/var/secrets/vanpetegem.me-cloudflare"; + extraDomainNames = [ + "*.vanpetegem.me" + "cvpetegem.be" + "*.cvpetegem.be" + "chvp.be" + "*.chvp.be" + ]; + postRun = lib.concatStrings config.chvp.nginx.extraPostACMEScripts; + }; + email = "webmaster@vanpetegem.me"; + acceptTerms = true; + preliminarySelfsigned = false; + }; + chvp.zfs.systemLinks = [ + { type = "data"; path = "/var/lib/acme"; } + ]; + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + virtualHosts = builtins.listToAttrs + (map + (elem: { + name = elem.fqdn; + value = { + forceSSL = true; + useACMEHost = "vanpetegem.me"; + locations."/" = lib.mkIf (builtins.hasAttr "basicProxy" elem) { + proxyPass = elem.basicProxy; + extraConfig = '' + proxy_set_header X-Forwarded-Ssl on; + '' + (elem.extraProxySettings or ""); + }; + } // (elem.options or { }); + }) + 
config.chvp.nginx.hosts); + }; + users.users.nginx.extraGroups = [ "acme" ]; + }; +} diff --git a/modules/ovh.nix b/modules/ovh.nix new file mode 100644 index 00000000..fb18b377 --- /dev/null +++ b/modules/ovh.nix @@ -0,0 +1,62 @@ +{ config, lib, ... }: + +{ + options.chvp.ovh = { + enable = lib.mkOption { + default = false; + example = true; + }; + publicIPV4 = lib.mkOption { + example = { + ip = "1.2.3.4"; + gateway = "1.2.3.254"; + }; + }; + publicIPV6 = lib.mkOption { + example = { + ip = "1:2:3:4::"; + gateway = "1:2:3:ff:ff:ff:ff:ff"; + }; + }; + internalIPV4 = lib.mkOption { + example = "192.168.0.1"; + }; + }; + + config = lib.mkIf config.chvp.ovh.enable { + networking = with config.chvp.ovh; { + useDHCP = false; + interfaces = { + eno1.useDHCP = false; + eno2.useDHCP = false; + eno3 = { + useDHCP = false; + ipv4.addresses = [{ + address = publicIPV4.ip; + prefixLength = 24; + }]; + ipv6 = { + addresses = [{ + address = publicIPV6.ip; + prefixLength = 64; + }]; + routes = [{ + address = publicIPV6.gateway; + prefixLength = 128; + }]; + }; + }; + eno4 = { + useDHCP = false; + ipv4.addresses = [{ + address = internalIPV4; + prefixLength = 16; + }]; + }; + }; + defaultGateway = publicIPV4.gateway; + defaultGateway6 = publicIPV6.gateway; + nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ]; + }; + }; +} diff --git a/modules/ssh.nix b/modules/ssh.nix new file mode 100644 index 00000000..a8ce57ef --- /dev/null +++ b/modules/ssh.nix 
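Review bot: `value = { forceSSL = true; useACMEHost = …; locations."/" = lib.mkIf … } // (elem.options or { })` is a shallow merge, so a host that sets both `basicProxy` and `options.locations` (the example host sets `locations` this way) loses the generated proxy location entirely, because `locations` from `options` replaces the whole attribute. `value = lib.mkMerge [ { forceSSL = true; useACMEHost = "vanpetegem.me"; locations."/" = …; } (elem.options or { }) ];` lets the module system merge the two sets instead. Separately, `credentialsFile = "/data/var/secrets/vanpetegem.me-cloudflare"` hard-codes `/data` where modules/sshd.nix and modules/syncthing-server.nix use `${config.chvp.dataPrefix}`; using the prefix here keeps the Cloudflare API credential on the persistent dataset by construction rather than by coincidence. The `hosts` and `extraPostACMEScripts` options carry only an `example`; a `type = lib.types.listOf …` would validate contributions such as the one modules/syncthing-server.nix makes.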
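Review bot: `prefixLength = 24` (public IPv4), `64`/`128` (IPv6) and `16` (internal) are hard-coded in modules/ovh.nix while the addresses themselves come from `chvp.ovh.publicIPV4`/`publicIPV6`/`internalIPV4`, so a server on a differently sized OVH subnet cannot be configured without editing the module; carrying the prefix next to the address in the option (e.g. `publicIPV4 = { ip = …; prefixLength = 24; gateway = …; }`) keeps it generic. The three address options have neither `type` nor `default`, so a host with `ovh.enable = true` that forgets one fails only with a generic "used but not defined" evaluation error. A one-line `description` on each option would document the expected shape beyond the `example`.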
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+let
+ ssh = pkgs.symlinkJoin {
+ name = "ssh";
+ paths = [
+ (
+ pkgs.writeShellScriptBin "ssh" ''
+ export TERM=xterm-256color
+ ${pkgs.openssh}/bin/ssh $@
+ ''
+ )
+ pkgs.openssh
+ ];
+ };
+ base = home: {
+ programs.ssh = {
+ enable = true;
+ compression = true;
+ hashKnownHosts = true;
+ userKnownHostsFile = "${config.chvp.cachePrefix}${home}/.ssh/known_hosts";
+ serverAliveInterval = 300;
+ extraOptionOverrides = {
+ IdentityFile = "${config.chvp.dataPrefix}${home}/.ssh/id_ed25519";
+ HostKeyAlgorithms = "ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa";
+ };
+ matchBlocks = import ./ssh/hosts.secret.nix;
+ };
+ home.packages = lib.mkIf config.chvp.graphical [ ssh ];
+ };
+in
+{
+ options.chvp.ssh = {
+ enable = lib.mkOption {
+ default = true;
+ example = false;
+ };
+ };
+
+ config = lib.mkIf config.chvp.ssh.enable {
+ home-manager.users.root = { ... }: (base "/root");
+ home-manager.users.charlotte = { ... }: (base "/home/charlotte");
+ };
+}
diff --git a/modules/ssh/hosts.secret.nix b/modules/ssh/hosts.secret.nix
new file mode 100644
index 00000000..90afc503
Binary files /dev/null and b/modules/ssh/hosts.secret.nix differ
diff --git a/modules/sshd.nix b/modules/sshd.nix
new file mode 100644
index 00000000..b88edd7d
--- /dev/null
+++ b/modules/sshd.nix
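Review bot: The `ssh` wrapper passes `$@` unquoted, so an argument containing whitespace (a remote command such as `ssh host "cat > file"`) is re-split before it reaches `${pkgs.openssh}/bin/ssh`; it should be `"$@"`. Second, `userKnownHostsFile` is placed under `cachePrefix` while `IdentityFile` is placed under `dataPrefix`: the host-key trust store sits on the side that, going by the `backups` list in modules/zfs.nix, is not replicated, so after a cache wipe every server is accepted again on first connection, and `hashKnownHosts = true` makes a changed entry harder to spot; keeping `known_hosts` under `dataPrefix` next to the key is the safer default. The `HostKeyAlgorithms` override still lists `ssh-rsa` (SHA-1 signatures) last; if no host in `hosts.secret.nix` depends on it, dropping it is free hardening, and a comment explaining why the list is pinned at all would help the next reader.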
@@ -0,0 +1,24 @@
+{ config, lib, ... }:
+
+{
+ imports = [
+ ./sshd/secret.nix
+ ];
+
+ options.chvp.sshd.enable = lib.mkOption {
+ default = false;
+ example = true;
+ };
+
+ config = lib.mkIf config.chvp.sshd.enable {
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ permitRootLogin = "prohibit-password";
+ hostKeys = [
+ { bits = 4096; path = "${config.chvp.dataPrefix}/etc/ssh/ssh_host_rsa_key"; type = "rsa"; }
+ { path = "${config.chvp.dataPrefix}/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
+ ];
+ };
+ };
+}
diff --git a/modules/sshd/secret.nix b/modules/sshd/secret.nix
new file mode 100644
index 00000000..d7e575ad
Binary files /dev/null and b/modules/sshd/secret.nix differ
diff --git a/modules/syncthing-server.nix b/modules/syncthing-server.nix
new file mode 100644
index 00000000..81595154
--- /dev/null
+++ b/modules/syncthing-server.nix
@@ -0,0 +1,28 @@
+{ config, lib, ... }:
+
+{
+ options.chvp.syncthing-server.enable = lib.mkOption {
+ default = false;
+ example = true;
+ };
+
+ config = lib.mkIf config.chvp.syncthing-server.enable {
+ services.syncthing = {
+ enable = true;
+ dataDir = "${config.chvp.dataPrefix}/var/lib/synthing";
+ configDir = "${config.chvp.dataPrefix}/var/lib/synthing/.config";
+ openDefaultPorts = true;
+ guiAddress = "127.0.0.1:8384";
+ };
+
+ chvp.nginx.hosts = [
+ {
+ fqdn = "syncthing.vanpetegem.me";
+ basicProxy = "http://localhost:8384";
+ options = {
+ basicAuthFile = "${config.chvp.dataPrefix}/var/secrets/syncthing.vanpetegem.me.htpasswd";
+ };
+ }
+ ];
+ };
+}
diff --git a/modules/zfs.nix b/modules/zfs.nix
index 9e18dcf7..ce2d2004 100644
--- a/modules/zfs.nix
+++ b/modules/zfs.nix
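Review bot: `passwordAuthentication = false` on its own does not close password logins on NixOS, because `services.openssh.challengeResponseAuthentication` defaults to true and sshd runs with PAM, so keyboard-interactive still prompts for the account password; add `challengeResponseAuthentication = false;` next to it so the server is key-only as the `permitRootLogin = "prohibit-password"` line intends. The `hostKeys` paths resolve to plain `/etc/ssh/…` when `dataPrefix` is empty, which looks like the intended fallback; a comment, `# host keys live on the persistent dataset; with no prefix this is just /etc/ssh`, saves the next reader working that out. `./sshd/secret.nix` is imported unconditionally rather than under the `mkIf`, which is fine for an encrypted module but worth noting since it is evaluated on every host.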
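Review bot: `dataDir` and `configDir` in modules/syncthing-server.nix spell the directory `synthing` rather than `syncthing`; the two lines agree with each other so the service works, but a host with an existing `${dataPrefix}/var/lib/syncthing` from an earlier setup would start a fresh instance with a new device ID, which is worth a deliberate check before deploying. `guiAddress = "127.0.0.1:8384"` is reachable by every local process and user, and the nginx `basicAuthFile` only protects the proxied path, so the GUI should keep its own user and password in Syncthing's settings rather than rely on the htpasswd alone. `openDefaultPorts = true` opens the sync and discovery ports in the firewall, which is expected for a server; a one-line comment saying so would help.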
@@ -31,27 +31,73 @@ in { path = ".cache/nix-index"; type = "cache"; } ]; }; + backups = lib.mkOption { + default = [ ]; + example = [{ + path = "rpool/safe/data"; + remotePath = "zdata/recv//safe/data"; + fast = false; + location = "lasting-integrity.vanpetegem.me"; + }]; + }; }; - config.boot = lib.mkIf config.chvp.zfs.enable { - supportedFilesystems = [ "zfs" ]; - zfs.requestEncryptionCredentials = config.chvp.zfs.encrypted; - initrd.postDeviceCommands = lib.mkAfter '' - zfs rollback -r rpool/local/root@blank - ''; - }; + config = lib.mkIf config.chvp.zfs.enable { + chvp.dataPrefix = lib.mkDefault "/data"; + chvp.cachePrefix = lib.mkDefault "/cache"; - config.services.zfs.autoScrub.enable = config.chvp.zfs.enable; - config.services.zfs.trim.enable = config.chvp.zfs.enable; + boot = { + supportedFilesystems = [ "zfs" ]; + zfs.requestEncryptionCredentials = config.chvp.zfs.encrypted; + initrd.postDeviceCommands = lib.mkAfter '' + zfs rollback -r rpool/local/root@blank + ''; + }; - config.systemd.tmpfiles.rules = lib.mkIf config.chvp.zfs.enable ( - [ "d /home/charlotte 0700 charlotte users - -" ] ++ - (map (location: "L ${location.path} - - - - /${location.type}${location.path}") config.chvp.zfs.systemLinks) - ); + services = { + znapzend = { + enable = config.chvp.zfs.backups != [ ]; + pure = true; + autoCreation = true; + zetup = builtins.listToAttrs + (map + (elem: { + name = elem.path; + value = { + enable = true; + plan = + if elem.fast then + "1hour=>15min,1day=>1hour,1week=>1day,4week=>1week" else + "1day=>1hour,1week=>1day,4week=>1week,1year=>1month,10year=>6month"; + timestampFormat = "%Y-%m-%d--%H%M%SZ"; + destinations."${elem.location}" = { + plan = + if elem.fast then + "1day=>1hour,1week=>1day,4week=>1week,1year=>4week,10year=>1year" else + "1day=>1hour,1week=>1day,4week=>1week,1year=>1month,10year=>6month"; + host = "${elem.location}"; + dataset = elem.remotePath; + }; + }; + }) + config.chvp.zfs.backups); - config.home-manager.users.charlotte = { lib, 
... }: { - home.activation = lib.mkIf config.chvp.zfs.enable { - linkCommands = lib.hm.dag.entryAfter [ "writeBoundary" ] (lib.concatStringsSep "\n" linkCommands); + }; + zfs = { + autoScrub.enable = true; + trim.enable = true; + }; + }; + + systemd.tmpfiles.rules = ( + [ "d /home/charlotte 0700 charlotte users - -" ] ++ + (map (location: "L ${location.path} - - - - /${location.type}${location.path}") config.chvp.zfs.systemLinks) + ); + + home-manager.users.charlotte = { lib, ... }: { + home.activation = { + linkCommands = lib.hm.dag.entryAfter [ "writeBoundary" ] (lib.concatStringsSep "\n" linkCommands); + }; }; }; } diff --git a/modules/zsh.nix b/modules/zsh.nix new file mode 100644 index 00000000..13b48f91 --- /dev/null +++ b/modules/zsh.nix 
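Review bot: `initrd.postDeviceCommands` still hard-codes `zfs rollback -r rpool/local/root@blank`, but this commit removes the per-machine `zroot/local/root@blank` rollback from machines/lasting-integrity/hardware.nix and machines/urithiru/hardware.nix and enables this module there; on those hosts (pool `zroot`, going by their `backups.path`) the command now presumably targets a dataset that does not exist, so the ephemeral-root reset quietly stops happening while the error scrolls past in stage 1. The dataset should become an option with the laptop value as default, settable from the server configs (the name `rootDataset` below is a suggestion). Smaller points: `host = "${elem.location}"` can simply be `host = elem.location;`, and `autoCreation = true` together with `enable = config.chvp.zfs.backups != [ ]` means the destination dataset is created on the first run as root over ssh, which deserves a comment. The enclosing `let … in {` begins before the hunk.
```nix
rootDataset = lib.mkOption {
  default = "rpool/local/root";
  example = "zroot/local/root";
  description = "Dataset rolled back to @blank in stage 1 to give an ephemeral root.";
};
# … unchanged: remaining options …
initrd.postDeviceCommands = lib.mkAfter ''
  zfs rollback -r ${config.chvp.zfs.rootDataset}@blank
'';
```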
@@ -0,0 +1,61 @@
+{ config, lib, pkgs, ... }:
+
+{
+ options.chvp.zsh.enable = lib.mkOption {
+ default = true;
+ example = false;
+ };
+
+ config =
+ let
+ base = (home: {
+ home.packages = [ pkgs.autojump ];
+ programs.zsh = {
+ enable = true;
+ enableAutosuggestions = true;
+ autocd = true;
+ dotDir = ".config/zsh";
+ history = {
+ expireDuplicatesFirst = true;
+ path = "${config.chvp.cachePrefix}${home}/.local/share/zsh/history";
+ };
+ initExtra = ''
+ source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
+ ${pkgs.any-nix-shell}/bin/any-nix-shell zsh --info-right | source /dev/stdin
+ '';
+ oh-my-zsh = {
+ enable = true;
+ plugins = [
+ "autojump"
+ "common-aliases"
+ "extract"
+ "history-substring-search"
+ "git"
+ "sudo"
+ "systemd"
+ "tmux"
+ ];
+ theme = "agnoster";
+ };
+ plugins = [{
+ name = "zsh-syntax-highlighting";
+ src = pkgs.fetchFromGitHub {
+ owner = "zsh-users";
+ repo = "zsh-syntax-highlighting";
+ rev = "0.7.1";
+ sha256 = "03r6hpb5fy4yaakqm3lbf4xcvd408r44jgpv4lnzl9asp4sb9qc0";
+ };
+ }];
+ sessionVariables = { DEFAULT_USER = "charlotte"; };
+ };
+ });
+ in
+ lib.mkIf config.chvp.zsh.enable {
+ chvp.zfs.systemLinks = [
+ { path = "/home/charlotte/.local/share/autojump"; type = "cache"; }
+ { path = "/root/.local/share/autojump"; type = "cache"; }
+ ];
+ home-manager.users.charlotte = { ... }: (base "/home/charlotte");
+ home-manager.users.root = { ... }: (base "/root");
+ };
+}
diff --git a/profiles/common.nix b/profiles/common.nix
index eaca1aca..3aec94ea 100644
--- a/profiles/common.nix
+++ b/profiles/common.nix
@@ -4,7 +4,6 @@
 imports = [
 ../modules/zfs.nix
 ../configurations/direnv.nix
- ../configurations/git.nix
 ../configurations/gnupg.nix
 ../configurations/hledger.nix
 ../configurations/locale.nix
@@ -13,20 +12,14 @@ ../configurations/nix-index.nix ../configurations/nix-store.nix ../configurations/pass.nix - ../configurations/ssh.nix ../configurations/tmux.nix ../configurations/users.nix - ../configurations/zsh.nix ]; - home-manager.useGlobalPkgs = true; home-manager.users.charlotte = { pkgs, ... }: { home.packages = with pkgs; [ - htop moreutils - ncdu pandoc - ripgrep texlive.combined.scheme-small unzip youtube-dl diff --git a/profiles/graphical.nix b/profiles/graphical.nix index 6dac3ec0..7a1d73dd 100644 --- a/profiles/graphical.nix +++ b/profiles/graphical.nix @@ -6,7 +6,6 @@ ../configurations/calibre.nix ../configurations/citrix.nix ../configurations/deluge.nix - ../configurations/docker.nix ../configurations/dropbox.nix ../configurations/dwarf-fortress.nix ../configurations/firefox.nix