From ca93d090596865ec12e51cc961309950918dd390 Mon Sep 17 00:00:00 2001 
From: Charlotte Van Petegem Date: Tue, 1 Dec 2020 19:23:28 +0100 Subject: [PATCH] Basic configuration for new servers and start modularizing config --- .gitattributes | 2 +- configurations/docker.nix | 14 ---- configurations/git.nix | 44 ------------ configurations/ssh.nix | 41 ----------- configurations/ssh/secret.nix | Bin 3643 -> 0 bytes configurations/sway/screenshot.nix | 4 +- configurations/users.nix | 20 +----- configurations/users/secret.nix | Bin 328 -> 22 bytes configurations/zsh.nix | 51 ------------- flake.lock | 12 ++-- flake.nix | 3 +- machines/kharbranth/default.nix | 24 +++---- machines/kharbranth/hardware.nix | 1 - machines/kharbranth/secret.nix | Bin 2481 -> 0 bytes machines/kholinar/default.nix | 24 +++---- machines/kholinar/hardware.nix | 2 - machines/kholinar/secret.nix | Bin 759 -> 0 bytes machines/lasting-integrity/default.nix | 51 ++++--------- machines/lasting-integrity/hardware.nix | 22 ++++-- machines/lasting-integrity/secret.nix | Bin 1374 -> 2734 bytes machines/urithiru/default.nix | 58 ++++++--------- machines/urithiru/hardware.nix | 22 ++++-- machines/urithiru/secret.nix | Bin 1374 -> 1309 bytes modules/default.nix | 70 ++++++++++++++++++ modules/default/secret.nix | Bin 0 -> 328 bytes modules/docker.nix | 20 ++++++ modules/git.nix | 57 +++++++++++++++ modules/nginx.nix | 92 ++++++++++++++++++++++++ modules/ovh.nix | 62 ++++++++++++++++ modules/ssh.nix | 43 +++++++++++ modules/ssh/hosts.secret.nix | Bin 0 -> 3279 bytes modules/sshd.nix | 24 +++++++ modules/sshd/secret.nix | Bin 0 -> 2497 bytes modules/syncthing-server.nix | 28 ++++++++ modules/zfs.nix | 78 +++++++++++++++----- modules/zsh.nix | 61 ++++++++++++++++ profiles/common.nix | 7 -- profiles/graphical.nix | 1 - 38 files changed, 622 insertions(+), 316 deletions(-) delete mode 100644 configurations/docker.nix delete mode 100644 configurations/git.nix delete mode 100644 configurations/ssh.nix delete mode 100644 configurations/ssh/secret.nix delete mode 100644 
configurations/zsh.nix
delete mode 100644 machines/kharbranth/secret.nix
delete mode 100644 machines/kholinar/secret.nix
create mode 100644 modules/default.nix
create mode 100644 modules/default/secret.nix
create mode 100644 modules/docker.nix
create mode 100644 modules/git.nix
create mode 100644 modules/nginx.nix
create mode 100644 modules/ovh.nix
create mode 100644 modules/ssh.nix
create mode 100644 modules/ssh/hosts.secret.nix
create mode 100644 modules/sshd.nix
create mode 100644 modules/sshd/secret.nix
create mode 100644 modules/syncthing-server.nix
create mode 100644 modules/zsh.nix
diff --git a/.gitattributes b/.gitattributes
index 2a31c818..cd93a0da 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,4 +1,4 @@
 # To add a new file:
 # /secret/file filter=git-crypt diff=git-crypt
-**/*-secret.nix filter=git-crypt diff=git-crypt
+**/*.secret.nix filter=git-crypt diff=git-crypt
 **/secret.nix filter=git-crypt diff=git-crypt
diff --git a/configurations/docker.nix b/configurations/docker.nix
deleted file mode 100644
index 8ae6b68d..00000000
--- a/configurations/docker.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ ... }:
-
-{
- virtualisation.docker = {
- enable = true;
- extraOptions = "--data-root /data/var/lib/docker";
- storageDriver = "zfs";
- };
-
- users.users.charlotte.extraGroups = [
- "docker"
- ];
-
-}
diff --git a/configurations/git.nix b/configurations/git.nix
deleted file mode 100644
index 2af35a96..00000000
--- a/configurations/git.nix
+++ /dev/null
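Review bot: The `+` line makes `*.secret.nix` the encrypted suffix, but the comment two lines above still describes only the explicit-path form, so a reader has to infer that both `*.secret.nix` and `secret.nix` are encrypted by pattern; add `# Any file named secret.nix or *.secret.nix is encrypted by pattern; run git-crypt status -u before committing new ones` above the pattern lines. The `modules/ssh/hosts.secret.nix` created in this commit matches the new suffix, and since the attribute change lands in the same commit it is covered from its first revision.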
@@ -1,44 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- options.chvp.git.email = lib.mkOption {
- type = lib.types.str;
- default = "charlotte@vanpetegem.me";
- example = "charlotte@vanpetegem.me";
- description = ''
- Default email set in global git config.
- '';
- };
-
- config.home-manager.users.charlotte = { pkgs, ... }: {
- home.packages = with pkgs; [
- gitAndTools.gitflow
- git-crypt
- ];
- programs.git = {
- enable = true;
- extraConfig = {
- branch = {
- autosetuprebase = "always";
- };
- pull = {
- rebase = true;
- };
- };
- ignores = [
- ".direnv"
- ".envrc"
- "shell.nix"
- # Ruby dependencies in source tree
- "/vendor/bundle"
- "**/*.patch"
- ];
- signing = {
- key = "charlotte@vanpetegem.me";
- signByDefault = true;
- };
- userEmail = config.chvp.git.email;
- userName = "Charlotte Van Petegem";
- };
- };
-}
diff --git a/configurations/ssh.nix b/configurations/ssh.nix
deleted file mode 100644
index 466dab7a..00000000
--- a/configurations/ssh.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ ... }:
-
-{
- imports = [ ./ssh/secret.nix ];
-
- chvp.zfs.homeLinks = [
- { path = ".ssh/known_hosts"; type = "cache"; }
- ];
-
- nixpkgs.overlays = [
- (self: super: {
- ssh = self.symlinkJoin {
- name = "openssh";
- paths = [
- (
- self.writeShellScriptBin "ssh" ''
- export TERM=xterm-256color
- ${super.openssh}/bin/ssh $@
- ''
- )
- super.openssh
- ];
- };
- })
- ];
-
- home-manager.users.charlotte = { pkgs, ... }: {
- home.packages = with pkgs; [
- ssh
- ];
- programs.ssh = {
- enable = true;
- compression = true;
- hashKnownHosts = true;
- serverAliveInterval = 300;
- extraConfig = ''
- HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
- '';
- };
- };
-}
diff --git a/configurations/ssh/secret.nix b/configurations/ssh/secret.nix deleted file mode 100644 index 068dfa3130c6800341ad0e1138ec1114e6d2d30e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3643 zcmZQ@_Y83kiVO&0`0Rahoz1<@3ypDRuDvVVLQ>XU-_HN{#~0@r%ccq}pQ*-N&|}(s z^4aoLk(^GZ%L1&zW}5J=K6cD+KdW5S6y+6hWo>5O26m;Z)_F4oaqRIBt2%XXgCbAz znZMhog=z-$M+pju?NUE!?02&=-jwm1x?$A*nzu|BxfIz2KK}CJi;|LbpAz$8PRP5v z=DkWej@oX*ZYjcByycHG-r-=nr`L2+`i;Ve20!yJwvPJSG$sGVNge8Aj;xNl&8vN= zOTS~j^r$*|qd$SnRMko3V1@&lzvq?)hvm zI(Olt+_njikNlkTz;fnl%~qjY33J|}$^(0=RreJBxfvN={Mr0g``qW&+{#iaj#sksXYGQl52^fl5b{|o zZe{y6&HDeYDA=r5#^J+QIOCLhlZk_fc zZKmGsY~#q=t#A9DF81~PmDyS|FVlK@BKH-u=h1}>qStO!W#{;{D`jziH}Jewzhd&H zkB7Ttd$w$jd3nd3=}61A-wp46h5q>Z<^1)37af!T@?QT`5nfeLvp>x~|BhO<_GPz? zp`RjCx0LwJkyzrhDAp@MeZNaw%OWt2HQf=$r z%@(-#Y>zWDf5+s*70f>rwGK69{?fZvEG?W*cs;SU7pXl=ZRp={Nxwa zsdP2AAXp00YU?NZ3D)H}KnkCN~IwL3gJ zcb1+WUpL3SR;3=Ma|~bFOtZ4vHhpC}_WAw1xWngWZ{p|KF{gS7$NGjezg4C=S<$cb z5_g6QUzyfnvHbAXV*{7e;)S^Y+@Xwx(9GkoEd+m`RAB?pWs(VvQo-|r06-t`4#2D+% zlo!0xEvO_Cv7o-@?{2-rr$3usV3J-tJ>NR{xt_GUhm7BJ)q5+CZm!qtQBk&&FTCQc zBH8}wgZ^B?wGRji&3gvq~Mbn4(nWoglu!y-xd>A31s~f zF8@$qb@uezR+kUL&Azp-GcfrARHS23a8(011W4zp(&K=KI%_-X)vSAO0n(d_}*LIxy;E^SJg;hC5 zrf0I-@$@GtZ#p(+JvewF{q~nb8hV{p$rsH&neAmr+Vi*0>iV^}vSJTEoe<0XA$zXk z;P(Gle6D?oex!Dyz+si(qEqFQeVXQ5T=ng|SD{&TYRlOVKltXiWIpBI!*wyJdPDm8 zK7NK5EXpVOw3{8x?R93{dHRQW$I<03nTq?RKYr!9kX|qNwN&8`lX1rTo^A6~Ce2X) zG-vZAn;51l1!18Ur9CtLN(Wp#%6>!Y{<<$B$}*Fx))>U=`Rv@7@N2z<+H=veh@>}q z+i!OtSis?2#M|Ivp#FOPtvw;n=Q3~gEp6Z1e6a1ArQE;C2W*p%O>fF8dzs7iwD6$A zl*GMfcH7(M_XJ+3e($0^^InNpaZ-KXjqpEFzIhjpY1cXyK25mWayRCB$O{c?dF7MW zMNUd+zc}+zm{0U4htMa#FXEFJrZsj-&#^Pz={I9-+36-Ho1?E(`#Zb)n$xE6AA2&x zWBsue?X6QjMCSE&g=@Gb-8J?%=&Xqz28*x7Fe$L)L(J$XHLA)m7*{2oeu6WdY0MJ z8MjkLX}Q>e%>|qers^y2r2SB5n)F^|{+zQu8Y>jGP2Vrlo*MY^gW+3AAw!d?8k;+= ztHs0w9#|J-zvjdFRkt+wE^RZOyubT@T=VILHKmXv3_ug8NKc zFQvI9y?WH?YQAh{$-#+x86TaOU<%uFGe>xuobUI89AeJLEpJz4IO-Vc#3|em;rr0? 
ziSe3(G}E;{?(*NO)_Lr@dSoV3SDv@5#QAFd+pBqZSwB4&FCg_GA=Zn84B)={IGbJptq zyKd~M^I+C)cKt)Iv@cE-c(JZQVET>lAftMzL-V@Nov}Vrc<_8;W@wSHz1{XD8z;Da zo*Nl+I7Qk;UEskLmYMr*ISN%hY!IsPWwnfyko}N818gje^4EIs5@}}QKt7A0q2!? zw<-s?nwB1)$lx6vGe6Cf)9c&0ZBO=#3pe_HID2D}$Tz3HrZYcZ^K9EWN7*xb)`JSi z-^MrW9rvF(9k%pyn8hEh$ERb%8&&2s-M0E0@a;QSZg!kw!{mgJzx>A++bdoznY({) z`i0|>ru-AUjC2EDzDfGw&-+VTnWa~J74z-$X?#mW-nkpgKi9rGL(Dm>!S=VcqeIZL zn+bR3p15SyaAN1Va|?yOPApxbp`P(UG}YMQt50$*3X{IIt%!z$!u?urUdgJ#;ttb}bKWK1=<4*OYilz!Vw~2zf zVN0GY^1e{oTw3bKHFS~P8OW#-e6z|-xXU+FjP53yyCSLQFt^dS(99|Q-MfQ*GvAf4_ixkgR@<|MG)nb?>vqfOF+mz6| zKQAU1TOGZcb@AQ#yWXbXd*=8oJFx1c$HDB}R%ia}du2qgCfo|&rd`Rm+jU>eO1914 zzO{L^yz@*kpYrX}ex;``bIs2!H#!n|YDf3%-nKQHHShMa38j3|7F+q#ba}*tJ!jcd zc3hbi&Ua-(@y5>kbC?z+W^+m}S$^`71Ecxgjfv`Q8Y_&_9~5V+H)<|Ew_DmcG5yol zgZKR1%MVQT(%UE>s=GWtsr>rp#g2v(_A@4&ICw^~d^=}Iq`{P|GO6NZ=Zm}s2k%Wj z5zBvHapQ7kgLom)Y0858`goY-YNx-_U3*nafcM&)uUrSFP0)D8`G3aIb(vuGcC1pQ47iBTbhq2o;`HEu;A?6#s||5 zoodl5{Jv`aFX{98ikWH&f8H+I`dHKD?8H?U|MW(lZ^^P=d2K(Jlc2|RpZ)3G8Jqs+ zHQ$)@{eSS4ChM;sl$tC8c)lCmn#ZiXt6u)|@(AgZKN8I3TTW>|4mWX}!N1KlWJ$pW zrKKy@zr5#m#^=&%$*{kczfMlx$-Ltj&)!v$ey0C}pOzWl*W!*?Y^=Uf%_lR&g2hz* zUyMz(>ao(GsKW;DyvVo#k17me2cojfvB&*%b;Ite!b$qnRa5*-jJ_Pw#W)_ItW=k3)^17a8{e~->apG zw~q_Sn=#|07P1g~#-=Q3Dqv~`-G@e%9?A!Tjhi38%mzBa&-&Y3eUasG>y~Na8|L~-Uw71zC0S8h8 AdjJ3c diff --git a/configurations/sway/screenshot.nix b/configurations/sway/screenshot.nix index 1acc1d2a..dac0e584 100644 --- a/configurations/sway/screenshot.nix +++ b/configurations/sway/screenshot.nix 
@@ -23,8 +23,8 @@ pkgs.writeShellScriptBin "screenshot" ''
 if [[ -n "$remote" ]]
 then
 name=$(${pkgs.utillinux}/bin/uuidgen).png
- ${pkgs.grim}/bin/grim -t png -g "$dims" - | ${pkgs.openssh}/bin/ssh sunspear "cat > /usr/share/nginx/html/screenshots/$name"
- path="https://cvpetegem.be/screenshots/$name"
+ ${pkgs.grim}/bin/grim -t png -g "$dims" - | ${pkgs.openssh}/bin/ssh data "cat > data/public/$name"
+ path="https://data.vanpetegem.me/public/$name"
 else
 name=$(date +'screenshot_%Y-%m-%d-%H%M%S.png')
 path="$(${pkgs.xdg-user-dirs}/bin/xdg-user-dir PICTURES)/$name"
diff --git a/configurations/users.nix b/configurations/users.nix
index a018b727..1c0b9a22 100644
--- a/configurations/users.nix
+++ b/configurations/users.nix
@@ -1,23 +1,5 @@
 { pkgs, ... }:
 
 {
- imports = [ ./users/secret.nix ];
-
- users = {
- mutableUsers = false;
- defaultUserShell = pkgs.zsh;
- users = {
- charlotte = {
- isNormalUser = true;
- home = "/home/charlotte";
- description = "Charlotte Van Petegem";
- extraGroups = [
- "input"
- "systemd-journal"
- "video"
- "wheel"
- ];
- };
- };
- };
+ users.users.charlotte.extraGroups = [ "input" "video" ];
 }
diff --git a/configurations/users/secret.nix b/configurations/users/secret.nix
index 1fb856d2af49aa6af12dae969d91b6db97f09da4..c6544dd5859e2bb02d21f782d230b80eea43d507 100644
GIT binary patch
literal 22
dcmZQ@_Y83kiVO&0*rB_1V=43V_%C{1x&Ttp2pIqX
literal 328
zcmZQ@_Y83kiVO&0m=Pa*)ne_etAfv$eW{h|JZWF`;5*m+n}^dJHU#XtR<-c+qhj~a
z{RXEu*jF8cE1P>f>VSi#h}S8jgwVO=pN>3C<`Hq6
zn|vboWYvl`TjiCVf0U(nSnWAkw%Z|Q>g|{9ht9v_hznjeFZsq>=KA$u`*CQ;_F-w%cA6eaTU|!(l
zRlfOBU&KB#&hd6&ZTCsu$0$}ddGnIc=Eh22r~ONlpUC>E_k6CsZKpAD1E=TCR*4gT
o^H)6*bF$xh@%;j44YQ+`2^+hAzij-pG28IGfLFHLanX6=00l0gJOBUy
diff --git a/configurations/zsh.nix b/configurations/zsh.nix
deleted file mode 100644
index 235be89a..00000000
--- a/configurations/zsh.nix
+++ /dev/null
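Review bot: The upload target on the first `+` line, `cat > data/public/$name`, is a path relative to the remote login's home directory, whereas the removed line wrote to an absolute nginx root; whether `~/data/public` on host `data` is what `https://data.vanpetegem.me/public/` serves is not visible here (the `hosts` example in modules/nginx.nix in this same commit uses `root = "/srv/data"`). An absolute path removes that coupling to the remote account's home, e.g. `${pkgs.openssh}/bin/ssh data "cat > /srv/data/public/$name"` if that is indeed the served root. `$name` is a uuidgen result, so interpolating it into the remote command is safe as written. The screenshot script's body begins and ends outside this hunk.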
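Review bot: The single `+` line keeps only the `input` and `video` groups; `users.mutableUsers = false`, `isNormalUser = true`, the `wheel`/`systemd-journal` membership and the `./users/secret.nix` import all leave this file, and the module that presumably takes them over (modules/default.nix, listed in the diffstat) is not in this chunk. If that module does not declare charlotte with `isNormalUser = true` and set `users.mutableUsers = false`, every host silently reverts to mutable users and a user that is no longer created, so that file should be checked before merging. A one-line comment would spare the next reader the search: `# charlotte's base account (mutableUsers, wheel, shell) is declared in modules/default.nix; only desktop groups are added here`.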
@@ -1,51 +0,0 @@
-{ ... }:
-
-{
- chvp.zfs.homeLinks = [
- { path = ".local/share/autojump"; type = "cache"; }
- { path = ".local/share/zsh"; type = "cache"; }
- ];
- home-manager.users.charlotte = { pkgs, ... }: {
- home.packages = [ pkgs.autojump ];
- programs.zsh = {
- enable = true;
- enableAutosuggestions = true;
- autocd = true;
- dotDir = ".config/zsh";
- history = {
- expireDuplicatesFirst = true;
- path = "\$HOME/.local/share/zsh/history";
- };
- initExtra = ''
- source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
- ${pkgs.any-nix-shell}/bin/any-nix-shell zsh --info-right | source /dev/stdin
- '';
- oh-my-zsh = {
- enable = true;
- plugins = [
- "autojump"
- "common-aliases"
- "extract"
- "history-substring-search"
- "git"
- "sudo"
- "systemd"
- "tmux"
- ];
- theme = "agnoster";
- };
- plugins = [
- {
- name = "zsh-syntax-highlighting";
- src = pkgs.fetchFromGitHub {
- owner = "zsh-users";
- repo = "zsh-syntax-highlighting";
- rev = "0.7.1";
- sha256 = "03r6hpb5fy4yaakqm3lbf4xcvd408r44jgpv4lnzl9asp4sb9qc0";
- };
- }
- ];
- sessionVariables = { DEFAULT_USER = "charlotte"; };
- };
- };
-}
diff --git a/flake.lock b/flake.lock
index 1009be05..dd75fac7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -23,11 +23,11 @@
 ]
 },
 "locked": {
- "lastModified": 1606046962,
- "narHash": "sha256-244JrrVFht/VMRItDcDlrcwejqpqJInDUWA/x6mucW4=",
+ "lastModified": 1606691558,
+ "narHash": "sha256-mkLAmBhiQ7kI7Ezw1ken3ymGolBmEfiO881iFWSGrbg=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "a3a0f1289acac24ce2ffe0481bf8cabd3a6ccc64",
+ "rev": "c1faa848c5224452660cd6d2e0f4bd3e8d206419",
 "type": "github"
 },
 "original": {
@@ -38,11 +38,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1606469955,
- "narHash": "sha256-0B3igE7xVjr0F8Jgfv9b8Illr/8cVkwcp2GzbrR31MA=",
+ "lastModified": 1606758103,
+ "narHash": "sha256-gSjKrct8zKISPFHYIIWPNZ9TdlVpZhAlLcgwZAmAhpQ=",
 "owner": "charvp",
 "repo": "nixpkgs",
- "rev": "5a8a08c9f02ef3b4b60fa94e769bfb42660eb1ba",
+ "rev": "db5dda0c6d4a82be765c2d5cab18ff4f759281cd",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index f34b5d14..5be0ad57 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,7 +21,7 @@
 inherit system;
 modules = [
 home-manager.nixosModules.home-manager
- (./. + "/machines/${hostname}")
+ (./modules)
 ({ pkgs, ... }: {
 environment.etc."nixpkgs".source = (pkgs.runCommandNoCC "nixpkgs" { } ''
 cp -r ${nixpkgs} $out
@@ -30,6 +30,7 @@
 '');
 nix.nixPath = [ "nixpkgs=/etc/nixpkgs" ];
 })
+ (./. + "/machines/${hostname}")
 ];
 };
 in
diff --git a/machines/kharbranth/default.nix b/machines/kharbranth/default.nix
index d9ac3037..ae9b477c 100644
--- a/machines/kharbranth/default.nix
+++ b/machines/kharbranth/default.nix
@@ -3,7 +3,6 @@
 {
 imports = [
 ./hardware.nix
- ./secret.nix
 ../../configurations/eid.nix
 ../../profiles/bluetooth.nix
 ../../profiles/common.nix
@@ -17,24 +16,23 @@
 
 time.timeZone = "Europe/Brussels";
 
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "20.09";
-
- home-manager.users.charlotte = { ... }: {
- home.stateVersion = "20.09";
- };
-
 # Machine-specific application settings
 chvp = {
+ stateVersion = "20.09";
+ graphical = true;
+ docker.enable = true;
 git.email = "charlotte.vanpetegem@ugent.be";
 zfs = {
 enable = true;
 encrypted = true;
+ backups = [
+ {
+ path = "rpool/safe/data";
+ remotePath = "zdata/recv/kharbranth/safe/data";
+ fast = true;
+ location = "lasting-integrity.vanpetegem.me";
+ }
+ ];
 };
 };
 }
diff --git a/machines/kharbranth/hardware.nix b/machines/kharbranth/hardware.nix
index 12b213f1..cbe10b60 100644
--- a/machines/kharbranth/hardware.nix
+++ b/machines/kharbranth/hardware.nix
@@ -4,7 +4,6 @@
 imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
 boot = {
- # Use the systemd-boot EFI boot loader.
 loader = {
 systemd-boot.enable = true;
 efi.canTouchEfiVariables = true;
diff --git a/machines/kharbranth/secret.nix b/machines/kharbranth/secret.nix deleted file mode 100644 index 6a77511d5090b35fd94fec93192c41de64ad6efb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2481 zcmZQ@_Y83kiVO&0X!&x_i}}dcx__U@yml31%zP23 z@}M;A&PVn0TP0+qmrFayM-<(E+Mxb)qAkzI8wRR#=AP@^UhSLI__QWs;hp5}wd##6 zmHI!o^IsC16|JW%>%}j7By{BopU^3HKQ3ij$u0HN^V)8Eg{w#XdrIyV@jEzwFJ5q? zdcMovGKc)78?{&d*{;*lwB>2qu1eS6^O|Rxd|LF%B{TiFEQ`X)iM!?;_VAiNMIa_^ z(V;ebNu{Z^-+n)}D7wwv;-$Up>+KcKWvBdQofKns`^H_V ziHC}fUpY7?-CVSB)`QKndPDcGe0J+PcXyYi*Jgxk6F>)#CoRn z-Zme1Te&Rjm>HS3FVuf&5imF6J;H4l^C(sCL|9YVucQDA8=-yaX*18~TgL^g-MFIf zY)Sq$0j=yK$7=R}c=TzWpO?tAiF<_o51Z<)^by{4O+)NaTrykf_k`aEj+@`VzVc$*+rvk`{c@G#T2cLLeZa!H zI(FUV7pKO&`r@G5*z2-|M_{eahcoP_Ue-N7^6vkO&O=w`@)p}N?3vVO@}S?V+@gbd z(~2@P_t{;0))<>so_ttW>6X@g^poy`S(3kx{!QIqG4(G)-L-8m*do0mUZm8gI8WQm zZz~$P-k$fx;(1Tx-b6Q^QIqC>JY~w0HO1yU;n_|9OGDE{pA}4YlHit@kgvMVTgTu; z`719|gZ=mCa^0&raO1A+#Q0gv-eqcE3|GonZ4z1YoVTI=f=Rb*vb0w&yXplu#$_LZ z7R{J`=aINi}qwA(;&05hO zp>{{w&m*~zC$}$}H`$*p^_v27*NdHjZ`}(VE>^G77MsX1bIR%j(boO`&b+paWy{uh z?L6_`-g>^6m=kCAz618n7t7)TQ=%@meb~NH?Z*545}kh*`o-FVuO0bJB*%#ca@IyCI_-FKHE(W6)64ujpFYqlh z@|)^$KRRHl_)?u2iqUTOdw3r|-1cenLxb~aky_6kwAD;M8~3Cg&i<~@dQv(nsr-Gs+!OO$pcwCpxLjZ2kV<@&X%Tp1j&=^lQn4)@@&>@6Y$Foy}za=0TEp%et+%^Q25Ur~N4?jGY$U{>v=O@nm=O zJ4O!gextL6rR(3UZ07Ntdxbl^SZDv?(|;P59rLOVs@L#dFRsE?aI8#na+``_g z500rfwlb7%jahr!F9?ozo!!7()xPx zl7EWNp9}v^f41aL0js_1tcgDd##9E$BaqQQd{mU(L1)rE&lAS=?mwr`eWH_Q(SR5@V>qB zWRp3JGqyDEFJ5Ba`+BOy`DM?SzjnMXygp&G)o!NrBC7w87m~Zdbd>{_7vvo^ANpY9DJNre8Su09$*G z$Y1I3z_*KJXK-bnP%k)F6QY0louY|Db*Q;gN5osD#nL=cGj};K>A!7oVGi(*{&ruO zLznNIMr=X!jtj?BTEEnXOi90bsn`GV{@2o%w_J2TyYQNY`<(8x%pKGIHk!?upmve% z&1$~+q0i=c3Pw&5H2X7k-u0xL>XtU^UeA*IDwV~06y=02cq*_1ENI%x}^NwP%x?kL>U(*-FIU6&Y?__lKbL?Qdyh31W$dwgq zS2H}9NjqX9aPHoVliD}zEf2Z8-0WsHqvGE3%g21nKdWjSF8SOv>mx6V`P+hH8Ozu4 zo2=P?BeDG68_tM^O__|&FHXf>Vfl13USnVR%18V2U)-zkao{zO+8FXIirUGA?eD;wL=Jt=3HpT}A4T;pkDc!Fi?yq^yzPJXv* 
V$&^Fv{{nK;wjX&qcSoq3HvqeC!N>pr
diff --git a/machines/kholinar/default.nix b/machines/kholinar/default.nix
index e472411f..5d75d896 100644
--- a/machines/kholinar/default.nix
+++ b/machines/kholinar/default.nix
@@ -3,7 +3,6 @@
 {
 imports = [
 ./hardware.nix
- ./secret.nix
 ../../configurations/eid.nix
 ../../profiles/bluetooth.nix
 ../../profiles/common.nix
@@ -17,24 +16,23 @@
 
 time.timeZone = "Europe/Brussels";
 
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "20.09";
-
- home-manager.users.charlotte = { ... }: {
- home.stateVersion = "20.09";
- };
-
 # Machine-specific settings
 chvp = {
+ stateVersion = "20.09";
+ graphical = true;
+ docker.enable = true;
 git.email = "charlotte@vanpetegem.me";
 zfs = {
 enable = true;
 encrypted = true;
+ backups = [
+ {
+ path = "rpool/safe/data";
+ remotePath = "zdata/recv/kholinar/safe/data";
+ fast = true;
+ location = "lasting-integrity.vanpetegem.me";
+ }
+ ];
 };
 };
 }
diff --git a/machines/kholinar/hardware.nix b/machines/kholinar/hardware.nix
index ad61a7e8..88385f00 100644
--- a/machines/kholinar/hardware.nix
+++ b/machines/kholinar/hardware.nix
@@ -4,7 +4,6 @@
 imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
 boot = {
- # Use the systemd-boot EFI boot loader.
 loader = {
 systemd-boot.enable = true;
 efi.canTouchEfiVariables = true;
@@ -46,7 +45,6 @@
 fsType = "vfat";
 };
 
-
 swapDevices = [
 { device = "/dev/disk/by-uuid/6c09b90f-8971-4702-a18a-f06dfb3d8dcd"; }
 ];
diff --git a/machines/kholinar/secret.nix b/machines/kholinar/secret.nix deleted file mode 100644 index e1cce260ee836ed710cafc4e699a19de76c82e09..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 759 zcmZQ@_Y83kiVO&0;C;1wc4E&=>##jiX15YbO)iyp{##R)l(9V0FDlD?~W z_OJy6>AfgrYq>suPS35co8$umQcqvt>a#eyBIw%UKb@PNPhRc2yue9eM_9}g@qM=x z%{*V*#tY>|9oU;t`BkXr*cbK}jd`rACrF>(Vi}V6(bQdhvCSXPvx>%IhbR8Do!}hc zm;Tu3i4A}9xdq-Ubz_*Cr=7dt_3BMY&1B9UADpZ{SpQX0RI9jqUgf}##_c*OE0XM9 zxhPzY{b29s`|Hc=Id!Ml0%lv>TID$BZ$rCkv3E%*Pr;ly4?E{x{dlr|`ia?}M7V2Y zGrOO^wvX7boXs?Bm*0{-Gp5e#%Lt0$sNBeOJInlVuUtyg*(+Hm{2yk!&a8Ag;M2>@ zlG#7!=XpQdnx}uAx;OvJS@F`oJ7H;N+WMFKI4qK8+w4j>RsM9wwIsHfIdN~FEv(+` zueAR9#wBU?ino>cURySKTsO1(W7~8*MBKJ$n$E|}bcMwyS>CJ&nleM`>&_3>`$VT~ zakqM*a7c-L{a%Hwo49-QZzZ)H*Z**E^NUZbm(4iwl40el#b!|p7j%60zw>Cx7V9Zr ztu`;}WBGSfaN5%kf7jnRbR+5bJnudFPIs@rQ&ea2&2T=n(#Tly_oMO~vpF)`6gD$F zE?wEM`zRZ~#*)BNy-)mmtGDFaM=apc$+F%3;9a*O#~JZUITMaAoyHw@?$3_K+siE0 z8{4h65R2$dEX#arVrRYgRfeC|y|8zS|L%UYxJThl$)UcT31$-HO7iA(3=Q!Xs{`pSqe<9u&=3 zd+4UCN#J6$eKG8?59r?etFrQuxKHOH zdyPu_vo`g!vJ7RfXkFN5;lgq-Kh6qVb!=#O2q(r>@F z62?M|&%c+>es9G#^+d41OF8!r-G;m8Vy6YHzpiyy|7y#0UF#$FrsPY+vebqDJfxPp za!YJt)`MWO;8=eq)@cfqNyR|K<6Rr0!30{m?Z0{`?r`8nWzq!5rCd=A~i3tL& z52Vv7XXGFA&idW{LiYCbQxZw7mygs<$e(vGQiC_>w2Ih{*)zV|=XE?ykK13;R%{`3 zzGA8Ws=qc>BXx~gZtaPgAB^JX$`7oJz`eQS2kuTE;$9ii)9UUsta zOowmm&7B){e)=RWO~w3BwuJw4@9o|vn(3cyoYWn(-}cdaX{%qG^8Gbxd9Sm(Jw6qp zo|i7Fz17)j`i6Y(Unh#!@|LMN{W`bD=^>-erR`Tjrq=Gg8Okj_k!Q1z#P|Aw{_e%?k#O?uNEXO)m@$R=D4H5kAhRnHL3SC+J`Sf3*lb8WwvoY00PB3B%f);%`5 z`naa!{=wo2#s1xk^%xqK8a8VEy)b=!8;euLyFD9cf8AMVc=$#PpXv073kyFyU3IPg zW}<#|kig=f>!19*ajHT>>i&19#5uDUyY7uEn6mE(-}#ENImb>k)hCHh|7fl#e01Xr zhTl6+>KK|@N|@(($;vZdf4EBOP4ua0%GIe|8qYPFG+Rq5!(*GY7W=+#e3{VM?jBhC z;$#&=@UiVpmR|x-q^GHEX6={u&GZg43ZL5l@36Gas-KymeK$CMq^s`Lz0RPY@idmL zb-C?@Igey+?ER)Uc}2AU^;S@MXFU6Z~eGX*zwrP^uT4C6Bu1C-tu~#nm%Jmr})Ij>sH)gioYG< 
zmT2$j`n<$^<@5J_HcG438>Ro+b7-NDLC=jtR=;@oN<`e9nHsf^{X6}}a%8oT#iVxpUxlT;s0?zuC~Us{s6&`d0Hx03X|dQXm^-3foXg$h^cZ+^#n zkym-gt#fOhF_|WpX>Utu*ZnzRZt$PYI!!6@xw3WlIjp=|;$rgrr92+%rStfnonpbf z{lo*)nzNmIr$6T?pXI!8#{LpNqs}(%*FB|Q{#|>#?~6-KCPwkaC zfyPYdy6=i?en0=ytXDglw+WW#?U&oM@8! zgXgjOmiwNe{oCX2M44T%Ud^W4RM=(j_}f}vmbG7>TvLy6}IGxYw-RM zL9X0Ar$Z|Q=kAhK#Xbv8TNalut9SQ)7hyDZhmKcDqG~1_cg5c{qq3+y0_&voATb&p0`qHf1T)j;`3U) z+MWy9>s;4-ef?k1Da-iIBD3FX6kb}}FL#*NAu4Uv9yb%m^!L_JyXWZbb6B>yw1{=nXM+xJ zx#jU2-lQz>Fqmeq6JT-p)9VepWyF^7#t1WT=||_jK2v{wyPm?nd}*~T;j(~T>1-1p z-c~zjyh*7*yPb9O`k*_jHKufKy3)Uy?Q_)86|A~RjQ3{==wJA9WV&A-v&CG)yj4Y- zcOMCIbbU_$A}J@gza;QPc7yDWKUGq$=RNPnU%tTb$Gm)JvJ)RVA zGjbFy)=&D+AAfv#m1N+`gIi7BU2-|}Vvmf?QTCV{^B$b0l)=qm?Yz|lMU@OR!cQ*32m~Xak;tlcT3U(*g%sHG9_F&#k|Cq^= a*}KoC0_y>o5as0v-wB!JDy#M|6VwqPTsUCtTFBI>%VL!?@voOtPqW; ziZ0`_TD#=mi?klUpWhUW7cTdDS2nlzZpfLc6Fevij9H#B%==7{{LnYnGPbkwP}H^jx9G?LcbbJ{LZu-19Qq3FjG%4N%6 zp4;|;^~$R1x=EKpr`5jSs_qakd|6~~;c3PaHqMAgA`0H>U%tJqa$xFbmYUwNRatSO zLQ}?iADflmOeR{oC@k3YdooAmMX%WvOp9u(Z|-s_YKdL-b&7HvmsfrHw_wtmkm#rF`vL+KFSuzpY~wth zbMg7Pm{Nuh6(3KpSo!20OTo0V;Fh<(=fxEMOGIy;)O+7;{h~jQE(fKpe*ga6B=+pL zHzvILt|Yf)iRvtsZi680SJ&+scmE39lgVh3;!^5nEFxU_hU2ZujkC(y8vQa=lSyl@ zk(hn;-H+d`XKGz8bKmh6?rYE0ZOA?JZ_@d5t7CgK?=!~y-@p3yr_(j=lRv2HZ$9~K zTO8|_2|0_E_V4AXsg?Lq`7UHxz)Rig`EC0z1UFBAv`Q|^qjcNe)6Qc1(%5U>ioDg% znwP14?Z7EZJH}V*BX9C%+}*nMChtG5=k3Z-DrNI!6ouXGB7f!YKejVUU+21%(~R>C zTV5*$Dc^diSaZq#`A&_=+PRG0v%_|K&AGV#^^!<+`SgdPzc(#RTYvFo<;7cj_;i^=|!d4F%ox?qRBG1pb+Pi-$b7-vGs_%{yw=)Hph+Itjrzl|0u5=i(M9 z3;#bjs>nChRsViP-+6KAhH144q5*#GQHRd7KDv3qt@vA@@y}n^6u0VVU5P!nc-Ktb zSA2^uxc&X9$tq=Wo5?QGX8&=1*26CD8~0mZ3J<&Cc-#9OZ|tf!FRISlrhN$cx#V_f zq)1?qr%7*xmg`ohrDx`eipWp7V|}h=g6qMosYVYfdC#!eHR$Kwee^cY`r_peSNpFC zns}Z(FKgT@T(Ilbq~`|$?>>(FAtajQBp#Z*q&@d%tC*6VO;5p$U;){G8S^*=>@%N~ z|B#P06Wpw#81Ay+7`M6S3eq%zbD7jRn(A)!17^8ok&j892Y-zwzdeO52=NUrgGgvi#Q3 z<*q;Yyo;FEOs{a~lRFwbzE4SBhWx|i9r#G&0*l$^v3jol( BtDgV> 
diff --git a/machines/urithiru/default.nix b/machines/urithiru/default.nix
index 9ef72d6f..254dc7e7 100644
--- a/machines/urithiru/default.nix
+++ b/machines/urithiru/default.nix
@@ -6,49 +6,35 @@
 ./secret.nix
 ];
 
- boot.loader = {
- grub = {
- enable = true;
- efiSupport = true;
- mirroredBoots = [
- { devices = [ "nodev" ]; path = "/boot/ESP0"; }
- { devices = [ "nodev" ]; path = "/boot/ESP1"; }
- ];
- };
- efi = {
- canTouchEfiVariables = true;
- efiSysMountPoint = "/boot/EFI";
- };
- };
-
 time.timeZone = "Europe/Berlin";
 
 networking = {
 hostName = "urithiru";
 hostId = "079e60ba";
- useDHCP = false;
- interfaces = {
- eno1.useDHCP = false;
- eno2.useDHCP = false;
- eno3.useDHCP = false;
- eno4.useDHCP = false;
- };
 };
 
- users = {
- mutableUsers = false;
- defaultUserShell = pkgs.zsh;
- users.charlotte = {
- isNormalUser = true;
- extraGroups = [ "wheel" "systemd-journal" ];
+ chvp = {
+ stateVersion = "20.09";
+ docker.enable = true;
+ nginx.enable = true;
+ ovh.enable = true;
+ sshd.enable = true;
+ zfs = {
+ enable = true;
+ backups = [
+ {
+ path = "zroot/safe/data";
+ remotePath = "zdata/recv/urithiru/safe/data";
+ fast = true;
+ location = "192.168.0.2";
+ }
+ {
+ path = "zdata/data";
+ remotePath = "zdata/data";
+ fast = false;
+ location = "192.168.0.2";
+ }
+ ];
 };
 };
-
- services.openssh.enable = true;
- services.openssh.permitRootLogin = "prohibit-password";
-
- services.zfs.autoScrub.enable = true;
- services.zfs.trim.enable = true;
-
- system.stateVersion = "20.09";
 }
diff --git a/machines/urithiru/hardware.nix b/machines/urithiru/hardware.nix
index 67436165..81179ce3 100644
--- a/machines/urithiru/hardware.nix
+++ b/machines/urithiru/hardware.nix
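Review bot: The removed `services.openssh.permitRootLogin = "prohibit-password"` and `services.openssh.enable = true` are replaced by `sshd.enable = true;` inside the new `chvp` block, and modules/sshd.nix (in the diffstat) is not part of this chunk, so confirm that module sets `permitRootLogin` and `passwordAuthentication = false` explicitly rather than leaning on NixOS defaults; the same check applies to the dropped `users.mutableUsers = false` and `wheel` membership, which must now come from modules/default.nix. Both backup entries hard-code `location = "192.168.0.2"` while kharbranth and kholinar use `lasting-integrity.vanpetegem.me`; if that address is the same host reached over the internal 192.168.0.0/16 interface that modules/ovh.nix configures, a comment such as `# lasting-integrity over the internal link; laptops use its public FQDN` would record that instead of leaving two spellings of one target. The `services.zfs.autoScrub`/`trim` lines also leave this file and presumably move to modules/zfs.nix, which is likewise outside this chunk.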
@@ -4,16 +4,21 @@
 imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
 boot = {
+ loader = {
+ grub = {
+ enable = true;
+ efiSupport = true;
+ mirroredBoots = [
+ { devices = [ "nodev" ]; path = "/boot/ESP0"; }
+ { devices = [ "nodev" ]; path = "/boot/ESP1"; }
+ ];
+ };
+ efi.canTouchEfiVariables = true;
+ };
 initrd = {
 availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
- kernelModules = [ ];
- postDeviceCommands = lib.mkAfter ''
- zfs rollback -r zroot/local/root@blank
- '';
 };
 kernelModules = [ "kvm-intel" ];
- extraModulePackages = [ ];
- supportedFilesystems = [ "zfs" ];
 };
 
 fileSystems = {
@@ -59,4 +64,9 @@
 ];
 
 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware = {
+ cpu.intel.updateMicrocode = true;
+ enableRedistributableFirmware = true;
+ };
+ services.fstrim.enable = true;
 }
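Review bot: The loader block moved into this hunk drops the `efiSysMountPoint = "/boot/EFI"` that the block removed from machines/urithiru/default.nix carried, so `boot.loader.efi.efiSysMountPoint` now falls back to its default unless something outside this chunk sets it; with `mirroredBoots` naming `/boot/ESP0` and `/boot/ESP1` that may be intended, but it is a behaviour change the commit message does not mention, so either restore the line or state the intent, e.g. `# the two mirroredBoots paths are the ESPs; no separate efiSysMountPoint is mounted`. The removed `postDeviceCommands` rollback of `zroot/local/root@blank` and `supportedFilesystems = [ "zfs" ]` presumably move to modules/zfs.nix, which is not in this chunk; if they did not, the root dataset stops being reset at boot and the initrd loses ZFS support, so that file should be checked. The `fileSystems` block that follows the first hunk is outside view.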
diff --git a/machines/urithiru/secret.nix b/machines/urithiru/secret.nix index cd6eaead0b9bbd14dea3f7982be40a807979ada0..34a34a43d26f51028f672d9a45a2545b674cd89c 100644 GIT binary patch literal 1309 zcmZQ@_Y83kiVO&0h~t@1x1hykZREj&XSCF7-X6WoV4SA*Z{-UAp4}qhT=|w|e64@l z4E|1ExX$?InMZq`DnzY4(6X@K`DTOYlc0l(-yFEC;;{ZQ=Z?ejpLxrkDKxL_s|h)h zHS5Z)DceszvgzM>BQAQ?Ym5AS?tXK9o_5$gdT`R&H}pTtg4W*_X6#C@XH8d#aeefM zKmVi1*Dr~`w>`V;liquid4ui0mCtR~>&s4A_d-tM5ZmPTXM2`??FpVyzV142?>U#? z31XbHJ)2XGHQZo1_P;&){j8e54r1!5td}HDRRtaCmRn-ya`^j?8&7>qkB0JgX-!@5 zf4PF{^XAIj$KpZ4A+pbdXWEyX<-585hEDH1b6r)QndY(AwkYX!UbZ^g9m#WR%6GNA z_WsMtM!6RkKVH4d<^Cd<&>N+?-)%bc9({MLIk9egzDR-oor!Zp|M0MJ#x=f8Zi<~2 zWg{rn^57%+l0%U4U9L+vdwBL(MhVGc)4J1+9K`6cbAlInWpvSy^XT+q`3(4K+gHm*dz(b;ITtq1 zQmN6y_3i8pa+X(8eWrbzbZ&>>MW?)p$LoqGOs{6#JI#VIR5)y6E9|sn^duI=IcPgg_VY zO-+}tsb+`%75H8pCEdEf*7IP{!yAIJZxps#?KR*sPPLto^lVyn!SD8MR(&#>^S$FN zqr2VL=|rz|_`r1UONO5Q8aB&66E~f%jNh^QRK-Gh6UGYmV=W*0O%lHTt$BVVbDMhH z&2NGt-F*{yt)o;N&(M1Q^wXXwE>>}%~G`+iZ4|I06I$G>Y`;D*#sG74vN4l9QzF3I+`cz5J{ z>1i$xp9-f5h39_iyg2*eta1PA#^Vwf)l~nR{|Ohh464|_$f&L2-(3YC>woF2u2K&# z%qV4Wn5%D@;sp~msCe)hqNX~i_{8v+P@*O?lDK9?EE)L%ycIZT9j;{9e z0_}q9E0&e?Y>L@#99NSd_~4&GSjhJ?*?e+dHhWy2xH@(72FagV;G+`plE3!QyB{7= zED1$Rrr2uEI5*Ys)2b}jm4%|qxpX~eaVlyRelL)}xZpC ze)U17k0mr>Mp>ll1?krut4~k+b=~xy^sz}#CI77cTbFlXgX-lI>NozFzKe_fbh31# g@~^~rjqX`LBtvCgc8MN%sr#ji-)!Gy*5~HM0N3z_aR2}S literal 1374 zcmZQ@_Y83kiVO&0@PFgZyv;q8-=pS-aN-voTgij+%jER#-S69eFGG2ESIV{@X{Qf& zzh>x9y+yLZ|7t8cBY-cH=I?^^z&Z&@qXN&H{NP`KiH`x%!^Ri-%t z-_~u`UTPiK`l#OdtMsa_s@8yeTlr^9m0t9s>PL_@-vQ%((+9pUKOd{^i#~VYp6kZ4 zm73M||FqXe-hJoU@UgBkt?41xFSkv1=SOoMoX*yDYu4NaYx`wnY9Bil|CgK;6#ty1 z|KGw%(ut?OMe&A+{XHwSE#!=eLW-2HIDYeKce7#X~`gTr{m75;OJz$GC7Un$r-<#rq=K>!)T;JYFVrhBPHG4zo zb(6PT^BX%mFBCqh)V>y&T&l)!bCnfm^D%j!qlt48W`?ZJPJjD3o_o_W|KOm@SC`Bv zkF~CUv&y1pt<%1K_e$26o6NnKe+ZZ`l_>SAeW>=*rI%~&sDDe2^0+Yfx${mx=kWa%5xh$)bEiz=2>E?)+ewua zMdv&GqLbDn#~$C7@bW>B?$p}g2Ue<65?30&_^>r#YxBK=TTeXVt6QdJrTu6)uu$uo 
znvGAa$D}!5^CvyMAoz0G!5vdqXLp%N=ZMFJMLwIZ`gfo4t2mFj>)O`uR_L1HXXD;{ zZ2C1P*0r7i%vnyJw-+4Qth+AV&d9afcwq%^i}K?1Q>k-2zVloa+FY_X^RBb$qC;^^ z^=BvdPx&vf;;c_t+)s|Y#|$CqPk&BXd!)Iw^~po^8$VtIPP@53>x#@h>q{5?=f6{o zEh(P<$xXY!_e$rb56iOr)1wOC8TjPw@3&t1AT&+Z#vv|g^?sdu zk!+`X+o!nPuxYS4yGP-F{|?DZt-SXBGFEySvXzfS^_;!Twq;MBsaN~n{GICC!*37F zjao4G%`;DRhxnfn&r3J;=j5z5(VZoKJ}bH0e39^ydt1J_%-?u**|9&50~Y?7$hQAS zUBmvR4=V5NRWaEtn9-0^zvdjD?>_muZr{gO#imy7;+v~IW$uHI8eXygyDFG(%Sz8{ z$m{f$`L^D(gl*>WT#fHrI6wWk#=j@@ue6%2uCr2T#wJbEzfDo%s(rFb{)rzy9hh2u z!esH2H=C!+ubp6*eLt$u>XAXx_uVPB*2?!C{kk;Q_ca+*G2Z)EcJJZZn5FiSbB>rw z@J!u5-)Y9L9{HIjQ~LZ|)0_8xI3lq}e(j1A5=F0hj`=YBw4XJrt7p!l7jyW}scke% z6f)S>?wGox$mZ$xxdNI#Hxu`p9}<4a=*b`&{^?Ze;%7?&y8dVJZ`yrl7FVFc=d=}ompD(gZYDVh?tHa-3$^M({rB=G>!e#vz z`(3)&yI-GmWI4TX)!nF8*4eWvUg=TDQb$im$`+IHm4>_jZOUu7*Sh?l7Zt|sNk6z1$rR_8N)HJpAl$_d~ z2nmi;*;dm9z0FSip1syYOoFX_r$@G!Vg8)F71s;9pC4gy+roY@*SLkF8cE1P>f>VSi#h}S8jgwVO=pN>3C<`Hq6 zn|vboWYvl`TjiCVf0U(nSnWAkw%Z|Q>g|{9ht9v_hznjeFZsq>=KA$u`*CQ;_F-w%cA6eaTU|!(l zRlfOBU&KB#&hd6&ZTCsu$0$}ddGnIc=Eh22r~ONlpUC>E_k6CsZKpAD1E=TCR*4gT o^H)6*bF$xh@%;j44YQ+`2^+hAzij-pG28IGfLFHLanX6=00l0gJOBUy literal 0 HcmV?d00001 diff --git a/modules/docker.nix b/modules/docker.nix new file mode 100644 index 00000000..7710ec64 --- /dev/null +++ b/modules/docker.nix @@ -0,0 +1,20 @@ +{ config, lib, pkgs, ... }: + +{ + options.chvp.docker.enable = lib.mkOption { + default = false; + example = true; + }; + + config = lib.mkIf config.chvp.docker.enable { + virtualisation.docker = { + enable = true; + extraOptions = "--data-root ${config.chvp.dataPrefix}/var/lib/docker"; + storageDriver = lib.mkIf config.chvp.zfs.enable "zfs"; + }; + + environment.systemPackages = [ pkgs.docker-compose ]; + + users.users.charlotte.extraGroups = [ "docker" ]; + }; +} diff --git a/modules/git.nix b/modules/git.nix new file mode 100644 index 00000000..dc34366b --- /dev/null +++ b/modules/git.nix 
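Review bot: `options.chvp.docker.enable` is declared with `lib.mkOption` but no `type` or `description`, so a string or null is accepted at the option and only fails later when `lib.mkIf` evaluates the condition; `options.chvp.docker.enable = lib.mkEnableOption "docker with its data root under chvp.dataPrefix";` gives `types.bool`, the `false` default and a description in one line, and the same typeless `enable` pattern recurs in modules/git.nix, modules/nginx.nix and modules/ovh.nix in this commit. The `users.users.charlotte.extraGroups = [ "docker" ];` line deserves a note for future readers since that group grants control of the daemon's root-level socket: `# docker group membership is effectively root on this host; keep it to the one interactive user`. The `storageDriver = lib.mkIf config.chvp.zfs.enable "zfs";` line is a good use of the conditional.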
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+{
+ options.chvp.git = {
+ enable = lib.mkOption {
+ default = true;
+ example = false;
+ };
+ email = lib.mkOption {
+ type = lib.types.str;
+ default = "charlotte@vanpetegem.me";
+ example = "charlotte@vanpetegem.me";
+ description = ''
+ Default email set in global git config.
+ '';
+ };
+ };
+
+ config =
+ let
+ base = {
+ home.packages = with pkgs; [
+ gitAndTools.gitflow
+ git-crypt
+ ];
+ programs.git = {
+ enable = true;
+ extraConfig = {
+ branch = {
+ autosetuprebase = "always";
+ };
+ pull = {
+ rebase = true;
+ };
+ };
+ ignores = [
+ ".direnv"
+ ".envrc"
+ "shell.nix"
+ # Ruby dependencies in source tree
+ "/vendor/bundle"
+ "**/*.patch"
+ ];
+ signing = {
+ key = "charlotte@vanpetegem.me";
+ signByDefault = config.chvp.graphical;
+ };
+ userEmail = config.chvp.git.email;
+ userName = "Charlotte Van Petegem";
+ };
+ };
+ in
+ lib.mkIf config.chvp.git.enable {
+ home-manager.users.charlotte = { ... }: base;
+ home-manager.users.root = { ... }: base;
+ };
+}
diff --git a/modules/nginx.nix b/modules/nginx.nix
new file mode 100644
index 00000000..7e3e5bfa
--- /dev/null
+++ b/modules/nginx.nix
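Review bot: `base` is applied unchanged to `home-manager.users.root`, so root inherits `signing.key = "charlotte@vanpetegem.me"` together with `signByDefault = config.chvp.graphical`; on a graphical host root's commits will presumably fail to sign unless that private key is also available in root's GnuPG keyring, which nothing in this module arranges. Either turn signing off for root, `home-manager.users.root = { ... }: lib.recursiveUpdate base { programs.git.signing.signByDefault = false; };` (a plain `//` would not reach the nested attribute), or document the expectation in a comment above that line. The `enable` option next to the typed `email` option lacks `type = lib.types.bool;`, as noted on modules/docker.nix.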
@@ -0,0 +1,92 @@ +{ config, lib, ... }: + +{ + options.chvp.nginx = { + enable = lib.mkOption { + default = false; + example = true; + }; + hosts = lib.mkOption { + default = [ ]; + example = [ + { + fqdn = "data.vanpetegem.me"; + options = { + default = true; + basicAuthFile = "/data/var/secrets/data.vanpetegem.me.htpasswd"; + root = "/srv/data"; + locations = { + "/".extraConfig = '' + autoindex on; + ''; + "/public".extraConfig = '' + autoindex on; + auth_basic off; + ''; + }; + }; + } + ]; + }; + extraPostACMEScripts = lib.mkOption { + default = [ ]; + example = [ + '' + cp fullchain.pem /data/home/charlotte/synapse/slack/cert.crt + cp privkey.pem /data/home/charlotte/synapse/slack/key.pem + pushd /data/home/charlotte/synapse + ''${pkgs.docker-compose}/bin/docker-compose restart slack + popd + '' + ]; + }; + }; + + config = lib.mkIf config.chvp.nginx.enable { + networking.firewall.allowedTCPPorts = [ 80 443 ]; + security.acme = { + certs."vanpetegem.me" = { + dnsProvider = "cloudflare"; + credentialsFile = "/data/var/secrets/vanpetegem.me-cloudflare"; + extraDomainNames = [ + "*.vanpetegem.me" + "cvpetegem.be" + "*.cvpetegem.be" + "chvp.be" + "*.chvp.be" + ]; + postRun = lib.concatStrings config.chvp.nginx.extraPostACMEScripts; + }; + email = "webmaster@vanpetegem.me"; + acceptTerms = true; + preliminarySelfsigned = false; + }; + chvp.zfs.systemLinks = [ + { type = "data"; path = "/var/lib/acme"; } + ]; + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + virtualHosts = builtins.listToAttrs + (map + (elem: { + name = elem.fqdn; + value = { + forceSSL = true; + useACMEHost = "vanpetegem.me"; + locations."/" = lib.mkIf (builtins.hasAttr "basicProxy" elem) { + proxyPass = elem.basicProxy; + extraConfig = '' + proxy_set_header X-Forwarded-Ssl on; + '' + (elem.extraProxySettings or ""); + }; + } // (elem.options or { }); + }) + 
config.chvp.nginx.hosts);
+ };
+ users.users.nginx.extraGroups = [ "acme" ];
+ };
+}
diff --git a/modules/ovh.nix b/modules/ovh.nix
new file mode 100644
index 00000000..fb18b377
--- /dev/null
+++ b/modules/ovh.nix
@@ -0,0 +1,62 @@
+{ config, lib, ... }:
+
+{
+ options.chvp.ovh = {
+ enable = lib.mkOption {
+ default = false;
+ example = true;
+ };
+ publicIPV4 = lib.mkOption {
+ example = {
+ ip = "1.2.3.4";
+ gateway = "1.2.3.254";
+ };
+ };
+ publicIPV6 = lib.mkOption {
+ example = {
+ ip = "1:2:3:4::";
+ gateway = "1:2:3:ff:ff:ff:ff:ff";
+ };
+ };
+ internalIPV4 = lib.mkOption {
+ example = "192.168.0.1";
+ };
+ };
+
+ config = lib.mkIf config.chvp.ovh.enable {
+ networking = with config.chvp.ovh; {
+ useDHCP = false;
+ interfaces = {
+ eno1.useDHCP = false;
+ eno2.useDHCP = false;
+ eno3 = {
+ useDHCP = false;
+ ipv4.addresses = [{
+ address = publicIPV4.ip;
+ prefixLength = 24;
+ }];
+ ipv6 = {
+ addresses = [{
+ address = publicIPV6.ip;
+ prefixLength = 64;
+ }];
+ routes = [{
+ address = publicIPV6.gateway;
+ prefixLength = 128;
+ }];
+ };
+ };
+ eno4 = {
+ useDHCP = false;
+ ipv4.addresses = [{
+ address = internalIPV4;
+ prefixLength = 16;
+ }];
+ };
+ };
+ defaultGateway = publicIPV4.gateway;
+ defaultGateway6 = publicIPV6.gateway;
+ nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
+ };
+ };
+}
diff --git a/modules/ssh.nix b/modules/ssh.nix
new file mode 100644
index 00000000..a8ce57ef
--- /dev/null
+++ b/modules/ssh.nix
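Review bot: In the `virtualHosts` builder, the attrset holding `forceSSL`, `useACMEHost` and `locations."/" = lib.mkIf (builtins.hasAttr "basicProxy" elem) { ... }` is combined with `// (elem.options or { })`, and `//` is a shallow merge: a host entry that sets both `basicProxy` and an `options.locations` attribute (the `hosts` example already uses `options.locations`) has its entire `locations` set replaced and the proxy block dropped without any error. Letting the module system merge the two instead keeps both sides: `value = lib.mkMerge [ { forceSSL = true; useACMEHost = "vanpetegem.me"; locations."/" = lib.mkIf (builtins.hasAttr "basicProxy" elem) { ... }; } (elem.options or { }) ];` inside the function passed to `map`. Note also that `postRun = lib.concatStrings config.chvp.nginx.extraPostACMEScripts` executes arbitrary shell snippets supplied through a module option in the ACME renewal context; a `description` on `extraPostACMEScripts` stating that they run after each renewal, with the certificate files in the working directory as the example assumes, would make that contract explicit to anyone adding a script.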
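Review bot: `publicIPV4`, `publicIPV6` and `internalIPV4` are declared with only an `example` — no `type` and no `description` — so a mistyped value (for instance a bare string for `publicIPV4`) is only caught when `publicIPV4.ip` is dereferenced inside `networking.interfaces`, with an "attribute missing" error that does not name the option; a `lib.types.submodule` with `lib.types.str`-typed `ip` and `gateway` sub-options for the two public addresses and `type = lib.types.str;` for `internalIPV4` makes the contract explicit and self-documenting. The prefix lengths 24, 64 and 16 are hard-coded next to the parameterised addresses, so an allocation with a different netmask cannot use this module; adding a `prefixLength` field to each option with the current values as defaults keeps the existing machines working unchanged.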
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+let
+ ssh = pkgs.symlinkJoin {
+ name = "ssh";
+ paths = [
+ (
+ pkgs.writeShellScriptBin "ssh" ''
+ export TERM=xterm-256color
+ ${pkgs.openssh}/bin/ssh $@
+ ''
+ )
+ pkgs.openssh
+ ];
+ };
+ base = home: {
+ programs.ssh = {
+ enable = true;
+ compression = true;
+ hashKnownHosts = true;
+ userKnownHostsFile = "${config.chvp.cachePrefix}${home}/.ssh/known_hosts";
+ serverAliveInterval = 300;
+ extraOptionOverrides = {
+ IdentityFile = "${config.chvp.dataPrefix}${home}/.ssh/id_ed25519";
+ HostKeyAlgorithms = "ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa";
+ };
+ matchBlocks = import ./ssh/hosts.secret.nix;
+ };
+ home.packages = lib.mkIf config.chvp.graphical [ ssh ];
+ };
+in
+{
+ options.chvp.ssh = {
+ enable = lib.mkOption {
+ default = true;
+ example = false;
+ };
+ };
+
+ config = lib.mkIf config.chvp.ssh.enable {
+ home-manager.users.root = { ... }: (base "/root");
+ home-manager.users.charlotte = { ... }: (base "/home/charlotte");
+ };
+}
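Review bot: The wrapper built with `pkgs.writeShellScriptBin "ssh"` forwards its arguments as an unquoted `$@`, so any argument containing whitespace (a remote command such as `ssh host 'ls "my dir"'`, a constructed example) is re-split by the wrapper shell before it reaches OpenSSH; the line should read `exec ${pkgs.openssh}/bin/ssh "$@"`, where `exec` also stops the wrapper from lingering as an extra parent process. Separately, `HostKeyAlgorithms` still lists `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com`, i.e. RSA host keys verified with SHA-1 signatures, which OpenSSH disables by default from 8.8 onward; the `rsa-sha2-*` entries already cover RSA hosts, so the two SHA-1 entries can be dropped unless one specific legacy host still needs them, in which case a comment naming that reason belongs next to the string. `matchBlocks = import ./ssh/hosts.secret.nix` pulls in an encrypted file whose contents cannot be reviewed here.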
diff --git a/modules/ssh/hosts.secret.nix b/modules/ssh/hosts.secret.nix new file mode 100644 index 0000000000000000000000000000000000000000..90afc503c45715647f633cef67324be3a90e1071 GIT binary patch literal 3279 zcmZQ@_Y83kiVO&0P+sWFm}>mP@zBB@_U>*@ljg4baQ4Vd%i{dZ{d%*)cO6#=JAY*R zeqEWY$!lt>Pb#$sZ~wRAMZ0d+|4&!;EO{Ar>R<|cU8eKOuUlp>RG1LFZ0VetN7Pn) zTl06eiiy;lJnOvIFU@q*)9m$8-r%|HQjr|(tDaob+fpcGXR+v4 zmg2H48@}q9tvmZj?L13b?(O@@|5Wt7PPy@vsWAr4E??Hkk(Rf8>eh%2MO$`V;*DT* zl)U=L72Ha`9+-8%vqSgtq$LtD3zVX^JzgdpdbaEB;rS~IuFkAJaKoWn zdd|#}hzw(ki60sH7q57`B*v_1%B2Sp*KZ~tmRUYC{p2artIu^!xEVJGFekmXuBr4j zI%}mLGMhE#(9Vwnxf64|ANWVT+?giTQxrdU@x6$Zi<%GA{ON8u^mgsjys#Gz7w5V% z^mq0et~{aJkzT7}zCPM=)vQXfSE6gIn7OX6 zz-X1yr8+j78C!OJKh=Kp+?|zsIvdpv>^q>k;eL-roW{xd8~^@bFpjisKUc$5`Xn=f zL&4i(#*AI>EEvC~Y_gjm!Kfde%cRHuCF1mI)dwdHAI$h_7=N{N!Md7b)-2)%|w(MAfM$^?x_to93|VS>F$CFGfAxpXo1NG%xdCSig*EZfJhZw3&X9Wg7#6 zWb&sU{KB_|wNpJI%+ySs(d)Xkq-pk!ExI>maXOXajeJVm5H5E?pbk^5-vZGTh;-9p5{q@Ju zoBLO{{fM#Zk9f4=F0bbdBVH}m^>54m3d~n>+1~p9T;aDRc8?~O?Q`jqUfhF#yXs!}+^XlFVf5}S_GESew~A(7!RXOE%6ha~wuq30hn6diuBmo?|s!l0z*UI%@dV@}?h)*qUS^B*&=^9`)q zExFQzz3Ed~pNymq=aU!l5zns)b>Fqpp8ZpqJ+iAZbMI1rj^s6m=Z9Q3nDgPy3cct8 zzggz{%_lOKb+!u`9#pK=5qA|)44n14>bLs($o9*gd$;`%YG_sudQ>jHXHU_&drM2z zmP$Rmxs`z-(P0gPTxEIZ?W*F+oqM9dGzi?aOnikpOd%bgZP@dOY;*B zI32&IUbxFKO1S&}Yj(eKR-HAovo0BkWaON7Dl~qU>?_){a;ocwt(;cjJFe)ZPCwqT z#o({$ng_<~t7}ECD6EfI{9ce{$~^xK8Gp+8o44OJ+4FAwEoFB^6*9I>aC`7C!g|8PzXFFewqAVmsAAXuXB($ZzstEx?6pqDY( zUv5k)?@c;Bp?jgm_mGeo(tjR)EbmlaBeT#T(dj`?>>4rGn%CMAkDGdCxtz`W8mE5i zulUsWeK^i0 z{pvyO2CbBwixb5bPL;?%RQbFq-tEBz&E;)w-!B)Ln%_}W-4ecZm5)N2jG&05(fNv{ zhgbZ_^V#GgXOK{`;-zGt#iU!w^QXo8XXm~Xs$~>9p%PNL;ZuVB8E=zaS(l57t?x2S z>bU(QIDVhvgv~p&WJ@={y%i;LZ};SbBGFTY=AN2;jUm*2j>oS0gtocSD_z2~BLbGF zpIT$6($%*pa_X#r@5(iSlkS)bJ~Wv9uw06_{=0j*5nI^Y?T!YVM^^n3-{8A!gGtTo zPmT-2TkmZszqV9=htoSWdZ4+jDSY>$@iH011@E3ab&Rh`&+6+|ADjIOky%K9QUq#Gj(_MKH;#FonO{SO&8YZaoQsG{uJ}PvtG0A z$d_{4uaBv1dFss`|0$E{V(&v=7e{N+&qg~8ceHz|Ex68^H8H9)+UN-1sfOQ1lb5`b zxDurQ<%4wkp=Bjr; 
zkA55qQe~Uc`9)0c0{8QpMNj4|`X+e(_ZeQj)LMB_(;512>!x4H5RR@Fm_FN0x5qHV zWX3lRpYJ>c@w!J^+k*5m?u10&KIM3#%Da2VzYm^KH9ZMzc^x7rUoR@HT4kGdc3MVP z=d2ZJ@y$tW*PWhloV~rAaksxz>Z2U@X|E!)e_W~3$bEKl$7<#)7Ej|A)W>^Hy&hO^ z#5S#JYkuN$MZfgQcozfl4pF}!Z^RZn=USw9b+T}V#R6fbuAOPeU-*^8y!alP!^T&* zRbBT%Q^}6Fg|eT&FWdfob93*<*=+5qUtXSHdF%F4rc{-=*SwCKOR-izwTup{TGA3N zA(eh^#leX8S_k{QXENQ|QMYP+#L`=Tw{`wDaoe#icF!~O6}BRsJN=hOxK!`RdtZ3W zre^Nf3C$9Vj?F%D{j^Wqk0sn))e&0_d6Sz?bI#R$!?W-8lv{h#0{4ATTz#Uu_*;Pg zdmX;p&vyqih*tg7PJb^L9;{>geXfXly7;Xx0?GICV|wDAhOxd*p5-1;>ZF=;Eq(q& z)oSJW%Kn>8&F>c-Uj59<-gM2x!{uummOk@TlG!Jer2qYIyv|JHiPBu_jY5_i3*~6X zNvij0w#|NAH~RuB*FyP8&%Da&r5K8qP4w>*)jtxg@OE3;DWlar`|ln*tHrTf?+&Za zaUF+0l9oYl!UMlYIL*p7ZP2VgA9cB~?x&9P6y<-XD`ttm`I%lHHzg~ns5v^6n`7s4 zlT3xp+i&=Ooq7Gz`))aXo+-WCF0*}UQ+m3@`$ne9Y&Mr)ANE{->wS(*k27FJT9}Le z&1)Hj8wBLGtarSzN_^wW?uBuNq5F@m+9f|KW8YK(st-*&EruE#ue=n7*QBYQ@UF6M@ zLoL<@Co-b5O7e3b)rt$>U!l37LA*6oed)n|@9E9W3i+p5+h_0E_4P%GR#^KR)+_cM z>P>4t#~d^7;aF&@r|@;Yk?GrKO^c7qbFE*NH^Kji!K2#-?;OiaYT6Gzd9nYc<2<&- zyR@FDw@-46T-UBUPyRgK{^wod9FE#xlZ$+_ zt!=O5*`0q8S70G_@A|lZ&?bFO{w^%FDd-(I`^tmkyi zqoHpr{oFsE5+t?cKv{A2#Yi?gdv^DbL@$I@@@T#KW1Kd;s~@iBeBcfMT7U1mnV z$>BxY3nwjQn^IG=nzK0c-K5)F=BWsOD2=l_wEz8%X0LPSPkvwWtSxi@y3a9hO&4o# z*ziuBch>GxFZQJydJFwObaI2)>7oPE#OFHYcub3Y5S{kj=Iqi}_PX}If0|D66wQ0- z+R@|e^RIt*?VQc!hvPZS_vB4tS6!6&Z}*&!h7-@$+`VyJXv4gyl9)2{mCQTlXP))? 
zb|o=6T8ukYq^i5*{p>IPFG|JK+@i0(h%Q;)KAm%|ySvryQ%s_zvd!x=#d89cN@vO} z>;3VR)kj%z+bKo<%THgwUG!VPJFQireR5l6cIY|P|Kauf0}4OL97*(XNq-lp8+d2FXy_O z5qJOP3yEDyy{qs3o8eHxP3fC5^Lw7Je|59>$zAPj8MjJ{^?Q#Lm{k6b=QU;Crhak; zXV9~Q997j^kq%3Rn6oC{V7DwSTa@^}$nCwh$%2*ZdZ!!=H&E!9^4+j4rNLprzr27= zjoX)fxgTVEE&52R!S8lfPqij-&Bo+>yP5IwVUn|h&Ty}|WGnx&)FM8jQEK6@?-xJz z%1%0YrKkO!iI+~}b;0+Vep@w{p8lJ5<6TVRk;ng;^JjjMT<2d>wT;*Re@wI>gPrxh z&5Y^W56iGxdCi%|AT6`z@y*8zo^39ex%cj?w48S3Q#az*Y&`0l7XSXGykXRmh=^7D z*8XO3c_{KSb^oPFS-5t7#u9$ly-kw&etjR)+WTgjT`Nwt zl+u#eTd6C(@b6j$ovY{WKmSm7^(6DFli%cQYM)BXk4`#UQXHyzrLE`o{GxSfTX)?0 zp2+CSad@_tVxvh(kW!-2q2krc-y6T4C}6$sU5ir2Cq||qB}Fxn6$cL_WUF|jY~yK= zI(2aMy(i0jKbeutI2@^cy1Of3)yClIY|pRXjlS`~ z>+v?9o&V!HZ#OKHm!Do7s_#4_JZ#;6W~&3YzgxFtO*CiHTC(HF*$$&8YznGJecnH? z_2kjwWsC1$k=SF%r%`Z}ulc;6y7zm#_jUglrh4yhNw&_PC1&y7ewDhzdk(K-wG-|N z%sH@d_Yu*z4eK|auZ+*i{q;SBKTFQj=I(;P#51DP51z`r?(?!xaaoCew1TXUY8u1- zA1NOnHJ9t;Sx9f~w=Y>}aq|?zhpuCj607Pj-OgQCzGv0dP2pwUBFA*HQa`tU`MR=~ zWe0N{bNjIkZ};uCmAe?n{Ck;-MKkZ$zzGJ2HQYpl+~WI|_!`y)@pCL^SgWFI`aE=| zP)gwb)6s1)=6sH|ZAVh4O>kYd=l-*6ky!^H1wBvm@(MbB!o6mG?elU)7F);HANi;B zTAg_@wV*Rts`i^~+SwcD)Zdh7`OH`_@5qNYiGRHw&5-VyFMaJv@weh-t+PtkE)& za~P*5WzPJ(=y9G%)SEWT z%D?=DqBq^SPkHtB|8JG%`m_7_m#Wna=db2P-ZnknuPggSLC=1Eowvu1HQ%5;VcXR4%(#vHpT)JC3sVIycT9@c_1dq- z8F%Ah%B9#@Gv9Xkl<8b{W@~9(X%q8v@y3&Du1uJ2sgzOm;uG_C`3%MBk8kbPz2n!w zy5OCw@6HUF+cwV3#xCJ&UAgvTIo?c^Y15TCT^3$uaMfj&{ZglOHGLcF8WfFpJQQDC z7V?0pkK=Up9~6@k7+Qjef?uo%bo>1IvvSre8xV?UCqqTRvcFD^mlO&a9w-JslXyxcK$y1()OfU zx70_!%O?Gi<7uV_k1h`WeX;T83;4?+HAixe{%8RT`HJhuGMHn0D@v};$u zpHmIz5(Pdx`(&;THJ-D*HhW1J$gNm$w9)Wm zzt_TDAI#>x;?+4ep;jox>E7cE&$(tD@pmU>gq&CwCw13tu}nQ*)UP#yT@z}wEcV5% zG5maoE#`upVzKrV?ng6HKNUWx*e5^#a`z3XI;ubINwL=gudko) zZ0Jc(|5G%5hS;;Tw;cP$19$FvmT};-e9ZoegSW)pk3HYgaOQI2>x;_wnYE0!J}Q@q z{86v!`ui?R5l7oj<~#Y4eJpHiA7N3@Gti8CCUE%iC5SdUdx%JT- zAJyapJn>()_0`n)*aiK?ET^6MS3WWNK20t!Hf}eU!m%lfT|HU%{_dT5;!>L2OWyPA z-*;WEUpZ5?pu^Zo`jXD;<_qV#cAT|zh;iR}e(j}4Mw-)B{&e?Ldv|H&2~)=3_9u@0 
z;VNJasmeKcxU+5Jy=A6mAqgqL%lQmlp6t#&_g;J9THex@7d6M`dYdm|Slhh$jlDzh o&%15min,1day=>1hour,1week=>1day,4week=>1week" else + "1day=>1hour,1week=>1day,4week=>1week,1year=>1month,10year=>6month"; + timestampFormat = "%Y-%m-%d--%H%M%SZ"; + destinations."${elem.location}" = { + plan = + if elem.fast then + "1day=>1hour,1week=>1day,4week=>1week,1year=>4week,10year=>1year" else + "1day=>1hour,1week=>1day,4week=>1week,1year=>1month,10year=>6month"; + host = "${elem.location}"; + dataset = elem.remotePath; + }; + }; + }) + config.chvp.zfs.backups); - config.home-manager.users.charlotte = { lib, ... }: { - home.activation = lib.mkIf config.chvp.zfs.enable { - linkCommands = lib.hm.dag.entryAfter [ "writeBoundary" ] (lib.concatStringsSep "\n" linkCommands); + }; + zfs = { + autoScrub.enable = true; + trim.enable = true; + }; + }; + + systemd.tmpfiles.rules = ( + [ "d /home/charlotte 0700 charlotte users - -" ] ++ + (map (location: "L ${location.path} - - - - /${location.type}${location.path}") config.chvp.zfs.systemLinks) + ); + + home-manager.users.charlotte = { lib, ... }: { + home.activation = { + linkCommands = lib.hm.dag.entryAfter [ "writeBoundary" ] (lib.concatStringsSep "\n" linkCommands); + }; }; }; } diff --git a/modules/zsh.nix b/modules/zsh.nix new file mode 100644 index 00000000..13b48f91 --- /dev/null +++ b/modules/zsh.nix 
@@ -0,0 +1,61 @@
+{ config, lib, pkgs, ... }:
+
+{
+ options.chvp.zsh.enable = lib.mkOption {
+ default = true;
+ example = false;
+ };
+
+ config =
+ let
+ base = (home: {
+ home.packages = [ pkgs.autojump ];
+ programs.zsh = {
+ enable = true;
+ enableAutosuggestions = true;
+ autocd = true;
+ dotDir = ".config/zsh";
+ history = {
+ expireDuplicatesFirst = true;
+ path = "${config.chvp.cachePrefix}${home}/.local/share/zsh/history";
+ };
+ initExtra = ''
+ source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
+ ${pkgs.any-nix-shell}/bin/any-nix-shell zsh --info-right | source /dev/stdin
+ '';
+ oh-my-zsh = {
+ enable = true;
+ plugins = [
+ "autojump"
+ "common-aliases"
+ "extract"
+ "history-substring-search"
+ "git"
+ "sudo"
+ "systemd"
+ "tmux"
+ ];
+ theme = "agnoster";
+ };
+ plugins = [{
+ name = "zsh-syntax-highlighting";
+ src = pkgs.fetchFromGitHub {
+ owner = "zsh-users";
+ repo = "zsh-syntax-highlighting";
+ rev = "0.7.1";
+ sha256 = "03r6hpb5fy4yaakqm3lbf4xcvd408r44jgpv4lnzl9asp4sb9qc0";
+ };
+ }];
+ sessionVariables = { DEFAULT_USER = "charlotte"; };
+ };
+ });
+ in
+ lib.mkIf config.chvp.zsh.enable {
+ chvp.zfs.systemLinks = [
+ { path = "/home/charlotte/.local/share/autojump"; type = "cache"; }
+ { path = "/root/.local/share/autojump"; type = "cache"; }
+ ];
+ home-manager.users.charlotte = { ... }: (base "/home/charlotte");
+ home-manager.users.root = { ... }: (base "/root");
+ };
+}
diff --git a/profiles/common.nix b/profiles/common.nix
index eaca1aca..3aec94ea 100644
--- a/profiles/common.nix
+++ b/profiles/common.nix
@@ -4,7 +4,6 @@
 imports = [
 ../modules/zfs.nix
 ../configurations/direnv.nix
- ../configurations/git.nix
 ../configurations/gnupg.nix
 ../configurations/hledger.nix
 ../configurations/locale.nix
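Review bot: `sessionVariables = { DEFAULT_USER = "charlotte"; }` sits inside `base` and is therefore applied to root as well through `base "/root"`; with the agnoster theme that variable hides the user segment of the prompt only when it equals the current user, so root's prompt keeps showing it, which is probably intended but reads as an oversight next to the `home`-parameterised history path. A one-line comment would settle it: `# deliberately not parameterised: root's prompt should keep showing the user segment`. Also, `base = (home: { ... });` wraps the lambda in parentheses Nix does not need here; the parallel `base = home: { ... };` in modules/ssh.nix is the cleaner form and keeping both modules alike helps when they are read side by side.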
@@ -13,20 +12,14 @@ ../configurations/nix-index.nix ../configurations/nix-store.nix ../configurations/pass.nix - ../configurations/ssh.nix ../configurations/tmux.nix ../configurations/users.nix - ../configurations/zsh.nix ]; - home-manager.useGlobalPkgs = true; home-manager.users.charlotte = { pkgs, ... }: { home.packages = with pkgs; [ - htop moreutils - ncdu pandoc - ripgrep texlive.combined.scheme-small unzip youtube-dl diff --git a/profiles/graphical.nix b/profiles/graphical.nix index 6dac3ec0..7a1d73dd 100644 --- a/profiles/graphical.nix +++ b/profiles/graphical.nix @@ -6,7 +6,6 @@ ../configurations/calibre.nix ../configurations/citrix.nix ../configurations/deluge.nix - ../configurations/docker.nix ../configurations/dropbox.nix ../configurations/dwarf-fortress.nix ../configurations/firefox.nix