chvp/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Basic configuration for new servers and start modularizing config

Browse source
This commit is contained in:
Charlotte Van Petegem 2020-12-01 19:23:28 +01:00
parent 82bb5b401c
commit ca93d09059
No known key found for this signature in database
GPG key ID: 019E764B7184435A
38 changed files with 622 additions and 316 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.gitattributes vendored
View file

@ -1,4 +1,4 @@
# To add a new file: # To add a new file:
# /secret/file filter=git-crypt diff=git-crypt # /secret/file filter=git-crypt diff=git-crypt
**/*-secret.nix filter=git-crypt diff=git-crypt **/*.secret.nix filter=git-crypt diff=git-crypt
**/secret.nix filter=git-crypt diff=git-crypt **/secret.nix filter=git-crypt diff=git-crypt

14
configurations/docker.nix
View file

@ -1,14 +0,0 @@
{ ... }:
{
virtualisation.docker = {
enable = true;
extraOptions = "--data-root /data/var/lib/docker";
storageDriver = "zfs";
};
users.users.charlotte.extraGroups = [
"docker"
];
}

44
configurations/git.nix
View file

@ -1,44 +0,0 @@
{ config, lib, pkgs, ... }:
{
options.chvp.git.email = lib.mkOption {
type = lib.types.str;
default = "charlotte@vanpetegem.me";
example = "charlotte@vanpetegem.me";
description = ''
Default email set in global git config.
'';
};
config.home-manager.users.charlotte = { pkgs, ... }: {
home.packages = with pkgs; [
gitAndTools.gitflow
git-crypt
];
programs.git = {
enable = true;
extraConfig = {
branch = {
autosetuprebase = "always";
};
pull = {
rebase = true;
};
};
ignores = [
".direnv"
".envrc"
"shell.nix"
# Ruby dependencies in source tree
"/vendor/bundle"
"**/*.patch"
];
signing = {
key = "charlotte@vanpetegem.me";
signByDefault = true;
};
userEmail = config.chvp.git.email;
userName = "Charlotte Van Petegem";
};
};
}

41
configurations/ssh.nix
View file

@ -1,41 +0,0 @@
{ ... }:
{
imports = [ ./ssh/secret.nix ];
chvp.zfs.homeLinks = [
{ path = ".ssh/known_hosts"; type = "cache"; }
];
nixpkgs.overlays = [
(self: super: {
ssh = self.symlinkJoin {
name = "openssh";
paths = [
(
self.writeShellScriptBin "ssh" ''
export TERM=xterm-256color
${super.openssh}/bin/ssh $@
''
)
super.openssh
];
};
})
];
home-manager.users.charlotte = { pkgs, ... }: {
home.packages = with pkgs; [
ssh
];
programs.ssh = {
enable = true;
compression = true;
hashKnownHosts = true;
serverAliveInterval = 300;
extraConfig = ''
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
'';
};
};
}

BIN
configurations/ssh/secret.nix
View file

Binary file not shown.

4
configurations/sway/screenshot.nix
View file

@ -23,8 +23,8 @@ pkgs.writeShellScriptBin "screenshot" ''
if [[ -n "$remote" ]] if [[ -n "$remote" ]]
then then
name=$(${pkgs.utillinux}/bin/uuidgen).png name=$(${pkgs.utillinux}/bin/uuidgen).png
${pkgs.grim}/bin/grim -t png -g "$dims" - | ${pkgs.openssh}/bin/ssh sunspear "cat > /usr/share/nginx/html/screenshots/$name" ${pkgs.grim}/bin/grim -t png -g "$dims" - | ${pkgs.openssh}/bin/ssh data "cat > data/public/$name"
path="https://cvpetegem.be/screenshots/$name" path="https://data.vanpetegem.me/public/$name"
else else
name=$(date +'screenshot_%Y-%m-%d-%H%M%S.png') name=$(date +'screenshot_%Y-%m-%d-%H%M%S.png')
path="$(${pkgs.xdg-user-dirs}/bin/xdg-user-dir PICTURES)/$name" path="$(${pkgs.xdg-user-dirs}/bin/xdg-user-dir PICTURES)/$name"

20
configurations/users.nix
View file

@ -1,23 +1,5 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
imports = [ ./users/secret.nix ]; users.users.charlotte.extraGroups = [ "input" "video" ];
users = {
mutableUsers = false;
defaultUserShell = pkgs.zsh;
users = {
charlotte = {
isNormalUser = true;
home = "/home/charlotte";
description = "Charlotte Van Petegem";
extraGroups = [
"input"
"systemd-journal"
"video"
"wheel"
];
};
};
};
} }

BIN
configurations/users/secret.nix
View file

Binary file not shown.

51
configurations/zsh.nix
View file

@ -1,51 +0,0 @@
{ ... }:
{
chvp.zfs.homeLinks = [
{ path = ".local/share/autojump"; type = "cache"; }
{ path = ".local/share/zsh"; type = "cache"; }
];
home-manager.users.charlotte = { pkgs, ... }: {
home.packages = [ pkgs.autojump ];
programs.zsh = {
enable = true;
enableAutosuggestions = true;
autocd = true;
dotDir = ".config/zsh";
history = {
expireDuplicatesFirst = true;
path = "\$HOME/.local/share/zsh/history";
};
initExtra = ''
source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
${pkgs.any-nix-shell}/bin/any-nix-shell zsh --info-right | source /dev/stdin
'';
oh-my-zsh = {
enable = true;
plugins = [
"autojump"
"common-aliases"
"extract"
"history-substring-search"
"git"
"sudo"
"systemd"
"tmux"
];
theme = "agnoster";
};
plugins = [
{
name = "zsh-syntax-highlighting";
src = pkgs.fetchFromGitHub {
owner = "zsh-users";
repo = "zsh-syntax-highlighting";
rev = "0.7.1";
sha256 = "03r6hpb5fy4yaakqm3lbf4xcvd408r44jgpv4lnzl9asp4sb9qc0";
};
}
];
sessionVariables = { DEFAULT_USER = "charlotte"; };
};
};
}

12
flake.lock generated
View file

@ -23,11 +23,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1606046962, "lastModified": 1606691558,
"narHash": "sha256-244JrrVFht/VMRItDcDlrcwejqpqJInDUWA/x6mucW4=", "narHash": "sha256-mkLAmBhiQ7kI7Ezw1ken3ymGolBmEfiO881iFWSGrbg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "a3a0f1289acac24ce2ffe0481bf8cabd3a6ccc64", "rev": "c1faa848c5224452660cd6d2e0f4bd3e8d206419",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -38,11 +38,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1606469955, "lastModified": 1606758103,
"narHash": "sha256-0B3igE7xVjr0F8Jgfv9b8Illr/8cVkwcp2GzbrR31MA=", "narHash": "sha256-gSjKrct8zKISPFHYIIWPNZ9TdlVpZhAlLcgwZAmAhpQ=",
"owner": "charvp", "owner": "charvp",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5a8a08c9f02ef3b4b60fa94e769bfb42660eb1ba", "rev": "db5dda0c6d4a82be765c2d5cab18ff4f759281cd",
"type": "github" "type": "github"
}, },
"original": { "original": {

3
flake.nix
View file

@ -21,7 +21,7 @@
inherit system; inherit system;
modules = [ modules = [
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
(./. + "/machines/${hostname}") (./modules)
({ pkgs, ... }: { ({ pkgs, ... }: {
environment.etc."nixpkgs".source = (pkgs.runCommandNoCC "nixpkgs" { } '' environment.etc."nixpkgs".source = (pkgs.runCommandNoCC "nixpkgs" { } ''
cp -r ${nixpkgs} $out cp -r ${nixpkgs} $out
@ -30,6 +30,7 @@
''); '');
nix.nixPath = [ "nixpkgs=/etc/nixpkgs" ]; nix.nixPath = [ "nixpkgs=/etc/nixpkgs" ];
}) })
(./. + "/machines/${hostname}")
]; ];
}; };
in in

24
machines/kharbranth/default.nix
View file

@ -3,7 +3,6 @@
{ {
imports = [ imports = [
./hardware.nix ./hardware.nix
./secret.nix
../../configurations/eid.nix ../../configurations/eid.nix
../../profiles/bluetooth.nix ../../profiles/bluetooth.nix
../../profiles/common.nix ../../profiles/common.nix
@ -17,24 +16,23 @@
time.timeZone = "Europe/Brussels"; time.timeZone = "Europe/Brussels";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09";
home-manager.users.charlotte = { ... }: {
home.stateVersion = "20.09";
};
# Machine-specific application settings # Machine-specific application settings
chvp = { chvp = {
stateVersion = "20.09";
graphical = true;
docker.enable = true;
git.email = "charlotte.vanpetegem@ugent.be"; git.email = "charlotte.vanpetegem@ugent.be";
zfs = { zfs = {
enable = true; enable = true;
encrypted = true; encrypted = true;
backups = [
{
path = "rpool/safe/data";
remotePath = "zdata/recv/kharbranth/safe/data";
fast = true;
location = "lasting-integrity.vanpetegem.me";
}
];
}; };
}; };
} }

1
machines/kharbranth/hardware.nix
View file

@ -4,7 +4,6 @@
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = { boot = {
# Use the systemd-boot EFI boot loader.
loader = { loader = {
systemd-boot.enable = true; systemd-boot.enable = true;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;

BIN
machines/kharbranth/secret.nix
View file

Binary file not shown.

24
machines/kholinar/default.nix
View file

@ -3,7 +3,6 @@
{ {
imports = [ imports = [
./hardware.nix ./hardware.nix
./secret.nix
../../configurations/eid.nix ../../configurations/eid.nix
../../profiles/bluetooth.nix ../../profiles/bluetooth.nix
../../profiles/common.nix ../../profiles/common.nix
@ -17,24 +16,23 @@
time.timeZone = "Europe/Brussels"; time.timeZone = "Europe/Brussels";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09";
home-manager.users.charlotte = { ... }: {
home.stateVersion = "20.09";
};
# Machine-specific settings # Machine-specific settings
chvp = { chvp = {
stateVersion = "20.09";
graphical = true;
docker.enable = true;
git.email = "charlotte@vanpetegem.me"; git.email = "charlotte@vanpetegem.me";
zfs = { zfs = {
enable = true; enable = true;
encrypted = true; encrypted = true;
backups = [
{
path = "rpool/safe/data";
remotePath = "zdata/recv/kholinar/safe/data";
fast = true;
location = "lasting-integrity.vanpetegem.me";
}
];
}; };
}; };
} }

2
machines/kholinar/hardware.nix
View file

@ -4,7 +4,6 @@
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = { boot = {
# Use the systemd-boot EFI boot loader.
loader = { loader = {
systemd-boot.enable = true; systemd-boot.enable = true;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
@ -46,7 +45,6 @@
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ swapDevices = [
{ device = "/dev/disk/by-uuid/6c09b90f-8971-4702-a18a-f06dfb3d8dcd"; } { device = "/dev/disk/by-uuid/6c09b90f-8971-4702-a18a-f06dfb3d8dcd"; }
]; ];

BIN
machines/kholinar/secret.nix
View file

Binary file not shown.

51
machines/lasting-integrity/default.nix
View file

@ -6,49 +6,28 @@
./secret.nix ./secret.nix
]; ];
boot.loader = {
grub = {
enable = true;
efiSupport = true;
mirroredBoots = [
{ devices = [ "nodev" ]; path = "/boot/ESP0"; }
{ devices = [ "nodev" ]; path = "/boot/ESP1"; }
];
};
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot/EFI";
};
};
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
networking = { networking = {
hostName = "lasting-integrity"; hostName = "lasting-integrity";
hostId = "b352adfe"; hostId = "b352adfe";
useDHCP = false;
interfaces = {
eno1.useDHCP = false;
eno2.useDHCP = false;
eno3.useDHCP = false;
eno4.useDHCP = false;
};
}; };
users = { chvp = {
mutableUsers = false; stateVersion = "20.09";
defaultUserShell = pkgs.zsh; docker.enable = true;
users.charlotte = { nginx.enable = true;
isNormalUser = true; ovh.enable = true;
extraGroups = [ "wheel" "systemd-journal" ]; sshd.enable = true;
syncthing-server.enable = true;
zfs = {
enable = true;
backups = [{
path = "zroot/safe/data";
remotePath = "zdata/recv/lasting-integrity/safe/data";
fast = true;
location = "192.168.0.1";
}];
}; };
}; };
services.openssh.enable = true;
services.openssh.permitRootLogin = "prohibit-password";
services.zfs.autoScrub.enable = true;
services.zfs.trim.enable = true;
system.stateVersion = "20.09";
} }

22
machines/lasting-integrity/hardware.nix
View file

@ -4,16 +4,21 @@
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = { boot = {
loader = {
grub = {
enable = true;
efiSupport = true;
mirroredBoots = [
{ devices = [ "nodev" ]; path = "/boot/ESP0"; }
{ devices = [ "nodev" ]; path = "/boot/ESP1"; }
];
};
efi.canTouchEfiVariables = true;
};
initrd = { initrd = {
availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
kernelModules = [ ];
postDeviceCommands = lib.mkAfter ''
zfs rollback -r zroot/local/root@blank
'';
}; };
kernelModules = [ "kvm-intel" ]; kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
supportedFilesystems = [ "zfs" ];
}; };
fileSystems = { fileSystems = {
@ -59,4 +64,9 @@
]; ];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware = {
cpu.intel.updateMicrocode = true;
enableRedistributableFirmware = true;
};
services.fstrim.enable = true;
} }

BIN
machines/lasting-integrity/secret.nix
View file

Binary file not shown.

58
machines/urithiru/default.nix
View file

@ -6,49 +6,35 @@
./secret.nix ./secret.nix
]; ];
boot.loader = {
grub = {
enable = true;
efiSupport = true;
mirroredBoots = [
{ devices = [ "nodev" ]; path = "/boot/ESP0"; }
{ devices = [ "nodev" ]; path = "/boot/ESP1"; }
];
};
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot/EFI";
};
};
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
networking = { networking = {
hostName = "urithiru"; hostName = "urithiru";
hostId = "079e60ba"; hostId = "079e60ba";
useDHCP = false;
interfaces = {
eno1.useDHCP = false;
eno2.useDHCP = false;
eno3.useDHCP = false;
eno4.useDHCP = false;
};
}; };
users = { chvp = {
mutableUsers = false; stateVersion = "20.09";
defaultUserShell = pkgs.zsh; docker.enable = true;
users.charlotte = { nginx.enable = true;
isNormalUser = true; ovh.enable = true;
extraGroups = [ "wheel" "systemd-journal" ]; sshd.enable = true;
zfs = {
enable = true;
backups = [
{
path = "zroot/safe/data";
remotePath = "zdata/recv/urithiru/safe/data";
fast = true;
location = "192.168.0.2";
}
{
path = "zdata/data";
remotePath = "zdata/data";
fast = false;
location = "192.168.0.2";
}
];
}; };
}; };
services.openssh.enable = true;
services.openssh.permitRootLogin = "prohibit-password";
services.zfs.autoScrub.enable = true;
services.zfs.trim.enable = true;
system.stateVersion = "20.09";
} }

22
machines/urithiru/hardware.nix
View file

@ -4,16 +4,21 @@
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = { boot = {
loader = {
grub = {
enable = true;
efiSupport = true;
mirroredBoots = [
{ devices = [ "nodev" ]; path = "/boot/ESP0"; }
{ devices = [ "nodev" ]; path = "/boot/ESP1"; }
];
};
efi.canTouchEfiVariables = true;
};
initrd = { initrd = {
availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
kernelModules = [ ];
postDeviceCommands = lib.mkAfter ''
zfs rollback -r zroot/local/root@blank
'';
}; };
kernelModules = [ "kvm-intel" ]; kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
supportedFilesystems = [ "zfs" ];
}; };
fileSystems = { fileSystems = {
@ -59,4 +64,9 @@
]; ];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware = {
cpu.intel.updateMicrocode = true;
enableRedistributableFirmware = true;
};
services.fstrim.enable = true;
} }

BIN
machines/urithiru/secret.nix
View file

Binary file not shown.

70
modules/default.nix Normal file
View file

@ -0,0 +1,70 @@
{ config, lib, pkgs, ... }:
{
imports = [
./default/secret.nix
./docker.nix
./git.nix
./nginx.nix
./ovh.nix
./ssh.nix
./sshd.nix
./syncthing-server.nix
./zfs.nix
./zsh.nix
];
options.chvp = {
stateVersion = lib.mkOption {
example = "20.09";
};
dataPrefix = lib.mkOption {
default = "";
example = "/data";
};
cachePrefix = lib.mkOption {
default = "";
example = "/cache";
};
graphical = lib.mkOption {
default = false;
example = true;
};
};
config = {
home-manager.useGlobalPkgs = true;
system.stateVersion = config.chvp.stateVersion;
home-manager.users = {
charlotte = { ... }: {
home.stateVersion = config.chvp.stateVersion;
};
root = { ... }: {
home.stateVersion = config.chvp.stateVersion;
};
};
environment.systemPackages = with pkgs; [
htop
ncdu
ripgrep
];
users = {
mutableUsers = false;
defaultUserShell = pkgs.zsh;
users = {
charlotte = {
isNormalUser = true;
home = "/home/charlotte";
description = "Charlotte Van Petegem";
extraGroups = [ "wheel" "systemd-journal" ];
};
};
};
};
}

BIN
modules/default/secret.nix Normal file
View file

Binary file not shown.

20
modules/docker.nix Normal file
View file

@ -0,0 +1,20 @@
{ config, lib, pkgs, ... }:
{
options.chvp.docker.enable = lib.mkOption {
default = false;
example = true;
};
config = lib.mkIf config.chvp.docker.enable {
virtualisation.docker = {
enable = true;
extraOptions = "--data-root ${config.chvp.dataPrefix}/var/lib/docker";
storageDriver = lib.mkIf config.chvp.zfs.enable "zfs";
};
environment.systemPackages = [ pkgs.docker-compose ];
users.users.charlotte.extraGroups = [ "docker" ];
};
}

57
modules/git.nix Normal file
View file

@ -0,0 +1,57 @@
{ config, lib, pkgs, ... }:
{
options.chvp.git = {
enable = lib.mkOption {
default = true;
example = false;
};
email = lib.mkOption {
type = lib.types.str;
default = "charlotte@vanpetegem.me";
example = "charlotte@vanpetegem.me";
description = ''
Default email set in global git config.
'';
};
};
config =
let
base = {
home.packages = with pkgs; [
gitAndTools.gitflow
git-crypt
];
programs.git = {
enable = true;
extraConfig = {
branch = {
autosetuprebase = "always";
};
pull = {
rebase = true;
};
};
ignores = [
".direnv"
".envrc"
"shell.nix"
# Ruby dependencies in source tree
"/vendor/bundle"
"**/*.patch"
];
signing = {
key = "charlotte@vanpetegem.me";
signByDefault = config.chvp.graphical;
};
userEmail = config.chvp.git.email;
userName = "Charlotte Van Petegem";
};
};
in
lib.mkIf config.chvp.git.enable {
home-manager.users.charlotte = { ... }: base;
home-manager.users.root = { ... }: base;
};
}

92
modules/nginx.nix Normal file
View file

@ -0,0 +1,92 @@
{ config, lib, ... }:
{
options.chvp.nginx = {
enable = lib.mkOption {
default = false;
example = true;
};
hosts = lib.mkOption {
default = [ ];
example = [
{
fqdn = "data.vanpetegem.me";
options = {
default = true;
basicAuthFile = "/data/var/secrets/data.vanpetegem.me.htpasswd";
root = "/srv/data";
locations = {
"/".extraConfig = ''
autoindex on;
'';
"/public".extraConfig = ''
autoindex on;
auth_basic off;
'';
};
};
}
];
};
extraPostACMEScripts = lib.mkOption {
default = [ ];
example = [
''
cp fullchain.pem /data/home/charlotte/synapse/slack/cert.crt
cp privkey.pem /data/home/charlotte/synapse/slack/key.pem
pushd /data/home/charlotte/synapse
''${pkgs.docker-compose}/bin/docker-compose restart slack
popd
''
];
};
};
config = lib.mkIf config.chvp.nginx.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
certs."vanpetegem.me" = {
dnsProvider = "cloudflare";
credentialsFile = "/data/var/secrets/vanpetegem.me-cloudflare";
extraDomainNames = [
"*.vanpetegem.me"
"cvpetegem.be"
"*.cvpetegem.be"
"chvp.be"
"*.chvp.be"
];
postRun = lib.concatStrings config.chvp.nginx.extraPostACMEScripts;
};
email = "webmaster@vanpetegem.me";
acceptTerms = true;
preliminarySelfsigned = false;
};
chvp.zfs.systemLinks = [
{ type = "data"; path = "/var/lib/acme"; }
];
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
virtualHosts = builtins.listToAttrs
(map
(elem: {
name = elem.fqdn;
value = {
forceSSL = true;
useACMEHost = "vanpetegem.me";
locations."/" = lib.mkIf (builtins.hasAttr "basicProxy" elem) {
proxyPass = elem.basicProxy;
extraConfig = ''
proxy_set_header X-Forwarded-Ssl on;
'' + (elem.extraProxySettings or "");
};
} // (elem.options or { });
})
config.chvp.nginx.hosts);
};
users.users.nginx.extraGroups = [ "acme" ];
};
}

62
modules/ovh.nix Normal file
View file

@ -0,0 +1,62 @@
{ config, lib, ... }:
{
options.chvp.ovh = {
enable = lib.mkOption {
default = false;
example = true;
};
publicIPV4 = lib.mkOption {
example = {
ip = "1.2.3.4";
gateway = "1.2.3.254";
};
};
publicIPV6 = lib.mkOption {
example = {
ip = "1:2:3:4::";
gateway = "1:2:3:ff:ff:ff:ff:ff";
};
};
internalIPV4 = lib.mkOption {
example = "192.168.0.1";
};
};
config = lib.mkIf config.chvp.ovh.enable {
networking = with config.chvp.ovh; {
useDHCP = false;
interfaces = {
eno1.useDHCP = false;
eno2.useDHCP = false;
eno3 = {
useDHCP = false;
ipv4.addresses = [{
address = publicIPV4.ip;
prefixLength = 24;
}];
ipv6 = {
addresses = [{
address = publicIPV6.ip;
prefixLength = 64;
}];
routes = [{
address = publicIPV6.gateway;
prefixLength = 128;
}];
};
};
eno4 = {
useDHCP = false;
ipv4.addresses = [{
address = internalIPV4;
prefixLength = 16;
}];
};
};
defaultGateway = publicIPV4.gateway;
defaultGateway6 = publicIPV6.gateway;
nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
};
};
}

43
modules/ssh.nix Normal file
View file

@ -0,0 +1,43 @@
{ config, lib, pkgs, ... }:
let
ssh = pkgs.symlinkJoin {
name = "ssh";
paths = [
(
pkgs.writeShellScriptBin "ssh" ''
export TERM=xterm-256color
${pkgs.openssh}/bin/ssh $@
''
)
pkgs.openssh
];
};
base = home: {
programs.ssh = {
enable = true;
compression = true;
hashKnownHosts = true;
userKnownHostsFile = "${config.chvp.cachePrefix}${home}/.ssh/known_hosts";
serverAliveInterval = 300;
extraOptionOverrides = {
IdentityFile = "${config.chvp.dataPrefix}${home}/.ssh/id_ed25519";
HostKeyAlgorithms = "ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa";
};
matchBlocks = import ./ssh/hosts.secret.nix;
};
home.packages = lib.mkIf config.chvp.graphical [ ssh ];
};
in
{
options.chvp.ssh = {
enable = lib.mkOption {
default = true;
example = false;
};
};
config = lib.mkIf config.chvp.ssh.enable {
home-manager.users.root = { ... }: (base "/root");
home-manager.users.charlotte = { ... }: (base "/home/charlotte");
};
}

BIN
modules/ssh/hosts.secret.nix Normal file
View file

Binary file not shown.

24
modules/sshd.nix Normal file
View file

@ -0,0 +1,24 @@
{ config, lib, ... }:
{
imports = [
./sshd/secret.nix
];
options.chvp.sshd.enable = lib.mkOption {
default = false;
example = true;
};
config = lib.mkIf config.chvp.sshd.enable {
services.openssh = {
enable = true;
passwordAuthentication = false;
permitRootLogin = "prohibit-password";
hostKeys = [
{ bits = 4096; path = "${config.chvp.dataPrefix}/etc/ssh/ssh_host_rsa_key"; type = "rsa"; }
{ path = "${config.chvp.dataPrefix}/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
];
};
};
}

BIN
modules/sshd/secret.nix Normal file
View file

Binary file not shown.

28
modules/syncthing-server.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, lib, ... }:
{
options.chvp.syncthing-server.enable = lib.mkOption {
default = false;
example = true;
};
config = lib.mkIf config.chvp.syncthing-server.enable {
services.syncthing = {
enable = true;
dataDir = "${config.chvp.dataPrefix}/var/lib/synthing";
configDir = "${config.chvp.dataPrefix}/var/lib/synthing/.config";
openDefaultPorts = true;
guiAddress = "127.0.0.1:8384";
};
chvp.nginx.hosts = [
{
fqdn = "syncthing.vanpetegem.me";
basicProxy = "http://localhost:8384";
options = {
basicAuthFile = "${config.chvp.dataPrefix}/var/secrets/syncthing.vanpetegem.me.htpasswd";
};
}
];
};
}

78
modules/zfs.nix
View file

@ -31,27 +31,73 @@ in
{ path = ".cache/nix-index"; type = "cache"; } { path = ".cache/nix-index"; type = "cache"; }
]; ];
}; };
backups = lib.mkOption {
default = [ ];
example = [{
path = "rpool/safe/data";
remotePath = "zdata/recv/<hostname>/safe/data";
fast = false;
location = "lasting-integrity.vanpetegem.me";
}];
};
}; };
config.boot = lib.mkIf config.chvp.zfs.enable { config = lib.mkIf config.chvp.zfs.enable {
supportedFilesystems = [ "zfs" ]; chvp.dataPrefix = lib.mkDefault "/data";
zfs.requestEncryptionCredentials = config.chvp.zfs.encrypted; chvp.cachePrefix = lib.mkDefault "/cache";
initrd.postDeviceCommands = lib.mkAfter ''
zfs rollback -r rpool/local/root@blank
'';
};
config.services.zfs.autoScrub.enable = config.chvp.zfs.enable; boot = {
config.services.zfs.trim.enable = config.chvp.zfs.enable; supportedFilesystems = [ "zfs" ];
zfs.requestEncryptionCredentials = config.chvp.zfs.encrypted;
initrd.postDeviceCommands = lib.mkAfter ''
zfs rollback -r rpool/local/root@blank
'';
};
config.systemd.tmpfiles.rules = lib.mkIf config.chvp.zfs.enable ( services = {
[ "d /home/charlotte 0700 charlotte users - -" ] ++ znapzend = {
(map (location: "L ${location.path} - - - - /${location.type}${location.path}") config.chvp.zfs.systemLinks) enable = config.chvp.zfs.backups != [ ];
); pure = true;
autoCreation = true;
zetup = builtins.listToAttrs
(map
(elem: {
name = elem.path;
value = {
enable = true;
plan =
if elem.fast then
"1hour=>15min,1day=>1hour,1week=>1day,4week=>1week" else
"1day=>1hour,1week=>1day,4week=>1week,1year=>1month,10year=>6month";
timestampFormat = "%Y-%m-%d--%H%M%SZ";
destinations."${elem.location}" = {
plan =
if elem.fast then
"1day=>1hour,1week=>1day,4week=>1week,1year=>4week,10year=>1year" else
"1day=>1hour,1week=>1day,4week=>1week,1year=>1month,10year=>6month";
host = "${elem.location}";
dataset = elem.remotePath;
};
};
})
config.chvp.zfs.backups);
config.home-manager.users.charlotte = { lib, ... }: { };
home.activation = lib.mkIf config.chvp.zfs.enable { zfs = {
linkCommands = lib.hm.dag.entryAfter [ "writeBoundary" ] (lib.concatStringsSep "\n" linkCommands); autoScrub.enable = true;
trim.enable = true;
};
};
systemd.tmpfiles.rules = (
[ "d /home/charlotte 0700 charlotte users - -" ] ++
(map (location: "L ${location.path} - - - - /${location.type}${location.path}") config.chvp.zfs.systemLinks)
);
home-manager.users.charlotte = { lib, ... }: {
home.activation = {
linkCommands = lib.hm.dag.entryAfter [ "writeBoundary" ] (lib.concatStringsSep "\n" linkCommands);
};
}; };
}; };
} }

61
modules/zsh.nix Normal file
View file

@ -0,0 +1,61 @@
{ config, lib, pkgs, ... }:
{
options.chvp.zsh.enable = lib.mkOption {
default = true;
example = false;
};
config =
let
base = (home: {
home.packages = [ pkgs.autojump ];
programs.zsh = {
enable = true;
enableAutosuggestions = true;
autocd = true;
dotDir = ".config/zsh";
history = {
expireDuplicatesFirst = true;
path = "${config.chvp.cachePrefix}${home}/.local/share/zsh/history";
};
initExtra = ''
source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
${pkgs.any-nix-shell}/bin/any-nix-shell zsh --info-right | source /dev/stdin
'';
oh-my-zsh = {
enable = true;
plugins = [
"autojump"
"common-aliases"
"extract"
"history-substring-search"
"git"
"sudo"
"systemd"
"tmux"
];
theme = "agnoster";
};
plugins = [{
name = "zsh-syntax-highlighting";
src = pkgs.fetchFromGitHub {
owner = "zsh-users";
repo = "zsh-syntax-highlighting";
rev = "0.7.1";
sha256 = "03r6hpb5fy4yaakqm3lbf4xcvd408r44jgpv4lnzl9asp4sb9qc0";
};
}];
sessionVariables = { DEFAULT_USER = "charlotte"; };
};
});
in
lib.mkIf config.chvp.zsh.enable {
chvp.zfs.systemLinks = [
{ path = "/home/charlotte/.local/share/autojump"; type = "cache"; }
{ path = "/root/.local/share/autojump"; type = "cache"; }
];
home-manager.users.charlotte = { ... }: (base "/home/charlotte");
home-manager.users.root = { ... }: (base "/root");
};
}

7
profiles/common.nix
View file

@ -4,7 +4,6 @@
imports = [ imports = [
../modules/zfs.nix ../modules/zfs.nix
../configurations/direnv.nix ../configurations/direnv.nix
../configurations/git.nix
../configurations/gnupg.nix ../configurations/gnupg.nix
../configurations/hledger.nix ../configurations/hledger.nix
../configurations/locale.nix ../configurations/locale.nix
@ -13,20 +12,14 @@
../configurations/nix-index.nix ../configurations/nix-index.nix
../configurations/nix-store.nix ../configurations/nix-store.nix
../configurations/pass.nix ../configurations/pass.nix
../configurations/ssh.nix
../configurations/tmux.nix ../configurations/tmux.nix
../configurations/users.nix ../configurations/users.nix
../configurations/zsh.nix
]; ];
home-manager.useGlobalPkgs = true;
home-manager.users.charlotte = { pkgs, ... }: { home-manager.users.charlotte = { pkgs, ... }: {
home.packages = with pkgs; [ home.packages = with pkgs; [
htop
moreutils moreutils
ncdu
pandoc pandoc
ripgrep
texlive.combined.scheme-small texlive.combined.scheme-small
unzip unzip
youtube-dl youtube-dl

1
profiles/graphical.nix
View file

@ -6,7 +6,6 @@
../configurations/calibre.nix ../configurations/calibre.nix
../configurations/citrix.nix ../configurations/citrix.nix
../configurations/deluge.nix ../configurations/deluge.nix
../configurations/docker.nix
../configurations/dropbox.nix ../configurations/dropbox.nix
../configurations/dwarf-fortress.nix ../configurations/dwarf-fortress.nix
../configurations/firefox.nix ../configurations/firefox.nix