I should commit more frequently

This commit is contained in:
Andrea Ciceri 2023-12-07 23:07:36 +01:00
parent aa8003f5b4
commit e82241b8b0
Signed by: aciceri
SSH key fingerprint: SHA256:/AagBweyV4Hlfg9u092n8hbHwD5fcB6A3qhDiDA65Rg
70 changed files with 1091 additions and 2018 deletions


@ -1,4 +1,4 @@
{
programs.adb.enable = true;
users.users.ccr.extraGroups = ["adbusers"];
ccr.extraGroups = ["adbusers"];
}


@ -3,4 +3,5 @@
hardware.pulseaudio.enable = true;
hardware.bluetooth.enable = true;
services.dbus.packages = with pkgs; [blueman];
ccr.extraGroups = ["bluetooth"];
}


@ -5,55 +5,74 @@
fleetHmModules,
fleetFlake,
...
}: {
}: let
cfg = config.ccr;
inherit (lib) types;
in {
options.ccr = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
enable = lib.mkEnableOption "ccr";
username = lib.mkOption {
type = types.str;
default = "ccr";
};
description = lib.mkOption {
type = types.str;
default = "Andrea Ciceri";
};
shell = lib.mkOption {
type = lib.types.package;
default = pkgs.fish;
};
modules = lib.mkOption {
type = with lib.types; listOf str;
type = types.listOf types.str;
default = [];
};
packages = lib.mkOption {
type = with lib.types; listOf package;
type = types.listOf types.package;
default = [];
};
autologin = lib.mkOption {
type = lib.types.bool;
type = types.bool;
default = false;
};
authorizedKeys = lib.mkOption {
type = with lib.types; listOf str;
type = types.listOf types.str;
default = builtins.attrValues (import "${fleetFlake}/lib").keys.users;
};
hashedPassword = lib.mkOption {
type = lib.types.str;
type = types.str;
default = "$6$JGOefuRk7kL$fK9.5DFnLLoW08GL4eKRyf958jyZdw//hLMaz4pp28jJuSFb24H6R3dgt1.sMs0huPY85rludSw4dnQJG5xSw1"; # mkpasswd -m sha-512
};
extraGroups = lib.mkOption {
type = with lib.types; listOf str;
default = ["wheel" "fuse" "networkmanager" "dialout"];
type = types.listOf types.str;
default = {};
};
extraModules = lib.mkOption {
type = types.listOf types.deferredModule;
default = [];
};
};
config = lib.mkIf config.ccr.enable {
ccr.extraGroups = ["wheel" "fuse" "networkmanager" "dialout"];
config = lib.mkIf cfg.enable {
# FIXME shouldn't set these groups by default
ccr.extraGroups = ["wheel" "fuse" "video" "dialout" "systemd-journal" "camera"];
ccr.modules = ["shell" "git" "nix-index"];
users.users.ccr = {
users.users.${cfg.username} = {
inherit (config.ccr) hashedPassword extraGroups description;
uid = 1000;
inherit (config.ccr) hashedPassword;
description = "Andrea Ciceri";
isNormalUser = true;
inherit (config.ccr) extraGroups;
shell = pkgs.fish;
shell = cfg.shell;
openssh.authorizedKeys.keys = config.ccr.authorizedKeys;
};
@ -61,22 +80,24 @@
services.getty.autologinUser =
if config.ccr.autologin
then "ccr"
then cfg.username
else null;
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.ccr = {
home-manager.users.${cfg.username} = {
imports =
fleetHmModules config.ccr.modules
fleetHmModules cfg.modules
++ [
{
_module.args = {
inherit (config.age) secrets;
inherit (cfg) username;
};
}
];
home.packages = config.ccr.packages;
]
++ cfg.extraModules;
home.packages = cfg.packages;
home.stateVersion = config.system.stateVersion;
};
};
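Review bot: The new `extraGroups` option is typed `types.listOf types.str` but its default is `{}`, an attribute set; every other list option in this hunk uses `default = [];` and this one should too, otherwise evaluation fails as soon as no module defines the option. The same hunk mixes two spellings for the module config: most new lines use `cfg.*`, while the `users.users.${cfg.username}` block still reads `inherit (config.ccr) hashedPassword extraGroups description;` and `config.ccr.authorizedKeys` — settling on `cfg` throughout would read cleaner. The `# FIXME shouldn't set these groups by default` line deserves one more sentence, since `wheel` is the group that NixOS's default sudo rule grants administrative rights to: `# NOTE: wheel implies sudo; video/camera grant device access — enabling the module is an admin grant`. The second hunk (home-manager imports) is fine as written.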


@ -0,0 +1,15 @@
{config, ...}: {
services.cloudflare-dyndns = {
enable = true;
ipv4 = true;
ipv6 = true;
domains = [
"sevenofnix.aciceri.dev"
"home.aciceri.dev"
"torrent.aciceri.dev"
"search.aciceri.dev"
"invidious.aciceri.dev"
];
apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;
};
}


@ -7,13 +7,10 @@
"nix"
];
hardware.i2c.enable = true;
system.stateVersion = lib.mkForce "22.11";
time.timeZone = lib.mkDefault "Europe/Rome";
networking.useDHCP = lib.mkDefault true;
users.mutableUsers = false;
# TODO remove
users.users.root.password = "password";
i18n.defaultLocale = "en_US.UTF-8";
nixpkgs.config.allowUnfree = true;
nixpkgs.config.allowUnfree = true; # Forgive me Mr. Stallman :(
}


@ -1,4 +1,4 @@
{pkgs, ...}: {
services.dbus.packages = with pkgs; [dconf];
services.dbus.packages = [pkgs.dconf];
programs.dconf.enable = true;
}


@ -1,14 +1,13 @@
{
config,
lib,
pkgs,
config,
...
}: {
virtualisation.docker.enable = true;
virtualisation.podman.enable = true;
users.users.ccr.extraGroups = ["docker"];
users.users.${config.ccr.username}.extraGroups = ["docker"];
environment.systemPackages = with pkgs; [
docker-compose
podman-compose
];
ccr.extraGroups = ["docker"];
}
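Review bot: The docker group membership appears in two forms on the new side, `users.users.${config.ccr.username}.extraGroups = ["docker"]` and `ccr.extraGroups = ["docker"]`, and the rendering does not show which one the commit keeps; the adb, bluetooth and networkmanager modules in the same commit all route through `ccr.extraGroups`, so this module should use that single form as well. Whichever line stays is worth a comment along the lines of `# docker group = control of the daemon socket, effectively root on this host`, because the module also enables podman and a reader may not expect the two group grants to differ so much in privilege.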


@ -1,6 +1,6 @@
{pkgs, ...}: {
fonts = {
fonts = with pkgs; [powerline-fonts dejavu_fonts fira-code fira-code-symbols iosevka iosevka-comfy.comfy emacs-all-the-icons-fonts nerdfonts joypixels etBook];
packages = with pkgs; [powerline-fonts dejavu_fonts fira-code fira-code-symbols iosevka iosevka-comfy.comfy emacs-all-the-icons-fonts nerdfonts joypixels etBook];
fontconfig.defaultFonts = {
monospace = ["DejaVu Sans Mono for Powerline"];
sansSerif = ["DejaVu Sans"];


@ -1,4 +1,4 @@
{pkgs, ...}: {
{
services.fprintd = {
enable = false; # temporarily disable
};


@ -69,7 +69,7 @@ in {
default_config = {};
http = {
use_x_forwarded_for = true;
trusted_proxies = ["10.100.0.1"];
trusted_proxies = ["127.0.0.1" "::1"];
};
# ffmpeg = {};
# camera = [


@ -0,0 +1,3 @@
{
services.invidious.enable = true;
}


@ -1,13 +1,6 @@
{config, ...}: {
imports = [../nginx-base];
services.nginx.virtualHosts = {
"bubbleupnp.mothership.aciceri.dev" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://rock5b.fleet:58050";
};
};
"home.aciceri.dev" = {
forceSSL = true;
enableACME = true;
@ -27,6 +20,14 @@
proxyPass = "http://rock5b.fleet:9091";
};
};
"sevenofnix.aciceri.dev" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://thinkpad.fleet:8010";
proxyWebsockets = true;
};
};
"photos.aciceri.dev" = {
forceSSL = true;
enableACME = true;


@ -0,0 +1,5 @@
{lib, ...}: {
networking.networkmanager.enable = true;
ccr.extraGroups = ["networkmanager"];
networking.useDHCP = lib.mkDefault true;
}


@ -1,7 +1,6 @@
{
config,
lib,
pkgs,
fleetFlake,
...
}: {
@ -12,61 +11,47 @@
auto-optimise-store = true;
trusted-users = [
"root"
"ccr"
config.ccr.username
"@wheel"
];
netrc-file = "/etc/nix/netrc";
# Disabled all the substituters, this should be managed at flakes level
# trusted-public-keys = [
# "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ="
# "mlabs.cachix.org-1:gStKdEqNKcrlSQw5iMW6wFCj3+b+1ASpBVY2SYuNV2M="
# "aciceri-fleet.cachix.org-1:e1AodrwmzRWy0eQi3lUY71M41fp9Sq+UpuKKv705xsI="
# "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
# ];
# substituters = [
# "https://cache.iog.io"
# "https://mlabs.cachix.org"
# "https://aciceri-fleet.cachix.org"
# "https://nix-community.cachix.org"
# ];
};
extraOptions = ''
experimental-features = nix-command flakes ca-derivations
builders-use-substitutes = true
'';
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
options = "--delete-older-than 180d";
};
# buildMachines = [
# {
# hostName = "rock5b.fleet";
# system = "aarch64-linux";
# maxJobs = 6;
# speedFactor = 1;
# supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
# mandatoryFeatures = [];
# # sshKey = "/var/lib/hydra/queue-runner/.ssh/id_rsa";
# sshUser = "root";
# }
# ];
distributedBuilds = true;
registry = lib.mkForce {
nixpkgs.to = {
type = "path";
path = fleetFlake.inputs.nixpkgsUnstable;
};
nixpkgsUnstable.to = {
type = "path";
path = fleetFlake.inputs.nixpkgsUnstable;
};
nixpkgsStable.to = {
type = "path";
path = fleetFlake.inputs.nixpkgsStable;
};
n.to = {
type = "path";
path = fleetFlake.inputs.nixpkgsUnstable;
};
nixfleet.to = {
type = "path";
path = "/home/ccr/projects/aciceri/nixfleet";
path = "/home/${config.ccr.username}/projects/aciceri/nixfleet";
};
fleet.to = {
type = "path";
path = "/home/${config.ccr.username}/projects/aciceri/nixfleet";
};
};
};
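Review bot: Adding `config.ccr.username` to `trusted-users` is redundant with the `"@wheel"` entry right below it, since the ccr module in this same commit puts the user in `wheel` by default, and the Nix manual describes a trusted user as essentially having root access to the system, so the list is best kept minimal with a comment stating why each entry is there — e.g. `# trusted-users is root-equivalent; @wheel already covers the interactive user`. In the registry block, `nixfleet` and `fleet` point to the same path and `nixpkgs`, `nixpkgsUnstable` and `n` all point to `fleetFlake.inputs.nixpkgsUnstable`; a `let` binding for the two paths would remove the duplication and make a future rename a one-line change (which of these entries are new cannot be told from the rendering, but both `${config.ccr.username}` paths clearly are). The enclosing attribute set starts before the first hunk.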


@ -0,0 +1,3 @@
{
services.pipewire.enable = true;
}


@ -0,0 +1,98 @@
{config, ...}: {
imports = [../nginx-base];
services.nginx.virtualHosts = {
localhost.listen = [{addr = "127.0.0.1";}];
"home.aciceri.dev" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${builtins.toString config.services.home-assistant.config.http.server_port}";
proxyWebsockets = true;
};
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
'';
};
"torrent.aciceri.dev" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${builtins.toString config.services.transmission.settings.rpc-port}";
};
};
"search.aciceri.dev" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8888";
};
};
"invidious.aciceri.dev" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${builtins.toString config.services.invidious.port}";
};
};
"sevenofnix.aciceri.dev" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://10.1.1.2:${builtins.toString config.services.buildbot-master.port}";
proxyWebsockets = true;
};
};
};
# services.oauth2_proxy = {
# enable = true;
# provider = "oidc";
# reverseProxy = true;
# # replaces following options with .keyFile
# clientID = "shouldThisBePrivate?";
# clientSecret = "thisShouldBePrivate";
# cookie.secret = "thisShouldBePrivate00000";
# email.domains = [ "*" ];
# extraConfig = {
# # custom-sign-in-logo = "${../../lib/mlabs-logo.svg}";
# # scope = "user:email";
# # banner = "MLabs Status";
# # whitelist-domain = ".status.staging.mlabs.city";
# oidc-issuer-url = "http://127.0.0.1:5556/dex";
# };
# # redirectURL = "https://status.staging.mlabs.city/oauth2/callback";
# # keyFile = config.age.secrets.status-oauth2-secrets.path;
# # cookie.domain = ".status.staging.mlabs.city";
# nginx = {
# virtualHosts = [
# "search.aciceri.dev"
# ];
# };
# };
# services.dex = {
# enable = true;
# settings = {
# issuer = "http://127.0.0.1:5556/dex";
# storage = {
# type = "postgres";
# config.host = "/var/run/postgresql";
# };
# web = {
# http = "127.0.0.1:5556";
# };
# enablePasswordDB = true;
# staticClients = [
# {
# # id = "oidcclient";
# # name = "client";
# # redirecturis = [ "https://login.aciceri.dev/callback" ];
# # secretfile = "/etc/dex/oidcclient"; # the content of `secretfile` will be written into to the config as `secret`.
# }
# ];
# };
# };
}
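Review bot: Nothing in this file places authentication in front of `torrent.aciceri.dev`, `search.aciceri.dev` or `invidious.aciceri.dev`, and the torrent host proxies straight to the transmission RPC port; unless `rpc-authentication-required` is set in the transmission settings elsewhere in the repo, the RPC is reachable by anyone who resolves the name, which the commented-out oauth2_proxy block suggests was already on the author's mind. A one-line comment per public vhost saying where its access control lives (or that it is intentionally open) would make that reviewable. The `extraConfig` on `home.aciceri.dev` repeats the `Upgrade`/`Connection` headers that `proxyWebsockets = true` already emits for the location, so it can probably be dropped, and `search.aciceri.dev` hard-codes `8888` while every other upstream is derived from the owning service's config. The commented-out oauth2_proxy/dex blocks carry placeholder secrets and hostnames from another project; dead config like that is better deleted and recovered from history when needed.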


@ -0,0 +1,42 @@
{
services = {
samba-wsdd = {
enable = true;
workgroup = "WORKGROUP";
hostname = "rock5b";
discovery = true;
};
samba = {
enable = true;
securityType = "user";
extraConfig = ''
workgroup = WORKGROUP
server string = rock5b
netbios name = rock5b
security = user
map to guest = bad user
vfs objects = recycle
recycle:repository = .recycle
recycle:keeptree = yes
recycle:versions = yes
'';
shares = {
torrent = {
path = "/mnt/hd/torrent";
comment = "torrent";
"force user" = "ccr";
browseable = "yes";
writeable = "yes";
"guest ok" = "yes";
"read only" = "no";
};
};
};
};
networking.firewall = {
allowedTCPPorts = [139 445];
allowedUDPPorts = [138];
};
}
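Review bot: `networking.firewall.allowedTCPPorts = [139 445]` opens SMB on every non-trusted interface, and the share is writable by unauthenticated guests (`map to guest = bad user` together with `"guest ok" = "yes"` and `"read only" = "no"`, with all writes forced to `ccr`), so if rock5b has any interface beyond the LAN the torrent directory is world-writable from there. Scoping the rule to the LAN, `networking.firewall.interfaces."<LAN_IFACE>".allowedTCPPorts = [139 445];` (placeholder for the real interface name, and likewise for UDP 138), keeps the guest share local; a comment stating that guest write access is intended would document the choice either way. `securityType = "user"` and `security = user` in `extraConfig` say the same thing twice, and `"force user" = "ccr"` plus `server string = rock5b` hard-code values the rest of this commit derives from `config.ccr.username` and the host name. `samba-wsdd.enable = true` is set without opening its ports, so discovery from other machines will not work unless `services.samba-wsdd.openFirewall` is set somewhere else.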

10
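--- a/modules/searx/default.nix
+++ b/modules/searx/default.nix
@@ -0,0 +1,10 @@
+{pkgs, ...}: {
+services.searx = {
+enable = true;
+package = pkgs.searxng;
+settings = {
+server.secret_key = "secret";
+search.formats = ["html" "json"];
+};
+};
+}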
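Review bot: `server.secret_key = "secret"` commits a trivial, public value for the key searx uses to sign its sessions, while the rest of this commit keeps secrets in agenix (`config.age.secrets.*`). The NixOS searx module has `services.searx.environmentFile`, and `@VAR@` references inside `settings` are substituted from it, so `server.secret_key = "@SEARX_SECRET_KEY@";` plus `environmentFile = config.age.secrets.<searx-env-secret>.path;` (placeholder secret name) keeps the key out of the repository. Enabling the `json` format exposes an unauthenticated JSON endpoint on the public `search.aciceri.dev` vhost; if that is intended, a one-line comment saying why makes the choice reviewable.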


@ -0,0 +1,24 @@
{config, ...}: {
# For unlocking the disk connect using ssh and type
# systemctl start initrd-nixos-activation
boot.initrd = {
network = {
enable = true;
ssh = {
enable = true;
ignoreEmptyHostKeys = true;
extraConfig = ''
HostKey /ssh_initrd_host_ed25519_key
'';
};
};
systemd = {
enable = true;
storePaths = ["${config.programs.ssh.package}/bin/ssh-keygen"];
services.sshd.preStart = ''
${config.programs.ssh.package}/bin/ssh-keygen -t ed25519 -N "" -f /ssh_initrd_host_ed25519_key
chmod 600 /ssh_initrd_host_ed25519_key
'';
};
};
}
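Review bot: The `sshd.preStart` hook regenerates `/ssh_initrd_host_ed25519_key` on every boot, so the initrd sshd presents a fresh host key each time and the client performing the remote unlock can never pin it — the one session in which the disk passphrase is typed is exactly the one whose peer identity cannot be verified. `boot.initrd.network.ssh.hostKeys` takes paths to persistent host keys that are copied into the initrd at build time (they have to live outside the encrypted volume, e.g. `/etc/secrets/initrd/<key>` as in the option's documentation), and with it `ignoreEmptyHostKeys`, `storePaths` and the preStart script can all go. If the ephemeral key is a deliberate choice, the comment at the top should say so and explain how the operator is expected to trust the key, since a changed-host-key warning on the client is otherwise the only signal.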


@ -5,11 +5,9 @@
fail2ban = {
enable = true;
maxretry = 10;
ignoreIP = [
"88.198.49.106"
"10.100.0.1/24"
];
};
};
# This makes sense only because I'm the only user for these machines
users.users.root.openssh.authorizedKeys.keys = builtins.attrValues (with (import "${fleetFlake}/lib"); keys.users // keys.hosts);
}


@ -0,0 +1,6 @@
{config, ...}: {
programs.virt-manager.enable = true;
virtualisation.libvirtd.enable = true;
users.users."${config.ccr.username}".extraGroups = ["libvirtd"];
virtualisation.libvirtd.qemu.swtpm.enable = true;
}
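Review bot: `users.users."${config.ccr.username}".extraGroups = ["libvirtd"]` bypasses the `ccr.extraGroups` option that the adb, bluetooth and networkmanager modules in this commit use for the same purpose (and the quotes around the interpolation are unnecessary); `ccr.extraGroups = ["libvirtd"];` keeps group membership flowing through one option. A short comment that the `libvirtd` group grants access to the system libvirt socket — i.e. the ability to run VMs with host device access, the same privilege class as `docker` — would help a reader judge the grant.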


@ -6,6 +6,7 @@
networking.firewall = {
allowedUDPPorts = [51820];
};
networking.firewall.trustedInterfaces = ["wg0"];
networking.wireguard.interfaces = {
wg0 = {
ips = ["${(import "${fleetFlake}/lib").ips."${config.networking.hostName}"}/32"];
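Review bot: `networking.firewall.trustedInterfaces = ["wg0"]` accepts every port on the tunnel, so each wireguard peer reaches all listening services on this host, not just the ones the firewall exposes elsewhere; if the peers are not all equally trusted (they look like the fleet's own hosts, judging by the `ips` lookup below, but a compromised peer then has the same reach), `networking.firewall.interfaces.wg0.allowedTCPPorts = [ … ]` limits that to the services meant for the tunnel. Either way a comment such as `# wg0 is treated as an internal network: no per-port filtering` documents the intent. The enclosing attribute set starts before the hunk.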


@ -3,14 +3,13 @@
portal = {
enable = true;
extraPortals = with pkgs; [
xdg-desktop-portal-wlr
xdg-desktop-portal-gtk
xdg-desktop-portal-hyprland
];
config.common.default = "*";
};
};
services.pipewire.enable = true;
environment.sessionVariables = {
GTK_USE_PORTAL = "1";
};