Diffstat (limited to 'system')
-rw-r--r--system/linde.nix108
-rw-r--r--system/mba.nix31
-rwxr-xr-xsystem/nanopi.nix47
-rw-r--r--system/prefect.nix48
-rw-r--r--system/settings/dev.nix62
-rw-r--r--system/settings/gaming.nix4
-rw-r--r--system/settings/services/git-server.nix35
7 files changed, 278 insertions, 57 deletions
diff --git a/system/linde.nix b/system/linde.nix
index f255bc30..fc7b5bb0 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -16,10 +16,17 @@ let
   net-mask6 = "64";
   net-gw6 = "fe80::1";
   ts-domain = "hydra-pinecone.ts.net";
+  golink = (builtins.getFlake (toString <golink>)).nixosModules.default;
 in
 {
   imports =
     [
+      <personal/modules/nixos/laminar.nix>
+      <personal/modules/nixos/goatcounter.nix>
+      <home-manager/nixos>
+      <agenix/modules/age.nix>
+      <searchix/nix/modules>
+      golink
       # Include the results of the hardware scan.
       ./linde-hardware.nix
 
@@ -67,7 +74,6 @@ in
   environment.systemPackages = with pkgs; [
     htop
     lsof
-    gitMinimal
     powerdns
     sqlite-interactive
     knot-dns
@@ -304,7 +310,7 @@ in
   users.users.root.shell = "${pkgs.fish}/bin/fish";
   users.users.alan = {
     shell = "${pkgs.fish}/bin/fish";
-    extraGroups = [ "wheel" "caddy" "docker" ];
+    extraGroups = [ "wheel" "caddy" "docker" "laminar" ];
     isNormalUser = true;
     home = "/home/alan";
     createHome = true;
@@ -313,6 +319,9 @@ in
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8VIII+598QOBxi/52O1Kb19RdUdX0aZmS1/dNoyqc5 alan@hetzner.strongbox"
     ];
   };
+  home-manager = {
+    users.alan = import ../user/server.nix;
+  };
 
   users.users.nixremote = {
     shell = "/bin/sh";
@@ -336,11 +345,22 @@ in
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "23.05"; # Did you read the comment?
 
+  services.goatcounter = {
+    enable = true;
+    listenAddress = "localhost";
+    port = 8082;
+    package = (import <personal> { inherit pkgs; }).goatcounter;
+    settings = {
+      tls = "proxy";
+      websocket = true;
+    };
+  };
+
   services.powerdns =
     let
       inherit (lib.lists) flatten;
       inherit (lib.strings) concatStringsSep;
-      he = rec {
+      he = {
         notify = "216.218.130.2";
         axfr = [
           "216.218.133.2"
@@ -589,6 +609,9 @@ in
       reloadServices = map (x: "kresd@${toString x}") (range 1 config.services.kresd.instances);
       group = "knot-resolver";
     };
+    certs."stats.alanpearce.eu" = {
+      extraDomainNames = [ "*.stats.alanpearce.eu" ];
+    };
   };
   users.groups.acme.members = [
     "caddy"
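Review bot: The wildcard in `extraDomainNames = [ "*.stats.alanpearce.eu" ];` can only be issued through a DNS-01 challenge, and nothing in this hunk sets a `dnsProvider` for the new cert; if the defaults of the enclosing `security.acme` block (which starts outside the hunk) are HTTP-01, issuance will fail at activation and the `stats.alanpearce.eu` vhost added later in this file will have no certificate. Either give the cert its DNS-01 settings here or add a comment saying where they come from, e.g. `# wildcard requires DNS-01; provider inherited from security.acme.defaults`.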
@@ -676,7 +699,10 @@ in
           extraConfig = ''
             encode zstd gzip
             ${security-headers {}}
-            reverse_proxy localhost${config.services.ntfy-sh.settings.listen-http}
+            reverse_proxy localhost${config.services.ntfy-sh.settings.listen-http} {
+              health_uri /v1/health
+              health_body `"healthy":true`
+            }
           '';
         };
         "searchix.alanpearce.eu" = {
@@ -705,10 +731,32 @@ in
             ns = config.services.nix-serve;
           in
           {
+            useACMEHost = "alanpearce.eu";
             extraConfig = ''
               reverse_proxy ${ns.bindAddress}:${toString ns.port}
             '';
           };
+        "ci.alanpearce.eu" =
+          let
+            srv = config.services.laminar;
+          in
+          {
+            useACMEHost = "alanpearce.eu";
+            extraConfig = ''
+              reverse_proxy ${srv.settings.bindHTTP}
+            '';
+          };
+        "stats.alanpearce.eu" =
+          let
+            srv = config.services.goatcounter;
+          in
+          {
+            useACMEHost = "stats.alanpearce.eu";
+            serverAliases = [ "*.stats.alanpearce.eu" ];
+            extraConfig = ''
+              reverse_proxy ${srv.listenAddress}:${toString srv.port}
+            '';
+          };
       };
   };
   systemd.services.caddy.serviceConfig = {
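Review bot: The `"ci.alanpearce.eu"` vhost proxies Laminar's web UI (`srv.settings.bindHTTP`) to a public hostname with no access control in its `extraConfig`; Laminar's UI ships without authentication, so job output and run history become readable by anyone who can reach the host. If a public read-only dashboard is the intent, a one-line comment such as `# public CI dashboard; job logs must not echo secrets` would spare the next reader the question; otherwise gate the block with `basic_auth` or a `remote_ip` matcher. The other two vhosts in this hunk look consistent with the cert and alias settings elsewhere in the file.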
@@ -906,17 +954,17 @@ in
             {
               script-src = [
                 (baseURL + "/static/")
-                "https://gc.zgo.at"
+                "https://searchix.stats.alanpearce.eu"
                 "https://js-de.sentry-cdn.com"
                 "https://browser.sentry-cdn.com"
               ];
               img-src = [
                 self
-                "https://gc.zgo.at"
+                "https://searchix.stats.alanpearce.eu"
               ];
               connect-src = [
                 self
-                "https://searchix.goatcounter.com/count"
+                "https://searchix.stats.alanpearce.eu/count"
                 "*.sentry.io"
               ];
               worker-src = [
@@ -927,8 +975,8 @@ in
             <script async
               src="https://js-de.sentry-cdn.com/d735e99613a86e1625fb85d0e8e762de.min.js"
               crossorigin="anonymous"></script>
-            <script data-goatcounter="https://searchix.goatcounter.com/count"
-                    async src="//gc.zgo.at/count.v4.js"
+            <script data-goatcounter="https://searchix.stats.alanpearce.eu/count"
+                    async src="//searchix.stats.alanpearce.eu/count.v4.js"
                     crossorigin="anonymous"
                     integrity="sha384-nRw6qfbWyJha9LhsOtSb2YJDyZdKvvCFh0fJYlkquSFjUxp9FVNugbfy8q1jdxI+"></script>
           '';
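Review bot: The `src` on the new side now points at `//searchix.stats.alanpearce.eu/count.v4.js`, but the `integrity="sha384-…"` attribute on the unchanged line below still carries the hash computed for the CDN's copy of the script; subresource integrity hashes the exact bytes served, so if the self-hosted file differs in any byte (different goatcounter release, whitespace, trailing newline) the browser refuses to run it and analytics silently stop. Recompute the hash from the bytes the new origin actually serves, or drop the attribute with a comment noting that the script is now same-origin. The CSP hunk just above this one makes the matching `script-src`/`img-src`/`connect-src` changes, so only the hash is left over.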
@@ -958,4 +1006,46 @@ in
       };
     };
   };
+
+  programs.git = {
+    enable = true;
+    package = pkgs.gitMinimal;
+    config = {
+      advice = {
+        detachedHead = false;
+        mergeConflict = false;
+      };
+    };
+  };
+
+  systemd.services.laminar.environment = {
+    NIX_PATH = "nixpkgs=${<nixpkgs>}";
+  };
+  services.laminar = {
+    enable = true;
+    path = with pkgs; [
+      bash
+      coreutils
+      git
+      cached-nix-shell
+      nix
+      config.programs.ssh.package
+      flock
+      just
+    ];
+    settings = {
+      bindHTTP = "[::1]:8002";
+      keepRundirs = 1;
+    };
+  };
+  users.users.laminar = {
+    homeMode = "770";
+  };
+
+  virtualisation.containers = {
+    enable = true;
+    policy = {
+      default = [{ type = "insecureAcceptAnything"; }];
+    };
+  };
 }
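Review bot: `policy = { default = [{ type = "insecureAcceptAnything"; }]; };` turns off image signature verification for every registry, and spelling it out here reads as a deliberate decision although, to my knowledge, it matches the NixOS module default; a short why-comment such as `# no signed images in use; accept unsigned pulls from all registries` would make the intent explicit. The same hunk sets `users.users.laminar.homeMode = "770"`, which together with `"laminar"` being added to alan's `extraGroups` earlier in this file gives that account write access to the CI home directory — also worth a comment stating the purpose. The service-scoped `NIX_PATH` only defines `nixpkgs`, so any job that references `<personal>` the way this file does will not resolve it; confirm that is intended.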
diff --git a/system/mba.nix b/system/mba.nix
index abed520b..cc8c81da 100644
--- a/system/mba.nix
+++ b/system/mba.nix
@@ -1,10 +1,16 @@
 { ... }: {
   imports = [
     ./settings/darwin.nix
-    ./settings/programs/base.nix
+    ./settings/dev.nix
     ./settings/programs/shell.nix
+    <personal/modules/darwin/caddy>
   ];
 
+  services.caddy = {
+    user = "root";
+    group = "wheel";
+  };
+
   networking = {
     hostName = "mba";
   };
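Review bot: `services.caddy = { user = "root"; group = "wheel"; };` runs the reverse proxy, its TLS termination and its internal-CA state as root on the laptop, and nothing in the hunk says why; if it is only to bind ports 80/443, say so in a comment (`# root needed to bind privileged ports under launchd`), and if the `<personal/modules/darwin/caddy>` module (outside this diff) offers a dedicated user or a port workaround, that would be the safer default. Note also that `./settings/programs/base.nix` is replaced by `./settings/dev.nix` rather than kept alongside it — confirm base.nix is reached through another import or that dropping it is intended.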
@@ -37,27 +43,4 @@
       supportedFeatures = [ ];
     }
   ];
-
-  nix.linux-builder = {
-    maxJobs = 4;
-    config = { pkgs, ... }: {
-      virtualisation = {
-        darwin-builder = {
-          diskSize = 60 * 1024;
-          memorySize = 8 * 1024;
-        };
-        cores = 4;
-      };
-      # don't go crazy with this setup, it rebuilds the VM
-      imports = [
-        ./settings/configuration/user.nix
-        ./settings/programs/shell.nix
-      ];
-      environment.systemPackages = with pkgs; [
-        kitty.terminfo
-        hello
-      ];
-    };
-    systems = [ "aarch64-linux" ];
-  };
 }
diff --git a/system/nanopi.nix b/system/nanopi.nix
index 6ee61e69..3c49ec8f 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -504,11 +504,9 @@ in
         "/ts.net/tailscale"
       ];
       localise-queries = true;
-      cname = [
-        "ha,home-assistant"
-      ];
       interface-name = [
         "nanopi.${domain},bridge0"
+        "ca.${domain},bridge0"
         "wan.${domain},wan0"
         "wlan.${domain},wlan0"
       ];
@@ -538,7 +536,8 @@ in
       dhcp-rapid-commit = true;
       dhcp-range = [
         "10.0.1.0,10.0.1.250,12h"
-        "::,constructor:bridge0,ra-stateless,ra-names,48h"
+        "fd12:d04f:65d:42::,slaac,ra-names,48h"
+        "::,constructor:bridge0,ra-stateless,48h"
       ];
       dhcp-host = [
         "00:a0:de:b3:0c:01,10.0.0.50,wxa-50"
@@ -609,6 +608,46 @@ in
     };
   };
 
+  services.caddy = {
+    enable = true;
+    globalConfig = ''
+      auto_https disable_redirects
+      pki {
+        ca home {
+          name "Home CA"
+        }
+      }
+    '';
+    virtualHosts = {
+      "nanopi.${domain}" = {
+        serverAliases = [ "nanopi.${ts_domain}" ];
+        extraConfig = ''
+          tls {
+            issuer internal {
+              ca home
+            }
+          }
+          root /var/lib/caddy/ca
+          file_server browse
+        '';
+      };
+      "ca.${domain}" = {
+        extraConfig = ''
+          tls {
+            issuer internal {
+              ca home
+            }
+          }
+          acme_server {
+            allow {
+              domains *.test *.${domain}
+            }
+          }
+        '';
+      };
+    };
+  };
+
   system.stateVersion = "23.05";
 
   programs.fish = {
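Review bot: `"nanopi.${domain}"` serves `root /var/lib/caddy/ca` with `file_server browse`, which lists that directory to every client on the LAN and, via the `nanopi.${ts_domain}` alias, over Tailscale; the only file that belongs there is the public root certificate of the `home` CA, and the path must never be Caddy's own data directory, where the CA's signing key is stored. A comment pinning that contract, e.g. `# public root cert of the "home" CA only — never the key material`, would make it auditable. The `ca.${domain}` `acme_server` then issues certificates for `*.test *.${domain}` to any client that can reach it with no further authentication; presumably acceptable on a home network, but it should be stated so a later reader does not assume it is restricted.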
diff --git a/system/prefect.nix b/system/prefect.nix
index 0fc80eb9..980e35ff 100644
--- a/system/prefect.nix
+++ b/system/prefect.nix
@@ -23,6 +23,7 @@
     ./settings/programs/kde.nix
     ./settings/programs/shell.nix
     ./settings/programs/docker.nix
+    ./settings/dev.nix
     ./settings/gaming.nix
     <nixos-hardware/common/cpu/amd>
     <nixos-hardware/common/cpu/amd/pstate.nix>
@@ -31,6 +32,26 @@
     <nixos-hardware/common/gpu/nvidia>
   ];
 
+  virtualisation.vmVariant = {
+    disabledModules = [
+      ./settings/hardware/nvidia-gpu.nix
+      ./settings/hardware/bare-metal.nix
+      ./settings/gaming.nix
+      ./settings/user-interface.nix
+      ./settings/programs/kde.nix
+      <nixos-hardware/common/cpu/amd>
+      <nixos-hardware/common/cpu/amd/pstate.nix>
+      <nixos-hardware/common/pc/ssd>
+      <nixos-hardware/common/pc>
+      <nixos-hardware/common/gpu/nvidia>
+    ];
+    services.qemuGuest.enable = true;
+    virtualisation = {
+      memorySize = 4096;
+      cores = 4;
+    };
+  };
+
   nixpkgs.hostPlatform = "x86_64-linux";
 
   services.xserver.screenSection = ''
@@ -148,10 +169,35 @@
     dnssec = "true";
   };
 
-  services.tailscale.enable = true;
+  services.tailscale = {
+    enable = true;
+    extraUpFlags = [
+      "--accept-dns=true"
+      "--accept-routes=false"
+    ];
+  };
 
   system.stateVersion = "23.05";
 
+  security.pki.certificates = [
+    ''
+      -----BEGIN CERTIFICATE-----
+      MIIBozCCAUqgAwIBAgIRAJ1slNK3lsucmYYUbtGRUvswCgYIKoZIzj0EAwIwMDEu
+      MCwGA1UEAxMlQ2FkZHkgTG9jYWwgQXV0aG9yaXR5IC0gMjAyNCBFQ0MgUm9vdDAe
+      Fw0yNDA2MjYxNTM3MTJaFw0zNDA1MDUxNTM3MTJaMDAxLjAsBgNVBAMTJUNhZGR5
+      IExvY2FsIEF1dGhvcml0eSAtIDIwMjQgRUNDIFJvb3QwWTATBgcqhkjOPQIBBggq
+      hkjOPQMBBwNCAAR1fc1TOhp9oNy/p40BfUd+E13b1/URwwocuZ5w0SKHTE/t8Hp+
+      7Zd9ZTYvQ7WxFfaVxmBCcFMUJsTm7bbYTEvlo0UwQzAOBgNVHQ8BAf8EBAMCAQYw
+      EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUcnlbpAM2ZCRsiCzdFiM5EjCm
+      aoEwCgYIKoZIzj0EAwIDRwAwRAIgcKf3vRiF87G0r2+vgBbyfWo4D2TDQWkSrfek
+      Q0f1Q5UCIEmyeqrifbp5JnZqtm3IlGVIEQcUeVygqnV/xW3xCAgT
+      -----END CERTIFICATE-----
+    ''
+  ];
+  networking.hosts = {
+    "127.0.0.80" = [ "alanpearce.test" "alanpearce.localhost" ];
+  };
+
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
   nix.settings.trusted-users = [ "root" "nixremote" ];
   services.displayManager.hiddenUsers = [ "nixremote" ];
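Review bot: The certificate added to `security.pki.certificates` appears (from its base64 subject) to be a `Caddy Local Authority - 2024 ECC Root` with a roughly ten-year validity, and trusting it system-wide means whoever holds its private key can issue a certificate for any hostname this machine connects to, not only `*.test` / `*.localhost`; the hunk carries no comment saying which Caddy instance generated it or where that key lives. Add something like `# root of the local dev CA generated by services.caddy in settings/dev.nix; key stays in that host's Caddy data directory` — adjusted to what is actually true — so the trust relationship can be traced and revoked. The `networking.hosts` entry for `alanpearce.test` matches the `/etc/hosts` reminder in dev.nix, which is good.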
diff --git a/system/settings/dev.nix b/system/settings/dev.nix
new file mode 100644
index 00000000..7d2e6193
--- /dev/null
+++ b/system/settings/dev.nix
@@ -0,0 +1,62 @@
+{ ... }: {
+  services.caddy = {
+    enable = true;
+    globalConfig = ''
+      auto_https disable_redirects
+    '';
+    virtualHosts =
+      let
+        local_tls = ''
+          tls {
+            issuer internal {
+              ca local
+            }
+          }
+        '';
+      in
+      {
+        "localhost" = {
+          logFormat = "output discard";
+          extraConfig = ''
+            ${local_tls}
+            acme_server {
+              allow {
+                domains *.test *.localhost
+              }
+            }
+          '';
+        };
+        # need to test forwarding behaviour
+        "https://alanpearce.localhost" = {
+          logFormat = "output discard";
+          serverAliases = [
+            "http://alanpearce.localhost"
+
+            # remember to update /etc/hosts
+            "https://alanpearce.test"
+            "http://alanpearce.test"
+          ];
+          extraConfig = ''
+            ${local_tls}
+            reverse_proxy http://alanpearce.test:8080 {
+              transport http {
+                dial_timeout 1s
+                compression off
+              }
+            }
+          '';
+        };
+        "searchix.localhost" = {
+          logFormat = "output discard";
+          extraConfig = ''
+            reverse_proxy http://localhost:7331 {
+              transport http {
+                dial_timeout 1s
+                compression off
+              }
+            }
+          '';
+        };
+      };
+  };
+}
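Review bot: `"searchix.localhost"` is the only vhost here that does not include `${local_tls}`, so it gets whatever issuer Caddy chooses by default instead of the `local` CA the other two are pinned to; if that is deliberate a comment should say so, otherwise add `${local_tls}` at the top of its `extraConfig` for consistency. The `"localhost"` vhost's `acme_server` issues certificates for `*.test *.localhost` to any client that can reach it, and with Caddy's default listener that includes other hosts on the network; a `bind 127.0.0.1` or a comment explaining why it is left open would help. The `# need to test forwarding behaviour` comment is too vague to act on — say what is being tested (presumably the `http://` aliases forwarding to the `https://` vhost).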
diff --git a/system/settings/gaming.nix b/system/settings/gaming.nix
index 17f25065..d11d5a3c 100644
--- a/system/settings/gaming.nix
+++ b/system/settings/gaming.nix
@@ -19,9 +19,9 @@
   };
   fonts.fontconfig.cache32Bit = true;
   hardware.steam-hardware.enable = true;
-  hardware.opengl = {
+  hardware.graphics = {
     enable = true;
-    driSupport32Bit = true;
+    enable32Bit = true;
   };
   hardware.pulseaudio.support32Bit = true;
   services.pipewire.alsa.support32Bit = true;
diff --git a/system/settings/services/git-server.nix b/system/settings/services/git-server.nix
index 0ef40ccc..e8fe6360 100644
--- a/system/settings/services/git-server.nix
+++ b/system/settings/services/git-server.nix
@@ -4,8 +4,7 @@
 , ...
 }:
 let
-  inherit (builtins) mapAttrs attrValues;
-  inherit (lib) pipe flatten mergeAttrsList mapAttrsToList;
+  inherit (lib) pipe flatten concatMapAttrs mapAttrsToList;
   inherit (import ../../../lib/caddy.nix { inherit lib; }) security-headers;
   repos = "${config.services.gitolite.dataDir}/repositories";
 
@@ -35,7 +34,7 @@ let
   createMirrorService =
     name: { hostname, username }:
     {
-      services."mirror-to-${name}@" = {
+      "mirror-to-${name}@" = {
         path = with pkgs; [ gitMinimal openssh ];
         serviceConfig = {
           Type = "oneshot";
@@ -48,7 +47,11 @@ let
           ConditionPathExists = "${repos}/%i.git/git-daemon-export-ok";
         };
       };
-      paths."mirror-to-${name}@" = {
+    };
+
+  createMirrorPath = name: { hostname, username }:
+    {
+      "mirror-to-${name}@" = {
         pathConfig = {
           PathChanged = "${repos}/%i.git/refs/heads";
           StartLimitIntervalSec = "1h";
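Review bot: `createMirrorPath = name: { hostname, username }:` destructures two fields that nothing in the visible body uses; the function continues past the hunk, but if they are unused there as well, `createMirrorPath = name: _:` states the contract more honestly and makes it obvious that only the mirror name drives the path unit. The split of the old combined function into `createMirrorService` and `createMirrorPath` is otherwise sound. The enclosing `let` block starts and ends outside this hunk.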
@@ -57,6 +60,7 @@ let
       };
     };
 
+
   mkMirrorWants = repo: map (target: "mirror-to-${target}@${repo}.path");
 in
 {
@@ -79,6 +83,7 @@ in
       push( @{$RC{ENABLE}}, 'D' );
       push( @{$RC{ENABLE}}, 'Shell alan' );
       push( @{$RC{ENABLE}}, 'cgit' );
+      push( @{$RC{ENABLE}}, 'repo-specific-hooks' );
     '';
   };
   services.legit = {
@@ -261,18 +266,14 @@ in
     ];
   };
 
-  systemd = (pipe
-    mirrors [
-    (mapAttrsToList createMirrorService)
-    mergeAttrsList
-  ]) // {
-    targets.git-mirroring = {
-      wantedBy = [ "multi-user.target" ];
-      wants = pipe
-        repoMirrors [
-        (mapAttrsToList mkMirrorWants)
-        flatten
-      ];
-    };
+  systemd.services = concatMapAttrs createMirrorService mirrors;
+  systemd.paths = concatMapAttrs createMirrorPath mirrors;
+  systemd.targets.git-mirroring = {
+    wantedBy = [ "multi-user.target" ];
+    wants = pipe
+      repoMirrors [
+      (mapAttrsToList mkMirrorWants)
+      flatten
+    ];
   };
 }