From c0f3d1dfb73b4b49155e46b0008ef2682e1fd8cb Mon Sep 17 00:00:00 2001 
From: Hendrik Sokolowski Date: Mon, 22 Aug 2022 00:53:04 +0200 Subject: [PATCH] add hosts --- flake.nix | 42 ++++- hosts/companion/companion.nix | 16 ++ hosts/companion/configuration.nix | 63 +++++++ hosts/companion/default.nix | 6 + hosts/companion/hardware-configuration.nix | 61 +++++++ hosts/companion/home-controller.nix | 55 ++++++ hosts/cox/configuration.nix | 64 +++++++ hosts/cox/cox.nix | 16 ++ hosts/cox/default.nix | 6 + hosts/cox/hardware-configuration.nix | 61 +++++++ hosts/cox/home-controller.nix | 55 ++++++ hosts/cube/acme.nix | 8 + hosts/cube/backup.nix | 34 ++++ hosts/cube/configuration.nix | 55 ++++++ hosts/cube/cube.nix | 15 ++ hosts/cube/default.nix | 6 + hosts/cube/drone.nix | 21 +++ hosts/cube/hardware-configuration.nix | 38 +++++ hosts/cube/home-assistant.nix | 19 +++ hosts/cube/nextcloud-apps.nix | 156 ++++++++++++++++++ hosts/cube/nextcloud.nix | 142 ++++++++++++++++ hosts/cube/wireguard.nix | 63 +++++++ hosts/falcone/configuration.nix | 57 +++++++ hosts/falcone/default.nix | 6 + hosts/falcone/falcone.nix | 16 ++ hosts/falcone/hardware-configuration.nix | 35 ++++ hosts/giggles/configuration.nix | 65 ++++++++ hosts/giggles/default.nix | 6 + hosts/giggles/giggles.nix | 16 ++ hosts/giggles/hardware-configuration.nix | 61 +++++++ hosts/giggles/home-controller.nix | 53 ++++++ .../.config/sway/config.d/screens.conf | 19 +++ hosts/harrison/configuration.nix | 49 ++++++ hosts/harrison/default.nix | 6 + hosts/harrison/hardware-configuration.nix | 70 ++++++++ hosts/harrison/harrison.nix | 21 +++ .../sway/config.d/custom-keybindings.conf | 16 ++ .../norman/.config/sway/config.d/screens.conf | 13 ++ hosts/norman/configuration.nix | 63 +++++++ hosts/norman/default.nix | 6 + hosts/norman/hardware-configuration.nix | 46 ++++++ hosts/norman/norman.nix | 22 +++ hosts/norman/wireguard.nix | 93 +++++++++++ hosts/ringo/configuration.nix | 35 ++++ hosts/ringo/default.nix | 6 + hosts/ringo/hardware-configuration.nix | 43 +++++ hosts/ringo/home-controller.nix | 43 
+++++ hosts/ringo/ringo.nix | 13 ++ modules/core/bluetooth.nix | 0 secrets/cube_drone_exec_runner_config.age | Bin 0 -> 1211 bytes secrets/cube_restic_repository_password.age | 21 +++ secrets/cube_restic_ssh_private_key.age | 22 +++ secrets/secrets.nix | 4 + 53 files changed, 1926 insertions(+), 2 deletions(-) create mode 100644 hosts/companion/companion.nix create mode 100644 hosts/companion/configuration.nix create mode 100644 hosts/companion/default.nix create mode 100644 hosts/companion/hardware-configuration.nix create mode 100644 hosts/companion/home-controller.nix create mode 100644 hosts/cox/configuration.nix create mode 100644 hosts/cox/cox.nix create mode 100644 hosts/cox/default.nix create mode 100644 hosts/cox/hardware-configuration.nix create mode 100644 hosts/cox/home-controller.nix create mode 100644 hosts/cube/acme.nix create mode 100644 hosts/cube/backup.nix create mode 100644 hosts/cube/configuration.nix create mode 100644 hosts/cube/cube.nix create mode 100644 hosts/cube/default.nix create mode 100644 hosts/cube/drone.nix create mode 100644 hosts/cube/hardware-configuration.nix create mode 100644 hosts/cube/home-assistant.nix create mode 100644 hosts/cube/nextcloud-apps.nix create mode 100644 hosts/cube/nextcloud.nix create mode 100644 hosts/cube/wireguard.nix create mode 100644 hosts/falcone/configuration.nix create mode 100644 hosts/falcone/default.nix create mode 100644 hosts/falcone/falcone.nix create mode 100644 hosts/falcone/hardware-configuration.nix create mode 100644 hosts/giggles/configuration.nix create mode 100644 hosts/giggles/default.nix create mode 100644 hosts/giggles/giggles.nix create mode 100644 hosts/giggles/hardware-configuration.nix create mode 100644 hosts/giggles/home-controller.nix create mode 100644 hosts/harrison/.config/sway/config.d/screens.conf create mode 100644 hosts/harrison/configuration.nix create mode 100644 hosts/harrison/default.nix create mode 100644 hosts/harrison/hardware-configuration.nix create mode 
100644 hosts/harrison/harrison.nix create mode 100644 hosts/norman/.config/sway/config.d/custom-keybindings.conf create mode 100644 hosts/norman/.config/sway/config.d/screens.conf create mode 100644 hosts/norman/configuration.nix create mode 100644 hosts/norman/default.nix create mode 100644 hosts/norman/hardware-configuration.nix create mode 100644 hosts/norman/norman.nix create mode 100644 hosts/norman/wireguard.nix create mode 100644 hosts/ringo/configuration.nix create mode 100644 hosts/ringo/default.nix create mode 100644 hosts/ringo/hardware-configuration.nix create mode 100644 hosts/ringo/home-controller.nix create mode 100644 hosts/ringo/ringo.nix create mode 100644 modules/core/bluetooth.nix create mode 100644 secrets/cube_drone_exec_runner_config.age create mode 100644 secrets/cube_restic_repository_password.age create mode 100644 secrets/cube_restic_ssh_private_key.age diff --git a/flake.nix b/flake.nix index f470690a..6699bdf8 100644 --- a/flake.nix +++ b/flake.nix @@ -45,6 +45,8 @@ # hensoko additions musnix.url = "github:musnix/musnix"; musnix.inputs.nixpkgs.follows = "nixos"; + + nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs"; }; outputs = @@ -107,7 +109,6 @@ digga.nixosModules.nixConfig home.nixosModules.home-manager agenix.nixosModules.age - musnix.nixosModules.musnix ]; }; @@ -124,6 +125,27 @@ (import ./tests/first-test.nix { pkgs = nixos.legacyPackages.x86_64-linux; lib = nixos.lib; }) ]; }; + + companion = { + system = "aarch64-linux"; + }; + cox = { + system = "aarch64-linux"; + }; + falcone = { + system = "aarch64-linux"; + }; + giggles = { + system = "aarch64-linux"; + }; + + norman = { }; + + harrison = { + modules = [ + musnix.nixosModules.musnix + ]; + }; }; importables = rec { profiles = digga.lib.rakeLeaves ./profiles // { 
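Review bot: The new `nixpkgs-hensoko` input is a bare `git+https://` URL with no `?ref=` or `?rev=` query, so the branch it tracks is implicit and only visible in flake.lock; make it explicit, e.g. `nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs?ref=<branch>";`. The input is not referenced by any hunk in this commit, so if nothing outside the diff consumes it yet it is an extra fetch and lock entry with no effect; a one-line comment on what it is for would help. The `inputs` set continues outside the hunk.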
@@ -134,7 +156,6 @@ iso = base ++ [ base-user graphical pub-solar-iso ]; pubsolaros = [ base-user users.root ]; anonymous = [ pubsolaros users.pub-solar ]; - pubsolaros-light = [ core-light base-user users.root ]; hensoko = pubsolaros ++ [ users.hensoko ]; hensoko-iot = [ server base-user users.root users.iot ]; @@ -151,6 +172,15 @@ # vm redpanda = hensoko; + + # home pc + harrison = hensoko ++ [ daw graphical non-free social work ]; + + # work laptop + norman = hensoko ++ [ graphical non-free social virtualisation work ]; + + # cm4 + falcone = hensoko-iot; }; }; }; @@ -186,6 +216,14 @@ path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko; }; }; + + companion = { sshUser = "iot"; }; + cox = { }; + giggles = { }; + ringo = { }; + cube = { + sshUser = "iot"; + }; }; }; } diff --git a/hosts/companion/companion.nix b/hosts/companion/companion.nix new file mode 100644 index 00000000..ca873721 --- /dev/null +++ b/hosts/companion/companion.nix @@ -0,0 +1,16 @@ +{ config, pkgs, lib, ... }: +with lib; +let + psCfg = config.pub-solar; + xdg = config.home-manager.users."${psCfg.user.name}".xdg; +in +{ + imports = [ + ./configuration.nix + ]; + + config = { + boot.plymouth.enable = lib.mkForce false; + pub-solar.nextcloud.enable = lib.mkForce false; + }; +} diff --git a/hosts/companion/configuration.nix b/hosts/companion/configuration.nix new file mode 100644 index 00000000..1b8dc6c7 --- /dev/null +++ b/hosts/companion/configuration.nix 
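Review bot: In the deploy hunk, `cox`, `giggles` and `ringo` get no `sshUser` while `companion` and `cube` are set to `"iot"`; since cox is configured as a twin of companion elsewhere in this commit (same home-controller role, same firewall rules), the mismatch looks unintended — confirm which user deploys to cox or add `cox = { sshUser = "iot"; };` as well. The earlier suites hunk drops `pubsolaros-light`; any host still importing that suite would fail to evaluate, which cannot be checked from the diff alone.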
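Review bot: In hosts/companion/companion.nix the `xdg` let-binding is never used and `with lib;` makes the explicit `lib.` prefix on `lib.mkForce` redundant; drop the unused binding and the `with`, keeping `lib.mkForce` for readability. The file is duplicated byte-for-byte as hosts/cox/cox.nix (same blob id ca873721), so the same cleanup applies there, and a shared module imported by both hosts would avoid the two copies drifting apart.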
@@ -0,0 +1,63 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+ ./home-controller.nix
+ ];
+
+ boot.loader.timeout = lib.mkForce 0;
+
+ boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
+
+ boot.loader.grub = {
+ enable = lib.mkForce true;
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "nodev";
+ };
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = false;
+ networking.interfaces.eth0.useDHCP = true;
+ networking.interfaces.wlan0.useDHCP = false;
+ networking.networkmanager.enable = lib.mkForce false;
+
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ nix = {
+ extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
+ };
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ vim
+ wget
+ ];
+
+ # Open ports in the firewall.
+ networking.firewall.allowedTCPPorts = [ 2380 6443 ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
+
diff --git a/hosts/companion/default.nix b/hosts/companion/default.nix
new file mode 100644
index 00000000..8cac5356
--- /dev/null
+++ b/hosts/companion/default.nix
@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+ imports = [
+ ./companion.nix
+ ] ++ suites.companion;
+}
diff --git a/hosts/companion/hardware-configuration.nix b/hosts/companion/hardware-configuration.nix
new file mode 100644
index 00000000..1b59fa36
--- /dev/null
+++ b/hosts/companion/hardware-configuration.nix
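Review bot: `networking.firewall.allowedTCPPorts = [ 2380 6443 ];` in hosts/companion/configuration.nix opens the etcd peer port and the Kubernetes API on every interface, including the DHCP-configured eth0, while the cluster peers are presumably reached over the wireguard tunnel declared in ./home-controller.nix; limit the rule to that link with `networking.firewall.interfaces.<wg-interface>.allowedTCPPorts = [ 2380 6443 ];` (the interface name is not visible in the diff). The `extraOptions` line only emits `experimental-features` when `config.nix.package == pkgs.nixFlakes`, and nothing in this file sets `nix.package`, so whether flakes are enabled here depends on a profile outside the diff — a comment naming that profile would help. hosts/cox/configuration.nix repeats both points.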
@@ -0,0 +1,61 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+ boot.initrd.supportedFilesystems = [ "zfs" ];
+ boot.supportedFilesystems = [ "zfs" ];
+
+ boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
+
+ boot.initrd.luks.devices = {
+ cryptroot = {
+ device = "/dev/disk/by-uuid/3bbde916-e12a-46a7-9eea-4f5e2aef7883";
+ keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1";
+ bypassWorkqueues = true;
+ fallbackToPassword = true;
+ };
+ };
+
+ fileSystems."/" =
+ {
+ device = "zroot/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/5552-1B21";
+ fsType = "vfat";
+ };
+
+ fileSystems."/var/lib/rancher/k3s/storage" =
+ {
+ device = "zroot/kubernetes-localstorage";
+ fsType = "zfs";
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/0545db4a-0494-44d7-927a-4c78351c4303"; }];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = false;
+ networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+ networking.hostId = "71f2d82a";
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
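Review bot: `networking.hostId = "71f2d82a";` is identical in hosts/companion/hardware-configuration.nix and hosts/cox/hardware-configuration.nix; ZFS records the hostId in the pool so that a pool still active on another machine is refused at import, and two hosts sharing the id lose that safeguard — give each host its own 8-hex-digit value. The header says the file is generated by nixos-generate-config and must not be modified, yet the LUKS block, the ZFS filesystem entries and `boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;` are hand edits; moving them into configuration.nix keeps a regeneration from silently discarding them. Both points apply to the cox file as well.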
diff --git a/hosts/companion/home-controller.nix b/hosts/companion/home-controller.nix
new file mode 100644
index 00000000..ff7ab606
--- /dev/null
+++ b/hosts/companion/home-controller.nix
@@ -0,0 +1,55 @@
+{ self, config, pkgs, ... }:
+
+{
+ config = {
+ age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
+ age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age";
+
+ pub-solar.home-controller = {
+ enable = true;
+ role = "server";
+ ownIp = "10.0.1.13";
+
+ k3s = {
+ serverAddr = "https://api.kube:6443";
+ tokenFile = "/run/agenix/home_controller_k3s_token";
+ enableLocalStorage = true;
+ enableZfs = true;
+ };
+
+ wireguard = {
+ privateKeyFile = "/run/agenix/home_controller_wireguard";
+ peers = [
+ {
+ # cube
+ publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
+ allowedIPs = [ "10.0.1.5/32" ];
+ endpoint = "data.gssws.de:51899";
+ persistentKeepalive = 25;
+ }
+ {
+ # giggles
+ publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+ allowedIPs = [ "10.0.1.11/32" ];
+ endpoint = "giggles.local:51899";
+ persistentKeepalive = 25;
+ }
+ {
+ # cox
+ publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+ allowedIPs = [ "10.0.1.12/32" ];
+ endpoint = "cox.local:51899";
+ persistentKeepalive = 25;
+ }
+ {
+ # ringo
+ publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
+ allowedIPs = [ "10.0.1.21/32" ];
+ endpoint = "ringo.local:51899";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/cox/configuration.nix b/hosts/cox/configuration.nix
new file mode 100644
index 00000000..f79c0016
--- /dev/null
+++ b/hosts/cox/configuration.nix
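Review bot: The wireguard peer table in hosts/companion/home-controller.nix is hand-copied per host — hosts/cox/home-controller.nix carries the same four-entry table with companion swapped in for cox — so adding a host or rotating a key means editing every hosts/*/home-controller.nix, and a missed file silently breaks that leg of the mesh. A shared attribute set of `{ publicKey, allowedIPs, endpoint }` per host from which each host filters itself out would keep the tables consistent; at minimum add `# keep in sync with the other hosts/*/home-controller.nix` above `peers = [`. Whether `api.kube` resolves over the tunnel or the LAN is not visible here, so the firewall note on configuration.nix should be checked against that.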
@@ -0,0 +1,64 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+ ./home-controller.nix
+ ];
+
+ boot.loader.timeout = 0;
+
+ boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
+
+ boot.loader.grub = {
+ enable = true;
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "nodev";
+ };
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = false;
+ networking.interfaces.eth0.useDHCP = true;
+ networking.interfaces.wlan0.useDHCP = false;
+ networking.networkmanager.enable = lib.mkForce false;
+
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ nix = {
+ #package = pkgs.nixFlakes;
+ extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
+ };
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ vim
+ wget
+ ];
+
+ # Open ports in the firewall.
+ networking.firewall.allowedTCPPorts = [ 2380 6443 ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
+
diff --git a/hosts/cox/cox.nix b/hosts/cox/cox.nix
new file mode 100644
index 00000000..ca873721
--- /dev/null
+++ b/hosts/cox/cox.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ psCfg = config.pub-solar;
+ xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+ imports = [
+ ./configuration.nix
+ ];
+
+ config = {
+ boot.plymouth.enable = lib.mkForce false;
+ pub-solar.nextcloud.enable = lib.mkForce false;
+ };
+}
diff --git a/hosts/cox/default.nix b/hosts/cox/default.nix
new file mode 100644
index 00000000..aa29e195
--- /dev/null
+++ b/hosts/cox/default.nix
@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+ imports = [
+ ./cox.nix
+ ] ++ suites.cox;
+}
diff --git a/hosts/cox/hardware-configuration.nix b/hosts/cox/hardware-configuration.nix
new file mode 100644
index 00000000..3b52c24b
--- /dev/null
+++ b/hosts/cox/hardware-configuration.nix
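Review bot: hosts/cox/configuration.nix sets `boot.loader.timeout = 0;` and `boot.loader.grub.enable = true;` without `lib.mkForce`, whereas the otherwise identical hosts/companion/configuration.nix forces both; if a shared profile sets either option, the two hosts will resolve it differently and only one will boot as intended. Align them (`boot.loader.timeout = lib.mkForce 0;`, `enable = lib.mkForce true;`) or move the common block into one module that both hosts import. The leftover `#package = pkgs.nixFlakes;` should be removed or explained, since the `extraOptions` line beneath it only takes effect when that package is selected somewhere.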
@@ -0,0 +1,61 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+ boot.initrd.supportedFilesystems = [ "zfs" ];
+ boot.supportedFilesystems = [ "zfs" ];
+
+ boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
+
+ boot.initrd.luks.devices = {
+ cryptroot = {
+ device = "/dev/disk/by-uuid/bf333b74-875f-4187-922e-4b433fb53aa2";
+ keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1";
+ bypassWorkqueues = true;
+ fallbackToPassword = true;
+ };
+ };
+
+ fileSystems."/" =
+ {
+ device = "zroot/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/6CB3-6DB8";
+ fsType = "vfat";
+ };
+
+ fileSystems."/var/lib/rancher/k3s/storage" =
+ {
+ device = "zroot/kubernetes-localstorage";
+ fsType = "zfs";
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/7ef4a3f8-f4a6-42f5-a57d-21f502ed3dba"; }];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = false;
+ networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+ networking.hostId = "71f2d82a";
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
diff --git a/hosts/cox/home-controller.nix b/hosts/cox/home-controller.nix
new file mode 100644
index 00000000..d017c570
--- /dev/null
+++ b/hosts/cox/home-controller.nix
@@ -0,0 +1,55 @@
+{ self, config, pkgs, ... }:
+
+{
+ config = {
+ age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
+ age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
+
+ pub-solar.home-controller = {
+ enable = true;
+ role = "server";
+ ownIp = "10.0.1.12";
+
+ k3s = {
+ serverAddr = "https://api.kube:6443";
+ tokenFile = "/run/agenix/home_controller_k3s_token";
+ enableLocalStorage = true;
+ enableZfs = true;
+ };
+
+ wireguard = {
+ privateKeyFile = "/run/agenix/home_controller_wireguard";
+ peers = [
+ {
+ # cube
+ publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
+ allowedIPs = [ "10.0.1.5/32" ];
+ endpoint = "data.gssws.de:51899";
+ persistentKeepalive = 25;
+ }
+ {
+ # giggles
+ publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+ allowedIPs = [ "10.0.1.11/32" ];
+ endpoint = "giggles.local:51899";
+ persistentKeepalive = 25;
+ }
+ {
+ # companion
+ publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+ allowedIPs = [ "10.0.1.13/32" ];
+ endpoint = "companion.local:51899";
+ persistentKeepalive = 25;
+ }
+ {
+ # ringo
+ publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
+ allowedIPs = [ "10.0.1.21/32" ];
+ endpoint = "ringo.local:51899";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/cube/acme.nix b/hosts/cube/acme.nix
new file mode 100644
index 00000000..6ed057b3
--- /dev/null
+++ b/hosts/cube/acme.nix
@@ -0,0 +1,8 @@
+{ pkgs, config, ... }:
+
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "hensoko@gssws.de";
+ };
+}
diff --git a/hosts/cube/backup.nix b/hosts/cube/backup.nix
new file mode 100644
index 00000000..a2c0ca19
--- /dev/null
+++ b/hosts/cube/backup.nix
@@ -0,0 +1,34 @@
+{ config, lib, self, ... }:
+
+{
+ age.secrets.restic_repository_password.file = "${self}/secrets/cube_restic_repository_password.age";
+ age.secrets.restic_ssh_private_key.file = "${self}/secrets/cube_restic_ssh_private_key.age";
+
+ programs.ssh.extraConfig = ''
+ Host backup
+ HostName 10.0.1.12
+ Port 32222
+ User backup
+ IdentityFile /run/agenix/restic_ssh_private_key
+ '';
+
+ services.postgresqlBackup = {
+ enable = true;
+ backupAll = true;
+ compression = "zstd";
+ };
+
+ services.restic.backups = {
+ cox = {
+ passwordFile = "/run/agenix/restic_repository_password";
+ paths = [
+ "/mnt/internal/nextcloud"
+ "/var/backup/postgresql"
+ ];
+ repository = "sftp:backup:/data/hdd/restic";
+ timerConfig = {
+ OnCalendar = "02:00";
+ };
+ };
+ };
+}
diff --git a/hosts/cube/configuration.nix b/hosts/cube/configuration.nix
new file mode 100644
index 00000000..b14b6c6f
--- /dev/null
+++ b/hosts/cube/configuration.nix
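Review bot: The `Host backup` stanza in hosts/cube/backup.nix carries no host key for 10.0.1.12:32222, so the restic sftp transport depends on whatever root's known_hosts happens to contain; on a fresh install the first nightly run fails with a host-key verification error, and an entry accepted by hand is neither reproducible nor reviewable. Declare the key in NixOS so the transport is pinned to the backup target, as below. `services.restic.backups.cox` also has no `pruneOpts`, so the repository grows without bound; something like `pruneOpts = [ "--keep-daily 7" "--keep-weekly 4" ];` keeps it in check.
```nix
  programs.ssh.knownHosts.backup = {
    hostNames = [ "[10.0.1.12]:32222" ];
    publicKey = "<ssh host public key of the backup target>";
  };
  # … unchanged: programs.ssh.extraConfig, postgresqlBackup, restic …
```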
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./acme.nix
+ ./backup.nix
+ ./drone.nix
+ ./home-assistant.nix
+ ./nextcloud.nix
+ #./whiteboard.nix
+ ./wireguard.nix
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
+
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ time.timeZone = "Europe/Berlin";
+
+ networking = {
+ useDHCP = false;
+
+ interfaces.eno1.ipv4.addresses = [{
+ address = "80.244.242.2";
+ prefixLength = 29;
+ }];
+
+ defaultGateway = "80.244.242.1";
+ nameservers = [ "95.129.51.51" "80.244.244.244" ];
+ };
+
+ nix = {
+ trustedUsers = [ "ci-cache-nix-store" ];
+ };
+
+ services.openssh.ports = [ 2222 ];
+
+ networking.nat.enable = true;
+ networking.nat.internalIPs = [ "10.10.42.0/24" ];
+ networking.nat.externalInterface = "eno1";
+
+
+ networking.firewall.allowedTCPPorts = [ 80 443 2222 ];
+ networking.firewall.allowedUDPPorts = [ 51899 ];
+
+ networking.firewall.enable = lib.mkForce true;
+
+ system.stateVersion = "21.05"; # Did you read the comment?
+}
diff --git a/hosts/cube/cube.nix b/hosts/cube/cube.nix
new file mode 100644
index 00000000..2274383f
--- /dev/null
+++ b/hosts/cube/cube.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, lib, ... }:
+with lib;
+with pkgs;
+let
+ psCfg = config.pub-solar;
+in
+{
+ imports = [
+ ./configuration.nix
+ ];
+
+ pub-solar.core.disk-encryption-active = false;
+
+ networking.networkmanager.enable = lib.mkForce false;
+}
diff --git a/hosts/cube/default.nix b/hosts/cube/default.nix
new file mode 100644
index 00000000..7834ef54
--- /dev/null
+++ b/hosts/cube/default.nix
@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+ imports = [
+ ./cube.nix
+ ] ++ suites.cube;
+}
diff --git a/hosts/cube/drone.nix b/hosts/cube/drone.nix
new file mode 100644
index 00000000..c0b41c04
--- /dev/null
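Review bot: `nix.trustedUsers = [ "ci-cache-nix-store" ];` in hosts/cube/configuration.nix makes the CI cache account a Nix trusted user, which lets it push unsigned store paths and override daemon settings such as substituters — effectively root-equivalent on this internet-facing host (eno1 carries a public address and sshd listens on 2222). If the account only needs to receive store paths from the CI runner, have the runner sign them with a key listed in the store's trusted public keys so the account can stay unprivileged; if trusted-user really is required, add a comment saying why and which hosts may log in as it. `boot.loader.grub.version = 2;` is the default and has no effect in recent NixOS releases, so it can be dropped.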
+++ b/hosts/cube/drone.nix
@@ -0,0 +1,21 @@
+{ self, config, pkgs, ... }:
+
+{
+ age.secrets.drone_exec_runner_config = {
+ file = "${self}/secrets/cube_drone_exec_runner_config.age";
+ owner = "999";
+ };
+
+ pub-solar.ci-runner = {
+ enable = true;
+ enableKvm = true;
+ nixCacheLocation = "/mnt/internal/ci-cache-nix-store/nix";
+
+ runnerEnvironment = {
+ DRONE_RUNNER_CAPACITY = "1";
+ DRONE_RUNNER_LABELS = "hosttype:baremetal";
+ };
+
+ runnerVarsFile = "/run/agenix/drone_exec_runner_config";
+ };
+}
diff --git a/hosts/cube/hardware-configuration.nix b/hosts/cube/hardware-configuration.nix
new file mode 100644
index 00000000..4cacc166
--- /dev/null
+++ b/hosts/cube/hardware-configuration.nix
@@ -0,0 +1,38 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+ boot.extraModprobeConfig = "options kvm_intel nested=1";
+
+ fileSystems."/" =
+ {
+ device = "/dev/disk/by-uuid/715ef65c-6cb3-4455-99ed-fe7408935d00";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/e76a2e82-bf17-4287-967c-bd0f16d16875";
+ fsType = "ext2";
+ };
+
+ fileSystems."/mnt/internal" =
+ {
+ device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
+ fsType = "ext4";
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/4b0b445b-ae72-439a-8aeb-cbd6a3ed73b9"; }];
+}
diff --git a/hosts/cube/home-assistant.nix b/hosts/cube/home-assistant.nix
new file mode 100644
index 00000000..e9b1d714
--- /dev/null
+++ b/hosts/cube/home-assistant.nix
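Review bot: `owner = "999";` in hosts/cube/drone.nix hands the decrypted runner config to a bare numeric uid with nothing saying which account that is; if `pub-solar.ci-runner` declares the runner's user, reference it by name, otherwise add `# uid of the user the runner process executes as` so the next person does not have to guess. The `DRONE_RUNNER_*` variables and `runnerVarsFile` suggest a Drone exec runner, which executes pipeline steps directly on cube rather than in a sandbox, with KVM enabled on top; which repositories may target the `hosttype:baremetal` label is therefore a trust boundary worth stating in a comment next to `DRONE_RUNNER_LABELS`. The cube hardware-configuration.nix hunk on this line also hand-edits a generated file (`boot.extraModprobeConfig = "options kvm_intel nested=1";`), which a regeneration would drop.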
@@ -0,0 +1,19 @@ +{ self, pkgs, config, ... }: + +{ + # HTTP + services.nginx = { + virtualHosts."ha.gssws.de" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://10.0.1.254:8123"; + proxyWebsockets = true; + extraConfig = + "proxy_ssl_server_name on;" + + "proxy_pass_header Authorization;" + ; + }; + }; + }; +} diff --git a/hosts/cube/nextcloud-apps.nix b/hosts/cube/nextcloud-apps.nix new file mode 100644 index 00000000..d8053ee4 --- /dev/null +++ b/hosts/cube/nextcloud-apps.nix 
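Review bot: In hosts/cube/home-assistant.nix the `proxy_ssl_server_name on;` directive only applies to an `https://` upstream, and `proxyPass` is plain `http://10.0.1.254:8123`, so it does nothing here; reduce the block to `extraConfig = "proxy_pass_header Authorization;";` and drop the dangling `;` line, which reads as a stray token. If nginx forwards `X-Forwarded-For` (hosts/cube/nextcloud.nix on the same host enables `recommendedProxySettings`), Home Assistant will reject the proxied requests unless its own `http.trusted_proxies` lists this host; that setting lives in HA's configuration rather than here, so a comment pointing at it would save a debugging round. The upstream 10.0.1.254 is not among the wireguard peers declared elsewhere in this commit, so how it is reached is not visible from the diff.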
@@ -0,0 +1,156 @@ +{ self, pkgs, config, lib, ... }: + +{ + services.nextcloud.extraApps = { + "bookmarks" = pkgs.fetchNextcloudApp { + name = "bookmarks"; + sha256 = "+Lon8Bbu1O6axALYFDQUkBw5K0fNonEehY51ZSqOiZA="; + url = "https://github.com/nextcloud/bookmarks/releases/download/v11.0.3/bookmarks-11.0.3.tar.gz"; + version = "11.0.3"; + }; + "bruteforcesettings" = pkgs.fetchNextcloudApp { + name = "bruteforcesettings"; + sha256 = "cy1Fg6kCiolkDtPF8u/n4JvPrdJadRv4FVMr1zB/Lmk="; + url = "https://github.com/nextcloud-releases/bruteforcesettings/releases/download/v2.4.0/bruteforcesettings-v2.4.0.tar.gz"; + version = "2.4.0"; + }; + "calendar" = pkgs.fetchNextcloudApp { + name = "calendar"; + sha256 = "+LRGl9h40AQdWN9SW+NqGwTafAGwV07Af8nVs3pUCm0="; + url = "https://github.com/nextcloud-releases/calendar/releases/download/v3.5.0/calendar-v3.5.0.tar.gz"; + version = "3.5.0"; + }; + "contacts" = pkgs.fetchNextcloudApp { + name = "contacts"; + sha256 = "GTiyZsUHBXPgQ17DHAihmt2W/ZnAjDwfgwnujkRwk6A="; + url = "https://github.com/nextcloud-releases/contacts/releases/download/v4.2.2/contacts-v4.2.2.tar.gz"; + version = "4.2.2"; + }; + "cookbook" = pkgs.fetchNextcloudApp { + name = "cookbook"; + sha256 = "v64rLGyMQOdStyivpJsKrNxwumVQvyK3CnHtZ+K+elE="; + url = "https://github.com/nextcloud/cookbook/releases/download/v0.9.15/Cookbook-0.9.15.tar.gz"; + version = "0.9.15"; + }; + "cospend" = pkgs.fetchNextcloudApp { + name = "cospend"; + sha256 = "VyTo7jii40a0m2hLuUH5PFJXzogECTfGq+2oifMtNNI="; + url = "https://github.com/eneiluj/cospend-nc/releases/download/v1.4.10/cospend-1.4.10.tar.gz"; + version = "1.4.10"; + }; + "deck" = pkgs.fetchNextcloudApp { + name = "deck"; + sha256 = "G4v1B5XHYuKEZxNhkd7Fu5OSbzwcS7yFaDkUkydpdPU="; + url = "https://github.com/nextcloud-releases/deck/releases/download/v1.7.1/deck-v1.7.1.tar.gz"; + version = "1.7.1"; + }; + "files_accesscontrol" = pkgs.fetchNextcloudApp { + name = "files_accesscontrol"; + sha256 = 
"7vfN3FF8pfQ3iQib/3EbG7r5HNyrQXjwgwJ9Cna6nT0="; + url = "https://github.com/nextcloud-releases/files_accesscontrol/releases/download/v1.14.1/files_accesscontrol-v1.14.1.tar.gz"; + version = "1.14.1"; + }; + "files_automatedtagging" = pkgs.fetchNextcloudApp { + name = "files_automatedtagging"; + sha256 = "C59NQNxox4gyTqIwQX5Yi8D0VwNqoorPli6CE7bl/P0="; + url = "https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.14.0/files_automatedtagging-v1.14.0.tar.gz"; + version = "1.14.0"; + }; + "files_fulltextsearch" = pkgs.fetchNextcloudApp { + name = "files_fulltextsearch"; + sha256 = "+cKu9kvsPxajGzyZhu+DDqsxWKrpZmMMxAKg0tyZdBw="; + url = "https://github.com/nextcloud-releases/files_fulltextsearch/releases/download/v24.0.1/files_fulltextsearch-v24.0.1.tar.gz"; + version = "24.0.1"; + }; + "files_markdown" = pkgs.fetchNextcloudApp { + name = "files_markdown"; + sha256 = "6vrPNKcPmJ4DuMXN8/oRMr/B/dTlJn2GGi/w4t2wimk="; + url = "https://github.com/icewind1991/files_markdown/releases/download/v2.3.6/files_markdown.tar.gz"; + version = "2.3.6"; + }; + "files_mindmap" = pkgs.fetchNextcloudApp { + name = "files_mindmap"; + sha256 = "GcJqn90n9+3VDndNuiohLMDx9fmmMyMkNVNb/bB7ksM="; + url = "https://github.com/ACTom/files_mindmap/releases/download/v0.0.26/files_mindmap-0.0.26.tar.gz"; + version = "0.0.26"; + }; + "fulltextsearch" = pkgs.fetchNextcloudApp { + name = "fulltextsearch"; + sha256 = "7Yp+ZELZf2tqKoZ0td2CgPNym7EbLXyxbVKF8OdpNqs="; + url = "https://github.com/nextcloud-releases/fulltextsearch/releases/download/v24.0.0/fulltextsearch-v24.0.0.tar.gz"; + version = "24.0.0"; + }; + "groupfolders" = pkgs.fetchNextcloudApp { + name = "groupfolders"; + sha256 = "RHkvpAWH4HbKbM4ZoUy1HCzydVdw2SYQJvzO02sZEVQ="; + url = "https://github.com/nextcloud/groupfolders/releases/download/v12.0.2/groupfolders.tar.gz"; + version = "12.0.2"; + }; + "impersonate" = pkgs.fetchNextcloudApp { + name = "impersonate"; + sha256 = 
"ww11Rfcy0yXU5+8w/rOXRxH+7eD6G8RAm3fZ3PpXgdM="; + url = "https://github.com/nextcloud-releases/impersonate/releases/download/v1.11.0/impersonate-v1.11.0.tar.gz"; + version = "1.11.0"; + }; + "keeweb" = pkgs.fetchNextcloudApp { + name = "keeweb"; + sha256 = "idftaF9EU/f61HmL1gijeuKD4yPuf0MJPth4Xr9WgFs="; + url = "https://github.com/jhass/nextcloud-keeweb/releases/download/v0.6.9/keeweb-0.6.9.tar.gz"; + version = "0.6.9"; + }; + "maps" = pkgs.fetchNextcloudApp { + name = "maps"; + sha256 = "6dTNNGHKu97LZvRvg7452e2fw+2loUchtRuv31vLIgY="; + url = "https://github.com/nextcloud/maps/releases/download/v0.2.1/maps-0.2.1.tar.gz"; + version = "0.2.1"; + }; + "news" = pkgs.fetchNextcloudApp { + name = "news"; + sha256 = "eS0cFwJmYfGGJmA02AOWO/OXfqfyI71u2GataDj18DE="; + url = "https://github.com/nextcloud/news/releases/download/18.2.0/news.tar.gz"; + version = "18.2.0"; + }; + "notes" = pkgs.fetchNextcloudApp { + name = "notes"; + sha256 = "rd3uVkVtARX4enRAWm1ivV468lboYZnYe7/zsqaHYpk="; + url = "https://github.com/nextcloud/notes/releases/download/v4.5.1/notes.tar.gz"; + version = "4.5.1"; + }; + "quota_warning" = pkgs.fetchNextcloudApp { + name = "quota_warning"; + sha256 = "UaURF2NIj0h+81vbbFxZuyFX7B9QsicUMK5RKtG5O04="; + url = "https://github.com/nextcloud-releases/quota_warning/releases/download/v1.14.0/quota_warning-v1.14.0.tar.gz"; + version = "1.14.0"; + }; + "richdocuments" = pkgs.fetchNextcloudApp { + name = "richdocuments"; + sha256 = "nov6GQX4FEg1MAxuTvWxuk9yAPuWHtE1rsbM1B/1Dgk="; + url = "https://github.com/nextcloud-releases/richdocuments/releases/download/v6.2.0/richdocuments-v6.2.0.tar.gz"; + version = "6.2.0"; + }; + #"richdocumentscode" = pkgs.fetchNextcloudApp { + # name = "richdocumentscode"; + # sha256 = "URbEB3I02SjoVlRI+gjoNi+/o5Oe4snmoKQUff4T9+A="; + # url = "https://github.com/CollaboraOnline/richdocumentscode/releases/download/22.5.502/richdocumentscode.tar.gz"; + # version = "22.5.502"; + #}; + "spreed" = pkgs.fetchNextcloudApp { + name = "spreed"; + 
sha256 = "wg4BYhcbWCaz1OE4sIVlV1r0cUX5Z923ej7Y/Meands="; + url = "https://github.com/nextcloud-releases/spreed/releases/download/v14.0.5/spreed-v14.0.5.tar.gz"; + version = "14.0.5"; + }; + "tasks" = pkgs.fetchNextcloudApp { + name = "tasks"; + sha256 = "kXXUzzODi/qRi2NqtJyiS1GmLTx0kFAwtH1p0rCdnRM="; + url = "https://github.com/nextcloud/tasks/releases/download/v0.14.4/tasks.tar.gz"; + version = "0.14.4"; + }; + "twofactor_totp" = pkgs.fetchNextcloudApp { + name = "twofactor_totp"; + sha256 = "cRtpRs1s31l8xG84YkZIuR3C3pg2kQFNlrY2f5NTSBo="; + url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.0/twofactor_totp-v6.4.0.tar.gz"; + version = "6.4.0"; + }; + }; +} diff --git a/hosts/cube/nextcloud.nix b/hosts/cube/nextcloud.nix new file mode 100644 index 00000000..3e839d7a --- /dev/null +++ b/hosts/cube/nextcloud.nix 
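Review bot: The `richdocumentscode` entry in hosts/cube/nextcloud-apps.nix is commented out with no reason given, while hosts/cube/nextcloud.nix in this same commit runs Collabora as the `nextcloud-collabora-code` OCI container; replace the dead block with `# richdocumentscode (built-in CODE) intentionally not installed: Collabora runs as an OCI container, see ./nextcloud.nix` so nobody enables both. `impersonate` lets any Nextcloud admin log in as another user and is installed here without comment; add a line on who relies on it, and treat `bruteforcesettings` the same way since it relaxes the brute-force throttling. Every tarball is pinned by sha256, which is good; a short note at the top on how the hashes and versions are refreshed would complete the file.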
@@ -0,0 +1,142 @@ +{ self, pkgs, config, lib, ... }: + +{ + imports = [ + ./nextcloud-apps.nix + ]; + + age.secrets.nextcloud_db_pass = { + owner = "nextcloud"; + group = "nextcloud"; + file = "${self}/secrets/cube_nextcloud_db_pass.age"; + }; + + age.secrets.nextcloud_admin_pass = { + owner = "nextcloud"; + group = "nextcloud"; + file = "${self}/secrets/cube_nextcloud_admin_pass.age"; + }; + + # HTTP + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + virtualHosts."data.gssws.de" = { + enableACME = true; + forceSSL = true; + }; + }; + + # DATABASES + services.postgresql = { + enable = true; + package = pkgs.postgresql_11; + + ensureDatabases = [ "nextcloud" ]; + ensureUsers = [ + { + name = "nextcloud"; + ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; + } + ]; + }; + + # REDIS + services.redis.servers = { + "nextcloud".enable = true; + }; + + users.groups."redis-nextcloud".members = [ "nextcloud" ]; + + # Collabora Code server + virtualisation.oci-containers.containers."nextcloud-collabora-code" = { + image = "collabora/code"; + autoStart = true; + ports = [ "127.0.0.1:9980:9980" ]; + environment.domain = "data\\.gssws\\.de"; + extraOptions = [ "--cap-add" "MKNOD" ]; + }; + + services.nginx.virtualHosts."office.gssws.de" = + let + proxyPass = "https://127.0.0.1:9980"; + extraConfig = "proxy_ssl_verify off;"; + in + { + enableACME = true; + forceSSL = true; + + locations."^~ /browser" = { + inherit proxyPass extraConfig; + }; + locations."^~ /hosting/discovery" = { + inherit proxyPass extraConfig; + }; + locations."^~ /hosting/capabilities" = { + inherit proxyPass extraConfig; + }; + locations."~ ^/cool/(.*)/ws''$" = { + inherit proxyPass extraConfig; + proxyWebsockets = true; + }; + locations."~ ^/(c|l)ool" = { + inherit proxyPass extraConfig; + }; + locations."^~ /cool/adminws" = { 
+ inherit proxyPass extraConfig; + proxyWebsockets = true; + }; + }; + + # NEXTCLOUD + systemd.services."nextcloud-setup" = { + requires = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; + }; + services.nextcloud = { + enable = true; + package = pkgs.nextcloud24; + hostName = "data.gssws.de"; + https = true; + datadir = "/mnt/internal/nextcloud"; + + caching.apcu = true; + caching.redis = true; + + phpPackage = lib.mkForce pkgs.php81; + + phpOptions = { + short_open_tag = "Off"; + expose_php = "Off"; + error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; + display_errors = "stderr"; + "opcache.enable_cli" = "1"; + "opcache.interned_strings_buffer" = "32"; + "opcache.max_accelerated_files" = "100000"; + "opcache.memory_consumption" = "256"; + "opcache.revalidate_freq" = "1"; + "opcache.fast_shutdown" = "1"; + "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; + catch_workers_output = "yes"; + }; + + config = { + overwriteProtocol = "https"; + + dbtype = "pgsql"; + dbuser = "nextcloud"; + dbhost = "/run/postgresql"; + dbname = "nextcloud"; + dbpassFile = "/run/agenix/nextcloud_db_pass"; + adminpassFile = "/run/agenix/nextcloud_admin_pass"; + adminuser = "admin"; + + trustedProxies = [ "80.244.242.2" ]; + defaultPhoneRegion = "DE"; + }; + }; +} diff --git a/hosts/cube/wireguard.nix b/hosts/cube/wireguard.nix new file mode 100644 index 00000000..92b1ffd1 --- /dev/null +++ b/hosts/cube/wireguard.nix 
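Review bot: The Collabora container is declared as `image = "collabora/code"` with no tag or digest, so every restart of the oci-containers unit may pull a different `latest` image for the component that receives every document opened from this Nextcloud; pin it to a release tag or, better, a `collabora/code@sha256:…` digest taken from the registry (the hunk does not fix the value). The `office.gssws.de` vhost also proxies `^~ /cool/adminws` and the whole `/browser` tree, which is where the Collabora admin console lives, to the public Internet, while the container's environment only sets `domain` and no admin `username`/`password`; whether the console is then reachable depends on the image defaults, so either confirm it is disabled or drop the `adminws` location and restrict the admin path with nginx `allow`/`deny`. `proxy_ssl_verify off;` is acceptable only because the upstream is `127.0.0.1:9980`; a comment stating that (`# loopback upstream with a self-signed cert; never reuse for a remote upstream`) would keep the pattern from being copied. Finally `adminuser = "admin"` is the predictable default name; the password comes from agenix, but a non-obvious admin login slows down credential-stuffing against the public instance.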
@@ -0,0 +1,63 @@
+{ self, config, pkgs, ... }:
+
+{
+ age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
+
+
+ systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
+ systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
+
+ # Enable WireGuard
+ networking.wireguard.interfaces = {
+ wg1 = {
+ # Determines the IP address and subnet of the client's end of the tunnel interface.
+ ips = [ "10.0.1.5" ];
+ listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+ # Path to the private key file.
+ #
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKeyFile = "/run/agenix/home_controller_wireguard";
+
+ peers = [
+ # For a client configuration, one peer entry for the server will suffice.
+
+ {
+ # giggles
+ publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+ allowedIPs = [ "10.0.1.11/32" ];
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ {
+ # cox
+ publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+ allowedIPs = [ "10.0.1.12/32" ];
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ {
+ # companion
+ publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+ allowedIPs = [ "10.0.1.13/32" ];
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+
+ {
+ # hsha
+ publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
+ allowedIPs = [ "10.0.1.254/32" ];
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+}
diff --git a/hosts/falcone/configuration.nix
new file mode 100644
index 00000000..6383f78f
--- /dev/null
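Review bot: The restart policy at the top of the file targets `wireguard-wg0`, but the only interface this file declares is `wg1`, so the override applies to a unit that does not exist on cube and the actual tunnel to the k3s nodes will stay down after a failure; it should read `systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";` and `systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";`. The comment on `listenPort = 51899` says it matches `allowedUDPPorts`, yet no firewall rule is in this hunk, and since giggles dials `data.gssws.de:51899` cube is the listening side; if the port is opened in another module, point to it in the comment, otherwise add `networking.firewall.allowedUDPPorts = [ 51899 ];`. The per-peer `allowedIPs` are single /32s, which correctly stops any one node from injecting routes for another, and that is worth a one-line comment so nobody widens them to the /24 later.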
+++ b/hosts/falcone/configuration.nix 
@@ -0,0 +1,57 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ inputs, pkgs, builtins, config, lib, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ]; + + pub-solar.core.disk-encryption-active = false; + + boot.loader.timeout = lib.mkForce 0; + + boot.loader.generic-extlinux-compatible.enable = lib.mkForce false; + + boot.loader.grub = { + enable = lib.mkForce true; + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + + extraInstallCommands = '' + cp -r ${inputs.nixpkgs-hensoko.packages.aarch64-linux.raspberrypi4_firmware_uefi}/share/raspberrypi4-firmware-uefi/* /boot/ + ''; + }; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = true; + networking.interfaces.wlan0.useDHCP = false; + networking.networkmanager.enable = lib.mkForce false; + + boot.loader.systemd-boot.enable = lib.mkForce false; + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 2380 6443 ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). 
+ system.stateVersion = "22.11"; # Did you read the comment? +} + diff --git a/hosts/falcone/default.nix b/hosts/falcone/default.nix new file mode 100644 index 00000000..86de5233 --- /dev/null +++ b/hosts/falcone/default.nix @@ -0,0 +1,6 @@ +{ suites, ... }: +{ + imports = [ + ./falcone.nix + ] ++ suites.falcone; +} diff --git a/hosts/falcone/falcone.nix b/hosts/falcone/falcone.nix new file mode 100644 index 00000000..ca873721 --- /dev/null +++ b/hosts/falcone/falcone.nix @@ -0,0 +1,16 @@ +{ config, pkgs, lib, ... }: +with lib; +let + psCfg = config.pub-solar; + xdg = config.home-manager.users."${psCfg.user.name}".xdg; +in +{ + imports = [ + ./configuration.nix + ]; + + config = { + boot.plymouth.enable = lib.mkForce false; + pub-solar.nextcloud.enable = lib.mkForce false; + }; +} diff --git a/hosts/falcone/hardware-configuration.nix b/hosts/falcone/hardware-configuration.nix new file mode 100644 index 00000000..8815265a --- /dev/null +++ b/hosts/falcone/hardware-configuration.nix 
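Review bot: `networking.firewall.allowedTCPPorts = [ 2380 6443 ]` opens the etcd peer and Kubernetes API ports on every interface, including the DHCP-configured `eth0`, on a node that also sets `pub-solar.core.disk-encryption-active = false`, so any cluster state that lands here is both reachable from the LAN and stored in clear. k3s normally requires TLS client certificates on both ports, so this is exposure rather than an open door, but if cluster traffic is meant to ride the WireGuard mesh the other hosts build, scope the rule to that interface, e.g. `networking.firewall.interfaces.<wg-iface>.allowedTCPPorts = [ 2380 6443 ];` (the interface name is not visible in this hunk). This file does not import a home-controller module, so it is unclear whether anything on falcone listens on these ports yet; if nothing does, the rule should be added together with the service that needs it.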
@@ -0,0 +1,35 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + #boot.initrd.supportedFilesystems = [ "zfs" ]; + #boot.supportedFilesystems = [ "zfs" ]; + + #boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18; + + fileSystems."/" = + { device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + }; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; + + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; +} diff --git a/hosts/giggles/configuration.nix b/hosts/giggles/configuration.nix new file mode 100644 index 00000000..5e8d9f36 --- /dev/null +++ b/hosts/giggles/configuration.nix 
@@ -0,0 +1,65 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, ... }: + +{ + imports = + [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./home-controller.nix + ]; + + boot.loader.timeout = 0; + + boot.loader.generic-extlinux-compatible.enable = lib.mkForce false; + + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = true; + networking.interfaces.wlan0.useDHCP = false; + networking.networkmanager.enable = lib.mkForce false; + + boot.loader.systemd-boot.enable = lib.mkForce false; + + nix = { + #package = pkgs.nixFlakes; + extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes"; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + wget + ]; + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 2380 6443 ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. 
+ # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} + diff --git a/hosts/giggles/default.nix b/hosts/giggles/default.nix new file mode 100644 index 00000000..ebce8516 --- /dev/null +++ b/hosts/giggles/default.nix @@ -0,0 +1,6 @@ +{ suites, ... }: +{ + imports = [ + ./giggles.nix + ] ++ suites.giggles; +} diff --git a/hosts/giggles/giggles.nix b/hosts/giggles/giggles.nix new file mode 100644 index 00000000..ca873721 --- /dev/null +++ b/hosts/giggles/giggles.nix @@ -0,0 +1,16 @@ +{ config, pkgs, lib, ... }: +with lib; +let + psCfg = config.pub-solar; + xdg = config.home-manager.users."${psCfg.user.name}".xdg; +in +{ + imports = [ + ./configuration.nix + ]; + + config = { + boot.plymouth.enable = lib.mkForce false; + pub-solar.nextcloud.enable = lib.mkForce false; + }; +} diff --git a/hosts/giggles/hardware-configuration.nix b/hosts/giggles/hardware-configuration.nix new file mode 100644 index 00000000..cfc5cf70 --- /dev/null +++ b/hosts/giggles/hardware-configuration.nix 
@@ -0,0 +1,61 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.initrd.supportedFilesystems = [ "zfs" ]; + boot.supportedFilesystems = [ "zfs" ]; + + boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18; + + boot.initrd.luks.devices = { + cryptroot = { + device = "/dev/disk/by-uuid/ef5804e2-2b07-4434-8144-6ae7d9f615e2"; + keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1"; + bypassWorkqueues = true; + fallbackToPassword = true; + }; + }; + + fileSystems."/" = + { + device = "zroot/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/2F05-9B4A"; + fsType = "vfat"; + }; + + fileSystems."/var/lib/rancher/k3s/storage" = + { + device = "zroot/kubernetes-localstorage"; + fsType = "zfs"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/ddad2310-57b5-4851-a7bd-280d7182bcec"; }]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; + networking.hostId = "71f2d82a"; + + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; +} 
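Review bot: `boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18` pins this node to a non-LTS kernel series whose upstream stable updates ended in August 2022, so the node stops receiving kernel security fixes and the build breaks once nixpkgs drops the attribute. If 5.18 was chosen for ZFS or Raspberry Pi compatibility, say so in a comment (`# 5.18 required for …; revisit`) and prefer `pkgs.linuxPackages` or, where available, `pkgs.zfs.latestCompatibleLinuxPackages` so the kernel keeps tracking supported releases. The LUKS `keyFile` is an entire USB partition with `fallbackToPassword = true`, which is a sound design, but the key material is then the whole partition contents; if only a fixed number of bytes was written to it, set `keyFileSize` accordingly so later changes to the rest of the partition cannot alter the effective key.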
diff --git a/hosts/giggles/home-controller.nix b/hosts/giggles/home-controller.nix new file mode 100644 index 00000000..ac7cfc01 --- /dev/null +++ b/hosts/giggles/home-controller.nix @@ -0,0 +1,53 @@ +{ self, config, pkgs, ... }: + +{ + config = { + age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; + age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age"; + + pub-solar.home-controller = { + enable = true; + role = "server"; + ownIp = "10.0.1.11"; + + k3s = { + enableLocalStorage = true; + enableZfs = true; + }; + + wireguard = { + privateKeyFile = "/run/agenix/home_controller_wireguard"; + peers = [ + { + # cube + publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk="; + allowedIPs = [ "10.0.1.5/32" ]; + endpoint = "data.gssws.de:51899"; + persistentKeepalive = 25; + } + { + # cox + publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k="; + allowedIPs = [ "10.0.1.12/32" ]; + endpoint = "cox.local:51899"; + persistentKeepalive = 25; + } + { + # companion + publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0="; + allowedIPs = [ "10.0.1.13/32" ]; + endpoint = "companion.local:51899"; + persistentKeepalive = 25; + } + { + # ringo + publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw="; + allowedIPs = [ "10.0.1.21/32" ]; + endpoint = "ringo.local:51899"; + persistentKeepalive = 25; + } + ]; + }; + }; + }; +} diff --git a/hosts/harrison/.config/sway/config.d/screens.conf b/hosts/harrison/.config/sway/config.d/screens.conf new file mode 100644 index 00000000..e3d66c29 --- /dev/null +++ b/hosts/harrison/.config/sway/config.d/screens.conf 
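Review bot: `age.secrets.home_controller_k3s_token` is declared but nothing in the `k3s` block consumes it — ringo's agent definition passes `tokenFile = "/run/agenix/home_controller_k3s_token"`, while this server role has no `tokenFile`, so unless the pub-solar module supplies a default the server will generate its own token and agents presenting the agenix one will be refused. If the module accepts it for servers, add `tokenFile = "/run/agenix/home_controller_k3s_token";` beside `enableZfs`; otherwise drop the unused secret declaration. The peer endpoints `cox.local`, `companion.local` and `ringo.local` rely on mDNS, which is unauthenticated; WireGuard's key check means a spoofed name can only make the handshake fail rather than divert traffic, but a short comment recording that tradeoff would help the next reader.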
@@ -0,0 +1,19 @@ +set $left 'Dell Inc. DELL S2721DS D0SVQ43' +set $middle 'Samsung Electric Company SMBX2450L 0x00003231' +set $right 'Eizo Nanao Corporation EV2316W 39117013' + +output $left { + scale 1 + pos 0 0 + transform 270 +} + +output $middle { + scale 1 + pos 1440 1150 +} + +output $right { + scale 1 + pos 3360 1150 +} diff --git a/hosts/harrison/configuration.nix b/hosts/harrison/configuration.nix new file mode 100644 index 00000000..c0d7e06c --- /dev/null +++ b/hosts/harrison/configuration.nix 
@@ -0,0 +1,49 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, ... }: + +{ + imports = + [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + time.hardwareClockInLocalTime = true; # easiest quirk for windows time offset feature + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.dhcpcd.wait = "background"; + networking.useDHCP = false; + networking.interfaces.eno1 = { + useDHCP = true; + wakeOnLan = { + enable = true; + }; + }; + networking.networkmanager.enable = lib.mkForce false; + + nixpkgs.config.allowUnsupportedSystem = true; + + # List services that you want to enable: + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 22 ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "21.05"; # Did you read the comment? +} + diff --git a/hosts/harrison/default.nix b/hosts/harrison/default.nix new file mode 100644 index 00000000..a1d958f0 --- /dev/null +++ b/hosts/harrison/default.nix 
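Review bot: `networking.firewall.allowedTCPPorts = [ 22 ]` duplicates what the openssh module does through `services.openssh.openFirewall` (default true) and keeps port 22 open even if sshd is later disabled; drop it, or comment why sshd's own rule is not relied on. `nixpkgs.config.allowUnsupportedSystem = true` is a build-wide switch and nothing in this file shows what needs it, so a comment such as `# needed for <package> on <platform>` would keep it from outliving its reason. `wakeOnLan.enable = true` accepts unauthenticated magic packets from the LAN, which is fine for a workstation but worth stating so the snippet is not copied to an exposed host.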
@@ -0,0 +1,6 @@ +{ suites, ... }: +{ + imports = [ + ./harrison.nix + ] ++ suites.harrison; +} diff --git a/hosts/harrison/hardware-configuration.nix b/hosts/harrison/hardware-configuration.nix new file mode 100644 index 00000000..3863bc96 --- /dev/null +++ b/hosts/harrison/hardware-configuration.nix 
@@ -0,0 +1,70 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" "raid1" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/disk/by-uuid/e3a0394d-8bb5-4049-bf65-90d7202163cd"; + keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04011806021722115743-0:0-part1"; + fallbackToPassword = true; + bypassWorkqueues = true; + }; + + boot.loader.systemd-boot.enable = lib.mkForce false; + boot.loader.efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot"; + }; + boot.loader.grub = { + efiSupport = true; + enable = lib.mkForce true; + extraEntries = '' + menuentry "Windows" { + insmod part_gpt + insmod fat + insmod search_fs_uuid + insmod chain + search --fs-uuid --set=root 02DB-F12C + chainloader /efi/Microsoft/Boot/bootmgfw.efi + } + ''; + devices = [ "nodev" ]; + }; + + + fileSystems = { + "/" = + { + device = "/dev/disk/by-uuid/4ad4db6d-543e-4cc5-a781-396e3b527a05"; + fsType = "ext4"; + }; + + "/boot" = + { + device = "/dev/disk/by-uuid/4B4A-B1B4"; + fsType = "vfat"; + }; + + "/boot2" = + { + device = "/dev/disk/by-uuid/4B2C-385A"; + fsType = "vfat"; + }; + }; + + swapDevices = + [{ device = "/dev/mapper/vg0-swap"; }]; + + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/harrison/harrison.nix b/hosts/harrison/harrison.nix new file mode 100644 index 00000000..2fea3d5a --- /dev/null +++ b/hosts/harrison/harrison.nix 
@@ -0,0 +1,21 @@ +{ config, pkgs, lib, ... }: +with lib; +with pkgs; +let + psCfg = config.pub-solar; +in +{ + imports = [ + ./configuration.nix + ]; + + config = { + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + + home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable { + "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf; + }; + + services.teamviewer.enable = true; + }; +} diff --git a/hosts/norman/.config/sway/config.d/custom-keybindings.conf b/hosts/norman/.config/sway/config.d/custom-keybindings.conf new file mode 100644 index 00000000..a2938d77 --- /dev/null +++ b/hosts/norman/.config/sway/config.d/custom-keybindings.conf 
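Review bot: `services.teamviewer.enable = true` starts the proprietary TeamViewer daemon, which typically runs as root, at every boot and gives a third-party relay persistent remote-control capability over a machine whose root filesystem is otherwise LUKS-protected. If it is only needed occasionally, keep it installed but not auto-started (`systemd.services.teamviewerd.wantedBy = lib.mkForce [ ];`) and start it by hand, and make sure unattended access is disabled in the client so a leaked TeamViewer ID and password does not become a root session. A comment recording why this workstation needs it would also help.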
@@ -0,0 +1,16 @@ +# Screen brightness controls +bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')" +bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ { print $4}')" + +# Keyboard backlight brightness controls +bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')" +bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')" + +# Pulse Audio controls +bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume +bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume +bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound +# Media player controls +bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'" +bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'" +bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'" diff --git a/hosts/norman/.config/sway/config.d/screens.conf b/hosts/norman/.config/sway/config.d/screens.conf new file mode 100644 index 00000000..c8b323b5 --- /dev/null +++ b/hosts/norman/.config/sway/config.d/screens.conf @@ -0,0 +1,13 @@ +set $left 'Dell Inc. DELL S2721DS D0SVQ43' +set $middle 'Samsung Electric Company SMBX2450L 0x00003231' + +output $left { + scale 1 + pos 0 0 + transform 270 +} + +output $middle { + scale 1 + pos 1440 1050 +} 
diff --git a/hosts/norman/configuration.nix b/hosts/norman/configuration.nix new file mode 100644 index 00000000..099cc583 --- /dev/null +++ b/hosts/norman/configuration.nix 
@@ -0,0 +1,63 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = + [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./wireguard.nix + ]; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.firewall = { + allowedUDPPorts = [ + 51820 + 51821 + ]; # Clients and peers can use the same port, see listenport + }; + + hardware.nitrokey.enable = true; + + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + services.tlp = { + enable = true; + settings = { + CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; + CPU_SCALING_GOVERNOR_ON_AC = "performance"; + + # The following prevents the battery from charging fully to + # preserve lifetime. Run `tlp fullcharge` to temporarily force + # full charge. + # https://linrunner.de/tlp/faq/battery.html#how-to-choose-good-battery-charge-thresholds + START_CHARGE_THRESH_BAT0 = 40; + STOP_CHARGE_THRESH_BAT0 = 80; + + # 100 being the maximum, limit the speed of my CPU to reduce + # heat and increase battery usage: + CPU_MAX_PERF_ON_AC = 100; + CPU_MAX_PERF_ON_BAT = 30; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). 
+ system.stateVersion = "21.11"; # Did you read the comment? +} + diff --git a/hosts/norman/default.nix b/hosts/norman/default.nix new file mode 100644 index 00000000..20216667 --- /dev/null +++ b/hosts/norman/default.nix @@ -0,0 +1,6 @@ +{ suites, ... }: +{ + imports = [ + ./norman.nix + ] ++ suites.norman; +} diff --git a/hosts/norman/hardware-configuration.nix b/hosts/norman/hardware-configuration.nix new file mode 100644 index 00000000..158f6cb9 --- /dev/null +++ b/hosts/norman/hardware-configuration.nix @@ -0,0 +1,46 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + boot.loader.grub.trustedBoot = { + enable = true; + systemHasTPM = "YES_TPM_is_activated"; + }; + + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/disk/by-uuid/cdc29f0f-5b18-4ee7-8d38-1f4bac80b1e6"; + bypassWorkqueues = true; + }; + + fileSystems."/" = + { + device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/84CD-91B6"; + fsType = "vfat"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9"; }]; + + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + hardware.trackpoint = { + enable = true; + device = "TPPS/2 ALPS TrackPoint"; + emulateWheel = true; + }; +} diff --git a/hosts/norman/norman.nix b/hosts/norman/norman.nix new file mode 100644 index 00000000..b85d4c6e --- /dev/null +++ b/hosts/norman/norman.nix 
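Review bot: `allowedUDPPorts = [ 51820 51821 ]` opens both WireGuard listen ports on every network this laptop joins, but both interfaces in wireguard.nix are client-side (fixed `endpoint`, `persistentKeepalive = 25`), so the servers never need to initiate towards norman and the inbound rule is unnecessary. WireGuard stays silent to unauthenticated packets, so the exposure is small, but the rule and the fixed `listenPort`s should go unless a peer really has to dial in; if one does, say which in the comment instead of the generic "Clients and peers can use the same port".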
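Review bot: `boot.loader.grub.trustedBoot.enable = true` with `systemHasTPM = "YES_TPM_is_activated"` switches to TrustedGRUB2, which measures the boot chain into TPM PCRs, but nothing in this configuration consumes the measurements: `cryptroot` is unlocked by passphrase with no sealed key and there is no attestation, so the option adds no protection on its own. TrustedGRUB2 also only speaks TPM 1.2; if this machine has a TPM 2.0 the option is inert or may break boot, so check `/sys/class/tpm/tpm0/tpm_version_major` before relying on it. A comment such as `# TrustedGRUB2: TPM 1.2 measured boot only; no sealing/attestation consumer yet` would make the gap explicit for the next maintainer.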
@@ -0,0 +1,22 @@ +{ config, pkgs, lib, ... }: +with lib; +let + psCfg = config.pub-solar; + xdg = config.home-manager.users."${psCfg.user.name}".xdg; +in +{ + imports = [ + ./configuration.nix + ]; + + config = { + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + + pub-solar.audio.bluetooth.enable = false; + + home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable { + "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf; + "sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf; + }; + }; +} diff --git a/hosts/norman/wireguard.nix b/hosts/norman/wireguard.nix new file mode 100644 index 00000000..cbb194d2 --- /dev/null +++ b/hosts/norman/wireguard.nix 
@@ -0,0 +1,93 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
+ systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
+ systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";
+ systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";
+
+ # Enable WireGuard
+ networking.wireguard.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ # Determines the IP address and subnet of the client's end of the tunnel interface.
+ ips = [
+ "10.0.0.13/32"
+ "fc00:200::13/128"
+ ];
+ listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+ # Path to the private key file.
+ #
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKeyFile = "/home/hensoko/.config/wireguard/hosting-de.private";
+
+ peers = [
+ # For a client configuration, one peer entry for the server will suffice.
+
+ {
+ # Public key of the server (not a file path).
+ publicKey = "02/MRPduMGx1as7yS4G7GpL4+pQjsjpyS/tD9iPu8X0=";
+
+ # Forward all the traffic via VPN.
+ allowedIPs = [
+ "10.0.0.0/24"
+ "192.168.50.0/24"
+ "192.168.200.0/24"
+ "10.20.30.0/24"
+ "fc00:200::/120"
+ "95.129.51.5"
+ "95.129.54.43"
+ "134.0.28.89"
+ "134.0.27.108"
+ "134.0.25.181"
+ ];
+
+ # Set this to the server IP and port.
+ endpoint = "134.0.30.154:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ wg1 = {
+ # Determines the IP address and subnet of the client's end of the tunnel interface.
+ ips = [
+ "10.7.0.21"
+ ];
+ listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+ # Path to the private key file.
+ #
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKeyFile = "/home/hensoko/.config/wireguard/data-gssws-de.private";
+
+ peers = [
+ # For a client configuration, one peer entry for the server will suffice.
+
+ {
+ # Public key of the server (not a file path).
+ publicKey = "RwMocdha7fyx+MGTtQpZhZQGJY4WU79YgpspYBclK3c=";
+
+ # Forward all the traffic via VPN.
+ allowedIPs = [
+ "10.7.0.0/24"
+ ];
+
+ # Set this to the server IP and port.
+ endpoint = "80.244.242.2:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ ];
+
+ };
+ };
+}
+
diff --git a/hosts/ringo/configuration.nix
new file mode 100644
index 00000000..5a57fe2d
--- /dev/null
+++ b/hosts/ringo/configuration.nix
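Review bot: Both `privateKeyFile`s point into `/home/hensoko/.config/wireguard/`, so the root-run `wireguard-wg0`/`wg1` units depend on keys that the unprivileged user — and any process running as that user — can read, replace or delete, and that may be missing or on a not-yet-mounted filesystem at boot. Every other host in this patch handles the same key with agenix, so norman should too: `age.secrets.<name>.file = "${self}/secrets/<name>.age";` (add `self` to the module arguments) and `privateKeyFile = "/run/agenix/<name>";`. The comment block above each key already argues against inline `privateKey` because the Nix store is world-readable; a user-writable home directory undermines the same goal from the other side. The `# ToDo: route to endpoint …` remarks can stay, but neither `134.0.30.154` nor `80.244.242.2` falls inside the configured `allowedIPs`, so the loop-routing problem they link to appears not to arise here.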
@@ -0,0 +1,35 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ./home-controller.nix + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.enp0s25.useDHCP = true; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "21.11"; # Did you read the comment? +} + diff --git a/hosts/ringo/default.nix b/hosts/ringo/default.nix new file mode 100644 index 00000000..ff5a8251 --- /dev/null +++ b/hosts/ringo/default.nix @@ -0,0 +1,6 @@ +{ suites, ... }: +{ + imports = [ + ./ringo.nix + ] ++ suites.ringo; +} diff --git a/hosts/ringo/hardware-configuration.nix b/hosts/ringo/hardware-configuration.nix new file mode 100644 index 00000000..d16bc928 --- /dev/null +++ b/hosts/ringo/hardware-configuration.nix 
@@ -0,0 +1,43 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ boot.initrd.luks.devices."cryptroot" = {
+ device = "/dev/disk/by-uuid/bd1ebf98-adc1-4868-842f-3d2c6ee04e13";
+ keyFile = "/dev/disk/by-partuuid/9ff6ebf7-01";
+ fallbackToPassword = true;
+ bypassWorkqueues = true;
+ };
+
+ fileSystems."/" =
+ {
+ device = "/dev/disk/by-uuid/1999ec2e-4564-4f5a-8333-6eb23ae03c8b";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/47ED-2F0B";
+ fsType = "vfat";
+ };
+
+ fileSystems."/home" =
+ {
+ device = "/dev/disk/by-uuid/69c89392-be11-4bd4-8f3b-6b7db20c716e";
+ fsType = "ext4";
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/4ef0cdbc-38f4-4dcb-8fe8-553bbdb06192"; }];
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/ringo/home-controller.nix b/hosts/ringo/home-controller.nix
new file mode 100644
index 00000000..3f679ba4
--- /dev/null
+++ b/hosts/ringo/home-controller.nix
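Review bot: The `cryptroot` unlock secret is whatever sits on the raw partition `/dev/disk/by-partuuid/9ff6ebf7-01`, read with no `keyFileSize`/`keyFileOffset`, so possession of that medium unlocks the root filesystem without the passphrase, and nothing in the file records where that medium is or that it must be treated as the disk-encryption key. The file's own header says it is generated and may be overwritten; as far as I can tell `nixos-generate-config` does not emit `keyFile`, `fallbackToPassword` or `bypassWorkqueues`, so a regeneration would silently drop the key-partition unlock and leave only the passphrase path. I would move the whole `boot.initrd.luks.devices."cryptroot"` attribute set into configuration.nix, bound the read with `keyFileSize = <bytes>;` matching how the key was written, and add above it `# key material lives on the partition below (external medium?); anyone holding it unlocks root without a passphrase — verify and keep it off the machine`.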
@@ -0,0 +1,43 @@
+{ self, config, pkgs, ... }:
+
+{
+ config = {
+ age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
+ age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_ringo_wireguard_key.age";
+
+ pub-solar.home-controller = {
+ enable = true;
+ role = "agent";
+ ownIp = "10.0.1.21";
+
+ k3s = {
+ serverAddr = "https://api.kube:6443";
+ tokenFile = "/run/agenix/home_controller_k3s_token";
+ };
+
+ wireguard = {
+ privateKeyFile = "/run/agenix/home_controller_wireguard";
+ peers = [
+ {
+ # giggles
+ publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+ allowedIPs = [ "10.0.1.11/32" ];
+ endpoint = "giggles.local:51899";
+ }
+ {
+ # cox
+ publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+ allowedIPs = [ "10.0.1.12/32" ];
+ endpoint = "cox.local:51899";
+ }
+ {
+ # companion
+ publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+ allowedIPs = [ "10.0.1.13/32" ];
+ endpoint = "companion.local:51899";
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/ringo/ringo.nix b/hosts/ringo/ringo.nix
new file mode 100644
index 00000000..00fea36d
--- /dev/null
+++ b/hosts/ringo/ringo.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ psCfg = config.pub-solar;
+ xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+ imports = [
+ ./configuration.nix
+ ];
+
+ config.pub-solar.core.lite = true;
+}
diff --git a/modules/core/bluetooth.nix b/modules/core/bluetooth.nix
new file mode 100644
index 00000000..e69de29b
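Review bot: All three peer endpoints are mDNS names (`giggles.local:51899`, `cox.local:51899`, `companion.local:51899`), so the tunnel only comes up if `.local` resolution works in whatever context the `pub-solar.home-controller` module (defined outside this hunk) configures WireGuard, and both the k3s agent and the tunnel to `api.kube` presumably depend on it. Because each peer's identity is pinned by `publicKey`, a spoofed or stale mDNS answer cannot put the agent on an impostor's tunnel; it can only make the handshake fail, which is the failure mode an operator will actually see. I would record that next to `peers = [`: `# endpoints resolve via mDNS; peer identity is pinned by publicKey, so a wrong/missing answer only breaks the handshake`. Confirm that the module's service unit orders itself after the resolver it relies on.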
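Review bot: In ringo.nix the `let` bindings `psCfg` and `xdg` and the `with lib;` prefix are never referenced; the file only imports configuration.nix and sets `config.pub-solar.core.lite = true`. Nix is lazy, so the unused `xdg` lookup into `config.home-manager.users."${psCfg.user.name}"` costs nothing at evaluation, but a reader will assume this host depends on the home-manager user config when it does not. I would reduce the file to `{ ... }:`, `{ imports = [ ./configuration.nix ]; config.pub-solar.core.lite = true; }`, or keep the bindings only if the same template is deliberately shared with the other hosts in this commit.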
diff --git a/secrets/cube_drone_exec_runner_config.age b/secrets/cube_drone_exec_runner_config.age new file mode 100644 index 0000000000000000000000000000000000000000..949f716e9c7afcee848c24b98d6d54151c0205d0 GIT binary patch literal 1211 zcmZ9~%j??&0KoCh!IZee*vVtnxiLa*nn#lil_hP{Jet1JCT+IK(lkkv=AAZ=s!UPm zn48Mbi(WPn8E!s?9>zcqDv0QBhbekg7>Gld^MOu$pa{F{FZjThuVxu#!`I^?T-t$u ze-K-hv# z(IYZ(=0HF!`i-t6FD;{5EfTGrG};Z(WSX`=wERVjP=_cus=;KaWVdP)M(QS3sUNdm zHb|G8OogZpI%679-Ra8gh9R*9rtUt9&Y(2|J0wh@@A^VB99EFk(i= zJf3uIIxxYpD*J`vHg9TiqLolsf*Tp23aFsNwM6srFm3ZAJYg2Bo#bYo%1GFW3B{f$ z(Ey3Ffx!-;`Ent|G&fmBcqLyJ4G(~pqB|5&!eK~Ikd2m9Nttv!F|3de*D&6;#tc`3 z(6QCwhOQnD##F-lRA<)UR7!! zpcaT3){>;NDj>yO>G4F;YbljtK#@D_T<{E6h+C92rOob)7G&R5ySO%`At|WWrCuK+ zBLWmewGO&Qkhp!;s5ev!oGz+>s*l#W$KiF==wg1~SJ;%0jNY85thOdLkQNh|eM#*1 zU}kMCS8Z>uHEX8P8q@HU4B-IqlNCEyWR?eWtZn6TM-mCzx>@_?Nj59j5UNyFEe68_ zay?@ULsTf9Uq=l>x6t}R&$*>Tx)DN2BO7#efXOTUxtUEkG9krYYVtZ>_!_6rJSJOL z(#|9&dJcrtmc{5+Z8emql2u}HM;ZnQHS8AMiU==hy)Z4#rMW?G+{FY>NpM=Hk+3=# z0hrTIK*t2l8SVRf2V*H={IeMs;6xjOjy%!Gcxc0daUdvPI(qH$wQWa`gHflVJoodlb+Bi1 zjgDWqK7IM^OPjV3A3b|Vc-p!xK794nZ{$Cp*t-AT(NoZy3?=@0>cii8jePX%JC}FX zPQ7vZkpIB ssh-ed25519 hPyiJw +rkFPrQE8peUim4x6Ky9ZOq1th5ClCoBGZnHpyUpdhg +RUg+Iy9Tr/rYLac2QZXHgEIXVeUgzThkknHKXw0zcc8 +-> ssh-ed25519 YFSOsg f+9e0azb6BGCW2BAqzY0jeGX35SOg5H8esxKnslo1Bw +zTrfb7rz9rtlGL+RYF+k0bPTJrCCj3sIiRpjqkNwktY +-> ssh-rsa 42S2Dw +E0CKXcPmBbOGFjsKpzr6XD2wiK6X6bACpHxO6qdRfN1vntoRLRsrMlHhiB9nbn3V +wyVou0OtIXoEuW7X/AZDatB2zQp4gs/C6j7jX3MhtzC60qrGpqxZ+qSRwsybbMHl +23ceddRQfudIkojKolpuZj6LhmqHo7psg8HF+OMMMvq8AU2/FLULOoWy5pjtfZTf +FrhbjSHJPe8CDGhHVANd7nmhuNYLf/HoO3/VNCmF5g5FVdTl+oIbV/lG+h9XEkMV +Brmew59jOUNZQkKixA8Qs+Q9jmozVKUfdVNt5214NucExbPkgznOmtp5XyfIZUHP +fcOAonVVoSTsEP2YiPSOkg +-> ssh-ed25519 iHV63A RchzJvnl56NtfqNJ4BclwhEnxmxveeXmdKsk5anyoGY +838Yzcs0Y/d4aRGGpaIUe4HlncnHB/90KPl4Jc6M6gc +-> ssh-ed25519 uTVbSg yUxd7jAji+mUlayh3HAmtt15LT0qIijFdZfxm/QXJ1A +B03YY7feAxzquD55hkqdjfjp7F3UOgPws3CHz6vq5/E +-> s-grease 
+sVUB69ht3umxJ0/t3sgli+GG1jJYbRH3NAYRXxyjM7cD7kwimAwa0Cv8briHBncF +CXY +--- +656WjsF5wgufRPmpuHmh4BWdHsLLu2R0ZJ9Ryml35k + mbj%^S0ˠguZUz _Gv=6@㒳{0nj \ No newline at end of file diff --git a/secrets/cube_restic_ssh_private_key.age b/secrets/cube_restic_ssh_private_key.age new file mode 100644 index 00000000..dd6a8dcb --- /dev/null +++ b/secrets/cube_restic_ssh_private_key.age @@ -0,0 +1,22 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw +A6/Q0jkgCU8oT8UwEOXm+ilWBZSkPheytu+qWJ8ow0 +kBztg+HTVR8tNJR9cws2wAfXf/p+SlDZ/HoXYyhSP5Q +-> ssh-ed25519 YFSOsg RlxOjmi/X/nXaN1pur/YkOeNMfaNjaeRlhuIy8Xg/C4 +rXLCp5cOgqg97NlsIhNOtReLro3ELEfcfEFmeh5QmXg +-> ssh-rsa 42S2Dw +ivPg0J88URraGg/P1pYwPbHAPcLRxOEEGhIve858Wv0TJxyeSLFMEgyal6fKnxQN +bE+SuV9ZAWRx4LCmaxq35exfXJAclcC4zg+WOui3uojeWf6Yo/Q0OXGYhS5uHMHm +SJnIKoIKsdrD7g+0hoTKKztrjliK/zw8ooBPP8c6KGKncIhWGWfvS+eBzYkQp0VE +mMplI6YGTGtKavR7w5X9NG9rb5Ot0jdTuM+Q1URhtXbER1ZJWnEQMfdGeHEYKTXA +cJR08iiMY3J/XeYnv+I8B8FBCfWZurMDeH72t7TjObaZEBz/gKl6sk1+FuEBLQR0 +r1Fqd9w06fgMcuVLLdFZQg +-> ssh-ed25519 iHV63A a27f4SrL8d4VTA/zf0ZFN+gRZEZYjfXxGRkK+0BvFBI +FPY1Vl6t1KMdmLMuhrF0NZptzrwGNyEgw+IHxvZkNT4 +-> ssh-ed25519 uTVbSg cNe3wLmtGYd8E/mVT4nnGc9uKwVfKeLkPOA4iWH/n00 +zUGfMmyqVA8+wH4U9e3aLCOyUn7JQbvd2hFViCGkAZs +-> ;y-K-grease 'D %/|`ff=t +EIllMsZQ7AqFv1F9F8SOleLU4Q1PKLJIdw7FL1fveIuPdnBPguvrcyw1kQeCzZ7M +F2LCYbb0cJUlJi1Mo+LxFEC4cCS0NI1hlMtbh5c4cxy7Ay/cpzCxhY9yVV8 +--- fXi80THZW40z8KwPZUmXCYcp3zjgI/P0SyOGbI6SEOI +t_cO9D:EaCXUŘ-w`)!9DO+b<94\e5v=kJ%s|a#޺!PIZGlh:jO`1dq$0RFɦ.w˜]!Mno|gP|ר^"2hBiѫ!~f[z;`HpHF~KJRT~5AgvR3flD/7Y2bSO=)8(F.+<$* 0ǒ@#R]]֚89?W%중!,;Q؊N~xfM*? 吾'xpCU +_ N. \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 9a649db0..50099206 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -26,6 +26,10 @@ in "home_controller_cube_wireguard_key.age".publicKeys = users ++ [ system_cube ]; "cube_nextcloud_admin_pass.age".publicKeys = users ++ [ system_cube ]; "cube_nextcloud_db_pass.age".publicKeys = users ++ [ system_cube ]; + "cube_restic_ssh_private_key.age".publicKeys = users ++ [ system_cube ]; + "cube_restic_repository_password.age".publicKeys = users ++ [ system_cube ]; + + "cube_drone_exec_runner_config.age".publicKeys = users ++ [ system_cube ]; "home_controller_ringo_wireguard_key.age".publicKeys = users ++ [ system_ringo ];