axeman/pub-solar-os
1
0
Fork 0
forked from pub-solar/os
Code Issues Pull requests Packages Projects Releases Wiki Activity

add hosts

Browse source
This commit is contained in:
Hendrik Sokolowski 2022-08-22 00:53:04 +02:00
parent a236fd9664
commit c0f3d1dfb7
53 changed files with 1926 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

42
flake.nix
View file

@ -45,6 +45,8 @@
# hensoko additions
musnix.url = "github:musnix/musnix";
musnix.inputs.nixpkgs.follows = "nixos";
nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs";
};
outputs =
@ -107,7 +109,6 @@
digga.nixosModules.nixConfig
home.nixosModules.home-manager
agenix.nixosModules.age
musnix.nixosModules.musnix
];
};
@ -124,6 +125,27 @@
(import ./tests/first-test.nix { pkgs = nixos.legacyPackages.x86_64-linux; lib = nixos.lib; })
];
};
companion = {
system = "aarch64-linux";
};
cox = {
system = "aarch64-linux";
};
falcone = {
system = "aarch64-linux";
};
giggles = {
system = "aarch64-linux";
};
norman = { };
harrison = {
modules = [
musnix.nixosModules.musnix
];
};
};
importables = rec {
profiles = digga.lib.rakeLeaves ./profiles // {
@ -134,7 +156,6 @@
iso = base ++ [ base-user graphical pub-solar-iso ];
pubsolaros = [ base-user users.root ];
anonymous = [ pubsolaros users.pub-solar ];
pubsolaros-light = [ core-light base-user users.root ];
hensoko = pubsolaros ++ [ users.hensoko ];
hensoko-iot = [ server base-user users.root users.iot ];
@ -151,6 +172,15 @@
# vm
redpanda = hensoko;
# home pc
harrison = hensoko ++ [ daw graphical non-free social work ];
# work laptop
norman = hensoko ++ [ graphical non-free social virtualisation work ];
# cm4
falcone = hensoko-iot;
};
};
};
@ -186,6 +216,14 @@
path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko;
};
};
companion = { sshUser = "iot"; };
cox = { };
giggles = { };
ringo = { };
cube = {
sshUser = "iot";
};
};
};
}

16
hosts/companion/companion.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}

63
hosts/companion/configuration.nix Normal file
View file

@ -0,0 +1,63 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
./home-controller.nix
];
boot.loader.timeout = lib.mkForce 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = lib.mkForce true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
nix = {
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
];
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 2380 6443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

6
hosts/companion/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./companion.nix
] ++ suites.companion;
}

61
hosts/companion/hardware-configuration.nix Normal file
View file

@ -0,0 +1,61 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/3bbde916-e12a-46a7-9eea-4f5e2aef7883";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1";
bypassWorkqueues = true;
fallbackToPassword = true;
};
};
fileSystems."/" =
{
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/5552-1B21";
fsType = "vfat";
};
fileSystems."/var/lib/rancher/k3s/storage" =
{
device = "zroot/kubernetes-localstorage";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/0545db4a-0494-44d7-927a-4c78351c4303"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
networking.hostId = "71f2d82a";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

55
hosts/companion/home-controller.nix Normal file
View file

@ -0,0 +1,55 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "server";
ownIp = "10.0.1.13";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
};
};
}

64
hosts/cox/configuration.nix Normal file
View file

@ -0,0 +1,64 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
./home-controller.nix
];
boot.loader.timeout = 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
nix = {
#package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
];
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 2380 6443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

16
hosts/cox/cox.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}

6
hosts/cox/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./cox.nix
] ++ suites.cox;
}

61
hosts/cox/hardware-configuration.nix Normal file
View file

@ -0,0 +1,61 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/bf333b74-875f-4187-922e-4b433fb53aa2";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1";
bypassWorkqueues = true;
fallbackToPassword = true;
};
};
fileSystems."/" =
{
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/6CB3-6DB8";
fsType = "vfat";
};
fileSystems."/var/lib/rancher/k3s/storage" =
{
device = "zroot/kubernetes-localstorage";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/7ef4a3f8-f4a6-42f5-a57d-21f502ed3dba"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
networking.hostId = "71f2d82a";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

55
hosts/cox/home-controller.nix Normal file
View file

@ -0,0 +1,55 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "server";
ownIp = "10.0.1.12";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
};
};
}

8
hosts/cube/acme.nix Normal file
View file

@ -0,0 +1,8 @@
{ pkgs, config, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "hensoko@gssws.de";
};
}

34
hosts/cube/backup.nix Normal file
View file

@ -0,0 +1,34 @@
{ config, lib, self, ... }:
{
age.secrets.restic_repository_password.file = "${self}/secrets/cube_restic_repository_password.age";
age.secrets.restic_ssh_private_key.file = "${self}/secrets/cube_restic_ssh_private_key.age";
programs.ssh.extraConfig = ''
Host backup
HostName 10.0.1.12
Port 32222
User backup
IdentityFile /run/agenix/restic_ssh_private_key
'';
services.postgresqlBackup = {
enable = true;
backupAll = true;
compression = "zstd";
};
services.restic.backups = {
cox = {
passwordFile = "/run/agenix/restic_repository_password";
paths = [
"/mnt/internal/nextcloud"
"/var/backup/postgresql"
];
repository = "sftp:backup:/data/hdd/restic";
timerConfig = {
OnCalendar = "02:00";
};
};
};
}

55
hosts/cube/configuration.nix Normal file
View file

@ -0,0 +1,55 @@
{ config, lib, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./acme.nix
./backup.nix
./drone.nix
./home-assistant.nix
./nextcloud.nix
#./whiteboard.nix
./wireguard.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
boot.loader.systemd-boot.enable = lib.mkForce false;
time.timeZone = "Europe/Berlin";
networking = {
useDHCP = false;
interfaces.eno1.ipv4.addresses = [{
address = "80.244.242.2";
prefixLength = 29;
}];
defaultGateway = "80.244.242.1";
nameservers = [ "95.129.51.51" "80.244.244.244" ];
};
nix = {
trustedUsers = [ "ci-cache-nix-store" ];
};
services.openssh.ports = [ 2222 ];
networking.nat.enable = true;
networking.nat.internalIPs = [ "10.10.42.0/24" ];
networking.nat.externalInterface = "eno1";
networking.firewall.allowedTCPPorts = [ 80 443 2222 ];
networking.firewall.allowedUDPPorts = [ 51899 ];
networking.firewall.enable = lib.mkForce true;
system.stateVersion = "21.05"; # Did you read the comment?
}

15
hosts/cube/cube.nix Normal file
View file

@ -0,0 +1,15 @@
{ config, pkgs, lib, ... }:
with lib;
with pkgs;
let
psCfg = config.pub-solar;
in
{
imports = [
./configuration.nix
];
pub-solar.core.disk-encryption-active = false;
networking.networkmanager.enable = lib.mkForce false;
}

6
hosts/cube/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./cube.nix
] ++ suites.cube;
}

21
hosts/cube/drone.nix Normal file
View file

@ -0,0 +1,21 @@
{ self, config, pkgs, ... }:
{
age.secrets.drone_exec_runner_config = {
file = "${self}/secrets/cube_drone_exec_runner_config.age";
owner = "999";
};
pub-solar.ci-runner = {
enable = true;
enableKvm = true;
nixCacheLocation = "/mnt/internal/ci-cache-nix-store/nix";
runnerEnvironment = {
DRONE_RUNNER_CAPACITY = "1";
DRONE_RUNNER_LABELS = "hosttype:baremetal";
};
runnerVarsFile = "/run/agenix/drone_exec_runner_config";
};
}

38
hosts/cube/hardware-configuration.nix Normal file
View file

@ -0,0 +1,38 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.extraModprobeConfig = "options kvm_intel nested=1";
fileSystems."/" =
{
device = "/dev/disk/by-uuid/715ef65c-6cb3-4455-99ed-fe7408935d00";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/e76a2e82-bf17-4287-967c-bd0f16d16875";
fsType = "ext2";
};
fileSystems."/mnt/internal" =
{
device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
fsType = "ext4";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/4b0b445b-ae72-439a-8aeb-cbd6a3ed73b9"; }];
}

19
hosts/cube/home-assistant.nix Normal file
View file

@ -0,0 +1,19 @@
{ self, pkgs, config, ... }:
{
# HTTP
services.nginx = {
virtualHosts."ha.gssws.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://10.0.1.254:8123";
proxyWebsockets = true;
extraConfig =
"proxy_ssl_server_name on;" +
"proxy_pass_header Authorization;"
;
};
};
};
}

156
hosts/cube/nextcloud-apps.nix Normal file
View file

@ -0,0 +1,156 @@
{ self, pkgs, config, lib, ... }:
{
services.nextcloud.extraApps = {
"bookmarks" = pkgs.fetchNextcloudApp {
name = "bookmarks";
sha256 = "+Lon8Bbu1O6axALYFDQUkBw5K0fNonEehY51ZSqOiZA=";
url = "https://github.com/nextcloud/bookmarks/releases/download/v11.0.3/bookmarks-11.0.3.tar.gz";
version = "11.0.3";
};
"bruteforcesettings" = pkgs.fetchNextcloudApp {
name = "bruteforcesettings";
sha256 = "cy1Fg6kCiolkDtPF8u/n4JvPrdJadRv4FVMr1zB/Lmk=";
url = "https://github.com/nextcloud-releases/bruteforcesettings/releases/download/v2.4.0/bruteforcesettings-v2.4.0.tar.gz";
version = "2.4.0";
};
"calendar" = pkgs.fetchNextcloudApp {
name = "calendar";
sha256 = "+LRGl9h40AQdWN9SW+NqGwTafAGwV07Af8nVs3pUCm0=";
url = "https://github.com/nextcloud-releases/calendar/releases/download/v3.5.0/calendar-v3.5.0.tar.gz";
version = "3.5.0";
};
"contacts" = pkgs.fetchNextcloudApp {
name = "contacts";
sha256 = "GTiyZsUHBXPgQ17DHAihmt2W/ZnAjDwfgwnujkRwk6A=";
url = "https://github.com/nextcloud-releases/contacts/releases/download/v4.2.2/contacts-v4.2.2.tar.gz";
version = "4.2.2";
};
"cookbook" = pkgs.fetchNextcloudApp {
name = "cookbook";
sha256 = "v64rLGyMQOdStyivpJsKrNxwumVQvyK3CnHtZ+K+elE=";
url = "https://github.com/nextcloud/cookbook/releases/download/v0.9.15/Cookbook-0.9.15.tar.gz";
version = "0.9.15";
};
"cospend" = pkgs.fetchNextcloudApp {
name = "cospend";
sha256 = "VyTo7jii40a0m2hLuUH5PFJXzogECTfGq+2oifMtNNI=";
url = "https://github.com/eneiluj/cospend-nc/releases/download/v1.4.10/cospend-1.4.10.tar.gz";
version = "1.4.10";
};
"deck" = pkgs.fetchNextcloudApp {
name = "deck";
sha256 = "G4v1B5XHYuKEZxNhkd7Fu5OSbzwcS7yFaDkUkydpdPU=";
url = "https://github.com/nextcloud-releases/deck/releases/download/v1.7.1/deck-v1.7.1.tar.gz";
version = "1.7.1";
};
"files_accesscontrol" = pkgs.fetchNextcloudApp {
name = "files_accesscontrol";
sha256 = "7vfN3FF8pfQ3iQib/3EbG7r5HNyrQXjwgwJ9Cna6nT0=";
url = "https://github.com/nextcloud-releases/files_accesscontrol/releases/download/v1.14.1/files_accesscontrol-v1.14.1.tar.gz";
version = "1.14.1";
};
"files_automatedtagging" = pkgs.fetchNextcloudApp {
name = "files_automatedtagging";
sha256 = "C59NQNxox4gyTqIwQX5Yi8D0VwNqoorPli6CE7bl/P0=";
url = "https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.14.0/files_automatedtagging-v1.14.0.tar.gz";
version = "1.14.0";
};
"files_fulltextsearch" = pkgs.fetchNextcloudApp {
name = "files_fulltextsearch";
sha256 = "+cKu9kvsPxajGzyZhu+DDqsxWKrpZmMMxAKg0tyZdBw=";
url = "https://github.com/nextcloud-releases/files_fulltextsearch/releases/download/v24.0.1/files_fulltextsearch-v24.0.1.tar.gz";
version = "24.0.1";
};
"files_markdown" = pkgs.fetchNextcloudApp {
name = "files_markdown";
sha256 = "6vrPNKcPmJ4DuMXN8/oRMr/B/dTlJn2GGi/w4t2wimk=";
url = "https://github.com/icewind1991/files_markdown/releases/download/v2.3.6/files_markdown.tar.gz";
version = "2.3.6";
};
"files_mindmap" = pkgs.fetchNextcloudApp {
name = "files_mindmap";
sha256 = "GcJqn90n9+3VDndNuiohLMDx9fmmMyMkNVNb/bB7ksM=";
url = "https://github.com/ACTom/files_mindmap/releases/download/v0.0.26/files_mindmap-0.0.26.tar.gz";
version = "0.0.26";
};
"fulltextsearch" = pkgs.fetchNextcloudApp {
name = "fulltextsearch";
sha256 = "7Yp+ZELZf2tqKoZ0td2CgPNym7EbLXyxbVKF8OdpNqs=";
url = "https://github.com/nextcloud-releases/fulltextsearch/releases/download/v24.0.0/fulltextsearch-v24.0.0.tar.gz";
version = "24.0.0";
};
"groupfolders" = pkgs.fetchNextcloudApp {
name = "groupfolders";
sha256 = "RHkvpAWH4HbKbM4ZoUy1HCzydVdw2SYQJvzO02sZEVQ=";
url = "https://github.com/nextcloud/groupfolders/releases/download/v12.0.2/groupfolders.tar.gz";
version = "12.0.2";
};
"impersonate" = pkgs.fetchNextcloudApp {
name = "impersonate";
sha256 = "ww11Rfcy0yXU5+8w/rOXRxH+7eD6G8RAm3fZ3PpXgdM=";
url = "https://github.com/nextcloud-releases/impersonate/releases/download/v1.11.0/impersonate-v1.11.0.tar.gz";
version = "1.11.0";
};
"keeweb" = pkgs.fetchNextcloudApp {
name = "keeweb";
sha256 = "idftaF9EU/f61HmL1gijeuKD4yPuf0MJPth4Xr9WgFs=";
url = "https://github.com/jhass/nextcloud-keeweb/releases/download/v0.6.9/keeweb-0.6.9.tar.gz";
version = "0.6.9";
};
"maps" = pkgs.fetchNextcloudApp {
name = "maps";
sha256 = "6dTNNGHKu97LZvRvg7452e2fw+2loUchtRuv31vLIgY=";
url = "https://github.com/nextcloud/maps/releases/download/v0.2.1/maps-0.2.1.tar.gz";
version = "0.2.1";
};
"news" = pkgs.fetchNextcloudApp {
name = "news";
sha256 = "eS0cFwJmYfGGJmA02AOWO/OXfqfyI71u2GataDj18DE=";
url = "https://github.com/nextcloud/news/releases/download/18.2.0/news.tar.gz";
version = "18.2.0";
};
"notes" = pkgs.fetchNextcloudApp {
name = "notes";
sha256 = "rd3uVkVtARX4enRAWm1ivV468lboYZnYe7/zsqaHYpk=";
url = "https://github.com/nextcloud/notes/releases/download/v4.5.1/notes.tar.gz";
version = "4.5.1";
};
"quota_warning" = pkgs.fetchNextcloudApp {
name = "quota_warning";
sha256 = "UaURF2NIj0h+81vbbFxZuyFX7B9QsicUMK5RKtG5O04=";
url = "https://github.com/nextcloud-releases/quota_warning/releases/download/v1.14.0/quota_warning-v1.14.0.tar.gz";
version = "1.14.0";
};
"richdocuments" = pkgs.fetchNextcloudApp {
name = "richdocuments";
sha256 = "nov6GQX4FEg1MAxuTvWxuk9yAPuWHtE1rsbM1B/1Dgk=";
url = "https://github.com/nextcloud-releases/richdocuments/releases/download/v6.2.0/richdocuments-v6.2.0.tar.gz";
version = "6.2.0";
};
#"richdocumentscode" = pkgs.fetchNextcloudApp {
# name = "richdocumentscode";
# sha256 = "URbEB3I02SjoVlRI+gjoNi+/o5Oe4snmoKQUff4T9+A=";
# url = "https://github.com/CollaboraOnline/richdocumentscode/releases/download/22.5.502/richdocumentscode.tar.gz";
# version = "22.5.502";
#};
"spreed" = pkgs.fetchNextcloudApp {
name = "spreed";
sha256 = "wg4BYhcbWCaz1OE4sIVlV1r0cUX5Z923ej7Y/Meands=";
url = "https://github.com/nextcloud-releases/spreed/releases/download/v14.0.5/spreed-v14.0.5.tar.gz";
version = "14.0.5";
};
"tasks" = pkgs.fetchNextcloudApp {
name = "tasks";
sha256 = "kXXUzzODi/qRi2NqtJyiS1GmLTx0kFAwtH1p0rCdnRM=";
url = "https://github.com/nextcloud/tasks/releases/download/v0.14.4/tasks.tar.gz";
version = "0.14.4";
};
"twofactor_totp" = pkgs.fetchNextcloudApp {
name = "twofactor_totp";
sha256 = "cRtpRs1s31l8xG84YkZIuR3C3pg2kQFNlrY2f5NTSBo=";
url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.0/twofactor_totp-v6.4.0.tar.gz";
version = "6.4.0";
};
};
}

142
hosts/cube/nextcloud.nix Normal file
View file

@ -0,0 +1,142 @@
{ self, pkgs, config, lib, ... }:
{
imports = [
./nextcloud-apps.nix
];
age.secrets.nextcloud_db_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${self}/secrets/cube_nextcloud_db_pass.age";
};
age.secrets.nextcloud_admin_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${self}/secrets/cube_nextcloud_admin_pass.age";
};
# HTTP
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts."data.gssws.de" = {
enableACME = true;
forceSSL = true;
};
};
# DATABASES
services.postgresql = {
enable = true;
package = pkgs.postgresql_11;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
];
};
# REDIS
services.redis.servers = {
"nextcloud".enable = true;
};
users.groups."redis-nextcloud".members = [ "nextcloud" ];
# Collabora Code server
virtualisation.oci-containers.containers."nextcloud-collabora-code" = {
image = "collabora/code";
autoStart = true;
ports = [ "127.0.0.1:9980:9980" ];
environment.domain = "data\\.gssws\\.de";
extraOptions = [ "--cap-add" "MKNOD" ];
};
services.nginx.virtualHosts."office.gssws.de" =
let
proxyPass = "https://127.0.0.1:9980";
extraConfig = "proxy_ssl_verify off;";
in
{
enableACME = true;
forceSSL = true;
locations."^~ /browser" = {
inherit proxyPass extraConfig;
};
locations."^~ /hosting/discovery" = {
inherit proxyPass extraConfig;
};
locations."^~ /hosting/capabilities" = {
inherit proxyPass extraConfig;
};
locations."~ ^/cool/(.*)/ws''$" = {
inherit proxyPass extraConfig;
proxyWebsockets = true;
};
locations."~ ^/(c|l)ool" = {
inherit proxyPass extraConfig;
};
locations."^~ /cool/adminws" = {
inherit proxyPass extraConfig;
proxyWebsockets = true;
};
};
# NEXTCLOUD
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud24;
hostName = "data.gssws.de";
https = true;
datadir = "/mnt/internal/nextcloud";
caching.apcu = true;
caching.redis = true;
phpPackage = lib.mkForce pkgs.php81;
phpOptions = {
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
display_errors = "stderr";
"opcache.enable_cli" = "1";
"opcache.interned_strings_buffer" = "32";
"opcache.max_accelerated_files" = "100000";
"opcache.memory_consumption" = "256";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
};
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
dbpassFile = "/run/agenix/nextcloud_db_pass";
adminpassFile = "/run/agenix/nextcloud_admin_pass";
adminuser = "admin";
trustedProxies = [ "80.244.242.2" ];
defaultPhoneRegion = "DE";
};
};
}

63
hosts/cube/wireguard.nix Normal file
View file

@ -0,0 +1,63 @@
{ self, config, pkgs, ... }:
{
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
# Enable WireGuard
networking.wireguard.interfaces = {
wg1 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [ "10.0.1.5" ];
listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# hsha
publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
allowedIPs = [ "10.0.1.254/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
}

57
hosts/falcone/configuration.nix Normal file
View file

@ -0,0 +1,57 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, pkgs, builtins, config, lib, ... }:
{
imports =
[
./hardware-configuration.nix
];
pub-solar.core.disk-encryption-active = false;
boot.loader.timeout = lib.mkForce 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = lib.mkForce true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
extraInstallCommands = ''
cp -r ${inputs.nixpkgs-hensoko.packages.aarch64-linux.raspberrypi4_firmware_uefi}/share/raspberrypi4-firmware-uefi/* /boot/
'';
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 2380 6443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

6
hosts/falcone/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./falcone.nix
] ++ suites.falcone;
}

16
hosts/falcone/falcone.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}

35
hosts/falcone/hardware-configuration.nix Normal file
View file

@ -0,0 +1,35 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
#boot.initrd.supportedFilesystems = [ "zfs" ];
#boot.supportedFilesystems = [ "zfs" ];
#boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
fileSystems."/" =
{ device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

65
hosts/giggles/configuration.nix Normal file
View file

@ -0,0 +1,65 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./home-controller.nix
];
boot.loader.timeout = 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
nix = {
#package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
];
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 2380 6443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

6
hosts/giggles/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./giggles.nix
] ++ suites.giggles;
}

16
hosts/giggles/giggles.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}

61
hosts/giggles/hardware-configuration.nix Normal file
View file

@ -0,0 +1,61 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/ef5804e2-2b07-4434-8144-6ae7d9f615e2";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
bypassWorkqueues = true;
fallbackToPassword = true;
};
};
fileSystems."/" =
{
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/2F05-9B4A";
fsType = "vfat";
};
fileSystems."/var/lib/rancher/k3s/storage" =
{
device = "zroot/kubernetes-localstorage";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/ddad2310-57b5-4851-a7bd-280d7182bcec"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
networking.hostId = "71f2d82a";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

53
hosts/giggles/home-controller.nix Normal file
View file

@ -0,0 +1,53 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "server";
ownIp = "10.0.1.11";
k3s = {
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
};
};
}

19
hosts/harrison/.config/sway/config.d/screens.conf Normal file
View file

@ -0,0 +1,19 @@
set $left 'Dell Inc. DELL S2721DS D0SVQ43'
set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
set $right 'Eizo Nanao Corporation EV2316W 39117013'
output $left {
scale 1
pos 0 0
transform 270
}
output $middle {
scale 1
pos 1440 1150
}
output $right {
scale 1
pos 3360 1150
}

49
hosts/harrison/configuration.nix Normal file
View file

@ -0,0 +1,49 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Set your time zone.
time.timeZone = "Europe/Berlin";
time.hardwareClockInLocalTime = true; # easiest quirk for windows time offset feature
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.dhcpcd.wait = "background";
networking.useDHCP = false;
networking.interfaces.eno1 = {
useDHCP = true;
wakeOnLan = {
enable = true;
};
};
networking.networkmanager.enable = lib.mkForce false;
nixpkgs.config.allowUnsupportedSystem = true;
# List services that you want to enable:
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 22 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}

6
hosts/harrison/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./harrison.nix
] ++ suites.harrison;
}

70
hosts/harrison/hardware-configuration.nix Normal file
View file

@ -0,0 +1,70 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" "raid1" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/e3a0394d-8bb5-4049-bf65-90d7202163cd";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04011806021722115743-0:0-part1";
fallbackToPassword = true;
bypassWorkqueues = true;
};
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
boot.loader.grub = {
efiSupport = true;
enable = lib.mkForce true;
extraEntries = ''
menuentry "Windows" {
insmod part_gpt
insmod fat
insmod search_fs_uuid
insmod chain
search --fs-uuid --set=root 02DB-F12C
chainloader /efi/Microsoft/Boot/bootmgfw.efi
}
'';
devices = [ "nodev" ];
};
fileSystems = {
"/" =
{
device = "/dev/disk/by-uuid/4ad4db6d-543e-4cc5-a781-396e3b527a05";
fsType = "ext4";
};
"/boot" =
{
device = "/dev/disk/by-uuid/4B4A-B1B4";
fsType = "vfat";
};
"/boot2" =
{
device = "/dev/disk/by-uuid/4B2C-385A";
fsType = "vfat";
};
};
swapDevices =
[{ device = "/dev/mapper/vg0-swap"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

21
hosts/harrison/harrison.nix Normal file
View file

@ -0,0 +1,21 @@
{ config, pkgs, lib, ... }:
with lib;
with pkgs;
let
psCfg = config.pub-solar;
in
{
imports = [
./configuration.nix
];
config = {
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
};
services.teamviewer.enable = true;
};
}

16
hosts/norman/.config/sway/config.d/custom-keybindings.conf Normal file
View file

@ -0,0 +1,16 @@
# Screen brightness controls
bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ { print $4}')"
# Keyboard backlight brightness controls
bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
# Pulse Audio controls
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
# Media player controls
bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"

13
hosts/norman/.config/sway/config.d/screens.conf Normal file
View file

@ -0,0 +1,13 @@
set $left 'Dell Inc. DELL S2721DS D0SVQ43'
set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
output $left {
scale 1
pos 0 0
transform 270
}
output $middle {
scale 1
pos 1440 1050
}

63
hosts/norman/configuration.nix Normal file
View file

@ -0,0 +1,63 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./wireguard.nix
];
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.firewall = {
allowedUDPPorts = [
51820
51821
]; # Clients and peers can use the same port, see listenport
};
hardware.nitrokey.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
services.tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
CPU_SCALING_GOVERNOR_ON_AC = "performance";
# The following prevents the battery from charging fully to
# preserve lifetime. Run `tlp fullcharge` to temporarily force
# full charge.
# https://linrunner.de/tlp/faq/battery.html#how-to-choose-good-battery-charge-thresholds
START_CHARGE_THRESH_BAT0 = 40;
STOP_CHARGE_THRESH_BAT0 = 80;
# 100 being the maximum, limit the speed of my CPU to reduce
# heat and increase battery usage:
CPU_MAX_PERF_ON_AC = 100;
CPU_MAX_PERF_ON_BAT = 30;
};
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}

6
hosts/norman/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./norman.nix
] ++ suites.norman;
}

46
hosts/norman/hardware-configuration.nix Normal file
View file

@ -0,0 +1,46 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.loader.grub.trustedBoot = {
enable = true;
systemHasTPM = "YES_TPM_is_activated";
};
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/cdc29f0f-5b18-4ee7-8d38-1f4bac80b1e6";
bypassWorkqueues = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/84CD-91B6";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.trackpoint = {
enable = true;
device = "TPPS/2 ALPS TrackPoint";
emulateWheel = true;
};
}

22
hosts/norman/norman.nix Normal file
View file

@ -0,0 +1,22 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
pub-solar.audio.bluetooth.enable = false;
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
};
};
}

93
hosts/norman/wireguard.nix Normal file
View file

@ -0,0 +1,93 @@
{ config, pkgs, ... }:
{
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";
# Enable WireGuard
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [
"10.0.0.13/32"
"fc00:200::13/128"
];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/home/hensoko/.config/wireguard/hosting-de.private";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# Public key of the server (not a file path).
publicKey = "02/MRPduMGx1as7yS4G7GpL4+pQjsjpyS/tD9iPu8X0=";
# Forward all the traffic via VPN.
allowedIPs = [
"10.0.0.0/24"
"192.168.50.0/24"
"192.168.200.0/24"
"10.20.30.0/24"
"fc00:200::/120"
"95.129.51.5"
"95.129.54.43"
"134.0.28.89"
"134.0.27.108"
"134.0.25.181"
];
# Set this to the server IP and port.
endpoint = "134.0.30.154:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
wg1 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [
"10.7.0.21"
];
listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/home/hensoko/.config/wireguard/data-gssws-de.private";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# Public key of the server (not a file path).
publicKey = "RwMocdha7fyx+MGTtQpZhZQGJY4WU79YgpspYBclK3c=";
# Forward all the traffic via VPN.
allowedIPs = [
"10.7.0.0/24"
];
# Set this to the server IP and port.
endpoint = "80.244.242.2:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
}

35
hosts/ringo/configuration.nix Normal file
View file

@ -0,0 +1,35 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
./hardware-configuration.nix
./home-controller.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp0s25.useDHCP = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}

6
hosts/ringo/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./ringo.nix
] ++ suites.ringo;
}

43
hosts/ringo/hardware-configuration.nix Normal file
View file

@ -0,0 +1,43 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/bd1ebf98-adc1-4868-842f-3d2c6ee04e13";
keyFile = "/dev/disk/by-partuuid/9ff6ebf7-01";
fallbackToPassword = true;
bypassWorkqueues = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/1999ec2e-4564-4f5a-8333-6eb23ae03c8b";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/47ED-2F0B";
fsType = "vfat";
};
fileSystems."/home" =
{
device = "/dev/disk/by-uuid/69c89392-be11-4bd4-8f3b-6b7db20c716e";
fsType = "ext4";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/4ef0cdbc-38f4-4dcb-8fe8-553bbdb06192"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

43
hosts/ringo/home-controller.nix Normal file
View file

@ -0,0 +1,43 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_ringo_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "agent";
ownIp = "10.0.1.21";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
endpoint = "companion.local:51899";
}
];
};
};
};
}

13
hosts/ringo/ringo.nix Normal file
View file

@ -0,0 +1,13 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config.pub-solar.core.lite = true;
}

0
modules/core/bluetooth.nix Normal file
View file

BIN
secrets/cube_drone_exec_runner_config.age Normal file
View file

Binary file not shown.

21
secrets/cube_restic_repository_password.age Normal file
View file

@ -0,0 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw +rkFPrQE8peUim4x6Ky9ZOq1th5ClCoBGZnHpyUpdhg
RUg+Iy9Tr/rYLac2QZXHgEIXVeUgzThkknHKXw0zcc8
-> ssh-ed25519 YFSOsg f+9e0azb6BGCW2BAqzY0jeGX35SOg5H8esxKnslo1Bw
zTrfb7rz9rtlGL+RYF+k0bPTJrCCj3sIiRpjqkNwktY
-> ssh-rsa 42S2Dw
E0CKXcPmBbOGFjsKpzr6XD2wiK6X6bACpHxO6qdRfN1vntoRLRsrMlHhiB9nbn3V
wyVou0OtIXoEuW7X/AZDatB2zQp4gs/C6j7jX3MhtzC60qrGpqxZ+qSRwsybbMHl
23ceddRQfudIkojKolpuZj6LhmqHo7psg8HF+OMMMvq8AU2/FLULOoWy5pjtfZTf
FrhbjSHJPe8CDGhHVANd7nmhuNYLf/HoO3/VNCmF5g5FVdTl+oIbV/lG+h9XEkMV
Brmew59jOUNZQkKixA8Qs+Q9jmozVKUfdVNt5214NucExbPkgznOmtp5XyfIZUHP
fcOAonVVoSTsEP2YiPSOkg
-> ssh-ed25519 iHV63A RchzJvnl56NtfqNJ4BclwhEnxmxveeXmdKsk5anyoGY
838Yzcs0Y/d4aRGGpaIUe4HlncnHB/90KPl4Jc6M6gc
-> ssh-ed25519 uTVbSg yUxd7jAji+mUlayh3HAmtt15LT0qIijFdZfxm/QXJ1A
B03YY7feAxzquD55hkqdjfjp7F3UOgPws3CHz6vq5/E
-> s-grease
sVUB69ht3umxJ0/t3sgli+GG1jJYbRH3NAYRXxyjM7cD7kwimAwa0Cv8briHBncF
CXY
--- +656WjsF5wgufRPmpuHmh4BWdHsLLu2R0ZJ9Ryml35k
—»¢ à£mbjôò%ÞöǪµüƒÜò¯^S¸ÅÒ0„ðžË ¾Ðgu÷Z“UŸz¸ _˜²¶ÛGv„=³6Œ@ã’³Öâ¥ðÒ{0<>n

22
secrets/cube_restic_ssh_private_key.age Normal file
View file

@ -0,0 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw +A6/Q0jkgCU8oT8UwEOXm+ilWBZSkPheytu+qWJ8ow0
kBztg+HTVR8tNJR9cws2wAfXf/p+SlDZ/HoXYyhSP5Q
-> ssh-ed25519 YFSOsg RlxOjmi/X/nXaN1pur/YkOeNMfaNjaeRlhuIy8Xg/C4
rXLCp5cOgqg97NlsIhNOtReLro3ELEfcfEFmeh5QmXg
-> ssh-rsa 42S2Dw
ivPg0J88URraGg/P1pYwPbHAPcLRxOEEGhIve858Wv0TJxyeSLFMEgyal6fKnxQN
bE+SuV9ZAWRx4LCmaxq35exfXJAclcC4zg+WOui3uojeWf6Yo/Q0OXGYhS5uHMHm
SJnIKoIKsdrD7g+0hoTKKztrjliK/zw8ooBPP8c6KGKncIhWGWfvS+eBzYkQp0VE
mMplI6YGTGtKavR7w5X9NG9rb5Ot0jdTuM+Q1URhtXbER1ZJWnEQMfdGeHEYKTXA
cJR08iiMY3J/XeYnv+I8B8FBCfWZurMDeH72t7TjObaZEBz/gKl6sk1+FuEBLQR0
r1Fqd9w06fgMcuVLLdFZQg
-> ssh-ed25519 iHV63A a27f4SrL8d4VTA/zf0ZFN+gRZEZYjfXxGRkK+0BvFBI
FPY1Vl6t1KMdmLMuhrF0NZptzrwGNyEgw+IHxvZkNT4
-> ssh-ed25519 uTVbSg cNe3wLmtGYd8E/mVT4nnGc9uKwVfKeLkPOA4iWH/n00
zUGfMmyqVA8+wH4U9e3aLCOyUn7JQbvd2hFViCGkAZs
-> ;y-K-grease 'D %/|`ff=t
EIllMsZQ7AqFv1F9F8SOleLU4Q1PKLJIdw7FL1fveIuPdnBPguvrcyw1kQeCzZ7M
F2LCYbb0cJUlJi1Mo+LxFEC4cCS0NI1hlMtbh5c4cxy7Ay/cpzCxhY9yVV8
--- fXi80THZW40z8KwPZUmXCYcp3zjgI/P0SyOGbI6SEOI
tã_öcO¿9¿<EFBFBD>ÀD:EŒ¯aCXûU¦Åãà×ì´ÐŘí-wØÄ<ÔÚÕâsFw¥{íclœ<6C>×ÙÍЮ?Zô¦{œ¥%þ1XÝh<C39D>‡çÖÚ`™>`)!ÔÏ9DO+bð<âþ9¨÷4\˜¸ËÒeæ5v<35>ö=kJ”%sðŽÏ|a#ÞºÎ!PIçZ°£•êGlªh:j©”ÅO¦`1dqÓ$0ýRFɦð.ݽwù˜]!¸¢<C2B8>Mnøo|ägPšÌ|רÒ^Ð"£2òÛÅhB…¬øiÑ«§Òá¨<18>!~f[zü¿;`ÑHpÅH F~–§ëýK<C3BD>ÁJRÖñT~5¬Ag†<67>v•œªR3öf©¼lÁD/7ÔY2ÚÍb<7F><E284A2>SáO­»=)¦8£(±ÅýÛF.ÁÑ+ì<$* 0×Ç<C387>@¬#R]]±¢Öš8Ç9?ñW·%¯Õñ중ë!ƒÝ,;Qåͺ¥£±®ØŠÝÙNÒ~ÿx¸±¥fM*?Úð˜ áå<C3A1>¾Èì'x½ÝÏpØCߪËU
<>ü_ N.éŽÈ

4
secrets/secrets.nix
View file

@ -26,6 +26,10 @@ in
"home_controller_cube_wireguard_key.age".publicKeys = users ++ [ system_cube ];
"cube_nextcloud_admin_pass.age".publicKeys = users ++ [ system_cube ];
"cube_nextcloud_db_pass.age".publicKeys = users ++ [ system_cube ];
"cube_restic_ssh_private_key.age".publicKeys = users ++ [ system_cube ];
"cube_restic_repository_password.age".publicKeys = users ++ [ system_cube ];
"cube_drone_exec_runner_config.age".publicKeys = users ++ [ system_cube ];
"home_controller_ringo_wireguard_key.age".publicKeys = users ++ [ system_ringo ];