Merge remote-tracking branch 'gum/master'

lassulus 2023-07-28 23:59:58 +02:00
commit 02e790c9fb
655 changed files with 20 additions and 25577 deletions


@ -9,6 +9,7 @@
hostDefaults = hostName: host: foldl' recursiveUpdate {} [
{
ci = false;
owner = config.krebs.users.makefu;
}
# Retiolum defaults
@ -60,13 +61,11 @@
in {
hosts = mapAttrs hostDefaults {
cake = rec {
ci = false;
nets = {
retiolum.ip4.addr = "10.243.136.236";
};
};
crapi = rec { # raspi1
ci = false;
nets = {
retiolum.ip4.addr = "10.243.136.237";
};
@ -83,25 +82,21 @@ in {
};
studio = rec {
ci = false;
nets = {
retiolum.ip4.addr = "10.243.227.163";
};
};
fileleech = rec {
ci = false;
nets = {
retiolum.ip4.addr = "10.243.113.98";
};
};
tsp = {
ci = true;
nets = {
retiolum.ip4.addr = "10.243.0.212";
};
};
x = {
ci = true;
syncthing.id = "OA36OF6-JEFCUJQ-OEYVTMH-DPCACQI-3AJRE5G-BFVMOUG-RPYJQE3-4ZCUWA5";
nets = {
retiolum.ip4.addr = "10.243.0.91";
@ -113,14 +108,12 @@ in {
};
filepimp = rec {
ci = false;
nets = {
retiolum.ip4.addr = "10.243.153.102";
};
};
omo = rec {
ci = true;
syncthing.id = "Y5OTK3S-JOJLAUU-KTBXKUW-M7S5UEQ-MMQPUK2-7CXO5V6-NOUDLKP-PRGAFAK";
nets = {
wiregrill = {
@ -143,7 +136,6 @@ in {
};
};
wbob = rec {
ci = true;
nets = {
retiolum = {
ip4.addr = "10.243.214.15";
@ -163,7 +155,6 @@ in {
};
latte = rec {
ci = true;
extraZones = {
"krebsco.de" = ''
latte.euer IN A ${nets.internet.ip4.addr}
@ -201,7 +192,6 @@ in {
};
};
gum = rec {
ci = true;
extraZones = {
"krebsco.de" = ''
rss.euer IN A ${nets.internet.ip4.addr}
@ -305,7 +295,6 @@ in {
};
sdev = rec {
ci = true;
nets = {
retiolum.ip4.addr = "10.243.83.237";
};
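Review bot: The per-host `ci = true;` entries (tsp, x, omo, wbob, latte, gum, sdev in the later hunks) no longer survive on the new side, so every host in `hosts = mapAttrs hostDefaults { … }` falls back to the `ci = false;` default declared in `hostDefaults` at the top of the first hunk, and none of these hosts is built by CI any more; the page does not mark line sides, so this reading is inferred from the hunk counts. If that is intended because the hosts are now built outside this repository, say so next to the default, e.g. `ci = false; # makefu hosts are no longer built by krebs ci`, so the next reader does not re-add the flags. The `owner = config.krebs.users.makefu;` line appears to be the only addition; if so, a short comment stating that the ownership default replaces the per-host `ci` switch would document the intent of the whole section.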


@ -1,3 +0,0 @@
{
user = "password";
}


@ -1 +0,0 @@
"derp"


@ -1 +0,0 @@
dickbutt2342.onion


@ -1,4 +0,0 @@
{
MATRIX_TOKEN="a";
MATRIX_ID="b";
}


@ -1 +0,0 @@
""


@ -1,2 +0,0 @@
{
}


@ -1 +0,0 @@
""


@ -1,5 +0,0 @@
{
adminUser = "dick";
adminPassword = "butt";
}


@ -1,5 +0,0 @@
{
username = "bob";
password = "rob";
}


@ -1 +0,0 @@
{}


@ -1 +0,0 @@
""


@ -1,5 +0,0 @@
{
"platform": "polling",
"api_key": "1:A",
"allowed_chat_ids": [ 0, 1 ]
}


@ -1,4 +0,0 @@
{
username = "lol";
password = "wut";
}


@ -1 +0,0 @@
"derp"


@ -1,4 +0,0 @@
{
"dick" = "butt";
}


@ -1 +0,0 @@
"derp"


@ -1 +0,0 @@
{ "lol" = "wut"; }


@ -1 +0,0 @@
{ "lol" = "wut"; }


@ -1,3 +0,0 @@
{
"dick.nsupdate.info" = "butt";
}


@ -1,4 +0,0 @@
{
db.username = "photoprism";
db.password = "photoprism";
}


@ -1,6 +0,0 @@
{
number = "+1dotdotdot";
home = "group.ABCDE";
felix = "group.ABCDE";
}


@ -1,2 +0,0 @@
TONIE_AUDIO_MATCH_USER=
TONIE_AUDIO_MATCH_PASS=


@ -1 +0,0 @@
"$6$lol"


@ -1,6 +0,0 @@
{
mqtt.password = "hass";
mqtt.username = "hass";
zigbee.network_key = [ 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 ];
}


@ -1,38 +0,0 @@
{ config, lib, pkgs, ... }:
let
primaryInterface = "eth0";
in {
imports = [
<stockholm/makefu>
./hardware-config.nix
<stockholm/makefu/2configs/home-manager>
<stockholm/makefu/2configs/home/3dprint.nix>
#./hardware-config.nix
{ environment.systemPackages = with pkgs;[ rsync screen curl git tmux picocom mosh ];}
# <stockholm/makefu/2configs/tools/core.nix>
<stockholm/makefu/2configs/binary-cache/nixos.nix>
#<stockholm/makefu/2configs/support-nixos.nix>
# <stockholm/makefu/2configs/homeautomation/default.nix>
# <stockholm/makefu/2configs/homeautomation/google-muell.nix>
# <stockholm/makefu/2configs/hw/pseyecam.nix>
# configure your hw:
# <stockholm/makefu/2configs/save-diskspace.nix>
# directly use the alsa device instead of attaching to pulse
<stockholm/makefu/2configs/audio/respeaker.nix>
<stockholm/makefu/2configs/home/rhasspy/default.nix>
<stockholm/makefu/2configs/home/rhasspy/led-control.nix>
];
krebs = {
enable = true;
tinc.retiolum.enable = true;
build.host = config.krebs.hosts.cake;
};
# ensure disk usage is limited
services.journald.extraConfig = "Storage=volatile";
networking.firewall.trustedInterfaces = [ primaryInterface ];
documentation.info.enable = false;
documentation.man.enable = false;
documentation.nixos.enable = false;
}


@ -1,15 +0,0 @@
{ pkgs, lib, ... }:
{
environment.systemPackages = [ pkgs.libraspberrypi ];
imports = [ <nixos-hardware/raspberry-pi/4> ];
boot.kernelPackages = pkgs.linuxPackages_rpi4;
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
options = [ "noatime" ];
};
};
hardware.raspberry-pi."4".fkms-3d.enable = true;
hardware.raspberry-pi."4".audio.enable = true;
}


@ -1,6 +0,0 @@
{
name="cake";
full = true;
home-manager = true;
hw = true;
}


@ -1,4 +0,0 @@
1. flash arm6 image from https://www.cs.helsinki.fi/u/tmtynkky/nixos-arm/installer/ to sdcard
2. passwd; systemctl start sshd; mkdir /var/src ; touch /var/src/.populate
3. "environment.systemPackages = [ pkgs.rsync pkgs.git ];" in /etc/nixos/configuration.nix
5. nixos-rebuild switch --fast --option binary-caches http://nixos-arm.dezgeg.me/channel --option binary-cache-public-keys nixos-arm.dezgeg.me-1:xBaUKS3n17BZPKeyxL4JfbTqECsT+ysbDJz29kLFRW0=%


@ -1,15 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
<stockholm/makefu>
./hardware-config.nix
<stockholm/makefu/2configs>
<stockholm/makefu/2configs/tinc/retiolum.nix>
<stockholm/makefu/2configs/save-diskspace.nix>
];
krebs.build.host = config.krebs.hosts.crapi;
services.openssh.enable = true;
}


@ -1,39 +0,0 @@
{ pkgs, lib, ... }:
{
#raspi1
boot.kernelParams = ["cma=32M" "console=ttyS0,115200n8" "console=tty0" "console=ttyS1,115200n8" ];
boot.loader.grub.enable = false;
boot.loader.raspberryPi.enable = true;
boot.loader.raspberryPi.version = 1;
boot.loader.raspberryPi.uboot.enable = true;
boot.loader.raspberryPi.uboot.configurationLimit = 1;
boot.loader.generationsDir.enable = lib.mkDefault false;
hardware.enableRedistributableFirmware = true;
boot.cleanTmpDir = true;
environment.systemPackages = [ pkgs.raspberrypi-tools ];
boot.kernelPackages = pkgs.linuxPackages_rpi;
nix.binaryCaches = [ "http://nixos-arm.dezgeg.me/channel" ];
nix.binaryCachePublicKeys = [ "nixos-arm.dezgeg.me-1:xBaUKS3n17BZPKeyxL4JfbTqECsT+ysbDJz29kLFRW0=%" ];
fileSystems = {
"/boot" = {
device = "/dev/disk/by-label/NIXOS_BOOT";
fsType = "vfat";
};
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
system.activationScripts.create-swap = ''
if [ ! -e /swapfile ]; then
fallocate -l 2G /swapfile
mkswap /swapfile
chmod 600 /swapfile
fi
'';
swapDevices = [ { device = "/swapfile"; size = 4096; } ];
}


@ -1,3 +0,0 @@
{
arm6 = true;
}


@ -1,76 +0,0 @@
{ config, pkgs, lib, ... }:
with import <stockholm/lib>;
let
# all the good stuff resides in /data
byid = dev: "/dev/disk/by-id/" + dev;
rootDisk = byid "ata-INTEL_SSDSC2BW480H6_CVTR53120385480EGN";
bootPart = rootDisk + "-part1";
rootPart = rootDisk + "-part2";
allDisks = [ rootDisk ]; # auxDisk
in {
imports = [
<stockholm/makefu>
<stockholm/makefu/2configs/fs/sda-crypto-root.nix>
<stockholm/makefu/2configs/sshd-totp.nix>
<stockholm/makefu/2configs/zsh-user.nix>
<stockholm/makefu/2configs/smart-monitor.nix>
<stockholm/makefu/2configs/exim-retiolum.nix>
# <stockholm/makefu/2configs/virtualisation/libvirt.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
<stockholm/makefu/2configs/tools/core.nix>
<stockholm/makefu/2configs/stats/client.nix>
# <stockholm/makefu/2configs/nsupdate-data.nix>
<stockholm/makefu/2configs/share/anon-ftp.nix>
# lan party
<stockholm/makefu/2configs/lanparty/lancache.nix>
<stockholm/makefu/2configs/lanparty/lancache-dns.nix>
<stockholm/makefu/2configs/lanparty/samba.nix>
<stockholm/makefu/2configs/lanparty/mumble-server.nix>
<stockholm/makefu/2configs/virtualisation/libvirt.nix>
];
#networking.firewall.enable = false;
makefu.server.primary-itf = "enp0s25";
# krebs.hidden-ssh.enable = true;
boot.kernelModules = [ "coretemp" "f71882fg" ];
hardware.enableRedistributableFirmware = true;
nixpkgs.config.allowUnfree = true;
networking = {
wireless.enable = true;
firewall = {
allowPing = true;
logRefusedConnections = false;
# trustedInterfaces = [ "eno1" ];
allowedUDPPorts = [ 80 655 1655 67 ];
allowedTCPPorts = [ 80 655 1655 ];
};
# fallback connection to the internal virtual network
# interfaces.virbr3.ip4 = [{
# address = "10.8.8.2";
# prefixLength = 24;
# }];
};
# TODO smartd omo darth gum all-in-one
services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
boot.loader.grub.device = rootDisk;
boot.initrd.luks.devices = [
{ name = "luksroot";
device = rootPart;
allowDiscards = true;
keyFileSize = 4096;
keyFile = "/dev/sdb";
}
];
krebs.build.host = config.krebs.hosts.darth;
}


@ -1,3 +0,0 @@
{
name="darth";
}


@ -1,40 +0,0 @@
{ config, pkgs, ... }:
let
external-ip = "45.55.145.62";
default-gw = "45.55.128.1";
prefixLength = 18;
in {
imports = [
<stockholm/makefu>
<stockholm/makefu/2configs/hw/CAC.nix>
<stockholm/makefu/2configs/save-diskspace.nix>
<stockholm/makefu/2configs/torrent.nix>
];
krebs = {
enable = true;
tinc.retiolum.enable = true;
build.host = config.krebs.hosts.drop;
};
boot.loader.grub.device = "/dev/vda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" "virtio_net" "virtio_scsi" ];
fileSystems."/" = {
device = "/dev/vda1";
fsType = "ext4";
};
networking = {
firewall = {
allowPing = true;
logRefusedConnections = false;
allowedTCPPorts = [ ];
allowedUDPPorts = [ 655 ];
};
interfaces.enp0s3.ipv4.addresses = [{
address = external-ip;
inherit prefixLength;
}];
defaultGateway = default-gw;
nameservers = [ "8.8.8.8" ];
};
}


@ -1,4 +0,0 @@
{
name="drop";
torrent = true;
}


@ -1,174 +0,0 @@
{ config, pkgs, lib, ... }:
let
toMapper = id: "/media/crypt${builtins.toString id}";
byid = dev: "/dev/disk/by-id/" + dev;
keyFile = byid "usb-Intuix_DiskOnKey_09A07360336198F8-0:0";
rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN";
rootPartition = rootDisk + "-part3";
dataDisks = let
idpart = dev: byid dev + "-part1";
in [
{ name = "crypt0"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GDLJEF";}
{ name = "crypt1"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GGWG8F";}
{ name = "crypt2"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GH5NAF";}
{ name = "crypt3"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GJWGDF";}
{ name = "crypt4"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXHF";}
{ name = "crypt5"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXVF";}
{ name = "crypt6"; device = idpart "scsi-1ATA_HUA722020ALA330_YAJJ8WRV";}
{ name = "crypt7"; device = idpart "scsi-1ATA_HUA722020ALA330_YBKTUS4F";} # parity
];
disks = [ { name = "luksroot"; device = rootPartition; } ] ++ dataDisks;
in {
imports = [
<stockholm/makefu>
<stockholm/makefu/2configs/tinc/retiolum.nix>
<stockholm/makefu/2configs/disable_v6.nix>
<stockholm/makefu/2configs/torrent.nix>
<stockholm/makefu/2configs/fs/sda-crypto-root.nix>
#<stockholm/makefu/2configs/elchos/irc-token.nix>
# <stockholm/makefu/2configs/elchos/log.nix>
# <stockholm/makefu/2configs/elchos/search.nix>
# <stockholm/makefu/2configs/elchos/stats.nix>
];
systemd.services.grafana.serviceConfig.LimitNOFILE=10032;
systemd.services.graphiteApi.serviceConfig.LimitNOFILE=10032;
systemd.services.carbonCache.serviceConfig.LimitNOFILE=10032;
makefu.server.primary-itf = "enp8s0f0";
krebs = {
enable = true;
build.host = config.krebs.hosts.fileleech;
};
# git clone https://github.com/makefu/docker-pyload
# docker build .
# docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P docker-pyload
virtualisation.docker.enable = true; # for pyload
networking.firewall.allowPing = true;
networking.firewall.logRefusedConnections = false;
networking.firewall.allowedTCPPorts = [
51412 # torrent
8112 # rutorrent-web
8113 # pyload
8080 # sabnzbd
9090 # sabnzbd-ssl
655 # tinc
21 # ftp
];
services.nginx.virtualHosts._download = {
default = true;
root = config.makefu.dl-dir;
extraConfig = ''
autoindex on;
'';
basicAuth = import <secrets/kibana-auth.nix>;
};
networking.firewall.allowedUDPPorts = [
655 # tinc
51412 # torrent
];
services.vsftpd.enable = true;
services.vsftpd.localUsers = true;
services.vsftpd.userlist = [ "download" ];
services.vsftpd.userlistEnable = true;
# services.vsftpd.chrootlocalUser = true;
services.sabnzbd.enable = true;
systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
# TODO use users.motd and pam.services.sshd.showMotd
services.openssh.extraConfig = let banner = pkgs.writeText "openssh-banner" ''
Services:
ssh://download@fileleech - ssh via filebitch
ftp://download@fileleech - access to ${config.makefu.dl-dir}
http://fileleech:8112 - rutorrent
http://fileleech:8113 - pyload
https://fileleech:9090 - sabnzb
''; in "Banner ${banner}";
boot.initrd.luks = {
devices = let
usbkey = name: device: {
inherit name device keyFile;
keyFileSize = 4096;
allowDiscards = true;
};
in builtins.map (x: usbkey x.name x.device) disks;
};
environment.systemPackages = with pkgs;[ mergerfs ];
fileSystems = let
cryptMount = name:
{ "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
in cryptMount "crypt0"
// cryptMount "crypt1"
// cryptMount "crypt2"
// cryptMount "crypt3"
// cryptMount "crypt4"
// cryptMount "crypt5"
// cryptMount "crypt6"
// cryptMount "crypt7"
# this entry sometimes creates issues
// { "/media/cryptX" = {
device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 3 4 5 6 ]);
fsType = "mergerfs";
noCheck = true;
options = [ "defaults" "nofail" "allow_other" "nonempty" ]; };
}
;
makefu.dl-dir = "/media/cryptX";
users.users.download = {
useDefaultShell = true;
# name = "download";
# createHome = true;
openssh.authorizedKeys.keys = [
config.krebs.users.makefu.pubkey
config.krebs.users.lass.pubkey
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7betFnMWVeBYRhJ+2f0B5WbDdbpteIVg/BlyimXbx79R7lZ7nUq5GyMLrp7B00frUuA0su8oFFN3ODPJDstgBslBIP7kWPR2zW8NOXorrbFo3J2fKvlO77k6/wD5/M11m5nS01/aVJgAgMGLg2W12G7EMf5Wq75YsQJC/S9p8kMca589djMPRuQETu7fWq0t/Gmwq+2ELLL0csRK87LvybA92JYkAIneRnGzIlCguOXq0Vcq6pGQ1J1PfVEP76Do33X29l2hZc/+vR9ExW6s2g7fs5/5LDX9Wnq7+AEsxiEf4IOeL0hCG4/CGGCN23J+6cDrNKOP94AHO1si0O2lxFsxgNU2vdVWPNgSLottiUFBPPNEZFD++sZyutzH6PIz6D90hB2Q52X6WN9ZUtlDfQ91rHd+S2BhR6f4dAqiRDXlI5MNNDdoTT4S5R0wU/UrNwjiV/xiu/hWZYGQK7YgY4grFRblr378r8FqjLvumPDFMDLVa9eJKq1ad1x/GV5tZpsttzWj4nbixaKlZOg+TN2GHboujLx3bANz1Jqfvfto8UOeKTtA8pkb8E1PJPpBMOZcA7oHaqJrp6Vuf/SkmglHnQvGbi60OK3s61nuRmIcBiTXd+4qeAJpq1QyEDj3X/+hV0Gwz8rCo6JGkF1ETW37ZYvqU9rxNXjS+/Pfktw== jules@kvasir-2015-02-13"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDINUD+p2yrc9KoTbCiuYhdfLlRu/eNX6BftToSMLs8O9qWQORjgXbDn8M9iUWXCHzdUZ9sm6Rz8TMdEV0jZq/nB01zYnW4NhMrt+NGtrmGqDa+eYrRZ4G7Rx8AYzM/ZSwERKX10txAVugV44xswRxWvFbCedujjXyWsxelf1ngb+Hiy9/CPuWNYEhTZs/YuvNkupCui2BuKuoSivJAkLhGk5YqwwcllCr39YXa/tFJWsgoQNcB9hwpzfhFm6Cc7m5DhmTWSVhQHEWyaas8Lukmd4v+mRY+KZpuhbomCHWzkxqzdBun8SXiiAKlgem9rtBIgeTEfz9OtOfF3/6VfqE7 toerb@mittagspause ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0IP143FAHBHWjEEKGOnM8SSTIgNF1MJxGCMKaJvTHf momo@k2.local"
"ssh-rsa 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 me@andreaskist.de"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo2z8zsI+YF3ho0hvYzzCZi05mNyjk4iFK08+nNFCdXSG07jmRROWzTcC2ysTKZ56XD2al2abLxy4FZfmDcu9b2zJoPnIiXv/Jw0TKeZ71OyN3bILtv+6Xj1FTJ+kAUMXBfEew7UCgZZ8u8RQsFmlhqB9XqCBXmzP7I2EM1wWSzwEAgG/k6C+Ir054JjAj+fLr/wBduD1GAe8bXXF3Ojiky8OMs2oJaoGV96mrVAtVN+ftfWSvHCK31Y/KgCoPDE4LdoTir1IRfx2pZUMPkyzRW/etXT0PKD96I+/3d1xNPzNNjFpd6GqADC3xnfY3WslNgjL7gqwsC9SlEyuT1Xkd lotho@mercurius"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClaVl9Fwp4wdGLeTZdfy5MpJf+hM6fpL1k6UmtYXWgVYU7tgmStdlpLlbyMQspoFRtT7/76n4kPwCmM0c82xNXaJJMuWa98pwMp+bAwSSdOGAP/vjfzL/TUAX+Xtrw6ehF7r1O+zqw/E/bWt6UezKj08wDLWjByzdDQwslJV6lrGek4mmYRdgmHHeZ1oG89ePEZJZOM6jcZqv0AfIj0NID3ir9Z0kz9uSSXb1279Qt4953mfjs5xwhtc1B7vrxJ3qtTZUsBoAkUkLeulUEIjkfn60wvDGu/66GP5ZClXyk2gck/ZNmtFYrQoqx9EtF1KK02cC17A0nfRySQy5BnfWn root@filebitch"
];
};
makefu.snapraid = {
enable = true;
disks = map toMapper [ 0 1 2 3 4 5 6 ];
parity = toMapper 7;
};
networking.nameservers = [ "8.8.8.8" ];
# SPF
networking.defaultGateway = "151.217.176.1";
networking.interfaces.enp6s0f0.ipv4.addresses = [{
address = "151.217.178.63";
prefixLength = 22;
}];
# Gigabit
networking.interfaces.enp8s0f1.ipv4.addresses = [{
address = "192.168.126.1";
prefixLength = 24;
}];
#interfaces.enp6s0f1.ip4 = [{
# address = external-ip;
# prefixLength = 22;
#}];
boot.loader.grub.device = rootDisk;
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "aacraid" "usb_storage" "usbhid" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# http://blog.hackathon.de/using-unsupported-sfp-modules-with-linux.html
boot.extraModprobeConfig = ''
options ixgbe allow_unsupported_sfp=1
'';
}


@ -1,4 +0,0 @@
{
name = "fileleech";
torrent = true;
}


@ -1,22 +0,0 @@
{ config, pkgs, lib, ... }:
# nix-shell -p wol --run 'wol C8:CB:B8:CF:E4:DC --passwd=CA-FE-BA-BE-13-37'
let
itf = config.makefu.server.primary-itf;
in {
imports =
[ # Include the results of the hardware scan.
./hw.nix
<stockholm/makefu>
<stockholm/makefu/2configs/home-manager>
<stockholm/makefu/2configs/fs/single-partition-ext4.nix>
<stockholm/makefu/2configs/smart-monitor.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
<stockholm/makefu/2configs/filepimp-share.nix>
];
krebs.build.host = config.krebs.hosts.filepimp;
networking.firewall.trustedInterfaces = [ itf ];
networking.interfaces.${itf}.wakeOnLan.enable = true;
}


@ -1,83 +0,0 @@
{ config, pkgs, lib, ... }:
let
byid = dev: "/dev/disk/by-id/" + dev;
part1 = disk: disk + "-part1";
rootDisk = byid "ata-SanDisk_SDSSDP064G_140237402890";
primary-interface = "enp3s0"; # c8:cb:b8:cf:e4:dc
# N54L Chassis:
# ____________________
# |______FRONT_______|
# | [ ]|
# | [ d1 d0 d3 d4 ]|
# |___[_____________]|
jDisk1 = byid "ata-ST4000DM000-1F2168_Z3040NEA";
# transfer to omo
jDisk0 = byid "ata-ST4000DM000-1F2168_Z303HVSG";
jDisk2 = byid "ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E0621363";
jDisk3 = byid "ata-TOSHIBA_MD04ACA400_156GK89OFSBA";
allDisks = [ rootDisk jDisk0 jDisk1 jDisk2 jDisk3 ];
in {
boot = {
loader.grub.device = rootDisk;
initrd.availableKernelModules = [
"ahci"
"ohci_pci"
"ehci_pci"
"pata_atiixp"
"usb_storage"
"usbhid"
];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
makefu.server.primary-itf = primary-interface;
hardware.enableRedistributableFirmware = true;
hardware.cpu.amd.updateMicrocode = true;
zramSwap.enable = true;
makefu.snapraid = let
toMedia = name: "/media/" + name;
in {
enable = true;
# todo combine creation when enabling the mount point
disks = map toMedia [
"j0"
"j1"
"j2"
];
parity = toMedia "par0";
};
# TODO: refactor, copy-paste from omo
services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
powerManagement.powerUpCommands = lib.concatStrings (map (disk: ''
${pkgs.hdparm}/sbin/hdparm -S 100 ${disk}
${pkgs.hdparm}/sbin/hdparm -B 127 ${disk}
${pkgs.hdparm}/sbin/hdparm -y ${disk}
'') allDisks);
fileSystems = let
xfsmount = name: dev:
{ "/media/${name}" = {
device = dev; fsType = "xfs";
options = [ "nofail" ];
}; };
tomedia = id: "/media/${id}";
in
(xfsmount "j0" (part1 jDisk0)) //
(xfsmount "j1" (part1 jDisk1)) //
(xfsmount "j2" (part1 jDisk2)) //
(xfsmount "par0" (part1 jDisk3)) //
{ "/media/jX" = {
device = (lib.concatMapStringsSep ":" (d: (tomedia d)) ["j0" "j1" "j2" ]);
fsType = "mergerfs";
noCheck = true;
options = [ "defaults" "allow_other" "nofail" "nonempty" ];
};
};
environment.systemPackages = [ pkgs.mergerfs ];
}


@ -1,4 +0,0 @@
{
name="filepimp";
home-manager = true;
}


@ -1,25 +0,0 @@
{ config, lib, pkgs, ... }:
let
primaryInterface = "eth0";
in {
imports = [
<stockholm/makefu>
./hardware-config.nix
# <stockholm/makefu/2configs/tools/core.nix>
{ environment.systemPackages = with pkgs;[ rsync screen curl git ];}
<stockholm/makefu/2configs/binary-cache/nixos.nix>
#<stockholm/makefu/2configs/support-nixos.nix>
# configure your hw:
# <stockholm/makefu/2configs/save-diskspace.nix>
];
krebs = {
enable = true;
tinc.retiolum.enable = true;
build.host = config.krebs.hosts.firecracker;
};
networking.firewall.trustedInterfaces = [ primaryInterface ];
documentation.info.enable = false;
documentation.man.enable = false;
services.nixosManual.enable = false;
sound.enable = false;
}


@ -1,30 +0,0 @@
{ pkgs, lib, ... }:
{
boot.kernelParams = lib.mkForce ["console=ttyS2,1500000n8" "earlycon=uart8250,mmio32,0xff1a0000" "earlyprintk"];
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.loader.generic-extlinux-compatible.configurationLimit = 1;
boot.loader.generationsDir.enable = lib.mkDefault false;
boot.supportedFilesystems = lib.mkForce [ "vfat" ];
boot.tmpOnTmpfs = lib.mkForce false;
boot.cleanTmpDir = true;
hardware.enableRedistributableFirmware = true;
## wifi not working, will be fixed with https://github.com/NixOS/nixpkgs/pull/53747
boot.kernelPackages = pkgs.linuxPackages_latest;
networking.wireless.enable = true;
# File systems configuration for using the installer's partition layout
swapDevices = [ { device = "/var/swap"; size = 4096; } ];
fileSystems = {
"/boot" = {
device = "/dev/disk/by-label/NIXOS_BOOT";
fsType = "vfat";
};
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
}


@ -1,4 +0,0 @@
{
name="cake";
full = true;
}


@ -1,261 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
ext-if = config.makefu.server.primary-itf;
allDisks = [ "/dev/sda" "/dev/sdb" ];
in {
imports = [
<stockholm/makefu>
./hetznercloud
{
# wait for mount
systemd.services.rtorrent.wantedBy = lib.mkForce [];
systemd.services.phpfpm-nextcloud.wantedBy = lib.mkForce [];
systemd.services.samba-smbd.wantedBy = lib.mkForce [];
}
{
users.users.lass = {
uid = 19002;
isNormalUser = true;
createHome = true;
useDefaultShell = true;
openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
makefu.pubkey
];
};
}
<stockholm/makefu/2configs/nur.nix>
<stockholm/makefu/2configs/support-nixos.nix>
<stockholm/makefu/2configs/nix-community/supervision.nix>
<stockholm/makefu/2configs/home-manager>
<stockholm/makefu/2configs/home-manager/cli.nix>
# <stockholm/makefu/2configs/stats/client.nix>
<stockholm/makefu/2configs/share>
<stockholm/makefu/2configs/share/hetzner-client.nix>
# <stockholm/makefu/2configs/stats/netdata-server.nix>
<stockholm/makefu/2configs/headless.nix>
# Security
<stockholm/makefu/2configs/sshd-totp.nix>
# Tools
<stockholm/makefu/2configs/tools/core.nix>
<stockholm/makefu/2configs/tools/dev.nix>
<stockholm/makefu/2configs/tools/sec.nix>
#<stockholm/makefu/2configs/tools/desktop.nix>
<stockholm/makefu/2configs/zsh-user.nix>
<stockholm/makefu/2configs/mosh.nix>
<stockholm/makefu/2configs/storj/forward-port.nix>
# <stockholm/makefu/2configs/gui/xpra.nix>
# networking
# <stockholm/makefu/2configs/vpn/vpnws/server.nix>
#<stockholm/makefu/2configs/dnscrypt/server.nix>
# <stockholm/makefu/2configs/iodined.nix>
# <stockholm/makefu/2configs/backup.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
{ # bonus retiolum config for connecting more hosts
krebs.tinc.retiolum = {
#extraConfig = lib.mkForce ''
# ListenAddress = ${external-ip} 53
# ListenAddress = ${external-ip} 655
# ListenAddress = ${external-ip} 21031
# StrictSubnets = yes
# LocalDiscovery = no
#'';
connectTo = [
"prism" "ni" "enklave" "eve" "dishfire"
];
};
networking.firewall = {
allowedTCPPorts =
[
53
655
21031
];
allowedUDPPorts =
[
53
655
21031
];
};
}
# ci
# <stockholm/makefu/2configs/exim-retiolum.nix>
<stockholm/makefu/2configs/git/cgit-retiolum.nix>
### systemdUltras ###
<stockholm/makefu/2configs/systemdultras/ircbot.nix>
###### Shack #####
# <stockholm/makefu/2configs/shack/events-publisher>
# <stockholm/makefu/2configs/shack/gitlab-runner>
<stockholm/makefu/2configs/remote-build/slave.nix>
<stockholm/makefu/2configs/remote-build/aarch64-community.nix>
<stockholm/makefu/2configs/taskd.nix>
# services
<stockholm/makefu/2configs/bitlbee.nix> # postgres backend
# <stockholm/makefu/2configs/sabnzbd.nix>
# <stockholm/makefu/2configs/mail/mail.euer.nix>
{ krebs.exim.enable = mkDefault true; }
<stockholm/makefu/2configs/nix-community/mediawiki-matrix-bot.nix>
# sharing
<stockholm/makefu/2configs/share/gum.nix> # samba sahre
<stockholm/makefu/2configs/torrent/rtorrent.nix>
# <stockholm/makefu/2configs/sickbeard>
{ nixpkgs.config.allowUnfree = true; }
#<stockholm/makefu/2configs/retroshare.nix>
## <stockholm/makefu/2configs/ipfs.nix>
#<stockholm/makefu/2configs/syncthing.nix>
# <stockholm/makefu/2configs/sync>
# <stockholm/makefu/2configs/opentracker.nix>
## network
# <stockholm/makefu/2configs/vpn/openvpn-server.nix>
# <stockholm/makefu/2configs/vpn/vpnws/server.nix>
<stockholm/makefu/2configs/binary-cache/server.nix>
{ makefu.backup.server.repo = "/var/backup/borg"; }
<stockholm/makefu/2configs/backup/server.nix>
<stockholm/makefu/2configs/backup/state.nix>
<stockholm/makefu/2configs/wireguard/server.nix>
<stockholm/makefu/2configs/wireguard/wiregrill.nix>
{ # recent changes mediawiki bot
networking.firewall.allowedUDPPorts = [ 5005 5006 ];
}
# Removed until move: no extra mails
# <stockholm/makefu/2configs/urlwatch>
# Removed until move: avoid letsencrypt ban
### Web
<stockholm/makefu/2configs/bitwarden.nix> # postgres backend
<stockholm/makefu/2configs/deployment/rss/rss.euer.krebsco.de.nix> # postgres backend
<stockholm/makefu/2configs/deployment/rss/ratt.nix>
<stockholm/makefu/2configs/deployment/ntfysh.nix>
<stockholm/makefu/2configs/deployment/owncloud.nix> #postgres backend
### Moving owncloud data dir to /media/cloud/nextcloud-data
{
users.users.nextcloud.extraGroups = [ "download" ];
# nextcloud-setup fails as it cannot set permissions for nextcloud
systemd.services.nextcloud-setup.serviceConfig.SuccessExitStatus = "0 1";
systemd.tmpfiles.rules = [
"L /var/lib/nextcloud/data - - - - /media/cloud/nextcloud-data"
"L /var/backup - - - - /media/cloud/gum-backup"
];
#fileSystems."/var/lib/nextcloud/data" = {
# device = "/media/cloud/nextcloud-data";
# options = [ "bind" ];
#};
#fileSystems."/var/backup" = {
# device = "/media/cloud/gum-backup";
# options = [ "bind" ];
#};
}
<stockholm/makefu/2configs/nginx/dl.euer.krebsco.de.nix>
#<stockholm/makefu/2configs/nginx/euer.test.nix>
<stockholm/makefu/2configs/nginx/euer.mon.nix>
<stockholm/makefu/2configs/nginx/euer.wiki.nix>
<stockholm/makefu/2configs/nginx/euer.blog.nix>
<stockholm/makefu/2configs/nginx/music.euer.nix>
## <stockholm/makefu/2configs/nginx/gum.krebsco.de.nix>
#<stockholm/makefu/2configs/nginx/public_html.nix>
#<stockholm/makefu/2configs/nginx/update.connector.one.nix>
<stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
# <stockholm/makefu/2configs/nginx/gold.krebsco.de.nix>
# <stockholm/makefu/2configs/nginx/iso.euer.nix>
# <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
# <stockholm/makefu/2configs/deployment/graphs.nix>
#<stockholm/makefu/2configs/deployment/owncloud.nix>
# <stockholm/makefu/2configs/deployment/board.euer.krebsco.de.nix>
#<stockholm/makefu/2configs/deployment/feed.euer.krebsco.de>
<stockholm/makefu/2configs/deployment/boot-euer.nix>
<stockholm/makefu/2configs/deployment/gecloudpad>
#<stockholm/makefu/2configs/deployment/docker/archiveteam-warrior.nix>
<stockholm/makefu/2configs/deployment/mediengewitter.de.nix>
<stockholm/makefu/2configs/bgt/etherpad.euer.krebsco.de.nix>
# <stockholm/makefu/2configs/deployment/systemdultras-rss.nix>
<stockholm/makefu/2configs/shiori.nix>
#<stockholm/makefu/2configs/workadventure>
<stockholm/makefu/2configs/bgt/download.binaergewitter.de.nix>
<stockholm/makefu/2configs/bgt/hidden_service.nix>
<stockholm/makefu/2configs/bgt/backup.nix>
# <stockholm/makefu/2configs/bgt/social-to-irc.nix>
# <stockholm/makefu/2configs/logging/client.nix>
# sharing
<stockholm/makefu/2configs/dcpp/airdcpp.nix>
{ krebs.airdcpp.dcpp.shares = {
download.path = config.makefu.dl-dir + "/finished";
sorted.path = config.makefu.dl-dir + "/sorted";
};
}
<stockholm/makefu/2configs/dcpp/hub.nix>
## Temporary:
# <stockholm/makefu/2configs/temp/rst-issue.nix>
# <stockholm/makefu/2configs/virtualisation/docker.nix>
#<stockholm/makefu/2configs/virtualisation/libvirt.nix>
# krebs infrastructure services
# <stockholm/makefu/2configs/stats/server.nix>
];
# makefu.dl-dir = "/var/download";
makefu.dl-dir = "/media/cloud/download/finished";
services.openssh.hostKeys = lib.mkForce [
{ bits = 4096; path = (toString <secrets/ssh_host_rsa_key>); type = "rsa"; }
{ path = (toString <secrets/ssh_host_ed25519_key>); type = "ed25519"; } ];
###### stable
security.acme.certs."cgit.euer.krebsco.de" = {
email = "letsencrypt@syntax-fehler.de";
webroot = "/var/lib/acme/acme-challenge";
group = "nginx";
};
services.nginx.virtualHosts."cgit" = {
serverAliases = [ "cgit.euer.krebsco.de" ];
addSSL = true;
sslCertificate = "/var/lib/acme/cgit.euer.krebsco.de/fullchain.pem";
sslCertificateKey = "/var/lib/acme/cgit.euer.krebsco.de/key.pem";
locations."/.well-known/acme-challenge".extraConfig = ''
root /var/lib/acme/acme-challenge;
'';
};
krebs.build.host = config.krebs.hosts.gum;
# Network
networking = {
firewall = {
allowedTCPPorts = [
80 443
28967 # storj
];
allowPing = true;
logRefusedConnections = false;
};
nameservers = [ "8.8.8.8" ];
};
users.users.makefu.extraGroups = [ "download" "nginx" ];
state = [ "/home/makefu/.weechat" ];
}


@ -1,116 +0,0 @@
{ config, ... }:
let
external-mac = "50:46:5d:9f:63:6b";
main-disk = "/dev/disk/by-id/ata-TOSHIBA_DT01ACA300_13H8863AS";
sec-disk = "/dev/disk/by-id/ata-TOSHIBA_DT01ACA300_23OJ2GJAS";
external-gw = "144.76.26.225";
# single partition, label "nixos"
# cd /var/src; curl https://github.com/nixos/nixpkgs/tarball/809cf38 -L | tar zx ; mv * nixpkgs && touch .populate
# static
external-ip = "144.76.26.247";
external-ip6 = "2a01:4f8:191:12f6::2";
external-gw6 = "fe80::1";
external-netmask = 27;
external-netmask6 = 64;
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
ext-if = "et0"; # gets renamed on the fly
in {
imports = [
<stockholm/makefu/2configs/smart-monitor.nix>
{ services.smartd.devices = builtins.map (x: { device = x; }) allDisks; }
];
makefu.server.primary-itf = ext-if;
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="${ext-if}"
'';
networking = {
interfaces."${ext-if}" = {
ipv4.addresses = [{
address = external-ip;
prefixLength = external-netmask;
}];
ipv6.addresses = [{
address = external-ip6;
prefixLength = external-netmask6;
}];
};
defaultGateway6 = { address = external-gw6; interface = ext-if; };
defaultGateway = external-gw;
};
boot.kernelParams = [ ];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.devices = [ main-disk ];
boot.initrd.kernelModules = [ "dm-raid" "dm_cache" "dm-thin-pool" ];
boot.initrd.availableKernelModules = [
"ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci"
"xhci_pci" "ehci_pci" "ahci" "sd_mod"
];
boot.kernelModules = [ "dm-raid" "dm_cache" "dm-thin-pool" "kvm-intel" ];
hardware.enableRedistributableFirmware = true;
fileSystems."/" = {
device = "/dev/nixos/root";
fsType = "ext4";
};
fileSystems."/var/lib" = {
device = "/dev/nixos/lib";
fsType = "ext4";
};
fileSystems."/var/log" = {
device = "/dev/nixos/log";
fsType = "ext4";
};
fileSystems."/var/download" = {
device = "/dev/nixos/download";
fsType = "ext4";
};
fileSystems."/var/www/binaergewitter" = {
device = "/dev/nixos/binaergewitter";
fsType = "ext4";
options = [ "nofail" ];
};
fileSystems."/var/lib/nextcloud/data" = {
device = "/dev/nixos/nextcloud";
fsType = "ext4";
options = [ "nofail" ];
};
fileSystems."/var/lib/borgbackup" = {
device = "/dev/nixos/backup";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/sda2";
fsType = "vfat";
};
# parted -s -a optimal "$disk" \
# mklabel gpt \
# mkpart no-fs 0 1024KiB \
# set 1 bios_grub on \
# mkpart ESP fat32 1025KiB 1024MiB set 2 boot on \
# mkpart primary 1025MiB 100%
# parted -s -a optimal "/dev/sdb" \
# mklabel gpt \
# mkpart primary 1M 100%
#mkfs.vfat /dev/sda2
#pvcreate /dev/sda3
#pvcreate /dev/sdb1
#vgcreate nixos /dev/sda3 /dev/sdb1
#lvcreate -L 120G -m 1 -n root nixos
#lvcreate -L 50G -m 1 -n lib nixos
#lvcreate -L 100G -n download nixos
#lvcreate -L 100G -n backup nixos
#mkfs.ext4 /dev/mapper/nixos-root
#mkfs.ext4 /dev/mapper/nixos-lib
#mkfs.ext4 /dev/mapper/nixos-download
#mkfs.ext4 /dev/mapper/nixos-borgbackup
#mount /dev/mapper/nixos-root /mnt
#mkdir /mnt/boot
#mount /dev/sda2 /mnt/boot
#mkdir -p /mnt/var/src
#touch /mnt/var/src/.populate
}


@ -1,50 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ ./network.nix
(modulesPath + "/profiles/qemu-guest.nix")
];
# Disk
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "rpool/root";
fsType = "zfs";
};
fileSystems."/home" =
{ device = "rpool/home";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "rpool/nix";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/sda1";
fsType = "vfat";
};
swapDevices = [ ];
boot.loader.grub.device = "/dev/sda";
networking.hostId = "3150697b"; # required for zfs use
boot.tmpOnTmpfs = true;
boot.supportedFilesystems = [ "zfs" ];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.copyKernels = true;
boot.zfs.devNodes = "/dev"; # fixes some virtualmachine issues
boot.kernelParams = [
"boot.shell_on_fail"
"panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
];
}


@ -1,13 +0,0 @@
ROOT_DEVICE=/dev/sda2
NIXOS_BOOT=/dev/sda1
zpool create -o ashift=12 -o altroot=/mnt rpool $ROOT_DEVICE
zfs create -o mountpoint=legacy rpool/root
zfs create -o mountpoint=legacy rpool/home
zfs create -o mountpoint=legacy rpool/nix
mount -t zfs rpool/root /mnt
mkdir /mnt/{home,nix,boot}
mount -t zfs rpool/home /mnt/home
mount -t zfs rpool/nix /mnt/nix
mount $NIXOS_BOOT /mnt/boot/


@ -1,36 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
let
external-mac = "96:00:01:24:33:f4";
external-gw = "172.31.1.1";
external-ip = "142.132.189.140";
external-ip6 = "2a01:4f8:1c17:5cdf::2";
external-gw6 = "fe80::1";
external-netmask = 32;
external-netmask6 = 64;
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
ext-if = "et0"; # gets renamed on the fly
in
{
makefu.server.primary-itf = ext-if;
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="${ext-if}"
'';
networking = {
enableIPv6 = true;
nat.enableIPv6 = true;
interfaces."${ext-if}" = {
useDHCP = true;
ipv6.addresses = [{
address = external-ip6;
prefixLength = external-netmask6;
}];
};
#ipv4.addresses = [{
# address = external-ip;
# prefixLength = external-netmask;
#}];
defaultGateway6 = { address = external-gw6; interface = ext-if; };
#defaultGateway = external-gw;
nameservers = [ "1.1.1.1" ];
};
}


@ -1,6 +0,0 @@
label: gpt
device: /dev/sda
unit: sectors
1 : size=524288 type=0FC63DAF-8483-4772-8E79-3D69D8477DE4
4 : size=4096 type=21686148-6449-6E6F-744E-656564454649
2 : type=0FC63DAF-8483-4772-8E79-3D69D8477DE4


@ -1,15 +0,0 @@
ssh gum.i -o StrictHostKeyChecking=no
mount /dev/mapper/nixos-root /mnt
mount /dev/sda2 /mnt/boot
chroot-prepare /mnt
chroot /mnt /bin/sh
journalctl -D /mnt/var/log/journal --since today # find the active system (or check grub)
# ... activating ...
export PATH=/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin
/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/activate
/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin/nixos-rebuild


@ -1,6 +0,0 @@
{
name="gum";
torrent = true;
clever_kexec = true;
home-manager = true;
}


@ -1,23 +0,0 @@
{
"type": "devices",
"content": {
"sda": {
"type": "table",
"format": "msdos",
"partitions": [
{ "type": "partition",
"part-type": "primary",
"start": "1M",
"end": "100%",
"bootable": true,
"content": {
"type": "filesystem",
"format": "ext4",
"mountpoint": "/"
}
}
]
}
}
}


@ -1,72 +0,0 @@
{ config, pkgs, lib, ... }:
with import <stockholm/lib>;
{
imports = [
#<stockholm/makefu>
<nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
<nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
# <stockholm/makefu/2configs/tools/core.nix>
./justdoit.nix
{
environment.systemPackages = [ (pkgs.writeScriptBin "network-setup" ''
#!/bin/sh
ip addr add 178.254.30.202/255.255.252.0 dev ens3
ip route add default via 178.254.28.1
echo nameserver 1.1.1.1 > /etc/resolv.conf
'')];
kexec.justdoit = {
bootSize = 512;
rootDevice = "/dev/vda";
bootType = "vfat";
luksEncrypt = false;
uefi = false;
};
}
];
# boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
# TODO: NIX_PATH and nix.nixPath are being set by default.nix right now
# cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso/config.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
#krebs.build.host = { cores = 0; };
isoImage.isoBaseName = lib.mkForce "stockholm";
#krebs.hidden-ssh.enable = true;
# environment.systemPackages = with pkgs; [
# aria2
# ddrescue
# ];
environment.extraInit = ''
EDITOR=vim
'';
# iso-specific
services.openssh = {
enable = true;
hostKeys = [
{ bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
# enable ssh in the iso boot process
systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
# hack `tee` behavior
nixpkgs.config.packageOverrides = super: {
irc-announce = super.callPackage <stockholm/krebs/5pkgs/simple/irc-announce> {
pkgs = pkgs // {
coreutils = pkgs.symlinkJoin {
name = "coreutils-hack";
paths = [
pkgs.coreutils
(pkgs.writeDashBin "tee" ''
if test "$1" = /dev/stderr; then
while read -r line; do
echo "$line"
echo "$line" >&2
done
else
${super.coreutils}/bin/tee "$@"
fi
'')
];
};
};
};
};
}


@ -1,120 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.kexec.justdoit;
x = if cfg.nvme then "p" else "";
in {
options = {
kexec.justdoit = {
rootDevice = mkOption {
type = types.str;
default = "/dev/sda";
description = "the root block device that justdoit will nuke from orbit and force nixos onto";
};
bootSize = mkOption {
type = types.int;
default = 256;
description = "size of /boot in mb";
};
bootType = mkOption {
type = types.enum [ "ext4" "vfat" "zfs" ];
default = "ext4";
};
swapSize = mkOption {
type = types.int;
default = 1024;
description = "size of swap in mb";
};
poolName = mkOption {
type = types.str;
default = "tank";
description = "zfs pool name";
};
luksEncrypt = mkOption {
type = types.bool;
default = false;
description = "encrypt all of zfs and swap";
};
uefi = mkOption {
type = types.bool;
default = false;
description = "create a uefi install";
};
nvme = mkOption {
type = types.bool;
default = false;
description = "rootDevice is nvme";
};
};
};
config = let
mkBootTable = {
ext4 = "mkfs.ext4 $NIXOS_BOOT -L NIXOS_BOOT";
vfat = "mkfs.vfat $NIXOS_BOOT -n NIXOS_BOOT";
zfs = "";
};
in lib.mkIf true {
system.build.justdoit = pkgs.writeScriptBin "justdoit" ''
#!${pkgs.stdenv.shell}
set -e
vgchange -a n
wipefs -a ${cfg.rootDevice}
dd if=/dev/zero of=${cfg.rootDevice} bs=512 count=10000
sfdisk ${cfg.rootDevice} <<EOF
label: gpt
device: ${cfg.rootDevice}
unit: sectors
${lib.optionalString (cfg.bootType != "zfs") "1 : size=${toString (2048 * cfg.bootSize)}, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4"}
${lib.optionalString (! cfg.uefi) "4 : size=4096, type=21686148-6449-6E6F-744E-656564454649"}
2 : type=0FC63DAF-8483-4772-8E79-3D69D8477DE4
EOF
${if cfg.luksEncrypt then ''
cryptsetup luksFormat ${cfg.rootDevice}${x}2
cryptsetup open --type luks ${cfg.rootDevice}${x}2 root
export ROOT_DEVICE=/dev/mapper/root
'' else ''
export ROOT_DEVICE=${cfg.rootDevice}${x}2
''}
${lib.optionalString (cfg.bootType != "zfs") "export NIXOS_BOOT=${cfg.rootDevice}${x}1"}
mkdir -p /mnt
${mkBootTable.${cfg.bootType}}
zpool create -o ashift=12 -o altroot=/mnt ${cfg.poolName} $ROOT_DEVICE
zfs create -o mountpoint=legacy ${cfg.poolName}/root
zfs create -o mountpoint=legacy ${cfg.poolName}/home
zfs create -o mountpoint=legacy ${cfg.poolName}/nix
mount -t zfs ${cfg.poolName}/root /mnt/
mkdir /mnt/{home,nix,boot}
mount -t zfs ${cfg.poolName}/home /mnt/home/
mount -t zfs ${cfg.poolName}/nix /mnt/nix/
${lib.optionalString (cfg.bootType != "zfs") "mount $NIXOS_BOOT /mnt/boot/"}
nixos-generate-config --root /mnt/
hostId=$(echo $(head -c4 /dev/urandom | od -A none -t x4))
cp ${./target-config.nix} /mnt/etc/nixos/configuration.nix
cat > /mnt/etc/nixos/generated.nix <<EOF
{ ... }:
{
${if cfg.uefi then ''
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "nodev";
'' else ''
boot.loader.grub.device = "${cfg.rootDevice}";
''}
networking.hostId = "$hostId"; # required for zfs use
${lib.optionalString cfg.luksEncrypt ''
boot.initrd.luks.devices = [
{ name = "root"; device = "${cfg.rootDevice}${x}2"; preLVM = true; }
];
''}
}
EOF
nixos-install
umount /mnt/home /mnt/nix ${lib.optionalString (cfg.bootType != "zfs") "/mnt/boot"} /mnt
zpool export ${cfg.poolName}
'';
environment.systemPackages = [ config.system.build.justdoit ];
boot.supportedFilesystems = [ "zfs" ];
users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb" ];
};
}


@ -1,3 +0,0 @@
{
name="iso";
}


@ -1,46 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [ ./hardware-configuration.nix ./generated.nix ];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.zfs.devNodes = "/dev"; # fixes some virtualmachine issues
#boot.zfs.forceImportRoot = false;
#boot.zfs.forceImportAll = false;
boot.kernelParams = [
"boot.shell_on_fail"
"panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
];
users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb" ];
boot.tmpOnTmpfs = true;
programs.bash.enableCompletion = true;
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
environment.systemPackages = [ (pkgs.writeScriptBin "network-setup" ''
#!/bin/sh
ip addr add 178.254.30.202/255.255.252.0 dev ens3
ip route add default via 178.254.28.1
echo nameserver 1.1.1.1 > /etc/resolv.conf
'')];
# minimal
boot.supportedFilesystems = [ "zfs" ];
programs.command-not-found.enable = false;
time.timeZone = "Europe/Berlin";
programs.ssh.startAgent = false;
nix.useSandbox = true;
users.mutableUsers = false;
networking.firewall.rejectPackets = true;
networking.firewall.allowPing = true;
services.openssh.enable = true;
i18n = {
consoleKeyMap = "us";
defaultLocale = "en_US.UTF-8";
};
boot.kernel.sysctl = {
"net.ipv6.conf.all.use_tempaddr" = lib.mkDefault "2";
"net.ipv6.conf.default.use_tempaddr" = lib.mkDefault "2";
};
}


@ -1,25 +0,0 @@
{ config, pkgs, lib, ... }:
with import <stockholm/lib>;
{
imports = [
<stockholm/makefu>
# <stockholm/makefu/2configs/tools/core.nix>
<nixpkgs/nixos/modules/installer/netboot/netboot-minimal.nix>
<clever_kexec/kexec/kexec.nix>
];
# cd ~/stockholm ; nix-build '<nixpkgs/nixos>' -A config.system.build.kexec_tarball -j 4 -I nixos-config=makefu/1systems/iso.nix -I secrets=/home/makefu/secrets/iso
krebs.build.host = config.krebs.hosts.iso;
krebs.hidden-ssh.enable = true;
environment.extraInit = ''
EDITOR=vim
'';
services.openssh = {
enable = true;
hostKeys = [
{ bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
}


@ -1,3 +0,0 @@
{
name="iso";
}


@ -1,50 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ ./network.nix
(modulesPath + "/profiles/qemu-guest.nix")
];
# Disk
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "tank/root";
fsType = "zfs";
};
fileSystems."/home" =
{ device = "tank/home";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "tank/nix";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/AEF3-A486";
fsType = "vfat";
};
swapDevices = [ ];
boot.loader.grub.device = "/dev/vda";
networking.hostId = "3150697c"; # required for zfs use
boot.tmpOnTmpfs = true;
boot.supportedFilesystems = [ "zfs" ];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.copyKernels = true;
boot.zfs.devNodes = "/dev"; # fixes some virtualmachine issues
boot.kernelParams = [
"boot.shell_on_fail"
"panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
];
}


@ -1,32 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
let
external-mac = "c4:37:72:55:4e:1c";
external-gw = "178.254.28.1";
external-ip = "178.254.30.202";
external-ip6 = "2a00:6800:3:18c::2";
external-gw6 = "2a00:6800:3::1";
external-netmask = 22;
external-netmask6 = 64;
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
ext-if = "et0"; # gets renamed on the fly
in
{
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="${ext-if}"
'';
networking = {
interfaces."${ext-if}" = {
ipv4.addresses = [{
address = external-ip;
prefixLength = external-netmask;
}];
ipv6.addresses = [{
address = external-ip6;
prefixLength = external-netmask6;
}];
};
defaultGateway6 = { address = external-gw6; interface = ext-if; };
defaultGateway = external-gw;
nameservers = [ "1.1.1.1" ];
};
}


@ -1,67 +0,0 @@
{ config, lib, pkgs, ... }:
let
# external-ip = config.krebs.build.host.nets.internet.ip4.addr;
# internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
# default-gw = "185.215.224.1";
# prefixLength = 24;
# external-mac = "46:5b:fc:f4:44:c9";
# ext-if = "et0";
in {
imports = [
./1blu
<stockholm/makefu>
# common
<stockholm/makefu/2configs/nur.nix>
<stockholm/makefu/2configs/home-manager>
<stockholm/makefu/2configs/home-manager/cli.nix>
# Security
<stockholm/makefu/2configs/sshd-totp.nix>
# Tools
<stockholm/makefu/2configs/tools/core.nix>
<stockholm/makefu/2configs/zsh-user.nix>
# NixOS Build
<stockholm/makefu/2configs/remote-build/slave.nix>
# Storage
<stockholm/makefu/2configs/share>
# <stockholm/makefu/2configs/share/hetzner-client.nix>
# torrent is managed by gum
# <stockholm/makefu/2configs/torrent/rtorrent.nix>
## Web
# local usage:
<stockholm/makefu/2configs/mosh.nix>
# Supervision
<stockholm/makefu/2configs/nix-community/supervision.nix>
# Krebs
<stockholm/makefu/2configs/tinc/retiolum.nix>
# backup
<stockholm/makefu/2configs/backup/state.nix>
# migrated:
# <stockholm/makefu/2configs/bitlbee.nix>
];
krebs = {
enable = true;
build.host = config.krebs.hosts.latte;
};
makefu.dl-dir = "/media/cloud/download";
networking.firewall.allowedTCPPorts = [ 80 443 ];
}


@ -1,5 +0,0 @@
{
name = "latte";
torrent = true;
home-manager = true;
}
