Merge remote-tracking branch 'lass/master'
29d72c898d
3
.gitmodules
vendored
3
.gitmodules
vendored
@ -4,9 +4,6 @@
|
||||
[submodule "submodules/krops"]
|
||||
path = submodules/krops
|
||||
url = https://cgit.krebsco.de/krops
|
||||
[submodule "lass/5pkgs/autowifi"]
|
||||
path = lass/5pkgs/autowifi
|
||||
url = https://github.com/Lassulus/autowifi
|
||||
[submodule "submodules/disko"]
|
||||
path = submodules/disko
|
||||
url = https://github.com/nix-community/disko
|
||||
|
6
flake.lock
generated
6
flake.lock
generated
@ -18,11 +18,11 @@
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1686135559,
|
||||
"narHash": "sha256-pY8waAV8K/sbHBdLn5diPFnQKpNg0YS9w03MrD2lUGE=",
|
||||
"lastModified": 1693844670,
|
||||
"narHash": "sha256-t69F2nBB8DNQUWHD809oJZJVE+23XBrth4QZuVd6IE0=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "381e92a35e2d196fdd6077680dca0cd0197e75cb",
|
||||
"rev": "3c15feef7770eb5500a4b8792623e2d6f598c9c1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -93,7 +93,10 @@ in {
|
||||
ahuatangata = {
|
||||
nets.wiregrill = {
|
||||
ip4.addr = "10.244.10.246";
|
||||
aliases = [ "ahuatangata" "ndrd.feliks.r" ];
|
||||
aliases = [
|
||||
"ahuatangata.w"
|
||||
"ndrd.feliks.w"
|
||||
];
|
||||
wireguard.pubkey = "QPDGBEYJ1znqUdjy6JWZJ+cqPMcU67dHlOX5beTM6TA=";
|
||||
};
|
||||
};
|
||||
|
@ -165,7 +165,8 @@ in {
|
||||
owner = config.krebs.users.krebs;
|
||||
extraZones = {
|
||||
"krebsco.de" = /* bindzone */ ''
|
||||
krebsco.de. 60 IN A ${config.krebs.hosts.ponte.nets.internet.ip4.addr}
|
||||
@ IN A ${config.krebs.hosts.ponte.nets.internet.ip4.addr}
|
||||
ns1 IN A ${config.krebs.hosts.ponte.nets.internet.ip4.addr}
|
||||
'';
|
||||
};
|
||||
nets = rec {
|
||||
@ -178,6 +179,12 @@ in {
|
||||
"ponte.i"
|
||||
];
|
||||
};
|
||||
intranet = {
|
||||
ip4 = rec {
|
||||
addr = "10.0.0.234";
|
||||
prefix = "${addr}/24";
|
||||
};
|
||||
};
|
||||
retiolum = {
|
||||
via = internet;
|
||||
ip4.addr = "10.243.4.43";
|
||||
|
@ -17,9 +17,8 @@ in {
|
||||
hosts = lib.mapAttrs (_: lib.recursiveUpdate {
|
||||
owner = config.krebs.users.lass;
|
||||
consul = true;
|
||||
ci = true;
|
||||
ci = false;
|
||||
monitoring = true;
|
||||
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||
}) (
|
||||
lib.genAttrs hostFiles (host: import (./. + "/${host}.nix") {
|
||||
inherit config lib r6 w6;
|
||||
|
@ -5,6 +5,7 @@
|
||||
<stockholm/krebs>
|
||||
<stockholm/krebs/2configs>
|
||||
<stockholm/krebs/2configs/matterbridge.nix>
|
||||
<stockholm/krebs/2configs/nameserver.nix>
|
||||
];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
@ -30,8 +31,23 @@
|
||||
|
||||
krebs.pages.enable = true;
|
||||
krebs.pages.nginx.addSSL = true;
|
||||
krebs.pages.nginx.enableACME = true;
|
||||
krebs.pages.nginx.useACMEHost = "krebsco.de";
|
||||
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.certs.${config.krebs.pages.domain}.email = "spam@krebsco.de";
|
||||
security.acme.certs."krebsco.de" = {
|
||||
domain = "krebsco.de";
|
||||
extraDomainNames = [
|
||||
"*.krebsco.de"
|
||||
];
|
||||
email = "spam@krebsco.de";
|
||||
reloadServices = [
|
||||
"knsupdate-krebsco.de.service"
|
||||
"nginx.service"
|
||||
];
|
||||
keyType = "ec384";
|
||||
dnsProvider = "rfc2136";
|
||||
credentialsFile = "/var/src/secrets/acme-credentials";
|
||||
};
|
||||
|
||||
users.users.nginx.extraGroups = [ "acme" ];
|
||||
}
|
||||
|
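Review bot: `credentialsFile = "/var/src/secrets/acme-credentials"` hard-codes the secrets directory while the rest of this merge moves every other secret reference to `${config.krebs.secret.directory}`; the same literal prefix appears in the new nameserver.nix (`keys.conf:/var/src/secrets/knot-keys.conf` and `keyfile=/var/src/secrets/dane.tsig`). Writing `credentialsFile = "${config.krebs.secret.directory}/acme-credentials";` keeps the rfc2136 TSIG credential under the one configurable location. The certificate also gains `*.krebsco.de` as a wildcard SAN, so this host's ACME key is valid for every subdomain, and `users.users.nginx.extraGroups = [ "acme" ]` gives nginx read access to it; a one-line comment stating that the wildcard is intended and which vhosts need it would make that scope an explicit decision. The enclosing attribute set begins before the hunk.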
@ -24,7 +24,7 @@ in {
|
||||
path = "/var/lib/step-ca/intermediate_ca.key";
|
||||
owner.name = "root";
|
||||
mode = "1444";
|
||||
source-path = builtins.toString <secrets> + "/acme_ca.key";
|
||||
source-path = "${config.krebs.secret.directory}/acme_ca.key";
|
||||
};
|
||||
services.step-ca = {
|
||||
enable = true;
|
||||
|
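Review bot: `mode = "1444"` on the intermediate CA key at `/var/lib/step-ca/intermediate_ca.key` reads, if krebs.secret.files applies it as an octal chmod mode, as world-readable (0444 plus the sticky bit), which is unusual for a CA private key; the line is unchanged context, but it belongs to the file whose `source-path` this hunk rewrites, so it is worth confirming. If step-ca runs under its own user, `owner.name` could name that user with `mode = "0400"`; otherwise the reason for 1444 deserves a one-line comment above it. The `krebs.secret.files` attribute starts before the hunk.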
@ -108,7 +108,7 @@ in {
|
||||
krebs.secret.files.calendar = {
|
||||
path = "/var/lib/radicale/.ssh/id_ed25519";
|
||||
owner = { name = "radicale"; };
|
||||
source-path = "${<secrets/radicale.id_ed25519>}";
|
||||
source-path = "${config.krebs.secret.directory}/radicale.id_ed25519";
|
||||
};
|
||||
|
||||
security.sudo.extraConfig = ''
|
||||
|
@ -1,6 +1,7 @@
|
||||
{ config, ... }:
|
||||
{
|
||||
krebs.sync-containers3.containers.hotdog = {
|
||||
sshKey = "${toString <secrets>}/hotdog.sync.key";
|
||||
sshKey = "${config.krebs.secret.directory}/hotdog.sync.key";
|
||||
};
|
||||
containers.hotdog.bindMounts."/var/lib" = {
|
||||
hostPath = "/var/lib/sync-containers3/hotdog/state";
|
||||
|
@ -33,8 +33,10 @@
|
||||
];
|
||||
|
||||
environment.systemPackages = [
|
||||
(pkgs.writers.writeDashBin "tootctl" ''
|
||||
sudo -u mastodon /etc/profiles/per-user/mastodon/bin/mastodon-env /etc/profiles/per-user/mastodon/bin/tootctl "$@"
|
||||
(pkgs.writers.writeDashBin "clear-mastodon-cache" ''
|
||||
mastodon-tootctl media remove --prune-profiles --days=14 --concurrency=30
|
||||
mastodon-tootctl media remove-orphans
|
||||
mastodon-tootctl preview_cards remove --days=14
|
||||
'')
|
||||
(pkgs.writers.writeDashBin "create-mastodon-user" ''
|
||||
set -efu
|
||||
|
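Review bot: The new `clear-mastodon-cache` wrapper has no `set -efu` line, unlike `create-mastodon-user` just below it, so a failing `mastodon-tootctl media remove` does not stop the following `remove-orphans` and `preview_cards remove` steps. Adding `set -efu` as the first line of the script body brings it in line with the sibling wrapper. It also resolves `mastodon-tootctl` through PATH rather than a store path; presumably that is the wrapper shipped with the mastodon package, and a short comment saying so would save the next reader the lookup. The `environment.systemPackages` list continues outside the hunk.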
179
krebs/2configs/nameserver.nix
Normal file
179
krebs/2configs/nameserver.nix
Normal file
@ -0,0 +1,179 @@
|
||||
{ config, lib, pkgs, ... }: let
|
||||
acmeChallenge =
|
||||
{ domain
|
||||
, nameserver
|
||||
, adminEmail
|
||||
, serial ? 0
|
||||
, refresh ? 3600
|
||||
, retry ? 900
|
||||
, expire ? 604800
|
||||
, minimum ? 180
|
||||
}:
|
||||
pkgs.writeText "${domain}.zone" /* bindzone */ ''
|
||||
$TTL 60
|
||||
@ IN SOA ${lib.concatStringsSep " " [
|
||||
"${nameserver}."
|
||||
"${lib.replaceStrings ["@"] ["."] adminEmail}."
|
||||
(toString serial)
|
||||
(toString refresh)
|
||||
(toString retry)
|
||||
(toString expire)
|
||||
(toString minimum)
|
||||
]}
|
||||
@ IN NS ${nameserver}.
|
||||
'';
|
||||
in {
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
53 # domain for AXFR
|
||||
];
|
||||
networking.firewall.allowedUDPPorts = [
|
||||
53 # domain
|
||||
];
|
||||
|
||||
krebs.systemd.services.knot.restartIfCredentialsChange = true;
|
||||
systemd.services.knot.serviceConfig.LoadCredential = [
|
||||
"keys.conf:/var/src/secrets/knot-keys.conf"
|
||||
];
|
||||
|
||||
services.knot = {
|
||||
enable = true;
|
||||
keyFiles = [
|
||||
"/run/credentials/knot.service/keys.conf"
|
||||
];
|
||||
extraConfig = /* yaml */ ''
|
||||
server:
|
||||
udp-max-payload: 4096
|
||||
listen: [ 127.0.0.53@2, ${
|
||||
lib.concatMapStringsSep ", "
|
||||
(addr: "${addr}@53")
|
||||
(
|
||||
config.krebs.build.host.nets.internet.addrs or []
|
||||
++
|
||||
# This is required for hosts at OCI because the default route
|
||||
# provided by DHCP is using the private address.
|
||||
config.krebs.build.host.nets.intranet.addrs or []
|
||||
)
|
||||
} ]
|
||||
|
||||
log:
|
||||
- target: syslog
|
||||
any: debug
|
||||
|
||||
remote:
|
||||
- id: henet_ns1
|
||||
address: 216.218.130.2
|
||||
|
||||
- id: hostingde_ns1
|
||||
address: 134.0.30.178
|
||||
|
||||
- id: krebscode_ni
|
||||
address: ${config.krebs.hosts.ni.nets.internet.ip4.addr}
|
||||
key: krebs_transfer_notify_key
|
||||
|
||||
acl:
|
||||
- id: acme_acl
|
||||
key: acme
|
||||
action: update
|
||||
|
||||
- id: dane_acl
|
||||
key: dane
|
||||
action: update
|
||||
|
||||
- id: transfer_to_henet_secondary
|
||||
key: henet_transfer_key
|
||||
address: [ 216.218.133.2, 2001:470:600::2 ]
|
||||
action: transfer
|
||||
|
||||
# https://www.hosting.de/helpdesk/produkte/dns/dns-master-ips/
|
||||
- id: transfer_to_hostingde_secondary
|
||||
address: [ 134.0.30.178, 194.126.196.2, 2a03:2900:3:1::2, 2a03:2902:3:1::2 ]
|
||||
action: transfer
|
||||
|
||||
- id: transfer_to_krebscode_secondary
|
||||
key: krebs_transfer_notify_key
|
||||
action: transfer
|
||||
|
||||
mod-rrl:
|
||||
- id: default
|
||||
rate-limit: 200 # Allow 200 resp/s for each flow
|
||||
slip: 2 # Every other response slips
|
||||
|
||||
policy:
|
||||
- id: rsa2k
|
||||
algorithm: rsasha256
|
||||
ksk-size: 4096
|
||||
zsk-size: 2048
|
||||
|
||||
template:
|
||||
- id: default
|
||||
global-module: mod-rrl/default
|
||||
semantic-checks: on
|
||||
zonefile-sync: -1
|
||||
zonefile-load: difference-no-serial
|
||||
journal-content: all
|
||||
|
||||
zone:
|
||||
- domain: krebsco.de
|
||||
file: ${pkgs.krebs.zones."krebsco.de"}
|
||||
dnssec-signing: on
|
||||
dnssec-policy: rsa2k
|
||||
notify: henet_ns1
|
||||
notify: hostingde_ns1
|
||||
notify: krebscode_ni
|
||||
acl: transfer_to_henet_secondary
|
||||
acl: transfer_to_hostingde_secondary
|
||||
acl: transfer_to_krebscode_secondary
|
||||
acl: dane_acl
|
||||
|
||||
- domain: _acme-challenge.krebsco.de
|
||||
file: ${acmeChallenge {
|
||||
domain = "_acme-challenge.krebsco.de";
|
||||
nameserver = "ns1.krebsco.de";
|
||||
adminEmail = "spam@krebsco.de";
|
||||
}}
|
||||
acl: acme_acl
|
||||
|
||||
- domain: r
|
||||
file: ${pkgs.krebs.zones.r}
|
||||
|
||||
- domain: w
|
||||
file: ${pkgs.krebs.zones.w}
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services."knsupdate-krebsco.de" = {
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
SyslogIdentifier = "knsupdate-krebsco.de";
|
||||
ExecStart = pkgs.writeDash "knsupdate-krebsco.de" /* sh */ ''
|
||||
set -efu
|
||||
|
||||
mk_certificate_association_data() {
|
||||
${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 < "$1" |
|
||||
${pkgs.coreutils}/bin/cut -d= -f2 |
|
||||
${pkgs.coreutils}/bin/tr -d :
|
||||
}
|
||||
|
||||
certfile=/var/lib/acme/krebsco.de/cert.pem
|
||||
certificate_association_data=$(mk_certificate_association_data "$certfile")
|
||||
keyfile=/var/src/secrets/dane.tsig
|
||||
|
||||
script=$(${pkgs.coreutils}/bin/mktemp -t knsupdate.XXXXXXXX)
|
||||
trap 'rm "$script"' EXIT
|
||||
(
|
||||
exec >"$script"
|
||||
echo server krebsco.de.
|
||||
echo zone krebsco.de.
|
||||
echo origin krebsco.de.
|
||||
echo add _25._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data
|
||||
echo add _443._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data
|
||||
echo show
|
||||
echo send
|
||||
echo answer
|
||||
echo quit
|
||||
)
|
||||
${pkgs.knot-dns}/bin/knsupdate -k "$keyfile" "$script"
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
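Review bot: `acl: dane_acl` on the krebsco.de zone grants the `dane` key unrestricted `action: update`, so the TSIG key that `knsupdate-krebsco.de` reads from `/var/src/secrets/dane.tsig` can rewrite any record in the zone, not only the two TLSA records the script adds; Knot's ACL can narrow this with `update-type: [TLSA]`, `update-owner: name` and `update-owner-name: [_25._tcp.ni, _443._tcp.ni]` (confirm the exact option names for the Knot version in use). Along the same line, the knot service receives its keys via `LoadCredential` while the knsupdate script reads `keyfile=/var/src/secrets/dane.tsig` directly; loading it the same way and reading `keyfile=$CREDENTIALS_DIRECTORY/dane.tsig` would keep both TSIG secrets under one mechanism and out of the hard-coded path the rest of this merge is moving away from. `log: any: debug` on a public authoritative server writes every query detail to syslog; a comment saying whether that is meant to stay would help.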
@ -1,5 +1,6 @@
|
||||
{ config, ... }:
|
||||
{
|
||||
krebs.sync-containers3.containers.news = {
|
||||
sshKey = "${toString <secrets>}/news.sync.key";
|
||||
sshKey = "${config.krebs.secret.directory}/news.sync.key";
|
||||
};
|
||||
}
|
||||
|
@ -98,7 +98,7 @@ in {
|
||||
krebs.secret.files.konsens = {
|
||||
path = "/var/lib/konsens/.ssh/id_ed25519";
|
||||
owner = konsens-user;
|
||||
source-path = "${<secrets/konsens.id_ed25519>}";
|
||||
source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>";
|
||||
};
|
||||
|
||||
imports = [
|
||||
|
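Review bot: The new `source-path` ends in a stray `>`: `"${config.krebs.secret.directory}/konsens.id_ed25519>"` is a leftover from the `<secrets/…>` syntax being replaced, so the file will be looked up as `konsens.id_ed25519>`, which does not exist. It should read `source-path = "${config.krebs.secret.directory}/konsens.id_ed25519";`, matching the radicale and gollum hunks in this merge. The `krebs.secret.files.konsens` set closes within the hunk.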
@ -10,8 +10,8 @@ in {
|
||||
services.syncthing = {
|
||||
enable = true;
|
||||
configDir = "/var/lib/syncthing";
|
||||
key = toString <secrets/syncthing.key>;
|
||||
cert = toString <secrets/syncthing.cert>;
|
||||
key = "${config.krebs.secret.directory}/syncthing.key";
|
||||
cert = "${config.krebs.secret.directory}/syncthing.cert";
|
||||
# workaround for infinite recursion on unstable, remove in 23.11
|
||||
} // (if builtins.hasAttr "settings" options.services.syncthing then
|
||||
{ settings.devices = mk_peers used_peers; }
|
||||
|
@ -13,12 +13,12 @@
|
||||
config.krebs.users.makefu.pubkey
|
||||
config.krebs.users.tv.pubkey
|
||||
];
|
||||
hostKeys = [ <secrets/initrd/openssh_host_ecdsa_key> ];
|
||||
hostKeys = [ "${config.krebs.secret.directory}/initrd/openssh_host_ecdsa_key" ];
|
||||
};
|
||||
boot.initrd.availableKernelModules = [ "e1000e" ];
|
||||
|
||||
boot.initrd.secrets = {
|
||||
"/etc/tor/onion/bootup" = <secrets/initrd>;
|
||||
"/etc/tor/onion/bootup" = "${config.krebs.secret.directory}/initrd";
|
||||
};
|
||||
|
||||
boot.initrd.extraUtilsCommands = ''
|
||||
|
@ -96,7 +96,7 @@ in
|
||||
krebs.secret.files.gollum = {
|
||||
path = "${config.services.gollum.stateDir}/.ssh/id_ed25519";
|
||||
owner = { name = "gollum"; };
|
||||
source-path = "${<secrets/gollum.id_ed25519>}";
|
||||
source-path = "${config.krebs.secret.directory}/gollum.id_ed25519";
|
||||
};
|
||||
|
||||
security.sudo.extraConfig = ''
|
||||
|
@ -20,14 +20,14 @@ let
|
||||
};
|
||||
|
||||
dkim = mkOption {
|
||||
type = types.listOf (types.submodule ({ config, ... }: {
|
||||
type = types.listOf (types.submodule (dkim: {
|
||||
options = {
|
||||
domain = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
private_key = mkOption {
|
||||
type = types.absolute-pathname;
|
||||
default = toString <secrets> + "/${config.domain}.dkim.priv";
|
||||
default = "${config.krebs.secret.directory}/${dkim.config.domain}.dkim.priv";
|
||||
defaultText = "‹secrets/‹domain›.dkim.priv›";
|
||||
};
|
||||
selector = mkOption {
|
||||
|
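Review bot: `defaultText = "‹secrets/‹domain›.dkim.priv›"` still describes the old `<secrets>` default although the default two lines above now reads `"${config.krebs.secret.directory}/${dkim.config.domain}.dkim.priv"`, so generated option docs will show a path that no longer matches. Updating it to `defaultText = "‹config.krebs.secret.directory›/‹domain›.dkim.priv";` keeps docs and default in step. The same stale `defaultText` remains in the github-hosts-sync (`ssh-identity-file`), repo-sync (`privateKeyFile`) and tinc (`privkey` and the ed25519 private key) hunks below, as does the `# in use: # <secrets/tinc.krebsco.de.crt>` comment in the tinc.krebsco.de hunk. The `dkim` option definition continues outside the hunk.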
@ -40,7 +40,7 @@ let
|
||||
};
|
||||
};
|
||||
|
||||
fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
|
||||
fetchWallpaperScript = pkgs.writers.writeDash "fetchWallpaper" ''
|
||||
set -euf
|
||||
|
||||
mkdir -p ${cfg.stateDir}
|
||||
|
@ -22,7 +22,7 @@ let
|
||||
};
|
||||
ssh-identity-file = mkOption {
|
||||
type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
|
||||
default = toString <secrets/github-hosts-sync.ssh.id_ed25519>;
|
||||
default = "${config.krebs.secret.directory}/github-hosts-sync.ssh.id_ed25519";
|
||||
defaultText = "‹secrets/github-hosts-sync.ssh.id_ed25519›";
|
||||
};
|
||||
url = mkOption {
|
||||
|
@ -177,7 +177,7 @@ let
|
||||
${buildTables iptables-version cfg.tables}
|
||||
'';
|
||||
|
||||
startScript = pkgs.writeDash "krebs-iptables_start" ''
|
||||
startScript = pkgs.writers.writeDash "krebs-iptables_start" ''
|
||||
set -euf
|
||||
iptables-restore < ${rules "v4"}
|
||||
ip6tables-restore < ${rules "v6"}
|
||||
|
@ -60,7 +60,7 @@ let
|
||||
};
|
||||
};
|
||||
|
||||
startScript = pkgs.writeDash "power-action" ''
|
||||
startScript = pkgs.writers.writeDash "power-action" ''
|
||||
set -euf
|
||||
|
||||
power="$(${powerlvl})"
|
||||
@ -77,11 +77,11 @@ let
|
||||
writeRule = _: plan:
|
||||
"if [ $power -ge ${toString plan.lowerLimit} ] && [ $power -le ${toString plan.upperLimit} ] ${charging_check plan}; then ${plan.action}; fi";
|
||||
|
||||
powerlvl = pkgs.writeDash "powerlvl" ''
|
||||
powerlvl = pkgs.writers.writeDash "powerlvl" ''
|
||||
cat /sys/class/power_supply/${cfg.battery}/capacity
|
||||
'';
|
||||
|
||||
state = pkgs.writeDash "state" ''
|
||||
state = pkgs.writers.writeDash "state" ''
|
||||
if [ "$(cat /sys/class/power_supply/${cfg.battery}/status)" = "Discharging" ]
|
||||
then echo "false"
|
||||
else echo "true"
|
||||
|
@ -123,7 +123,7 @@ let
|
||||
|
||||
privateKeyFile = mkOption {
|
||||
type = types.absolute-pathname;
|
||||
default = toString <secrets> + "/repo-sync.ssh.key";
|
||||
default = "${config.krebs.secret.directory}/repo-sync.ssh.key";
|
||||
defaultText = "‹secrets/repo-sync.ssh.key›";
|
||||
};
|
||||
|
||||
|
@ -14,12 +14,12 @@ in
|
||||
sslCertificate = mkOption {
|
||||
type = types.str;
|
||||
description = "Certificate file to use for ssl";
|
||||
default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
|
||||
default = "${config.krebs.secret.directory}/tinc.krebsco.de.crt" ;
|
||||
};
|
||||
sslCertificateKey = mkOption {
|
||||
type = types.str;
|
||||
description = "Certificate key to use for ssl";
|
||||
default = "${toString <secrets>}/tinc.krebsco.de.key";
|
||||
default = "${config.krebs.secret.directory}/tinc.krebsco.de.key";
|
||||
};
|
||||
# in use:
|
||||
# <secrets/tinc.krebsco.de.crt>
|
||||
|
@ -4,32 +4,9 @@ let
|
||||
cfg = config.krebs;
|
||||
|
||||
out = {
|
||||
options.krebs = api;
|
||||
config = lib.mkIf cfg.enable imp;
|
||||
};
|
||||
|
||||
api = {
|
||||
zone-head-config = mkOption {
|
||||
type = with types; attrsOf str;
|
||||
description = ''
|
||||
The zone configuration head which is being used to create the
|
||||
zone files. The string for each key is pre-pended to the zone file.
|
||||
'';
|
||||
# TODO: configure the default somewhere else,
|
||||
# maybe use krebs.dns.providers
|
||||
default = {
|
||||
|
||||
# github.io -> 192.30.252.154
|
||||
"krebsco.de" = ''
|
||||
$TTL 86400
|
||||
@ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
|
||||
IN NS ns19.ovh.net.
|
||||
IN NS dns19.ovh.net.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
imp = lib.mkMerge [
|
||||
{
|
||||
services.openssh.hostKeys =
|
||||
|
@ -149,7 +149,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
|
||||
|
||||
privkey = mkOption {
|
||||
type = types.absolute-pathname;
|
||||
default = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
|
||||
default = "${config.krebs.secret.directory}/${tinc.config.netname}.rsa_key.priv";
|
||||
defaultText = "‹secrets/‹netname›.rsa_key.priv›";
|
||||
};
|
||||
|
||||
@ -158,7 +158,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
|
||||
default =
|
||||
if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null
|
||||
then null
|
||||
else toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
|
||||
else "${config.krebs.secret.directory}/${tinc.config.netname}.ed25519_key.priv";
|
||||
defaultText = "‹secrets/‹netname›.ed25519_key.priv›";
|
||||
};
|
||||
|
||||
|
@ -1,6 +1,25 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
with lib; {
|
||||
|
||||
options.krebs.zone-head-config = mkOption {
|
||||
type = lib.types.attrsOf lib.types.str;
|
||||
description = ''
|
||||
The zone configuration head which is being used to create the
|
||||
zone files. The string for each key is pre-pended to the zone file.
|
||||
'';
|
||||
default = {
|
||||
"krebsco.de" = /* bindzone */ ''
|
||||
$TTL 60
|
||||
@ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600
|
||||
@ 3600 IN NS ns1
|
||||
@ 3600 IN NS ni
|
||||
@ 3600 IN NS ns2.he.net.
|
||||
@ 3600 IN NS ns3.he.net.
|
||||
@ 3600 IN NS ns2.hosting.de.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
environment.etc =
|
||||
mapAttrs'
|
||||
|
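Review bot: The SOA record `@ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600` uses `spam.krebsco.de.` as MNAME as well as RNAME; MNAME is the zone's primary nameserver, here `ns1.krebsco.de.` judging by the NS records that follow, and clients following RFC 2136 direct dynamic updates at that host. The serial `0` is only safe because the Knot template in this merge uses `zonefile-load: difference-no-serial` with `journal-content: all`, which deserves a one-line comment above the record so it is not "fixed" by hand later. The `options.krebs.zone-head-config` definition closes within the hunk; the `config` set continues past it.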
@ -4,7 +4,7 @@
|
||||
, utf8-string, X11
|
||||
}:
|
||||
mkDerivation {
|
||||
pname = "pager";
|
||||
pname = "desktop-pager";
|
||||
version = "1.0.0";
|
||||
src = fetchgit {
|
||||
url = "https://cgit.krebsco.de/pager";
|
@ -6,11 +6,11 @@
|
||||
}:
|
||||
mkDerivation {
|
||||
pname = "nix-serve-ng";
|
||||
version = "1.0.0";
|
||||
version = "1.0.1";
|
||||
src = fetchgit {
|
||||
url = "https://github.com/aristanetworks/nix-serve-ng";
|
||||
sha256 = "0mqp67z5mi8rsjahdh395n7ppf0b65k8rd3pvnl281g02rbr69y2";
|
||||
rev = "433f70f4daae156b84853f5aaa11987aa5ce7277";
|
||||
sha256 = "sha256-PkzwtjUgYuqfWtCH1nRqVRaajihN1SqMVjWmoSG/CCY=";
|
||||
rev = "9b546864f4090736f3f9069a01ea5d42cf7bab7c";
|
||||
fetchSubmodules = true;
|
||||
};
|
||||
isLibrary = false;
|
||||
|
@ -43,7 +43,7 @@ pkgs.writers.writeDashBin "fzfmenu" ''
|
||||
set -efu
|
||||
|
||||
# Spawn terminal if called without one, like e.g. from a window manager.
|
||||
if [ -z ''${TERM+x} ]; then
|
||||
if [ -z ''${TERM+x} ] || [ $TERM = dumb ]; then
|
||||
exec 3<&0
|
||||
exec 4>&1
|
||||
export FZFMENU_INPUT_FD=3
|
||||
|
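Review bot: `[ $TERM = dumb ]` leaves `$TERM` unquoted; the preceding `[ -z ''${TERM+x} ]` only covers the unset case, so an empty `TERM=` reaches `[ = dumb ]`, which is a test(1) syntax error under `set -efu`. Quoting it, `if [ -z ''${TERM+x} ] || [ "$TERM" = dumb ]; then`, handles both cases. The `if` block continues outside the hunk.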
@ -1,13 +0,0 @@
|
||||
{ pkgs, ... }:
|
||||
|
||||
pkgs.writeDashBin "krebszones" ''
|
||||
set -efu
|
||||
export OVH_ZONE_CONFIG=''${OVH_ZONE_CONFIG:-$HOME/.secrets/krebs/ovh-zone.conf}
|
||||
case $* in
|
||||
import)
|
||||
set -- import /etc/zones/krebsco.de krebsco.de
|
||||
echo "+ krebszones $*" >&2
|
||||
;;
|
||||
esac
|
||||
exec ${pkgs.ovh-zone}/bin/ovh-zone "$@"
|
||||
''
|
@ -9,7 +9,6 @@ python3Packages.buildPythonPackage rec {
|
||||
name = "ovh-zone-${version}";
|
||||
version = "0.4.4";
|
||||
propagatedBuildInputs = with pkgs.python3Packages;[
|
||||
d2to1 # for setup to work
|
||||
ovh
|
||||
docopt
|
||||
];
|
||||
|
@ -33,7 +33,7 @@ pkgs.symlinkJoin {
|
||||
-ti vt340 \
|
||||
-xrm '*geometry: 32x10' \
|
||||
-xrm '*internalBorder: 2' \
|
||||
-e ${pkgs.haskellPackages.pager}/bin/pager "$@"
|
||||
-e ${pkgs.haskellPackages.desktop-pager}/bin/pager "$@"
|
||||
'')
|
||||
pkgs.haskellPackages.pager
|
||||
];
|
||||
|
@ -18,19 +18,24 @@ def points_to_lines(points):
|
||||
return lines
|
||||
|
||||
|
||||
with open(sys.argv[1]) as f:
|
||||
constellations = json.load(f)['features']
|
||||
def main():
|
||||
with open(sys.argv[1]) as f:
|
||||
constellations = json.load(f)['features']
|
||||
|
||||
output = []
|
||||
output = []
|
||||
|
||||
for const in constellations:
|
||||
for line in const['geometry']['coordinates']:
|
||||
transformed_line = []
|
||||
for point in line:
|
||||
transformed_line.append(convert_to_itrs(point))
|
||||
for const in constellations:
|
||||
for line in const['geometry']['coordinates']:
|
||||
transformed_line = []
|
||||
for point in line:
|
||||
transformed_line.append(convert_to_itrs(point))
|
||||
|
||||
line_combined = points_to_lines(transformed_line)
|
||||
for l in line_combined: # noqa
|
||||
output.append(f'{l[0][0]} {l[0][1]} {l[1][0]} {l[1][1]} # {const["id"]}') # noqa
|
||||
line_combined = points_to_lines(transformed_line)
|
||||
for l in line_combined: # noqa
|
||||
output.append(f'{l[0][0]} {l[0][1]} {l[1][0]} {l[1][1]} # {const["id"]}') # noqa
|
||||
|
||||
print('\n'.join(output))
|
||||
print('\n'.join(output))
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
|
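Review bot: `main()` still reads `sys.argv[1]` with no check, so running the script without an argument fails with an `IndexError` traceback instead of a usage message; a guard such as `if len(sys.argv) != 2: sys.exit(f'usage: {sys.argv[0]} FILE')` at the top of `main()` would make the new entry point self-describing. A one-line docstring on `main()` naming the input (a JSON file whose `features` entries carry `geometry.coordinates` lines) and the output (one `x1 y1 x2 y2 # id` line per segment on stdout) would also help. `points_to_lines` begins before the hunk.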
30
krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix
Normal file
30
krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix
Normal file
@ -0,0 +1,30 @@
|
||||
{ pkgs }:
|
||||
pkgs.writers.writeDashBin "renew-intermediate-ca" ''
|
||||
TMPDIR=$(mktemp -d)
|
||||
trap "rm -rf $TMPDIR;" INT TERM EXIT
|
||||
mkdir -p "$TMPDIR/krebs"
|
||||
brain show ca/ca.key > "$TMPDIR/krebs/ca.key"
|
||||
brain show ca/ca.crt > "$TMPDIR/krebs/ca.crt"
|
||||
brain show krebs-secrets/hotdog/acme_ca.key > "$TMPDIR/acme.key"
|
||||
cp ${toString ../../../6assets/krebsAcmeCA.crt} "$TMPDIR/acme.crt"
|
||||
export STEPPATH="$TMPDIR/step"
|
||||
cat << EOF > "$TMPDIR/intermediate.tpl"
|
||||
{
|
||||
"subject": {{ toJson .Subject }},
|
||||
"keyUsage": ["certSign", "crlSign"],
|
||||
"basicConstraints": {
|
||||
"isCA": true,
|
||||
"maxPathLen": 0
|
||||
},
|
||||
"nameConstraints": {
|
||||
"critical": true,
|
||||
"permittedDNSDomains": ["r" ,"w"]
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
${pkgs.step-cli}/bin/step ca renew "$TMPDIR/ca.crt" "$TMPDIR/ca.key" \
|
||||
--offline \
|
||||
--root "$TMPDIR/krebs/ca.crt" \
|
||||
--ca-config "$TMPDIR/intermediate.tpl"
|
||||
''
|
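Review bot: `step ca renew "$TMPDIR/ca.crt" "$TMPDIR/ca.key"` names files the script never creates: the root CA material is written to `$TMPDIR/krebs/ca.crt` and `$TMPDIR/krebs/ca.key`, and the intermediate to be renewed to `$TMPDIR/acme.crt` and `$TMPDIR/acme.key`, so the command should presumably read `step ca renew "$TMPDIR/acme.crt" "$TMPDIR/acme.key" \`. The script also has no `set -efu`, unlike the other writeDashBin scripts in this merge, so a failed `mktemp -d` or `brain show` leaves `$TMPDIR` empty or a key file truncated and the renew still runs. Since the renew operates on the copy inside `$TMPDIR`, which the trap removes on exit, a comment stating where the renewed certificate is expected to end up (e.g. an explicit `--out` path) would help; as written the result appears to be discarded with the temp dir.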
@ -23,7 +23,7 @@ pkgs.writers.writeDashBin "vicuna-chat" ''
|
||||
add_to_context "{\"role\": \"user\", \"content\": \"$PROMPT\"}"
|
||||
response=$(
|
||||
jq -nc --slurpfile context "$CONTEXT" '{
|
||||
model: "vicuna-13b",
|
||||
model: "vicuna-13b-v1.5-16k",
|
||||
messages: $context[0],
|
||||
}' |
|
||||
curl -Ss http://vicuna.r/v1/chat/completions -H 'Content-Type: application/json' -d @-
|
||||
|
@ -1,10 +1,10 @@
|
||||
{
|
||||
"url": "https://github.com/NixOS/nixpkgs",
|
||||
"rev": "66aedfd010204949cb225cf749be08cb13ce1813",
|
||||
"date": "2023-08-02T21:56:37+02:00",
|
||||
"path": "/nix/store/wwmgy3p8svf9ag2s6fimr3fpz5v40mya-nixpkgs",
|
||||
"sha256": "1jspq3g1wzdfgmnp4wzzrwh2cfn9q2w86b25bgwr7ygdcdap3fqd",
|
||||
"hash": "sha256-DbtxVWPt+ZP5W0Usg7jAyTomIM//c3Jtfa59Ht7AV8s=",
|
||||
"rev": "aa8aa7e2ea35ce655297e8322dc82bf77a31d04b",
|
||||
"date": "2023-09-01T18:51:16+08:00",
|
||||
"path": "/nix/store/10xskkarnksmn1fahylswv0y4216c73w-nixpkgs",
|
||||
"sha256": "0bbv3y86kfpn02zh5vvdbkmnqyzagzbc1gzpvvlb6qbvgg639bf9",
|
||||
"hash": "sha256-ya00zHt7YbPo3ve/wNZ/6nts61xt7wK/APa6aZAfey0=",
|
||||
"fetchLFS": false,
|
||||
"fetchSubmodules": false,
|
||||
"deepClone": false,
|
||||
|
@ -1,10 +1,10 @@
|
||||
{
|
||||
"url": "https://github.com/NixOS/nixpkgs",
|
||||
"rev": "bd836ac5e5a7358dea73cb74a013ca32864ccb86",
|
||||
"date": "2023-08-02T00:11:43+02:00",
|
||||
"path": "/nix/store/qj37rmkpa5spmxsr3vb5hrwkahnsn4pm-nixpkgs",
|
||||
"sha256": "1xcg07nmzz74s99ln079rqzlxyiv2gzzz9g71h5337jf4il0560g",
|
||||
"hash": "sha256-D5gCaCROnjEKDOel//8TO/pOP87pAEtT0uT8X+0Bj/U=",
|
||||
"rev": "9075cba53e86dc318d159aee55dc9a7c9a4829c1",
|
||||
"date": "2023-09-02T08:28:47+02:00",
|
||||
"path": "/nix/store/605bv7zssv38j0ii8rbnxkv1m0f0b53p-nixpkgs",
|
||||
"sha256": "0kymzp32d31c0hny2b2f7zfn49nzrxlm963xbm4v0axka6abym36",
|
||||
"hash": "sha256-ZlS/lFGzK7BJXX2YVGnP3yZi3T9OLOEtBCyMJsb91U8=",
|
||||
"fetchLFS": false,
|
||||
"fetchSubmodules": false,
|
||||
"deepClone": false,
|
||||
|
@ -1,148 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/exim-retiolum.nix>
|
||||
<stockholm/lass/2configs/baseX.nix>
|
||||
<stockholm/lass/2configs/pipewire.nix>
|
||||
<stockholm/lass/2configs/browsers.nix>
|
||||
<stockholm/lass/2configs/programs.nix>
|
||||
<stockholm/lass/2configs/network-manager.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/sync/sync.nix>
|
||||
<stockholm/lass/2configs/games.nix>
|
||||
<stockholm/lass/2configs/steam.nix>
|
||||
<stockholm/lass/2configs/wine.nix>
|
||||
<stockholm/lass/2configs/fetchWallpaper.nix>
|
||||
<stockholm/lass/2configs/yellow-mounts/samba.nix>
|
||||
<stockholm/lass/2configs/pass.nix>
|
||||
<stockholm/lass/2configs/mail.nix>
|
||||
<stockholm/lass/2configs/bitcoin.nix>
|
||||
# <stockholm/lass/2configs/xonsh.nix>
|
||||
<stockholm/lass/2configs/review.nix>
|
||||
<stockholm/lass/2configs/dunst.nix>
|
||||
<stockholm/lass/2configs/print.nix>
|
||||
<stockholm/lass/2configs/br.nix>
|
||||
<stockholm/lass/2configs/c-base.nix>
|
||||
# steam-deck like experience https://github.com/Jovian-Experiments/Jovian-NixOS
|
||||
{
|
||||
imports = [
|
||||
"${builtins.fetchTarball "https://github.com/Jovian-Experiments/Jovian-NixOS/archive/master.tar.gz"}/modules"
|
||||
];
|
||||
jovian.steam.enable = true;
|
||||
}
|
||||
{ # autorandrs
|
||||
services.autorandr = {
|
||||
enable = true;
|
||||
hooks.postswitch.reset_usb = ''
|
||||
echo 0 > /sys/bus/usb/devices/usb9/authorized; echo 1 > /sys/bus/usb/devices/usb9/authorized
|
||||
${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert
|
||||
'';
|
||||
profiles = {
|
||||
default = {
|
||||
fingerprint = {
|
||||
eDP = "00ffffffffffff00288931000100000016200104805932780a0dc9a05747982712484c0000000101010101010101010101010101010108700088a1401360c820a300d9870000001ead4a0088a1401360c820a30020c23100001e000000fd0016480f5a1e000a202020202020000000fc0047504431303031480a2020202000cf";
|
||||
};
|
||||
config = {
|
||||
eDP = {
|
||||
enable = true;
|
||||
primary = true;
|
||||
position = "0x0";
|
||||
mode = "2560x1600";
|
||||
rate = "60.01";
|
||||
transform = [
|
||||
[ 0.750000 0.000000 0.000000 ]
|
||||
[ 0.000000 0.750000 0.000000 ]
|
||||
[ 0.000000 0.000000 1.000000 ]
|
||||
];
|
||||
# scale = {
|
||||
# x = 0.599991;
|
||||
# y = 0.599991;
|
||||
# };
|
||||
};
|
||||
};
|
||||
};
|
||||
docked2 = {
|
||||
fingerprint = {
|
||||
eDP = config.services.autorandr.profiles.default.fingerprint.eDP;
|
||||
DisplayPort-8 = "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";
|
||||
DisplayPort-7 = "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";
|
||||
};
|
||||
config = {
|
||||
DisplayPort-7 = {
|
||||
enable = true;
|
||||
position = "2560x0";
|
||||
mode = "1920x1080";
|
||||
rate = "60.00";
|
||||
};
|
||||
DisplayPort-8 = config.services.autorandr.profiles.docked1.config.DisplayPort-1;
|
||||
eDP = config.services.autorandr.profiles.docked1.config.eDP;
|
||||
};
|
||||
};
|
||||
docked1 = {
|
||||
fingerprint = {
|
||||
eDP = config.services.autorandr.profiles.default.fingerprint.eDP;
|
||||
DisplayPort-1 = "00ffffffffffff0010ac39d14c3346300f200104b5462878fb26f5af4f46a5240f5054a54b00714f8140818081c081009500b300d1c0565e00a0a0a0295030203500b9882100001a000000ff00444342375847330a2020202020000000fc0044454c4c204733323233440a20000000fd0030a5fafa41010a2020202020200181020332f149030212110490131f3f2309070783010000e200eae305c000e606050162622c6d1a0000020b30a50007622c622c000000000000000000000000000000000000f4fb0050a0a0285008206800b9882100001a40e7006aa0a0675008209804b9882100001a6fc200a0a0a0555030203500b9882100001a000000000040";
|
||||
};
|
||||
config = {
|
||||
DisplayPort-1 = {
|
||||
enable = true;
|
||||
primary = true;
|
||||
position = "0x0";
|
||||
mode = "2560x1440";
|
||||
rate = "165.08";
|
||||
};
|
||||
eDP = config.services.autorandr.profiles.default.config.eDP // {
|
||||
primary = false;
|
||||
position = "640x1440";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
system.stateVersion = "22.11";
|
||||
|
||||
krebs.build.host = config.krebs.hosts.aergia;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
brain
|
||||
bank
|
||||
l-gen-secrets
|
||||
generate-secrets
|
||||
nixpkgs-review
|
||||
pipenv
|
||||
];
|
||||
|
||||
programs.adb.enable = true;
|
||||
|
||||
hardware.bluetooth = {
|
||||
enable = true;
|
||||
powerOnBoot = true;
|
||||
};
|
||||
hardware.pulseaudio.package = pkgs.pulseaudioFull;
|
||||
|
||||
nix.trustedUsers = [ "root" "lass" ];
|
||||
|
||||
# nix.extraOptions = ''
|
||||
# extra-experimental-features = nix-command flakes
|
||||
# '';
|
||||
|
||||
services.tor = {
|
||||
enable = true;
|
||||
client.enable = true;
|
||||
};
|
||||
|
||||
documentation.nixos.enable = true;
|
||||
boot.binfmt.emulatedSystems = [
|
||||
"aarch64-linux"
|
||||
];
|
||||
|
||||
boot.cleanTmpDir = true;
|
||||
programs.noisetorch.enable = true;
|
||||
}
|
@ -1,61 +0,0 @@
|
||||
{ lib, ... }:
|
||||
{
|
||||
disk = {
|
||||
main = {
|
||||
type = "disk";
|
||||
device = "/dev/nvme0n1";
|
||||
content = {
|
||||
type = "table";
|
||||
format = "gpt";
|
||||
partitions = [
|
||||
{
|
||||
name = "boot";
|
||||
start = "0";
|
||||
end = "1M";
|
||||
part-type = "primary";
|
||||
flags = ["bios_grub"];
|
||||
}
|
||||
{
|
||||
name = "ESP";
|
||||
start = "1MiB";
|
||||
end = "1GiB";
|
||||
fs-type = "fat32";
|
||||
bootable = true;
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot";
|
||||
};
|
||||
}
|
||||
{
|
||||
name = "root";
|
||||
start = "1GiB";
|
||||
end = "100%";
|
||||
content = {
|
||||
type = "luks";
|
||||
name = "aergia1";
|
||||
content = {
|
||||
type = "btrfs";
|
||||
extraArgs = "-f"; # Override existing partition
|
||||
subvolumes = {
|
||||
# Subvolume name is different from mountpoint
|
||||
"/rootfs" = {
|
||||
mountpoint = "/";
|
||||
};
|
||||
# Mountpoints inferred from subvolume name
|
||||
"/home" = {
|
||||
mountOptions = [];
|
||||
};
|
||||
"/nix" = {
|
||||
mountOptions = [];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -1,3 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
target=$1
|
@ -1,112 +0,0 @@
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
<stockholm/lass/2configs/antimicrox>
|
||||
];
|
||||
disko.devices = import ./disk.nix;
|
||||
|
||||
networking.hostId = "deadbeef";
|
||||
# boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
device = "/dev/nvme0n1";
|
||||
efiSupport = true;
|
||||
efiInstallAsRemovable = true;
|
||||
};
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
|
||||
boot.kernelParams = [
|
||||
# use less power with pstate
|
||||
"amd_pstate=passive"
|
||||
|
||||
# suspend
|
||||
"resume_offset=178345675"
|
||||
];
|
||||
|
||||
boot.kernelModules = [
|
||||
# Enables the amd cpu scaling https://www.kernel.org/doc/html/latest/admin-guide/pm/amd-pstate.html
|
||||
# On recent AMD CPUs this can be more energy efficient.
|
||||
"amd-pstate"
|
||||
"kvm-amd"
|
||||
];
|
||||
|
||||
# hardware.cpu.amd.updateMicrocode = true;
|
||||
|
||||
services.xserver.videoDrivers = [
|
||||
"amdgpu"
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [
|
||||
"nvme"
|
||||
"thunderbolt"
|
||||
"xhci_pci"
|
||||
"usbhid"
|
||||
];
|
||||
|
||||
boot.initrd.kernelModules = [
|
||||
"amdgpu"
|
||||
];
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.vulkan-tools
|
||||
(pkgs.writers.writeDashBin "set_tdp" ''
|
||||
set -efux
|
||||
watt=$1
|
||||
value=$(( $watt * 1000 ))
|
||||
${pkgs.ryzenadj}/bin/ryzenadj --stapm-limit="$value" --fast-limit="$value" --slow-limit="$value"
|
||||
'')
|
||||
];
|
||||
|
||||
# corectrl
|
||||
programs.corectrl = {
|
||||
enable = true;
|
||||
gpuOverclock = {
|
||||
enable = true;
|
||||
ppfeaturemask = "0xffffffff";
|
||||
};
|
||||
};
|
||||
users.users.mainUser.extraGroups = [ "corectrl" ];
|
||||
|
||||
# use newer ryzenadj
|
||||
|
||||
# keyboard quirks
|
||||
services.xserver.displayManager.sessionCommands = ''
|
||||
${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert
|
||||
'';
|
||||
services.udev.extraHwdb = /* sh */ ''
|
||||
# disable back buttons
|
||||
evdev:input:b0003v2F24p0135* # /dev/input/event2
|
||||
KEYBOARD_KEY_70026=reserved
|
||||
KEYBOARD_KEY_70027=reserved
|
||||
'';
|
||||
|
||||
# update cpu microcode
|
||||
hardware.cpu.amd.updateMicrocode = true;
|
||||
|
||||
hardware.opengl.enable = true;
|
||||
hardware.opengl.extraPackages = [
|
||||
pkgs.amdvlk
|
||||
pkgs.rocm-opencl-icd
|
||||
pkgs.rocm-opencl-runtime
|
||||
];
|
||||
|
||||
# suspend to disk
|
||||
swapDevices = [{
|
||||
device = "/swapfile";
|
||||
}];
|
||||
boot.resumeDevice = "/dev/mapper/aergia1";
|
||||
services.logind.lidSwitch = "suspend-then-hibernate";
|
||||
services.logind.extraConfig = ''
|
||||
HandlePowerKey=hibernate
|
||||
'';
|
||||
|
||||
# firefox touchscreen support
|
||||
environment.sessionVariables.MOZ_USE_XINPUT2 = "1";
|
||||
# reinit usb after docking station connect
|
||||
services.udev.extraRules = ''
|
||||
SUBSYSTEM=="drm", ACTION=="change", RUN+="${pkgs.dash}/bin/dash -c 'echo 0 > /sys/bus/usb/devices/usb9/authorized; echo 1 > /sys/bus/usb/devices/usb9/authorized'"
|
||||
'';
|
||||
}
|
@ -1,21 +0,0 @@
|
||||
{ lib, pkgs, test, ... }: let
|
||||
npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
|
||||
in {
|
||||
nixpkgs = (if test then lib.mkForce ({ derivation = let
|
||||
rev = npkgs.rev;
|
||||
sha256 = npkgs.sha256;
|
||||
in ''
|
||||
with import (builtins.fetchTarball {
|
||||
url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
|
||||
sha256 = "${sha256}";
|
||||
}) {};
|
||||
pkgs.fetchFromGitHub {
|
||||
owner = "nixos";
|
||||
repo = "nixpkgs";
|
||||
rev = "${rev}";
|
||||
sha256 = "${sha256}";
|
||||
}
|
||||
''; }) else {
|
||||
git.ref = lib.mkForce npkgs.rev;
|
||||
});
|
||||
}
|
@ -1,22 +0,0 @@
|
||||
with import <stockholm/lib>;
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
<stockholm/lass/2configs>
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/exim-retiolum.nix>
|
||||
|
||||
<stockholm/lass/2configs/blue.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/sync/sync.nix>
|
||||
<stockholm/lass/2configs/sync/decsync.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.blue;
|
||||
|
||||
networking.nameservers = [ "1.1.1.1" ];
|
||||
|
||||
time.timeZone = "Europe/Berlin";
|
||||
users.users.mainUser.openssh.authorizedKeys.keys = [ config.krebs.users.lass-android.pubkey ];
|
||||
}
|
@ -1,7 +0,0 @@
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
];
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
}
|
@ -1,17 +0,0 @@
|
||||
{ lib, pkgs, test, ... }:
|
||||
if test then {} else {
|
||||
nixpkgs = lib.mkIf (! test) (lib.mkForce {
|
||||
file = {
|
||||
path = toString (pkgs.fetchFromGitHub {
|
||||
owner = "nixos";
|
||||
repo = "nixpkgs";
|
||||
rev = (lib.importJSON ../../../krebs/nixpkgs.json).rev;
|
||||
sha256 = (lib.importJSON ../../../krebs/nixpkgs.json).sha256;
|
||||
});
|
||||
useChecksum = true;
|
||||
};
|
||||
});
|
||||
nixpkgs-unstable = lib.mkForce {
|
||||
file.path = "/var/empty";
|
||||
};
|
||||
}
|
@ -1,63 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/exim-retiolum.nix>
|
||||
<stockholm/lass/2configs/baseX.nix>
|
||||
<stockholm/lass/2configs/browsers.nix>
|
||||
<stockholm/lass/2configs/programs.nix>
|
||||
<stockholm/lass/2configs/network-manager.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/sync/sync.nix>
|
||||
<stockholm/lass/2configs/games.nix>
|
||||
<stockholm/lass/2configs/steam.nix>
|
||||
<stockholm/lass/2configs/wine.nix>
|
||||
<stockholm/lass/2configs/fetchWallpaper.nix>
|
||||
<stockholm/lass/2configs/yellow-mounts/samba.nix>
|
||||
<stockholm/lass/2configs/pass.nix>
|
||||
<stockholm/lass/2configs/mail.nix>
|
||||
<stockholm/lass/2configs/bitcoin.nix>
|
||||
<stockholm/lass/2configs/review.nix>
|
||||
<stockholm/lass/2configs/dunst.nix>
|
||||
# <stockholm/krebs/2configs/ircd.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.coaxmetal;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
brain
|
||||
bank
|
||||
l-gen-secrets
|
||||
(pkgs.writeDashBin "deploy" ''
|
||||
set -eu
|
||||
export SYSTEM="$1"
|
||||
$(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy)
|
||||
'')
|
||||
(pkgs.writeDashBin "usb-tether-on" ''
|
||||
adb shell su -c service call connectivity 33 i32 1 s16 text
|
||||
'')
|
||||
(pkgs.writeDashBin "usb-tether-off" ''
|
||||
adb shell su -c service call connectivity 33 i32 0 s16 text
|
||||
'')
|
||||
];
|
||||
|
||||
programs.adb.enable = true;
|
||||
|
||||
hardware.bluetooth = {
|
||||
enable = true;
|
||||
powerOnBoot = true;
|
||||
};
|
||||
hardware.pulseaudio.package = pkgs.pulseaudioFull;
|
||||
|
||||
nix.trustedUsers = [ "root" "lass" ];
|
||||
|
||||
services.tor = {
|
||||
enable = true;
|
||||
client.enable = true;
|
||||
};
|
||||
|
||||
documentation.nixos.enable = true;
|
||||
}
|
@ -1,59 +0,0 @@
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
networking.hostId = "e0c335ea";
|
||||
boot.zfs.requestEncryptionCredentials = true;
|
||||
boot.zfs.enableUnstable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
# device = "/dev/disk/by-id/nvme-WDC_PC_SN730_SDBQNTY-1T00-1001_205349800040";
|
||||
device = "nodev";
|
||||
efiSupport = true;
|
||||
# efiInstallAsRemovable = true;
|
||||
};
|
||||
|
||||
services.xserver.videoDrivers = [
|
||||
"amdgpu"
|
||||
];
|
||||
|
||||
hardware.opengl.extraPackages = [ pkgs.amdvlk ];
|
||||
environment.variables.VK_ICD_FILENAMES =
|
||||
"/run/opengl-driver/share/vulkan/icd.d/amd_icd64.json";
|
||||
|
||||
boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "zpool/root/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/home" = {
|
||||
device = "zpool/root/home";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/50A7-1889";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
services.logind.lidSwitch = "ignore";
|
||||
services.logind.lidSwitchDocked = "ignore";
|
||||
|
||||
# Mouse stuff
|
||||
services.xserver.libinput.enable = lib.mkForce false;
|
||||
services.xserver.synaptics.enable = true;
|
||||
|
||||
services.xserver.displayManager.sessionCommands = ''
|
||||
xinput disable 'ETPS/2 Elantech Touchpad'
|
||||
xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation' 1
|
||||
xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Button' 2
|
||||
xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Axes' 6 7 4 5
|
||||
'';
|
||||
}
|
@ -1,21 +0,0 @@
|
||||
{ lib, pkgs, test, ... }: let
|
||||
npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
|
||||
in {
|
||||
nixpkgs = (if test then lib.mkForce ({ derivation = let
|
||||
rev = npkgs.rev;
|
||||
sha256 = npkgs.sha256;
|
||||
in ''
|
||||
with import (builtins.fetchTarball {
|
||||
url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
|
||||
sha256 = "${sha256}";
|
||||
}) {};
|
||||
pkgs.fetchFromGitHub {
|
||||
owner = "nixos";
|
||||
repo = "nixpkgs";
|
||||
rev = "${rev}";
|
||||
sha256 = "${sha256}";
|
||||
}
|
||||
''; }) else {
|
||||
git.ref = lib.mkForce npkgs.rev;
|
||||
});
|
||||
}
|
@ -1,115 +0,0 @@
|
||||
with import <stockholm/lib>;
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/pipewire.nix>
|
||||
# <stockholm/lass/2configs/nfs-dl.nix>
|
||||
{
|
||||
# bubsy config
|
||||
users.users.bubsy = {
|
||||
uid = genid "bubsy";
|
||||
home = "/home/bubsy";
|
||||
group = "users";
|
||||
createHome = true;
|
||||
extraGroups = [
|
||||
"audio"
|
||||
"networkmanager"
|
||||
"pipewire"
|
||||
# "plugdev"
|
||||
];
|
||||
useDefaultShell = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
networking.networkmanager.enable = true;
|
||||
networking.wireless.enable = mkForce false;
|
||||
# programs.chromium = {
|
||||
# enable = true;
|
||||
# extensions = [
|
||||
# "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
|
||||
# ];
|
||||
# };
|
||||
environment.systemPackages = with pkgs; [
|
||||
ark
|
||||
pavucontrol
|
||||
#firefox
|
||||
chromium
|
||||
hexchat
|
||||
networkmanagerapplet
|
||||
libreoffice
|
||||
audacity
|
||||
zathura
|
||||
skypeforlinux
|
||||
wine
|
||||
geeqie
|
||||
vlc
|
||||
zsnes
|
||||
telegram-desktop
|
||||
];
|
||||
# services.udev.packages = [ pkgs.ledger-udev-rules ];
|
||||
nixpkgs.config.firefox.enableAdobeFlash = true;
|
||||
services.xserver.enable = true;
|
||||
services.xserver.displayManager.lightdm.enable = true;
|
||||
services.xserver.desktopManager.plasma5.enable = true;
|
||||
services.tlp.enable = lib.mkForce false;
|
||||
services.xserver.layout = "de";
|
||||
}
|
||||
{
|
||||
users = {
|
||||
groups.plugdev = {};
|
||||
users = {
|
||||
bitcoin = {
|
||||
name = "bitcoin";
|
||||
description = "user for bitcoin stuff";
|
||||
home = "/home/bitcoin";
|
||||
isNormalUser = true;
|
||||
useDefaultShell = true;
|
||||
createHome = true;
|
||||
extraGroups = [
|
||||
"audio"
|
||||
"networkmanager"
|
||||
"plugdev"
|
||||
];
|
||||
packages = [
|
||||
pkgs.electrum
|
||||
pkgs.electron-cash
|
||||
pkgs.ledger-live-desktop
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
hardware.ledger.enable = true;
|
||||
security.sudo.extraConfig = ''
|
||||
bubsy ALL=(bitcoin) NOPASSWD: ALL
|
||||
'';
|
||||
}
|
||||
{
|
||||
#remote control
|
||||
environment.systemPackages = with pkgs; [
|
||||
x11vnc
|
||||
# torbrowser
|
||||
];
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
{ predicate = "-p tcp -i retiolum --dport 5900"; target = "ACCEPT"; }
|
||||
];
|
||||
}
|
||||
];
|
||||
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
hardware.trackpoint = {
|
||||
enable = true;
|
||||
sensitivity = 220;
|
||||
speed = 0;
|
||||
emulateWheel = true;
|
||||
};
|
||||
|
||||
services.logind.extraConfig = ''
|
||||
HandleLidSwitch=ignore
|
||||
'';
|
||||
|
||||
krebs.build.host = config.krebs.hosts.daedalus;
|
||||
}
|
@ -1,24 +0,0 @@
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
<stockholm/lass/2configs/hw/x220.nix>
|
||||
<stockholm/lass/2configs/boot/coreboot.nix>
|
||||
];
|
||||
|
||||
fileSystems = {
|
||||
"/bku" = {
|
||||
device = "/dev/mapper/pool-bku";
|
||||
fsType = "btrfs";
|
||||
options = ["defaults" "noatime" "ssd" "compress=lzo"];
|
||||
};
|
||||
"/backups" = {
|
||||
device = "/dev/pool/backup";
|
||||
fsType = "ext4";
|
||||
};
|
||||
};
|
||||
|
||||
services.udev.extraRules = ''
|
||||
SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0"
|
||||
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
|
||||
'';
|
||||
}
|
@ -1,13 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/monitoring/prometheus.nix>
|
||||
<stockholm/lass/2configs/monitoring/telegraf.nix>
|
||||
<stockholm/lass/2configs/consul.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.dishfire;
|
||||
}
|
@ -1,21 +0,0 @@
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.loader.grub.devices = [ "/dev/sda" ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/84053adc-49bc-4e02-8a19-3838bf3a43fd";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
}
|
@ -1,17 +0,0 @@
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/tor-initrd.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/green-host.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.echelon;
|
||||
|
||||
boot.tmpOnTmpfs = true;
|
||||
|
||||
}
|
||||
|
@ -1,33 +0,0 @@
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
# Use the GRUB 2 boot loader.
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.efiSupport = true;
|
||||
boot.loader.grub.efiInstallAsRemovable = true;
|
||||
# Define on which hard drive you want to install Grub.
|
||||
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||
boot.initrd.luks.devices.luksroot.device = "/dev/sda3";
|
||||
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.ens18.useDHCP = true;
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-uuid/5186edb1-9234-48ae-8679-61facb56b818";
|
||||
fsType = "xfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/56D1-34A0";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
}
|
@ -1,76 +0,0 @@
|
||||
with import <stockholm/lib>;
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
<stockholm/lass/2configs>
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/exim-retiolum.nix>
|
||||
<stockholm/lass/2configs/mail.nix>
|
||||
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/sync/sync.nix>
|
||||
<stockholm/lass/2configs/sync/decsync.nix>
|
||||
|
||||
<stockholm/lass/2configs/weechat.nix>
|
||||
<stockholm/lass/2configs/bitlbee.nix>
|
||||
|
||||
<stockholm/lass/2configs/muchsync.nix>
|
||||
<stockholm/lass/2configs/pass.nix>
|
||||
|
||||
<stockholm/lass/2configs/git-brain.nix>
|
||||
<stockholm/lass/2configs/et-server.nix>
|
||||
<stockholm/lass/2configs/consul.nix>
|
||||
|
||||
<stockholm/lass/2configs/atuin-server.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.green;
|
||||
|
||||
krebs.sync-containers3.inContainer = {
|
||||
enable = true;
|
||||
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlUMf943qEQG64ob81p6dgoHq4jUjq7tSvmSdEOEU2y";
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /home/lass/.local/share 0700 lass users -"
|
||||
"d /home/lass/.local 0700 lass users -"
|
||||
"d /home/lass/.config 0700 lass users -"
|
||||
|
||||
"d /var/state/lass_mail 0700 lass users -"
|
||||
"L+ /home/lass/Maildir - - - - ../../var/state/lass_mail"
|
||||
|
||||
"d /var/state/lass_ssh 0700 lass users -"
|
||||
"L+ /home/lass/.ssh - - - - ../../var/state/lass_ssh"
|
||||
"d /var/state/lass_gpg 0700 lass users -"
|
||||
"L+ /home/lass/.gnupg - - - - ../../var/state/lass_gpg"
|
||||
"d /var/state/lass_sync 0700 lass users -"
|
||||
"L+ /home/lass/sync - - - - ../../var/state/lass_sync"
|
||||
|
||||
"d /var/state/git 0700 git nogroup -"
|
||||
"L+ /var/lib/git - - - - ../../var/state/git"
|
||||
];
|
||||
|
||||
users.users.mainUser.openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.lass-android.pubkey
|
||||
config.krebs.users.lass-tablet.pubkey
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKgpZwye6yavIs3gUIYvSi70spDa0apL2yHR0ASW74z8" # weechat ssh tunnel
|
||||
];
|
||||
|
||||
krebs.iptables.tables.nat.PREROUTING.rules = [
|
||||
{ predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
|
||||
];
|
||||
|
||||
# workaround for ssh access from yubikey via android
|
||||
services.openssh.extraConfig = ''
|
||||
HostKeyAlgorithms +ssh-rsa
|
||||
PubkeyAcceptedAlgorithms +ssh-rsa
|
||||
'';
|
||||
|
||||
services.dovecot2 = {
|
||||
enable = true;
|
||||
mailLocation = "maildir:~/Maildir";
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 143 ];
|
||||
}
|
@ -1,7 +0,0 @@
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
];
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = true;
|
||||
}
|
@ -1,6 +0,0 @@
|
||||
{ lib, pkgs, test, ... }: let
|
||||
npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
|
||||
in if test then {} else {
|
||||
nixpkgs.git.ref = lib.mkForce npkgs.rev;
|
||||
nixpkgs-unstable = lib.mkForce { file = "/var/empty"; };
|
||||
}
|
@ -1,33 +0,0 @@
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/network-manager.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.hilum;
|
||||
|
||||
boot.loader.grub = {
|
||||
extraEntries = ''
|
||||
submenu isos {
|
||||
source /grub/autoiso.cfg
|
||||
}
|
||||
'';
|
||||
extraFiles."/grub/autoiso.cfg" = (pkgs.stdenv.mkDerivation {
|
||||
name = "autoiso.cfg";
|
||||
src = pkgs.grub2.src;
|
||||
phases = [ "unpackPhase" "installPhase" ];
|
||||
installPhase = ''
|
||||
cp docs/autoiso.cfg $out
|
||||
'';
|
||||
});
|
||||
};
|
||||
|
||||
services.logind.lidSwitch = "ignore";
|
||||
services.logind.lidSwitchDocked = "ignore";
|
||||
|
||||
boot.tmpOnTmpfs = true;
|
||||
}
|
@ -1,43 +0,0 @@
|
||||
{ lib, disk, keyFile, ... }:
|
||||
{
|
||||
disk = {
|
||||
main = {
|
||||
type = "disk";
|
||||
device = disk;
|
||||
content = {
|
||||
type = "table";
|
||||
format = "gpt";
|
||||
partitions = [
|
||||
{
|
||||
name = "boot";
|
||||
start = "0";
|
||||
end = "1M";
|
||||
flags = ["bios_grub"];
|
||||
}
|
||||
{
|
||||
name = "ESP";
|
||||
start = "1M";
|
||||
end = "50%";
|
||||
bootable = true;
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot";
|
||||
};
|
||||
}
|
||||
{
|
||||
name = "root";
|
||||
start = "50%";
|
||||
end = "100%";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "ext4";
|
||||
mountpoint = "/";
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -1,43 +0,0 @@
|
||||
#!/bin/sh
|
||||
set -efux
|
||||
|
||||
disk=$1
|
||||
|
||||
cd "$(dirname "$0")"
|
||||
export NIXPKGS_ALLOW_UNFREE=1
|
||||
(umask 077; pass show admin/hilum/luks > /tmp/hilum.luks)
|
||||
trap 'rm -f /tmp/hilum.luks' EXIT
|
||||
echo "$disk" > /tmp/hilum-disk
|
||||
trap 'rm -f /tmp/hilum-disk' EXIT
|
||||
|
||||
stockholm_root=$(git rev-parse --show-toplevel)
|
||||
ssh root@localhost -t -- $(nix-build \
|
||||
--no-out-link \
|
||||
-I nixpkgs=/var/src/nixpkgs \
|
||||
-I stockholm="$stockholm_root" \
|
||||
-I secrets="$stockholm_root"/lass/2configs/tests/dummy-secrets \
|
||||
-E "with import <nixpkgs> {}; (pkgs.nixos [
|
||||
{
|
||||
luksPassFile = \"/tmp/hilum.luks\";
|
||||
mainDisk = \"$disk\";
|
||||
disko.rootMountPoint = \"/mnt/hilum\";
|
||||
}
|
||||
./physical.nix
|
||||
]).disko"
|
||||
)
|
||||
rm -f /tmp/hilum.luks
|
||||
$(nix-build \
|
||||
--no-out-link \
|
||||
-I nixpkgs=/var/src/nixpkgs \
|
||||
"$stockholm_root"/lass/krops.nix -A populate \
|
||||
--argstr name hilum \
|
||||
--argstr target "root@localhost/mnt/hilum/var/src" \
|
||||
--arg force true
|
||||
)
|
||||
ssh root@localhost << SSH
|
||||
set -efux
|
||||
mkdir -p /mnt/hilum/etc
|
||||
NIXOS_CONFIG=/mnt/hilum/var/src/nixos-config nixos-install --no-bootloader --no-root-password --root /mnt/hilum -I /var/src
|
||||
nixos-enter --root /mnt/hilum -- nixos-rebuild -I /var/src switch --install-bootloader
|
||||
umount -Rv /mnt/hilum
|
||||
SSH
|
@ -1,53 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||
{
|
||||
# nice hack to carry around state passed impurely at the beginning
|
||||
options.mainDisk = let
|
||||
tryFile = path: default:
|
||||
if lib.elem (builtins.baseNameOf path) (lib.attrNames (builtins.readDir (builtins.dirOf path))) then
|
||||
builtins.readFile path
|
||||
else
|
||||
default
|
||||
;
|
||||
in lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = tryFile "/etc/hilum-disk" (tryFile "/tmp/hilum-disk" "/dev/sdz");
|
||||
};
|
||||
config.environment.etc.hilum-disk.text = config.mainDisk;
|
||||
}
|
||||
{
|
||||
options.luksPassFile = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
disko.devices = import ./disk.nix {
|
||||
inherit lib;
|
||||
disk = config.mainDisk;
|
||||
keyFile = config.luksPassFile;
|
||||
};
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
|
||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.efiSupport = true;
|
||||
boot.loader.grub.device = config.mainDisk;
|
||||
boot.loader.grub.efiInstallAsRemovable = true;
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 4;
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
|
||||
#weird bug with nixos-enter
|
||||
services.logrotate.enable = false;
|
||||
}
|
@ -1,36 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with import <stockholm/lib>;
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
|
||||
<stockholm/lass/2configs/mouse.nix>
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/git.nix>
|
||||
<stockholm/lass/2configs/exim-retiolum.nix>
|
||||
<stockholm/lass/2configs/baseX.nix>
|
||||
<stockholm/lass/2configs/pipewire.nix>
|
||||
<stockholm/lass/2configs/browsers.nix>
|
||||
<stockholm/lass/2configs/programs.nix>
|
||||
<stockholm/lass/2configs/fetchWallpaper.nix>
|
||||
<stockholm/lass/2configs/games.nix>
|
||||
<stockholm/lass/2configs/bitcoin.nix>
|
||||
<stockholm/lass/2configs/wine.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/nfs-dl.nix>
|
||||
#<stockholm/lass/2configs/prism-share.nix>
|
||||
<stockholm/lass/2configs/network-manager.nix>
|
||||
<stockholm/lass/2configs/home-media.nix>
|
||||
<stockholm/lass/2configs/snapclient.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.icarus;
|
||||
|
||||
services.xserver.displayManager.lightdm.autoLogin = {
|
||||
enable = true;
|
||||
user = "media";
|
||||
};
|
||||
|
||||
environment.systemPackages = [ pkgs.chromium ];
|
||||
}
|
@ -1,49 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
#<stockholm/lass/2configs/hw/x220.nix>
|
||||
#<stockholm/lass/2configs/boot/universal.nix>
|
||||
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||
<stockholm/krebs/2configs/hw/x220.nix>
|
||||
];
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.efiSupport = true;
|
||||
boot.loader.grub.efiInstallAsRemovable = true;
|
||||
boot.loader.grub.device = "/dev/disk/by-id/wwn-0x5002538d702f5ac6";
|
||||
boot.initrd.luks.devices.ssd.device = "/dev/disk/by-id/wwn-0x5002538d702f5ac6-part3";
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "sd_mod" "sdhci_pci" ];
|
||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-uuid/298eb635-8db2-4c15-a73d-2e0d6afa10e8";
|
||||
fsType = "xfs";
|
||||
};
|
||||
|
||||
fileSystems."/home" = {
|
||||
device = "/dev/disk/by-uuid/eec94bef-e745-4d95-ad17-4df728f5fd31";
|
||||
fsType = "xfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/D975-2CAB";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 4;
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
|
||||
services.udev.extraRules = ''
|
||||
SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0"
|
||||
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
|
||||
'';
|
||||
|
||||
services.logind.lidSwitch = "ignore";
|
||||
}
|
@ -1,25 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
<stockholm/lass/2configs>
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.lasspi;
|
||||
|
||||
networking = {
|
||||
networkmanager = {
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
rxvt-unicode-unwrapped.terminfo
|
||||
];
|
||||
services.openssh.enable = true;
|
||||
|
||||
system.stateVersion = "22.05";
|
||||
}
|
@ -1,45 +0,0 @@
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{
|
||||
imports = [
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
./config.nix
|
||||
];
|
||||
|
||||
boot = {
|
||||
# kernelPackages = pkgs.linuxPackages_rpi4;
|
||||
tmpOnTmpfs = true;
|
||||
initrd.availableKernelModules = [ "usbhid" "usb_storage" "xhci_pci" ];
|
||||
# ttyAMA0 is the serial console broken out to the GPIO
|
||||
kernelParams = [
|
||||
"8250.nr_uarts=1"
|
||||
"console=ttyAMA0,115200"
|
||||
"console=tty1"
|
||||
# Some gui programs need this
|
||||
"cma=128M"
|
||||
];
|
||||
};
|
||||
|
||||
# boot.loader.raspberryPi = {
|
||||
# enable = true;
|
||||
# version = 4;
|
||||
# # uboot.enable = true;
|
||||
# };
|
||||
boot.loader.grub.enable = false;
|
||||
boot.loader.generic-extlinux-compatible.enable = true;
|
||||
|
||||
# Required for the Wireless firmware
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
|
||||
networking.interfaces.eth0.useDHCP = true;
|
||||
|
||||
# Assuming this is installed on top of the disk image.
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
|
||||
fsType = "ext4";
|
||||
options = [ "noatime" ];
|
||||
};
|
||||
};
|
||||
|
||||
powerManagement.cpuFreqGovernor = "ondemand";
|
||||
}
|
@ -1,30 +0,0 @@
|
||||
with import <stockholm/lib>;
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/blue-host.nix>
|
||||
<stockholm/lass/2configs/green-host.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
];
|
||||
|
||||
networking.networkmanager.enable = true;
|
||||
networking.wireless.enable = mkForce false;
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
hardware.trackpoint = {
|
||||
enable = true;
|
||||
sensitivity = 220;
|
||||
speed = 0;
|
||||
emulateWheel = true;
|
||||
};
|
||||
|
||||
services.logind.extraConfig = ''
|
||||
HandleLidSwitch=ignore
|
||||
'';
|
||||
|
||||
krebs.build.host = config.krebs.hosts.littleT;
|
||||
}
|
@ -1,25 +0,0 @@
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||
];
|
||||
fileSystems."/" =
|
||||
{ device = "rpool/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/5B2E-3734";
|
||||
fsType = "vfat";
|
||||
};
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.efiSupport = true;
|
||||
boot.loader.grub.efiInstallAsRemovable = true;
|
||||
boot.loader.grub.device = "nodev";
|
||||
networking.hostId = "584248c6";
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
|
||||
}
|
@ -1,145 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with import <stockholm/lib>;
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
|
||||
<stockholm/lass/2configs/mouse.nix>
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/baseX.nix>
|
||||
<stockholm/lass/2configs/pipewire.nix>
|
||||
<stockholm/lass/2configs/exim-retiolum.nix>
|
||||
<stockholm/lass/2configs/programs.nix>
|
||||
<stockholm/lass/2configs/bitcoin.nix>
|
||||
<stockholm/lass/2configs/browsers.nix>
|
||||
<stockholm/lass/2configs/games.nix>
|
||||
<stockholm/lass/2configs/pass.nix>
|
||||
<stockholm/lass/2configs/elster.nix>
|
||||
<stockholm/lass/2configs/steam.nix>
|
||||
<stockholm/lass/2configs/wine.nix>
|
||||
<stockholm/lass/2configs/fetchWallpaper.nix>
|
||||
<stockholm/lass/2configs/mail.nix>
|
||||
<stockholm/lass/2configs/logf.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/sync/sync.nix>
|
||||
<stockholm/lass/2configs/sync/decsync.nix>
|
||||
<stockholm/lass/2configs/sync/weechat.nix>
|
||||
<stockholm/lass/2configs/sync/the_playlist.nix>
|
||||
#<stockholm/lass/2configs/c-base.nix>
|
||||
<stockholm/lass/2configs/br.nix>
|
||||
<stockholm/lass/2configs/ableton.nix>
|
||||
<stockholm/lass/2configs/dunst.nix>
|
||||
<stockholm/lass/2configs/rtl-sdr.nix>
|
||||
<stockholm/lass/2configs/print.nix>
|
||||
<stockholm/lass/2configs/network-manager.nix>
|
||||
<stockholm/lass/2configs/nfs-dl.nix>
|
||||
<stockholm/lass/2configs/green-host.nix>
|
||||
<stockholm/krebs/2configs/news-host.nix>
|
||||
<stockholm/lass/2configs/ppp/x220-modem.nix>
|
||||
<stockholm/lass/2configs/ppp/umts-stick.nix>
|
||||
# <stockholm/lass/2configs/remote-builder/morpheus.nix>
|
||||
# <stockholm/lass/2configs/remote-builder/prism.nix>
|
||||
<stockholm/lass/2configs/autotether.nix>
|
||||
{
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
#risk of rain
|
||||
{ predicate = "-p tcp --dport 11100"; target = "ACCEPT"; }
|
||||
#quake3
|
||||
{ predicate = "-p tcp --dport 27950:27965"; target = "ACCEPT"; }
|
||||
{ predicate = "-p udp --dport 27950:27965"; target = "ACCEPT"; }
|
||||
];
|
||||
}
|
||||
{
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts.default = {
|
||||
default = true;
|
||||
serverAliases = [
|
||||
"localhost"
|
||||
"${config.krebs.build.host.name}"
|
||||
"${config.krebs.build.host.name}.r"
|
||||
];
|
||||
locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
|
||||
alias /home/$1/public_html$2;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
{
|
||||
services.redis.enable = true;
|
||||
}
|
||||
{
|
||||
environment.systemPackages = [
|
||||
pkgs.ovh-zone
|
||||
pkgs.bank
|
||||
pkgs.adb-sync
|
||||
pkgs.transgui
|
||||
];
|
||||
}
|
||||
{
|
||||
services.tor = {
|
||||
enable = true;
|
||||
client.enable = true;
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.mors;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
acronym
|
||||
brain
|
||||
cac-api
|
||||
sshpass
|
||||
get
|
||||
hashPassword
|
||||
urban
|
||||
mk_sql_pair
|
||||
remmina
|
||||
transmission
|
||||
|
||||
macchanger
|
||||
|
||||
dnsutils
|
||||
woeusb
|
||||
(pkgs.writeDashBin "play-on" ''
|
||||
HOST=$(echo 'styx\nshodan' | fzfmenu)
|
||||
ssh -t "$HOST" -- mpv "$@"
|
||||
'')
|
||||
];
|
||||
|
||||
#TODO: fix this shit
|
||||
##fprint stuff
|
||||
##sudo fprintd-enroll $USER to save fingerprints
|
||||
#services.fprintd.enable = true;
|
||||
#security.pam.services.sudo.fprintAuth = true;
|
||||
|
||||
users.extraGroups = {
|
||||
loot = {
|
||||
members = [
|
||||
config.users.extraUsers.mainUser.name
|
||||
"firefox"
|
||||
"chromium"
|
||||
"google"
|
||||
"virtual"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
krebs.repo-sync.timerConfig = {
|
||||
OnCalendar = "00:37";
|
||||
};
|
||||
|
||||
nixpkgs.config.android_sdk.accept_license = true;
|
||||
programs.adb.enable = true;
|
||||
users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
|
||||
virtualisation.docker.enable = true;
|
||||
|
||||
virtualisation.libvirtd.enable = true;
|
||||
|
||||
services.earlyoom = {
|
||||
enable = true;
|
||||
freeMemThreshold = 5;
|
||||
};
|
||||
}
|
@ -1,48 +0,0 @@
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
<stockholm/lass/2configs/hw/x220.nix>
|
||||
<stockholm/lass/2configs/boot/universal.nix>
|
||||
];
|
||||
|
||||
boot.kernelParams = [ "acpi_backlight=native" ];
|
||||
|
||||
fileSystems = {
|
||||
"/bku" = {
|
||||
device = "/dev/mapper/pool-bku";
|
||||
fsType = "btrfs";
|
||||
options = ["defaults" "noatime" "ssd" "compress=lzo"];
|
||||
};
|
||||
"/home/virtual" = {
|
||||
device = "/dev/mapper/pool-virtual";
|
||||
fsType = "ext4";
|
||||
};
|
||||
"/backups" = {
|
||||
device = "/dev/pool/backup";
|
||||
fsType = "ext4";
|
||||
};
|
||||
};
|
||||
|
||||
services.udev.extraRules = ''
|
||||
SUBSYSTEM=="net", DEVPATH=="/devices/pci*/*1c.1/*/net/*", NAME="wl0"
|
||||
SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:37:15:d9", NAME="et0"
|
||||
'';
|
||||
|
||||
#TODO activationScripts seem broken, fix them!
|
||||
#activationScripts
|
||||
#split up and move into base
|
||||
system.activationScripts.powertopTunables = ''
|
||||
#Runtime PMs
|
||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control'
|
||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control'
|
||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control'
|
||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control'
|
||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control'
|
||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control'
|
||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control'
|
||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control'
|
||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control'
|
||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control'
|
||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
|
||||
'';
|
||||
}
|
@ -1,21 +0,0 @@
|
||||
{ lib, pkgs, test, ... }: let
|
||||
npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
|
||||
in {
|
||||
nixpkgs = (if test then lib.mkForce ({ derivation = let
|
||||
rev = npkgs.rev;
|
||||
sha256 = npkgs.sha256;
|
||||
in ''
|
||||
with import (builtins.fetchTarball {
|
||||
url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
|
||||
sha256 = "${sha256}";
|
||||
}) {};
|
||||
pkgs.fetchFromGitHub {
|
||||
owner = "nixos";
|
||||
repo = "nixpkgs";
|
||||
rev = "${rev}";
|
||||
sha256 = "${sha256}";
|
||||
}
|
||||
''; }) else {
|
||||
git.ref = lib.mkForce npkgs.rev;
|
||||
});
|
||||
}
|
@ -1,51 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/mail/internet-gateway.nix>
|
||||
<stockholm/lass/2configs/binary-cache/server.nix>
|
||||
<stockholm/lass/2configs/matrix.nix>
|
||||
<stockholm/lass/2configs/gsm-wiki.nix>
|
||||
|
||||
# sync-containers
|
||||
<stockholm/lass/2configs/consul.nix>
|
||||
<stockholm/lass/2configs/services/flix/container-host.nix>
|
||||
<stockholm/lass/2configs/services/radio/container-host.nix>
|
||||
<stockholm/lass/2configs/ubik-host.nix>
|
||||
<stockholm/lass/2configs/orange-host.nix>
|
||||
<stockholm/krebs/2configs/hotdog-host.nix>
|
||||
|
||||
# other containers
|
||||
<stockholm/lass/2configs/riot.nix>
|
||||
|
||||
# proxying of services
|
||||
<stockholm/lass/2configs/services/radio/proxy.nix>
|
||||
<stockholm/lass/2configs/services/flix/proxy.nix>
|
||||
<stockholm/lass/2configs/services/coms/proxy.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.neoprism;
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = "acme@lassul.us";
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedTlsSettings = true;
|
||||
|
||||
enableReload = true;
|
||||
|
||||
virtualHosts.default = {
|
||||
default = true;
|
||||
locations."= /etc/os-release".extraConfig = ''
|
||||
default_type text/plain;
|
||||
alias /etc/os-release;
|
||||
'';
|
||||
locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
|
||||
};
|
||||
};
|
||||
}
|
@ -1,118 +0,0 @@
|
||||
{ lib, ... }:
|
||||
{
|
||||
disk = (lib.genAttrs [ "/dev/nvme0n1" "/dev/nvme1n1" ] (disk: {
|
||||
type = "disk";
|
||||
device = disk;
|
||||
content = {
|
||||
type = "gpt";
|
||||
partitions = {
|
||||
boot = {
|
||||
size = "1M";
|
||||
type = "EF02";
|
||||
};
|
||||
ESP = {
|
||||
size = "1G";
|
||||
content = {
|
||||
type = "mdraid";
|
||||
name = "boot";
|
||||
};
|
||||
};
|
||||
zfs = {
|
||||
size = "100%";
|
||||
content = {
|
||||
type = "zfs";
|
||||
pool = "zroot";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
})) // {
|
||||
hdd1 = {
|
||||
type = "disk";
|
||||
device = "/dev/sda";
|
||||
content = {
|
||||
type = "zfs";
|
||||
pool = "tank";
|
||||
};
|
||||
};
|
||||
};
|
||||
mdadm = {
|
||||
boot = {
|
||||
type = "mdadm";
|
||||
level = 1;
|
||||
metadata = "1.0";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot";
|
||||
};
|
||||
};
|
||||
};
|
||||
zpool = {
|
||||
zroot = {
|
||||
type = "zpool";
|
||||
mode = "mirror";
|
||||
mountpoint = "/";
|
||||
rootFsOptions = {
|
||||
};
|
||||
datasets.reserved = {
|
||||
type = "zfs_fs";
|
||||
options.refreservation = "1G";
|
||||
};
|
||||
};
|
||||
tank = {
|
||||
type = "zpool";
|
||||
datasets = {
|
||||
reserved = {
|
||||
type = "zfs_fs";
|
||||
options.refreservation = "1G";
|
||||
};
|
||||
containers = {
|
||||
type = "zfs_fs";
|
||||
mountpoint = "/var/lib/containers";
|
||||
options = {
|
||||
canmount = "noauto";
|
||||
};
|
||||
};
|
||||
home = {
|
||||
type = "zfs_fs";
|
||||
mountpoint = "/home";
|
||||
options = {
|
||||
canmount = "noauto";
|
||||
};
|
||||
};
|
||||
srv = {
|
||||
type = "zfs_fs";
|
||||
mountpoint = "/srv";
|
||||
options = {
|
||||
canmount = "noauto";
|
||||
};
|
||||
};
|
||||
libvirt = {
|
||||
type = "zfs_fs";
|
||||
mountpoint = "/var/lib/libvirt";
|
||||
options = {
|
||||
canmount = "noauto";
|
||||
};
|
||||
};
|
||||
# encrypted = {
|
||||
# type = "zfs_fs";
|
||||
# options = {
|
||||
# canmount = "noauto";
|
||||
# mountpoint = "none";
|
||||
# encryption = "aes-256-gcm";
|
||||
# keyformat = "passphrase";
|
||||
# keylocation = "prompt";
|
||||
# };
|
||||
# };
|
||||
# "encrypted/download" = {
|
||||
# type = "zfs_fs";
|
||||
# mountpoint = "/var/download";
|
||||
# options = {
|
||||
# canmount = "noauto";
|
||||
# };
|
||||
# };
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
@ -1,76 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
|
||||
imports = [
|
||||
./config.nix
|
||||
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||
];
|
||||
|
||||
disko.devices = import ./disk.nix;
|
||||
networking.hostId = "9c0a74ac";
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.efiSupport = true;
|
||||
boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
|
||||
# networking config
|
||||
networking.useNetworkd = true;
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
config = {
|
||||
networkConfig.SpeedMeter = true;
|
||||
};
|
||||
# netdevs.ext-br.netdevConfig = {
|
||||
# Kind = "bridge";
|
||||
# Name = "ext-br";
|
||||
# MACAddress = "a8:a1:59:0f:2d:69";
|
||||
# };
|
||||
# networks.ext-br = {
|
||||
# name = "ext-br";
|
||||
# address = [
|
||||
# "95.217.192.59/26"
|
||||
# "2a01:4f9:4a:4f1a::1/64"
|
||||
# ];
|
||||
# gateway = [
|
||||
# "95.217.192.1"
|
||||
# "fe80::1"
|
||||
# ];
|
||||
# };
|
||||
networks.eth0 = {
|
||||
#bridge = [ "ext-br" ];
|
||||
matchConfig.Name = "eth0";
|
||||
address = [
|
||||
"95.217.192.59/26"
|
||||
"2a01:4f9:4a:4f1a::1/64"
|
||||
];
|
||||
gateway = [
|
||||
"95.217.192.1"
|
||||
"fe80::1"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
networking.useDHCP = false;
|
||||
boot.initrd.network = {
|
||||
enable = true;
|
||||
ssh = {
|
||||
enable = true;
|
||||
authorizedKeys = [ config.krebs.users.lass.pubkey ];
|
||||
port = 2222;
|
||||
hostKeys = [
|
||||
(toString <secrets/ssh.id_ed25519>)
|
||||
(toString <secrets/ssh.id_rsa>)
|
||||
];
|
||||
};
|
||||
};
|
||||
boot.kernelParams = [
|
||||
"net.ifnames=0"
|
||||
"ip=dhcp"
|
||||
"boot.trace"
|
||||
];
|
||||
}
|
@ -1,25 +0,0 @@
|
||||
with import <stockholm/lib>;
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
<stockholm/lass/2configs>
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/mumble-reminder.nix>
|
||||
<stockholm/lass/2configs/services/git>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.orange;
|
||||
|
||||
services.nginx.enable = true;
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "acme@lassul.us";
|
||||
};
|
||||
|
||||
krebs.sync-containers3.inContainer = {
|
||||
enable = true;
|
||||
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWzKuXrwQopBc1mzb2VpljmwAs7Y8bRl9a8hBXLC+l";
|
||||
};
|
||||
}
|
@ -1,7 +0,0 @@
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
];
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = true;
|
||||
}
|
@ -1,488 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
with import <stockholm/lib>;
|
||||
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/libvirt.nix>
|
||||
<stockholm/lass/2configs/tv.nix>
|
||||
<stockholm/lass/2configs/websites/lassulus.nix>
|
||||
<stockholm/lass/2configs/telegraf.nix>
|
||||
{
|
||||
services.nginx.enable = true;
|
||||
imports = [
|
||||
<stockholm/lass/2configs/websites/domsen.nix>
|
||||
];
|
||||
# needed by domsen.nix ^^
|
||||
lass.usershadow = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
{ predicate = "-p tcp --dport http"; target = "ACCEPT"; }
|
||||
{ predicate = "-p tcp --dport https"; target = "ACCEPT"; }
|
||||
];
|
||||
}
|
||||
{ # TODO make new hfos.nix out of this vv
|
||||
users.users.riot = {
|
||||
uid = genid_uint31 "riot";
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "libvirtd" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
|
||||
];
|
||||
};
|
||||
krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
|
||||
{ v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
|
||||
{ v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
|
||||
];
|
||||
}
|
||||
{
|
||||
users.users.tv = {
|
||||
uid = genid_uint31 "tv";
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.tv.pubkey
|
||||
];
|
||||
};
|
||||
users.users.makefu = {
|
||||
uid = genid_uint31 "makefu";
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.makefu.pubkey
|
||||
];
|
||||
};
|
||||
users.extraUsers.dritter = {
|
||||
uid = genid_uint31 "dritter";
|
||||
isNormalUser = true;
|
||||
extraGroups = [
|
||||
"download"
|
||||
];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway"
|
||||
];
|
||||
};
|
||||
users.extraUsers.juhulian = {
|
||||
uid = 1339;
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian"
|
||||
];
|
||||
};
|
||||
users.users.hellrazor = {
|
||||
uid = genid_uint31 "hellrazor";
|
||||
isNormalUser = true;
|
||||
extraGroups = [
|
||||
"download"
|
||||
];
|
||||
openssh.authorizedKeys.keys = [ "ssh-rsa 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" ];
|
||||
};
|
||||
}
|
||||
{
|
||||
#hotdog
|
||||
systemd.services."container@hotdog".reloadIfChanged = mkForce false;
|
||||
containers.hotdog = {
|
||||
config = { ... }: {
|
||||
environment.systemPackages = [ pkgs.git ];
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.lass.pubkey
|
||||
];
|
||||
};
|
||||
autoStart = false;
|
||||
enableTun = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "10.233.2.1";
|
||||
localAddress = "10.233.2.2";
|
||||
};
|
||||
}
|
||||
{
|
||||
services.nginx.virtualHosts."radio.lassul.us" = {
|
||||
enableACME = true;
|
||||
addSSL = true;
|
||||
locations."/" = {
|
||||
# recommendedProxySettings = true;
|
||||
proxyWebsockets = true;
|
||||
proxyPass = "http://radio.r";
|
||||
extraConfig = ''
|
||||
proxy_set_header Host radio.r;
|
||||
# get source ip for weather reports
|
||||
proxy_set_header user-agent "$http_user_agent; client-ip=$remote_addr";
|
||||
'';
|
||||
};
|
||||
};
|
||||
krebs.htgen.radio-redirect = {
|
||||
port = 8000;
|
||||
scriptFile = pkgs.writers.writeDash "redir" ''
|
||||
printf 'HTTP/1.1 301 Moved Permanently\r\n'
|
||||
printf "Location: http://radio.lassul.us''${Request_URI}\r\n"
|
||||
printf '\r\n'
|
||||
'';
|
||||
};
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
{ predicate = "-p tcp --dport 8000"; target = "ACCEPT"; }
|
||||
];
|
||||
}
|
||||
<stockholm/lass/2configs/exim-smarthost.nix>
|
||||
<stockholm/lass/2configs/privoxy-retiolum.nix>
|
||||
<stockholm/lass/2configs/binary-cache/server.nix>
|
||||
<stockholm/lass/2configs/binary-cache/proxy.nix>
|
||||
<stockholm/lass/2configs/iodined.nix>
|
||||
<stockholm/lass/2configs/paste.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/green-host.nix>
|
||||
<stockholm/lass/2configs/reaktor-coders.nix>
|
||||
<stockholm/lass/2configs/ciko.nix>
|
||||
<stockholm/lass/2configs/container-networking.nix>
|
||||
<stockholm/lass/2configs/services/coms/jitsi.nix>
|
||||
<stockholm/lass/2configs/fysiirc.nix>
|
||||
<stockholm/lass/2configs/bgt-bot>
|
||||
<stockholm/lass/2configs/matrix.nix>
|
||||
<stockholm/krebs/2configs/mastodon-proxy.nix>
|
||||
{
|
||||
services.tor = {
|
||||
enable = true;
|
||||
};
|
||||
}
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass/2configs/realwallpaper.nix>
|
||||
];
|
||||
services.nginx.virtualHosts."lassul.us".locations = {
|
||||
"= /wallpaper-marker.png".extraConfig = ''
|
||||
alias /var/realwallpaper/realwallpaper-marker.png;
|
||||
'';
|
||||
"= /wallpaper.png".extraConfig = ''
|
||||
alias /var/realwallpaper/realwallpaper.png;
|
||||
'';
|
||||
};
|
||||
}
|
||||
{
|
||||
users.users.jeschli = {
|
||||
uid = genid_uint31 "jeschli";
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = with config.krebs.users; [
|
||||
jeschli.pubkey
|
||||
jeschli-bln.pubkey
|
||||
jeschli-bolide.pubkey
|
||||
jeschli-brauerei.pubkey
|
||||
];
|
||||
};
|
||||
krebs.git.rules = [
|
||||
{
|
||||
user = with config.krebs.users; [
|
||||
jeschli
|
||||
jeschli-bln
|
||||
jeschli-bolide
|
||||
jeschli-brauerei
|
||||
];
|
||||
repo = [ config.krebs.git.repos.xmonad-stockholm ];
|
||||
perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ];
|
||||
}
|
||||
{
|
||||
user = with config.krebs.users; [
|
||||
jeschli
|
||||
jeschli-bln
|
||||
jeschli-bolide
|
||||
jeschli-brauerei
|
||||
];
|
||||
repo = [ config.krebs.git.repos.stockholm ];
|
||||
perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ];
|
||||
}
|
||||
];
|
||||
}
|
||||
{
|
||||
krebs.repo-sync.repos.stockholm.timerConfig = {
|
||||
OnBootSec = "5min";
|
||||
OnUnitInactiveSec = "2min";
|
||||
RandomizedDelaySec = "2min";
|
||||
};
|
||||
}
|
||||
<stockholm/lass/2configs/minecraft.nix>
|
||||
<stockholm/lass/2configs/codimd.nix>
|
||||
<stockholm/lass/2configs/searx.nix>
|
||||
{
|
||||
services.taskserver = {
|
||||
enable = true;
|
||||
fqdn = "lassul.us";
|
||||
listenHost = "::";
|
||||
listenPort = 53589;
|
||||
organisations.lass.users = [ "lass" "android" ];
|
||||
};
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
{ predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
|
||||
];
|
||||
}
|
||||
<stockholm/lass/2configs/go.nix>
|
||||
{
|
||||
environment.systemPackages = [ pkgs.cryptsetup ];
|
||||
systemd.services."container@red".reloadIfChanged = mkForce false;
|
||||
containers.red = {
|
||||
config = { ... }: {
|
||||
environment.systemPackages = [ pkgs.git ];
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.lass.pubkey
|
||||
];
|
||||
};
|
||||
autoStart = false;
|
||||
enableTun = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "10.233.2.3";
|
||||
localAddress = "10.233.2.4";
|
||||
};
|
||||
}
|
||||
{
|
||||
users.users.download.openssh.authorizedKeys.keys = [
|
||||
];
|
||||
}
|
||||
{
|
||||
lass.nichtparasoup.enable = true;
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."lol.lassul.us" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://localhost:5001;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass/2configs/wiregrill.nix>
|
||||
];
|
||||
krebs.iptables.tables.nat.PREROUTING.rules = mkOrder 999 [
|
||||
{ v6 = false; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
|
||||
{ v4 = false; predicate = "-s 42:1::/32"; target = "ACCEPT"; }
|
||||
];
|
||||
krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
|
||||
{ predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
|
||||
{ predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
|
||||
];
|
||||
krebs.iptables.tables.nat.POSTROUTING.rules = [
|
||||
{ v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; }
|
||||
{ v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
|
||||
];
|
||||
services.dnsmasq = {
|
||||
enable = true;
|
||||
resolveLocalQueries = false;
|
||||
|
||||
extraConfig= ''
|
||||
listen-address=42:1:ce16::1,10.244.1.103
|
||||
except-interface=lo
|
||||
interface=wiregrill
|
||||
'';
|
||||
};
|
||||
}
|
||||
{
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
{ predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; }
|
||||
];
|
||||
}
|
||||
<stockholm/lass/2configs/services/coms/murmur.nix>
|
||||
<stockholm/lass/2configs/docker.nix>
|
||||
{
|
||||
systemd.services."container@yellow".reloadIfChanged = mkForce false;
|
||||
containers.yellow = {
|
||||
config = { ... }: {
|
||||
environment.systemPackages = [ pkgs.git ];
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.lass.pubkey
|
||||
];
|
||||
};
|
||||
autoStart = false;
|
||||
enableTun = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "10.233.2.13";
|
||||
localAddress = "10.233.2.14";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."jelly.r" = {
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://10.233.2.14:8096/;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."flix.r" = {
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://10.233.2.14:80/;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."lassul.us" = {
|
||||
locations."^~ /flix/".extraConfig = ''
|
||||
if ($scheme != "https") {
|
||||
rewrite ^ https://$host$request_uri permanent;
|
||||
}
|
||||
auth_basic "Restricted Content";
|
||||
auth_basic_user_file ${pkgs.writeText "flix-user-pass" ''
|
||||
krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0
|
||||
''};
|
||||
proxy_pass http://10.233.2.14:80/;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
sub_filter "https://lassul.us/" "https://lassul.us/flix/";
|
||||
sub_filter_once off;
|
||||
'';
|
||||
locations."^~ /chatty/".extraConfig = ''
|
||||
rewrite ^ https://$host/flix/$request_uri permanent;
|
||||
'';
|
||||
#locations."^~ /transmission".return = "301 https://$host/transmission/web/";
|
||||
locations."^~ /transmission/".extraConfig = ''
|
||||
if ($scheme != "https") {
|
||||
rewrite ^ https://$host$request_uri permanent;
|
||||
}
|
||||
auth_basic "Restricted Content";
|
||||
auth_basic_user_file ${pkgs.writeText "transmission-user-pass" ''
|
||||
krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0
|
||||
''};
|
||||
proxy_pass_header X-Transmission-Session-Id;
|
||||
proxy_pass http://10.233.2.14:9091;
|
||||
'';
|
||||
};
|
||||
|
||||
users.groups.download = {};
|
||||
users.users = {
|
||||
download = {
|
||||
createHome = true;
|
||||
group = "download";
|
||||
name = "download";
|
||||
home = "/var/download";
|
||||
useDefaultShell = true;
|
||||
uid = genid "download";
|
||||
isSystemUser = true;
|
||||
openssh.authorizedKeys.keys = with config.krebs.users; [
|
||||
lass.pubkey
|
||||
lass-android.pubkey
|
||||
makefu.pubkey
|
||||
palo.pubkey
|
||||
"ssh-rsa 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 lhebendanz@nixos"
|
||||
"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 philip@shiki11:15 <Profpatsch> 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 philip@shiki"
|
||||
mic92.pubkey
|
||||
qubasa.pubkey
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
system.activationScripts.downloadFolder = ''
|
||||
mkdir -p /var/download
|
||||
chmod 775 /var/download
|
||||
ln -fnsT /var/lib/containers/yellow/var/download/finished /var/download/finished || :
|
||||
chown download: /var/download/finished
|
||||
'';
|
||||
|
||||
fileSystems."/export/download" = {
|
||||
device = "/var/lib/containers/yellow/var/download/finished";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
services.nfs.server = {
|
||||
enable = true;
|
||||
exports = ''
|
||||
/export 42::/16(insecure,ro,crossmnt)
|
||||
'';
|
||||
lockdPort = 4001;
|
||||
mountdPort = 4002;
|
||||
statdPort = 4000;
|
||||
};
|
||||
|
||||
services.samba = {
|
||||
enable = true;
|
||||
enableNmbd = false;
|
||||
extraConfig = ''
|
||||
workgroup = WORKGROUP
|
||||
netbios name = PRISM
|
||||
server string = ${config.networking.hostName}
|
||||
# only allow retiolum addresses
|
||||
hosts allow = 42::/16 10.243.0.0/16
|
||||
|
||||
# Use sendfile() for performance gain
|
||||
use sendfile = true
|
||||
|
||||
# No NetBIOS is needed
|
||||
disable netbios = true
|
||||
|
||||
# Only mangle non-valid NTFS names, don't care about DOS support
|
||||
mangled names = illegal
|
||||
|
||||
# Performance optimizations
|
||||
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
|
||||
|
||||
# Disable all printing
|
||||
load printers = false
|
||||
disable spoolss = true
|
||||
printcap name = /dev/null
|
||||
|
||||
map to guest = Bad User
|
||||
max log size = 50
|
||||
dns proxy = no
|
||||
security = user
|
||||
|
||||
[global]
|
||||
syslog only = yes
|
||||
'';
|
||||
shares.public = {
|
||||
comment = "Warez";
|
||||
path = "/export";
|
||||
public = "yes";
|
||||
"only guest" = "yes";
|
||||
"create mask" = "0644";
|
||||
"directory mask" = "2777";
|
||||
writable = "no";
|
||||
printable = "no";
|
||||
};
|
||||
};
|
||||
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
# smbd
|
||||
{ predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; }
|
||||
|
||||
{ predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; }
|
||||
{ predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; }
|
||||
{ predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; }
|
||||
{ predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; }
|
||||
{ predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; }
|
||||
{ predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; }
|
||||
{ predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; }
|
||||
{ predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; }
|
||||
{ predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; }
|
||||
{ predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; }
|
||||
{ predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; }
|
||||
{ predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; }
|
||||
];
|
||||
}
|
||||
{
|
||||
users.users.shannan = {
|
||||
uid = genid_uint31 "shannan";
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.shannan.pubkey
|
||||
];
|
||||
};
|
||||
}
|
||||
{
|
||||
nix.trustedUsers = [ "mic92" ];
|
||||
users.users.mic92 = {
|
||||
uid = genid_uint31 "mic92";
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.mic92.pubkey
|
||||
];
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.prism;
|
||||
services.earlyoom = {
|
||||
enable = true;
|
||||
freeMemThreshold = 5;
|
||||
};
|
||||
|
||||
# prism rsa hack
|
||||
services.openssh.hostKeys = [{
|
||||
path = toString <secrets> + "ssh.id_rsa";
|
||||
type = "rsa";
|
||||
}];
|
||||
}
|
@ -1,111 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
|
||||
imports = [
|
||||
./config.nix
|
||||
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "rpool/root/nixos";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/d155d6ff-8e89-4876-a9e7-d1b7ba6a4804";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/backups" = {
|
||||
device = "tank/backups";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/srv/http" = {
|
||||
device = "tank/srv-http";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/download" = {
|
||||
device = "tank/download";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/containers" = {
|
||||
device = "tank/containers";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/home" = {
|
||||
device = "tank/home";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/nextcloud" = {
|
||||
device = "tank/nextcloud";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/libvirt" = {
|
||||
device = "tank/libvirt";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/realwallpaper/archive" = {
|
||||
device = "tank/wallpaper";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/home/xanf" = {
|
||||
device = "/dev/disk/by-id/wwn-0x500a07511becb076";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
# silence mdmonitor.service failures
|
||||
# https://github.com/NixOS/nixpkgs/issues/72394
|
||||
environment.etc."mdadm.conf".text = ''
|
||||
MAILADDR root
|
||||
'';
|
||||
|
||||
nix.maxJobs = lib.mkDefault 8;
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
|
||||
|
||||
# we don't pay for power there and this might solve a problem we observed at least once
|
||||
# https://www.thomas-krenn.com/de/wiki/PCIe_Bus_Error_Status_00001100_beheben
|
||||
boot.kernelParams = [ "pcie_aspm=off" "net.ifnames=0" ];
|
||||
networking.dhcpcd.enable = false;
|
||||
|
||||
|
||||
networking.useNetworkd = lib.mkForce false;
|
||||
systemd.network.enable = lib.mkForce false;
|
||||
# bridge config
|
||||
networking.bridges."ext-br".interfaces = [ "eth0" ];
|
||||
networking = {
|
||||
hostId = "2283aaae";
|
||||
defaultGateway = "95.216.1.129";
|
||||
defaultGateway6 = { address = "fe80::1"; interface = "ext-br"; };
|
||||
# Use google's public DNS server
|
||||
nameservers = [ "8.8.8.8" ];
|
||||
interfaces.ext-br.ipv4.addresses = [
|
||||
{
|
||||
address = "95.216.1.150";
|
||||
prefixLength = 26;
|
||||
}
|
||||
];
|
||||
interfaces.ext-br.ipv6.addresses = [
|
||||
{
|
||||
address = "2a01:4f9:2a:1e9::1";
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
}
|
@ -1,24 +0,0 @@
|
||||
with import <stockholm/lib>;
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
<stockholm/lass/2configs>
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/services/radio>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.radio;
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "acme@lassul.us";
|
||||
};
|
||||
|
||||
krebs.sync-containers3.inContainer = {
|
||||
enable = true;
|
||||
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvPKdbVwMEFCDMyNAzR8NdVjTbQL2G+03Xomxn6KKFt";
|
||||
};
|
||||
}
|
@ -1,7 +0,0 @@
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
];
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = true;
|
||||
}
|
@ -1,6 +0,0 @@
|
||||
{ lib, pkgs, test, ... }: let
|
||||
npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
|
||||
in if test then {} else {
|
||||
nixpkgs.git.ref = lib.mkForce npkgs.rev;
|
||||
nixpkgs-unstable = lib.mkForce { file = "/var/empty"; };
|
||||
}
|
@ -1,30 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
|
||||
<stockholm/lass/2configs/mouse.nix>
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/baseX.nix>
|
||||
<stockholm/lass/2configs/pipewire.nix>
|
||||
<stockholm/lass/2configs/exim-retiolum.nix>
|
||||
<stockholm/lass/2configs/browsers.nix>
|
||||
<stockholm/lass/2configs/programs.nix>
|
||||
<stockholm/lass/2configs/wine.nix>
|
||||
<stockholm/lass/2configs/bitcoin.nix>
|
||||
<stockholm/lass/2configs/blue-host.nix>
|
||||
<stockholm/lass/2configs/green-host.nix>
|
||||
<stockholm/krebs/2configs/news-host.nix>
|
||||
<stockholm/lass/2configs/yellow-mounts/samba.nix>
|
||||
<stockholm/lass/2configs/fetchWallpaper.nix>
|
||||
<stockholm/lass/2configs/consul.nix>
|
||||
<stockholm/lass/2configs/red-host.nix>
|
||||
<stockholm/lass/2configs/snapclient.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.shodan;
|
||||
|
||||
services.logind.lidSwitch = "ignore";
|
||||
services.logind.lidSwitchDocked = "ignore";
|
||||
}
|
@ -1,45 +0,0 @@
|
||||
{
|
||||
#TODO reinstall with correct layout and use lass/hw/x220
|
||||
imports = [
|
||||
./config.nix
|
||||
<stockholm/krebs/2configs/hw/x220.nix>
|
||||
];
|
||||
|
||||
boot = {
|
||||
loader.grub.enable = true;
|
||||
loader.grub.version = 2;
|
||||
loader.grub.device = "/dev/sda";
|
||||
|
||||
initrd.luks.devices.lusksroot.device = "/dev/sda2";
|
||||
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
|
||||
};
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "/dev/pool/nix";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
"/boot" = {
|
||||
device = "/dev/sda1";
|
||||
};
|
||||
"/home" = {
|
||||
device = "/dev/mapper/pool-home";
|
||||
fsType = "btrfs";
|
||||
options = ["defaults" "noatime" "ssd" "compress=lzo"];
|
||||
};
|
||||
"/bku" = {
|
||||
device = "/dev/pool/bku";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
"/backups" = {
|
||||
device = "/dev/pool/backup";
|
||||
fsType = "ext4";
|
||||
};
|
||||
};
|
||||
|
||||
services.udev.extraRules = ''
|
||||
SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0"
|
||||
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
|
||||
SUBSYSTEM=="net", ATTR{address}=="00:e0:4c:69:ea:71", NAME="int0"
|
||||
'';
|
||||
}
|
@ -1,41 +0,0 @@
|
||||
{ config, pkgs, ... }:
|
||||
with import <stockholm/lib>;
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/blue-host.nix>
|
||||
<stockholm/lass/2configs/green-host.nix>
|
||||
<stockholm/lass/2configs/power-action.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
{
|
||||
services.xserver.enable = true;
|
||||
services.xserver.desktopManager.xfce.enable = true;
|
||||
|
||||
users.users.discordius = {
|
||||
uid = genid "diskordius";
|
||||
isNormalUser = true;
|
||||
extraGroups = [
|
||||
"audio"
|
||||
"networkmanager"
|
||||
];
|
||||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
google-chrome
|
||||
];
|
||||
hardware.pulseaudio = {
|
||||
enable = true;
|
||||
systemWide = true;
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.skynet;
|
||||
|
||||
networking.wireless.enable = false;
|
||||
networking.networkmanager.enable = true;
|
||||
|
||||
services.logind.lidSwitch = "ignore";
|
||||
services.logind.lidSwitchDocked = "ignore";
|
||||
}
|
@ -1,29 +0,0 @@
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
<stockholm/krebs/2configs/hw/x220.nix>
|
||||
];
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.efiSupport = true;
|
||||
boot.loader.grub.efiInstallAsRemovable = true;
|
||||
boot.loader.grub.device = "nodev";
|
||||
|
||||
networking.hostId = "06442b9a";
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "rpool/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/0876-B308";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
services.udev.extraRules = ''
|
||||
SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0"
|
||||
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0"
|
||||
'';
|
||||
}
|
@ -1,116 +0,0 @@
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
with import <stockholm/lib>;
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
|
||||
<stockholm/lass/2configs/mouse.nix>
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/baseX.nix>
|
||||
<stockholm/lass/2configs/pipewire.nix>
|
||||
<stockholm/lass/2configs/exim-retiolum.nix>
|
||||
<stockholm/lass/2configs/browsers.nix>
|
||||
<stockholm/lass/2configs/programs.nix>
|
||||
<stockholm/lass/2configs/nfs-dl.nix>
|
||||
<stockholm/lass/2configs/yellow-mounts/samba.nix>
|
||||
<stockholm/lass/2configs/gg23.nix>
|
||||
<stockholm/lass/2configs/hass>
|
||||
<stockholm/lass/2configs/green-host.nix>
|
||||
<stockholm/krebs/2configs/news-host.nix>
|
||||
# <stockholm/lass/2configs/br.nix>
|
||||
<stockholm/lass/2configs/fetchWallpaper.nix>
|
||||
<stockholm/lass/2configs/home-media.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/sync/sync.nix>
|
||||
# <stockholm/lass/2configs/idc.nix>
|
||||
<stockholm/lass/2configs/ppp/umts-stick.nix>
|
||||
<stockholm/lass/2configs/snapserver.nix>
|
||||
<stockholm/lass/2configs/snapclient.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.styx;
|
||||
|
||||
networking.firewall.interfaces.int0.allowedTCPPorts = [ config.services.smokeping.port ];
|
||||
networking.firewall.interfaces.retiolum.allowedTCPPorts = [ config.services.smokeping.port ];
|
||||
networking.firewall.interfaces.wiregrill.allowedTCPPorts = [ config.services.smokeping.port ];
|
||||
krebs.power-action.enable = mkForce false;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
wol
|
||||
(writeDashBin "wake-alien" ''
|
||||
${wol}/bin/wol -h 10.42.0.255 10:65:30:68:83:a3
|
||||
'')
|
||||
(writers.writeDashBin "iptv" ''
|
||||
set -efu
|
||||
/run/current-system/sw/bin/mpv \
|
||||
--audio-display=no --audio-channels=stereo \
|
||||
--audio-samplerate=48000 --audio-format=s16 \
|
||||
--ao-pcm-file=/run/snapserver/snapfifo --ao=pcm \
|
||||
--audio-delay=-1 \
|
||||
--playlist=https://iptv-org.github.io/iptv/index.nsfw.m3u \
|
||||
--idle=yes \
|
||||
--input-ipc-server=/tmp/mpv.ipc \
|
||||
"$@"
|
||||
'')
|
||||
];
|
||||
|
||||
users.users.mainUser.openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.lass-android.pubkey
|
||||
];
|
||||
# http://10.42.0.1:8081/smokeping.fcgi
|
||||
services.smokeping = {
|
||||
enable = true;
|
||||
host = null;
|
||||
targetConfig = ''
|
||||
probe = FPing
|
||||
menu = top
|
||||
title = top
|
||||
|
||||
+ Local
|
||||
menu = Local
|
||||
title = Local Network
|
||||
++ LocalMachine
|
||||
menu = Local Machine
|
||||
title = This host
|
||||
host = localhost
|
||||
|
||||
+ Internet
|
||||
menu = internet
|
||||
title = internet
|
||||
|
||||
++ CloudflareDNS
|
||||
menu = Cloudflare DNS
|
||||
title = Cloudflare DNS server
|
||||
host = 1.1.1.1
|
||||
|
||||
++ GoogleDNS
|
||||
menu = Google DNS
|
||||
title = Google DNS server
|
||||
host = 8.8.8.8
|
||||
|
||||
+ retiolum
|
||||
menu = retiolum
|
||||
title = retiolum
|
||||
|
||||
++ gum
|
||||
menu = gum.r
|
||||
title = gum.r
|
||||
host = gum.r
|
||||
|
||||
++ ni
|
||||
menu = ni.r
|
||||
title = ni.r
|
||||
host = ni.r
|
||||
|
||||
++ prism
|
||||
menu = prism.r
|
||||
title = prism.r
|
||||
host = prism.r
|
||||
'';
|
||||
};
|
||||
|
||||
# for usb internet
|
||||
hardware.usbWwan.enable = true;
|
||||
}
|
||||
|
@ -1,39 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.efiSupport = true;
|
||||
boot.loader.grub.device = "/dev/disk/by-id/ata-SanDisk_SSD_G5_BICS4_20248F446514";
|
||||
boot.loader.grub.efiInstallAsRemovable = true;
|
||||
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/ee5c9099-17fa-401e-852e-67cb4ae068f4";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/EAA5-88A9";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 4;
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
|
||||
services.udev.extraRules = ''
|
||||
SUBSYSTEM=="net", ATTR{address}=="3c:7c:3f:7e:e2:39", NAME="et0"
|
||||
SUBSYSTEM=="net", ATTR{address}=="00:e0:4c:78:91:50", NAME="int0"
|
||||
'';
|
||||
}
|
@ -1,276 +0,0 @@
|
||||
with import <stockholm/lib>;
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
<stockholm/lass/2configs>
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.ubik;
|
||||
|
||||
krebs.sync-containers3.inContainer = {
|
||||
enable = true;
|
||||
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBFGMjH0+Dco6DVFZbByENMci8CFTLXCL7j53yctPnM";
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "acme@lassul.us";
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
|
||||
# nextcloud
|
||||
services.nginx.virtualHosts."c.apanowicz.de" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
enableBrokenCiphersForSSE = false;
|
||||
hostName = "c.apanowicz.de";
|
||||
package = pkgs.nextcloud25;
|
||||
config.adminpassFile = "/run/nextcloud.pw";
|
||||
https = true;
|
||||
maxUploadSize = "9001M";
|
||||
};
|
||||
systemd.services.nextcloud-setup.serviceConfig.ExecStartPre = [
|
||||
"+${pkgs.writeDash "copy-pw" ''
|
||||
${pkgs.rsync}/bin/rsync \
|
||||
--chown nextcloud:nextcloud \
|
||||
--chmod 0700 \
|
||||
/var/src/secrets/nextcloud.pw /run/nextcloud.pw
|
||||
''}"
|
||||
];
|
||||
|
||||
# mail
|
||||
lass.usershadow.enable = true;
|
||||
services.nginx.virtualHosts."mail.ubikmedia.eu" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
services.roundcube = {
|
||||
enable = true;
|
||||
hostName = "mail.ubikmedia.eu";
|
||||
extraConfig = ''
|
||||
$config['smtp_debug'] = true;
|
||||
$config['smtp_host'] = "localhost:25";
|
||||
'';
|
||||
};
|
||||
services.dovecot2 = {
|
||||
enable = true;
|
||||
showPAMFailure = true;
|
||||
mailLocation = "maildir:~/Mail";
|
||||
sslServerCert = "/var/lib/acme/mail.ubikmedia.eu/fullchain.pem";
|
||||
sslServerKey = "/var/lib/acme/mail.ubikmedia.eu/key.pem";
|
||||
};
|
||||
krebs.exim-smarthost = {
|
||||
ssl_cert = "/var/lib/acme/mail.ubikmedia.eu/fullchain.pem";
|
||||
ssl_key = "/var/lib/acme/mail.ubikmedia.eu/key.pem";
|
||||
authenticators.PLAIN = ''
|
||||
driver = plaintext
|
||||
public_name = PLAIN
|
||||
server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
|
||||
'';
|
||||
authenticators.LOGIN = ''
|
||||
driver = plaintext
|
||||
public_name = LOGIN
|
||||
server_prompts = "Username:: : Password::"
|
||||
server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
|
||||
# server_condition = ''${run{/run/current-system/sw/bin/debug_exim ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
|
||||
'';
|
||||
internet-aliases = [
|
||||
{ from = "dma@ubikmedia.de"; to = "domsen"; }
|
||||
{ from = "dma@ubikmedia.eu"; to = "domsen"; }
|
||||
{ from = "hallo@apanowicz.de"; to = "domsen"; }
|
||||
{ from = "bruno@apanowicz.de"; to = "bruno"; }
|
||||
{ from = "mail@jla-trading.com"; to = "jla-trading"; }
|
||||
{ from = "jms@ubikmedia.eu"; to = "jms"; }
|
||||
{ from = "ms@ubikmedia.eu"; to = "ms"; }
|
||||
{ from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; }
|
||||
{ from = "kontakt@alewis.de"; to ="klabusterbeere"; }
|
||||
{ from = "hallo@jarugadesign.de"; to ="kasia"; }
|
||||
{ from = "noreply@beeshmooth.ch"; to ="besmooth@gmx.ch"; }
|
||||
|
||||
{ from = "testuser@ubikmedia.eu"; to = "testuser"; }
|
||||
];
|
||||
sender_domains = [
|
||||
"jla-trading.com"
|
||||
"ubikmedia.eu"
|
||||
"ubikmedia.de"
|
||||
"apanowicz.de"
|
||||
"alewis.de"
|
||||
"jarugadesign.de"
|
||||
"beesmooth.ch"
|
||||
"event-extra.de"
|
||||
];
|
||||
dkim = [
|
||||
{ domain = "ubikmedia.eu"; }
|
||||
{ domain = "apanowicz.de"; }
|
||||
{ domain = "beesmooth.ch"; }
|
||||
];
|
||||
};
|
||||
|
||||
# users
|
||||
users.users.UBIK-SFTP = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "UBIK-SFTP";
|
||||
home = "/home/UBIK-SFTP";
|
||||
useDefaultShell = true;
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.xanf = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "xanf";
|
||||
group = "xanf";
|
||||
home = "/home/xanf";
|
||||
useDefaultShell = true;
|
||||
createHome = false; # creathome forces permissions
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.domsen = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "domsen";
|
||||
description = "maintenance acc for domsen";
|
||||
home = "/home/domsen";
|
||||
useDefaultShell = true;
|
||||
extraGroups = [ "syncthing" "download" "xanf" ];
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.bruno = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "bruno";
|
||||
home = "/home/bruno";
|
||||
useDefaultShell = true;
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.jla-trading = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "jla-trading";
|
||||
home = "/home/jla-trading";
|
||||
useDefaultShell = true;
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.jms = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "jms";
|
||||
home = "/home/jms";
|
||||
useDefaultShell = true;
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.ms = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "ms";
|
||||
home = "/home/ms";
|
||||
useDefaultShell = true;
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.testuser = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "testuser";
|
||||
home = "/home/testuser";
|
||||
useDefaultShell = true;
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.bui = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "bui";
|
||||
home = "/home/bui";
|
||||
useDefaultShell = true;
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.klabusterbeere = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "klabusterbeere";
|
||||
home = "/home/klabusterbeere";
|
||||
useDefaultShell = true;
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.kasia = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "kasia";
|
||||
home = "/home/kasia";
|
||||
useDefaultShell = true;
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.XANF_TEAM = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "XANF_TEAM";
|
||||
group = "xanf";
|
||||
home = "/home/XANF_TEAM";
|
||||
useDefaultShell = true;
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.dif = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "dif";
|
||||
home = "/home/dif";
|
||||
useDefaultShell = true;
|
||||
extraGroups = [ "xanf" ];
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.lavafilms = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "lavafilms";
|
||||
home = "/home/lavafilms";
|
||||
useDefaultShell = true;
|
||||
extraGroups = [ "xanf" ];
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.movematchers = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "movematchers";
|
||||
home = "/home/movematchers";
|
||||
useDefaultShell = true;
|
||||
extraGroups = [ "xanf" ];
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.blackphoton = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "blackphoton";
|
||||
home = "/home/blackphoton";
|
||||
useDefaultShell = true;
|
||||
extraGroups = [ "xanf" ];
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.line = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "line";
|
||||
home = "/home/line";
|
||||
useDefaultShell = true;
|
||||
# extraGroups = [ "xanf" ];
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.avada = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "avada";
|
||||
home = "/home/avada";
|
||||
useDefaultShell = true;
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
users.users.familienrat = {
|
||||
uid = pkgs.stockholm.lib.genid_uint31 "familienrat";
|
||||
home = "/home/familienrat";
|
||||
useDefaultShell = true;
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
}
|
@ -1,7 +0,0 @@
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
];
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = true;
|
||||
}
|
@ -1,286 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
with import <stockholm/lib>;
|
||||
|
||||
let
|
||||
|
||||
icon = pkgs.writeText "icon" ''
|
||||
//
|
||||
//
|
||||
_ //
|
||||
.' . // '.
|
||||
'_ '_\/_' `_
|
||||
. . \\ . .
|
||||
.==. ` \\' .'
|
||||
.\| //bd\\ \,
|
||||
\_'`._\\__//_.'`.;
|
||||
`.__ __,' \\
|
||||
| | \\
|
||||
| | `
|
||||
| |
|
||||
| |
|
||||
|____|
|
||||
l42 ==' '==
|
||||
'';
|
||||
|
||||
messenger = pkgs.writeText "message" ''
|
||||
.
|
||||
| \/|
|
||||
(\ _ ) )|/|
|
||||
(/ _----. /.'.'
|
||||
.-._________.. .' @ _\ .'
|
||||
'.._______. '. / (_| .')
|
||||
'._____. / '-/ | _.'
|
||||
'.______ ( ) ) \
|
||||
'..____ '._ ) )
|
||||
.' __.--\ , , // ((
|
||||
'.' mrf| \/ (_.'(
|
||||
' \ .'
|
||||
\ (
|
||||
\ '.
|
||||
\ \ '.)
|
||||
'-'-'
|
||||
'';
|
||||
|
||||
waiting = pkgs.writeText "waiting" ''
|
||||
Z
|
||||
Z
|
||||
z
|
||||
z
|
||||
* '
|
||||
/ \
|
||||
/___\
|
||||
( - - )
|
||||
) L ( .--------------.
|
||||
__()(-)()__ | \ |
|
||||
.~~ )()()() ~. | . :
|
||||
/ )()() ` | `-.__________)
|
||||
| )() ~ | : :
|
||||
| ) | : |
|
||||
| _ | | [ ## :
|
||||
\ ~~-. | , oo_______.'
|
||||
`_ ( \) _____/~~~~ `--___
|
||||
| ~`-) ) `-. `--- ( - a:f -
|
||||
| '///` | `-.
|
||||
| | | | `-.
|
||||
| | | | `-.
|
||||
| | |\ |
|
||||
| | | \|
|
||||
`-. | | |
|
||||
`-| '
|
||||
'';
|
||||
|
||||
wizard = pkgs.writers.writeDash "wizard" ''
|
||||
cat ${icon}
|
||||
|
||||
echo -n '${''
|
||||
welcome to the computer wizard
|
||||
first we will check for internet connectivity
|
||||
|
||||
''}'
|
||||
|
||||
read -p '(press enter to continue...)' key
|
||||
until ping -c1 8.8.8.8; do
|
||||
${pkgs.nm-dmenu}/bin/nm-dmenu
|
||||
done
|
||||
|
||||
mode=$(echo -n '${''
|
||||
1. Help of the wizard
|
||||
2. Install NixOS
|
||||
3. I know what I need to do
|
||||
''}' | ${pkgs.fzf}/bin/fzf --reverse)
|
||||
case "$mode" in
|
||||
1*)
|
||||
echo 'mode_1' > /tmp/mode
|
||||
clear
|
||||
echo 'waiting for the messenger to reach the wizard'
|
||||
cat ${messenger}
|
||||
|
||||
# get pubkeys
|
||||
mkdir -p /root/.ssh/
|
||||
touch /root/.ssh/authorized_keys
|
||||
curl -Ss 'https://lassul.us/mors.pub' >> /root/.ssh/authorized_keys
|
||||
curl -Ss 'https://lassul.us/blue.pub' >> /root/.ssh/authorized_keys
|
||||
curl -Ss 'https://lassul.us/yubi.pub' >> /root/.ssh/authorized_keys
|
||||
|
||||
# write via irc
|
||||
systemctl start hidden-ssh-announce.service
|
||||
tmux new-session -s help ${pkgs.writers.writeDash "waiting" ''
|
||||
cat ${waiting}
|
||||
read -p 'waiting for the wizard to wake up' key
|
||||
${pkgs.bashInteractive}/bin/bash
|
||||
''}
|
||||
;;
|
||||
2*)
|
||||
echo 'mode_2' > /tmp/mode
|
||||
${pkgs.nixos-installer}/bin/nixos-installer
|
||||
;;
|
||||
3*)
|
||||
echo 'mode_3' > /tmp/mode
|
||||
;;
|
||||
*)
|
||||
echo 'no mode selected'
|
||||
;;
|
||||
esac
|
||||
'';
|
||||
|
||||
in {
|
||||
imports = [
|
||||
<stockholm/krebs>
|
||||
<stockholm/lass/3modules>
|
||||
<stockholm/lass/2configs/vim.nix>
|
||||
# <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-base.nix>
|
||||
{
|
||||
nixpkgs.config.packageOverrides = import <stockholm/lass/5pkgs> pkgs;
|
||||
krebs.enable = true;
|
||||
krebs.build.user = config.krebs.users.lass;
|
||||
krebs.build.host = {};
|
||||
}
|
||||
# {
|
||||
# systemd.services.wizard = {
|
||||
# description = "Computer Wizard";
|
||||
# wantedBy = [ "multi-user.target" ];
|
||||
# serviceConfig = {
|
||||
# ExecStart = pkgs.writers.writeDash "wizard" ''
|
||||
# set -efu
|
||||
# cat <<EOF
|
||||
# welcome to the computer wizard
|
||||
# you can choose between the following modes
|
||||
# echo -n '1\n2\n3' | ${pkgs.fzf}/bin/fzf
|
||||
# EOF
|
||||
# '';
|
||||
# StandardInput = "tty";
|
||||
# StandardOutput = "tty";
|
||||
# # TTYPath = "/dev/tty1";
|
||||
# TTYPath = "/dev/ttyS0";
|
||||
# TTYReset = true;
|
||||
# TTYVTDisallocate = true;
|
||||
# Restart = "always";
|
||||
# };
|
||||
# };
|
||||
# }
|
||||
];
|
||||
|
||||
networking.hostName = "wizard";
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
# users.extraUsers = {
|
||||
# root = {
|
||||
# openssh.authorizedKeys.keys = [
|
||||
# config.krebs.users.lass.pubkey
|
||||
# config.krebs.users.lass-mors.pubkey
|
||||
# ];
|
||||
# };
|
||||
# };
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
#stockholm
|
||||
git
|
||||
gnumake
|
||||
jq
|
||||
parallel
|
||||
proot
|
||||
populate
|
||||
|
||||
#style
|
||||
most
|
||||
rxvt_unicode.terminfo
|
||||
|
||||
#monitoring tools
|
||||
htop
|
||||
iotop
|
||||
|
||||
#network
|
||||
iptables
|
||||
iftop
|
||||
|
||||
#stuff for dl
|
||||
aria2
|
||||
|
||||
#neat utils
|
||||
chntpw
|
||||
hashPassword
|
||||
krebspaste
|
||||
pciutils
|
||||
psmisc
|
||||
tmux
|
||||
usbutils
|
||||
|
||||
#unpack stuff
|
||||
p7zip
|
||||
unzip
|
||||
unrar
|
||||
|
||||
#data recovery
|
||||
ddrescue
|
||||
ntfs3g
|
||||
dosfstools
|
||||
|
||||
nixos-installer
|
||||
];
|
||||
|
||||
environment.extraInit = ''
|
||||
EDITOR=vim
|
||||
'';
|
||||
|
||||
programs.bash = {
|
||||
enableCompletion = true;
|
||||
interactiveShellInit = ''
|
||||
HISTCONTROL='erasedups:ignorespace'
|
||||
HISTSIZE=65536
|
||||
HISTFILESIZE=$HISTSIZE
|
||||
|
||||
shopt -s checkhash
|
||||
shopt -s histappend histreedit histverify
|
||||
shopt -s no_empty_cmd_completion
|
||||
complete -d cd
|
||||
'';
|
||||
promptInit = ''
|
||||
if test $UID = 0; then
|
||||
PS1='\[\033[1;31m\]\w\[\033[0m\] '
|
||||
PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"'
|
||||
elif test $UID = 1337; then
|
||||
PS1='\[\033[1;32m\]\w\[\033[0m\] '
|
||||
PROMPT_COMMAND='echo -ne "\033]0;$$ $PWD\007"'
|
||||
else
|
||||
PS1='\[\033[1;33m\]\u@\w\[\033[0m\] '
|
||||
PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"'
|
||||
fi
|
||||
if test -n "$SSH_CLIENT"; then
|
||||
PS1='\[\033[35m\]\h'" $PS1"
|
||||
PROMPT_COMMAND='echo -ne "\033]0;$$ $HOSTNAME $USER@$PWD\007"'
|
||||
fi
|
||||
if ! test -e /tmp/mode; then
|
||||
${wizard}
|
||||
fi
|
||||
'';
|
||||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
systemd.services.sshd.wantedBy = mkForce [ "multi-user.target" ];
|
||||
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
allowedTCPPorts = [ 22 ];
|
||||
};
|
||||
networking.networkmanager.enable = true;
|
||||
networking.wireless.enable = mkForce false;
|
||||
|
||||
krebs.hidden-ssh = {
|
||||
enable = true;
|
||||
channel = "##lassulus-wizard";
|
||||
message = "lassulus: torify sshn root@";
|
||||
};
|
||||
systemd.services.hidden-ssh-announce.wantedBy = mkForce [];
|
||||
services.getty.autologinUser = lib.mkForce "root";
|
||||
|
||||
nixpkgs.config.packageOverrides = super: {
|
||||
dmenu = pkgs.writeDashBin "dmenu" ''
|
||||
${pkgs.fzf}/bin/fzf \
|
||||
--history=/dev/null \
|
||||
--print-query \
|
||||
--prompt=\"$PROMPT\"
|
||||
'';
|
||||
};
|
||||
|
||||
boot.tmpOnTmpfs = true;
|
||||
}
|
@ -1,7 +0,0 @@
|
||||
#!/usr/bin/env nix-shell
|
||||
#! nix-shell -i bash -p nixos-generators
|
||||
|
||||
set -xefu
|
||||
|
||||
WD=$(dirname "$0")
|
||||
nixos-generate -I stockholm="$WD"/../../.. -c "$WD"/config.nix -f install-iso
|
@ -1,7 +0,0 @@
|
||||
#!/usr/bin/env nix-shell
|
||||
#! nix-shell -i bash -p nixos-generators
|
||||
|
||||
set -efu
|
||||
|
||||
WD=$(dirname "$0")
|
||||
nixos-generate -I stockholm="$WD"/../../.. -c "$WD"/config.nix -f vm-nogui --run
|
@ -1,10 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
];
|
||||
virtualisation.emptyDiskImages = [
|
||||
8000
|
||||
];
|
||||
virtualisation.memorySize = 1024;
|
||||
}
|
@ -1,95 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/exim-retiolum.nix>
|
||||
<stockholm/lass/2configs/baseX.nix>
|
||||
<stockholm/lass/2configs/browsers.nix>
|
||||
<stockholm/lass/2configs/programs.nix>
|
||||
<stockholm/lass/2configs/network-manager.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/sync/sync.nix>
|
||||
<stockholm/lass/2configs/games.nix>
|
||||
<stockholm/lass/2configs/steam.nix>
|
||||
<stockholm/lass/2configs/wine.nix>
|
||||
<stockholm/lass/2configs/fetchWallpaper.nix>
|
||||
<stockholm/lass/2configs/nfs-dl.nix>
|
||||
<stockholm/lass/2configs/pass.nix>
|
||||
<stockholm/lass/2configs/mail.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.xerxes;
|
||||
|
||||
environment.shellAliases = {
|
||||
deploy = pkgs.writeDash "deploy" ''
|
||||
set -eu
|
||||
export SYSTEM="$1"
|
||||
$(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy)
|
||||
'';
|
||||
usb-tether-on = pkgs.writeDash "usb-tether-on" ''
|
||||
adb shell su -c service call connectivity 33 i32 1 s16 text
|
||||
'';
|
||||
usb-tether-off = pkgs.writeDash "usb-tether-off" ''
|
||||
adb shell su -c service call connectivity 33 i32 0 s16 text
|
||||
'';
|
||||
};
|
||||
|
||||
services.xserver = {
|
||||
displayManager.lightdm.autoLogin.enable = true;
|
||||
displayManager.lightdm.autoLogin.user = "lass";
|
||||
};
|
||||
|
||||
boot.blacklistedKernelModules = [ "xpad" ];
|
||||
systemd.services.xboxdrv = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
script = ''
|
||||
${pkgs.xboxdrv.overrideAttrs(o: {
|
||||
patches = o.patches ++ [ (pkgs.fetchurl {
|
||||
url = "https://patch-diff.githubusercontent.com/raw/xboxdrv/xboxdrv/pull/251.patch";
|
||||
sha256 = "17784y20mxqrlhgvwvszh8lprxrvgmb7ah9dknmbhj5jhkjl8wq5";
|
||||
}) ];
|
||||
})}/bin/xboxdrv --type xbox360 --dbus disabled -D
|
||||
'';
|
||||
};
|
||||
|
||||
programs.adb.enable = true;
|
||||
|
||||
services.logind.lidSwitch = "suspend";
|
||||
lass.screenlock.enable = lib.mkForce false;
|
||||
|
||||
systemd.services.suspend-again = {
|
||||
after = [ "suspend.target" ];
|
||||
requiredBy = [ "suspend.target" ];
|
||||
# environment = {
|
||||
# DISPLAY = ":${toString config.services.xserver.display}";
|
||||
# };
|
||||
serviceConfig = {
|
||||
ExecStart = pkgs.writeDash "suspend-again" ''
|
||||
${pkgs.gnugrep}/bin/grep -q closed /proc/acpi/button/lid/LID0/state
|
||||
if [ "$?" -eq 0 ]; then
|
||||
echo 'wakeup with closed lid'
|
||||
${pkgs.systemd}/bin/systemctl suspend
|
||||
fi
|
||||
'';
|
||||
Type = "simple";
|
||||
};
|
||||
};
|
||||
|
||||
hardware.bluetooth = {
|
||||
enable = true;
|
||||
powerOnBoot = true;
|
||||
};
|
||||
hardware.pulseaudio.package = pkgs.pulseaudioFull;
|
||||
# hardware.pulseaudio.configFile = pkgs.writeText "default.pa" ''
|
||||
# load-module module-bluetooth-policy
|
||||
# load-module module-bluetooth-discover
|
||||
# ## module fails to load with
|
||||
# ## module-bluez5-device.c: Failed to get device path from module arguments
|
||||
# ## module.c: Failed to load module "module-bluez5-device" (argument: ""): initialization failed.
|
||||
# # load-module module-bluez5-device
|
||||
# # load-module module-bluez5-discover
|
||||
# '';
|
||||
}
|
@ -1,73 +0,0 @@
|
||||
{ pkgs, lib, ... }:
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||
];
|
||||
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
device = "/dev/sda";
|
||||
efiSupport = true;
|
||||
efiInstallAsRemovable = true;
|
||||
};
|
||||
|
||||
boot.blacklistedKernelModules = [
|
||||
"sdhci_pci"
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
|
||||
boot.initrd.luks.devices.crypted.device = "/dev/sda3";
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.kernelParams = [
|
||||
"fbcon=rotate:1"
|
||||
"boot.shell_on_fail"
|
||||
];
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-uuid/8efd0c22-f712-46bf-baad-1fbf19d9ec25";
|
||||
fsType = "xfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/7F23-DDB4";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
boot.extraModprobeConfig = ''
|
||||
options zfs zfs_arc_max=107374182
|
||||
'';
|
||||
|
||||
nix.maxJobs = lib.mkDefault 4;
|
||||
|
||||
networking.hostId = "9b0a74ac";
|
||||
networking.networkmanager.enable = true;
|
||||
|
||||
hardware.opengl.enable = true;
|
||||
|
||||
services.tlp.enable = true;
|
||||
services.tlp.extraConfig = ''
|
||||
CPU_SCALING_GOVERNOR_ON_AC=ondemand
|
||||
CPU_SCALING_GOVERNOR_ON_BAT=powersave
|
||||
CPU_MIN_PERF_ON_AC=0
|
||||
CPU_MAX_PERF_ON_AC=100
|
||||
CPU_MIN_PERF_ON_BAT=0
|
||||
CPU_MAX_PERF_ON_BAT=30
|
||||
'';
|
||||
|
||||
services.logind.extraConfig = ''
|
||||
HandlePowerKey=suspend
|
||||
IdleAction=suspend
|
||||
IdleActionSec=300
|
||||
'';
|
||||
|
||||
services.xserver = {
|
||||
videoDrivers = [ "intel" ];
|
||||
displayManager.sessionCommands = ''
|
||||
(sleep 2 && ${pkgs.xorg.xrandr}/bin/xrandr --output eDP1 --rotate right)
|
||||
(sleep 2 && ${pkgs.xorg.xinput}/bin/xinput set-prop "pointer:Goodix Capacitive TouchScreen" --type=float "Coordinate Transformation Matrix" 0 1 0 -1 0 1 0 0 1)
|
||||
'';
|
||||
};
|
||||
}
|
@ -1,45 +0,0 @@
|
||||
{ config, lib, pkgs, ... }: let
|
||||
vpnPort = 1637;
|
||||
torrentport = 56709; # port forwarded in airvpn webinterface
|
||||
in {
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
<stockholm/lass/2configs>
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/services/flix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.yellow;
|
||||
|
||||
krebs.sync-containers3.inContainer = {
|
||||
enable = true;
|
||||
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL";
|
||||
};
|
||||
|
||||
networking.useHostResolvConf = false;
|
||||
networking.useNetworkd = true;
|
||||
|
||||
networking.wg-quick.interfaces.airvpn.configFile = "/var/src/secrets/airvpn.conf";
|
||||
services.transmission.settings.peer-port = torrentport;
|
||||
|
||||
# only allow traffic through openvpn
|
||||
krebs.iptables = {
|
||||
enable = true;
|
||||
tables.filter.INPUT.rules = [
|
||||
{ predicate = "-i airvpn -p tcp --dport ${toString torrentport}"; target = "ACCEPT"; }
|
||||
{ predicate = "-i airvpn -p udp --dport ${toString torrentport}"; target = "ACCEPT"; }
|
||||
];
|
||||
tables.filter.OUTPUT = {
|
||||
policy = "DROP";
|
||||
rules = [
|
||||
{ predicate = "-o lo"; target = "ACCEPT"; }
|
||||
{ predicate = "-p udp --dport ${toString vpnPort}"; target = "ACCEPT"; }
|
||||
{ predicate = "-o airvpn"; target = "ACCEPT"; }
|
||||
{ predicate = "-o retiolum"; target = "ACCEPT"; }
|
||||
{ v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; }
|
||||
{ v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; }
|
||||
{ v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; }
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
@ -1,7 +0,0 @@
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
];
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
}
|
@ -1,83 +0,0 @@
|
||||
{ config, pkgs, ... }:
|
||||
with import <stockholm/lib>;
|
||||
let
|
||||
wifi = "wlp0s29u1u2";
|
||||
in {
|
||||
boot.extraModulePackages = [
|
||||
pkgs.linuxPackages.rtl8814au
|
||||
];
|
||||
networking.networkmanager.unmanaged = [ wifi "et0" ];
|
||||
|
||||
systemd.services.hostapd = {
|
||||
description = "hostapd wireless AP";
|
||||
path = [ pkgs.hostapd ];
|
||||
wantedBy = [ "network.target" ];
|
||||
|
||||
after = [ "${wifi}-cfg.service" "nat.service" "bind.service" "dhcpd.service" "sys-subsystem-net-devices-${wifi}.device" ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.hostapd}/bin/hostapd ${pkgs.writeText "hostapd.conf" ''
|
||||
interface=${wifi}
|
||||
hw_mode=a
|
||||
channel=36
|
||||
ieee80211d=1
|
||||
country_code=DE
|
||||
ieee80211n=1
|
||||
ieee80211ac=1
|
||||
wmm_enabled=1
|
||||
|
||||
# 5ghz
|
||||
ssid=krebsing
|
||||
auth_algs=1
|
||||
wpa=2
|
||||
wpa_key_mgmt=WPA-PSK
|
||||
rsn_pairwise=CCMP
|
||||
wpa_passphrase=aidsballz
|
||||
''}";
|
||||
Restart = "always";
|
||||
};
|
||||
};
|
||||
|
||||
networking.bridges.br0.interfaces = [
|
||||
wifi
|
||||
"et0"
|
||||
];
|
||||
|
||||
networking.interfaces.br0.ipv4.addresses = [
|
||||
{ address = "10.99.0.1"; prefixLength = 24; }
|
||||
];
|
||||
services.dhcpd4 = {
|
||||
enable = true;
|
||||
interfaces = [ "br0" ];
|
||||
extraConfig = ''
|
||||
option subnet-mask 255.255.255.0;
|
||||
option routers 10.99.0.1;
|
||||
option domain-name-servers 1.1.1.1, 8.8.8.8;
|
||||
subnet 10.99.0.0 netmask 255.255.255.0 {
|
||||
range 10.99.0.100 10.99.0.200;
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
|
||||
krebs.iptables.tables.filter.FORWARD.rules = [
|
||||
{ v6 = false; predicate = "-d 10.99.0.0/24 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
|
||||
{ v6 = false; predicate = "-s 10.99.0.0/24 -i br0"; target = "ACCEPT"; }
|
||||
{ v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; }
|
||||
{ v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; }
|
||||
{ v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
||||
{ v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
||||
];
|
||||
krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
|
||||
{ v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; }
|
||||
];
|
||||
krebs.iptables.tables.nat.POSTROUTING.rules = [
|
||||
#TODO find out what this is about?
|
||||
{ v6 = false; predicate = "-s 10.99.0.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
|
||||
{ v6 = false; predicate = "-s 10.99.0.0/24 -d 255.255.255.255"; target = "RETURN"; }
|
||||
|
||||
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24"; target = "MASQUERADE"; }
|
||||
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
|
||||
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
|
||||
];
|
||||
}
|
@ -1,38 +0,0 @@
|
||||
with (import <stockholm/lib>);
|
||||
{ config, lib, pkgs, ... }: let
|
||||
weechat = pkgs.weechat.override {
|
||||
configure = { availablePlugins, ... }: {
|
||||
scripts = with pkgs.weechatScripts; [
|
||||
weechat-matrix
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
tmux = "/run/current-system/sw/bin/tmux";
|
||||
|
||||
in {
|
||||
imports = [
|
||||
./bitlbee.nix
|
||||
];
|
||||
environment.systemPackages = [ weechat ];
|
||||
systemd.services.chat = {
|
||||
description = "chat environment setup";
|
||||
environment.WEECHAT_HOME = "\$HOME/.weechat";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
restartIfChanged = false;
|
||||
|
||||
path = [
|
||||
pkgs.rxvt-unicode-unwrapped.terminfo
|
||||
];
|
||||
|
||||
serviceConfig = {
|
||||
User = "lass";
|
||||
RemainAfterExit = true;
|
||||
Type = "oneshot";
|
||||
ExecStart = "${tmux} -2 new-session -d -s IM ${weechat}/bin/weechat";
|
||||
ExecStop = "${tmux} kill-session -t IM"; # TODO run save in weechat
|
||||
};
|
||||
};
|
||||
}
|
@ -1,20 +0,0 @@
|
||||
{ config, pkgs, ... }: let
|
||||
mainUser = config.users.extraUsers.mainUser;
|
||||
in {
|
||||
users.users= {
|
||||
ableton = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [
|
||||
"audio"
|
||||
"video"
|
||||
];
|
||||
packages = [
|
||||
pkgs.wine
|
||||
pkgs.winetricks
|
||||
];
|
||||
};
|
||||
};
|
||||
security.sudo.extraConfig = ''
|
||||
${mainUser.name} ALL=(ableton) NOPASSWD: ALL
|
||||
'';
|
||||
}
|
@ -1,133 +0,0 @@
|
||||
{ config, lib, pkgs, ... }: let
|
||||
|
||||
alacritty-cfg = extrVals: builtins.toJSON ({
|
||||
font = let
|
||||
family = "Iosevka";
|
||||
in {
|
||||
normal = {
|
||||
family = family;
|
||||
style = "Regular";
|
||||
};
|
||||
bold = {
|
||||
family = family;
|
||||
style = "Bold";
|
||||
};
|
||||
italic = {
|
||||
family = family;
|
||||
style = "Italic";
|
||||
};
|
||||
bold_italic = {
|
||||
family = family;
|
||||
style = "Bold Italic";
|
||||
};
|
||||
size = 8;
|
||||
};
|
||||
live_config_reload = true;
|
||||
window.dimensions = {
|
||||
columns = 80;
|
||||
lines = 20;
|
||||
};
|
||||
# window.opacity = 0;
|
||||
hints.enabled = [
|
||||
{
|
||||
regex = ''(mailto:|gemini:|gopher:|https:|http:|news:|file:|git:|ssh:|ftp:)[^\u0000-\u001F\u007F-\u009F<>"\s{-}\^⟨⟩`]+'';
|
||||
command = "/run/current-system/sw/bin/xdg-open";
|
||||
post_processing = true;
|
||||
mouse.enabled = true;
|
||||
binding = {
|
||||
key = "U";
|
||||
mods = "Alt";
|
||||
};
|
||||
}
|
||||
];
|
||||
} // extrVals);
|
||||
|
||||
alacritty = pkgs.symlinkJoin {
|
||||
name = "alacritty";
|
||||
paths = [
|
||||
(pkgs.writeDashBin "alacritty" ''
|
||||
${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yaml msg create-window "$@" ||
|
||||
${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yaml "$@"
|
||||
'')
|
||||
pkgs.alacritty
|
||||
];
|
||||
};
|
||||
|
||||
in {
|
||||
environment.etc = {
|
||||
"themes/light/alacritty.yaml".text = alacritty-cfg {
|
||||
colors = {
|
||||
# Default colors
|
||||
primary = {
|
||||
# hard contrast: background = '#f9f5d7'
|
||||
# background = "#fbf1c7";
|
||||
background = "#f9f5d7";
|
||||
# soft contrast: background = '#f2e5bc'
|
||||
foreground = "#3c3836";
|
||||
};
|
||||
|
||||
# Normal colors
|
||||
normal = {
|
||||
black = "#fbf1c7";
|
||||
red = "#cc241d";
|
||||
green = "#98971a";
|
||||
yellow = "#d79921";
|
||||
blue = "#458588";
|
||||
magenta = "#b16286";
|
||||
cyan = "#689d6a";
|
||||
white = "#7c6f64";
|
||||
};
|
||||
|
||||
# Bright colors
|
||||
bright = {
|
||||
black = "#928374";
|
||||
red = "#9d0006";
|
||||
green = "#79740e";
|
||||
yellow = "#b57614";
|
||||
blue = "#076678";
|
||||
magenta = "#8f3f71";
|
||||
cyan = "#427b58";
|
||||
white = "#3c3836";
|
||||
};
|
||||
};
|
||||
};
|
||||
"themes/dark/alacritty.yaml".text = alacritty-cfg {
|
||||
colors = {
|
||||
# Default colors
|
||||
primary = {
|
||||
background = "0x000000";
|
||||
foreground = "0xffffff";
|
||||
};
|
||||
cursor = {
|
||||
text = "0xF81CE5";
|
||||
cursor = "0xffffff";
|
||||
};
|
||||
|
||||
# Normal colors
|
||||
normal = {
|
||||
black = "0x000000";
|
||||
red = "0xfe0100";
|
||||
green = "0x33ff00";
|
||||
yellow = "0xfeff00";
|
||||
blue = "0x0066ff";
|
||||
magenta = "0xcc00ff";
|
||||
cyan = "0x00ffff";
|
||||
white = "0xd0d0d0";
|
||||
};
|
||||
|
||||
# Bright colors
|
||||
bright = {
|
||||
black = "0x808080";
|
||||
red = "0xfe0100";
|
||||
green = "0x33ff00";
|
||||
yellow = "0xfeff00";
|
||||
blue = "0x0066ff";
|
||||
magenta = "0xcc00ff";
|
||||
cyan = "0x00ffff";
|
||||
white = "0xFFFFFF";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
environment.systemPackages = [ alacritty ];
|
||||
}
|