makefu/nixos-config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

machines: rip unused systems

Browse source
This commit is contained in:
makefu 2024-05-31 19:02:21 +02:00
parent 039d853747
commit 9eb7c4b941
No known key found for this signature in database
GPG key ID: 36F7711F3FC0F225
56 changed files with 2 additions and 1924 deletions

4
2configs/deployment/buildbot/master.nix
View file

@ -1,6 +1,6 @@
{...}@inputs:
{inputs,config, ...}:
let
domain = "buildbot.euer.krebsco.de";
domain = "build.euer.krebsco.de";
in {
imports = [

4
machines/crapi/README
View file

@ -1,4 +0,0 @@
1. flash arm6 image from https://www.cs.helsinki.fi/u/tmtynkky/nixos-arm/installer/ to sdcard
2. passwd; systemctl start sshd; mkdir /var/src ; touch /var/src/.populate
3. "environment.systemPackages = [ pkgs.rsync pkgs.git ];" in /etc/nixos/configuration.nix
5. nixos-rebuild switch --fast --option binary-caches http://nixos-arm.dezgeg.me/channel --option binary-cache-public-keys nixos-arm.dezgeg.me-1:xBaUKS3n17BZPKeyxL4JfbTqECsT+ysbDJz29kLFRW0=%

15
machines/crapi/config.nix
View file

@ -1,15 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
<stockholm/makefu>
./hardware-config.nix
<stockholm/makefu/2configs>
<stockholm/makefu/2configs/tinc/retiolum.nix>
<stockholm/makefu/2configs/save-diskspace.nix>
];
krebs.build.host = config.krebs.hosts.crapi;
services.openssh.enable = true;
}

39
machines/crapi/hardware-config.nix
View file

@ -1,39 +0,0 @@
{ pkgs, lib, ... }:
{
#raspi1
boot.kernelParams = ["cma=32M" "console=ttyS0,115200n8" "console=tty0" "console=ttyS1,115200n8" ];
boot.loader.grub.enable = false;
boot.loader.raspberryPi.enable = true;
boot.loader.raspberryPi.version = 1;
boot.loader.raspberryPi.uboot.enable = true;
boot.loader.raspberryPi.uboot.configurationLimit = 1;
boot.loader.generationsDir.enable = lib.mkDefault false;
hardware.enableRedistributableFirmware = true;
boot.cleanTmpDir = true;
environment.systemPackages = [ pkgs.raspberrypi-tools ];
boot.kernelPackages = pkgs.linuxPackages_rpi;
nix.binaryCaches = [ "http://nixos-arm.dezgeg.me/channel" ];
nix.binaryCachePublicKeys = [ "nixos-arm.dezgeg.me-1:xBaUKS3n17BZPKeyxL4JfbTqECsT+ysbDJz29kLFRW0=%" ];
fileSystems = {
"/boot" = {
device = "/dev/disk/by-label/NIXOS_BOOT";
fsType = "vfat";
};
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
system.activationScripts.create-swap = ''
if [ ! -e /swapfile ]; then
fallocate -l 2G /swapfile
mkswap /swapfile
chmod 600 /swapfile
fi
'';
swapDevices = [ { device = "/swapfile"; size = 4096; } ];
}

3
machines/crapi/source.nix
View file

@ -1,3 +0,0 @@
{
arm6 = true;
}

76
machines/darth/config.nix
View file

@ -1,76 +0,0 @@
{ config, pkgs, lib, ... }:
with pkgs.stockholm.lib;
let
# all the good stuff resides in /data
byid = dev: "/dev/disk/by-id/" + dev;
rootDisk = byid "ata-INTEL_SSDSC2BW480H6_CVTR53120385480EGN";
bootPart = rootDisk + "-part1";
rootPart = rootDisk + "-part2";
allDisks = [ rootDisk ]; # auxDisk
in {
imports = [
<stockholm/makefu>
<stockholm/makefu/2configs/fs/sda-crypto-root.nix>
<stockholm/makefu/2configs/sshd-totp.nix>
<stockholm/makefu/2configs/zsh-user.nix>
<stockholm/makefu/2configs/smart-monitor.nix>
<stockholm/makefu/2configs/exim-retiolum.nix>
# <stockholm/makefu/2configs/virtualisation/libvirt.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
<stockholm/makefu/2configs/tools/core.nix>
<stockholm/makefu/2configs/stats/client.nix>
# <stockholm/makefu/2configs/nsupdate-data.nix>
<stockholm/makefu/2configs/share/anon-ftp.nix>
# lan party
<stockholm/makefu/2configs/lanparty/lancache.nix>
<stockholm/makefu/2configs/lanparty/lancache-dns.nix>
<stockholm/makefu/2configs/lanparty/samba.nix>
<stockholm/makefu/2configs/lanparty/mumble-server.nix>
<stockholm/makefu/2configs/virtualisation/libvirt.nix>
];
#networking.firewall.enable = false;
makefu.server.primary-itf = "enp0s25";
# krebs.hidden-ssh.enable = true;
boot.kernelModules = [ "coretemp" "f71882fg" ];
hardware.enableRedistributableFirmware = true;
nixpkgs.config.allowUnfree = true;
networking = {
wireless.enable = true;
firewall = {
allowPing = true;
logRefusedConnections = false;
# trustedInterfaces = [ "eno1" ];
allowedUDPPorts = [ 80 655 1655 67 ];
allowedTCPPorts = [ 80 655 1655 ];
};
# fallback connection to the internal virtual network
# interfaces.virbr3.ip4 = [{
# address = "10.8.8.2";
# prefixLength = 24;
# }];
};
# TODO smartd omo darth gum all-in-one
services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
boot.loader.grub.device = rootDisk;
boot.initrd.luks.devices = [
{ name = "luksroot";
device = rootPart;
allowDiscards = true;
keyFileSize = 4096;
keyFile = "/dev/sdb";
}
];
krebs.build.host = config.krebs.hosts.darth;
}

3
machines/darth/source.nix
View file

@ -1,3 +0,0 @@
{
name="darth";
}

40
machines/drop/config.nix
View file

@ -1,40 +0,0 @@
{ config, pkgs, ... }:
let
external-ip = "45.55.145.62";
default-gw = "45.55.128.1";
prefixLength = 18;
in {
imports = [
<stockholm/makefu>
<stockholm/makefu/2configs/hw/CAC.nix>
<stockholm/makefu/2configs/save-diskspace.nix>
<stockholm/makefu/2configs/torrent.nix>
];
krebs = {
enable = true;
tinc.retiolum.enable = true;
build.host = config.krebs.hosts.drop;
};
boot.loader.grub.device = "/dev/vda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" "virtio_net" "virtio_scsi" ];
fileSystems."/" = {
device = "/dev/vda1";
fsType = "ext4";
};
networking = {
firewall = {
allowPing = true;
logRefusedConnections = false;
allowedTCPPorts = [ ];
allowedUDPPorts = [ 655 ];
};
interfaces.enp0s3.ipv4.addresses = [{
address = external-ip;
inherit prefixLength;
}];
defaultGateway = default-gw;
nameservers = [ "8.8.8.8" ];
};
}

4
machines/drop/source.nix
View file

@ -1,4 +0,0 @@
{
name="drop";
torrent = true;
}

174
machines/fileleech/config.nix
View file

@ -1,174 +0,0 @@
{ config, pkgs, lib, ... }:
let
toMapper = id: "/media/crypt${builtins.toString id}";
byid = dev: "/dev/disk/by-id/" + dev;
keyFile = byid "usb-Intuix_DiskOnKey_09A07360336198F8-0:0";
rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN";
rootPartition = rootDisk + "-part3";
dataDisks = let
idpart = dev: byid dev + "-part1";
in [
{ name = "crypt0"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GDLJEF";}
{ name = "crypt1"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GGWG8F";}
{ name = "crypt2"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GH5NAF";}
{ name = "crypt3"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GJWGDF";}
{ name = "crypt4"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXHF";}
{ name = "crypt5"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXVF";}
{ name = "crypt6"; device = idpart "scsi-1ATA_HUA722020ALA330_YAJJ8WRV";}
{ name = "crypt7"; device = idpart "scsi-1ATA_HUA722020ALA330_YBKTUS4F";} # parity
];
disks = [ { name = "luksroot"; device = rootPartition; } ] ++ dataDisks;
in {
imports = [
<stockholm/makefu>
<stockholm/makefu/2configs/tinc/retiolum.nix>
<stockholm/makefu/2configs/disable_v6.nix>
<stockholm/makefu/2configs/torrent.nix>
<stockholm/makefu/2configs/fs/sda-crypto-root.nix>
#<stockholm/makefu/2configs/elchos/irc-token.nix>
# <stockholm/makefu/2configs/elchos/log.nix>
# <stockholm/makefu/2configs/elchos/search.nix>
# <stockholm/makefu/2configs/elchos/stats.nix>
];
systemd.services.grafana.serviceConfig.LimitNOFILE=10032;
systemd.services.graphiteApi.serviceConfig.LimitNOFILE=10032;
systemd.services.carbonCache.serviceConfig.LimitNOFILE=10032;
makefu.server.primary-itf = "enp8s0f0";
krebs = {
enable = true;
build.host = config.krebs.hosts.fileleech;
};
# git clone https://github.com/makefu/docker-pyload
# docker build .
# docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P docker-pyload
virtualisation.docker.enable = true; # for pyload
networking.firewall.allowPing = true;
networking.firewall.logRefusedConnections = false;
networking.firewall.allowedTCPPorts = [
51412 # torrent
8112 # rutorrent-web
8113 # pyload
8080 # sabnzbd
9090 # sabnzbd-ssl
655 # tinc
21 # ftp
];
services.nginx.virtualHosts._download = {
default = true;
root = config.makefu.dl-dir;
extraConfig = ''
autoindex on;
'';
basicAuth = import <secrets/kibana-auth.nix>;
};
networking.firewall.allowedUDPPorts = [
655 # tinc
51412 # torrent
];
services.vsftpd.enable = true;
services.vsftpd.localUsers = true;
services.vsftpd.userlist = [ "download" ];
services.vsftpd.userlistEnable = true;
# services.vsftpd.chrootlocalUser = true;
services.sabnzbd.enable = true;
systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
# TODO use users.motd and pam.services.sshd.showMotd
services.openssh.extraConfig = let banner = pkgs.writeText "openssh-banner" ''
Services:
ssh://download@fileleech - ssh via filebitch
ftp://download@fileleech - access to ${config.makefu.dl-dir}
http://fileleech:8112 - rutorrent
http://fileleech:8113 - pyload
https://fileleech:9090 - sabnzb
''; in "Banner ${banner}";
boot.initrd.luks = {
devices = let
usbkey = name: device: {
inherit name device keyFile;
keyFileSize = 4096;
allowDiscards = true;
};
in builtins.map (x: usbkey x.name x.device) disks;
};
environment.systemPackages = with pkgs;[ mergerfs ];
fileSystems = let
cryptMount = name:
{ "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
in cryptMount "crypt0"
// cryptMount "crypt1"
// cryptMount "crypt2"
// cryptMount "crypt3"
// cryptMount "crypt4"
// cryptMount "crypt5"
// cryptMount "crypt6"
// cryptMount "crypt7"
# this entry sometimes creates issues
// { "/media/cryptX" = {
device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 3 4 5 6 ]);
fsType = "mergerfs";
noCheck = true;
options = [ "defaults" "nofail" "allow_other" "nonempty" ]; };
}
;
makefu.dl-dir = "/media/cryptX";
users.users.download = {
useDefaultShell = true;
# name = "download";
# createHome = true;
openssh.authorizedKeys.keys = [
config.krebs.users.makefu.pubkey
config.krebs.users.lass.pubkey
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7betFnMWVeBYRhJ+2f0B5WbDdbpteIVg/BlyimXbx79R7lZ7nUq5GyMLrp7B00frUuA0su8oFFN3ODPJDstgBslBIP7kWPR2zW8NOXorrbFo3J2fKvlO77k6/wD5/M11m5nS01/aVJgAgMGLg2W12G7EMf5Wq75YsQJC/S9p8kMca589djMPRuQETu7fWq0t/Gmwq+2ELLL0csRK87LvybA92JYkAIneRnGzIlCguOXq0Vcq6pGQ1J1PfVEP76Do33X29l2hZc/+vR9ExW6s2g7fs5/5LDX9Wnq7+AEsxiEf4IOeL0hCG4/CGGCN23J+6cDrNKOP94AHO1si0O2lxFsxgNU2vdVWPNgSLottiUFBPPNEZFD++sZyutzH6PIz6D90hB2Q52X6WN9ZUtlDfQ91rHd+S2BhR6f4dAqiRDXlI5MNNDdoTT4S5R0wU/UrNwjiV/xiu/hWZYGQK7YgY4grFRblr378r8FqjLvumPDFMDLVa9eJKq1ad1x/GV5tZpsttzWj4nbixaKlZOg+TN2GHboujLx3bANz1Jqfvfto8UOeKTtA8pkb8E1PJPpBMOZcA7oHaqJrp6Vuf/SkmglHnQvGbi60OK3s61nuRmIcBiTXd+4qeAJpq1QyEDj3X/+hV0Gwz8rCo6JGkF1ETW37ZYvqU9rxNXjS+/Pfktw== jules@kvasir-2015-02-13"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDINUD+p2yrc9KoTbCiuYhdfLlRu/eNX6BftToSMLs8O9qWQORjgXbDn8M9iUWXCHzdUZ9sm6Rz8TMdEV0jZq/nB01zYnW4NhMrt+NGtrmGqDa+eYrRZ4G7Rx8AYzM/ZSwERKX10txAVugV44xswRxWvFbCedujjXyWsxelf1ngb+Hiy9/CPuWNYEhTZs/YuvNkupCui2BuKuoSivJAkLhGk5YqwwcllCr39YXa/tFJWsgoQNcB9hwpzfhFm6Cc7m5DhmTWSVhQHEWyaas8Lukmd4v+mRY+KZpuhbomCHWzkxqzdBun8SXiiAKlgem9rtBIgeTEfz9OtOfF3/6VfqE7 toerb@mittagspause ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0IP143FAHBHWjEEKGOnM8SSTIgNF1MJxGCMKaJvTHf momo@k2.local"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1ZJSpBb7Cxo+c2r2JJIcbYOTm/sJxOv2NFRoDfjxGS9CCwzRbzrwJcv2d23j35mu97x3+fUvo8DyMFLvLvume2PFCijqhMDzZZvjYXZdvXA+hnh53nqZf+Pjq8Xc3tSWBHQxUokaBmZbd4LlKHh8NgKVrP2zve6OPZMzo/Es93v37KEmT8d/PfVMrQEMPZzFrCVdq2RbpdQ1nhx09zRFW7OJOazgotafjx6IYXbVq2VDnjffXInsE9ZxDzYq1cNKIH0c2BLpTd3mv76iD9i+nD6W6s48+usFQnVLt2TY1uKkfMr7043E6jBxx5kNHBe5Xxr6Zs0SkR8kKOEhMO//4ucviUYKZJn8wk2SLkAyMYVBexx8jrTdlI4xgQ7RLpSIDTCm9dfbZY/YhZDJ21lsWduQqu7DFWMe05gg4NZDjf2kwYQOzATyqISGA7ttSEPT1iymr/ffAOgLBLSqWQAteUbI2U5cnflWZGwm33JF/Pyb4S3k3/f2mIBKiRx2lsGv6mx1w0SaYRtJxDWqGYMHuFiNYbq9r/bZfLqV3Fy9kRODFJTfJh8mcTnC4zabpiQ7fnqbh1qHu0WrrBSgFW0PR2WWCJ0e5Btj1yRgXp0+d5OuxxlVInRs+l2HogdxjonMhAHrTCzJtI8UJTKXKN0FBPRDRcepeExhvNqcOUz4Kvw== me@andreaskist.de"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo2z8zsI+YF3ho0hvYzzCZi05mNyjk4iFK08+nNFCdXSG07jmRROWzTcC2ysTKZ56XD2al2abLxy4FZfmDcu9b2zJoPnIiXv/Jw0TKeZ71OyN3bILtv+6Xj1FTJ+kAUMXBfEew7UCgZZ8u8RQsFmlhqB9XqCBXmzP7I2EM1wWSzwEAgG/k6C+Ir054JjAj+fLr/wBduD1GAe8bXXF3Ojiky8OMs2oJaoGV96mrVAtVN+ftfWSvHCK31Y/KgCoPDE4LdoTir1IRfx2pZUMPkyzRW/etXT0PKD96I+/3d1xNPzNNjFpd6GqADC3xnfY3WslNgjL7gqwsC9SlEyuT1Xkd lotho@mercurius"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClaVl9Fwp4wdGLeTZdfy5MpJf+hM6fpL1k6UmtYXWgVYU7tgmStdlpLlbyMQspoFRtT7/76n4kPwCmM0c82xNXaJJMuWa98pwMp+bAwSSdOGAP/vjfzL/TUAX+Xtrw6ehF7r1O+zqw/E/bWt6UezKj08wDLWjByzdDQwslJV6lrGek4mmYRdgmHHeZ1oG89ePEZJZOM6jcZqv0AfIj0NID3ir9Z0kz9uSSXb1279Qt4953mfjs5xwhtc1B7vrxJ3qtTZUsBoAkUkLeulUEIjkfn60wvDGu/66GP5ZClXyk2gck/ZNmtFYrQoqx9EtF1KK02cC17A0nfRySQy5BnfWn root@filebitch"
];
};
makefu.snapraid = {
enable = true;
disks = map toMapper [ 0 1 2 3 4 5 6 ];
parity = toMapper 7;
};
networking.nameservers = [ "8.8.8.8" ];
# SPF
networking.defaultGateway = "151.217.176.1";
networking.interfaces.enp6s0f0.ipv4.addresses = [{
address = "151.217.178.63";
prefixLength = 22;
}];
# Gigabit
networking.interfaces.enp8s0f1.ipv4.addresses = [{
address = "192.168.126.1";
prefixLength = 24;
}];
#interfaces.enp6s0f1.ip4 = [{
# address = external-ip;
# prefixLength = 22;
#}];
boot.loader.grub.device = rootDisk;
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "aacraid" "usb_storage" "usbhid" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# http://blog.hackathon.de/using-unsupported-sfp-modules-with-linux.html
boot.extraModprobeConfig = ''
options ixgbe allow_unsupported_sfp=1
'';
}

4
machines/fileleech/source.nix
View file

@ -1,4 +0,0 @@
{
name = "fileleech";
torrent = true;
}

25
machines/firecracker/config.nix
View file

@ -1,25 +0,0 @@
{ config, lib, pkgs, ... }:
let
primaryInterface = "eth0";
in {
imports = [
<stockholm/makefu>
./hardware-config.nix
# <stockholm/makefu/2configs/tools/core.nix>
{ environment.systemPackages = with pkgs;[ rsync screen curl git ];}
<stockholm/makefu/2configs/binary-cache/nixos.nix>
#<stockholm/makefu/2configs/support-nixos.nix>
# configure your hw:
# <stockholm/makefu/2configs/save-diskspace.nix>
];
krebs = {
enable = true;
tinc.retiolum.enable = true;
build.host = config.krebs.hosts.firecracker;
};
networking.firewall.trustedInterfaces = [ primaryInterface ];
documentation.info.enable = false;
documentation.man.enable = false;
services.nixosManual.enable = false;
sound.enable = false;
}

30
machines/firecracker/hardware-config.nix
View file

@ -1,30 +0,0 @@
{ pkgs, lib, ... }:
{
boot.kernelParams = lib.mkForce ["console=ttyS2,1500000n8" "earlycon=uart8250,mmio32,0xff1a0000" "earlyprintk"];
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.loader.generic-extlinux-compatible.configurationLimit = 1;
boot.loader.generationsDir.enable = lib.mkDefault false;
boot.supportedFilesystems = lib.mkForce [ "vfat" ];
boot.tmp.useTmpfs = lib.mkForce false;
boot.cleanTmpDir = true;
hardware.enableRedistributableFirmware = true;
## wifi not working, will be fixed with https://github.com/NixOS/nixpkgs/pull/53747
boot.kernelPackages = pkgs.linuxPackages_latest;
networking.wireless.enable = true;
# File systems configuration for using the installer's partition layout
swapDevices = [ { device = "/var/swap"; size = 4096; } ];
fileSystems = {
"/boot" = {
device = "/dev/disk/by-label/NIXOS_BOOT";
fsType = "vfat";
};
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
}

4
machines/firecracker/source.nix
View file

@ -1,4 +0,0 @@
{
name="cake";
full = true;
}

23
machines/hardware/tsp-disk.json
View file

@ -1,23 +0,0 @@
{
"type": "devices",
"content": {
"sda": {
"type": "table",
"format": "msdos",
"partitions": [
{ "type": "partition",
"part-type": "primary",
"start": "1M",
"end": "100%",
"bootable": true,
"content": {
"type": "filesystem",
"format": "ext4",
"mountpoint": "/"
}
}
]
}
}
}

72
machines/iso/config.nix
View file

@ -1,72 +0,0 @@
{ config, pkgs, lib, ... }:
with pkgs.stockholm.lib;
{
imports = [
#<stockholm/makefu>
<nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
<nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
# <stockholm/makefu/2configs/tools/core.nix>
./justdoit.nix
{
environment.systemPackages = [ (pkgs.writeScriptBin "network-setup" ''
#!/bin/sh
ip addr add 178.254.30.202/255.255.252.0 dev ens3
ip route add default via 178.254.28.1
echo nameserver 1.1.1.1 > /etc/resolv.conf
'')];
kexec.justdoit = {
bootSize = 512;
rootDevice = "/dev/vda";
bootType = "vfat";
luksEncrypt = false;
uefi = false;
};
}
];
# boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
# TODO: NIX_PATH and nix.nixPath are being set by default.nix right now
# cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso/config.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
#krebs.build.host = { cores = 0; };
isoImage.isoBaseName = lib.mkForce "stockholm";
#krebs.hidden-ssh.enable = true;
# environment.systemPackages = with pkgs; [
# aria2
# ddrescue
# ];
environment.extraInit = ''
EDITOR=vim
'';
# iso-specific
services.openssh = {
enable = true;
hostKeys = [
{ bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
# enable ssh in the iso boot process
systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
# hack `tee` behavior
#nixpkgs.config.packageOverrides = super: {
# irc-announce = super.callPackage <stockholm/krebs/5pkgs/simple/irc-announce> {
# pkgs = pkgs // {
# coreutils = pkgs.symlinkJoin {
# name = "coreutils-hack";
# paths = [
# pkgs.coreutils
# (pkgs.writeDashBin "tee" ''
# if test "$1" = /dev/stderr; then
# while read -r line; do
# echo "$line"
# echo "$line" >&2
# done
# else
# ${super.coreutils}/bin/tee "$@"
# fi
# '')
# ];
# };
# };
# };
#};
}

120
machines/iso/justdoit.nix
View file

@ -1,120 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.kexec.justdoit;
x = if cfg.nvme then "p" else "";
in {
options = {
kexec.justdoit = {
rootDevice = mkOption {
type = types.str;
default = "/dev/sda";
description = "the root block device that justdoit will nuke from orbit and force nixos onto";
};
bootSize = mkOption {
type = types.int;
default = 256;
description = "size of /boot in mb";
};
bootType = mkOption {
type = types.enum [ "ext4" "vfat" "zfs" ];
default = "ext4";
};
swapSize = mkOption {
type = types.int;
default = 1024;
description = "size of swap in mb";
};
poolName = mkOption {
type = types.str;
default = "tank";
description = "zfs pool name";
};
luksEncrypt = mkOption {
type = types.bool;
default = false;
description = "encrypt all of zfs and swap";
};
uefi = mkOption {
type = types.bool;
default = false;
description = "create a uefi install";
};
nvme = mkOption {
type = types.bool;
default = false;
description = "rootDevice is nvme";
};
};
};
config = let
mkBootTable = {
ext4 = "mkfs.ext4 $NIXOS_BOOT -L NIXOS_BOOT";
vfat = "mkfs.vfat $NIXOS_BOOT -n NIXOS_BOOT";
zfs = "";
};
in lib.mkIf true {
system.build.justdoit = pkgs.writeScriptBin "justdoit" ''
#!${pkgs.stdenv.shell}
set -e
vgchange -a n
wipefs -a ${cfg.rootDevice}
dd if=/dev/zero of=${cfg.rootDevice} bs=512 count=10000
sfdisk ${cfg.rootDevice} <<EOF
label: gpt
device: ${cfg.rootDevice}
unit: sectors
${lib.optionalString (cfg.bootType != "zfs") "1 : size=${toString (2048 * cfg.bootSize)}, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4"}
${lib.optionalString (! cfg.uefi) "4 : size=4096, type=21686148-6449-6E6F-744E-656564454649"}
2 : type=0FC63DAF-8483-4772-8E79-3D69D8477DE4
EOF
${if cfg.luksEncrypt then ''
cryptsetup luksFormat ${cfg.rootDevice}${x}2
cryptsetup open --type luks ${cfg.rootDevice}${x}2 root
export ROOT_DEVICE=/dev/mapper/root
'' else ''
export ROOT_DEVICE=${cfg.rootDevice}${x}2
''}
${lib.optionalString (cfg.bootType != "zfs") "export NIXOS_BOOT=${cfg.rootDevice}${x}1"}
mkdir -p /mnt
${mkBootTable.${cfg.bootType}}
zpool create -o ashift=12 -o altroot=/mnt ${cfg.poolName} $ROOT_DEVICE
zfs create -o mountpoint=legacy ${cfg.poolName}/root
zfs create -o mountpoint=legacy ${cfg.poolName}/home
zfs create -o mountpoint=legacy ${cfg.poolName}/nix
mount -t zfs ${cfg.poolName}/root /mnt/
mkdir /mnt/{home,nix,boot}
mount -t zfs ${cfg.poolName}/home /mnt/home/
mount -t zfs ${cfg.poolName}/nix /mnt/nix/
${lib.optionalString (cfg.bootType != "zfs") "mount $NIXOS_BOOT /mnt/boot/"}
nixos-generate-config --root /mnt/
hostId=$(echo $(head -c4 /dev/urandom | od -A none -t x4))
cp ${./target-config.nix} /mnt/etc/nixos/configuration.nix
cat > /mnt/etc/nixos/generated.nix <<EOF
{ ... }:
{
${if cfg.uefi then ''
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "nodev";
'' else ''
boot.loader.grub.device = "${cfg.rootDevice}";
''}
networking.hostId = "$hostId"; # required for zfs use
${lib.optionalString cfg.luksEncrypt ''
boot.initrd.luks.devices = [
{ name = "root"; device = "${cfg.rootDevice}${x}2"; preLVM = true; }
];
''}
}
EOF
nixos-install
umount /mnt/home /mnt/nix ${lib.optionalString (cfg.bootType != "zfs") "/mnt/boot"} /mnt
zpool export ${cfg.poolName}
'';
environment.systemPackages = [ config.system.build.justdoit ];
boot.supportedFilesystems = [ "zfs" ];
users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb" ];
};
}

3
machines/iso/source.nix
View file

@ -1,3 +0,0 @@
{
name="iso";
}

45
machines/iso/target-config.nix
View file

@ -1,45 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [ ./hardware-configuration.nix ./generated.nix ];
boot.loader.grub.enable = true;
boot.zfs.devNodes = "/dev"; # fixes some virtualmachine issues
#boot.zfs.forceImportRoot = false;
#boot.zfs.forceImportAll = false;
boot.kernelParams = [
"boot.shell_on_fail"
"panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
];
users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb" ];
boot.tmp.useTmpfs = true;
programs.bash.enableCompletion = true;
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
environment.systemPackages = [ (pkgs.writeScriptBin "network-setup" ''
#!/bin/sh
ip addr add 178.254.30.202/255.255.252.0 dev ens3
ip route add default via 178.254.28.1
echo nameserver 1.1.1.1 > /etc/resolv.conf
'')];
# minimal
boot.supportedFilesystems = [ "zfs" ];
programs.command-not-found.enable = false;
time.timeZone = "Europe/Berlin";
programs.ssh.startAgent = false;
nix.useSandbox = true;
users.mutableUsers = false;
networking.firewall.rejectPackets = true;
networking.firewall.allowPing = true;
services.openssh.enable = true;
i18n = {
consoleKeyMap = "us";
defaultLocale = "en_US.UTF-8";
};
boot.kernel.sysctl = {
"net.ipv6.conf.all.use_tempaddr" = lib.mkDefault "2";
"net.ipv6.conf.default.use_tempaddr" = lib.mkDefault "2";
};
}

25
machines/kexec/config.nix
View file

@ -1,25 +0,0 @@
{ config, pkgs, lib, ... }:
with pkgs.stockholm.lib;
{
imports = [
<stockholm/makefu>
# <stockholm/makefu/2configs/tools/core.nix>
<nixpkgs/nixos/modules/installer/netboot/netboot-minimal.nix>
<clever_kexec/kexec/kexec.nix>
];
# cd ~/stockholm ; nix-build '<nixpkgs/nixos>' -A config.system.build.kexec_tarball -j 4 -I nixos-config=makefu/1systems/iso.nix -I secrets=/home/makefu/secrets/iso
krebs.build.host = config.krebs.hosts.iso;
krebs.hidden-ssh.enable = true;
environment.extraInit = ''
EDITOR=vim
'';
services.openssh = {
enable = true;
hostKeys = [
{ bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
}

3
machines/kexec/source.nix
View file

@ -1,3 +0,0 @@
{
name="iso";
}

49
machines/latte/1blu/default.nix
View file

@ -1,49 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ ./network.nix
(modulesPath + "/profiles/qemu-guest.nix")
];
# Disk
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "tank/root";
fsType = "zfs";
};
fileSystems."/home" =
{ device = "tank/home";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "tank/nix";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/AEF3-A486";
fsType = "vfat";
};
swapDevices = [ ];
boot.loader.grub.device = "/dev/vda";
networking.hostId = "3150697c"; # required for zfs use
boot.tmp.useTmpfs = true;
boot.supportedFilesystems = [ "zfs" ];
boot.loader.grub.enable = true;
boot.loader.grub.copyKernels = true;
boot.zfs.devNodes = "/dev"; # fixes some virtualmachine issues
boot.kernelParams = [
"boot.shell_on_fail"
"panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
];
}

32
machines/latte/1blu/network.nix
View file

@ -1,32 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
let
external-mac = "c4:37:72:55:4e:1c";
external-gw = "178.254.28.1";
external-ip = "178.254.30.202";
external-ip6 = "2a00:6800:3:18c::2";
external-gw6 = "2a00:6800:3::1";
external-netmask = 22;
external-netmask6 = 64;
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
ext-if = "et0"; # gets renamed on the fly
in
{
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="${ext-if}"
'';
networking = {
interfaces."${ext-if}" = {
ipv4.addresses = [{
address = external-ip;
prefixLength = external-netmask;
}];
ipv6.addresses = [{
address = external-ip6;
prefixLength = external-netmask6;
}];
};
defaultGateway6 = { address = external-gw6; interface = ext-if; };
defaultGateway = external-gw;
nameservers = [ "1.1.1.1" ];
};
}

67
machines/latte/config.nix
View file

@ -1,67 +0,0 @@
{ config, lib, pkgs, ... }:
let
# external-ip = config.krebs.build.host.nets.internet.ip4.addr;
# internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
# default-gw = "185.215.224.1";
# prefixLength = 24;
# external-mac = "46:5b:fc:f4:44:c9";
# ext-if = "et0";
in {
imports = [
./1blu
<stockholm/makefu>
# common
<stockholm/makefu/2configs/nur.nix>
<stockholm/makefu/2configs/home-manager>
<stockholm/makefu/2configs/home-manager/cli.nix>
# Security
<stockholm/makefu/2configs/sshd-totp.nix>
# Tools
<stockholm/makefu/2configs/tools/core.nix>
<stockholm/makefu/2configs/zsh-user.nix>
# NixOS Build
<stockholm/makefu/2configs/remote-build/slave.nix>
# Storage
<stockholm/makefu/2configs/share>
# <stockholm/makefu/2configs/share/hetzner-client.nix>
# torrent is managed by gum
# <stockholm/makefu/2configs/torrent/rtorrent.nix>
## Web
# local usage:
<stockholm/makefu/2configs/mosh.nix>
# Supervision
<stockholm/makefu/2configs/nix-community/supervision.nix>
# Krebs
<stockholm/makefu/2configs/tinc/retiolum.nix>
# backup
<stockholm/makefu/2configs/backup/state.nix>
# migrated:
# <stockholm/makefu/2configs/bitlbee.nix>
];
krebs = {
enable = true;
build.host = config.krebs.hosts.latte;
};
makefu.dl-dir = "/media/cloud/download";
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

5
machines/latte/source.nix
View file

@ -1,5 +0,0 @@
{
name = "latte";
torrent = true;
home-manager = true;
}

27
machines/minicake/config.nix
View file

@ -1,27 +0,0 @@
{ config,nixpkgsPath, pkgs, lib, ... }:
{
krebs = {
enable = true;
dns.providers.lan = "hosts";
build.user = config.krebs.users.makefu;
};
imports = [
(nixpkgsPath + "/nixos/modules/profiles/minimal.nix")
(nixpkgsPath + "/nixos/modules/profiles/installation-device.nix")
];
# cifs-utils fails to cross-compile
# Let's simplify this by removing all unneeded filesystems from the image.
boot.supportedFilesystems = lib.mkForce [ "vfat" ];
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
users.users = {
root = {
openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
};
};
services.openssh.enable = true;
}

28
machines/mrdavid/config.nix
View file

@ -1,28 +0,0 @@
{ config, pkgs, lib, self, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware.nix
../../2configs/default.nix
# ../../2configs/nur.nix
../../2configs/home-manager
../../2configs/main-laptop.nix
../../2configs/editor/neovim
../../2configs/tools/core.nix
# ../../2configs/tools/all.nix
((import ../../2configs/fs/disko/single-disk-ext4.nix ) { disk = "/dev/sda"; })
# hardware specifics are in here
../../2configs/zsh-user.nix
../../2configs/home-manager
../../2configs/home-manager/desktop.nix
../../2configs/home-manager/cli.nix
# ../../2configs/tinc/retiolum.nix
];
krebs.build.host.name = "mrdavid";
}

5
machines/mrdavid/hardware.nix
View file

@ -1,5 +0,0 @@
{ lib, ... }:
{
imports = [ ];
hardware.enableRedistributableFirmware = true;
}

50
machines/pnp/config.nix
View file

@ -1,50 +0,0 @@
# Usage:
# NIX_PATH=secrets=/home/makefu/secrets/wry:nixpkgs=/var/src/nixpkgs nix-build -A users.makefu.pnp.config.system.build.vm
# result/bin/run-pnp-vm -virtfs local,path=/home/makefu/secrets/pnp,security_model=none,mount_tag=secrets
{ config, pkgs, ... }:
{
imports =
[
<stockholm/makefu>
<stockholm/makefu/2configs/headless.nix>
# these will be overwritten by qemu-vm.nix but will be used if the system
# is directly deployed
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
<stockholm/makefu/2configs/fs/vm-single-partition.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
# config.system.build.vm
(toString <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>)
];
virtualisation.graphics = false;
# also export secrets, see Usage above
fileSystems = pkgs.lib.mkVMOverride {
"${builtins.toString <secrets>}" =
{ device = "secrets";
fsType = "9p";
options = [ "trans=virtio" "version=9p2000.L" "cache=loose" ];
neededForBoot = true;
};
};
krebs.Reaktor.debug = {
debug = true;
extraEnviron = {
# TODO: remove hard-coded server
REAKTOR_HOST = "irc.r";
};
plugins = with pkgs.ReaktorPlugins; [ stockholm-issue nixos-version sed-plugin ];
channels = [ "#xxx" ];
};
krebs.build.host = config.krebs.hosts.pnp;
networking.firewall.allowedTCPPorts = [
25
];
}

3
machines/pnp/source.nix
View file

@ -1,3 +0,0 @@
{
name="pnp";
}

39
machines/repunit/config.nix
View file

@ -1,39 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
<stockholm/makefu>
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
<stockholm/makefu/2configs/git/cgit-retiolum.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
];
krebs.build.host = config.krebs.hosts.repunit;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
hardware.enableRedistributableFirmware = true;
hardware.cpu.amd.updateMicrocode = true;
# networking.firewall is enabled by default
networking.firewall.allowedTCPPorts = [ 80 ];
networking.firewall.allowPing = true;
fileSystems."/" =
{ device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
# $ nix-env -qaP | grep wget
environment.systemPackages = with pkgs; [
jq
];
}

3
machines/repunit/source.nix
View file

@ -1,3 +0,0 @@
{
name="repunit";
}

40
machines/sdcard/config.nix
View file

@ -1,40 +0,0 @@
{ config, pkgs, lib, ... }:
let
kernel = pkgs.callPackage ./kernel.nix {
kernelPatches = with pkgs.kernelPatches; [
# kernelPatches.bridge_stp_helper
# kernelPatches.modinst_arg_list_too_long
];
};
in
{
imports = [
<nixpkgs/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix>
# <stockholm/makefu/2configs/minimal.nix>
];
# TODO: NIX_PATH and nix.nixPath are being set by default.nix right now
# cd ~/stockholm ; nix build config.system.build.sdImage -I nixos-config=makefu/1systems/sdcard/config.nix -f /home/makefu/nixpkgs/nixos
boot.kernelParams = ["console=ttyS2,1500000" "earlycon=uart8250,mmio32,0xff1a0000"];
# boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelPackages = pkgs.linuxPackagesFor kernel;
boot.supportedFilesystems = lib.mkForce [ "vfat" "f2fs" "xfs" "ntfs" "cifs" ];
# krebs.hidden-ssh.enable = true;
environment.systemPackages = with pkgs; [
aria2
ddrescue
];
environment.extraInit = ''
EDITOR=vim
'';
# iso-specific
services.openssh = {
enable = true;
hostKeys = [
{ bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
# enable ssh in the iso boot process
systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
}

15
machines/sdcard/kernel.nix
View file

@ -1,15 +0,0 @@
{ fetchFromGitLab, buildLinux, ... } @ args:
buildLinux (args // rec {
version = "4.4.55";
modDirVersion = "4.4.55";
extraMeta.branch = "4.4";
defconfig = "firefly_linux_defconfig";
src = fetchFromGitLab {
owner = "TeeFirefly";
repo = "linux-kernel";
rev = "firefly_0821_release";
sha256 = "1fwj9cm5ysz286znrr3fyrhfn903m84i7py4rv3y3h9avxb3zl1r";
};
extraMeta.platforms = [ "aarch64-linux" ];
} // (args.argsOverride or {}))

3
machines/sdcard/source.nix
View file

@ -1,3 +0,0 @@
{
name="iso";
}

54
machines/sdev/config.nix
View file

@ -1,54 +0,0 @@
{ lib, config, pkgs, ... }:
{
krebs.build.host = config.krebs.hosts.sdev;
makefu.awesome.modkey = "Mod1";
imports =
[ # Include the results of the hardware scan.
<stockholm/makefu>
<stockholm/makefu/2configs/home-manager>
# <stockholm/makefu/2configs/hw/vbox-guest.nix> # broken since 2019-04-18
{ # until virtualbox-image is fixed
imports = [
<stockholm/makefu/2configs/fs/single-partition-ext4.nix>
];
boot.loader.grub.device = lib.mkForce "/dev/sda";
}
<stockholm/makefu/2configs/main-laptop.nix>
# <secrets/extra-hosts.nix>
# environment
<stockholm/makefu/2configs/tinc/retiolum.nix>
<stockholm/makefu/2configs/virtualisation/docker.nix>
];
# allow sdev to deploy self
users.extraUsers = {
root = {
openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey ];
};
};
# corefonts
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs;[
ppp xclip
get
passwdqc-utils
gnupg
populate
# 20.09: torbrowser is broken
#(pkgs.writeScriptBin "tor-browser" ''
# #! /bin/sh
# TOR_SKIP_LAUNCH=1 ${torbrowser}/bin/tor-browser
#'')
];
networking.firewall.allowedTCPPorts = [
25
80
8010
];
}

7
machines/sdev/source.nix
View file

@ -1,7 +0,0 @@
{
name="sdev";
home-manager = true;
hw = true;
mic92 = true;
unstable = true;
}

49
machines/shack-autoinstall/config.nix
View file

@ -1,49 +0,0 @@
{ config, pkgs, lib, ... }:
with pkgs.stockholm.lib;
let
disk = "/dev/sda";
in {
imports = [
<stockholm/makefu>
<nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
<nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
<stockholm/makefu/2configs/tools/core.nix>
];
# TODO: NIX_PATH and nix.nixPath are being set by default.nix right now
# cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
krebs.build.host = config.krebs.hosts.iso;
krebs.hidden-ssh.enable = true;
environment.extraInit = ''
EDITOR=vim
'';
# iso-specific
boot.kernelParams = [ "copytoram" ];
environment.systemPackages = [
pkgs.parted
( pkgs.writeScriptBin "shack-install" ''
#! /bin/sh
echo "go ahead and try NIX_PATH=/root/.nix-defexpr/channels/ nixos-install"
'')
];
systemd.services.wpa_supplicant.wantedBy = lib.mkForce [ "multi-user.target" ];
networking.wireless = {
enable = true;
networks.shack.psk = "welcome2shack";
};
services.openssh = {
enable = true;
hostKeys = [
{ bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
# enable ssh in the iso boot process
systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
}

5
machines/shack-autoinstall/grub-partition.sh
View file

@ -1,5 +0,0 @@
#!/bin/sh
set -euf
parted -s ${disk} mklabel msdos
parted -s ${disk} -- mkpart primary linux-swap 1M 4096M
parted -s ${disk} -- mkpart primary ext2 4096M 100%

230
machines/shack-autoinstall/shack-config.nix
View file

@ -1,230 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
# TODO:
];
# shacks-specific
networking.wireless = {
enable = true;
networks.shack.psk = "181471eb97eb23f12c6871227bc4a7b13c8f6af56dcc0d0e8b71f4d7a510cb4e";
};
networking.hostName = "shackbook";
boot.tmp.useTmpfs = true;
users.users.shack = {
createHome = true;
useDefaultShell = true;
home = "/home/shack";
uid = 9001;
packages = with pkgs;[
chromium
firefox
];
extraGroups = [ "audio" "wheel" ];
hashedPassword = "$6$KIxlQTLEnKl7cwC$LrmbwZ64Mlm7zqUUZ0EObPJMES3C0mQ6Sw7ynTuXzUo7d9EWg/k5XCGkDHMFvL/Pz19Awcv0knHB1j3dHT6fh/" ;
};
environment.variables = let
ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
in {
EDITOR = lib.mkForce "vim";
CURL_CA_BUNDLE = ca-bundle;
GIT_SSL_CAINFO = ca-bundle;
SSL_CERT_FILE = ca-bundle;
};
services.printing = {
enable = true;
# TODO: shack-printer
};
environment.systemPackages = with pkgs;[
parted
ddrescue
tmux
jq git gnumake htop rxvt_unicode.terminfo
(pkgs.vim_configurable.customize {
name = "vim";
vimrcConfig.customRC = ''
set nocompatible
syntax on
set list
set listchars=tab:\
"set list listchars=tab:>-,trail:.,extends:>
filetype off
filetype plugin indent on
colorscheme darkblue
set background=dark
set number
set relativenumber
set mouse=a
set ignorecase
set incsearch
set wildignore=*.o,*.obj,*.bak,*.exe,*.os
set textwidth=79
set shiftwidth=2
set expandtab
set softtabstop=2
set shiftround
set smarttab
set tabstop=2
set et
set autoindent
set backspace=indent,eol,start
inoremap <F1> <ESC>
nnoremap <F1> <ESC>
vnoremap <F1> <ESC>
nnoremap <F5> :UndotreeToggle<CR>
set undodir =~/.vim/undo
set undofile
"maximum number of changes that can be undone
set undolevels=1000000
"maximum number lines to save for undo on a buffer reload
set undoreload=10000000
nnoremap <F2> :set invpaste paste?<CR>
set pastetoggle=<F2>
set showmode
set showmatch
set matchtime=3
set hlsearch
autocmd ColorScheme * highlight ExtraWhitespace ctermbg=red guibg=red
" save on focus lost
au FocusLost * :wa
autocmd BufRead *.json set filetype=json
au BufNewFile,BufRead *.mustache set syntax=mustache
cnoremap SudoWrite w !sudo tee > /dev/null %
" create Backup/tmp/undo dirs
set backupdir=~/.vim/backup
set directory=~/.vim/tmp
function! InitBackupDir()
let l:parent = $HOME . '/.vim/'
let l:backup = l:parent . 'backup/'
let l:tmpdir = l:parent . 'tmp/'
let l:undodir= l:parent . 'undo/'
if !isdirectory(l:parent)
call mkdir(l:parent)
endif
if !isdirectory(l:backup)
call mkdir(l:backup)
endif
if !isdirectory(l:tmpdir)
call mkdir(l:tmpdir)
endif
if !isdirectory(l:undodir)
call mkdir(l:undodir)
endif
endfunction
call InitBackupDir()
augroup Binary
" edit binaries in xxd-output, xxd is part of vim
au!
au BufReadPre *.bin let &bin=1
au BufReadPost *.bin if &bin | %!xxd
au BufReadPost *.bin set ft=xxd | endif
au BufWritePre *.bin if &bin | %!xxd -r
au BufWritePre *.bin endif
au BufWritePost *.bin if &bin | %!xxd
au BufWritePost *.bin set nomod | endif
augroup END
'';
vimrcConfig.vam.knownPlugins = pkgs.vimPlugins;
vimrcConfig.vam.pluginDictionaries = [
{ names = [ "undotree" ]; }
# vim-nix handles indentation better but does not perform sanity
{ names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; }
];
})
];
programs.bash = {
enableCompletion = true;
interactiveShellInit = ''
HISTCONTROL='erasedups:ignorespace'
HISTSIZE=900001
HISTFILESIZE=$HISTSIZE
shopt -s checkhash
shopt -s histappend histreedit histverify
shopt -s no_empty_cmd_completion
PS1='\[\e[1;32m\]\w\[\e[0m\] '
'';
};
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
nix = {
package = pkgs.nixUnstable;
optimise.automatic = true;
useSandbox = true;
gc.automatic = true;
};
system.autoUpgrade.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
# gui and stuff
i18n = {
consoleFont = "Lat2-Terminus16";
consoleKeyMap = "us";
defaultLocale = "en_US.UTF-8";
};
fonts = {
enableFontDir = true;
enableGhostscriptFonts = true;
fonts = [ pkgs.terminus_font ];
};
time.timeZone = "Europe/Berlin";
services.timesyncd.enable = true;
# GUI
hardware.pulseaudio.enable = true;
services.xserver = {
enable = true;
displayManager.auto.enable = true;
displayManager.auto.user = "shack";
desktopManager.xfce.enable = true;
layout = "us";
xkbVariant = "altgr-intl";
xkbOptions = "ctrl:nocaps, eurosign:e";
};
services.openssh = {
enable = true;
hostKeys = [
{ bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
}

3
machines/shack-autoinstall/source.nix
View file

@ -1,3 +0,0 @@
{
name="iso";
}

24
machines/shack-autoinstall/uefi-partition.sh
View file

@ -1,24 +0,0 @@
#!/bin/sh
set -euf
p(){
parted -s ${disk} -- $@
}
p mklabel gpt
p mkpart primary fat32 1M 551M
p set 1 boot on
p mkpart primary linux-swap 51M 4647M
p mkpart primary ext2 4647M 100%
udevadm settle
mkfs.fat -nboot -F32 /dev/sda1
udevadm settle
mkswap ${disk}2 -L swap
swapon -L swap
mkfs.ext4 -L nixos ${disk}3
mount LABEL=nixos /mnt
mkdir /mnt/boot
mount LABEL=boot /mnt/boot
mkdir -p /mnt/etc/nixos
cp ${./shack-config.nix} /mnt/etc/nixos/configuration.nix
nixos-generate-config --root /mnt

62
machines/shoney/config.nix
View file

@ -1,62 +0,0 @@
{ config, pkgs, ... }:
let
tinc-siem-ip = "10.8.10.1";
ip = "64.137.234.215";
alt-ip = "64.137.234.210"; # honeydrive honeyd
extra-ip1 = "64.137.234.114"; # floating tinc.siem
extra-ip2 = "64.137.234.232"; # honeydrive
gw = "64.137.234.1";
in {
imports = [
<stockholm/makefu>
<stockholm/makefu/2configs/save-diskspace.nix>
<stockholm/makefu/2configs/hw/CAC.nix>
<stockholm/makefu/2configs/fs/CAC-CentOS-7-64bit.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
];
krebs = {
enable = true;
build.host = config.krebs.hosts.shoney;
tinc_graphs = {
enable = true;
network = "siem";
hostsPath = "/etc/tinc/siem/hosts";
nginx = {
enable = true;
# TODO: remove hard-coded hostname
anonymous-domain = "localhost.localdomain";
anonymous.extraConfig = "return 403;";
complete = {
serverAliases = [ "graph.siem" ];
extraConfig = ''
if ( $server_addr = "${ip}" ) {
return 403;
}
'';
};
};
};
};
makefu.forward-journal = {
enable = true;
src = "10.8.10.1";
dst = "10.8.10.6";
};
networking = {
interfaces.enp2s1.ipv4.addresses = [
{ address = ip; prefixLength = 24; }
# { address = alt-ip; prefixLength = 24; }
];
defaultGateway = gw;
nameservers = [ "8.8.8.8" ];
firewall = {
trustedInterfaces = [ "tinc.siem" ];
allowedUDPPorts = [ 655 1655 ];
allowedTCPPorts = [ 655 1655 ];
};
};
}

3
machines/shoney/source.nix
View file

@ -1,3 +0,0 @@
{
name="shoney";
}

26
machines/snake/config.nix
View file

@ -1,26 +0,0 @@
{ config, lib, pkgs, ... }:
let
primaryInterface = "eth0";
in {
imports = [
<stockholm/makefu>
./hardware-config.nix
<stockholm/makefu/2configs/home-manager>
<stockholm/makefu/2configs/tools/core.nix>
<stockholm/makefu/2configs/binary-cache/nixos.nix>
<stockholm/makefu/2configs/home/rhasspy>
# <stockholm/makefu/2configs/hw/pseyecam.nix>
];
krebs = {
enable = true;
tinc.retiolum.enable = true;
build.host = config.krebs.hosts.snake;
};
# ensure disk usage is limited
services.journald.extraConfig = "Storage=volatile";
networking.firewall.trustedInterfaces = [ primaryInterface ];
documentation.info.enable = false;
documentation.man.enable = false;
documentation.nixos.enable = false;
}

64
machines/snake/disk.nix
View file

@ -1,64 +0,0 @@
{ disks ? [ "/dev/sda" ], ... }: {
disk = {
x = {
type = "disk";
device = "/dev/sda";
content = {
type = "table";
format = "gpt";
partitions = [
{
name = "boot";
type = "partition";
start = "0";
end = "1M";
part-type = "primary";
flags = ["bios_grub"];
}
{
type = "partition";
name = "ESP";
start = "1M";
end = "512MiB";
fs-type = "fat32";
bootable = true;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
}
{
type = "partition";
name = "zfs";
start = "512MiB";
end = "100%";
content = {
type = "zfs";
pool = "zroot";
};
}
];
};
};
};
zpool = {
zroot = {
type = "zpool";
rootFsOptions.compression = "lz4";
mountpoint = "/";
datasets = {
home = {
zfs_type = "filesystem";
mountpoint = "/home";
options.mountpoint = "legacy";
};
reserved = {
zfs_type = "filesystem";
options.refreservation = "1G";
};
};
};
};
}

23
machines/snake/hardware-config.nix
View file

@ -1,23 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
./wifi.nix
./sound.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "/dev/sda";
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ];
boot.kernelModules = [ "kvm-amd" ];
disko.devices = import ./disk.nix;
hardware.enableRedistributableFirmware = true;
hardware.cpu.amd.updateMicrocode = true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
boot.kernelParams = [ "net.ifnames=0" ];
networking.hostId = "0123AABB";
}

51
machines/snake/sound.nix
View file

@ -1,51 +0,0 @@
{ lib, ... }: {
imports = [
<stockholm/makefu/2configs/gui/snake-kiosk.nix>
];
nixpkgs.config.allowUnfree = true;
networking.networkmanager.enable = lib.mkForce false;
# sound.enable = true;
#hardware.pulseaudio = {
# enable = true;
# systemWide = true;
# tcp = {
# enable = true;
# anonymousClients.allowAll = true;
# };
#};
#users.users.makefu = {
# extraGroups = [ "pipewire" "audio" ];
#};
#services.xserver = {
# enable = true;
# # desktopManager.xterm.enable = true;
# desktopManager.xfce = {
# enable = true;
# noDesktop = true;
# };
# displayManager.autoLogin = {
# enable = true;
# user = "makefu";
# };
#};
hardware.pulseaudio.enable = lib.mkForce false;
security.rtkit.enable = true;
#services.pipewire = {
# enable = true;
# systemWide = true;
# socketActivation = false;
# alsa.enable = true;
# alsa.support32Bit = true;
# pulse.enable = true;
# config.pipewire-pulse = {
# "pulse.properties"."server.address" = [ "unix:native" "tcp:4713" ];
# };
#};
}

6
machines/snake/source.nix
View file

@ -1,6 +0,0 @@
{
name="cake";
full = true;
home-manager = true;
hw = true;
}

6
machines/snake/wifi.nix
View file

@ -1,6 +0,0 @@
{
networking.wireless = {
enable = true;
networks = import <secrets/wifi.nix>;
};
}

75
machines/studio/config.nix
View file

@ -1,75 +0,0 @@
{ config, pkgs, ... }:
{
imports = [
<stockholm/makefu>
<stockholm/makefu/2configs/vncserver.nix>
<stockholm/makefu/2configs/disable_v6.nix>
<stockholm/makefu/2configs/audio/jack-on-pulse.nix>
<stockholm/makefu/2configs/audio/realtime-audio.nix>
<stockholm/makefu/2configs/gui/studio.nix>
<stockholm/makefu/2configs/binary-cache/lass.nix>
];
makefu.gui.user = "user"; # we use an extra user
krebs = {
enable = true;
tinc.retiolum.enable = true;
build.host = config.krebs.hosts.studio;
};
networking.firewall.allowedTCPPorts = [ 655 ];
networking.firewall.allowedUDPPorts = [ 655 ];
environment.systemPackages = with pkgs;[
# audio foo
## pulseaudio
pavucontrol
paprefs
pamixer
# extra alsa tools
alsa-hdspconf
alsa-hdspmixer
alsa-hdsploader
# recording
darkice
(mumble.override { jackSupport = true; })
# browsing
firefox
chromium
];
nixpkgs.config.allowUnfree = true;
fonts = {
enableCoreFonts = true;
enableFontDir = true;
enableGhostscriptFonts = true;
fonts = [ ];
};
# ingos favorite display manager
# hardware
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "usb_storage" "sd_mod" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/0aeda516-230e-4c54-9e27-13515c2f3f21";
fsType = "ext4";
};
swapDevices = [ { device = "/dev/disk/by-uuid/1914af67-5a8f-41d3-a1c2-211c39605da9"; } ];
users.users.user = {
isNormalUser = true;
extraGroups = [ "wheel" "audio" ];
uid = 1000;
openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
};
}

4
machines/studio/source.nix
View file

@ -1,4 +0,0 @@
{
name="studio";
musnix = true;
}

91
machines/vbob/config.nix
View file

@ -1,91 +0,0 @@
{ lib, config, pkgs, ... }:
{
krebs.build.host = config.krebs.hosts.vbob;
makefu.awesome.modkey = "Mod1";
imports =
[
<stockholm/makefu>
{
imports = [<stockholm/makefu/2configs/fs/single-partition-ext4.nix> ];
boot.loader.grub.device = "/dev/sda";
}
# <stockholm/makefu/2configs/hw/vbox-guest.nix>
# <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
# base gui
# <stockholm/makefu/2configs/main-laptop.nix>
# <stockholm/makefu/2configs/tools/core-gui.nix>
<stockholm/makefu/2configs/zsh-user.nix>
# security
<stockholm/makefu/2configs/sshd-totp.nix>
# Tools
<stockholm/makefu/2configs/tools/core.nix>
<stockholm/makefu/2configs/tools/dev.nix>
# <stockholm/makefu/2configs/tools/extra-gui.nix>
# <stockholm/makefu/2configs/tools/sec.nix>
# environment
<stockholm/makefu/2configs/tinc/retiolum.nix>
(let
gum-ip = config.krebs.hosts.gum.nets.internet.ip4.addr;
gateway = "10.0.2.2";
in {
# make sure the route to gum gets added after the network is online
systemd.services.wireguard-wg0.after = [ "network-online.target" ];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.244.0.3/24" ];
privateKeyFile = (toString <secrets>) + "/wireguard.key";
# explicit route via eth0 to gum
preSetup = ["${pkgs.iproute}/bin/ip route add ${gum-ip} via ${gateway}"];
peers = [
{ # gum
endpoint = "${gum-ip}:51820";
allowedIPs = [ "0.0.0.0/0" "10.244.0.0/24" ];
publicKey = "yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo=";
persistentKeepalive = 25;
}
];
};
})
];
networking.extraHosts = import (toString <secrets/extra-hosts.nix>);
# allow vbob to deploy self
users.extraUsers.root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey ];
environment.shellAliases = {
forti = "cat ~/vpn/pw.txt | xclip; sudo forticlientsslvpn";
};
system.activationScripts.prepare-fortclientvpnssl = ''
# TODO: for forticlientsslpn
mkdir -p /usr/{s,}bin
ln -fs ${pkgs.ppp}/bin/pppd /usr/sbin/pppd
ln -fs ${pkgs.coreutils}/bin/tail /usr/bin/tail
'';
# for forticlient
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs;[
fortclientsslvpn ppp xclip
get
logstash
#devpi-web
#devpi-client
ansible
];
networking.firewall.allowedTCPPorts = [
25
80
8010
];
# required for qemu
systemd.services."serial-getty@ttyS0".enable = true;
}

4
machines/vbob/source.nix
View file

@ -1,4 +0,0 @@
{
name="vbob";
# musnix = true;
}

54
machines/wry/config.nix
View file

@ -1,54 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs.stockholm.lib;
let
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
in {
imports = [
<stockholm/makefu>
# TODO: copy this config or move to krebs
<stockholm/makefu/2configs/hw/CAC.nix>
<stockholm/makefu/2configs/fs/CAC-CentOS-7-64bit.nix>
<stockholm/makefu/2configs/save-diskspace.nix>
# <stockholm/makefu/2configs/bepasty-dual.nix>
<stockholm/makefu/2configs/iodined.nix>
<stockholm/makefu/2configs/backup.nix>
# other nginx
# <stockholm/makefu/2configs/nginx/euer.test.nix>
# collectd
<stockholm/makefu/2configs/stats/client.nix>
<stockholm/makefu/2configs/logging/client.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
# <stockholm/makefu/2configs/torrent.nix>
];
krebs.build.host = config.krebs.hosts.wry;
# prepare graphs
services.nginx.enable = true;
krebs.retiolum-bootstrap.enable = true;
networking = {
firewall = {
allowPing = true;
logRefusedConnections = false;
allowedTCPPorts = [ 53 80 443 ];
allowedUDPPorts = [ 655 53 ];
};
interfaces.enp2s1.ipv4.addresses = [{
address = external-ip;
prefixLength = 24;
}];
defaultGateway = "104.233.87.1";
nameservers = [ "8.8.8.8" ];
};
environment.systemPackages = [ pkgs.screen ];
}

3
machines/wry/source.nix
View file

@ -1,3 +0,0 @@
{
name="wry";
}