From 599122d3af20e1523ac9db0f771434e39ae15e81 Mon Sep 17 00:00:00 2001 
From: chaos Date: Mon, 18 Sep 2023 03:56:58 +0100 Subject: [PATCH] major tidy --- data/chaosInternalWireGuard.nix | 29 ++ data/chaosInternalWireGuardPubKeys.json | 5 + data/chaos_wireguard_internal.nix | 29 -- data/dual_drive_data.nix | 1 - data/encryptedUSB.nix | 30 +++ data/normalEncryptedDrive.nix | 23 ++ data/normal_drive_data.nix | 23 -- data/raspberryExternalDrive.nix | 16 ++ data/raspberry_ext_drive.nix | 16 -- data/serverIPs.nix | 10 + data/usb_data.nix | 28 -- deployNodes.nix | 52 ---- extras/internal-wireguard-lib.nix | 95 ------- extras/mk-dual-enc-ssd.nix | 35 --- extras/mk-dual-enc-ssd.sh | 63 ----- extras/mk-enc-usb.nix | 74 ++++-- extras/mk-enc-usb.sh | 49 ---- extras/mk-normal-enc-ssd.nix | 81 ++++-- extras/mk-normal-enc-ssd.sh | 57 ---- extras/mk-raspberry-ext-drive.nix | 88 +++++-- extras/mk-raspberry-ext-drive.sh | 65 ----- extras/shenanigans-hotspot.nix | 96 ------- flake.lock | 27 -- flake.nix | 8 - home/apps/{file-roller.nix => fileRoller.nix} | 0 home/apps/firefox.nix | 29 +- home/base/ssh.nix | 22 +- home/base/zsh.nix | 14 +- home/dev/all/deploy-rs.nix | 1 - home/dev/all/extra.nix | 1 - home/dev/small/small.nix | 2 +- home/gui/base/gtk.nix | 11 +- home/gui/environments/gnome/default.nix | 24 +- home/gui/environments/sway/sway.nix | 17 +- home/manual-backup-apps.nix | 4 +- home/programming/editors/vscode.nix | 17 +- home/ssh-usb.nix | 11 - home/sshUSB.nix | 11 + hosts/buildbox/buildbox.nix | 116 -------- hosts/buildbox/hardware.nix | 25 -- hosts/buildbox/networking.nix | 25 -- hosts/buildbox/secrets.nix | 15 -- hosts/darwin.nix | 35 --- hosts/default.nix | 1 - hosts/hetzner-vm/containers/mail/default.nix | 30 ++- .../mail/modules/mailserver/default.nix | 223 +++++++++------- .../mail/modules/mailserver/dovecot.nix | 119 +++++---- .../mail/modules/mailserver/firewall.nix | 6 +- .../mail/modules/mailserver/opendkim.nix | 61 ++--- .../mail/modules/mailserver/postfix.nix | 185 +++++++------ .../mail/modules/mailserver/rspamd.nix | 15 +- 
.../mail/modules/mailserver/ssl.nix | 14 +- .../mail/modules/mailserver/vmail.nix | 90 ++++--- .../mail/modules/mailserver/webmail.nix | 27 +- .../containers/mail/profiles/mailserver.nix | 74 +++--- .../containers/mail/profiles/restic.nix | 12 +- .../containers/music/data/ports.nix | 2 +- hosts/hetzner-vm/containers/music/default.nix | 117 +++++---- .../containers/music/profiles/mpd.nix | 15 +- .../{music-sync.nix => musicSync.nix} | 32 ++- .../containers/music/profiles/soulseek.nix | 6 +- .../containers/piped/data/ports.nix | 6 +- hosts/hetzner-vm/containers/piped/default.nix | 140 ++++------ .../containers/piped/profiles/cockroachDB.nix | 20 ++ .../containers/piped/profiles/cockroachdb.nix | 16 -- .../containers/piped/profiles/piped.nix | 82 +++--- .../containers/piped/profiles/restic.nix | 35 +-- .../hetzner-vm/containers/quassel/default.nix | 70 ++--- .../containers/quassel/profiles/quassel.nix | 21 +- .../containers/quassel/profiles/restic.nix | 4 +- .../hetzner-vm/containers/social/default.nix | 12 +- .../containers/social/profiles/backups.nix | 11 +- .../containers/social/profiles/gotosocial.nix | 14 +- .../containers/storage/data/ports.nix | 4 +- .../hetzner-vm/containers/storage/default.nix | 31 ++- .../storage/profiles/auto-secrets.nix | 21 -- .../{rclone-configs.nix => rcloneConfigs.nix} | 0 .../{rclone-serve.nix => rcloneServe.nix} | 59 ++--- .../{rclone-sync.nix => rcloneSync.nix} | 31 ++- .../storage/profiles/storage-mount.nix | 21 -- .../hetzner-vm/containers/storage/secrets.nix | 46 +++- ...r-addresses.nix => containerAddresses.nix} | 3 +- hosts/hetzner-vm/hardware.nix | 12 +- hosts/hetzner-vm/hetzner-vm.nix | 68 +---- hosts/hetzner-vm/networking.nix | 22 -- ...static-sites.nix => gitlabStaticSites.nix} | 0 hosts/hetzner-vm/profiles/nginx-misc.nix | 12 - .../profiles/{vaultui.nix => vaultUI.nix} | 0 hosts/hetzner-vm/secrets.nix | 36 ++- hosts/lappy-t495/hardware.nix | 4 +- hosts/lappy-t495/lappy-t495.nix | 5 +- 
hosts/lappy-t495/profiles/wireguard.nix | 32 --- hosts/macmini/default.nix | 19 -- hosts/nixos-live/nixos-live.nix | 15 +- hosts/nixos.nix | 106 +++----- hosts/raspberry/boot.nix | 26 +- .../raspberry/data/wifi-nmconnection.template | 22 -- ...age-backups.nix => autoStorageBackups.nix} | 0 hosts/raspberry/profiles/cockroachDB.nix | 23 ++ hosts/raspberry/profiles/cockroachdb.nix | 22 -- hosts/raspberry/profiles/external-drive.nix | 44 ---- hosts/raspberry/profiles/externalDrive.nix | 48 ++++ hosts/raspberry/profiles/piped.nix | 21 +- hosts/raspberry/profiles/wireguard.nix | 35 --- hosts/raspberry/raspberry.nix | 59 +---- hosts/raspberry/secrets.nix | 34 +-- hosts/tablet/hardware.nix | 19 -- hosts/tablet/secrets.nix | 40 --- hosts/tablet/tablet.nix | 43 --- hosts/vault/hardware.nix | 10 - hosts/vault/networking.nix | 19 -- hosts/vault/secrets.nix | 13 + hosts/vault/vault.nix | 36 ++- lib/containerLib.nix | 41 +++ lib/internalWireGuardLib.nix | 66 +++++ modules/nixos/cockroachdb-bin.nix | 248 ++++++++++++++++++ modules/nixos/rclone-serve.nix | 61 +++-- modules/nixos/rclone-sync.nix | 37 +-- modules/nixos/secrets.nix | 149 ++++++++--- .../nixos/{secrets-lib => secretsLib}/lib.nix | 59 ++++- outputs.nix | 117 ++++----- overlay/default.nix | 4 - overlay/gobar/default.nix | 2 - overlay/roc-send-pcm/default.nix | 9 - overlay/roc-toolkit-patched/default.nix | 63 ----- overlay/zar/default.nix | 28 -- presets/nixos/containerBase.nix | 42 +++ .../{desktop-base.nix => desktopBase.nix} | 6 +- .../{desktop-gnome.nix => desktopGnome.nix} | 2 +- .../{desktop-sway.nix => desktopSway.nix} | 2 +- presets/nixos/dual-encrypted-drive.nix | 84 ------ presets/nixos/encrypted-usb.nix | 4 - presets/nixos/encryptedUSB.nix | 6 + presets/nixos/laptop.nix | 13 +- ...ted-drive.nix => normalEncryptedDrive.nix} | 43 +-- presets/nixos/serverBase.nix | 34 +++ ...ted-drive.nix => serverEncryptedDrive.nix} | 8 +- presets/nixos/serverHetzner.nix | 61 +++++ profiles/base-darwin/fonts.nix | 6 - 
profiles/base-darwin/home.nix | 24 -- profiles/base-darwin/nix.nix | 23 -- profiles/base-darwin/terminals.nix | 3 - .../{console-locale.nix => consoleLocale.nix} | 0 profiles/base/hardware.nix | 8 +- profiles/base/home.nix | 3 +- profiles/base/nix.nix | 2 - profiles/chaos-internal-wireguard/secrets.nix | 43 --- profiles/chaosInternalWireGuard/secrets.nix | 21 ++ .../wireguard.nix | 22 +- profiles/cockroachdb-bin-fix.nix | 60 ----- .../connectivity/{ios => iOS}/default.nix | 0 .../nm.nix | 0 .../aria2c.nix | 0 .../httpCommon.nix} | 0 .../soulseek.nix | 0 profiles/firewallAllow/ssh.nix | 2 + profiles/force_dns/force_dns.nix | 9 - profiles/kernels/latest.nix | 1 - profiles/nginx.nix | 6 +- profiles/{nix-gc.nix => nixGC.nix} | 0 ...remote-builders.nix => remoteBuilders.nix} | 16 +- profiles/serverExtras.nix | 47 ++++ profiles/sound/pulseaudio/pulse-48000.nix | 1 - profiles/sound/pulseaudio/pulse-bluetooth.nix | 16 -- .../pulse-recv-native-localhost.nix | 7 - profiles/sound/pulseaudio/pulse-recv-rtp.nix | 7 - .../sound/pulseaudio/pulse-systemwide.nix | 7 - profiles/sound/pulseaudio/pulse.nix | 13 - profiles/tlp.nix | 3 - .../{usb-automount.nix => usbAutoMount.nix} | 17 +- scripts/buildPipedBackendAArch64.sh | 1 + scripts/deploy/hetzner-vm.sh | 2 - scripts/deploy/raspberry.sh | 5 +- scripts/deploy/vault.sh | 2 - scripts/{deploy-all.sh => deployAll.sh} | 0 .../{deploy-secrets.sh => deploySecrets.sh} | 0 treeConfig.nix | 38 +-- 177 files changed, 2412 insertions(+), 3093 deletions(-) create mode 100644 data/chaosInternalWireGuard.nix create mode 100644 data/chaosInternalWireGuardPubKeys.json delete mode 100644 data/chaos_wireguard_internal.nix delete mode 100644 data/dual_drive_data.nix create mode 100644 data/encryptedUSB.nix create mode 100644 data/normalEncryptedDrive.nix delete mode 100644 data/normal_drive_data.nix create mode 100644 data/raspberryExternalDrive.nix delete mode 100644 data/raspberry_ext_drive.nix create mode 100644 data/serverIPs.nix delete mode 100644 
data/usb_data.nix delete mode 100644 deployNodes.nix delete mode 100644 extras/internal-wireguard-lib.nix delete mode 100644 extras/mk-dual-enc-ssd.nix delete mode 100644 extras/mk-dual-enc-ssd.sh delete mode 100644 extras/mk-enc-usb.sh delete mode 100644 extras/mk-normal-enc-ssd.sh delete mode 100644 extras/mk-raspberry-ext-drive.sh delete mode 100644 extras/shenanigans-hotspot.nix rename home/apps/{file-roller.nix => fileRoller.nix} (100%) delete mode 100644 home/dev/all/deploy-rs.nix delete mode 100644 home/ssh-usb.nix create mode 100644 home/sshUSB.nix delete mode 100644 hosts/buildbox/buildbox.nix delete mode 100644 hosts/buildbox/hardware.nix delete mode 100644 hosts/buildbox/networking.nix delete mode 100644 hosts/buildbox/secrets.nix delete mode 100644 hosts/darwin.nix rename hosts/hetzner-vm/containers/music/profiles/{music-sync.nix => musicSync.nix} (52%) create mode 100644 hosts/hetzner-vm/containers/piped/profiles/cockroachDB.nix delete mode 100644 hosts/hetzner-vm/containers/piped/profiles/cockroachdb.nix delete mode 100644 hosts/hetzner-vm/containers/storage/profiles/auto-secrets.nix rename hosts/hetzner-vm/containers/storage/profiles/{rclone-configs.nix => rcloneConfigs.nix} (100%) rename hosts/hetzner-vm/containers/storage/profiles/{rclone-serve.nix => rcloneServe.nix} (78%) rename hosts/hetzner-vm/containers/storage/profiles/{rclone-sync.nix => rcloneSync.nix} (81%) delete mode 100644 hosts/hetzner-vm/containers/storage/profiles/storage-mount.nix rename hosts/hetzner-vm/data/{container-addresses.nix => containerAddresses.nix} (85%) delete mode 100644 hosts/hetzner-vm/networking.nix rename hosts/hetzner-vm/profiles/{gitlab-static-sites.nix => gitlabStaticSites.nix} (100%) delete mode 100644 hosts/hetzner-vm/profiles/nginx-misc.nix rename hosts/hetzner-vm/profiles/{vaultui.nix => vaultUI.nix} (100%) delete mode 100644 hosts/lappy-t495/profiles/wireguard.nix delete mode 100644 hosts/macmini/default.nix delete mode 100644 
hosts/raspberry/data/wifi-nmconnection.template rename hosts/raspberry/profiles/{auto-storage-backups.nix => autoStorageBackups.nix} (100%) create mode 100644 hosts/raspberry/profiles/cockroachDB.nix delete mode 100644 hosts/raspberry/profiles/cockroachdb.nix delete mode 100644 hosts/raspberry/profiles/external-drive.nix create mode 100644 hosts/raspberry/profiles/externalDrive.nix delete mode 100644 hosts/raspberry/profiles/wireguard.nix delete mode 100644 hosts/tablet/hardware.nix delete mode 100644 hosts/tablet/secrets.nix delete mode 100644 hosts/tablet/tablet.nix delete mode 100644 hosts/vault/hardware.nix delete mode 100644 hosts/vault/networking.nix create mode 100644 lib/containerLib.nix create mode 100644 lib/internalWireGuardLib.nix create mode 100644 modules/nixos/cockroachdb-bin.nix rename modules/nixos/{secrets-lib => secretsLib}/lib.nix (84%) delete mode 100644 overlay/roc-send-pcm/default.nix delete mode 100644 overlay/roc-toolkit-patched/default.nix delete mode 100644 overlay/zar/default.nix create mode 100644 presets/nixos/containerBase.nix rename presets/nixos/{desktop-base.nix => desktopBase.nix} (87%) rename presets/nixos/{desktop-gnome.nix => desktopGnome.nix} (85%) rename presets/nixos/{desktop-sway.nix => desktopSway.nix} (85%) delete mode 100644 presets/nixos/dual-encrypted-drive.nix delete mode 100644 presets/nixos/encrypted-usb.nix create mode 100644 presets/nixos/encryptedUSB.nix rename presets/nixos/{normal-encrypted-drive.nix => normalEncryptedDrive.nix} (51%) create mode 100644 presets/nixos/serverBase.nix rename presets/nixos/{server-encrypted-drive.nix => serverEncryptedDrive.nix} (94%) create mode 100644 presets/nixos/serverHetzner.nix delete mode 100644 profiles/base-darwin/fonts.nix delete mode 100644 profiles/base-darwin/home.nix delete mode 100644 profiles/base-darwin/nix.nix delete mode 100644 profiles/base-darwin/terminals.nix rename profiles/base/{console-locale.nix => consoleLocale.nix} (100%) delete mode 100644 
profiles/chaos-internal-wireguard/secrets.nix create mode 100644 profiles/chaosInternalWireGuard/secrets.nix rename profiles/{chaos-internal-wireguard => chaosInternalWireGuard}/wireguard.nix (69%) delete mode 100644 profiles/cockroachdb-bin-fix.nix rename profiles/connectivity/{ios => iOS}/default.nix (100%) rename profiles/connectivity/{network_manager => networkManager}/nm.nix (100%) rename profiles/{firewall-allow => firewallAllow}/aria2c.nix (100%) rename profiles/{nginx-firewall.nix => firewallAllow/httpCommon.nix} (100%) rename profiles/{firewall-allow => firewallAllow}/soulseek.nix (100%) create mode 100644 profiles/firewallAllow/ssh.nix delete mode 100644 profiles/force_dns/force_dns.nix delete mode 100644 profiles/kernels/latest.nix rename profiles/{nix-gc.nix => nixGC.nix} (100%) rename profiles/{remote-builders.nix => remoteBuilders.nix} (75%) create mode 100644 profiles/serverExtras.nix delete mode 100644 profiles/sound/pulseaudio/pulse-48000.nix delete mode 100644 profiles/sound/pulseaudio/pulse-bluetooth.nix delete mode 100644 profiles/sound/pulseaudio/pulse-recv-native-localhost.nix delete mode 100644 profiles/sound/pulseaudio/pulse-recv-rtp.nix delete mode 100644 profiles/sound/pulseaudio/pulse-systemwide.nix delete mode 100644 profiles/sound/pulseaudio/pulse.nix delete mode 100644 profiles/tlp.nix rename profiles/{usb-automount.nix => usbAutoMount.nix} (54%) create mode 100755 scripts/buildPipedBackendAArch64.sh rename scripts/{deploy-all.sh => deployAll.sh} (100%) rename scripts/{deploy-secrets.sh => deploySecrets.sh} (100%) diff --git a/data/chaosInternalWireGuard.nix b/data/chaosInternalWireGuard.nix new file mode 100644 index 0000000..2a7b7b9 --- /dev/null +++ b/data/chaosInternalWireGuard.nix 
@@ -0,0 +1,29 @@
+let
+ pubkeys = builtins.fromJSON (builtins.readFile ./chaosInternalWireGuardPubKeys.json);
+in rec {
+ hosts = {
+ "hetzner-vm" = {
+ ip = "10.69.42.1";
+ public = pubkeys."hetzner-vm";
+ endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
+ };
+ "vault" = {
+ ip = "10.69.42.2";
+ public = pubkeys."vault";
+ endpoint = "vault.servers.genderfucked.monster:51820";
+ };
+ #"iphone8" = {
+ # ip = "10.69.42.3";
+ # public = "PEBw7EI5uogB433cp8eSfJ5DCEiYj+YG2dZd0XkIV1c=";
+ #};
+ #"lappy-t495" = {
+ # ip = "10.69.42.4";
+ # public = "BR23xeK/nTgw8Ad001wz9wrfS6gTknTpCKZBLG9bnHM=";
+ #};
+ "raspberry" = {
+ ip = "10.69.42.5";
+ public = pubkeys."raspberry";
+ endpoint = "raspberry.servers.genderfucked.monster:51820";
+ };
+ };
+}
diff --git a/data/chaosInternalWireGuardPubKeys.json b/data/chaosInternalWireGuardPubKeys.json
new file mode 100644
index 0000000..a9c51ee
--- /dev/null
+++ b/data/chaosInternalWireGuardPubKeys.json
@@ -0,0 +1,5 @@
+{
+ "hetzner-vm": "xgOQQcZQXftPC25+A7Iyf/XK6/iSo3Osyx6kTrZKdzw=",
+ "vault": "u8hSeht8xR48O9AN+0cSsXPK0ZZFNcnPhOxdc+rsrlI=",
+ "raspberry": "Ghrs0ps2RCsg0My9seLq+8ZFZCM4NLZWE8RiY3g9/RU="
+}
diff --git a/data/chaos_wireguard_internal.nix b/data/chaos_wireguard_internal.nix
deleted file mode 100644
index b662258..0000000
--- a/data/chaos_wireguard_internal.nix
+++ /dev/null
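Review bot: The two commented-out peers (`#"iphone8"`, `#"lappy-t495"`) still carry literal public keys inline, while the live peers now read theirs from chaosInternalWireGuardPubKeys.json, so the new file ends up with two places where peer keys live; either move those entries into the JSON file as well or drop the dead blocks so the key list has one source of truth. The file it replaces exported `all = "10.69.42.1/24"`, which this version omits; no consumer is visible in this hunk, so it is worth grepping for `.all` before merging. `rec` is also no longer doing anything, since `hosts` references no sibling attribute — `in {` is enough.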
@@ -1,29 +0,0 @@ -{}: rec { - all = "10.69.42.1/24"; - - hosts = { - hetzner-vm = { - ip = "10.69.42.1"; - public = "liO33kMSEwuaaH4i6qDuorWssd9s/EfTBKBHQEbaDXE="; - endpoint = "hetzner-vm.servers.genderfucked.monster:51820"; - }; - vault = { - ip = "10.69.42.2"; - public = "GJ/IQ5W2Ch2vSiqcciKkrBA+pVycY2cibhvF1SFzi0I="; - #endpoint = "vault.servers.genderfucked.monster:51820"; - }; - iphone8 = { - ip = "10.69.42.3"; - public = "PEBw7EI5uogB433cp8eSfJ5DCEiYj+YG2dZd0XkIV1c="; - }; - lappy-t495 = { - ip = "10.69.42.4"; - public = "BR23xeK/nTgw8Ad001wz9wrfS6gTknTpCKZBLG9bnHM="; - }; - raspberry = { - ip = "10.69.42.5"; - public = "ld5XI4l/Gmr5JWg8r5midy7MTIgZkWVhMPsJqzIonng="; - endpoint = "raspberry.servers.genderfucked.monster:51820"; - }; - }; -} diff --git a/data/dual_drive_data.nix b/data/dual_drive_data.nix deleted file mode 100644 index 51fc81d..0000000 --- a/data/dual_drive_data.nix +++ /dev/null @@ -1 +0,0 @@ -{}: (import ./normal_drive_data.nix {}) diff --git a/data/encryptedUSB.nix b/data/encryptedUSB.nix new file mode 100644 index 0000000..8850c9f --- /dev/null +++ b/data/encryptedUSB.nix 
@@ -0,0 +1,30 @@
+rec {
+ # Mountpoints
+ mountpoint = "/usb";
+
+ # Partition Labels
+ encryptedPartLabel = "usb";
+ unencryptedLabel = "usb_unencrypted";
+
+ # Partition Filesystems
+ unencryptedFSType = "ext4";
+
+ # Mapper Information
+ mapperName = "usb_unencrypted";
+ preBootMapperName = "usb_unencrypted_preboot";
+
+ # FS Paths
+ encryptedPath = "/dev/disk/by-partlabel/${encryptedPartLabel}";
+ unencryptedPath = "/dev/disk/by-label/${unencryptedLabel}";
+ mapperPath = "/dev/mapper/${mapperName}";
+ preBootMapperPath = "/dev/mapper/${preBootMapperName}";
+
+ # Paths to some important files
+ encryptionKeysPath = "${mountpoint}/encryption-keys";
+
+ chaosAgePrivateKeyPath = "${mountpoint}/age-keys/chaoskey.priv";
+ chaosAgePublicKeyPath = "${mountpoint}/age-keys/chaoskey.pub";
+
+ sshPrivateKeyPath = "${mountpoint}/ssh-keys/chaos.priv";
+ sshPublicKeyPath = "${mountpoint}/ssh-keys/chaos.pub";
+}
diff --git a/data/normalEncryptedDrive.nix b/data/normalEncryptedDrive.nix
new file mode 100644
index 0000000..9c7e358
--- /dev/null
+++ b/data/normalEncryptedDrive.nix
@@ -0,0 +1,23 @@
+rec {
+ # Mountpoints
+ mountpoint = "/";
+ bootMountpoint = "/boot";
+
+ # Partition Labels
+ bootLabel = "nixboot";
+ unencryptedLabel = "nixos";
+ encryptedPartLabel = "nixos_encrypted";
+
+ # Partition Filesystems
+ unencryptedFSType = "ext4";
+ bootFSType = "vfat";
+
+ # Mapper Name
+ mapperName = "cryptroot";
+
+ # FS Paths
+ encryptedPath = "/dev/disk/by-partlabel/${encryptedPartLabel}";
+ decryptedPath = "/dev/mapper/${mapperName}";
+
+ bootPath = "/dev/disk/by-label/${bootLabel}";
+}
diff --git a/data/normal_drive_data.nix b/data/normal_drive_data.nix
deleted file mode 100644
index 223a614..0000000
--- a/data/normal_drive_data.nix
+++ /dev/null
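Review bot: `preBootMapperName` and `preBootMapperPath` are new next to `mapperName`/`mapperPath`, but nothing in the file says when the pre-boot mapper is meant to be used instead of the regular one, and a reader of this data file has no way to tell the two apart. A one-line comment in the `# Mapper Information` section stating the intended use — presumably something like `# preBoot*: mapper name used when the USB is unlocked early in boot, kept distinct from mapperName so the two opens cannot collide` — would settle it; adjust it to the actual use, which is not visible from this hunk. In the same file `unencryptedLabel` and `mapperName` are both `"usb_unencrypted"`; if that is deliberate, a short note saying so would stop the next maintainer from "fixing" one of them.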
@@ -1,23 +0,0 @@ -{}: rec { - # Mountpoints - root_mountpoint = "/"; - boot_mountpoint = "/boot"; - - # Partition Labels - boot_label = "nixboot"; - unencrypted_root_label = "nixos"; - encrypted_root_partlabel = "nixos_encrypted"; - - # Partition Filesystems - unencrypted_root_fs_type = "ext4"; - boot_fs_type = "vfat"; - - # Mapper Name - root_mapper_name = "cryptroot"; - - # FS Paths - encrypted_root_path = "/dev/disk/by-partlabel/${encrypted_root_partlabel}"; - decrypted_root_path = "/dev/mapper/${root_mapper_name}"; - - boot_path = "/dev/disk/by-label/${boot_label}"; -} diff --git a/data/raspberryExternalDrive.nix b/data/raspberryExternalDrive.nix new file mode 100644 index 0000000..cf56720 --- /dev/null +++ b/data/raspberryExternalDrive.nix @@ -0,0 +1,16 @@ +rec { + encryptedLabel = "raspberry_encrypted"; + unencryptedLabel = "raspberry_drive"; + + mapperName = "raspberry_external_drive"; + + mountpoint = "/external_drive"; + + encryptedPath = "/dev/disk/by-label/${encryptedLabel}"; + unencryptedPath = "/dev/disk/by-label/${unencryptedLabel}"; + mapperPath = "/dev/mapper/${mapperName}"; + + backupsPath = "${mountpoint}/backups"; + storagePath = "${mountpoint}/storage"; + extrasPath = "${mountpoint}/extras"; +} diff --git a/data/raspberry_ext_drive.nix b/data/raspberry_ext_drive.nix deleted file mode 100644 index df0d81a..0000000 --- a/data/raspberry_ext_drive.nix +++ /dev/null @@ -1,16 +0,0 @@ -{}: rec { - encrypted_label = "raspberry_encrypted"; - unencrypted_label = "raspberry_drive"; - - mapper_name = "raspberry_external_drive"; - - mountpoint = "/external_drive"; - - backups_path = "${mountpoint}/backups"; - storage_path = "${mountpoint}/storage"; - extras_path = "${mountpoint}/extras"; - - encrypted_path = "/dev/disk/by-label/${encrypted_label}"; - unencrypted_path = "/dev/disk/by-label/${unencrypted_label}"; - mapper_path = "/dev/mapper/${mapper_name}"; -} diff --git a/data/serverIPs.nix b/data/serverIPs.nix new file mode 100644 index 0000000..72bb22b 
--- /dev/null +++ b/data/serverIPs.nix @@ -0,0 +1,10 @@ +rec { + "hetzner-vm" = { + ipv4 = "65.21.182.73"; + ipv6 = "2a01:4f9:c010:8beb::1"; + }; + "vault" = { + ipv4 = "65.21.145.62"; + ipv6 = "2a01:4f9:c010:6a89::1"; + }; +} diff --git a/data/usb_data.nix b/data/usb_data.nix deleted file mode 100644 index 9fda4a7..0000000 --- a/data/usb_data.nix +++ /dev/null @@ -1,28 +0,0 @@ -{}: rec { - # Mountpoints - mountpoint = "/usb"; - - # Partition Labels - encrypted_partlabel = "usb"; - unencrypted_label = "usb_unencrypted"; - - # Partition Filesystems - unencrypted_fs_type = "ext4"; - - # Mapper Information - mapper_name = "usb_unencrypted"; - - # FS Paths - encrypted_path = "/dev/disk/by-partlabel/${encrypted_partlabel}"; - unencrypted_path = "/dev/disk/by-label/${unencrypted_label}"; - mapper_path = "/dev/mapper/${mapper_name}"; - - # Paths to some important files - encryption_keys_path = "${mountpoint}/encryption-keys"; - - chaos_age_privkey_path = "${mountpoint}/age-keys/chaoskey.priv"; - chaos_age_pubkey_path = "${mountpoint}/age-keys/chaoskey.pub"; - - ssh_priv_path = "${mountpoint}/ssh-keys/chaos.priv"; - ssh_pub_path = "${mountpoint}/ssh-keys/chaos.pub"; -} diff --git a/deployNodes.nix b/deployNodes.nix deleted file mode 100644 index 1ea97f3..0000000 --- a/deployNodes.nix +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - nixosConfigurations, - deploy-rs, - ... -}: let - activateNixOS_x64_64-linux = deploy-rs.lib.x86_64-linux.activate.nixos; -in { - tablet = { - hostname = "tablet.internal.genderfucked.monster"; - profiles.system = { - user = "root"; - sshUser = "root"; - path = activateNixOS_x64_64-linux nixosConfigurations.tablet; - }; - }; - hetzner-vm = { - hostname = "hetzner-vm.servers.genderfucked.monster"; - username = "root"; - profiles.system = { - user = "root"; - sshUser = "root"; - path = activateNixOS_x64_64-linux nixosConfigurations.hetzner-vm; - }; - }; - storage = { - hostname = "storage.servers.genderfucked.monster"; - username = "root"; - profiles.system = { - user = "root"; - sshUser = "root"; - path = activateNixOS_x64_64-linux nixosConfigurations.storage; - }; - }; - vault = { - hostname = "vault.servers.genderfucked.monster"; - username = "root"; - profiles.system = { - user = "root"; - sshUser = "root"; - path = activateNixOS_x64_64-linux nixosConfigurations.vault; - }; - }; - buildbox = { - hostname = "buildbox.servers.genderfucked.monster"; - username = "root"; - profiles.system = { - user = "root"; - sshUser = "root"; - path = activateNixOS_x64_64-linux nixosConfigurations.buildbox; - }; - }; -} diff --git a/extras/internal-wireguard-lib.nix b/extras/internal-wireguard-lib.nix deleted file mode 100644 index a89285f..0000000 --- a/extras/internal-wireguard-lib.nix +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - lib, - pkgs, - ... -}: let - wireguard_data = import ../data/chaos_wireguard_internal.nix {}; - wireguard_hosts = wireguard_data.hosts; - - inherit (pkgs) writeShellScriptBin; - inherit (lib.lists) forEach filter; - inherit (builtins) hasAttr attrNames; - - kvPathForHost = host: "/private-public-keys/wireguard/chaos-internal/${host}"; -in rec { - initAllScript = writeShellScriptBin "wg-keys-init-all" (let - vault = "${pkgs.vault-bin}/bin/vault"; - jq = "${pkgs.jq}/bin/jq"; - in '' - - ${lib.concatStringsSep "\n" (lib.forEach (attrNames wireguard_hosts) (hostName: '' - if [ -z "$PRESHARED_ONLY" ]; then - echo "{}" | vault kv put "${kvPathForHost hostName}" - 2>/dev/null - fi - ''))} - - ${lib.concatStringsSep "\n" (lib.forEach (attrNames wireguard_hosts) (hostName: '' - echo "Deploying keys for ${hostName}" - - "${genInitScript hostName}/bin/wg-keys-init-${hostName}" - ''))} - - ${lib.concatStringsSep "\n" (lib.forEach (attrNames wireguard_hosts) (hostName: '' - echo - - PUBLIC=$(${vault} kv get -format=json "${kvPathForHost hostName}" | ${jq} .data.data.public) - echo "Public Key for ${hostName}: $PUBLIC" - ''))} - ''); - - genInitScript = systemHostName: (writeShellScriptBin "wg-keys-init-${systemHostName}" (let - vault = "${pkgs.vault-bin}/bin/vault"; - jq = "${pkgs.jq}/bin/jq"; - wg = "${pkgs.wireguard-tools}/bin/wg"; - sponge = "${pkgs.moreutils}/bin/sponge"; - - hostsWithEndpoints = filter (hostName: (hostName != systemHostName && hasAttr "endpoint" wireguard_hosts.${hostName})) (attrNames wireguard_hosts); - in '' - PRIVATE=$(${wg} genkey) - PUBLIC=$(echo "$PRIVATE" | ${wg} pubkey) - - TMP_DIR=$(mktemp -d) - pushd "$TMP_DIR" - - echo "{}" > currentHost.json - if [ -z "$PRESHARED_ONLY" ]; then - ${jq} ".public = \"$PUBLIC\"" currentHost.json | ${sponge} currentHost.json - ${jq} ".private = \"$PRIVATE\"" currentHost.json | ${sponge} currentHost.json - fi - - ${jq} '.preshared_keys = {}' currentHost.json | ${sponge} currentHost.json - - 
${lib.concatStringsSep "\n" (lib.forEach hostsWithEndpoints (hostName: '' - echo "Generating preshared key for ${hostName}" - - PSK=$(${wg} genpsk) - ${jq} ".preshared_keys.\"${hostName}\" = \"$PSK\"" currentHost.json | ${sponge} currentHost.json - ''))} - - - ${lib.concatStringsSep "\n" (lib.forEach hostsWithEndpoints (hostName: '' - echo "Deploying preshared key for ${hostName}" - - PSK=$(jq -r '.preshared_keys."${hostName}"' currentHost.json) - - ${vault} kv get -format=json "${kvPathForHost hostName}" 2>/dev/null | jq -r .data.data > otherHost.json - ${jq} ".preshared_keys.\"${systemHostName}\" = \"$PSK\"" otherHost.json | ${sponge} otherHost.json - cat otherHost.json | vault kv put "${kvPathForHost hostName}" - 2>/dev/null - - rm otherHost.json - ''))} - - if [ -z "$PRESHARED_ONLY" ]; then - cat currentHost.json | ${vault} kv put "${kvPathForHost systemHostName}" - 2>/dev/null - cat currentHost.json | jq - fi - rm currentHost.json - - - popd - - rm -rf "$TMP_DIR" - - echo "Public Key for ${systemHostName}: $PUBLIC" - '')); -} diff --git a/extras/mk-dual-enc-ssd.nix b/extras/mk-dual-enc-ssd.nix deleted file mode 100644 index 9c4f24d..0000000 --- a/extras/mk-dual-enc-ssd.nix +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - stdenv, - bash, - parted, - cryptsetup, - e2fsprogs, - dosfstools, -}: let - ssd_data = import ../data/dual_drive_data.nix {}; -in - stdenv.mkDerivation { - name = "mk-dual-enc-ssd"; - src = ./mk-dual-enc-ssd.sh; - unpackPhase = '' - for srcFile in $src; do - cp $srcFile $(stripHash $srcFile) - done - ''; - - inherit bash parted cryptsetup e2fsprogs dosfstools; - - patchPhase = '' - substituteAllInPlace mk-dual-enc-ssd.sh - substituteInPlace mk-dual-enc-ssd.sh \ - --replace "@SSD_ENCRYPTED_PARTLABEL@" "${ssd_data.encrypted_root_partlabel}" \ - --replace "@SSD_UNENCRYPTED_LABEL@" "${ssd_data.unencrypted_root_label}" \ - --replace "@SSD_BOOT_LABEL@" "${ssd_data.boot_label}" - ''; - - installPhase = '' - mkdir -p $out/bin - cp mk-dual-enc-ssd.sh $out/bin/mk-dual-enc-ssd - chmod +x $out/bin/mk-dual-enc-ssd - ''; - } diff --git a/extras/mk-dual-enc-ssd.sh b/extras/mk-dual-enc-ssd.sh deleted file mode 100644 index b8bf7f3..0000000 --- a/extras/mk-dual-enc-ssd.sh +++ /dev/null 
@@ -1,63 +0,0 @@ -#! @bash@/bin/sh - -set -e - -# e.g /dev/nvme0n1 -SSD_PATH=$1 -KEY_FILE=$2 -NIXOS_SIZE=$3 - -if echo "$SSD_PATH" | grep -q "[0-9]$"; then - PARTITION_SEPARATOR="p" -else - PARTITION_SEPARATOR="" -fi - -if [ -z "$SSD_PATH" ]; then - echo "Please specify a path to device as first argument" - exit 1 -fi - -if [ -z "$KEY_FILE" ]; then - echo "Please specify a key file to use" - exit 1 -fi - -if [ -z "$NIXOS_SIZE" ]; then - echo "Please specify how big to make the NixOS partition" - exit 1 -fi - -if [ "$EUID" -ne 0 ]; then - echo "Please run as root" - exit -fi - -# encrypted partition label -SSD_ENCRYPTED_PARTLABEL=@SSD_ENCRYPTED_PARTLABEL@ -# unencrypted filesystem label -SSD_UNENCRYPTED_LABEL=@SSD_UNENCRYPTED_LABEL@ -# ssd boot label -SSD_BOOT_LABEL=@SSD_BOOT_LABEL@ - -echo "Creating Partitions..." -@parted@/bin/parted ${SSD_PATH} -- mklabel gpt -@parted@/bin/parted ${SSD_PATH} -- mkpart ESP fat32 1MiB 1024MiB -@parted@/bin/parted ${SSD_PATH} -- mkpart primary 1072MiB "${NIXOS_SIZE}" -@parted@/bin/parted ${SSD_PATH} -- set 1 esp on -@parted@/bin/parted ${SSD_PATH} -- name 1 "${SSD_BOOT_LABEL}" -@parted@/bin/parted ${SSD_PATH} -- name 2 "${SSD_ENCRYPTED_PARTLABEL}" - -echo "Formatting boot partition" -@dosfstools@/bin/mkfs.fat -n "${SSD_BOOT_LABEL}" "${SSD_PATH}${PARTITION_SEPARATOR}1" - -echo "Creating Encrypted Partition" -@cryptsetup@/bin/cryptsetup luksFormat "${SSD_PATH}${PARTITION_SEPARATOR}2" --key-file "${KEY_FILE}" - -echo "Opening Encrypted Partition" -@cryptsetup@/bin/cryptsetup open "${SSD_PATH}${PARTITION_SEPARATOR}2" "mk_dual_enc_ssd" --key-file "${KEY_FILE}" - -echo "Formatting Encrypted Root Filesystem" -@e2fsprogs@/bin/mkfs.ext4 -L "${SSD_UNENCRYPTED_LABEL}" /dev/mapper/mk_dual_enc_ssd - -echo "mount /dev/mapper/mk_dual_enc_ssd to install" \ No newline at end of file diff --git a/extras/mk-enc-usb.nix b/extras/mk-enc-usb.nix index 58f37da..e8cce4c 100644 --- a/extras/mk-enc-usb.nix +++ b/extras/mk-enc-usb.nix 
@@ -1,33 +1,57 @@ { - stdenv, - bash, parted, cryptsetup, e2fsprogs, + writeShellApplication, }: let - usb_data = import ../data/usb_data.nix {}; -in - stdenv.mkDerivation { - name = "mk-enc-usb"; - src = ./mk-enc-usb.sh; - unpackPhase = '' - for srcFile in $src; do - cp $srcFile $(stripHash $srcFile) - done - ''; + encryptedUSBData = import ../data/encryptedUSB.nix; +in (writeShellApplication { + name = "mk-enc-usb"; + runtimeInputs = [ + parted + cryptsetup + e2fsprogs + ]; + text = '' + if [ -z "''${1-}" ]; then + echo "Please specify a path to device as first argument" + exit 1 + fi - inherit bash parted cryptsetup e2fsprogs; + # e.g /dev/sdb + USB_DEVICE=$1 - patchPhase = '' - substituteAllInPlace mk-enc-usb.sh - substituteInPlace mk-enc-usb.sh \ - --replace "@USB_ENCRYPTED_PARTLABEL@" "${usb_data.encrypted_partlabel}" \ - --replace "@USB_UNENCRYPTED_LABEL@" "${usb_data.unencrypted_label}" - ''; + if echo "$USB_DEVICE" | grep -q "[0-9]$"; then + PARTITION_SEPARATOR="p" + else + PARTITION_SEPARATOR="" + fi - installPhase = '' - mkdir -p $out/bin - cp mk-enc-usb.sh $out/bin/mk-enc-usb - chmod +x $out/bin/mk-enc-usb - ''; - } + if [ "$EUID" -ne 0 ]; then + echo "Please run as root" + exit + fi + + echo "Creating Encrypted USB." + + echo "Creating Partitions..." + parted "$USB_DEVICE" -- mklabel gpt + parted "$USB_DEVICE" -- mkpart primary 0% 100% + + echo "Creating Encrypted Partition" + cryptsetup luksFormat "''${USB_DEVICE}''${PARTITION_SEPARATOR}1" + + echo "Opening Encrypted Partition" + cryptsetup open "''${USB_DEVICE}''${PARTITION_SEPARATOR}1" "mk_enc_usb" + + echo "Making Encrypted Filesystem" + mkfs.ext4 -L "${encryptedUSBData.unencryptedLabel}" /dev/mapper/mk_enc_usb + + echo "Closing Encrypted Partition" + cryptsetup close "mk_enc_usb" + + # Do this now so that i can run the damn script with usb-automount and stop it trying to mount + echo "Naming Partitions" + parted "$USB_DEVICE" -- name 1 ${encryptedUSBData.encryptedPartLabel} + ''; +}) 
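Review bot: The root check `if [ "$EUID" -ne 0 ]; then echo "Please run as root"; exit; fi` exits with the status of the preceding `echo`, i.e. 0, so a non-root run reports success to whatever invoked it; it should be `exit 1`. The same bare `exit` is carried into extras/mk-normal-enc-ssd.nix in this commit. Separately, `$USB_DEVICE` is only checked for being non-empty before `parted "$USB_DEVICE" -- mklabel gpt` rewrites its partition table, and parted is happy to operate on a regular file, so a mistyped path to an existing file would get a GPT label written into it; a guard such as `[ -b "$USB_DEVICE" ] || { echo "$USB_DEVICE is not a block device"; exit 1; }` next to the argument check is cheap insurance.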
diff --git a/extras/mk-enc-usb.sh b/extras/mk-enc-usb.sh deleted file mode 100644 index 8c8eb85..0000000 --- a/extras/mk-enc-usb.sh +++ /dev/null @@ -1,49 +0,0 @@ -#! @bash@/bin/sh - -set -e - -# e.g /dev/sdb -USB_DEVICE=$1 - -if echo "$USB_DEVICE" | grep -q "[0-9]$"; then - PARTITION_SEPARATOR="p" -else - PARTITION_SEPARATOR="" -fi - -if [ -z "$USB_DEVICE" ]; then - echo "Please specify a path to device as first argument" - exit 1 -fi - -if [ "$EUID" -ne 0 ]; then - echo "Please run as root" - exit -fi - -# encrypted partition label -USB_ENCRYPTED_PARTLABEL=@USB_ENCRYPTED_PARTLABEL@ -# unencrypted filesystem label -USB_UNENCRYPTED_LABEL=@USB_UNENCRYPTED_LABEL@ - -echo "Creating Encrypted USB." - -echo "Creating Partitions..." -@parted@/bin/parted ${USB_DEVICE} -- mklabel gpt -@parted@/bin/parted ${USB_DEVICE} -- mkpart primary 0% 100% - -echo "Creating Encrypted Partition" -@cryptsetup@/bin/cryptsetup luksFormat "${USB_DEVICE}${PARTITION_SEPARATOR}1" - -echo "Opening Encrypted Partition" -@cryptsetup@/bin/cryptsetup open "${USB_DEVICE}${PARTITION_SEPARATOR}1" "mk_enc_usb" - -echo "Making Encrypted Filesystem" -@e2fsprogs@/bin/mkfs.ext4 -L "${USB_UNENCRYPTED_LABEL}" /dev/mapper/mk_enc_usb - -echo "Closing Encrypted Partition" -@cryptsetup@/bin/cryptsetup close "mk_enc_usb" - -# Do this now so that i can run the damn script with usb-automount and stop it trying to mount -echo "Naming Partitions" -@parted@/bin/parted ${USB_DEVICE} -- name 1 "${USB_ENCRYPTED_PARTLABEL}" diff --git a/extras/mk-normal-enc-ssd.nix b/extras/mk-normal-enc-ssd.nix index 4b817e7..0a2f082 100644 --- a/extras/mk-normal-enc-ssd.nix +++ b/extras/mk-normal-enc-ssd.nix 
@@ -1,35 +1,64 @@ { - stdenv, - bash, parted, cryptsetup, e2fsprogs, dosfstools, + writeShellApplication, }: let - ssd_data = import ../data/normal_drive_data.nix {}; -in - stdenv.mkDerivation { - name = "mk-normal-enc-ssd"; - src = ./mk-normal-enc-ssd.sh; - unpackPhase = '' - for srcFile in $src; do - cp $srcFile $(stripHash $srcFile) - done - ''; + ssdData = import ../data/normalEncryptedDrive.nix; +in (writeShellApplication { + name = "mk-normal-enc-ssd"; + runtimeInputs = [ + parted + cryptsetup + e2fsprogs + dosfstools + ]; + text = '' + if [ -z "''${1-}" ]; then + echo "Please specify a path to device as first argument" + exit 1 + fi - inherit bash parted cryptsetup e2fsprogs dosfstools; + if [ -z "''${2-}" ]; then + echo "Please specify a path to key file as second argument" + exit 1 + fi - patchPhase = '' - substituteAllInPlace mk-normal-enc-ssd.sh - substituteInPlace mk-normal-enc-ssd.sh \ - --replace "@SSD_ENCRYPTED_PARTLABEL@" "${ssd_data.encrypted_root_partlabel}" \ - --replace "@SSD_UNENCRYPTED_LABEL@" "${ssd_data.unencrypted_root_label}" \ - --replace "@SSD_BOOT_LABEL@" "${ssd_data.boot_label}" - ''; + SSD_PATH=$1 + KEY_FILE=$2 - installPhase = '' - mkdir -p $out/bin - cp mk-normal-enc-ssd.sh $out/bin/mk-normal-enc-ssd - chmod +x $out/bin/mk-normal-enc-ssd - ''; - } + if echo "$SSD_PATH" | grep -q "[0-9]$"; then + PARTITION_SEPARATOR="p" + else + PARTITION_SEPARATOR="" + fi + + if [ "$EUID" -ne 0 ]; then + echo "Please run as root" + exit + fi + + echo "Creating Partitions..." 
+ parted "$SSD_PATH" -- mklabel gpt + parted "$SSD_PATH" -- mkpart ESP fat32 1MiB 512MiB + parted "$SSD_PATH" -- mkpart primary 620MiB -1MiB + parted "$SSD_PATH" -- set 1 esp on + parted "$SSD_PATH" -- name 1 "${ssdData.bootLabel}" + parted "$SSD_PATH" -- name 2 "${ssdData.encryptedPartLabel}" + + echo "Formatting boot partition" + mkfs.fat -n "${ssdData.bootLabel}" "''${SSD_PATH}''${PARTITION_SEPARATOR}1" + + echo "Creating Encrypted Partition" + cryptsetup luksFormat "''${SSD_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" + + echo "Opening Encrypted Partition" + cryptsetup open "''${SSD_PATH}''${PARTITION_SEPARATOR}2" "mk_normal_enc_ssd" --key-file "$KEY_FILE" + + echo "Formatting Encrypted Root Filesystem" + mkfs.ext4 -L "${ssdData.unencryptedLabel}" /dev/mapper/mk_normal_enc_ssd + + echo "mount /dev/mapper/mk_normal_enc_ssd to install" + ''; +}) diff --git a/extras/mk-normal-enc-ssd.sh b/extras/mk-normal-enc-ssd.sh deleted file mode 100644 index 0960f78..0000000 --- a/extras/mk-normal-enc-ssd.sh +++ /dev/null 
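Review bot: `$KEY_FILE` is only checked for being non-empty, yet it is first used by `cryptsetup luksFormat` after the disk has already been relabelled and the boot partition formatted, so a typo in the path leaves a half-built, wiped drive behind. Since writeShellApplication runs with `set -e`, a readability check before the first `parted` call keeps the destructive steps from starting at all: `if [ ! -r "$KEY_FILE" ]; then echo "Key file $KEY_FILE is not readable"; exit 1; fi`. The raspberry hunk below takes a key file the same way and would benefit from the same guard.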
@@ -1,57 +0,0 @@ -#! @bash@/bin/sh - -set -e - -# e.g /dev/nvme0n1 -SSD_PATH=$1 -KEY_FILE=$2 - -if echo "$SSD_PATH" | grep -q "[0-9]$"; then - PARTITION_SEPARATOR="p" -else - PARTITION_SEPARATOR="" -fi - -if [ -z "$SSD_PATH" ]; then - echo "Please specify a path to device as first argument" - exit 1 -fi - -if [ -z "$KEY_FILE" ]; then - echo "Please specify a key file to use" - exit 1 -fi - -if [ "$EUID" -ne 0 ]; then - echo "Please run as root" - exit -fi - -# encrypted partition label -SSD_ENCRYPTED_PARTLABEL=@SSD_ENCRYPTED_PARTLABEL@ -# unencrypted filesystem label -SSD_UNENCRYPTED_LABEL=@SSD_UNENCRYPTED_LABEL@ -# ssd boot label -SSD_BOOT_LABEL=@SSD_BOOT_LABEL@ - -echo "Creating Partitions..." -@parted@/bin/parted ${SSD_PATH} -- mklabel gpt -@parted@/bin/parted ${SSD_PATH} -- mkpart ESP fat32 1MiB 512MiB -@parted@/bin/parted ${SSD_PATH} -- mkpart primary 620MiB -1MiB -@parted@/bin/parted ${SSD_PATH} -- set 1 esp on -@parted@/bin/parted ${SSD_PATH} -- name 1 "${SSD_BOOT_LABEL}" -@parted@/bin/parted ${SSD_PATH} -- name 2 "${SSD_ENCRYPTED_PARTLABEL}" - -echo "Formatting boot partition" -@dosfstools@/bin/mkfs.fat -n "${SSD_BOOT_LABEL}" "${SSD_PATH}${PARTITION_SEPARATOR}1" - -echo "Creating Encrypted Partition" -@cryptsetup@/bin/cryptsetup luksFormat "${SSD_PATH}${PARTITION_SEPARATOR}2" --key-file "${KEY_FILE}" - -echo "Opening Encrypted Partition" -@cryptsetup@/bin/cryptsetup open "${SSD_PATH}${PARTITION_SEPARATOR}2" "mk_normal_enc_ssd" --key-file "${KEY_FILE}" - -echo "Formatting Encrypted Root Filesystem" -@e2fsprogs@/bin/mkfs.ext4 -L "${SSD_UNENCRYPTED_LABEL}" /dev/mapper/mk_normal_enc_ssd - -echo "mount /dev/mapper/mk_normal_enc_ssd to install" \ No newline at end of file diff --git a/extras/mk-raspberry-ext-drive.nix b/extras/mk-raspberry-ext-drive.nix index e7dddc4..95d5646 100644 --- a/extras/mk-raspberry-ext-drive.nix +++ b/extras/mk-raspberry-ext-drive.nix 
@@ -1,35 +1,67 @@ { - stdenv, - bash, util-linux, cryptsetup, btrfs-progs, + writeShellApplication, }: let - external_drive_data = import ../data/raspberry_ext_drive.nix {}; -in - stdenv.mkDerivation { - name = "mk-raspberry-ext-drive"; - src = ./mk-raspberry-ext-drive.sh; - unpackPhase = '' - for srcFile in $src; do - cp $srcFile $(stripHash $srcFile) - done - ''; + externalDriveData = import ../data/raspberryExternalDrive.nix; +in (writeShellApplication { + name = "mk-raspberry-ext-drive"; + runtimeInputs = [ + util-linux + cryptsetup + btrfs-progs + ]; + text = '' + if [ -z "''${1-}" ]; then + echo "Please specify a path to device as first argument" + exit 1 + fi - patchPhase = '' - substituteAllInPlace mk-raspberry-ext-drive.sh - substituteInPlace mk-raspberry-ext-drive.sh \ - --replace "@util-linux@" "${util-linux}" \ - --replace "@btrfs-progs@" "${btrfs-progs}" \ - --replace "@cryptsetup@" "${cryptsetup}" \ - --replace "@bash@" "${bash}" \ - --replace "@ENCRYPTED_LABEL@" "${external_drive_data.encrypted_label}" \ - --replace "@UNENCRYPTED_LABEL@" "${external_drive_data.unencrypted_label}" - ''; + DRIVE_PATH=$1 - installPhase = '' - mkdir -p $out/bin - cp mk-raspberry-ext-drive.sh $out/bin/mk-raspberry-ext-drive - chmod +x $out/bin/mk-raspberry-ext-drive - ''; - } + if [ -z "''${2-}" ]; then + echo "Please specify a key file to use" + exit 1 + fi + + KEY_FILE=$2 + + if [ -z "''${3-}" ]; then + echo "Please specify a temp mountpoint to use" + exit 1 + fi + + TEMP_MOUNTPOINT=$3 + + if [ "$EUID" -ne 0 ]; then + echo "Please run as root" + exit + fi + echo "Wiping Partitions..." 
+ wipefs --all "$DRIVE_PATH" + + echo "Creating Encrypted Partition" + cryptsetup luksFormat "$DRIVE_PATH" --key-file "$KEY_FILE" --label "${externalDriveData.encryptedLabel}" + + echo "Opening Encrypted Partition" + cryptsetup open "$DRIVE_PATH" "mk-raspberry-ext-drive" --key-file "$KEY_FILE" + + echo "Formatting Encrypted Filesystem" + mkfs.btrfs -L "${externalDriveData.unencryptedLabel}" /dev/mapper/mk-raspberry-ext-drive + + echo "Mounting Partition" + mount -t btrfs /dev/mapper/mk-raspberry-ext-drive "$TEMP_MOUNTPOINT" + + echo "Creating Folders" + mkdir "$TEMP_MOUNTPOINT/backups" + mkdir "$TEMP_MOUNTPOINT/storage" + mkdir "$TEMP_MOUNTPOINT/extras" + + echo "Unmounting" + umount "$TEMP_MOUNTPOINT" + + echo "Closing mapper device" + cryptsetup close "mk-raspberry-ext-drive" + ''; +}) diff --git a/extras/mk-raspberry-ext-drive.sh b/extras/mk-raspberry-ext-drive.sh deleted file mode 100644 index e332208..0000000 --- a/extras/mk-raspberry-ext-drive.sh +++ /dev/null 
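Review bot: Between `cryptsetup open` and the final `cryptsetup close`, any failing command (the `mount`, a `mkdir`, the `umount`) aborts the script under the `set -e` that writeShellApplication enables, leaving the btrfs filesystem mounted on `$TEMP_MOUNTPOINT` and the `mk-raspberry-ext-drive` mapper device open with the key material loaded; a rerun then fails at `cryptsetup open` with an unhelpful "already exists". A one-line ERR trap placed right after the `open` covers this: `trap 'umount "$TEMP_MOUNTPOINT" 2>/dev/null; cryptsetup close mk-raspberry-ext-drive 2>/dev/null' ERR`. It may also be worth stating in a comment that `$TEMP_MOUNTPOINT` must already exist, since `mount` does not create it.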
@@ -1,65 +0,0 @@ -#! @bash@/bin/sh - -set -e - -# e.g /dev/nvme0n1 -DRIVE_PATH=$1 -KEY_FILE=$2 -TEMP_MOUNTPOINT=$3 - -if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then - PARTITION_SEPARATOR="p" -else - PARTITION_SEPARATOR="" -fi - -if [ -z "$DRIVE_PATH" ]; then - echo "Please specify a path to device as first argument" - exit 1 -fi - -if [ -z "$KEY_FILE" ]; then - echo "Please specify a key file to use" - exit 1 -fi - -if [ -z "$TEMP_MOUNTPOINT" ]; then - echo "Please specify a temp mountpoint to use" - exit 1 -fi - -if [ "$EUID" -ne 0 ]; then - echo "Please run as root" - exit -fi - -# encrypted partition label -ENCRYPTED_LABEL=@ENCRYPTED_LABEL@ -# unencrypted filesystem label -UNENCRYPTED_LABEL=@UNENCRYPTED_LABEL@ - -echo "Wiping Partitions..." -@util-linux@/bin/wipefs --all ${DRIVE_PATH} - -echo "Creating Encrypted Partition" -@cryptsetup@/bin/cryptsetup luksFormat "${DRIVE_PATH}" --key-file "${KEY_FILE}" --label "${ENCRYPTED_LABEL}" - -echo "Opening Encrypted Partition" -@cryptsetup@/bin/cryptsetup open "${DRIVE_PATH}" "mk-raspberry-ext-drive" --key-file "${KEY_FILE}" - -echo "Formatting Encrypted Filesystem" -@btrfs-progs@/bin/mkfs.btrfs -L "${UNENCRYPTED_LABEL}" /dev/mapper/mk-raspberry-ext-drive - -echo "Mounting Partition" -mount -t btrfs /dev/mapper/mk-raspberry-ext-drive "$TEMP_MOUNTPOINT" - -echo "Creating Folders" -mkdir "$TEMP_MOUNTPOINT/backups" -mkdir "$TEMP_MOUNTPOINT/storage" -mkdir "$TEMP_MOUNTPOINT/extras" - -echo "Unmounting" -umount "$TEMP_MOUNTPOINT" - -echo "Closing mapper device" -@cryptsetup@/bin/cryptsetup close "mk-raspberry-ext-drive" diff --git a/extras/shenanigans-hotspot.nix b/extras/shenanigans-hotspot.nix deleted file mode 100644 index 8fc87bf..0000000 --- a/extras/shenanigans-hotspot.nix +++ /dev/null 
@@ -1,96 +0,0 @@ -{ - lib, - pkgs, - nixpkgs, - config, - ... -}: let - wifiInterface = "shenanigans0"; - wifiMac = "00:0F:55:A8:2B:8E"; - - usbethInterface = "shenanigans1"; - usbethMac = "d0:37:45:88:9a:49"; - - ssid = "Shenanigans"; - password = "password123"; -in { - boot.extraModulePackages = with config.boot.kernelPackages; [rtl8812au]; - nixpkgs.config.allowBroken = true; - - services.udev.extraRules = '' - KERNEL=="wlan*", ATTR{address}=="${ - lib.toLower wifiMac - }", NAME="${wifiInterface}" - KERNEL=="eth*", ACTION=="add", ATTR{address}=="${ - lib.toLower usbethMac - }", NAME="${usbethInterface}" - ''; - - networking.interfaces."${wifiInterface}".ipv4.addresses = [ - { - address = "192.168.2.1"; - prefixLength = 24; - } - ]; - - networking.interfaces."${usbethInterface}".ipv4.addresses = [ - { - address = "192.168.2.1"; - prefixLength = 24; - } - ]; - - networking.networkmanager.unmanaged = [ - # Wifi - "interface-name:${wifiInterface}" - "mac:${wifiMac}" - "interface-name:${usbethInterface}" - "mac:${usbethMac}" - ]; - - systemd.services.wifi-relay = let - inherit (pkgs) iptables; - in { - description = "iptables rules for wifi-relay"; - after = ["dhcpd4.service"]; - wantedBy = ["multi-user.target"]; - script = '' - ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o ${wifiInterface} -j MASQUERADE - ${iptables}/bin/iptables -w -I FORWARD -i ${wifiInterface} -s 192.168.2.0/24 -j ACCEPT - ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! 
-o ${usbethInterface} -j MASQUERADE - ${iptables}/bin/iptables -w -I FORWARD -i ${usbethInterface} -s 192.168.2.0/24 -j ACCEPT - #${iptables}/bin/iptables -t nat -A PREROUTING -i ${wifiInterface} -p tcp --dport 80 -j REDIRECT --to-port 8080 - #${iptables}/bin/iptables -t nat -A PREROUTING -i ${wifiInterface} -p tcp --dport 443 -j REDIRECT --to-port 8080 - ''; - }; - - networking.firewall = { - trustedInterfaces = [wifiInterface usbethInterface]; - checkReversePath = lib.mkForce false; - allowedTCPPorts = [53 80 443]; - }; - - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - networking.firewall.allowedUDPPorts = [53 67]; - - services.hostapd = { - enable = true; - interface = wifiInterface; - inherit ssid; - wpaPassphrase = password; - }; - - services.dhcpd4 = { - enable = true; - interfaces = ["${usbethInterface}"]; - extraConfig = '' - subnet 192.168.2.0 netmask 255.255.255.0 { - range 192.168.2.100 192.168.2.200; - option subnet-mask 255.255.255.0; - option broadcast-address 192.168.2.255; - option routers 192.168.2.1; - option domain-name-servers 192.168.2.1; - } - ''; - }; -} diff --git a/flake.lock b/flake.lock index aa04c62..a48b41d 100644 --- a/flake.lock +++ b/flake.lock @@ -1,31 +1,5 @@ { "nodes": { - "deploy-rs": { - "inputs": { - "flake-compat": [ - "flake-compat" - ], - "nixpkgs": [ - "nixpkgs-unstable" - ], - "utils": [ - "flake-utils" - ] - }, - "locked": { - "lastModified": 1694513707, - "narHash": "sha256-wE5kHco3+FQjc+MwTPwLVqYz4hM7uno2CgXDXUFMCpc=", - "owner": "serokell", - "repo": "deploy-rs", - "rev": "31c32fb2959103a796e07bbe47e0a5e287c343a8", - "type": "github" - }, - "original": { - "owner": "serokell", - "repo": "deploy-rs", - "type": "github" - } - }, "flake-compat": { "flake": false, "locked": { @@ -217,7 +191,6 @@ }, "root": { "inputs": { - "deploy-rs": "deploy-rs", "flake-compat": "flake-compat", "flake-utils": "flake-utils", "gitlab_archiver": "gitlab_archiver", diff --git a/flake.nix b/flake.nix index e8961ad..5444688 100644 
--- a/flake.nix +++ b/flake.nix @@ -16,19 +16,11 @@ home-manager-unstable.url = "github:nix-community/home-manager"; home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable"; - #nix-darwin-unstable.url = "github:lnl7/nix-darwin/master"; - #nix-darwin-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable"; - tree-input.url = "github:kittywitch/tree"; tree-input.inputs.nixpkgs.follows = "nixpkgs-unstable"; nur.url = "github:nix-community/NUR"; - deploy-rs.url = "github:serokell/deploy-rs"; - deploy-rs.inputs.nixpkgs.follows = "nixpkgs-unstable"; - deploy-rs.inputs.utils.follows = "flake-utils"; - deploy-rs.inputs.flake-compat.follows = "flake-compat"; - vaultui.url = "gitlab:ChaotiCryptidz/VaultUI"; vaultui.inputs.nixpkgs.follows = "nixpkgs-unstable"; vaultui.inputs.utils.follows = "flake-utils"; diff --git a/home/apps/file-roller.nix b/home/apps/fileRoller.nix similarity index 100% rename from home/apps/file-roller.nix rename to home/apps/fileRoller.nix diff --git a/home/apps/firefox.nix b/home/apps/firefox.nix index 28197c4..fb86da3 100644 --- a/home/apps/firefox.nix +++ b/home/apps/firefox.nix 
@@ -1,20 +1,27 @@ { + inputs, nixosConfig, pkgs, ... }: let + nur = import inputs.nur { + nurpkgs = pkgs; + inherit pkgs; + }; + isGnome = nixosConfig.services.xserver.desktopManager.gnome.enable; - extensions = with nixosConfig.nur; [ - repos.rycee.firefox-addons.ublock-origin - repos.rycee.firefox-addons.stylus - repos.rycee.firefox-addons.tampermonkey - repos.rycee.firefox-addons.search-engines-helper - #repos.rycee.firefox-addons.search-by-image - repos.rycee.firefox-addons.offline-qr-code-generator - repos.rycee.firefox-addons.i-dont-care-about-cookies - repos.rycee.firefox-addons.don-t-fuck-with-paste - repos.rycee.firefox-addons.amp2html - repos.rycee.firefox-addons.a11ycss + + extensions = with nur.repos.rycee.firefox-addons; [ + ublock-origin + stylus + tampermonkey + search-engines-helper + search-by-image + offline-qr-code-generator + i-dont-care-about-cookies + don-t-fuck-with-paste + amp2html + a11ycss ]; in { programs.firefox = { diff --git a/home/base/ssh.nix b/home/base/ssh.nix index 9dcc467..788d0a7 100644 --- a/home/base/ssh.nix +++ b/home/base/ssh.nix 
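Review bot: `search-by-image` was commented out in the old list and is installed by the new one, so this hunk changes the set of browser extensions rather than only switching from `nixosConfig.nur` to a direct `import inputs.nur`; if that is intentional it deserves a line in the commit message, otherwise the entry should stay commented. The rest of the hunk is a straight rename of the same add-ons, which reads well with the `with nur.repos.rycee.firefox-addons;` scoping.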
@@ -1,19 +1,27 @@ -{lib, ...}: let - container-addresses = import ../../hosts/hetzner-vm/data/container-addresses.nix {}; +{ + self, + lib, + ... +}: let + inherit (lib.modules) mkMerge; + inherit (lib.lists) forEach; + inherit (builtins) attrNames; + + containerAddresses = import "${self}/hosts/hetzner-vm/data/containerAddresses.nix"; in { programs.ssh.enable = true; programs.ssh.matchBlocks = - lib.mkMerge - ((lib.forEach ["hetzner-vm" "vault" "raspberry" "vault-decrypt"] (hostname: { + mkMerge + ((forEach ["hetzner-vm" "vault" "raspberry" "vault-decrypt"] (hostname: { "${hostname}" = { user = "root"; hostname = "${hostname}.servers.genderfucked.monster"; }; })) - ++ (lib.forEach (lib.attrNames container-addresses.containers) (name: { - "container-${name}" = { + ++ (forEach (attrNames containerAddresses.containers) (name: { + "hetzner-vm-container-${name}" = { user = "root"; - hostname = "${container-addresses.containers.${name}}"; + hostname = "${containerAddresses.containers.${name}}"; proxyJump = "hetzner-vm"; }; })) diff --git a/home/base/zsh.nix b/home/base/zsh.nix index b37ee22..fb45700 100644 --- a/home/base/zsh.nix +++ b/home/base/zsh.nix @@ -1,5 +1,9 @@ -{pkgs, ...}: let - usb_data = import ../../data/usb_data.nix {}; +{ + self, + pkgs, + ... +}: let + encryptedUSBData = import "${self}/data/encryptedUSB.nix"; in { home.packages = with pkgs; [eza bat ripgrep vault-bin libarchive age]; programs.zsh = { @@ -27,9 +31,9 @@ in { log = "journalctl"; dmesg = "dmesg -HP"; hg = "history 0 | rg"; - chaos_age = "age -i ${usb_data.chaos_age_privkey_path}"; - chaos_age_encrypt = "age -a -e -i ${usb_data.chaos_age_privkey_path}"; - chaos_pub = "cat ${usb_data.chaos_age_pubkey_path}"; + chaos_age = "age -i ${encryptedUSBData.chaosAgePrivateKeyPath}"; + chaos_age_encrypt = "age -a -e -i ${encryptedUSBData.chaosAgePrivateKeyPath}"; + chaos_pub = "cat ${encryptedUSBData.chaosAgePublicKeyPath}"; }; envExtra = '' export VAULT_ADDR="https://vault.owo.monster" 
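Review bot: In the ssh.nix hunk the value `hostname = "${containerAddresses.containers.${name}}";` wraps an attribute that is already a string in an interpolation, which only obscures that a non-string value would be coerced; `hostname = containerAddresses.containers.${name};` says the same thing directly. The rename of the aliases from `container-*` to `hetzner-vm-container-*` is a user-visible change to the ssh config names, so anything scripted against the old aliases (the `proxyJump = "hetzner-vm"` suggests these are used for automation) needs updating alongside.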
diff --git a/home/dev/all/deploy-rs.nix b/home/dev/all/deploy-rs.nix deleted file mode 100644 index 7f3aea3..0000000 --- a/home/dev/all/deploy-rs.nix +++ /dev/null @@ -1 +0,0 @@ -{pkgs, ...}: {home.packages = with pkgs.deploy-rs; [deploy-rs];} diff --git a/home/dev/all/extra.nix b/home/dev/all/extra.nix index 9ea7ebc..f48b440 100644 --- a/home/dev/all/extra.nix +++ b/home/dev/all/extra.nix @@ -18,7 +18,6 @@ mk-enc-usb mk-normal-enc-ssd - mk-dual-enc-ssd mk-raspberry-ext-drive ]; } diff --git a/home/dev/small/small.nix b/home/dev/small/small.nix index ce76551..1ad696b 100644 --- a/home/dev/small/small.nix +++ b/home/dev/small/small.nix @@ -1,5 +1,5 @@ {tree, ...}: { - # basically everything apart from home.all.dev.debugging and home.all.dev.deploy-rs and extra archives + # basically everything apart from home.all.dev.debugging and extra archives imports = with tree; [ home.dev.all.archives.common home.dev.all.compression diff --git a/home/gui/base/gtk.nix b/home/gui/base/gtk.nix index 57d894a..1177520 100644 --- a/home/gui/base/gtk.nix +++ b/home/gui/base/gtk.nix @@ -1,8 +1,4 @@ -{ - nixosConfig, - pkgs, - ... -}: { +{pkgs, ...}: { gtk = { enable = true; iconTheme = { @@ -15,10 +11,7 @@ }; font = { name = "Comic Code"; - size = - if nixosConfig.networking.hostName == "tablet" - then 10 - else 16; + size = 16; package = pkgs.comic-code; }; }; diff --git a/home/gui/environments/gnome/default.nix b/home/gui/environments/gnome/default.nix index a79911f..fc2bce8 100644 --- a/home/gui/environments/gnome/default.nix +++ b/home/gui/environments/gnome/default.nix 
@@ -5,23 +5,19 @@ inputs, ... }: let - hm-lib = inputs.home-manager.lib.hm; + homeManagerLib = inputs.home-manager.lib.hm; - font-sizes-all = { + fontSizesAll = { default = { small = "14"; medium = "16"; }; - tablet = { - small = "8"; - medium = "10"; - }; }; - font-sizes = - if nixosConfig.networking.hostName == "tablet" - then font-sizes-all.tablet - else font-sizes-all.default; + fontSizes = + if fontSizesAll ? nixosConfig.networking.hostName + then fontSizesAll.${nixosConfig.networking.hostName} + else fontSizesAll.default; in { imports = with tree; [home.apps.kitty home.apps.rofi]; @@ -54,13 +50,13 @@ in { # TODO: Maybe do this with fontconfig too? font-antialiasing = "rgba"; font-hinting = "full"; - font-name = "Comic Code ${font-sizes.medium}"; - monospace-font-name = "Comic Code ${font-sizes.small}"; + font-name = "Comic Code ${fontSizes.medium}"; + monospace-font-name = "Comic Code ${fontSizes.small}"; color-scheme = "prefer-dark"; }; "org/gnome/desktop/input-sources" = { # TODO: see if this changes when using gnome wayland? - sources = [(hm-lib.gvariant.mkTuple ["xkb" "gb"])]; + sources = [(homeManagerLib.gvariant.mkTuple ["xkb" "gb"])]; per-window = false; }; "org/gnome/desktop/media-handling" = { @@ -122,7 +118,7 @@ in { }; "org/gnome/desktop/wm/preferences" = { num-workspaces = 9; - titlebar-font = "Comic Code Medium ${font-sizes.small}"; + titlebar-font = "Comic Code Medium ${fontSizes.small}"; titlebar-uses-system-font = true; }; "org/gnome/settings-daemon/plugins/media-keys" = { diff --git a/home/gui/environments/sway/sway.nix b/home/gui/environments/sway/sway.nix index 82f19f1..1ce2f9c 100644 --- a/home/gui/environments/sway/sway.nix +++ b/home/gui/environments/sway/sway.nix @@ -4,7 +4,10 @@ lib, tree, ... -}: { +}: let + inherit (lib.modules) mkMerge; + inherit (lib.strings) escapeShellArgs; +in { # import default terminal imports = with tree; [home.apps.kitty home.apps.rofi]; 
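Review bot: In the gnome default.nix hunk, `if fontSizesAll ? nixosConfig.networking.hostName` does not test the host's name: the right-hand side of `?` is an attribute path, so this asks whether `fontSizesAll` has a literal attribute `nixosConfig.networking.hostName`, which is always false, and the `then` branch is dead. The dynamic lookup needs `${…}`: `fontSizes = fontSizesAll.${nixosConfig.networking.hostName} or fontSizesAll.default;` replaces the whole if/then/else in one line and still falls back to `default`. With only `default` left in `fontSizesAll` the mistake is invisible today, which is exactly why it should be fixed before a per-host entry is added back.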
@@ -64,11 +67,11 @@ names = ["Comic Code"]; size = 14.0; }; - statusCommand = lib.escapeShellArgs [ - "/home/chaos/Projects/rustbar/target/debug/rustbar" - #"${pkgs.gobar}/bin/gobar" - #"-config" - #"cpu\\|mem\\|weather\\(Leighton\\ Buzzard\\)\\|bat\\(BAT0\\)\\|time" + statusCommand = escapeShellArgs [ + #"/home/chaos/Projects/rustbar/target/debug/rustbar" + "${pkgs.gobar}/bin/gobar" + "-config" + "cpu\\|mem\\|weather\\(Leighton\\ Buzzard\\)\\|bat\\(BAT0\\)\\|time" ]; } {command = "${pkgs.waybar}/bin/waybar";} @@ -149,7 +152,7 @@ "${cfg.modifier}+r" = "mode resize"; } - // (lib.foldl lib.recursiveUpdate {} (map (workspace: { + // (mkMerge (map (workspace: { "${cfg.modifier}+${workspace}" = "workspace ${workspace}"; "${cfg.modifier}+Shift+${workspace}" = "move container to workspace ${workspace}"; }) ["1" "2" "3" "4" "5" "6" "7" "8" "9"])); diff --git a/home/manual-backup-apps.nix b/home/manual-backup-apps.nix index 7401297..ec1f604 100644 --- a/home/manual-backup-apps.nix +++ b/home/manual-backup-apps.nix @@ -7,8 +7,8 @@ # expected to be in default locations # Incase home.apps.manual-backup-apps is running in container which passes secrets in from host secrets = - if builtins.elem "host_secrets" (builtins.attrNames file_inputs) - then file_inputs.host_secrets + if file_inputs ? "hostSecrets" + then file_inputs.hostSecrets else nixosConfig.services.secrets.secrets; in { home.packages = with pkgs; [ diff --git a/home/programming/editors/vscode.nix b/home/programming/editors/vscode.nix index 67f35ae..d1943b1 100644 --- a/home/programming/editors/vscode.nix +++ b/home/programming/editors/vscode.nix 
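Review bot: In the sway.nix keybinding hunk, `mkMerge` is not a drop-in for `lib.foldl lib.recursiveUpdate {}` when the result is combined with `//`: `mkMerge` returns an attrset of the form `{ _type = "merge"; contents = [...]; }`, so the `//` splices `_type` and `contents` into the keybindings attrset, and the module system then treats the whole value as a merge marker and uses only `contents`, dropping `"${cfg.modifier}+r"` and every other binding written out by hand (the enclosing attrset starts outside the hunk, so I cannot see how many). Keeping the fold, or wrapping the entire keybindings value as `mkMerge [ { …explicit bindings… } (mkMerge (map … workspaces)) ]` without `//`, preserves all of them. The earlier hunk in this file also swaps the status bar from the local rustbar build to `gobar`, which is a behaviour change beyond the tidy.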
@@ -1,27 +1,18 @@ -{nixosConfig, ...}: let - font-size = - if nixosConfig.networking.hostName == "tablet" - then 18 - else 24; - zoom-level = - if nixosConfig.networking.hostName == "tablet" - then -2 - else 0; -in { +{...}: { programs.vscode-mod = { enable = true; userSettings = { "terminal.integrated.shellIntegration.enabled" = false; "github.gitAuthentication" = false; - "editor.fontSize" = font-size; + "editor.fontSize" = 24; "editor.fontFamily" = "'Comic Code'"; - "terminal.integrated.fontSize" = font-size; + "terminal.integrated.fontSize" = 18; "editor.codeLensFontFamily" = "'Comic Code'"; "editor.inlayHints.fontFamily" = "'Comic Code'"; "markdown.preview.fontFamily" = "'Comic Code'"; "terminal.integrated.fontFamily" = "'Comic Code'"; "files.autoSave" = "afterDelay"; - "window.zoomLevel" = zoom-level; + "window.zoomLevel" = 0; "editor.tabSize" = 2; }; }; diff --git a/home/ssh-usb.nix b/home/ssh-usb.nix deleted file mode 100644 index ffe6bdf..0000000 --- a/home/ssh-usb.nix +++ /dev/null @@ -1,11 +0,0 @@ -{...}: let - usb_data = import ../data/usb_data.nix {}; -in { - programs.ssh.matchBlocks."*".identityFile = "${usb_data.ssh_priv_path}"; - programs.git.extraConfig = { - gpg.format = "ssh"; - commit.gpgsign = "true"; - tag.gpgsign = "true"; - user = {signingKey = "${usb_data.ssh_priv_path}";}; - }; -} diff --git a/home/sshUSB.nix b/home/sshUSB.nix new file mode 100644 index 0000000..5706237 --- /dev/null +++ b/home/sshUSB.nix @@ -0,0 +1,11 @@ +{...}: let + encryptedUSBData = import ../data/encryptedUSB.nix; +in { + programs.ssh.matchBlocks."*".identityFile = "${encryptedUSBData.sshPrivateKeyPath}"; + programs.git.extraConfig = { + gpg.format = "ssh"; + commit.gpgsign = "true"; + tag.gpgsign = "true"; + user.signingKey = "${encryptedUSBData.sshPrivateKeyPath}"; + }; +} diff --git a/hosts/buildbox/buildbox.nix b/hosts/buildbox/buildbox.nix deleted file mode 100644 index 23a77a1..0000000 --- a/hosts/buildbox/buildbox.nix +++ /dev/null 
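Review bot: In the vscode.nix hunk, `"terminal.integrated.fontSize" = 18;` no longer matches `"editor.fontSize" = 24;`, whereas before both settings came from the same `font-size` (24 on every host other than the tablet); if the intent of removing the tablet branch was to keep the non-tablet values, the terminal size should be 24 as well, and if 18 is deliberate a short comment on that line would stop the next reader from "fixing" it. The new `home/sshUSB.nix` is a straight rename of the deleted `ssh-usb.nix` and looks fine.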
@@ -1,116 +0,0 @@ -{ - tree, - config, - pkgs, - ... -}: let - secrets = config.services.secrets.secrets; -in { - imports = with tree; [ - users.root - - profiles.base - profiles.sshd - profiles.nix-gc - - ./hardware.nix - ./networking.nix - ./secrets.nix - ]; - - environment.etc."mdadm.conf".text = '' - HOMEHOST - PROGRAM /run/current-system/sw/bin/mdadm-notify - ''; - - # some taken from https://github.com/hunleyd/mdadm_notify/blob/master/mdadm_notify - environment.systemPackages = [ - (pkgs.writeShellScriptBin "mdadm-notify" '' - event=$1 - md_device=$2 - device=$3 - - case $event in - DegradedArray) - msg="$md_device is running in DEGRADED MODE" - ;; - DeviceDisappeared) - msg="$md_device has DISAPPEARED" - ;; - Fail) - msg="$md_device had an ACTIVE component FAIL ($device)" - ;; - FailSpare) - msg="$md_device had a SPARE component FAIL during rebuild ($device)" - ;; - MoveSpare) - msg="SPARE device $device has been MOVED to a new array ($md_device)" - ;; - NewArray) - # silence NewArray - exit 0 - msg="$md_device has APPEARED" - ;; - Rebuild??) 
- msg="$md_device REBUILD is now `echo $event|sed 's/Rebuild//'`% complete" - ;; - RebuildFinished) - msg="REBUILD of $md_device is COMPLETE or ABORTED" - ;; - RebuildStarted) - msg="RECONSTRUCTION of $md_device has STARTED" - ;; - SpareActive) - msg="$device has become an ACTIVE COMPONENT of $md_device" - ;; - SparesMissing) - msg="$md_device is MISSING one or more SPARE devices" - ;; - TestMessage) - msg="TEST MESSAGE generated for $md_device" - ;; - esac - - printf "Subject: BuildBox mdadm: $event\n\n$msg" | msmtp "all@owo.monster" - '') - ]; - - programs.msmtp = { - enable = true; - accounts = { - default = { - auth = true; - tls = true; - protocol = "smtp"; - host = "mail.owo.monster"; - port = 587; - from = "system@owo.monster"; - user = "system@owo.monster"; - passwordeval = "cat ${secrets.system_mail_password.path}"; - }; - }; - }; - - systemd.services.mdmonitor = { - requires = ["network.target"]; - wantedBy = ["multi-user.target"]; - path = with pkgs; [mdadm msmtp]; - script = '' - exec mdadm --monitor --scan - ''; - serviceConfig = { - Restart = "always"; - StartLimitAction = "none"; - }; - }; - - home-manager.users.root = { - imports = with tree; [home.base home.dev.small]; - home.stateVersion = "23.05"; - }; - - networking.hostName = "buildbox"; - time.timeZone = "Europe/London"; - - system.stateVersion = "23.05"; -} diff --git a/hosts/buildbox/hardware.nix b/hosts/buildbox/hardware.nix deleted file mode 100644 index 4f42e67..0000000 --- a/hosts/buildbox/hardware.nix +++ /dev/null 
@@ -1,25 +0,0 @@ -{config, ...}: { - boot.initrd.kernelModules = ["dm-snapshot"]; - boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"]; - boot.kernelModules = ["kvm-amd"]; - - boot.initrd.services.swraid.mdadmConf = - config.environment.etc."mdadm.conf".text; - - fileSystems."/" = { - device = "/dev/disk/by-label/root"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-label/boot"; - fsType = "ext4"; - }; - - boot.loader.grub = { - enable = true; - efiSupport = false; - device = "nodev"; - devices = ["/dev/sda" "/dev/sdb"]; - }; -} diff --git a/hosts/buildbox/networking.nix b/hosts/buildbox/networking.nix deleted file mode 100644 index 245ba69..0000000 --- a/hosts/buildbox/networking.nix +++ /dev/null @@ -1,25 +0,0 @@ -{lib, ...}: { - systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; - - networking = { - resolvconf.useLocalResolver = false; - networkmanager.dns = "none"; - }; - networking.nameservers = ["1.1.1.1"]; - - networking.firewall.enable = true; - networking.firewall.allowPing = true; - networking.firewall.allowedTCPPorts = [22]; - - networking.enableIPv6 = true; - networking.usePredictableInterfaceNames = false; - networking.dhcpcd.enable = false; - systemd.network = { - enable = true; - networks.eth0 = { - name = "eth0"; - address = ["144.76.97.18"]; - gateway = ["144.76.97.1"]; - }; - }; -} diff --git a/hosts/buildbox/secrets.nix b/hosts/buildbox/secrets.nix deleted file mode 100644 index 5781548..0000000 --- a/hosts/buildbox/secrets.nix +++ /dev/null @@ -1,15 +0,0 @@ -{...}: { - services.secrets = { - enable = true; - - secrets = { - system_mail_password = { - user = "root"; - group = "root"; - fetchScript = '' - simple_get "/api-keys/chaos_mail/system" .password > "$secretFile" - ''; - }; - }; - }; -} diff --git a/hosts/darwin.nix b/hosts/darwin.nix deleted file mode 100644 index 3fbc342..0000000 --- a/hosts/darwin.nix +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - nixpkgs-unstable, - nix-darwin-unstable, - tree, - ... -} @ inputs: let - defaultSpecialArgs = - defaults.defaultSpecialArgs - // { - inputs = - inputs - // { - # set these to the correct versions from inputs - nixpkgs = inputs.nixpkgs-unstable; - home-manager = inputs.home-manager-unstable; - darwin = inputs.nix-darwin-unstable; - }; - }; - - defaultModules = - defaults.defaultModules - ++ [ - # NO_INLINE - tree.impure.profiles.base-darwin - inputs.home-manager-unstable.darwinModules.home-manager - ]; - - darwinSystem = nix-darwin-unstable.lib.darwinSystem; -in { - "MacMini" = darwinSystem { - specialArgs = defaultSpecialArgs; - system = "aarch64-darwin"; - modules = defaultModules ++ [./macmini/default.nix]; - }; -} diff --git a/hosts/default.nix b/hosts/default.nix index d384f04..108304c 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -1,4 +1,3 @@ {...} @ inputs: { nixosConfigurations = import ./nixos.nix inputs; - #darwinConfigurations = import ./darwin.nix inputs; } diff --git a/hosts/hetzner-vm/containers/mail/default.nix b/hosts/hetzner-vm/containers/mail/default.nix index 96702b6..729fdd0 100644 --- a/hosts/hetzner-vm/containers/mail/default.nix +++ b/hosts/hetzner-vm/containers/mail/default.nix @@ -1,11 +1,16 @@ { + self, tree, lib, inputs, config, pkgs, + hostPath, ... }: let + inherit (lib.modules) mkMerge; + inherit (lib.lists) forEach; + ports = [ # SMTP 25 @@ -21,9 +26,13 @@ 4190 ]; + containerLib = import "${self}/lib/containerLib.nix" { + inherit lib; + }; + # Using secrets from Host secrets = config.services.secrets.secrets; - secrets_list = [ + secretsList = [ "mail_restic_password" "mail_restic_env" "private_mail_aliases" @@ -31,7 +40,7 @@ "system_mail_passwd" "gotosocial_mail_passwd" ]; - shared_files = [ + sharedFiles = [ "/var/lib/acme/mail.owo.monster/fullchain.pem" "/var/lib/acme/mail.owo.monster/key.pem" ]; 
@@ -39,15 +48,10 @@ in { containers.mail = { autoStart = true; - bindMounts = lib.mkMerge [ - (lib.mkMerge (lib.forEach secrets_list (secret_name: let - path = "${secrets.${secret_name}.path}"; - in { - "${path}" = { - hostPath = "${path}"; - }; - }))) - (lib.mkMerge (lib.forEach shared_files (file: { + bindMounts = mkMerge [ + (containerLib.genBindHostsForSecrets secrets secretsList) + + (mkMerge (forEach sharedFiles (file: { "${file}" = { hostPath = "${file}"; }; @@ -57,7 +61,9 @@ in { specialArgs = { inherit inputs; inherit tree; - host_secrets = secrets; + inherit self; + inherit hostPath; + hostSecrets = secrets; }; config = {config, ...}: { diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/default.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/default.nix index 73979dd..34a7326 100644 --- a/hosts/hetzner-vm/containers/mail/modules/mailserver/default.nix +++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/default.nix 
@@ -1,134 +1,173 @@ { config, + pkgs, lib, ... -}: -with lib; let +}: let + inherit (lib) types; + inherit (lib.options) mkEnableOption mkOption mkPackageOption; + cfg = config.services.mailserver; in { options.services.mailserver = { enable = mkEnableOption "mailserver"; - fqdn = mkOption {type = types.str;}; - - domains = mkOption {type = types.listOf types.str;}; - - ssl_config = mkOption { - type = types.submodule { - options = { - useACME = mkOption { - type = types.bool; - default = true; - }; - cert = mkOption { - type = types.str; - default = "/var/lib/acme/${cfg.fqdn}/fullchain.pem"; - }; - key = mkOption { - type = types.str; - default = "/var/lib/acme/${cfg.fqdn}/key.pem"; - }; - }; - }; - default = {}; + fqdn = mkOption { + type = types.str; + description = "domain used for mx records"; }; - debug_mode = mkOption { + domains = mkOption { + type = types.listOf types.str; + description = "all domains for receiving mail on"; + }; + + debugMode = mkOption { type = types.bool; default = false; + description = "enable debug logging on everything"; }; - enable_roundcube = mkOption { - type = types.bool; - default = true; + sslConfig = { + useACME = mkOption { + type = types.bool; + default = true; + }; + cert = mkOption { + type = types.str; + default = "/var/lib/acme/${cfg.fqdn}/fullchain.pem"; + }; + key = mkOption { + type = types.str; + default = "/var/lib/acme/${cfg.fqdn}/key.pem"; + }; }; - roundcube_url = mkOption { - type = types.str; - default = "${cfg.fqdn}"; + roundcube = { + enable = mkOption { + type = types.bool; + default = true; + }; + package = mkPackageOption pkgs "roundcube" {}; + domain = mkOption { + type = types.str; + default = "${cfg.fqdn}"; + }; + plugins = mkOption { + type = types.listOf types.str; + default = []; + }; + extraConfig = mkOption { + type = types.lines; + default = ""; + }; + forceSSL = mkOption { + type = types.bool; + default = true; + }; + enableACME = mkOption { + type = types.bool; + default = true; + }; }; - 
force_roundcube_ssl = mkOption { - type = types.bool; - default = true; + spf = { + enable = mkOption { + type = types.bool; + default = true; + }; + policydConfig = mkOption { + type = types.str; + default = ""; + }; }; - force_roundcube_acme = mkOption { - type = types.bool; - default = true; + rspamd = { + enable = mkOption { + type = types.bool; + default = true; + }; + extraConfig = mkOption { + type = types.lines; + default = ""; + }; + redisPort = mkOption { + type = types.number; + default = 6380; + }; }; accounts = mkOption { - # where name = email for login - type = types.attrsOf (types.submodule ({name, ...}: { + # where attrName = email for login + default = {}; + type = types.attrsOf (types.submodule { options = { - name = mkOption { + passwordHashFile = mkOption { type = types.str; - default = name; + description = '' + a file containing the hashed password for user, loaded at runtime + + ''; + }; + aliases = mkOption { + type = types.listOf types.str; + default = []; + description = "a list of aliases for receiving/sending mail"; + }; + sieveScript = mkOption { + type = types.nullOr types.lines; + default = null; + description = "a default sieve script for filtering mail"; }; - passwordFile = mkOption {type = types.str;}; - aliases = mkOption {type = types.listOf types.str;}; - sieveScript = mkOption {type = types.nullOr types.lines;}; }; - })); + }); }; - extra_aliases_file = mkOption { + extraAliasesFile = mkOption { type = types.nullOr types.str; default = null; + description = "file containing postfix aliases for receiving, loaded at runtime"; }; - sieve_directory = mkOption { + sieveDirectory = mkOption { type = types.str; default = "/var/sieve"; + description = "path used for storing sieve scripts"; }; - dkim_directory = mkOption { - type = types.str; - default = "/var/dkim"; - }; - - policyd_config = mkOption { - type = types.lines; - default = ""; - }; - - extra_roundcube_config = mkOption { - type = types.lines; - default = ""; - }; - - 
rspamd_redis_port = mkOption { - type = types.number; - default = 6380; - }; - - vmail_config = mkOption { - type = types.submodule { - options = { - user = mkOption { - type = types.str; - default = "vmail"; - }; - group = mkOption { - type = types.str; - default = "${cfg.vmail_config.user}"; - }; - user_id = mkOption { - type = types.number; - default = 5000; - }; - group_id = mkOption { - type = types.number; - default = cfg.vmail_config.user_id; - }; - directory = mkOption { - type = types.str; - default = "/home/${cfg.vmail_config.user}"; - }; - }; + dkim = { + enable = mkOption { + type = types.bool; + default = true; + }; + directory = mkOption { + type = types.str; + default = "/var/dkim"; + description = "path used for storing dkim signing keys, make sure to keep this backed up"; + }; + }; + + vmail = { + user = mkOption { + type = types.str; + default = "vmail"; + }; + group = mkOption { + type = types.str; + default = "${cfg.vmail.user}"; + }; + userID = mkOption { + type = types.number; + default = 5000; + }; + groupID = mkOption { + type = types.number; + default = cfg.vmail.userID; + }; + directory = mkOption { + type = types.str; + default = "/home/${cfg.vmail.user}"; }; - default = {}; }; }; } diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/dovecot.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/dovecot.nix index d306611..9afc71c 100644 --- a/hosts/hetzner-vm/containers/mail/modules/mailserver/dovecot.nix +++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/dovecot.nix 
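Review bot: `redisPort` is declared as `types.number`, which also accepts floats and out-of-range values, and `vmail.userID`/`groupID` use the same type; the NixOS types for these are `types.port` and `types.int`, e.g. `redisPort = mkOption { type = types.port; default = 6380; };`. Keeping `passwordHashFile`, `sslConfig.cert` and `sslConfig.key` as `types.str` rather than `types.path` is correct, because a path value would copy the secret into the world-readable Nix store; a one-line `description` on the cert/key options saying so would stop a later tidy from "fixing" it. The `# where attrName = email for login` comment on `accounts` is the only place that contract is recorded, and the attribute name is also what the Postfix sender-login map and Dovecot passwd file are keyed on, so it belongs in the option's `description` where `nixos-option` and docs can show it.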
@@ -4,64 +4,39 @@ lib, ... }: let - mail_config = config.services.mailserver; + inherit (lib.modules) mkIf; + inherit (lib.attrsets) mapAttrsToList; + inherit (lib.strings) concatStringsSep optionalString; - vmail_config = mail_config.vmail_config; - - passwdDir = "/run/dovecot2"; - passwdFile = "${passwdDir}/passwd"; + mailConfig = config.services.mailserver; + vmailConfig = mailConfig.vmail; postfixCfg = config.services.postfix; + dovecotRuntimeDir = "/run/dovecot2"; + passwdFile = "${dovecotRuntimeDir}/passwd"; + genPasswdScript = pkgs.writeScript "generate-password-file" '' #!${pkgs.stdenv.shell} set -euo pipefail - if (! test -d "${passwdDir}"); then - mkdir "${passwdDir}" - chmod 755 "${passwdDir}" - fi - - for f in ${ - builtins.toString - (lib.mapAttrsToList (_: value: value.passwordFile) - mail_config.accounts) - }; do - if [ ! -f "$f" ]; then - echo "Expected password hash file $f does not exist!" + ${concatStringsSep "\n" (map (userPasswdFile: '' + if [ ! -f "${userPasswdFile}" ]; then + echo "Expected password hash file ${userPasswdFile} does not exist!" 
exit 1 fi - done + '') (mapAttrsToList (_email: config: config.passwordHashFile) mailConfig.accounts))} cat < ${passwdFile} - ${ - lib.concatStringsSep "\n" - (lib.mapAttrsToList (name: value: "${name}:$(head -n 1 ${value.passwordFile})") mail_config.accounts) - } + ${concatStringsSep "\n" (mapAttrsToList ( + email: config: "${email}:$(head -n 1 ${config.passwordHashFile})" + ) + mailConfig.accounts)} EOF - - chmod 600 ${passwdFile} ''; - - pipeBin = pkgs.stdenv.mkDerivation { - name = "pipe_bin"; - src = ./pipe_bin; - buildInputs = with pkgs; [makeWrapper coreutils bash rspamd]; - buildCommand = '' - mkdir -p $out/pipe/bin - cp $src/* $out/pipe/bin/ - chmod a+x $out/pipe/bin/* - patchShebangs $out/pipe/bin - - for file in $out/pipe/bin/*; do - wrapProgram $file \ - --set PATH "${pkgs.coreutils}/bin:${pkgs.rspamd}/bin" - done - ''; - }; in { - config = lib.mkIf (mail_config.enable) { + config = mkIf (mailConfig.enable) { services.dovecot2 = { enable = true; enableImap = true; @@ -70,12 +45,12 @@ in { enablePop3 = false; enablePAM = false; # Not using PAM for Auth - mailUser = vmail_config.user; - mailGroup = vmail_config.group; - mailLocation = "maildir:${vmail_config.directory}/%d/%n"; + mailUser = vmailConfig.user; + mailGroup = vmailConfig.group; + mailLocation = "maildir:${vmailConfig.directory}/%d/%n"; - sslServerCert = mail_config.ssl_config.cert; - sslServerKey = mail_config.ssl_config.key; + sslServerCert = mailConfig.sslConfig.cert; + sslServerKey = mailConfig.sslConfig.key; # For Sieve modules = with pkgs; [dovecot_pigeonhole]; @@ -112,7 +87,7 @@ in { }; extraConfig = '' - ${lib.optionalString mail_config.debug_mode '' + ${optionalString mailConfig.debugMode '' mail_debug = yes auth_debug = yes verbose_ssl = yes 
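Review bot: the rewritten script drops the `chmod 600 ${passwdFile}` the old version ran after writing, so the password file's mode now depends entirely on a tmpfiles rule having created it beforehand; if `/run/dovecot2` is recreated by the service or the rule has not run yet, `cat > ${passwdFile}` creates the file under the default umask and every account's password hash becomes readable by other users in the container. Setting `umask 077` before the heredoc, or restoring `chmod 600 "${passwdFile}"` after it, costs one line and removes the ordering assumption. The interpolated secret paths are also unquoted in `head -n 1 ${config.passwordHashFile}`; `"$(head -n 1 "${config.passwordHashFile}")"` avoids word splitting should a secret path ever contain whitespace. The preStart that runs genPasswdScript is defined in a later hunk of this file.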
@@ -152,11 +127,11 @@ in { mail_plugins = $mail_plugins sieve } - mail_access_groups = "${vmail_config.group}" + mail_access_groups = "${vmailConfig.group}" userdb { driver = static - args = uid=${toString vmail_config.user_id} gid=${toString vmail_config.group_id} + args = uid=${toString vmailConfig.userID} gid=${toString vmailConfig.groupID} } passdb { @@ -181,8 +156,8 @@ in { plugin { sieve_plugins = sieve_imapsieve sieve_extprograms - sieve = file:${mail_config.sieve_directory}/%u/scripts;active=${mail_config.sieve_directory}/%u/active.sieve - sieve_default = file:${mail_config.sieve_directory}/%u/default.sieve + sieve = file:${mailConfig.sieveDirectory}/%u/scripts;active=${mailConfig.sieveDirectory}/%u/active.sieve + sieve_default = file:${mailConfig.sieveDirectory}/%u/default.sieve sieve_default_name = default # From elsewhere to Spam folder 
@@ -196,20 +171,44 @@ in { imapsieve_mailbox2_causes = COPY imapsieve_mailbox2_before = file:${./spam_sieve/report-ham.sieve} - sieve_pipe_bin_dir = ${pipeBin}/pipe/bin - sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment + ${optionalString mailConfig.rspamd.enable (let + pipeBin = pkgs.stdenv.mkDerivation { + name = "pipe_bin"; + src = ./pipe_bin; + buildInputs = with pkgs; [makeWrapper coreutils bash rspamd]; + buildCommand = '' + mkdir -p $out/pipe/bin + cp $src/* $out/pipe/bin/ + chmod a+x $out/pipe/bin/* + patchShebangs $out/pipe/bin + + for file in $out/pipe/bin/*; do + wrapProgram $file \ + --set PATH "${pkgs.coreutils}/bin:${pkgs.rspamd}/bin" + done + ''; + }; + in '' + sieve_pipe_bin_dir = ${pipeBin}/pipe/bin + '')} + + sieve_global_extensions = ${optionalString mailConfig.rspamd.enable "+vnd.dovecot.pipe"} +vnd.dovecot.environment } lda_mailbox_autosubscribe = yes lda_mailbox_autocreate = yes ''; }; - systemd.services.dovecot2 = { - preStart = '' - ${genPasswdScript} - ''; + systemd = { + tmpfiles.rules = [ + "f ${passwdFile} 600 dovecot2 dovecot2" + ]; + services = { + dovecot2.preStart = '' + ${genPasswdScript} + ''; + postfix.restartTriggers = [genPasswdScript]; + }; }; - - systemd.services.postfix.restartTriggers = [genPasswdScript]; }; } diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/firewall.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/firewall.nix index 0602a9a..53e640f 100644 --- a/hosts/hetzner-vm/containers/mail/modules/mailserver/firewall.nix +++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/firewall.nix @@ -3,9 +3,11 @@ config, ... }: let - mail_config = config.services.mailserver; + inherit (lib.modules) mkIf; + + mailConfig = config.services.mailserver; in { - config = lib.mkIf mail_config.enable { + config = mkIf mailConfig.enable { networking.firewall = { allowedTCPPorts = [ # SMTP 
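Review bot: the new tmpfiles rule `f ${passwdFile} 600 dovecot2 dovecot2` does not create `/run/dovecot2` (an `f` line fails when its parent is missing) and hardcodes the service user; if the NixOS dovecot2 unit manages that directory as a RuntimeDirectory it is wiped on every restart, after which the preStart's `cat >` recreates the passwd file with default permissions rather than 0600. Adding `"d /run/dovecot2 0755 dovecot2 dovecot2 - -"` in front of it, or having genPasswdScript set the mode itself, makes the permissions independent of unit ordering. `sieve_pipe_bin_dir` and the `+vnd.dovecot.pipe` extension now only exist when `rspamd.enable` is set, while the `imapsieve_mailbox*_before` hooks for `report-spam.sieve`/`report-ham.sieve` above remain unconditional; if those scripts pipe to the rspamd learners (not visible in this diff) they will fail at runtime with rspamd disabled, so either guard the hooks the same way or add a comment stating the scripts do not depend on pipe.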
diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/opendkim.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/opendkim.nix
index 32e2481..c87f3c3 100644
--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/opendkim.nix
+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/opendkim.nix
@@ -3,82 +3,83 @@ lib, pkgs, ... -}: -with lib; let - mail_config = config.services.mailserver; - dkimUser = config.services.opendkim.user; - dkimGroup = config.services.opendkim.group; +}: let + inherit (lib.modules) mkIf mkForce; + inherit (lib.trivial) flip; + inherit (lib.strings) optionalString escapeShellArgs; + inherit (builtins) toFile concatStringsSep; - keyDir = mail_config.dkim_directory; + mailConfig = config.services.mailserver; + + opendkimConfig = config.services.opendkim; + opendkimArgs = ["-f" "-l" "-x" opendkimConfig.configFile]; + dkimUser = opendkimConfig.user; + dkimGroup = opendkimConfig.group; + + keyDir = mailConfig.dkim.directory; selector = "mail"; - domains = mail_config.domains; + domains = mailConfig.domains; createDomainDkimCert = dom: let - dkim_key = "${keyDir}/${dom}.${selector}.key"; - dkim_txt = "${keyDir}/${dom}.${selector}.txt"; + dkimKey = "${keyDir}/${dom}.${selector}.key"; + dkimDNSFile = "${keyDir}/${dom}.${selector}.txt"; in '' - if [ ! -f "${dkim_key}" ] + if [ ! 
-f "${dkimKey}" ] then ${pkgs.opendkim}/bin/opendkim-genkey -s "${selector}" \ -d "${dom}" \ --bits="1024" \ --directory="${keyDir}" - mv "${keyDir}/${selector}.private" "${dkim_key}" - mv "${keyDir}/${selector}.txt" "${dkim_txt}" + mv "${keyDir}/${selector}.private" "${dkimKey}" + mv "${keyDir}/${selector}.txt" "${dkimDNSFile}" echo "Generated key for domain ${dom} selector ${selector}" fi ''; createAllCerts = - concatStringsSep "\n" (map createDomainDkimCert mail_config.domains); + concatStringsSep "\n" (map createDomainDkimCert mailConfig.domains); - keyTable = pkgs.writeText "opendkim-KeyTable" (concatStringsSep "\n" + keyTable = toFile "opendkim-KeyTable" (concatStringsSep "\n" (flip map domains (dom: "${dom} ${dom}:${selector}:${keyDir}/${dom}.${selector}.key"))); signingTable = - pkgs.writeText "opendkim-SigningTable" + toFile "opendkim-SigningTable" (concatStringsSep "\n" (flip map domains (dom: "${dom} ${dom}"))); - - dkim = config.services.opendkim; - args = - ["-f" "-l"] - ++ optionals (dkim.configFile != null) ["-x" dkim.configFile]; in { - config = mkIf (mail_config.enable) { + config = mkIf (mailConfig.enable && mailConfig.dkim.enable) { services.opendkim = { enable = true; selector = selector; keyPath = keyDir; - domains = "csl:${builtins.concatStringsSep "," domains}"; - configFile = pkgs.writeText "opendkim.conf" ('' + domains = "csl:${concatStringsSep "," domains}"; + configFile = toFile "opendkim.conf" ('' Canonicalization relaxed/relaxed UMask 0002 - Socket ${dkim.socket} + Socket ${opendkimConfig.socket} KeyTable file:${keyTable} SigningTable file:${signingTable} '' - + (optionalString mail_config.debug_mode '' + + (optionalString mailConfig.debugMode '' Syslog yes SyslogSuccess yes LogWhy yes '')); }; - users.users = optionalAttrs (config.services.postfix.user == "postfix") { - postfix.extraGroups = ["${dkimGroup}"]; - }; + systemd.tmpfiles.rules = ["d '${keyDir}' - ${dkimUser} ${dkimGroup} - -"]; + + users.users.postfix.extraGroups = 
["${dkimGroup}"]; systemd.services.opendkim = { preStart = mkForce createAllCerts; serviceConfig = { ExecStart = mkForce - "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}"; + "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs opendkimArgs}"; PermissionsStartOnly = mkForce false; }; }; - systemd.tmpfiles.rules = ["d '${keyDir}' - ${dkimUser} ${dkimGroup} - -"]; }; } diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/postfix.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/postfix.nix index b795a26..bf29016 100644 --- a/hosts/hetzner-vm/containers/mail/modules/mailserver/postfix.nix +++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/postfix.nix 
@@ -4,114 +4,101 @@ lib, ... }: let - mail_config = config.services.mailserver; - submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" '' - /^Received:/ IGNORE - /^X-Originating-IP:/ IGNORE - /^X-Mailer:/ IGNORE - /^User-Agent:/ IGNORE - /^X-Enigmail:/ IGNORE - /^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@${mail_config.fqdn}> - ''; + inherit (lib.modules) mkIf; + inherit (lib.strings) concatStringsSep; + inherit (lib.lists) flatten optional; + inherit (lib.attrsets) mapAttrsToList; + inherit (builtins) toFile; - # Merge several lookup tables. A lookup table is a attribute set where - # - the key is an address (user@example.com) or a domain (@example.com) - # - the value is a list of addresses - mergeLookupTables = tables: lib.zipAttrsWith (_: v: lib.flatten v) tables; - - # valiases_postfix :: Map String [String] - valiases_postfix = mergeLookupTables (lib.flatten (lib.mapAttrsToList - (name: value: let - to = name; - in - map (from: {"${from}" = to;}) (value.aliases ++ lib.singleton name)) - mail_config.accounts)); - - # all_valiases_postfix :: Map String [String] - all_valiases_postfix = mergeLookupTables [valiases_postfix]; - - # lookupTableToString :: Map String [String] -> String - lookupTableToString = attrs: let - valueToString = value: lib.concatStringsSep ", " value; - in - lib.concatStringsSep "\n" - (lib.mapAttrsToList (name: value: "${name} ${valueToString value}") attrs); - - vhosts_file = - builtins.toFile "vhosts" (lib.concatStringsSep "\n" mail_config.domains); - - aliases_accounts_file = let - content = lookupTableToString (mergeLookupTables [all_valiases_postfix]); - in - builtins.toFile "aliases_accounts" content; - - mappedFile = name: "hash:/var/lib/postfix/conf/${name}"; - - policyd-spf = pkgs.writeText "policyd-spf.conf" mail_config.policyd_config; - - submissionOptions = { - smtpd_tls_security_level = "encrypt"; - smtpd_sasl_auth_enable = "yes"; - smtpd_sasl_type = "dovecot"; - smtpd_sasl_path = 
"/run/dovecot2/auth"; - smtpd_sasl_security_options = "noanonymous"; - smtpd_sasl_local_domain = "$myhostname"; - smtpd_client_restrictions = "permit_sasl_authenticated,reject"; - smtpd_sender_login_maps = mappedFile "aliases_accounts"; - smtpd_sender_restrictions = "reject_sender_login_mismatch"; - smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject"; - cleanup_service_name = "submission-header-cleanup"; - }; + mailConfig = config.services.mailserver; tls_allowed = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3"; tls_disallow = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL"; + + sendingReceivingAliases = concatStringsSep "\n" (flatten [ + (mapAttrsToList (email: config: + map ( + alias: "${alias} ${email} " + ) + config.aliases) + mailConfig.accounts) + (mapAttrsToList (email: _config: [ + # i dont know if this is actually needed + "${email} ${email}" + ]) + mailConfig.accounts) + ]); + + sendingReceivingAliasesMappedName = "sending_receiving_aliases"; + sendingReceivingAliasesFile = toFile "${sendingReceivingAliasesMappedName}" sendingReceivingAliases; + + extraAliasesCombinedFilePath = "/run/postfix_sending_receiving_aliases"; in { - config = lib.mkIf (mail_config.enable) { - systemd.tmpfiles.rules = lib.mkIf (mail_config.extra_aliases_file != null) [ - # folder to store the extra aliases file - "f /run/postfix_extra_aliases 660 root root" + config = mkIf (mailConfig.enable) { + systemd.tmpfiles.rules = mkIf (mailConfig.extraAliasesFile != null) [ + "f ${extraAliasesCombinedFilePath} 660 root root" ]; - systemd.services.postfix-extra-aliases-setup = lib.mkIf (mail_config.extra_aliases_file != null) { + systemd.services.postfix-extra-aliases-setup = mkIf (mailConfig.extraAliasesFile != null) { wantedBy = ["multi-user.target"]; partOf = ["postfix.service"]; before = ["postfix-setup.service"]; script = '' - cat ${aliases_accounts_file} > /run/postfix_extra_aliases - echo >> 
/run/postfix_extra_aliases - cat ${mail_config.extra_aliases_file} >> /run/postfix_extra_aliases + cat "${sendingReceivingAliasesFile}" > ${extraAliasesCombinedFilePath} + echo >> ${extraAliasesCombinedFilePath} + cat "${mailConfig.extraAliasesFile}" >> ${extraAliasesCombinedFilePath} ''; }; - services.postfix = { + services.postfix = let + mappedFile = name: "hash:/var/lib/postfix/conf/${name}"; + + sendingReceivingAliasesMappedFile = mappedFile sendingReceivingAliasesMappedName; + + submissionOptions = { + smtpd_tls_security_level = "encrypt"; + smtpd_sasl_auth_enable = "yes"; + smtpd_sasl_type = "dovecot"; + smtpd_sasl_path = "/run/dovecot2/auth"; + smtpd_sasl_security_options = "noanonymous"; + smtpd_sasl_local_domain = "$myhostname"; + smtpd_client_restrictions = "permit_sasl_authenticated,reject"; + smtpd_sender_login_maps = sendingReceivingAliasesMappedFile; + smtpd_sender_restrictions = "reject_sender_login_mismatch"; + smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject"; + cleanup_service_name = "submission-header-cleanup"; + }; + in { enable = true; - hostname = "${mail_config.fqdn}"; + hostname = "${mailConfig.fqdn}"; networksStyle = "host"; - mapFiles."aliases_accounts" = - if (mail_config.extra_aliases_file == null) - then aliases_accounts_file - else "/run/postfix_extra_aliases"; + mapFiles = { + "sending_receiving_aliases" = + if (mailConfig.extraAliasesFile == null) + then sendingReceivingAliasesFile + else "${extraAliasesCombinedFilePath}"; + }; - sslCert = mail_config.ssl_config.cert; - sslKey = mail_config.ssl_config.key; enableSubmission = true; enableSubmissions = true; + sslCert = mailConfig.sslConfig.cert; + sslKey = mailConfig.sslConfig.key; config = { # Extra Config mydestination = ""; recipient_delimiter = "+"; - smtpd_banner = "${mail_config.fqdn} ESMTP NO UCE"; + smtpd_banner = "${mailConfig.fqdn} ESMTP NO UCE"; disable_vrfy_command = true; message_size_limit = 
"20971520"; - virtual_uid_maps = "static:${toString mail_config.vmail_config.user_id}"; - virtual_gid_maps = "static:${toString mail_config.vmail_config.group_id}"; - virtual_mailbox_base = "${mail_config.vmail_config.directory}"; - virtual_mailbox_domains = vhosts_file; - virtual_mailbox_maps = mappedFile "aliases_accounts"; - virtual_alias_maps = mappedFile "aliases_accounts"; + virtual_uid_maps = "static:${toString mailConfig.vmail.userID}"; + virtual_gid_maps = "static:${toString mailConfig.vmail.groupID}"; + virtual_mailbox_base = "${mailConfig.vmail.directory}"; + virtual_mailbox_domains = toFile "vhosts" (concatStringsSep "\n" mailConfig.domains); + virtual_mailbox_maps = sendingReceivingAliasesMappedFile; + virtual_alias_maps = sendingReceivingAliasesMappedFile; virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp"; lmtp_destination_recipient_limit = "1"; @@ -124,12 +111,10 @@ in { "reject_unauth_destination" ]; - policy-spf_time_limit = "3600s"; + policy-spf_time_limit = mkIf (mailConfig.spf.enable) "3600s"; - smtpd_recipient_restrictions = [ - #"check_recipient_access ${mappedFile "denied_recipients"}" - #"check_recipient_access ${mappedFile "reject_recipients"}" - "check_policy_service unix:private/policy-spf" + smtpd_recipient_restrictions = flatten [ + (optional mailConfig.spf.enable "check_policy_service unix:private/policy-spf") ]; smtpd_tls_security_level = "may"; 
@@ -161,11 +146,14 @@ in { milter_default_action = "quarantine"; - smtpd_milters = [ - "unix:/run/opendkim/opendkim.sock" - "unix:/run/rspamd/rspamd-milter.sock" + smtpd_milters = flatten [ + (optional mailConfig.dkim.enable "unix:/run/opendkim/opendkim.sock") + (optional mailConfig.rspamd.enable "unix:/run/rspamd/rspamd-milter.sock") + ]; + + non_smtpd_milters = flatten [ + (optional mailConfig.dkim.enable "unix:/run/opendkim/opendkim.sock") ]; - non_smtpd_milters = ["unix:/run/opendkim/opendkim.sock"]; milter_protocol = "6"; milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}"; @@ -180,15 +168,17 @@ in { # D => Delivered-To, O => X-Original-To, R => Return-Path args = ["flags=O"]; }; - "policy-spf" = { + "policy-spf" = mkIf (mailConfig.spf.enable) { type = "unix"; privileged = true; chroot = false; command = "spawn"; - args = [ + args = let + policydConfig = toFile "policyd-spf.conf" mailConfig.spf.policydConfig; + in [ "user=nobody" "argv=${pkgs.pypolicyd-spf}/bin/policyd-spf" - "${policyd-spf}" + "${policydConfig}" ]; }; "submission-header-cleanup" = { @@ -197,7 +187,16 @@ in { chroot = false; maxproc = 0; command = "cleanup"; - args = ["-o" "header_checks=pcre:${submissionHeaderCleanupRules}"]; + args = let + submissionHeaderCleanupRules = toFile "submission_header_cleanup_rules" '' + /^Received:/ IGNORE + /^X-Originating-IP:/ IGNORE + /^X-Mailer:/ IGNORE + /^User-Agent:/ IGNORE + /^X-Enigmail:/ IGNORE + /^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@${mailConfig.fqdn}> + ''; + in ["-o" "header_checks=pcre:${submissionHeaderCleanupRules}"]; }; }; }; diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/rspamd.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/rspamd.nix index be9ae1e..91f3caa 100644 --- a/hosts/hetzner-vm/containers/mail/modules/mailserver/rspamd.nix +++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/rspamd.nix 
@@ -3,16 +3,17 @@ lib, ... }: let - mail_config = config.services.mailserver; + inherit (lib.modules) mkIf; + + mailConfig = config.services.mailserver; - postfixCfg = config.services.postfix; rspamdCfg = config.services.rspamd; rspamdSocket = "rspamd.service"; in { - config = lib.mkIf (mail_config.enable) { + config = mkIf (mailConfig.enable && mailConfig.rspamd.enable) { services.rspamd = { enable = true; - debug = mail_config.debug_mode; + debug = mailConfig.debugMode; locals = { "milter_headers.conf" = { text = '' @@ -21,7 +22,7 @@ in { }; "redis.conf" = { text = '' - servers = "127.0.0.1:${toString mail_config.rspamd_redis_port}"; + servers = "127.0.0.1:${toString mailConfig.rspamd.redisPort}"; ''; }; "classifier-bayes.conf" = { @@ -82,7 +83,7 @@ in { services.redis.servers.rspamd = { enable = true; - port = mail_config.rspamd_redis_port; + port = mailConfig.rspamd.redisPort; }; systemd.services.rspamd = { @@ -95,6 +96,6 @@ in { requires = [rspamdSocket]; }; - users.extraUsers.${postfixCfg.user}.extraGroups = [rspamdCfg.group]; + users.extraUsers.postfix.extraGroups = [rspamdCfg.group]; }; } diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/ssl.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/ssl.nix index c7d7a61..575646a 100644 --- a/hosts/hetzner-vm/containers/mail/modules/mailserver/ssl.nix +++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/ssl.nix 
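Review bot: `users.extraUsers.postfix.extraGroups = [rspamdCfg.group]` replaces `${postfixCfg.user}` with a hardcoded user name (and deletes the `postfixCfg` binding), so the group membership that lets Postfix open `/run/rspamd/rspamd-milter.sock` silently stops applying if `services.postfix.user` is ever changed; `users.users.${config.services.postfix.user}.extraGroups = [rspamdCfg.group];` keeps it tied to the real user, and `users.users` is the current name of the deprecated `users.extraUsers` alias. The Redis server rspamd talks to on `127.0.0.1:${toString mailConfig.rspamd.redisPort}` is unauthenticated; that is only acceptable while nothing untrusted runs in this container, which is worth a one-line comment beside `servers = ...` so the assumption survives the next refactor.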
@@ -3,22 +3,24 @@ lib, ... }: let - mail_config = config.services.mailserver; + inherit (lib.modules) mkIf; + + mailConfig = config.services.mailserver; acmeRoot = "/var/lib/acme/acme-challenge"; in { - config = lib.mkIf (mail_config.enable && mail_config.ssl_config.useACME) { + config = mkIf (mailConfig.enable && mailConfig.sslConfig.useACME) { services.nginx = { enable = true; - virtualHosts."${mail_config.fqdn}" = { - serverName = mail_config.fqdn; - serverAliases = mail_config.domains; + virtualHosts."${mailConfig.fqdn}" = { + serverName = mailConfig.fqdn; + serverAliases = mailConfig.domains; forceSSL = true; enableACME = true; acmeRoot = acmeRoot; }; }; - security.acme.certs."${mail_config.fqdn}" = { + security.acme.certs."${mailConfig.fqdn}" = { reloadServices = ["postfix.service" "dovecot2.service"]; }; }; diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/vmail.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/vmail.nix index 44a4e42..f0689a0 100644 --- a/hosts/hetzner-vm/containers/mail/modules/mailserver/vmail.nix +++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/vmail.nix 
@@ -4,70 +4,68 @@ lib, ... }: let - mail_config = config.services.mailserver; + inherit (lib.modules) mkIf; + inherit (lib.strings) concatStringsSep; + inherit (lib.attrsets) mapAttrsToList; - vmail_config = mail_config.vmail_config; - vmail_user = vmail_config.user; - vmail_group = vmail_config.group; + mailConfig = config.services.mailserver; - sieve_directory = mail_config.sieve_directory; + vmail = mailConfig.vmail; + vmailUser = vmail.user; + vmailGroup = vmail.group; + + sieveDirectory = mailConfig.sieveDirectory; + + scriptForUser = name: config: + if builtins.isString config.sieveScript + then '' + cat ${builtins.toFile "default.sieve" config.sieveScript} > "${sieveDirectory}/${name}/default.sieve" + chown "${vmailUser}:${vmailGroup}" "${sieveDirectory}/${name}/default.sieve" + '' + else '' + if [ -f "${sieveDirectory}/${name}/default.sieve" ]; then + rm "${sieveDirectory}/${name}/default.sieve" + fi + if [ -f "${sieveDirectory}/${name}.svbin" ]; then + rm "${sieveDirectory}/${name}/default.svbin" + fi + ''; virtualMailUsersActivationScript = pkgs.writeScript "activate-virtual-mail-users" '' #!${pkgs.stdenv.shell} set -euo pipefail - # Create directory to store user sieve scripts if it doesn't exist - if (! test -d "${sieve_directory}"); then - mkdir "${sieve_directory}" - chown "${vmail_user}:${vmail_group}" "${sieve_directory}" - chmod 770 "${sieve_directory}" - fi - - # Copy user's sieve script to the correct location (if it exists). If it - # is null, remove the file. - ${lib.concatMapStringsSep "\n" ({ - name, - sieveScript, - }: - if lib.isString sieveScript - then '' - if (! 
test -d "${sieve_directory}/${name}"); then - mkdir -p "${sieve_directory}/${name}" - chown "${vmail_user}:${vmail_group}" "${sieve_directory}/${name}" - chmod 770 "${sieve_directory}/${name}" - fi - cat << 'EOF' > "${sieve_directory}/${name}/default.sieve" - ${sieveScript} - EOF - chown "${vmail_user}:${vmail_group}" "${sieve_directory}/${name}/default.sieve" - '' - else '' - if (test -f "${sieve_directory}/${name}/default.sieve"); then - rm "${sieve_directory}/${name}/default.sieve" - fi - if (test -f "${sieve_directory}/${name}.svbin"); then - rm "${sieve_directory}/${name}/default.svbin" - fi - '') (map (user: {inherit (user) name sieveScript;}) - (lib.attrValues mail_config.accounts))} + ${concatStringsSep "\n" (mapAttrsToList (name: config: scriptForUser name config) mailConfig.accounts)} ''; in { - config = lib.mkIf (mail_config.enable) { - users.users."${vmail_user}" = { + config = mkIf (mailConfig.enable) { + users.users."${vmailUser}" = { isSystemUser = true; - home = vmail_config.directory; + home = vmail.directory; createHome = true; - uid = vmail_config.user_id; - group = "${vmail_group}"; + uid = vmail.userID; + group = "${vmailGroup}"; }; - users.groups."${vmail_group}" = {gid = vmail_config.group_id;}; + + users.groups."${vmailGroup}" = { + gid = vmail.groupID; + }; + + systemd.tmpfiles.rules = + [ + "d '${sieveDirectory}' - ${vmailUser} ${vmailGroup} - -" + ] + ++ (map ( + email: "d '${sieveDirectory}/${email}' 770 ${vmailUser} ${vmailGroup} - -" + ) (builtins.attrNames mailConfig.accounts)); + systemd.services.activate-virtual-mail-users = { wantedBy = ["multi-user.target"]; before = ["dovecot2.service"]; - serviceConfig = {ExecStart = virtualMailUsersActivationScript;}; + serviceConfig.ExecStart = virtualMailUsersActivationScript; enable = true; }; }; diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/webmail.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/webmail.nix index e38e194..77fa9a3 100644 
--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/webmail.nix +++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/webmail.nix @@ -3,25 +3,32 @@ lib, ... }: let - mail_config = config.services.mailserver; + inherit (lib.modules) mkIf mkForce; + + mailConfig = config.services.mailserver; in { - config = lib.mkIf (mail_config.enable && mail_config.enable_roundcube) { + config = mkIf (mailConfig.enable && mailConfig.roundcube.enable) { services.roundcube = { enable = true; - hostName = "${mail_config.roundcube_url}"; + package = mailConfig.roundcube.package; + plugins = + mailConfig.roundcube.plugins + ++ [ + "managesieve" + ]; + hostName = "${mailConfig.roundcube.domain}"; extraConfig = '' - $config['smtp_server'] = "tls://${mail_config.fqdn}"; + $config['smtp_server'] = "tls://${mailConfig.fqdn}"; $config['smtp_user'] = "%u"; $config['smtp_pass'] = "%p"; - $config['plugins'] = ["managesieve"]; - $config['managesieve_host'] = 'tls://${mail_config.fqdn}'; - ${mail_config.extra_roundcube_config} + $config['managesieve_host'] = 'tls://${mailConfig.fqdn}'; + ${mailConfig.roundcube.extraConfig} ''; }; - services.nginx.virtualHosts."${mail_config.roundcube_url}" = { - forceSSL = mail_config.force_roundcube_ssl; - enableACME = mail_config.force_roundcube_acme; + services.nginx.virtualHosts."${mailConfig.roundcube.domain}" = { + forceSSL = mkForce mailConfig.roundcube.forceSSL; + enableACME = mkForce mailConfig.roundcube.enableACME; }; }; } diff --git a/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix b/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix index e6268f2..8f0caeb 100644 --- a/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix +++ b/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix 
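Review bot: `forceSSL = mkForce mailConfig.roundcube.forceSSL` and `enableACME = mkForce mailConfig.roundcube.enableACME` override the `forceSSL = true; enableACME = true;` that ssl.nix sets on the same vhost whenever `roundcube.domain` is left at its default of `cfg.fqdn`, so a configuration with `sslConfig.useACME = true` and `roundcube.forceSSL = false` silently serves the webmail host over plain HTTP instead of failing with a conflicting-definition error. Dropping the `mkForce` so the two definitions conflict at evaluation, or adding an assertion such as `{ assertion = cfg.roundcube.domain != cfg.fqdn || !cfg.sslConfig.useACME || cfg.roundcube.forceSSL; message = "roundcube.forceSSL must stay on when it shares the ACME vhost"; }`, keeps TLS termination explicit. The profile justifies `forceSSL = false` with `# running in container, passing socket to host`; that reasoning belongs in the `roundcube.forceSSL` option description rather than only at one call site.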
@@ -1,63 +1,67 @@ { pkgs, - host_secrets, + hostSecrets, ... }: let - secrets = host_secrets; + secrets = hostSecrets; in { services.mailserver = { enable = true; fqdn = "mail.owo.monster"; domains = ["owo.monster"]; + debugMode = true; - ssl_config = { + sslConfig = { useACME = false; cert = "/var/lib/acme/mail.owo.monster/fullchain.pem"; key = "/var/lib/acme/mail.owo.monster/key.pem"; }; - enable_roundcube = true; - force_roundcube_ssl = false; - force_roundcube_acme = false; - - debug_mode = true; - - extra_roundcube_config = '' - $config['session_lifetime'] = (60 * 24 * 7 * 2); # 2 Weeks - $config['product_name'] = 'Chaos Mail'; - $config['username_domain'] = "owo.monster"; - $config['username_domain_forced'] = true; - $config['log_driver'] = 'syslog'; - $config['smtp_debug'] = true; - ''; - - extra_aliases_file = "${secrets.private_mail_aliases.path}"; + rspamd.enable = true; + spf.enable = false; accounts = { "chaos@owo.monster" = { - name = "chaos@owo.monster"; - passwordFile = "${secrets.chaos_mail_passwd.path}"; + passwordHashFile = "${secrets.chaos_mail_passwd.path}"; aliases = [ "all@owo.monster" "chaoticryptidz@owo.monster" ]; - sieveScript = null; }; "system@owo.monster" = { - name = "system@owo.monster"; - passwordFile = "${secrets.system_mail_passwd.path}"; - aliases = []; - sieveScript = null; + passwordHashFile = "${secrets.system_mail_passwd.path}"; }; "gotosocial@owo.monster" = { - name = "gotosocial@owo.monster"; - passwordFile = "${secrets.gotosocial_mail_passwd.path}"; - aliases = []; - sieveScript = null; + passwordHashFile = "${secrets.gotosocial_mail_passwd.path}"; }; }; + + extraAliasesFile = "${secrets.private_mail_aliases.path}"; + + roundcube = { + enable = true; + + package = pkgs.roundcube.withPlugins (_plugins: + with pkgs.roundcubePlugins; [ + persistent_login + ]); + plugins = ["persistent_login"]; + + # running in container, passing socket to host + forceSSL = false; + enableACME = false; + + extraConfig = '' + 
$config['session_lifetime'] = (60 * 24 * 7 * 2); # 2 Weeks + $config['product_name'] = 'Chaos Mail'; + $config['username_domain'] = "owo.monster"; + $config['username_domain_forced'] = true; + $config['log_driver'] = 'syslog'; + $config['smtp_debug'] = true; + ''; + }; }; systemd.tmpfiles.rules = [ @@ -68,15 +72,9 @@ in { "/var/sockets" ]; - services.roundcube = { - package = pkgs.roundcube.withPlugins (_plugins: - with pkgs.roundcubePlugins; [ - persistent_login - ]); - plugins = ["persistent_login"]; - }; - services.nginx.virtualHosts."mail.owo.monster" = { + # running in privateNetwork + # required so nginx doesn't try listening on port 80 listen = [ { addr = "127.0.0.1"; diff --git a/hosts/hetzner-vm/containers/mail/profiles/restic.nix b/hosts/hetzner-vm/containers/mail/profiles/restic.nix index a8d432c..77e5632 100644 --- a/hosts/hetzner-vm/containers/mail/profiles/restic.nix +++ b/hosts/hetzner-vm/containers/mail/profiles/restic.nix @@ -1,11 +1,11 @@ { pkgs, config, - host_secrets, + hostSecrets, ... }: let - secrets = host_secrets; - mail_config = config.services.mailserver; + secrets = hostSecrets; + mailConfig = config.services.mailserver; backupPrepareCommand = "${ (pkgs.writeShellScriptBin "backupPrepareCommand" '' systemctl start postgresqlBackup-roundcube --wait @@ -27,9 +27,9 @@ in { paths = [ "/var/backup/postgresql" - mail_config.vmail_config.directory - mail_config.sieve_directory - mail_config.dkim_directory + mailConfig.vmail.directory + mailConfig.sieveDirectory + mailConfig.dkim.directory "/var/lib/redis-rspamd" ]; diff --git a/hosts/hetzner-vm/containers/music/data/ports.nix b/hosts/hetzner-vm/containers/music/data/ports.nix index eb14726..c8e15c5 100644 --- a/hosts/hetzner-vm/containers/music/data/ports.nix +++ b/hosts/hetzner-vm/containers/music/data/ports.nix @@ -1,4 +1,4 @@ -{}: { +{ mpd = 6600; mpd-opus-low = 4242; mpd-opus-medium = 4243; 
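Review bot: `debugMode = true;` and, in the roundcube block, `$config['smtp_debug'] = true;` together with `$config['log_driver'] = 'syslog'` stay enabled in this production profile; Roundcube's SMTP debug log typically records the whole SMTP dialogue including the AUTH exchange, so users' mail credentials end up base64-encoded in the journal. Turn both off here, or gate them behind an option that is only set while troubleshooting. `spf.enable = false;` is new and carries no reason; a short comment on why inbound SPF checking is disabled would help the next reader. The accounts also move from `passwordFile` to `passwordHashFile` while the referenced secrets keep their names (`chaos_mail_passwd` and friends), so it is worth confirming those files now contain hashes rather than the plaintext the old option name implied.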
diff --git a/hosts/hetzner-vm/containers/music/default.nix b/hosts/hetzner-vm/containers/music/default.nix index f6bbaea..9168698 100644 --- a/hosts/hetzner-vm/containers/music/default.nix +++ b/hosts/hetzner-vm/containers/music/default.nix @@ -1,4 +1,6 @@ { + self, + hostPath, tree, lib, inputs, @@ -6,46 +8,43 @@ pkgs, ... }: let - container-addresses = import ../../data/container-addresses.nix {}; - hostIP = container-addresses.host; - containerIP = container-addresses.containers.music; + inherit (lib.modules) mkMerge; + inherit (lib.lists) forEach; + + containerAddresses = import "${hostPath}/data/containerAddresses.nix"; + + hostIP = containerAddresses.host; + containerIP = containerAddresses.containers.${containerName}; + + containerName = "music"; + containerConfig = config.containers.${containerName}.config; + + containerLib = import "${self}/lib/containerLib.nix" { + inherit lib; + }; # Using secrets from Host secrets = config.services.secrets.secrets; - - ports = import ./data/ports.nix {}; -in { - networking.nat.forwardPorts = [ - { - sourcePort = ports.mpd; - destination = "${containerIP}\:${toString ports.mpd}"; - } - { - sourcePort = ports.slskd; - destination = "${containerIP}\:${toString ports.slskd}"; - } + secretsList = [ + "mpd_control_password" + "slskd_env" ]; + ports = import ./data/ports.nix; +in { containers.music = { autoStart = true; privateNetwork = true; hostAddress = hostIP; localAddress = containerIP; - bindMounts = lib.mkMerge (lib.forEach [ - "mpd_control_password" - "slskd_env" - ] (secret_name: let - path = "${secrets.${secret_name}.path}"; - in { - "${path}" = { - hostPath = "${path}"; - }; - })); + bindMounts = containerLib.genBindHostsForSecrets secrets secretsList; specialArgs = { inherit inputs; inherit tree; - host_secrets = secrets; + inherit self; + inherit hostPath; + hostSecrets = secrets; }; config = {config, ...}: { 
@@ -53,40 +52,35 @@ in { imports = with tree; [ - profiles.base - inputs.home-manager-unstable.nixosModules.home-manager - + presets.nixos.containerBase profiles.sshd + profiles.firewallAllow.ssh + profiles.nginx - - modules.nixos.secrets - - users.root + profiles.firewallAllow.httpCommon ] ++ (with hosts.hetzner-vm.containers.music; [ - profiles.music-sync profiles.mpd + profiles.musicSync profiles.soulseek ]); + networking.firewall.allowedTCPPorts = with ports; [ + mpd + mpd-opus-low + mpd-opus-medium + mpd-opus-high + mpd-flac + slskd + slskd-web + ]; + # For Shared Secrets systemd.tmpfiles.rules = [ "d ${config.services.secrets.secretsDir} - root root" ]; - networking.firewall = { - enable = true; - allowedTCPPorts = [22] ++ lib.mapAttrsToList (_name: value: value) ports; - }; - - home-manager.users.root = { - imports = with tree; [home.base home.dev.small]; - home.stateVersion = "23.05"; - }; - - # Manually configure nameserver. Using resolved inside the container seems to fail - # currently - environment.etc."resolv.conf".text = "nameserver 8.8.8.8"; + home-manager.users.root.home.stateVersion = "23.05"; system.stateVersion = "23.05"; }; }; @@ -108,7 +102,7 @@ in { in { forceSSL = true; enableACME = true; - locations = lib.mkMerge ([ + locations = mkMerge ([ { "/mpd/flac" = { proxyPass = "http://${containerIP}:${toString ports.mpd-flac}"; @@ -116,7 +110,7 @@ in { }; } ] - ++ (lib.forEach ["low" "medium" "high"] (quality: { + ++ (forEach ["low" "medium" "high"] (quality: { "/mpd/opus-${quality}" = { proxyPass = "http://${containerIP}:${toString ports."mpd-opus-${quality}"}"; inherit extraConfig; 
@@ -126,15 +120,28 @@ in { # For permissions of secrets users.users."mpd" = { - uid = config.ids.uids.mpd; + uid = containerConfig.ids.uids.mpd; group = "mpd"; }; users.groups."mpd" = { - gid = config.ids.gids.mpd; + gid = containerConfig.ids.gids.mpd; }; - networking.firewall.allowedTCPPorts = with ports; [ - mpd - slskd - ]; + networking = { + nat.forwardPorts = [ + { + sourcePort = ports.mpd; + destination = "${containerIP}\:${toString ports.mpd}"; + } + { + sourcePort = ports.slskd; + destination = "${containerIP}\:${toString ports.slskd}"; + } + ]; + + firewall.allowedTCPPorts = with ports; [ + mpd + slskd + ]; + }; } diff --git a/hosts/hetzner-vm/containers/music/profiles/mpd.nix b/hosts/hetzner-vm/containers/music/profiles/mpd.nix index f00ef7f..ea60f26 100644 --- a/hosts/hetzner-vm/containers/music/profiles/mpd.nix +++ b/hosts/hetzner-vm/containers/music/profiles/mpd.nix @@ -1,13 +1,18 @@ { lib, pkgs, - host_secrets, + hostSecrets, ... }: let - ports = import ../data/ports.nix {}; - secrets = host_secrets; + inherit (lib.strings) concatStringsSep; + inherit (lib.lists) forEach; + + ports = import ../data/ports.nix; + secrets = hostSecrets; in { - environment.systemPackages = with pkgs; [mpc_cli]; + environment.systemPackages = with pkgs; [ + mpc_cli + ]; services.mpd = { enable = true; @@ -29,7 +34,7 @@ in { replaygain "track" audio_output_format "44100:16:2" '' - + lib.concatStringsSep "\n" (lib.forEach ["low" "medium" "high"] (quality: let + + concatStringsSep "\n" (forEach ["low" "medium" "high"] (quality: let bitrates = { "low" = "64"; "medium" = "96"; diff --git a/hosts/hetzner-vm/containers/music/profiles/music-sync.nix b/hosts/hetzner-vm/containers/music/profiles/musicSync.nix similarity index 52% rename from hosts/hetzner-vm/containers/music/profiles/music-sync.nix rename to hosts/hetzner-vm/containers/music/profiles/musicSync.nix index 922fb68..b01ab94 100644 --- a/hosts/hetzner-vm/containers/music/profiles/music-sync.nix 
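Review bot: The re-added `nat.forwardPorts` entry for `ports.mpd`, together with `firewall.allowedTCPPorts = with ports; [ mpd slskd ]`, forwards the container's MPD control port straight to the host's public side; MPD's protocol is unencrypted and its `password` directive is the only gate, so whatever `mpd_control_password` grants is reachable from anywhere and the password itself travels in plaintext. If remote control is only needed from your own machines, dropping the `ports.mpd` forward and reaching MPD over the internal WireGuard network or an `ssh -L` tunnel (as the cockroachdb profile in this commit already documents) keeps the nginx-proxied streams public while hiding the control port. This block was only moved within the commit, so the exposure may be pre-existing rather than new; if it is intentional, a comment stating that would save the next reviewer the same question.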
+++ b/hosts/hetzner-vm/containers/music/profiles/musicSync.nix @@ -1,4 +1,20 @@ -{pkgs, ...}: { +{pkgs, ...}: let + inherit (pkgs) writeShellScriptBin; + inherit (builtins) toFile; + + rcloneConfig = toFile "rclone.conf" '' + [Music] + type = webdav + url = https://storage-webdav.owo.monster/MusicRO/ + vendor = other + ''; +in { + environment.systemPackages = [ + (writeShellScriptBin "rclone-music" '' + rclone --config ${rcloneConfig} "$@" + '') + ]; + systemd.tmpfiles.rules = [ "d /Music - mpd mpd" ]; @@ -8,17 +24,11 @@ after = ["network.target"]; partOf = ["mpd.service"]; - path = with pkgs; [bash rclone mount umount]; - script = let - rclone_config = pkgs.writeText "rclone.conf" '' - [Music] - type = webdav - url = https://storage-webdav.owo.monster/MusicRO/ - vendor = other - ''; - in '' + path = with pkgs; [bash rclone]; + + script = '' set -e - rclone --config ${rclone_config} sync Music: /Music + rclone --config ${rcloneConfig} sync Music: /Music chown -R mpd:mpd /Music ''; }; diff --git a/hosts/hetzner-vm/containers/music/profiles/soulseek.nix b/hosts/hetzner-vm/containers/music/profiles/soulseek.nix index bfa46ee..9994e66 100644 --- a/hosts/hetzner-vm/containers/music/profiles/soulseek.nix +++ b/hosts/hetzner-vm/containers/music/profiles/soulseek.nix @@ -1,10 +1,10 @@ { lib, - host_secrets, + hostSecrets, ... }: let - ports = import ../data/ports.nix {}; - secrets = host_secrets; + ports = import ../data/ports.nix; + secrets = hostSecrets; inherit (lib.modules) mkForce; in { diff --git a/hosts/hetzner-vm/containers/piped/data/ports.nix b/hosts/hetzner-vm/containers/piped/data/ports.nix index be26c62..64a13df 100644 --- a/hosts/hetzner-vm/containers/piped/data/ports.nix +++ b/hosts/hetzner-vm/containers/piped/data/ports.nix @@ -1,6 +1,6 @@ -{}: { - piped-backend = 3012; - piped-proxy = 3013; +{ + internal-piped-backend = 3012; + internal-piped-proxy = 3013; cockroachdb = 26257; cockroachdb-http = 3014; 
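Review bot: The new `rclone-music` wrapper calls a bare `rclone`, but nothing in this hunk puts rclone on the user's PATH (the `path = with pkgs; [bash rclone]` in the second hunk applies only to the systemd unit), so the wrapper fails unless rclone is installed some other way; use the store path as the restic wrappers in this commit do, `${pkgs.rclone}/bin/rclone --config ${rcloneConfig} "$@"`. The config produced with `builtins.toFile` lives in the world-readable Nix store, which is fine for this remote because it holds only a URL and `vendor` line and no credentials; a comment to that effect would keep someone from later adding a token to it.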
diff --git a/hosts/hetzner-vm/containers/piped/default.nix b/hosts/hetzner-vm/containers/piped/default.nix index 6e2ad5e..de3fb8f 100644 --- a/hosts/hetzner-vm/containers/piped/default.nix +++ b/hosts/hetzner-vm/containers/piped/default.nix @@ -1,4 +1,6 @@ { + self, + hostPath, tree, lib, inputs, @@ -6,18 +8,23 @@ pkgs, ... }: let - #container-addresses = import ../../data/container-addresses.nix {}; - #hostIP = container-addresses.host; - #containerIP = container-addresses.containers.piped; - containerConfig = config.containers.piped.config; + containerAddresses = import "${hostPath}/data/containerAddresses.nix"; - ports = import ./data/ports.nix {}; + hostIP = containerAddresses.host; + containerIP = containerAddresses.containers.${containerName}; + + containerName = "piped"; + containerConfig = config.containers.${containerName}.config; + + containerLib = import "${self}/lib/containerLib.nix" { + inherit lib; + }; # Using secrets from Host secrets = config.services.secrets.secrets; - secrets_list = [ - "piped_restic_env" - "piped_restic_password" + secretsList = [ + "piped_finland_restic_env" + "piped_finland_restic_password" { name = "piped_cockroachdb_ca_certificate"; path = "/var/lib/cockroachdb-certs/ca.crt"; 
@@ -32,11 +39,51 @@ } ]; - containerName = "piped"; pipedSocketForComponent = ( component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock" ); in { + containers.piped = { + autoStart = true; + privateNetwork = false; + hostAddress = hostIP; + localAddress = containerIP; + bindMounts = containerLib.genBindHostsForSecrets secrets secretsList; + + specialArgs = { + inherit inputs; + inherit tree; + inherit self; + inherit hostPath; + hostSecrets = secrets; + }; + + config = {config, ...}: { + nixpkgs.pkgs = pkgs; + + imports = with tree; + [ + presets.nixos.containerBase + + profiles.nginx + profiles.firewallAllow.httpCommon + ] + ++ (with hosts.hetzner-vm.containers.piped.profiles; [ + piped + restic + cockroachDB + ]); + + # For Shared Secrets + systemd.tmpfiles.rules = [ + "d ${config.services.secrets.secretsDir} - root root" + ]; + + home-manager.users.root.home.stateVersion = "23.05"; + system.stateVersion = "23.05"; + }; + }; + # Create this directory outside the container so the bind mounts work systemd.tmpfiles.rules = [ "d /var/lib/nixos-containers/${containerName}/var/lib/cockroachdb-certs - root root" 
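Review bot: `privateNetwork = false;` is set alongside `hostAddress = hostIP;` and `localAddress = containerIP;`, but as far as I recall those two addresses only take effect when the container has its own network namespace, so here they are dead configuration that suggests an isolation that does not exist. With a shared namespace every bind and firewall rule inside the container (the `0.0.0.0` listeners in the new cockroachDB.nix, `profiles.firewallAllow.httpCommon`) applies to the host's own interfaces; either drop the two address lines or add `# shared host network namespace: in-container listen/firewall settings are host-wide` so the intent is explicit. The new imports list also omits `inputs.piped-flake.nixosModules.default` and `profiles.cockroachdb-bin-fix` that the removed block had; presumably `presets.nixos.containerBase` now provides them, which cannot be verified from this hunk.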
@@ -50,81 +97,6 @@ in { gid = containerConfig.users.groups.cockroachdb.gid; }; - containers.piped = { - autoStart = true; - #privateNetwork = false; - #hostAddress = hostIP; - #localAddress = containerIP; - - bindMounts = lib.mkMerge (lib.forEach secrets_list (secret_item: let - secret = - if builtins.isString secret_item - then secrets.${secret_item} - else secrets.${secret_item.name}; - - hostPath = secret.path; - containerPath = - if builtins.isString secret_item - then hostPath - else secret_item.path; - in { - "${containerPath}" = { - inherit hostPath; - }; - })); - - specialArgs = { - inherit inputs; - inherit tree; - host_secrets = secrets; - }; - - config = {config, ...}: { - nixpkgs.pkgs = pkgs; - - imports = with tree; - [ - profiles.base - inputs.home-manager-unstable.nixosModules.home-manager - - #profiles.sshd - profiles.nginx - profiles.cockroachdb-bin-fix - - modules.nixos.secrets - inputs.piped-flake.nixosModules.default - - users.root - ] - ++ (with hosts.hetzner-vm.containers.piped.profiles; [ - piped - restic - cockroachdb - ]); - - # For Shared Secrets - systemd.tmpfiles.rules = [ - "d ${config.services.secrets.secretsDir} - root root" - ]; - - networking.firewall = { - enable = true; - allowedTCPPorts = [22] ++ (lib.attrValues ports); - }; - - home-manager.users.root = { - imports = with tree; [home.base home.dev.small]; - - home.stateVersion = "23.05"; - }; - - # Manually configure nameserver. Using resolved inside the container seems to fail - # currently - environment.etc."resolv.conf".text = "nameserver 8.8.8.8"; - system.stateVersion = "23.05"; - }; - }; - services.nginx.virtualHosts."piped-fi.owo.monster" = { forceSSL = true; enableACME = true; diff --git a/hosts/hetzner-vm/containers/piped/profiles/cockroachDB.nix b/hosts/hetzner-vm/containers/piped/profiles/cockroachDB.nix new file mode 100644 index 0000000..7206392 --- /dev/null +++ b/hosts/hetzner-vm/containers/piped/profiles/cockroachDB.nix 
@@ -0,0 +1,20 @@
+{self, ...}: let
+ internalWireGuard = import "${self}/data/chaosInternalWireGuard.nix";
+ ports = import ../data/ports.nix;
+in {
+ services.cockroachdb-bin = {
+ enable = true;
+ certsDir = "/var/lib/cockroachdb-certs";
+ join = "localhost:${toString ports.cockroachdb},${internalWireGuard.hosts.raspberry.ip}:26257";
+ # ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 raspberry
+ extraArgs = ["--advertise-addr=${internalWireGuard.hosts.hetzner-vm.ip}:26257"];
+ listen = {
+ port = ports.cockroachdb;
+ address = "0.0.0.0";
+ };
+ http = {
+ address = "0.0.0.0";
+ port = ports.cockroachdb-http;
+ };
+ };
+}
diff --git a/hosts/hetzner-vm/containers/piped/profiles/cockroachdb.nix b/hosts/hetzner-vm/containers/piped/profiles/cockroachdb.nix
deleted file mode 100644
index 20fe48d..0000000
--- a/hosts/hetzner-vm/containers/piped/profiles/cockroachdb.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{...}: let
- ports = import ../data/ports.nix {};
- internal_wireguard = import ../../../../../data/chaos_wireguard_internal.nix {};
-in {
- services.cockroachdb = {
- enable = true;
- certsDir = "/var/lib/cockroachdb-certs";
- join = "localhost:${toString ports.cockroachdb},${internal_wireguard.hosts.raspberry.ip}:26257";
- # ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 hetzner-vm
- listen.port = ports.cockroachdb;
- http = {
- address = "0.0.0.0";
- port = ports.cockroachdb-http;
- };
- };
-}
diff --git a/hosts/hetzner-vm/containers/piped/profiles/piped.nix b/hosts/hetzner-vm/containers/piped/profiles/piped.nix
index bc8c98a..bb0ec13 100644
--- a/hosts/hetzner-vm/containers/piped/profiles/piped.nix
+++ b/hosts/hetzner-vm/containers/piped/profiles/piped.nix
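Review bot: `address = "0.0.0.0";` under both `listen` and `http` binds the SQL port and the admin UI on every interface, while the only peer this node needs to talk to is the raspberry over WireGuard (both `join` and `--advertise-addr` use `internalWireGuard` IPs), and the piped container runs with `privateNetwork = false`, so these are host-wide binds that rely entirely on the host firewall. Binding the SQL listener to the address you already advertise, `address = internalWireGuard.hosts.hetzner-vm.ip;`, and the admin UI to `"127.0.0.1"` (the `ssh -L 3014:127.0.0.1:3014` comment already assumes loopback access) removes that dependency; note the `localhost:` entry in `join` would then need to use the same address. `--advertise-addr=...:26257` also hard-codes the port that `listen.port = ports.cockroachdb` defines; `${toString ports.cockroachdb}` keeps the two in step.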
@@ -1,15 +1,16 @@ {config, ...}: let - ports = import ../data/ports.nix {}; - piped_config = config.services.piped; + ports = import ../data/ports.nix; + pipedConfig = config.services.piped; in { - config.services.piped = { + services.piped = { enable = true; frontendDomain = "piped-fi.owo.monster"; backendDomain = "backend.piped-fi.owo.monster"; proxyDomain = "proxy.piped-fi.owo.monster"; - disableRegistrations = false; + disableRegistrations = true; + # TODO: change these creds to be read from file before opening DB to firewall postgresDBName = "piped"; postgresDBUsername = "piped"; postgresDBPassword = "piped"; 
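Review bot: `postgresDBPassword = "piped";` remains a literal in the module, and the TODO above it ties the fix to "before opening DB to firewall"; but a value like this is most likely rendered by the piped module into a generated config file, which lands in the world-readable `/nix/store`, so the credential is already readable by every local user and by every container sharing that store, firewall or not. If `services.piped` offers a file-based alternative for the password, use it now; otherwise reading the secret at activation through the same bind-mounted secrets mechanism the container already uses is the usual workaround, and the TODO should say that the store exposure, not the firewall, is the trigger. `disableRegistrations = true;` is a sensible change for a publicly reachable frontend.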
@@ -23,43 +24,54 @@ in { # Do not set proxyNginxExtraConfig here as needs be set in outside of container - internalBackendPort = ports.piped-backend; - internalProxyPort = ports.piped-proxy; + internalBackendPort = ports.internal-piped-backend; + internalProxyPort = ports.internal-piped-proxy; }; - config.systemd.tmpfiles.rules = [ + systemd.tmpfiles.rules = [ "d /var/sockets - nginx nginx" ]; - config.systemd.services.nginx.serviceConfig.ReadWritePaths = [ - "/var/sockets" - ]; + systemd.services.nginx = { + serviceConfig.ReadWritePaths = [ + "/var/sockets" + ]; + }; - config.services.nginx.virtualHosts."${piped_config.frontendDomain}" = { - extraConfig = "listen unix:/var/sockets/piped-frontend.sock;"; - listen = [ - { - addr = "127.0.0.1"; - port = 9080; - } - ]; + systemd.services.piped-backend = { + after = ["cockroachdb.service"]; + wants = ["cockroachdb.service"]; }; - config.services.nginx.virtualHosts."${piped_config.backendDomain}" = { - extraConfig = "listen unix:/var/sockets/piped-backend.sock;"; - listen = [ - { - addr = "127.0.0.1"; - port = 9080; - } - ]; - }; - config.services.nginx.virtualHosts."${piped_config.proxyDomain}" = { - extraConfig = "listen unix:/var/sockets/piped-proxy.sock;"; - listen = [ - { - addr = "127.0.0.1"; - port = 9080; - } - ]; + + services.nginx.virtualHosts = let + componentPath = component: "/var/sockets/piped-${component}.sock"; + in { + "${pipedConfig.frontendDomain}" = { + listen = [ + { + addr = "127.0.0.1"; + port = 8091; + } + ]; + extraConfig = "listen unix:${componentPath "frontend"};"; + }; + "${pipedConfig.backendDomain}" = { + extraConfig = "listen unix:${componentPath "backend"};"; + listen = [ + { + addr = "127.0.0.1"; + port = 8092; + } + ]; + }; + "${pipedConfig.proxyDomain}" = { + extraConfig = "listen unix:${componentPath "proxy"};"; + listen = [ + { + addr = "127.0.0.1"; + port = 8093; + } + ]; + }; }; } 
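Review bot: `after = ["cockroachdb.service"]; wants = ["cockroachdb.service"];` on `systemd.services.piped-backend` assumes the database unit's name, but the database in this commit is enabled through `services.cockroachdb-bin` (new cockroachDB.nix), whose unit name is not visible here; if that module emits a differently named unit, systemd only logs a warning for the missing `Wants=` target and piped-backend may start before the DB is up. Confirm the unit name against the module, and consider `requires` or `bindsTo` if piped-backend cannot run without it. Minor style: the frontend vhost lists `listen` before `extraConfig` while the backend and proxy vhosts are the other way round.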
diff --git a/hosts/hetzner-vm/containers/piped/profiles/restic.nix b/hosts/hetzner-vm/containers/piped/profiles/restic.nix index 3d962a7..bdc8fb8 100644 --- a/hosts/hetzner-vm/containers/piped/profiles/restic.nix +++ b/hosts/hetzner-vm/containers/piped/profiles/restic.nix @@ -1,36 +1,32 @@ { pkgs, - host_secrets, + hostSecrets, ... }: let - secrets = host_secrets; - #backupPrepareCommand = "${ - # (pkgs.writeShellScriptBin "backupPrepareCommand" '' - # systemctl start postgresqlBackup-piped --wait - # '') - #}/bin/backupPrepareCommand"; + secrets = hostSecrets; in { environment.systemPackages = with pkgs; [ restic - (pkgs.writeShellScriptBin "restic-piped" '' + (pkgs.writeShellScriptBin "restic-piped-finland" '' env \ - RESTIC_PASSWORD_FILE=${secrets.piped_restic_password.path} \ - $(cat ${secrets.piped_restic_env.path}) \ + RESTIC_PASSWORD_FILE=${secrets.piped_finland_restic_password.path} \ + $(cat ${secrets.piped_finland_restic_env.path}) \ ${pkgs.restic}/bin/restic $@ '') ]; - services.restic.backups.piped = { + services.restic.backups.piped-finland = { user = "root"; paths = [ - #"/var/backup/postgresql" + "/var/lib/cockroachdb" + "/var/lib/cockroachdb-certs" ]; # repository is overrided in environmentFile to contain auth # make sure to keep up to date when changing repository - repository = "rest:https://storage-restic.owo.monster/Piped"; - passwordFile = "${secrets.piped_restic_password.path}"; - environmentFile = "${secrets.piped_restic_env.path}"; + repository = "rest:https://storage-restic.owo.monster/Piped-Finland"; + passwordFile = "${secrets.piped_finland_restic_password.path}"; + environmentFile = "${secrets.piped_finland_restic_env.path}"; pruneOpts = [ "--keep-last 5" @@ -40,14 +36,5 @@ in { OnBootSec = "1m"; OnCalendar = "daily"; }; - - #inherit backupPrepareCommand; }; - - #services.postgresqlBackup = { - # enable = true; - # backupAll = false; - # databases = ["piped"]; - # compression = "zstd"; - #}; } 
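Review bot: `paths` now backs up `/var/lib/cockroachdb` as a live file-system copy with no preparation step (the commented-out `backupPrepareCommand` hook is removed in the second hunk); a CockroachDB data directory copied while the node is running is not guaranteed to be internally consistent, so the restic snapshot may not restore cleanly. CockroachDB's supported route is its own `BACKUP` statement, or for a single node stopping the service around the snapshot, either of which fits the `backupPrepareCommand` slot this profile previously had. `/var/lib/cockroachdb-certs` also puts the node's private keys into the repository; restic encrypts the repository, so this is acceptable, but a comment noting that the certs are deliberately included would help.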
diff --git a/hosts/hetzner-vm/containers/quassel/default.nix b/hosts/hetzner-vm/containers/quassel/default.nix index c70241a..86e5654 100644 --- a/hosts/hetzner-vm/containers/quassel/default.nix +++ b/hosts/hetzner-vm/containers/quassel/default.nix @@ -1,4 +1,6 @@ { + self, + hostPath, tree, lib, inputs, @@ -6,41 +8,34 @@ pkgs, ... }: let - container-addresses = import ../../data/container-addresses.nix {}; - hostIP = container-addresses.host; - containerIP = container-addresses.containers.quassel; + containerAddresses = import "${hostPath}/data/containerAddresses.nix"; + hostIP = containerAddresses.host; + containerIP = containerAddresses.containers.quassel; + + containerLib = import "${self}/lib/containerLib.nix" { + inherit lib; + }; # Using secrets from Host secrets = config.services.secrets.secrets; - secrets_list = [ + secretsList = [ "quassel_restic_env" "quassel_restic_password" ]; in { - networking.nat.forwardPorts = [ - { - sourcePort = 4242; - destination = "${containerIP}\:4242"; - } - ]; - containers.quassel = { autoStart = true; privateNetwork = true; hostAddress = hostIP; localAddress = containerIP; - bindMounts = lib.mkMerge (lib.forEach secrets_list (secret_name: let - path = "${secrets.${secret_name}.path}"; - in { - "${path}" = { - hostPath = "${path}"; - }; - })); + bindMounts = containerLib.genBindHostsForSecrets secrets secretsList; specialArgs = { inherit inputs; inherit tree; - host_secrets = secrets; + inherit self; + inherit hostPath; + hostSecrets = secrets; }; config = {config, ...}: { @@ -48,18 +43,13 @@ in { imports = with tree; [ - profiles.base - inputs.home-manager-unstable.nixosModules.home-manager - + presets.nixos.containerBase profiles.sshd - - modules.nixos.secrets - - users.root + profiles.firewallAllow.ssh ] - ++ (with hosts.hetzner-vm.containers.quassel; [ - profiles.quassel - profiles.restic + ++ (with hosts.hetzner-vm.containers.quassel.profiles; [ + quassel + restic ]); # For Shared Secrets 
@@ -67,23 +57,19 @@ in { "d ${config.services.secrets.secretsDir} - root root" ]; - networking.firewall = { - enable = true; - allowedTCPPorts = [22 4242]; - }; + networking.firewall.allowedTCPPorts = [4242]; - home-manager.users.root = { - imports = with tree; [home.base home.dev.small]; - - home.stateVersion = "23.05"; - }; - - # Manually configure nameserver. Using resolved inside the container seems to fail - # currently - environment.etc."resolv.conf".text = "nameserver 8.8.8.8"; + home-manager.users.root.home.stateVersion = "23.05"; system.stateVersion = "23.05"; }; }; + networking.nat.forwardPorts = [ + { + sourcePort = 4242; + destination = "${containerIP}\:4242"; + } + ]; + networking.firewall.allowedTCPPorts = [4242]; } diff --git a/hosts/hetzner-vm/containers/quassel/profiles/quassel.nix b/hosts/hetzner-vm/containers/quassel/profiles/quassel.nix index 88f22cf..22a7bba 100644 --- a/hosts/hetzner-vm/containers/quassel/profiles/quassel.nix +++ b/hosts/hetzner-vm/containers/quassel/profiles/quassel.nix @@ -4,15 +4,16 @@ interfaces = ["0.0.0.0"]; }; - services.postgresql.enable = true; - services.postgresql.ensureDatabases = ["quassel"]; - services.postgresql.ensureUsers = [ - { - name = "quassel"; - ensurePermissions."DATABASE quassel" = "ALL PRIVILEGES"; - } - ]; + services.postgresql = { + enable = true; + ensureDatabases = ["quassel"]; + ensureUsers = [ + { + name = "quassel"; + ensurePermissions."DATABASE quassel" = "ALL PRIVILEGES"; + } + ]; - services.postgresql.authentication = "host quassel quassel localhost trust"; - networking.firewall.allowedTCPPorts = [4242]; + authentication = "host quassel quassel localhost trust"; + }; } diff --git a/hosts/hetzner-vm/containers/quassel/profiles/restic.nix b/hosts/hetzner-vm/containers/quassel/profiles/restic.nix index 8fe7fed..3819175 100644 --- a/hosts/hetzner-vm/containers/quassel/profiles/restic.nix +++ b/hosts/hetzner-vm/containers/quassel/profiles/restic.nix 
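Review bot: `authentication = "host quassel quassel localhost trust";` lets any process in the container that can open a TCP connection to the PostgreSQL port log in as `quassel` with no credential at all; inside a container that runs only quassel the exposure is contained, but nothing in the file says that this was weighed. A one-line comment stating why `trust` is acceptable here, or switching to password authentication with a secret delivered through the same bind-mount mechanism the container already uses for its restic secrets, would make the decision explicit. The move of `networking.firewall.allowedTCPPorts = [4242];` from this profile into the container definition is fine, since the profile no longer carries a network-level side effect.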
@@ -1,9 +1,9 @@ { pkgs, - host_secrets, + hostSecrets, ... }: let - secrets = host_secrets; + secrets = hostSecrets; backupPrepareCommand = "${ (pkgs.writeShellScriptBin "backupPrepareCommand" '' diff --git a/hosts/hetzner-vm/containers/social/default.nix b/hosts/hetzner-vm/containers/social/default.nix index 3eaa41f..d65deb7 100644 --- a/hosts/hetzner-vm/containers/social/default.nix +++ b/hosts/hetzner-vm/containers/social/default.nix @@ -1,13 +1,15 @@ { + self, + hostPath, tree, inputs, config, pkgs, ... }: let - container-addresses = import ../../data/container-addresses.nix {}; - hostIP = container-addresses.host; - containerIP = container-addresses.containers.social; + containerAddresses = import "${hostPath}/data/containerAddresses.nix"; + hostIP = containerAddresses.host; + containerIP = containerAddresses.containers.social; # Using secrets from Host secrets = config.services.secrets.secrets; @@ -32,7 +34,9 @@ in { specialArgs = { inherit inputs; inherit tree; - host_secrets = secrets; + inherit self; + inherit hostPath; + hostSecrets = secrets; }; config = {config, ...}: { diff --git a/hosts/hetzner-vm/containers/social/profiles/backups.nix b/hosts/hetzner-vm/containers/social/profiles/backups.nix index 5e70ca1..19ef053 100644 --- a/hosts/hetzner-vm/containers/social/profiles/backups.nix +++ b/hosts/hetzner-vm/containers/social/profiles/backups.nix @@ -2,10 +2,13 @@ pkgs, config, lib, - host_secrets, + hostSecrets, ... }: let - secrets = host_secrets; + inherit (lib.strings) concatStringsSep; + inherit (lib.lists) forEach; + + secrets = hostSecrets; # Because gotosocial-admin isn't a seporate package we need to generate a seperate config # and duplicate the wrapper for use in a systemd unit 
@@ -22,8 +25,8 @@ backupPrepareCommand = "${ (pkgs.writeShellScriptBin "backupPrepareCommand" '' systemctl start ${ - lib.concatStringsSep " " - (lib.forEach config.services.postgresqlBackup.databases + concatStringsSep " " + (forEach config.services.postgresqlBackup.databases (db: "postgresqlBackup-${db}")) } --wait diff --git a/hosts/hetzner-vm/containers/social/profiles/gotosocial.nix b/hosts/hetzner-vm/containers/social/profiles/gotosocial.nix index c13ee0b..853fd1a 100644 --- a/hosts/hetzner-vm/containers/social/profiles/gotosocial.nix +++ b/hosts/hetzner-vm/containers/social/profiles/gotosocial.nix @@ -1,9 +1,13 @@ -{host_secrets, ...}: let - container-addresses = import ../../../data/container-addresses.nix {}; - hostIP = container-addresses.host; - containerIP = container-addresses.containers.social; +{ + hostPath, + hostSecrets, + ... +}: let + containerAddresses = import "${hostPath}/data/containerAddresses.nix"; + hostIP = containerAddresses.host; + containerIP = containerAddresses.containers.social; - secrets = host_secrets; + secrets = hostSecrets; in { services.gotosocial = { enable = true; diff --git a/hosts/hetzner-vm/containers/storage/data/ports.nix b/hosts/hetzner-vm/containers/storage/data/ports.nix index 9725698..e2c7780 100644 --- a/hosts/hetzner-vm/containers/storage/data/ports.nix +++ b/hosts/hetzner-vm/containers/storage/data/ports.nix @@ -1,4 +1,4 @@ -{...}: { +{ rclone_serve_webdav_main = 4200; rclone_serve_webdav_media = 4201; rclone_serve_webdav_music_ro = 4202; @@ -7,7 +7,7 @@ rclone_serve_restic_vault = 4211; rclone_serve_restic_social = 4212; rclone_serve_restic_quassel = 4213; - rclone_serve_restic_piped = 4214; + rclone_serve_restic_piped_finland = 4214; rclone_serve_restic_mail = 4215; rclone_serve_http_music = 4220; diff --git a/hosts/hetzner-vm/containers/storage/default.nix b/hosts/hetzner-vm/containers/storage/default.nix index 8cbaa63..c622939 100644 --- a/hosts/hetzner-vm/containers/storage/default.nix 
+++ b/hosts/hetzner-vm/containers/storage/default.nix @@ -1,18 +1,22 @@ { + self, + hostPath, tree, lib, inputs, pkgs, ... }: let - container-addresses = import ../../data/container-addresses.nix {}; - hostIP = container-addresses.host; - containerIP = container-addresses.containers.storage; + inherit (lib.attrsets) attrValues; + + containerAddresses = import "${hostPath}/data/containerAddresses.nix"; + hostIP = containerAddresses.host; + containerIP = containerAddresses.containers.storage; # 32GB clientMaxBodySize = "${toString (8192 * 4)}M"; - ports = import ./data/ports.nix {}; + ports = import ./data/ports.nix; in { containers.storage = { autoStart = true; @@ -23,6 +27,8 @@ in { specialArgs = { inherit inputs; inherit tree; + inherit self; + inherit hostPath; }; config = {...}: { @@ -43,14 +49,11 @@ in { users.root ] - ++ (with hosts.hetzner-vm.containers.storage; [ - profiles.auto-secrets - profiles.rclone-configs - profiles.rclone-serve - profiles.rclone-sync - # doesn't work in container - # profiles.storage-mount - profiles.users + ++ (with hosts.hetzner-vm.containers.storage.profiles; [ + rcloneConfigs + rcloneServe + rcloneSync + users ]); environment.systemPackages = with pkgs; [rclone]; @@ -63,7 +66,7 @@ in { networking.firewall = { enable = true; - allowedTCPPorts = [22] ++ lib.mapAttrsToList (_name: value: value) ports; + allowedTCPPorts = attrValues ports; }; # Manually configure nameserver. Using resolved inside the container seems to fail 
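Review bot: `allowedTCPPorts = attrValues ports;` drops the `22` that the old expression prepended, and unlike the music and quassel containers in this commit this file does not add `profiles.firewallAllow.ssh` anywhere in its imports; if `profiles.sshd` is still imported for the storage container — not visible in these hunks — SSH into it is now blocked. Either add the allow profile or a comment stating that the container is intentionally unreachable over SSH. The preceding hunk also removes `profiles.auto-secrets` from the imports while `auto-secrets.service` is still referenced from rcloneServe.nix in this same commit, so the two files should be reconciled.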
@@ -106,7 +109,7 @@ in {
 "/Vault/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_vault}";
 "/Social/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_social}";
 "/Quassel/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_quassel}";
- "/Piped/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped}";
+ "/Piped-Finland/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped_finland}";
 "/Mail/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_mail}";
 };
 extraConfig = ''
diff --git a/hosts/hetzner-vm/containers/storage/profiles/auto-secrets.nix b/hosts/hetzner-vm/containers/storage/profiles/auto-secrets.nix
deleted file mode 100644
index 26a945e..0000000
--- a/hosts/hetzner-vm/containers/storage/profiles/auto-secrets.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- pkgs,
- config,
- ...
-}: let
- secrets = config.services.secrets.secrets;
-in {
- systemd.services.auto-secrets = {
- wantedBy = ["multi-user.target"];
- after = ["network.target"];
- path = with pkgs; [bash vault-bin getent];
- script = let
- vault_username = "storage";
- vault_password_file = "${secrets.vault_password.path}";
- in ''
- VAULT_ADDR="https://vault.owo.monster" \
- vault login -no-print -method=userpass username=${vault_username} password=$(cat ${vault_password_file})
- /run/current-system/sw/bin/secrets-init
- '';
- };
-}
diff --git a/hosts/hetzner-vm/containers/storage/profiles/rclone-configs.nix b/hosts/hetzner-vm/containers/storage/profiles/rcloneConfigs.nix
similarity index 100%
rename from hosts/hetzner-vm/containers/storage/profiles/rclone-configs.nix
rename to hosts/hetzner-vm/containers/storage/profiles/rcloneConfigs.nix
diff --git a/hosts/hetzner-vm/containers/storage/profiles/rclone-serve.nix b/hosts/hetzner-vm/containers/storage/profiles/rcloneServe.nix
similarity index 78%
rename from hosts/hetzner-vm/containers/storage/profiles/rclone-serve.nix
rename to hosts/hetzner-vm/containers/storage/profiles/rcloneServe.nix
index b539657..e9901b1 100644
--- a/hosts/hetzner-vm/containers/storage/profiles/rclone-serve.nix
+++ b/hosts/hetzner-vm/containers/storage/profiles/rcloneServe.nix
@@ -1,6 +1,6 @@
 {config, ...}: let
 secrets = config.services.secrets.secrets;
- ports = import ../data/ports.nix {};
+ ports = import ../data/ports.nix;
 in {
 systemd.tmpfiles.rules = [
 "d /caches - storage storage"
@@ -8,16 +8,20 @@ in {
 "d /caches/media_webdav_serve - storage storage"
 ];
- services.rclone-serve = let
- serviceConfig = {
- after = ["auto-secrets.service"];
- partOf = ["auto-secrets.service"];
- };
- in {
+ services.rclone-serve = {
 enable = true;
- remotes = [
+ remotes = map (remote:
 {
 user = "storage";
+ serviceConfig = {
+ after = ["auto-secrets.service"];
+ wants = ["auto-secrets.service"];
+ partOf = ["auto-secrets.service"];
+ };
+ }
+ // remote) [
+ {
+ id = "main";
 remote = "StorageBox:";
 type = "webdav";
 extraArgs = [
@@ -27,10 +31,9 @@ in {
 "--cache-dir=/caches/main_webdav_serve"
 "--vfs-cache-mode=full"
 ];
- inherit serviceConfig;
 }
 {
- user = "storage";
+ id = "media-combine";
 remote = "Media-Combine-Serve:";
 type = "webdav";
 extraArgs = [
@@ -42,10 +45,9 @@ in {
 "--vfs-cache-max-size=5g"
 "--vfs-cache-mode=full"
 ];
- inherit serviceConfig;
 }
 {
- user = "storage";
+ id = "music-ro";
 remote = "StorageBox:Music";
 type = "webdav";
 extraArgs = [
@@ -53,10 +55,9 @@ in {
 "--read-only"
 "--baseurl=/MusicRO/"
 ];
- inherit serviceConfig;
 }
 {
- user = "storage";
+ id = "music-ro";
 remote = "StorageBox:Music";
 type = "http";
 extraArgs = [
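Review bot: Two remotes in this file get `id = "music-ro"` — the webdav one in the `@@ -42,10 +45,9 @@` hunk and the http one in the `@@ -53,10 +55,9 @@` hunk — so if the rclone-serve module derives the unit or cache name from `id`, the second entry collides with or silently overrides the first. Give the http variant its own id, e.g. `id = "music-http";`. Whether `id` must be unique is decided by the module, which is not in the diff, but every other entry here is unique so the duplicate reads as a copy-paste slip.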
@@ -64,10 +65,9 @@ in {
 "--baseurl=/Music/"
 "--read-only"
 ];
- inherit serviceConfig;
 }
 {
- user = "storage";
+ id = "public";
 remote = "StorageBox:Public";
 type = "http";
 extraArgs = [
@@ -75,10 +75,9 @@ in {
 "--baseurl=/Public/"
 "--read-only"
 ];
- inherit serviceConfig;
 }
 {
- user = "storage";
+ id = "restic-music";
 remote = "StorageBox:Backups/Restic/Music";
 type = "restic";
 extraArgs = [
@@ -86,10 +85,9 @@ in {
 "--htpasswd=${secrets.restic_music_htpasswd.path}"
 "--baseurl=/Music/"
 ];
- inherit serviceConfig;
 }
 {
- user = "storage";
+ id = "restic-vault";
 remote = "StorageBox:Backups/Restic/Vault";
 type = "restic";
 extraArgs = [
@@ -97,10 +95,9 @@ in {
 "--htpasswd=${secrets.restic_vault_htpasswd.path}"
 "--baseurl=/Vault/"
 ];
- inherit serviceConfig;
 }
 {
- user = "storage";
+ id = "restic-social";
 remote = "StorageBox:Backups/Restic/Social";
 type = "restic";
 extraArgs = [
@@ -108,10 +105,9 @@ in {
 "--htpasswd=${secrets.restic_social_htpasswd.path}"
 "--baseurl=/Social/"
 ];
- inherit serviceConfig;
 }
 {
- user = "storage";
+ id = "restic-quassel";
 remote = "StorageBox:Backups/Restic/Quassel";
 type = "restic";
 extraArgs = [
@@ -119,21 +115,19 @@ in {
 "--htpasswd=${secrets.restic_quassel_htpasswd.path}"
 "--baseurl=/Quassel/"
 ];
- inherit serviceConfig;
 }
 {
- user = "storage";
- remote = "StorageBox:Backups/Restic/Piped";
+ id = "restic-piped-finland";
+ remote = "StorageBox:Backups/Restic/Piped-Finland";
 type = "restic";
 extraArgs = [
- "--addr=0.0.0.0:${toString ports.rclone_serve_restic_piped}"
- "--htpasswd=${secrets.restic_piped_htpasswd.path}"
- "--baseurl=/Piped/"
+ "--addr=0.0.0.0:${toString ports.rclone_serve_restic_piped_finland}"
+ "--htpasswd=${secrets.restic_piped_finland_htpasswd.path}"
+ "--baseurl=/Piped-Finland/"
 ];
- inherit serviceConfig;
 }
 {
- user = "storage";
+ id = "restic-mail";
 remote = "StorageBox:Backups/Restic/Mail";
 type = "restic";
 extraArgs = [
@@ -141,7 +135,6 @@ in {
 "--htpasswd=${secrets.restic_mail_htpasswd.path}"
 "--baseurl=/Mail/"
 ];
- inherit serviceConfig;
 }
 ];
 };
diff --git a/hosts/hetzner-vm/containers/storage/profiles/rclone-sync.nix b/hosts/hetzner-vm/containers/storage/profiles/rcloneSync.nix
similarity index 81%
rename from hosts/hetzner-vm/containers/storage/profiles/rclone-sync.nix
rename to hosts/hetzner-vm/containers/storage/profiles/rcloneSync.nix
index 7621e20..706fe30 100644
--- a/hosts/hetzner-vm/containers/storage/profiles/rclone-sync.nix
+++ b/hosts/hetzner-vm/containers/storage/profiles/rcloneSync.nix
@@ -1,19 +1,22 @@
-{lib, ...}: {
- services.rclone-sync = let
- sync_defaults = {
- serviceConfig = {after = ["auto-secrets.service"];};
- timerConfig = {
- OnStartupSec = "60";
- OnCalendar = "4h";
- };
- extraArgs = [
- "--fast-list"
- ];
- };
- in {
+{...}: {
+ services.rclone-sync = {
 enable = true;
 user = "storage";
- sync_jobs = map (x: lib.mkMerge [x sync_defaults]) [
+ syncJobs = map (syncJob:
+ syncJob
+ // {
+ serviceConfig = {
+ after = ["auto-secrets.service"];
+ wants = ["auto-secrets.service"];
+ };
+ timerConfig = {
+ OnStartupSec = "60";
+ OnCalendar = "4h";
+ };
+ extraArgs = [
+ "--fast-list"
+ ];
+ }) [
 # My B2
 {
 source = "StorageBox:Backups";
diff --git a/hosts/hetzner-vm/containers/storage/profiles/storage-mount.nix b/hosts/hetzner-vm/containers/storage/profiles/storage-mount.nix
deleted file mode 100644
index da31e60..0000000
--- a/hosts/hetzner-vm/containers/storage/profiles/storage-mount.nix
+++ /dev/null
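Review bot: In `syncJobs = map (syncJob: syncJob // { … })` the defaults sit on the right-hand side of `//`, so a job that sets its own `extraArgs`, `serviceConfig` or `timerConfig` has that attribute replaced by the defaults instead of combined with them, whereas the removed `lib.mkMerge [x sync_defaults]` merged both. rcloneServe in this same commit puts the defaults on the left (`{ … } // remote`), so the two profiles now disagree on which side wins. The job list continues past the hunk, so I can't see whether any job sets those attributes today; if one does, derive the defaults from the job instead, e.g. `extraArgs = ["--fast-list"] ++ (syncJob.extraArgs or []);`, and do the same for the two attrsets.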
@@ -1,21 +0,0 @@
-{
- pkgs,
- config,
- ...
-}: let
- secrets = config.services.secrets.secrets;
-in {
- systemd.services.storage-mount = {
- wantedBy = ["multi-user.target"];
- after = ["network.target" "auto-secrets.service"];
- partOf = ["auto-secrets.service"];
-
- path = with pkgs; [bash rclone mount umount];
- script = ''
- set -e
- umount /storage -fl || true
- sleep 2
- rclone --config ${secrets.rclone_config.path} mount StorageBox: /storage --allow-non-empty
- '';
- };
-}
diff --git a/hosts/hetzner-vm/containers/storage/secrets.nix b/hosts/hetzner-vm/containers/storage/secrets.nix
index 1eec6e6..26a82fa 100644
--- a/hosts/hetzner-vm/containers/storage/secrets.nix
+++ b/hosts/hetzner-vm/containers/storage/secrets.nix
@@ -2,10 +2,48 @@
 config,
 pkgs,
 ...
-}: {
+}: let
+ cfg = config.services.secrets;
+in {
 services.secrets = {
 enable = true;
+ vaultLogin = {
+ enable = true;
+ loginUsername = "hetzner-vm-container-storage";
+ loginPasswordFile = cfg.secrets.vault_password.path;
+ };
+
+ autoSecrets = {
+ enable = true;
+ };
+
+ requiredVaultPaths = [
+ "api-keys/data/hetzner/storagebox"
+
+ "api-keys/data/putio"
+
+ "api-keys/data/backblaze/Chaos-Backups"
+ "api-keys/data/backblaze/Chaos-Photos"
+ "api-keys/data/backblaze/Chaos-Music"
+ "api-keys/data/backblaze/Chaos-Personal"
+ "api-keys/data/backblaze/Chaos-Public"
+ "api-keys/data/backblaze/Chaos-Media"
+ "api-keys/data/backblaze/Phoenix-Cryptidz-Storage"
+
+ "api-keys/data/storage/restic/Music"
+ "api-keys/data/storage/restic/Vault"
+ "api-keys/data/storage/restic/Social"
+ "api-keys/data/storage/restic/Quassel"
+ "api-keys/data/storage/restic/Piped-Finland"
+ "api-keys/data/storage/restic/Mail"
+
+ "api-keys/data/storage/webdav/main"
+ "api-keys/data/storage/webdav/media"
+
+ "private-public-keys/data/rclone/Chaos-Media-Crypt"
+ ];
+
 packages = with pkgs; [
 # for music & mail passwd files
 apacheHttpd
@@ -94,12 +132,12 @@
 '';
 };
- restic_piped_htpasswd = {
+ restic_piped_finland_htpasswd = {
 user = "storage";
 group = "storage";
 fetchScript = ''
- username=$(simple_get "/api-keys/storage/restic/Piped" .username)
- password=$(simple_get "/api-keys/storage/restic/Piped" .password)
+ username=$(simple_get "/api-keys/storage/restic/Piped-Finland" .username)
+ password=$(simple_get "/api-keys/storage/restic/Piped-Finland" .password)
 htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
 '';
 };
diff --git a/hosts/hetzner-vm/data/container-addresses.nix b/hosts/hetzner-vm/data/containerAddresses.nix
similarity index 85%
rename from hosts/hetzner-vm/data/container-addresses.nix
rename to hosts/hetzner-vm/data/containerAddresses.nix
index 896c9d9..cda8486 100644
--- a/hosts/hetzner-vm/data/container-addresses.nix
+++ b/hosts/hetzner-vm/data/containerAddresses.nix
@@ -1,4 +1,4 @@
-{}: {
+{
 host = "192.168.100.10";
 containers = {
 storage = "192.168.100.11";
@@ -6,6 +6,5 @@
 music = "192.168.100.13";
 quassel = "192.168.100.14";
 piped = "192.168.100.15";
- mail = "192.168.100.16";
 };
 }
diff --git a/hosts/hetzner-vm/hardware.nix b/hosts/hetzner-vm/hardware.nix
index 8351784..24b42fb 100644
--- a/hosts/hetzner-vm/hardware.nix
+++ b/hosts/hetzner-vm/hardware.nix
@@ -1,9 +1,13 @@
-{modulesPath, ...}: {
- imports = [(modulesPath + "/profiles/qemu-guest.nix")];
+{...}: {
+ boot.loader = {
+ grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+ };
- boot.loader.grub.enable = true;
- boot.loader.grub.device = "/dev/sda";
 boot.initrd.kernelModules = ["nvme"];
+
 fileSystems."/" = {
 device = "/dev/sda1";
 fsType = "ext4";
diff --git a/hosts/hetzner-vm/hetzner-vm.nix b/hosts/hetzner-vm/hetzner-vm.nix
index 9ba7962..5611017 100644
--- a/hosts/hetzner-vm/hetzner-vm.nix
+++ b/hosts/hetzner-vm/hetzner-vm.nix
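Review bot: The `- mail = "192.168.100.16";` removal in containerAddresses.nix lands while hetzner-vm.nix still lists `"mail"` in its container import loop (the `@@ -30,45 +28,10 @@` hunk), so anything in the mail container that still reads `containerAddresses.containers.mail` will fail to evaluate. The mail container's default.nix is part of this commit but not visible here, so this may already be handled; if so, a one-line note in the commit message saying where mail now gets its address would save the next reader the search. The same question applies to hardware.nix dropping the `qemu-guest.nix` import: it is presumably carried by `presets.nixos.serverHetzner`, which is not in the diff.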
@@ -1,27 +1,25 @@
 {
 tree,
 lib,
- pkgs,
- config,
 ...
-}: {
+}: let
+ inherit (lib.lists) forEach;
+in {
 imports = with tree; [
- users.root
+ presets.nixos.serverBase
+ presets.nixos.serverHetzner
- profiles.base
- profiles.sshd
 profiles.nginx
- profiles.nginx-firewall
- profiles.nix-gc
- profiles.cross.arm64
- profiles.chaos-internal-wireguard
+ profiles.firewallAllow.httpCommon
+
+ profiles.cross.arm64
+ profiles.chaosInternalWireGuard
- ./networking.nix
 ./hardware.nix
 ./secrets.nix
 ]
- ++ (lib.forEach [
+ ++ (forEach [
 "social"
 "storage"
 "music"
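Review bot: The `- ./networking.nix` import, together with that file's deletion further down, removes `networking.firewall.enable = true`, `allowedTCPPorts = [22]`, the `resolv.conf` nameserver and the host's static IPv6 address `2a01:4f9:c010:8beb::1/64` with its `fe80::1` gateway, and nothing in this hunk re-declares them. They are presumably carried by `presets.nixos.serverBase` / `presets.nixos.serverHetzner`, neither of which is in the diff; confirm in particular that the firewall is still enabled, since after this change the presets are the only thing between the container NAT and the internet. The static IPv6 address is host-specific, so if `serverHetzner` is meant to be shared it would need to take the address as a parameter rather than hard-code it.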
@@ -30,45 +28,10 @@
 "mail"
 ] (name: ./containers + "/${name}"))
 ++ (with hosts.hetzner-vm.profiles; [
- vaultui
- gitlab-static-sites
- nginx-misc
+ vaultUI
+ gitlabStaticSites
 ]);
- boot.kernel.sysctl = {
- "fs.inotify.max_user_watches" = 1024 * 64 * 4;
- };
-
- environment.systemPackages = with pkgs;
- [
- (pkgs.writeShellScriptBin "journalctl-vaccum-all" ''
- journalctl --vacuum-size=100M
- ${lib.concatStringsSep "\n" (lib.forEach (lib.attrNames config.containers) (name: ''
- journalctl --vacuum-size=100M --root /var/lib/nixos-containers/${name}
- ''))}
- '')
- (pkgs.writeShellScriptBin "systemctl-list-failed-all" ''
- echo "Host: "
- systemctl --failed
- ${lib.concatStringsSep "\n" (lib.forEach (lib.attrNames config.containers) (name: ''
- echo "Container: ${name}"
- systemctl -M ${name} --failed
- ''))}
- '')
- ]
- ++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "journalctl-vaccum-${name}" ''
- journalctl --vacuum-size=100M --root /var/lib/nixos-containers/${name}
- ''))
- ++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "systemctl-machine-${name}" ''
- systemctl -M ${name} $@
- ''))
- ++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "journalctl-machine-${name}" ''
- journalctl -M ${name} $@
- ''))
- ++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "shell-enter-${name}" ''
- machinectl shell ${name}
- ''));
-
 # For Containers
 networking.nat = {
 enable = true;
@@ -76,13 +39,8 @@
 externalInterface = "eth0";
 };
- home-manager.users.root = {
- imports = with tree; [home.base home.dev.small];
- home.stateVersion = "23.05";
- };
-
 networking.hostName = "hetzner-vm";
- time.timeZone = "Europe/London";
+ home-manager.users.root.home.stateVersion = "23.05";
 system.stateVersion = "23.05";
 }
diff --git a/hosts/hetzner-vm/networking.nix b/hosts/hetzner-vm/networking.nix
deleted file mode 100644
index 421aaf7..0000000
--- a/hosts/hetzner-vm/networking.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{lib, ...}: {
- systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
-
- networking.firewall.enable = true;
- networking.firewall.allowPing = true;
- networking.firewall.allowedTCPPorts = [22];
-
- services.resolved.enable = false;
- environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
-
- networking.enableIPv6 = true;
- networking.usePredictableInterfaceNames = false;
- networking.dhcpcd.enable = true;
- systemd.network = {
- enable = true;
- networks.eth0 = {
- name = "eth0";
- address = ["2a01:4f9:c010:8beb::1/64"];
- gateway = ["fe80::1"];
- };
- };
-}
diff --git a/hosts/hetzner-vm/profiles/gitlab-static-sites.nix b/hosts/hetzner-vm/profiles/gitlabStaticSites.nix
similarity index 100%
rename from hosts/hetzner-vm/profiles/gitlab-static-sites.nix
rename to hosts/hetzner-vm/profiles/gitlabStaticSites.nix
diff --git a/hosts/hetzner-vm/profiles/nginx-misc.nix b/hosts/hetzner-vm/profiles/nginx-misc.nix
deleted file mode 100644
index 31bc7e3..0000000
--- a/hosts/hetzner-vm/profiles/nginx-misc.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{...}: {
- services.nginx.virtualHosts."tablet-dev.owo.monster" = {
- forceSSL = true;
- enableACME = true;
- locations = {
- "/" = {
- proxyPass = "http://10.69.42.2:8088";
- proxyWebsockets = true;
- };
- };
- };
-}
diff --git a/hosts/hetzner-vm/profiles/vaultui.nix b/hosts/hetzner-vm/profiles/vaultUI.nix
similarity index 100%
rename from hosts/hetzner-vm/profiles/vaultui.nix
rename to hosts/hetzner-vm/profiles/vaultUI.nix
diff --git a/hosts/hetzner-vm/secrets.nix b/hosts/hetzner-vm/secrets.nix
index a3a256f..209e13b 100644
--- a/hosts/hetzner-vm/secrets.nix
+++ b/hosts/hetzner-vm/secrets.nix
@@ -13,6 +13,22 @@ in {
 services.secrets = {
 enable = true;
+ vaultLogin = {
+ enable = true;
+ loginUsername = "hetzner-vm";
+ };
+
+ autoSecrets = {
+ enable = true;
+ affectedSystemdServices = [
+ "wg-quick-wg0"
+ "container@music"
+ "container@social"
+ "container@quassel"
+ "container@piped"
+ ];
+ };
+
 packages = with pkgs; [
 # for music & mail passwd files
 apacheHttpd
@@ -41,7 +57,7 @@ in {
 "api-keys/data/storage/restic/Mail"
 "api-keys/data/storage/restic/Social"
 "api-keys/data/storage/restic/Quassel"
- "api-keys/data/storage/restic/Piped"
+ "api-keys/data/storage/restic/Piped-Finland"
 "api-keys/data/chaos_mail/system"
 "api-keys/data/chaos_mail/gotosocial"
@@ -57,12 +73,16 @@ in {
 "private-public-keys/data/restic/Mail"
 "private-public-keys/data/restic/Social"
 "private-public-keys/data/restic/Quassel"
- "private-public-keys/data/restic/Piped"
+ "private-public-keys/data/restic/Piped-Finland"
 "infra/data/private-mail-aliases"
 ];
 secrets = {
+ vault_password = {
+ manual = true;
+ };
+
 # Used directly by server
 # for fetching gitlab static sites
 gitlab_env = {
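Review bot: `vaultLogin` in the first hunk sets only `loginUsername = "hetzner-vm"`, while the storage container's secrets.nix in this same commit also sets `loginPasswordFile = cfg.secrets.vault_password.path`, and this file declares `vault_password = { manual = true; }` in the third hunk without wiring it to the login. If the secrets module does not default `loginPasswordFile` to that secret, the host's vault login has no password source; if it does, the container's explicit line is redundant — either way the two files should use the same form, and the module's default is not visible here. `affectedSystemdServices` names four containers but neither `container@storage` (which has its own autoSecrets, so likely deliberate) nor `container@mail`; a short comment on the list, e.g. `# storage runs its own autoSecrets; mail has no vault-backed secrets`, would make the omission intentional rather than accidental — adjust the wording to whatever the actual reason is.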
@@ -205,16 +225,16 @@ in {
 };
 # Container: piped
- piped_restic_password = {
+ piped_finland_restic_password = {
 fetchScript = ''
- simple_get "/private-public-keys/restic/Piped" .password > "$secretFile"
+ simple_get "/private-public-keys/restic/Piped-Finland" .password > "$secretFile"
 '';
 };
- piped_restic_env = {
+ piped_finland_restic_env = {
 fetchScript = ''
- RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped" .username)
- RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped" .password)
- echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped" > "$secretFile"
+ RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped-Finland" .username)
+ RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped-Finland" .password)
+ echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped-Finland" > "$secretFile"
 '';
 };
 piped_cockroachdb_ca_certificate = {
diff --git a/hosts/lappy-t495/hardware.nix b/hosts/lappy-t495/hardware.nix
index 78efb19..a773085 100644
--- a/hosts/lappy-t495/hardware.nix
+++ b/hosts/lappy-t495/hardware.nix
@@ -1,4 +1,6 @@
 {tree, ...}: {
+ imports = with tree; [presets.nixos.normalEncryptedDrive];
+
 boot = {
 loader = {
 systemd-boot.enable = true;
@@ -21,6 +23,4 @@
 services.tlp.settings = {
 RUNTIME_PM_BLACKLIST = "05:00.3 05:00.4";
 };
-
- imports = with tree; [presets.nixos.dual-encrypted-drive];
 }
diff --git a/hosts/lappy-t495/lappy-t495.nix b/hosts/lappy-t495/lappy-t495.nix
index 38e4b0d..d3753b9 100644
--- a/hosts/lappy-t495/lappy-t495.nix
+++ b/hosts/lappy-t495/lappy-t495.nix
@@ -3,11 +3,10 @@
 users.root
 users.chaos
 profiles.sshd
- profiles.kernels.latest
- presets.nixos.desktop-sway
+ presets.nixos.desktopSway
 presets.nixos.laptop
- presets.nixos.encrypted-usb
+ presets.nixos.encryptedUSB
 profiles.cross.arm64
 #profiles.remote-builders
diff --git a/hosts/lappy-t495/profiles/wireguard.nix b/hosts/lappy-t495/profiles/wireguard.nix
deleted file mode 100644
index c7649b5..0000000
--- a/hosts/lappy-t495/profiles/wireguard.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{config, ...}: let
- secrets = config.services.secrets.secrets;
- data = import ../../../data/chaos_wireguard_internal.nix {};
-in {
- networking.firewall.trustedInterfaces = ["wg0"];
- networking.wg-quick.interfaces = {
- wg0 = {
- autostart = false;
- address = ["${data.hosts.lappy-t495.ip}/32"];
- privateKeyFile = "${secrets.wg_priv.path}";
-
- peers = [
- # hetzner-vm
- {
- publicKey = "${data.hosts.hetzner-vm.public}";
- presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
- allowedIPs = ["${data.hosts.hetzner-vm.ip}/24"];
- endpoint = "${data.hosts.hetzner-vm.endpoint}";
- persistentKeepalive = 25;
- }
- # vault
- {
- publicKey = "${data.hosts.vault.public}";
- presharedKeyFile = "${secrets.wg_preshared_vault.path}";
- allowedIPs = ["${data.hosts.vault.ip}/32"];
- endpoint = "${data.hosts.vault.endpoint}";
- persistentKeepalive = 25;
- }
- ];
- };
- };
-}
diff --git a/hosts/macmini/default.nix b/hosts/macmini/default.nix
deleted file mode 100644
index b152c6d..0000000
--- a/hosts/macmini/default.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{tree, ...}: {
- users.users.chaos = {
- name = "chaos";
- home = "/Users/chaos";
- };
- home-manager.users.chaos = {
- programs.zsh.envExtra = ''
- export PATH=/run/current-system/sw/bin:$PATH
- '';
- imports = with tree; [
- # NOINLINE
- home.base
- home.dev
- home.programming.editors.vscode
- home.programming.languages.nix
- home.apps.mpv
- ];
- };
-}
diff --git a/hosts/nixos-live/nixos-live.nix b/hosts/nixos-live/nixos-live.nix
index 5eb9647..6409149 100644
--- a/hosts/nixos-live/nixos-live.nix
+++ b/hosts/nixos-live/nixos-live.nix
@@ -4,7 +4,9 @@
 modulesPath,
 lib,
 ...
-}: {
+}: let
+ inherit (lib.modules) mkForce;
+in {
 imports = with tree; [
 (modulesPath + "/installer/cd-dvd/installation-cd-graphical-gnome.nix")
 (modulesPath + "/installer/cd-dvd/channel.nix")
@@ -12,9 +14,8 @@
 users.root
 profiles.base
 profiles.sshd
- profiles.kernels.latest
- profiles.connectivity.ios
- profiles.connectivity.network_manager
+ profiles.connectivity.iOS
+ profiles.connectivity.networkManager
 ];
 # disable zfs
@@ -26,18 +27,16 @@
 })
 ];
- networking.wireless.enable = lib.mkForce false;
+ networking.wireless.enable = mkForce false;
 nixpkgs.config.allowBroken = true;
 home-manager.users.root = {
 imports = with tree; [home.base home.dev];
- home.stateVersion = "23.05";
 };
 home-manager.users.nixos = {
 imports = with tree; [home.base home.dev];
- home.stateVersion = "23.05";
 };
 isoImage = {
@@ -46,5 +45,5 @@
 squashfsCompression = "zstd -Xcompression-level 1";
 };
- services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
+ services.openssh.settings.PermitRootLogin = mkForce "yes";
 }
diff --git a/hosts/nixos.nix b/hosts/nixos.nix
index 34e0d66..ce7d21a 100644
--- a/hosts/nixos.nix
+++ b/hosts/nixos.nix
@@ -30,8 +30,6 @@
 inputs.home-manager-unstable.nixosModules.home-manager
- inputs.nur.nixosModules.nur
- inputs.vaultui.nixosModules.default
 inputs.gitlab_artifacts_sync.nixosModules.default
 inputs.piped-flake.nixosModules.default
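Review bot: Both `- home.stateVersion = "23.05";` removals in the `@@ -26,18 +27,16 @@` hunk leave `home-manager.users.root` and `home-manager.users.nixos` without a stateVersion in this file, and the hetzner-vm and raspberry hosts in the same commit still set `home-manager.users.root.home.stateVersion = "23.05"` explicitly, which suggests `home.base` does not provide it. Recent home-manager releases fail evaluation when `home.stateVersion` is undefined, so either keep the two lines here or move the setting into `home.base` and drop it from the other hosts as well so all three agree.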
@@ -39,90 +37,66 @@
 tree.modules.nixos.rclone-serve
 tree.modules.nixos.rclone-sync
 tree.modules.nixos.secrets
+ tree.modules.nixos.cockroachdb-bin
 ];
 nixosUnstableSystem = nixpkgs-unstable.lib.nixosSystem;
+
+ nixosX86_64LiveWithExtraDepsForMachines = machines:
+ nixosUnstableSystem {
+ specialArgs =
+ defaultSpecialArgs
+ // {
+ hostPath = ./nixos-live;
+ };
+ system = "x86_64-linux";
+ modules =
+ defaultModules
+ ++ [
+ ./nixos-live/nixos-live.nix
+ ({...}: {
+ system.extraDependencies =
+ forEach machines (system:
+ self.nixosConfigurations.${system}.config.system.build.toplevel);
+ })
+ ];
+ };
 in {
- tablet = nixosUnstableSystem {
- specialArgs = defaultSpecialArgs;
- system = "x86_64-linux";
- modules = defaultModules ++ [./tablet/tablet.nix ./tablet/hardware.nix];
- };
 lappy-t495 = nixosUnstableSystem {
- specialArgs = defaultSpecialArgs;
+ specialArgs =
+ defaultSpecialArgs
+ // {
+ hostPath = ./lappy-t495;
+ };
 system = "x86_64-linux";
 modules = defaultModules ++ [./lappy-t495/lappy-t495.nix ./lappy-t495/hardware.nix];
 };
 hetzner-vm = nixosUnstableSystem {
- specialArgs = defaultSpecialArgs;
+ specialArgs =
+ defaultSpecialArgs
+ // {
+ hostPath = ./hetzner-vm;
+ };
 system = "x86_64-linux";
 modules = defaultModules ++ [./hetzner-vm/hetzner-vm.nix];
 };
 vault = nixosUnstableSystem {
- specialArgs = defaultSpecialArgs;
+ specialArgs =
+ defaultSpecialArgs
+ // {
+ hostPath = ./vault;
+ };
 system = "x86_64-linux";
 modules = defaultModules ++ [./vault/vault.nix];
 };
- buildbox = nixosUnstableSystem {
- specialArgs = defaultSpecialArgs;
- system = "x86_64-linux";
- modules = defaultModules ++ [./buildbox/buildbox.nix];
- };
- # nix build .#nixosConfigurations.nixos-live-x86_64.config.system.build.isoImage
- nixos-live-x86_64 = nixosUnstableSystem {
- specialArgs = defaultSpecialArgs;
- system = "x86_64-linux";
- modules = defaultModules ++ [./nixos-live/nixos-live.nix];
- };
-
- nixos-live-x86_64-laptops = nixosUnstableSystem {
- specialArgs = 
defaultSpecialArgs;
- system = "x86_64-linux";
- modules =
- defaultModules
- ++ [
- ./nixos-live/nixos-live.nix
- ({...}: {
- system.extraDependencies =
- forEach ["lappy-t495" "tablet"] (system:
- self.nixosConfigurations.${system}.config.system.build.toplevel);
- })
- ];
- };
-
- nixos-live-x86_64-servers = nixosUnstableSystem {
- specialArgs = defaultSpecialArgs;
- system = "x86_64-linux";
- modules =
- defaultModules
- ++ [
- ./nixos-live/nixos-live.nix
- ({...}: {
- system.extraDependencies =
- forEach ["vault" "hetzner-vm"] (system:
- self.nixosConfigurations.${system}.config.system.build.toplevel);
- })
- ];
- };
-
- nixos-live-x86_64-all = nixosUnstableSystem {
- specialArgs = defaultSpecialArgs;
- system = "x86_64-linux";
- modules =
- defaultModules
- ++ [
- ./nixos-live/nixos-live.nix
- ({...}: {
- system.extraDependencies =
- forEach ["lappy-t495" "tablet" "vault" "hetzner-vm"] (system:
- self.nixosConfigurations.${system}.config.system.build.toplevel);
- })
- ];
- };
+ nixos-live-x86_64 = nixosX86_64LiveWithExtraDepsForMachines [];
+ nixos-live-x86_64-laptops = nixosX86_64LiveWithExtraDepsForMachines ["lappy-t495"];
+ nixos-live-x86_64-servers = nixosX86_64LiveWithExtraDepsForMachines ["hetzner-vm" "vault"];
+ nixos-live-x86_64-all = nixosX86_64LiveWithExtraDepsForMachines ["lappy-t495" "vault" "hetzner-vm"];
 # nix --no-sandbox build .#nixosConfigurations.raspberry.config.system.build.sdImage
 raspberry = nixosUnstableSystem {
diff --git a/hosts/raspberry/boot.nix b/hosts/raspberry/boot.nix
index 57d84c9..5a40dc1 100644
--- a/hosts/raspberry/boot.nix
+++ b/hosts/raspberry/boot.nix
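Review bot: `nixosX86_64LiveWithExtraDepsForMachines` carries no comment saying what `machines` is for, and the `# nix build .#nixosConfigurations.nixos-live-x86_64.config.system.build.isoImage` hint that documented how to build the ISO shows up in this hunk only as a removed line, while the equivalent raspberry hint just below survives. Add above the helper: `# Live ISO whose closure includes the given hosts' toplevels (system.extraDependencies), so they can be installed offline from the stick; build with nix build .#nixosConfigurations.<name>.config.system.build.isoImage`. The `let` block this helper sits in starts before the hunk.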
@@ -2,18 +2,30 @@
 lib,
 pkgs,
 config,
+ modulesPath,
 ...
-}: {
- boot.loader.grub.enable = false;
- boot.loader.generic-extlinux-compatible.enable = true;
+}: let
+ inherit (lib.modules) mkForce mkDefault;
+ inherit (builtins) toFile;
+in {
+ imports = [
+ (modulesPath + "/installer/sd-card/sd-image.nix")
+ ];
- boot.consoleLogLevel = lib.mkDefault 7;
-
- boot.kernelParams = ["console=tty0"];
+ boot = {
+ supportedFilesystems = mkForce ["vfat"];
+ consoleLogLevel = mkDefault 7;
+ kernelParams = ["console=tty0"];
+ loader = {
+ grub.enable = false;
+ generic-extlinux-compatible.enable = true;
+ };
+ };
 sdImage = {
+ compressImage = mkForce false;
 populateFirmwareCommands = let
- configTxt = pkgs.writeText "config.txt" ''
+ configTxt = toFile "config.txt" ''
 [pi3]
 kernel=u-boot-rpi3.bin
 [pi4]
diff --git a/hosts/raspberry/data/wifi-nmconnection.template b/hosts/raspberry/data/wifi-nmconnection.template
deleted file mode 100644
index 410624a..0000000
--- a/hosts/raspberry/data/wifi-nmconnection.template
+++ /dev/null
@@ -1,22 +0,0 @@
-[connection]
-id=WIFI_ID
-uuid=554e0eeb-840a-4106-84c3-01c0e9d69569
-type=wifi
-
-[wifi]
-mode=infrastructure
-ssid=WIFI_SSID
-
-[wifi-security]
-auth-alg=open
-key-mgmt=wpa-psk
-psk=WIFI_PASSWORD
-
-[ipv4]
-method=auto
-
-[ipv6]
-addr-gen-mode=default
-method=auto
-
-[proxy]
\ No newline at end of file
diff --git a/hosts/raspberry/profiles/auto-storage-backups.nix b/hosts/raspberry/profiles/autoStorageBackups.nix
similarity index 100%
rename from hosts/raspberry/profiles/auto-storage-backups.nix
rename to hosts/raspberry/profiles/autoStorageBackups.nix
diff --git a/hosts/raspberry/profiles/cockroachDB.nix b/hosts/raspberry/profiles/cockroachDB.nix
new file mode 100644
index 0000000..b77dc0e
--- /dev/null
+++ b/hosts/raspberry/profiles/cockroachDB.nix
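Review bot: `configTxt = toFile "config.txt" ''` swaps `pkgs.writeText` for `builtins.toFile`, which cannot contain references to other store paths; the config.txt body continues past the hunk, so if any later line interpolates a `${pkgs.…}` path (firmware or u-boot files) evaluation will fail with "cannot refer to other paths". If the body is plain text the change is fine and saves a derivation; otherwise revert that one line to `configTxt = pkgs.writeText "config.txt" ''`. `pkgs` is still a parameter of the file, so nothing else would need to change.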
@@ -0,0 +1,23 @@
+{self, ...}: let
+ internalWireGuard = import "${self}/data/chaosInternalWireGuard.nix";
+in {
+ systemd.tmpfiles.rules = [
+ "d /var/lib/cockroachdb-certs - root root"
+ ];
+
+ services.cockroachdb-bin = {
+ enable = true;
+ certsDir = "/var/lib/cockroachdb-certs";
+ join = "localhost:26257,${internalWireGuard.hosts.hetzner-vm.ip}:26257";
+ # ssh -L 8080:127.0.0.1:8080 -L 26257:127.0.0.1:26257 raspberry
+ extraArgs = ["--advertise-addr=${internalWireGuard.hosts.raspberry.ip}:26257"];
+ listen = {
+ port = 26257;
+ address = "0.0.0.0";
+ };
+ http = {
+ address = "0.0.0.0";
+ port = 8080;
+ };
+ };
+}
diff --git a/hosts/raspberry/profiles/cockroachdb.nix b/hosts/raspberry/profiles/cockroachdb.nix
deleted file mode 100644
index 1e1169c..0000000
--- a/hosts/raspberry/profiles/cockroachdb.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{tree, ...}: let
- internal_wireguard = import ../../../data/chaos_wireguard_internal.nix {};
-in {
- imports = with tree; [
- profiles.cockroachdb-bin-fix
- ];
-
- systemd.tmpfiles.rules = [
- "d /var/lib/cockroachdb-certs - root root"
- ];
-
- services.cockroachdb = {
- enable = true;
- certsDir = "/var/lib/cockroachdb-certs";
- join = "localhost:26257,${internal_wireguard.hosts.hetzner-vm.ip}:26257";
- # ssh -L 8080:127.0.0.1:8080 -L 26257:127.0.0.1:26257 raspberry
- http = {
- address = "0.0.0.0";
- port = 8080;
- };
- };
-}
diff --git a/hosts/raspberry/profiles/external-drive.nix b/hosts/raspberry/profiles/external-drive.nix
deleted file mode 100644
index 85a1831..0000000
--- a/hosts/raspberry/profiles/external-drive.nix
+++ /dev/null
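Review bot: `listen.address = "0.0.0.0"` is new in this file — the deleted cockroachdb.nix below set only the http address — and together with `http.address = "0.0.0.0"` it exposes the SQL port 26257 and the admin UI on every interface of the Pi, including wlan0, while the comment two lines above documents that access is meant to go through an `ssh -L` tunnel. Secure mode (`certsDir`) still requires TLS, but the piped profile in this commit logs in with a static password, so the SQL listener is a real login surface rather than cert-only. Bind the SQL listener to the WireGuard address already used for `--advertise-addr`, `address = internalWireGuard.hosts.raspberry.ip;`, and the admin UI to loopback, `address = "127.0.0.1";`, which is what the tunnel comment assumes. raspberry.nix drops its explicit `networking.firewall.enable = true` in this same commit, so the firewall is not something to rely on here unless `presets.nixos.serverBase` is known to re-enable it.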
@@ -1,44 +0,0 @@
-{pkgs, ...}: let
- external_drive_data = import ../../../data/raspberry_ext_drive.nix {};
-
- mount_external_drive = let
- jq = "${pkgs.jq}/bin/jq";
- vault = "${pkgs.vault-bin}/bin/vault";
- cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
- in
- pkgs.writeShellScriptBin "mount_external_drive" ''
- ${unmount_external_drive}/bin/unmount_external_drive
-
- vault-login
-
- ${vault} kv get -format json "/private-public-keys/cryptsetup/raspberry-ext-drive" \
- | ${jq} -r ".data.data.key" \
- | base64 -d \
- | ${cryptsetup} open ${external_drive_data.encrypted_path} ${external_drive_data.mapper_name} --key-file=/dev/stdin
- mount ${external_drive_data.mapper_path} -o rw,compress=zstd ${external_drive_data.mountpoint}
- '';
-
- unmount_external_drive = let
- cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
- in
- pkgs.writeShellScriptBin "unmount_external_drive" ''
- umount -flR ${external_drive_data.mountpoint} || true
- ${cryptsetup} close ${external_drive_data.mapper_name} || true
- '';
-in {
- environment.systemPackages =
- (with pkgs; [
- cryptsetup
- ])
- ++ [
- mount_external_drive
- unmount_external_drive
- ];
-
- systemd.tmpfiles.rules = ["d ${external_drive_data.mountpoint} - root root"];
-
- #services.udev.extraRules = ''
- # ACTION=="add", ENV{PARTLABEL}=="${external_drive_data.encrypted_label}", ENV{SYSTEMD_WANTS}="mount-external-drive.service"
- # ACTION=="remove", ENV{PARTLABEL}=="${external_drive_data.encrypted_label}", ENV{SYSTEMD_WANTS}="unmount-external-drive.service"
- #'';
-}
diff --git a/hosts/raspberry/profiles/externalDrive.nix b/hosts/raspberry/profiles/externalDrive.nix
new file mode 100644
index 0000000..ecd34e8
--- /dev/null
+++ b/hosts/raspberry/profiles/externalDrive.nix
@@ -0,0 +1,48 @@
+{
+ self,
+ pkgs,
+ ...
+}: let
+ externalDriveData = import "${self}/data/raspberryExternalDrive.nix";
+
+ mountExternalDrive = let
+ jq = "${pkgs.jq}/bin/jq";
+ vault = "${pkgs.vault-bin}/bin/vault";
+ cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
+ in
+ pkgs.writeShellScriptBin "mount_external_drive" ''
+ ${unmountExternalDrive}/bin/unmount_external_drive
+
+ vault-login
+
+ ${vault} kv get -format json "/private-public-keys/cryptsetup/raspberry-ext-drive" \
+ | ${jq} -r ".data.data.key" \
+ | base64 -d \
+ | ${cryptsetup} open ${externalDriveData.encryptedPath} ${externalDriveData.mapperName} --key-file=/dev/stdin
+ mount ${externalDriveData.mapperPath} -o rw,compress=zstd ${externalDriveData.mountpoint}
+ '';
+
+ unmountExternalDrive = let
+ cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
+ in
+ pkgs.writeShellScriptBin "unmount_external_drive" ''
+ umount -flR ${externalDriveData.mountpoint} || true
+ ${cryptsetup} close ${externalDriveData.mapperName} || true
+ '';
+in {
+ environment.systemPackages =
+ (with pkgs; [
+ cryptsetup
+ ])
+ ++ [
+ mountExternalDrive
+ unmountExternalDrive
+ ];
+
+ systemd.tmpfiles.rules = ["d ${externalDriveData.mountpoint} - root root"];
+
+ #services.udev.extraRules = ''
+ # ACTION=="add", ENV{PARTLABEL}=="${externalDriveData.encryptedLabel}", ENV{SYSTEMD_WANTS}="mount-external-drive.service"
+ # ACTION=="remove", ENV{PARTLABEL}=="${externalDriveData.encryptedLabel}", ENV{SYSTEMD_WANTS}="unmount-external-drive.service"
+ #'';
+}
diff --git a/hosts/raspberry/profiles/piped.nix b/hosts/raspberry/profiles/piped.nix
index d274a5c..3ac216d 100644
--- a/hosts/raspberry/profiles/piped.nix
+++ b/hosts/raspberry/profiles/piped.nix
@@ -3,7 +3,7 @@
 pkgs,
 ...
 }: {
- config.services.piped = {
+ services.piped = {
 enable = true;
 # Takes too much time to compile otherwise, idm extra bandwidth
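Review bot: The `mount_external_drive` script still calls a bare `vault-login`, but raspberry.nix in this same commit deletes the `writeShellScriptBin "vault-login"` wrapper that used to provide it, so unless the secrets module's `vaultLogin` installs a command of that name the mount now fails before the key is fetched. The script also has no `set -euo pipefail`: a failed `vault kv get` sends an empty key into `cryptsetup open`, and the following `mount` runs regardless; add `set -euo pipefail` as the script's first line so the pipeline stops at the first failure. Feeding the key through `--key-file=/dev/stdin` rather than on argv is the right call and worth keeping.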
@@ -17,9 +17,22 @@ doCheck = false; buildType = "debug"; }; - proxyDomain = "proxy.piped.owo.monster"; - disableBackend = true; - disableFrontend = true; + postgresDBName = "piped"; + postgresDBUsername = "piped"; + postgresDBPassword = "piped"; + postgresDBHost = "127.0.0.1"; + postgresDBPort = 26257; + databaseDialect = "org.hibernate.dialect.CockroachDialect"; + disablePostgresDB = true; + + frontendDomain = "piped-uk.owo.monster"; + backendDomain = "backend.piped-uk.owo.monster"; + proxyDomain = "proxy.piped-uk.owo.monster"; + }; + + systemd.services.piped-backend = { + after = ["cockroachdb.service"]; + wants = ["cockroachdb.service"]; }; } diff --git a/hosts/raspberry/profiles/wireguard.nix b/hosts/raspberry/profiles/wireguard.nix deleted file mode 100644 index 31ddcea..0000000 --- a/hosts/raspberry/profiles/wireguard.nix +++ /dev/null @@ -1,35 +0,0 @@ -{config, ...}: let - secrets = config.services.secrets.secrets; - data = import ../../../data/chaos_wireguard_internal.nix {}; - - persistentKeepalive = 15; -in { - networking.firewall.trustedInterfaces = ["wg0" "wlan0"]; - networking.firewall.allowedUDPPorts = [51820]; - networking.wg-quick.interfaces = { - wg0 = { - address = ["${data.hosts.raspberry.ip}/24"]; - listenPort = 51820; - privateKeyFile = "${secrets.wg_priv.path}"; - - peers = [ - # hetzner-vm - { - publicKey = "${data.hosts.hetzner-vm.public}"; - presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}"; - allowedIPs = ["${data.hosts.hetzner-vm.ip}/32"]; - endpoint = "${data.hosts.hetzner-vm.endpoint}"; - inherit persistentKeepalive; - } - # vault - { - publicKey = "${data.hosts.vault.public}"; - presharedKeyFile = "${secrets.wg_preshared_vault.path}"; - allowedIPs = ["${data.hosts.vault.ip}/32"]; - endpoint = "${data.hosts.vault.endpoint}"; - inherit persistentKeepalive; - } - ]; - }; - }; -} diff --git a/hosts/raspberry/raspberry.nix b/hosts/raspberry/raspberry.nix index 40f3e6a..b64364d 100644 --- a/hosts/raspberry/raspberry.nix 
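Review bot: `postgresDBPassword = "piped";` places a database credential in the Nix configuration, so it ends up in this repository and in the world-readable /nix/store of the host; with `disablePostgresDB = true` the module evidently expects the externally managed CockroachDB on 127.0.0.1:26257, whose `piped` user this password must match. The host already has the `services.secrets` machinery (hosts/raspberry/secrets.nix), so if the piped module offers a file-based option for the password prefer that; if it only accepts a string, add a comment stating that the credential is deliberately fixed and that the database listens on loopback only, so a reader does not mistake it for an oversight. `systemd.services.piped-backend` is ordered after cockroachdb.service, but since cockroachdb is listed in `autoSecrets.affectedSystemdServices` it can be restarted underneath the backend; presumably the backend reconnects, worth confirming.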
+++ b/hosts/raspberry/raspberry.nix @@ -1,67 +1,30 @@ -{ - tree, - modulesPath, - config, - pkgs, - lib, - ... -}: let - secrets = config.services.secrets.secrets; -in { - networking.firewall.enable = true; - networking.firewall.allowPing = true; - +{tree, ...}: { imports = with tree; [ - users.root - users.chaos + presets.nixos.serverBase - profiles.base - profiles.sshd profiles.nginx - profiles.nginx-firewall + profiles.firewallAllow.httpCommon - profiles.connectivity.network_manager - profiles.connectivity.bluetooth - profiles.connectivity.ios + profiles.chaosInternalWireGuard ./secrets.nix - ./boot.nix - (modulesPath + "/installer/sd-card/sd-image.nix") ] ++ (with hosts.raspberry.profiles; [ - external-drive - wireguard - cockroachdb + externalDrive + cockroachDB piped - auto-storage-backups + autoStorageBackups rclone ]); - environment.systemPackages = [ - (pkgs.writeShellScriptBin "vault-login" '' - ${pkgs.vault-bin}/bin/vault login -method=userpass username=raspberry password=$(cat ${secrets.vault_login_password.path}) - '') - ]; - - home-manager.users.root = { - imports = with tree; [home.base home.dev.small]; - home.stateVersion = "23.05"; - }; - - home-manager.users.chaos = { - imports = with tree; [home.base home.dev.small]; - home.stateVersion = "23.05"; - }; - - boot.supportedFilesystems = lib.mkForce ["vfat"]; - boot.kernelPackages = pkgs.linuxPackages_latest; + networking.enableIPv6 = true; + networking.useDHCP = true; networking.hostName = "raspberry"; time.timeZone = "Europe/London"; - sdImage.compressImage = lib.mkForce false; - - system.stateVersion = "21.11"; + home-manager.users.root.home.stateVersion = "23.05"; + system.stateVersion = "23.05"; } diff --git a/hosts/raspberry/secrets.nix b/hosts/raspberry/secrets.nix index c44e766..b87db25 100644 --- a/hosts/raspberry/secrets.nix +++ b/hosts/raspberry/secrets.nix 
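Review bot: `system.stateVersion` moves from "21.11" to "23.05" on what looks like an already-deployed host; NixOS treats this value as the release the system was first installed with and several stateful services key on-disk defaults on it, so bumping it can silently change behaviour. If the raspberry was reinstalled as part of this tidy, fine; otherwise keep `system.stateVersion = "21.11";` and leave a comment explaining why it differs from `home.stateVersion`. The sd-image and boot imports, the `chaos` user and the explicit firewall settings are dropped in favour of `presets.nixos.serverBase`, which is outside this diff; confirm it supplies the boot/SD-image settings this host relied on (the firewall is enabled by default in NixOS, so that part is safe).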
@@ -4,6 +4,16 @@ packages = with pkgs; [rclone]; + vaultLogin = { + enable = true; + loginUsername = "raspberry"; + }; + + autoSecrets = { + enable = true; + affectedSystemdServices = ["wg-quick-wg0" "cockroachdb"]; + }; + extraFunctions = '' simple_get_obscure() { rclone obscure "$(simple_get "$@")" @@ -22,32 +32,10 @@ # Used for fetching the encryption drive's key at runtime # can be revoked in case of hardware theft # Can also run vault-login on host before secrets-init to fetch secrets using raspberry's login - vault_login_password = { + vault_password = { manual = true; }; - home-wifi-password = { - user = "root"; - group = "root"; - permissions = "600"; - path = "/etc/NetworkManager/system-connections/Home-WiFi.nmconnection"; - - fetchScript = '' - ssid=$(simple_get "/passwords/wifi/parentals-home" .ssid) - password=$(simple_get "/passwords/wifi/parentals-home" .password) - - # Create path to if doesn't exist, useful for when using secrets-init on another host - if [ ! -d "$SYSROOT/etc/NetworkManager/system-connections" ]; then - mkdir -p "$SYSROOT/etc/NetworkManager/system-connections" - fi - - cp ${./data/wifi-nmconnection.template} "$secretFile" - sed -i "s/WIFI_ID/Home-WiFi/" "$secretFile" - sed -i "s/WIFI_SSID/$ssid/" "$secretFile" - sed -i "s/WIFI_PASSWORD/$password/" "$secretFile" - ''; - }; - piped_cockroachdb_ca_certificate = { user = "cockroachdb"; group = "cockroachdb"; diff --git a/hosts/tablet/hardware.nix b/hosts/tablet/hardware.nix deleted file mode 100644 index 7baa81e..0000000 --- a/hosts/tablet/hardware.nix +++ /dev/null @@ -1,19 +0,0 @@ -{tree, ...}: { - boot = { - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - initrd.availableKernelModules = [ - # defaults from nixos-generate-config - "xhci_pci" - "nvme" - "usbhid" - "usb_storage" - "sd_mod" - "rtsx_pci_sdmmc" - ]; - kernelModules = ["kvm-intel"]; - }; - imports = with tree; [presets.nixos.normal-encrypted-drive]; -} 
diff --git a/hosts/tablet/secrets.nix b/hosts/tablet/secrets.nix deleted file mode 100644 index 23d93a2..0000000 --- a/hosts/tablet/secrets.nix +++ /dev/null @@ -1,40 +0,0 @@ -{...}: { - services.secrets = { - enable = true; - secrets = { - usb_encryption_passphrase = {manual = true;}; - music_stream_password = { - user = "chaos"; - group = "users"; - fetchScript = '' - simple_get "/api-keys/music-stream" .password > "$secretFile" - ''; - }; - # Required for home.apps.manual-backup-apps - gitlab_archiver_token = { - user = "chaos"; - group = "users"; - - fetchScript = '' - simple_get "/api-keys/gitlab/gitlab_archiver" .token > "$secretFile" - ''; - }; - - # Required for home.apps.manual-backup-apps - restic_music_env = { - user = "chaos"; - group = "users"; - - fetchScript = '' - api_username=$(simple_get "/api-keys/storage/restic/Music" .username) - api_password=$(simple_get "/api-keys/storage/restic/Music" .password) - restic_password=$(simple_get "/private-public-keys/restic/Music" .password) - - echo > "$secretFile" - echo "RESTIC_REPOSITORY=rest:https://''${api_username}:''${api_password}@storage-restic.owo.monster/Music" >> "$secretFile" - echo "RESTIC_PASSWORD=''${restic_password}" >> "$secretFile" - ''; - }; - }; - }; -} diff --git a/hosts/tablet/tablet.nix b/hosts/tablet/tablet.nix deleted file mode 100644 index 5d8ad16..0000000 --- a/hosts/tablet/tablet.nix +++ /dev/null 
@@ -1,43 +0,0 @@ -{tree, ...}: { - imports = with tree; [ - users.root - users.chaos - profiles.sshd - profiles.kernels.latest - - presets.nixos.desktop-gnome - presets.nixos.laptop - presets.nixos.encrypted-usb - - ./secrets.nix - ]; - - home-manager.users.root = { - imports = with tree; [home.base]; - home.stateVersion = "23.05"; - }; - - home-manager.users.chaos = { - imports = with tree; [ - home.base - home.dev.all - home.home-folders - home.manual-backup-apps - - home.programming.editors.vscode - home.programming.languages.rust - home.programming.languages.nix - ]; - home.stateVersion = "23.05"; - }; - - networking.firewall.enable = true; - networking.firewall.allowPing = true; - - networking.firewall.allowedTCPPorts = [8088]; - - networking.hostName = "tablet"; - time.timeZone = "Europe/London"; - - system.stateVersion = "23.05"; -} diff --git a/hosts/vault/hardware.nix b/hosts/vault/hardware.nix deleted file mode 100644 index 2980106..0000000 --- a/hosts/vault/hardware.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ - modulesPath, - tree, - ... -}: { - imports = with tree; [ - (modulesPath + "/profiles/qemu-guest.nix") - presets.nixos.server-encrypted-drive - ]; -} diff --git a/hosts/vault/networking.nix b/hosts/vault/networking.nix deleted file mode 100644 index 4b39839..0000000 --- a/hosts/vault/networking.nix +++ /dev/null @@ -1,19 +0,0 @@ -{lib, ...}: { - systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; - - networking.firewall.enable = true; - networking.firewall.allowPing = true; - networking.firewall.allowedTCPPorts = [22]; - - networking.enableIPv6 = true; - networking.usePredictableInterfaceNames = false; - networking.dhcpcd.enable = true; - systemd.network = { - enable = true; - networks.eth0 = { - name = "eth0"; - address = ["2a01:4f9:c010:6a89::1/64"]; - gateway = ["fe80::1"]; - }; - }; -} diff --git a/hosts/vault/secrets.nix b/hosts/vault/secrets.nix index 50ed79c..3c37325 100644 --- a/hosts/vault/secrets.nix 
+++ b/hosts/vault/secrets.nix @@ -2,6 +2,15 @@ services.secrets = { enable = true; + vaultLogin = { + enable = true; + loginUsername = "vault"; + }; + + autoSecrets = { + enable = true; + }; + requiredVaultPaths = [ "private-public-keys/data/restic/Vault" @@ -9,6 +18,10 @@ ]; secrets = { + vault_password = { + manual = true; + }; + restic_password = { fetchScript = '' simple_get "/private-public-keys/restic/Vault" .password > "$secretFile" diff --git a/hosts/vault/vault.nix b/hosts/vault/vault.nix index 0d7f366..38bb617 100644 --- a/hosts/vault/vault.nix +++ b/hosts/vault/vault.nix @@ -1,29 +1,23 @@ {tree, ...}: { - imports = with tree; [ - users.root + imports = with tree; + [ + presets.nixos.serverBase + presets.nixos.serverHetzner + presets.nixos.serverEncryptedDrive - profiles.base - profiles.sshd - profiles.nix-gc - profiles.nginx - profiles.nginx-firewall - profiles.chaos-internal-wireguard + profiles.nginx + profiles.firewallAllow.httpCommon + profiles.chaosInternalWireGuard - hosts.vault.profiles.vault - hosts.vault.profiles.restic - - ./hardware.nix - ./networking.nix - ./secrets.nix - ]; - - home-manager.users.root = { - imports = with tree; [home.base home.dev.small]; - home.stateVersion = "23.05"; - }; + ./secrets.nix + ] + ++ (with hosts.vault.profiles; [ + vault + restic + ]); networking.hostName = "vault"; - time.timeZone = "Europe/London"; + home-manager.users.root.home.stateVersion = "23.05"; system.stateVersion = "23.05"; } diff --git a/lib/containerLib.nix b/lib/containerLib.nix new file mode 100644 index 0000000..a2137f1 --- /dev/null +++ b/lib/containerLib.nix 
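Review bot: vault.nix drops `./hardware.nix` and `./networking.nix`, which held the qemu-guest profile, the static IPv6 address and gateway for eth0 and `networking.firewall.allowedTCPPorts = [22]`; these are presumably folded into `presets.nixos.serverHetzner` / `serverBase`, which are outside this diff, so confirm the public address and the SSH opening come out identical on this host, since a mismatch locks the machine out. In secrets.nix the new `vault_password` secret plus `autoSecrets.enable = true` means `auto-secrets` logs into Vault at boot; if `hosts.vault.profiles.vault` runs the Vault server this host talks to, that unit is only ordered after network.target (modules/nixos/secrets.nix) and may run before the local Vault is up, so it should be ordered after the Vault service or a failed first run must be tolerated.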
@@ -0,0 +1,41 @@ +{lib, ...}: let + inherit (lib.lists) forEach; + inherit (lib.modules) mkMerge; + inherit (builtins) isString; +in rec { + genBindMountForSecret = secrets: secretItem: let + secret = + if isString secretItem + then secrets.${secretItem} + else secrets.${secretItem.name}; + + hostPath = secret.path; + + containerPath = + if isString secretItem + then hostPath + else secretItem.path; + + writable = + if isString secretItem + then + ( + if secretItem ? "writable" + then secretItem.writable + else false + ) + else false; + in { + "${containerPath}" = { + inherit hostPath; + isReadOnly = !writable; + }; + }; + + genBindHostsForSecrets = secrets: secrets_list: ( + mkMerge (forEach secrets_list ( + secretItem: + genBindMountForSecret secrets secretItem + )) + ); +} diff --git a/lib/internalWireGuardLib.nix b/lib/internalWireGuardLib.nix new file mode 100644 index 0000000..dc9722c --- /dev/null +++ b/lib/internalWireGuardLib.nix 
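Review bot: The `writable` computation in genBindMountForSecret is inverted: the `secretItem ? "writable"` lookup sits under the `isString secretItem` branch, where the item is a string and the test can never be true, while the attrset branch — the only form that can carry a `writable` attribute — is hard-coded to `false`, so every bind mount comes out `isReadOnly = true`. Read-only is the right default for secrets, but the option is dead as written; `writable = if isString secretItem then false else (secretItem.writable or false);` gives the intended behaviour. A short header comment stating that a bare string means "mount the secret read-only at its host path" and that an attrset `{ name; path; writable ? false; }` overrides the container path would also help callers.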
@@ -0,0 +1,66 @@ +{ + lib, + pkgs, + ... +}: let + inherit (pkgs) writeShellScriptBin; + inherit (lib.lists) forEach; + inherit (lib.strings) concatStringsSep; + inherit (builtins) attrNames; + + wireguardData = import ../data/chaosInternalWireGuard.nix; + wireguardHosts = wireguardData.hosts; + + kvPathForHost = host: "/private-public-keys/wireguard/chaos-internal/${host}"; +in rec { + initAllScript = writeShellScriptBin "wg-keys-init-all" (let + vault = "${pkgs.vault-bin}/bin/vault"; + in '' + + PUBKEYS_FILE=$1 + if [ -z "$PUBKEYS_FILE" ]; then + echo "please provide path to file with pubkeys" + exit 1 + fi + + ${concatStringsSep "\n" (forEach (attrNames wireguardHosts) (hostName: '' + echo "{}" | ${vault} kv put "${kvPathForHost hostName}" - 2>/dev/null + ''))} + + ${concatStringsSep "\n" (forEach (attrNames wireguardHosts) (hostName: '' + echo "Deploying keys for ${hostName}" + + "${genInitScript hostName}/bin/wg-keys-init-${hostName}" "$PUBKEYS_FILE" + ''))} + ''); + + genInitScript = systemHostName: (writeShellScriptBin "wg-keys-init-${systemHostName}" (let + vault = "${pkgs.vault-bin}/bin/vault"; + jq = "${pkgs.jq}/bin/jq"; + wg = "${pkgs.wireguard-tools}/bin/wg"; + sponge = "${pkgs.moreutils}/bin/sponge"; + in '' + + PUBKEYS_FILE=$1 + if [ -z "$PUBKEYS_FILE" ]; then + echo "please provide path to file with pubkeys" + exit 1 + fi + + PRIVATE=$(${wg} genkey) + PUBLIC=$(echo "$PRIVATE" | ${wg} pubkey) + + TMP_DIR=$(mktemp -d) + pushd "$TMP_DIR" + echo "{}" > currentHost.json + ${jq} ".public = \"$PUBLIC\"" currentHost.json | ${sponge} currentHost.json + ${jq} ".private = \"$PRIVATE\"" currentHost.json | ${sponge} currentHost.json + cat currentHost.json | ${vault} kv put "${kvPathForHost systemHostName}" - 2>/dev/null + cat currentHost.json | jq + popd + + rm -rf "$TMP_DIR" + + ${jq} ".\"${systemHostName}\" = \"$PUBLIC\"" "$PUBKEYS_FILE" | ${sponge} "$PUBKEYS_FILE" + '')); +} 
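Review bot: `cat currentHost.json | jq` in wg-keys-init-${systemHostName} prints the freshly generated private key to stdout, so it lands in terminal scrollback or CI logs; print only the public key instead, e.g. `echo "public key for ${systemHostName}: $PUBLIC"` (that line also uses a bare `jq` rather than `${jq}`). The `2>/dev/null` on the `vault kv put` calls hides failures and neither script sets `set -euo pipefail` (writeShellScriptBin does not add it), so a failed write still updates `$PUBKEYS_FILE` with a key Vault never stored; drop the redirect and start both scripts with `set -euo pipefail`. The jq filters splice `$PUBLIC`/`$PRIVATE` into the program text; `${jq} --arg pub "$PUBLIC" '.public = $pub'` avoids quoting problems with key material.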
diff --git a/modules/nixos/cockroachdb-bin.nix b/modules/nixos/cockroachdb-bin.nix new file mode 100644 index 0000000..39b1906 --- /dev/null +++ b/modules/nixos/cockroachdb-bin.nix 
@@ -0,0 +1,248 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.services.cockroachdb-bin; + crdb = cfg.package; + + escapeSystemdExecArg = arg: let + s = + if builtins.isPath arg + then "${arg}" + else if builtins.isString arg + then arg + else if builtins.isInt arg || builtins.isFloat arg + then toString arg + else throw "escapeSystemdExecArg only allows strings, paths and numbers"; + in + lib.replaceStrings ["%" "$"] ["%%" "$$"] (builtins.toJSON s); + + # Quotes a list of arguments into a single string for use in a Exec* + # line. + escapeSystemdExecArgs = lib.concatMapStringsSep " " escapeSystemdExecArg; + + startupCommand = + escapeSystemdExecArgs + ([ + # Basic startup + "${crdb}/bin/cockroach" + ( + if (cfg.join != null) + then "start" + else "start-single-node" + ) + "--logtostderr" + "--store=/var/lib/cockroachdb" + + # WebUI settings + "--http-addr=${cfg.http.address}:${toString cfg.http.port}" + + # Cluster listen address + "--listen-addr=${cfg.listen.address}:${toString cfg.listen.port}" + + # Cache and memory settings. + "--cache=${cfg.cache}" + "--max-sql-memory=${cfg.maxSqlMemory}" + + # Certificate/security settings. 
+ ( + if cfg.insecure + then "--insecure" + else "--certs-dir=${cfg.certsDir}" + ) + ] + ++ lib.optional (cfg.join != null) "--join=${cfg.join}" + ++ lib.optional (cfg.locality != null) "--locality=${cfg.locality}" + ++ cfg.extraArgs); + + addressOption = descr: defaultPort: { + address = mkOption { + type = types.str; + default = "localhost"; + description = lib.mdDoc "Address to bind to for ${descr}"; + }; + + port = mkOption { + type = types.port; + default = defaultPort; + description = lib.mdDoc "Port to bind to for ${descr}"; + }; + }; +in { + options = { + services.cockroachdb-bin = { + enable = mkEnableOption (lib.mdDoc "CockroachDB Server"); + + listen = addressOption "intra-cluster communication" 26257; + + http = addressOption "http-based Admin UI" 8080; + + locality = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + An ordered, comma-separated list of key-value pairs that describe the + topography of the machine. Topography might include country, + datacenter or rack designations. Data is automatically replicated to + maximize diversities of each tier. The order of tiers is used to + determine the priority of the diversity, so the more inclusive + localities like country should come before less inclusive localities + like datacenter. The tiers and order must be the same on all nodes. + Including more tiers is better than including fewer. 
For example: + + ``` + country=us,region=us-west,datacenter=us-west-1b,rack=12 + country=ca,region=ca-east,datacenter=ca-east-2,rack=4 + + planet=earth,province=manitoba,colo=secondary,power=3 + ``` + ''; + }; + + join = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc "The addresses for connecting the node to a cluster."; + }; + + insecure = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Run in insecure mode."; + }; + + certsDir = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc "The path to the certificate directory."; + }; + + user = mkOption { + type = types.str; + default = "cockroachdb"; + description = lib.mdDoc "User account under which CockroachDB runs"; + }; + + group = mkOption { + type = types.str; + default = "cockroachdb"; + description = lib.mdDoc "User account under which CockroachDB runs"; + }; + + openPorts = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Open firewall ports for cluster communication by default"; + }; + + cache = mkOption { + type = types.str; + default = "25%"; + description = lib.mdDoc '' + The total size for caches. + + This can be a percentage, expressed with a fraction sign or as a + decimal-point number, or any bytes-based unit. For example, + `"25%"`, `"0.25"` both represent + 25% of the available system memory. The values + `"1000000000"` and `"1GB"` both + represent 1 gigabyte of memory. + + ''; + }; + + maxSqlMemory = mkOption { + type = types.str; + default = "25%"; + description = lib.mdDoc '' + The maximum in-memory storage capacity available to store temporary + data for SQL queries. + + This can be a percentage, expressed with a fraction sign or as a + decimal-point number, or any bytes-based unit. For example, + `"25%"`, `"0.25"` both represent + 25% of the available system memory. The values + `"1000000000"` and `"1GB"` both + represent 1 gigabyte of memory. 
+ ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.cockroachdb-bin; + defaultText = literalExpression "pkgs.cockroachdb-bin"; + description = lib.mdDoc '' + The CockroachDB derivation to use for running the service. + ''; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + example = ["--advertise-addr" "[fe80::f6f2:::]"]; + description = lib.mdDoc '' + Extra CLI arguments passed to {command}`cockroach start`. + For the full list of supported arguments, check + ''; + }; + }; + }; + + config = mkIf config.services.cockroachdb-bin.enable { + assertions = [ + { + assertion = !cfg.insecure -> cfg.certsDir != null; + message = "CockroachDB must have a set of SSL certificates (.certsDir), or run in Insecure Mode (.insecure = true)"; + } + ]; + + environment.systemPackages = [crdb]; + + users.users = optionalAttrs (cfg.user == "cockroachdb") { + cockroachdb = { + description = "CockroachDB Server User"; + uid = config.ids.uids.cockroachdb; + group = cfg.group; + }; + }; + + users.groups = optionalAttrs (cfg.group == "cockroachdb") { + cockroachdb.gid = config.ids.gids.cockroachdb; + }; + + networking.firewall.allowedTCPPorts = + lib.optionals cfg.openPorts + [cfg.http.port cfg.listen.port]; + + systemd.services.cockroachdb = { + description = "CockroachDB Server"; + documentation = ["man:cockroach(1)" "https://www.cockroachlabs.com"]; + + after = ["network.target" "time-sync.target"]; + requires = ["time-sync.target"]; + wantedBy = ["multi-user.target"]; + + unitConfig.RequiresMountsFor = "/var/lib/cockroachdb"; + + serviceConfig = { + ExecStart = startupCommand; + Type = "notify"; + User = cfg.user; + StateDirectory = "cockroachdb"; + StateDirectoryMode = "0700"; + + Restart = "always"; + + # A conservative-ish timeout is alright here, because for Type=notify + # cockroach will send systemd pings during startup to keep it alive + TimeoutStopSec = 60; + RestartSec = 10; + }; + }; + }; + + meta.maintainers = with 
lib.maintainers; [thoughtpolice]; +} diff --git a/modules/nixos/rclone-serve.nix b/modules/nixos/rclone-serve.nix index 164c3a8..5997441 100644 --- a/modules/nixos/rclone-serve.nix +++ b/modules/nixos/rclone-serve.nix @@ -3,36 +3,35 @@ lib, pkgs, ... -}: -with lib; let +}: let + inherit (lib.modules) mkIf mkMerge; + inherit (lib.options) mkOption; + inherit (lib.strings) concatStringsSep; + inherit (lib) types; + inherit (builtins) listToAttrs; + cfg = config.services.rclone-serve; - makeNameSafe = name: builtins.replaceStrings ["/"] ["-"] name; - - daemonService = serve_config: + daemonService = serveConfig: mkMerge [ { wantedBy = ["multi-user.target"]; - after = ["network.target"]; wants = ["network.target"]; serviceConfig = { Type = "simple"; Restart = "on-failure"; - RestartSec = "5s"; + RestartSec = "10s"; - User = - if serve_config.user != null - then "${serve_config.user}" - else "root"; + User = serveConfig.user; - ExecStart = "${pkgs.rclone}/bin/rclone serve ${serve_config.type} ${serve_config.remote} ${ - concatStringsSep " " serve_config.extraArgs + ExecStart = "${pkgs.rclone}/bin/rclone serve ${serveConfig.type} ${serveConfig.remote} ${ + concatStringsSep " " serveConfig.extraArgs }"; }; } - serve_config.serviceConfig + serveConfig.serviceConfig ]; in { options = { 
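Review bot: `certsDir` is typed `types.nullOr types.path` and interpolated as `--certs-dir=${cfg.certsDir}`, so a path literal such as `./certs` is copied into the world-readable Nix store together with the node key; add a sentence to its description asking for a string path on the target host (for example under /var/lib/cockroachdb), or type it `types.str`. The `extraArgs` description ends mid-sentence at "check" — the reference that followed in what appears to be the nixpkgs original was lost — and `group`'s description is a copy of `user`'s ("User account under which CockroachDB runs"). `meta.maintainers = with lib.maintainers; [thoughtpolice]` was carried over as well and now misattributes this fork; drop it or name the repo's own maintainer.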
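Review bot: Dropping `after = ["network.target"]` while keeping `wants = ["network.target"]` leaves the rclone serve units with a pull-in but no ordering, so they can start before the network is configured and fail their first bind; restore `after = ["network.target"];` next to `wants`. `User = serveConfig.user` now resolves to the option's new default `"root"` (next hunk) for a network-facing daemon; consider a dedicated unprivileged default user, or at least document in the option that root is the fallback.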
@@ -45,12 +44,30 @@ in { remotes = mkOption { type = types.listOf (types.submodule { options = { - remote = mkOption {type = types.str;}; - type = mkOption {type = types.str;}; - user = mkOption {type = types.str;}; - serviceConfig = mkOption {type = types.attrs;}; - - extraArgs = mkOption {type = types.listOf types.str;}; + id = mkOption { + type = types.str; + # TODO: add a assertion for this + description = "ID for the serve systemd unit; doesn't need to be unique as long as there is no other with same ID and same remote"; + }; + remote = mkOption { + type = types.str; + }; + type = mkOption { + type = types.str; + default = "webdav"; + }; + user = mkOption { + type = types.str; + default = "root"; + }; + serviceConfig = mkOption { + type = types.attrs; + default = {}; + }; + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + }; }; }); default = []; @@ -61,9 +78,7 @@ in { config = mkMerge [ (mkIf (cfg.enable && cfg.remotes != []) { systemd.services = listToAttrs (map (remote: { - name = "rclone-serve-${makeNameSafe remote.type}-${ - makeNameSafe remote.remote - }"; + name = "rclone-serve-${remote.type}-${remote.id}"; value = daemonService remote; }) cfg.remotes); diff --git a/modules/nixos/rclone-sync.nix b/modules/nixos/rclone-sync.nix index 38ca022..95f3f33 100644 --- a/modules/nixos/rclone-sync.nix +++ b/modules/nixos/rclone-sync.nix @@ -3,12 +3,17 @@ lib, pkgs, ... -}: -with lib; let +}: let + inherit (lib.modules) mkIf mkMerge; + inherit (lib.options) mkOption; + inherit (lib.strings) concatStringsSep; + inherit (lib) types; + inherit (builtins) listToAttrs; + cfg = config.services.rclone-sync; - daemonService = sync_config: { - serviceConfig = lib.mkMerge [ + daemonService = syncConfig: { + serviceConfig = mkMerge [ { Type = "oneshot"; 
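Review bot: `id` is interpolated straight into the unit name `rclone-serve-${remote.type}-${remote.id}` (third hunk of this file) while the old `makeNameSafe` that replaced `/` is gone, so an id containing `/`, spaces or other characters outside systemd's unit-name set produces a unit that fails to load. Since the TODO already asks for it, add to the config block `assertions = map (r: { assertion = builtins.match "[A-Za-z0-9_.:-]+" r.id != null; message = "services.rclone-serve: id '${r.id}' is not a valid systemd unit-name fragment"; }) cfg.remotes;`. Two remotes with the same `type` and `id` also collapse silently in `listToAttrs` (last one wins) instead of erroring; comparing `length (unique names)` with `length names` over the generated names catches that, and the `id` description should say plainly that the `type`+`id` pair must be unique.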
@@ -17,14 +22,14 @@ with lib; let then "${cfg.user}" else "root"; - ExecStart = "${pkgs.rclone}/bin/rclone sync ${sync_config.source} ${sync_config.dest} ${lib.concatStringsSep " " sync_config.extraArgs} -P"; + ExecStart = "${pkgs.rclone}/bin/rclone sync ${syncConfig.source} ${syncConfig.dest} ${concatStringsSep " " syncConfig.extraArgs} -P"; } - (lib.mkIf sync_config.autoRestart { + (mkIf syncConfig.autoRestart { TimeoutSec = 60; Restart = "on-failure"; }) - sync_config.serviceConfig + syncConfig.serviceConfig ]; }; in { @@ -40,7 +45,7 @@ in { default = null; }; - sync_jobs = mkOption { + syncJobs = mkOption { type = types.listOf (types.submodule { options = { source = mkOption {type = types.str;}; @@ -76,31 +81,31 @@ in { }; config = mkMerge [ - (mkIf (cfg.enable && cfg.sync_jobs != []) { + (mkIf (cfg.enable && cfg.syncJobs != []) { environment.systemPackages = [ - (pkgs.writeShellScriptBin "rclone-sync-all" (lib.concatStringsSep "\n" (map ( + (pkgs.writeShellScriptBin "rclone-sync-all" (concatStringsSep "\n" (map ( job: '' - ${pkgs.rclone}/bin/rclone sync ${job.source} ${job.dest} ${lib.concatStringsSep " " job.extraArgs} -P $@ + ${pkgs.rclone}/bin/rclone sync ${job.source} ${job.dest} ${concatStringsSep " " job.extraArgs} -P $@ '' ) - cfg.sync_jobs))) + cfg.syncJobs))) ] ++ ( map ( job: pkgs.writeShellScriptBin "rclone-manual-sync-${job.id}" '' - exec ${pkgs.rclone}/bin/rclone sync ${job.source} ${job.dest} ${lib.concatStringsSep " " job.extraArgs} -P $@ + exec ${pkgs.rclone}/bin/rclone sync ${job.source} ${job.dest} ${concatStringsSep " " job.extraArgs} -P $@ '' ) - cfg.sync_jobs + cfg.syncJobs ); systemd.services = listToAttrs (map (job: { name = "rclone-sync-${job.id}"; value = daemonService job; }) - cfg.sync_jobs); + cfg.syncJobs); systemd.timers = listToAttrs (map (job: let name = "rclone-sync-${job.id}"; @@ -112,7 +117,7 @@ in { timerConfig = job.timerConfig; }; }) - cfg.sync_jobs); + cfg.syncJobs); }) ]; } 
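Review bot: `-P $@` in the `rclone-sync-all` and `rclone-manual-sync-${job.id}` scripts leaves `$@` unquoted, so any extra argument containing spaces or glob characters is split or expanded before it reaches rclone; write `-P "$@"` in both places, which are rewritten on the new side anyway. The `sync_jobs` → `syncJobs` rename changes a user-facing option without a `mkRenamedOptionModule`, so any host module not updated in this commit fails evaluation with an undefined-option error; hosts/raspberry/profiles/autoStorageBackups is renamed here but its body is not in view, so confirm it was switched to `syncJobs`.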
diff --git a/modules/nixos/secrets.nix b/modules/nixos/secrets.nix index ec233c3..2985abc 100644 --- a/modules/nixos/secrets.nix +++ b/modules/nixos/secrets.nix @@ -5,22 +5,19 @@ ... }: let inherit (lib.modules) mkIf mkMerge; - inherit (lib.options) mkOption; + inherit (lib.options) mkOption mkEnableOption; inherit (lib) types; - inherit (pkgs) writeShellApplication; + inherit (builtins) isString listToAttrs; cfg = config.services.secrets; - secretsLib = import ./secrets-lib/lib.nix { + secretsLib = import ./secretsLib/lib.nix { inherit lib pkgs; }; in { options = { services.secrets = { - enable = mkOption { - type = types.bool; - default = false; - }; + enable = mkEnableOption "secrets"; debug = mkOption { type = types.bool; @@ -47,6 +44,48 @@ in { default = "/secrets"; }; + vaultLogin = { + enable = mkOption { + type = types.bool; + default = false; + }; + vaultURL = mkOption { + type = types.str; + default = cfg.vaultURL; + }; + loginUsername = mkOption { + type = types.str; + }; + loginPasswordFile = mkOption { + type = types.nullOr types.path; + default = + if cfg.secrets ? "vault_password" + then cfg.secrets."vault_password".path + else null; + }; + }; + + autoSecrets = { + enable = mkEnableOption "autoSecrets"; + affectedSystemdServices = mkOption { + type = types.listOf (types.either (types.str) (types.submodule { + options = { + name = mkOption { + type = types.str; + }; + withPartOf = mkOption { + type = types.bool; + default = true; + description = "add auto-secrets.service to the service's PartOf; this may not be wanted for stuff on a timer such as backups"; + }; + }; + default = {}; + })); + default = []; + description = "systemd target names to be restarted with and start after auto-secrets has run, without the .service suffix"; + }; + }; + requiredVaultPaths = mkOption { type = types.listOf (types.oneOf [ types.str 
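Review bot: In `autoSecrets.affectedSystemdServices` the `default = {}` sits inside the module passed to `types.submodule` rather than on an option; the module system rejects unknown top-level attributes in a module that declares `options`, so the first attrset entry (as opposed to a plain string) will most likely fail to evaluate — remove that line, the enclosing `mkOption` already has `default = []`. `vaultLogin.loginPasswordFile` is typed `types.nullOr types.path`; a path literal there is copied into the world-readable Nix store, so its description should ask for a string path on the target (the default taken from `cfg.secrets."vault_password".path` is fine). The description of `affectedSystemdServices` says "systemd target names" but the values are service unit names; reword to "systemd service names (without the .service suffix)".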
@@ -143,29 +182,79 @@ in { }; }; - config = mkMerge [ - (mkIf (cfg.enable) (let - scripts = secretsLib.genScripts cfg; - defaultPackages = with pkgs; [vault-bin jq]; - in { - environment.systemPackages = [ - (writeShellApplication { - name = "secrets-init"; - runtimeInputs = defaultPackages ++ cfg.packages; - text = scripts.initScript; - }) - (writeShellApplication { - name = "secrets-check"; - runtimeInputs = defaultPackages ++ cfg.packages; - text = scripts.checkScript; - }) + config = + { + assertions = [ + { + assertion = !(cfg.autoSecrets.enable && !cfg.vaultLogin.enable); + message = "vaultLogin needs to be enabled and configured for autoSecrets to work"; + } + { + assertion = !(cfg.vaultLogin.enable && !cfg.vaultLogin.loginPasswordFile == null); + message = "loginPasswordFile needs to be set or a secret called vault_password needs to be configured for vaultLogin to work"; + } ]; - })) + } + // (mkMerge [ + (mkIf (cfg.enable) { + environment.systemPackages = [ + (secretsLib.mkSecretsInitScript cfg) + (secretsLib.mkSecretsCheckScript cfg) + ]; + }) - (mkIf (cfg.enable && cfg.createSecretsDir) { - systemd.tmpfiles.rules = [ - "d ${cfg.secretsDir} - ${toString cfg.secretsDirUser} ${toString cfg.secretsDirGroup}" - ]; - }) - ]; + (mkIf (cfg.enable && cfg.vaultLogin.enable) { + environment.systemPackages = [ + (secretsLib.mkVaultLoginScript cfg) + ]; + }) + + (mkIf (cfg.enable && cfg.autoSecrets.enable) { + systemd = let + # normalise this to make next part easier + affectedSystemdServices = + map (unit: let + name = + if isString unit + then unit + else unit.name; + withPartOf = + if isString unit + then true + else unit.withPartOf; + in { + inherit name withPartOf; + }) + cfg.autoSecrets.affectedSystemdServices; + in { + services = listToAttrs (map (unitConfig: { + name = unitConfig.name; + value = { + after = ["auto-secrets.service"]; + wants = ["auto-secrets.service"]; + partOf = mkIf unitConfig.withPartOf ["auto-secrets.service"]; + }; + }) + 
affectedSystemdServices); + }; + }) + + (mkIf (cfg.enable && cfg.autoSecrets.enable) { + systemd.services.auto-secrets = { + wantedBy = ["multi-user.target"]; + after = ["network.target"]; + path = with pkgs; [bash vault-bin getent]; + script = '' + ${secretsLib.mkVaultLoginScript cfg}/bin/vault-login + ${secretsLib.mkSecretsInitScript cfg}/bin/secrets-init + ''; + }; + }) + + (mkIf (cfg.enable && cfg.createSecretsDir) { + systemd.tmpfiles.rules = [ + "d ${cfg.secretsDir} - ${toString cfg.secretsDirUser} ${toString cfg.secretsDirGroup}" + ]; + }) + ]); } diff --git a/modules/nixos/secrets-lib/lib.nix b/modules/nixos/secretsLib/lib.nix similarity index 84% rename from modules/nixos/secrets-lib/lib.nix rename to modules/nixos/secretsLib/lib.nix index 38f6bad..4d4b86d 100644 --- a/modules/nixos/secrets-lib/lib.nix +++ b/modules/nixos/secretsLib/lib.nix @@ -3,11 +3,11 @@ lib, ... }: let - inherit (builtins) attrNames hasAttr isString; - inherit (lib.lists) forEach unique flatten; + inherit (builtins) attrNames hasAttr isString toFile; + inherit (lib.lists) forEach unique flatten filter; inherit (lib.strings) concatStringsSep optionalString; inherit (lib.attrsets) mapAttrsToList filterAttrs; - inherit (pkgs) writeShellApplication writeText; + inherit (pkgs) writeShellApplication; genScripts = cfg: let scriptBase = '' 
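Review bot: The new `assertions` never take effect: `config = { assertions = …; } // (mkMerge [ … ])` yields an attrset carrying `_type = "merge"`, which the module system unwraps to its `contents`, so the `assertions` key is silently discarded; put the assertions set inside the `mkMerge` list instead. The second assertion also has a precedence bug — `!cfg.vaultLogin.loginPasswordFile == null` parses as `(!loginPasswordFile) == null` and would throw a type error on a path value once it does run; it should read `assertion = !(cfg.vaultLogin.enable && cfg.vaultLogin.loginPasswordFile == null);`. Separately, `systemd.services.auto-secrets` has no `Type`, so it counts as started as soon as its script is forked and the `after = ["auto-secrets.service"]` on the affected services does not wait for the secrets to be fetched; `Type = "oneshot"` with `RemainAfterExit = true` makes the ordering meaningful.
```nix
  config = mkMerge [
    {
      assertions = [
        {
          assertion = !(cfg.autoSecrets.enable && !cfg.vaultLogin.enable);
          message = "vaultLogin needs to be enabled and configured for autoSecrets to work";
        }
        {
          assertion = !(cfg.vaultLogin.enable && cfg.vaultLogin.loginPasswordFile == null);
          message = "loginPasswordFile needs to be set or a secret called vault_password needs to be configured for vaultLogin to work";
        }
      ];
    }
    # … unchanged: mkIf blocks for systemPackages, vaultLogin script and affectedSystemdServices …
    (mkIf (cfg.enable && cfg.autoSecrets.enable) {
      systemd.services.auto-secrets = {
        wantedBy = ["multi-user.target"];
        after = ["network.target"];
        path = with pkgs; [bash vault-bin getent];
        # oneshot + RemainAfterExit so that After=auto-secrets.service on the
        # affected units waits until the secrets have actually been fetched
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
        };
        script = ''
          ${secretsLib.mkVaultLoginScript cfg}/bin/vault-login
          ${secretsLib.mkSecretsInitScript cfg}/bin/secrets-init
        '';
      };
    })
    # … unchanged: createSecretsDir tmpfiles rule …
  ];
```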
@@ -74,11 +74,11 @@ forEach (attrNames cfg.secrets) (name: cfg.secrets.${name}.group) )); - allUsersByName = lib.filter isString allUsers; - allGroupsByName = lib.filter isString allGroups; + allUsersByName = filter isString allUsers; + allGroupsByName = filter isString allGroups; - allUsersNotMappedToUID = lib.filter (name: !(hasAttr name cfg.uidMap)) allUsersByName; - allGroupsNotMappedToGID = lib.filter (name: !(hasAttr name cfg.gidMap)) allGroupsByName; + allUsersNotMappedToUID = filter (name: !(hasAttr name cfg.uidMap)) allUsersByName; + allGroupsNotMappedToGID = filter (name: !(hasAttr name cfg.gidMap)) allGroupsByName; isUserMapped = name: (hasAttr name cfg.uidMap); isGroupMapped = name: (hasAttr name cfg.gidMap); 
@@ -276,19 +276,54 @@ }; defaultPackages = with pkgs; [vault-bin jq]; -in { - inherit genScripts; +in rec { + mkVaultLoginScript = cfg: + writeShellApplication { + name = "vault-login"; + runtimeInputs = with pkgs; [ + vault-bin + getent + ]; + text = let + vaultLoginConfig = cfg.vaultLogin; + in '' + VAULT_ADDR="${vaultLoginConfig.vaultURL}" \ + vault login -no-print -method=userpass \ + username=${vaultLoginConfig.loginUsername} \ + password="$(cat ${vaultLoginConfig.loginPasswordFile})" + ''; + }; - mkSecretsInitScript = ( + mkSecretsInitScript = cfg: mkSecretsInitScriptWithName cfg null; + mkSecretsInitScriptWithName = ( cfg: name: let + scriptName = + if name == null + then "secrets-init" + else "secrets-init-${name}"; scripts = genScripts cfg; in (writeShellApplication { - name = "secrets-init-${name}"; + name = scriptName; runtimeInputs = defaultPackages ++ cfg.packages; text = scripts.initScript; }) ); + mkSecretsCheckScript = cfg: mkSecretsCheckScriptWithName cfg null; + mkSecretsCheckScriptWithName = ( + cfg: name: let + scriptName = + if name == null + then "secrets-check" + else "secrets-check-${name}"; + scripts = genScripts cfg; + in (writeShellApplication { + name = scriptName; + runtimeInputs = defaultPackages ++ cfg.packages; + text = scripts.checkScript; + }) + ); + genVaultPolicy = ( cfg: name: let inherit (cfg) requiredVaultPaths; @@ -309,7 +344,7 @@ in { capabilities = [${concatStringsSep "," (forEach capabilities escapeString)}] } ''); - in (writeText "vault-policy-${name}.hcl" '' + in (toFile "vault-policy-${name}.hcl" '' ${concatStringsSep "\n" policies} '') ); diff --git a/outputs.nix b/outputs.nix index 8d52cef..b221272 100644 --- a/outputs.nix +++ b/outputs.nix 
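Review bot: mkVaultLoginScript hands the password to `vault login` as `password="$(cat …)"` on the command line, so for the duration of the login it is readable in /proc/<pid>/cmdline by every local user; the Vault CLI's key=value parsing accepts `@path` to read a value from a file (and `-` for stdin), so `password=@${vaultLoginConfig.loginPasswordFile}` would keep it off argv if that applies to `login` as it does to `write` (worth verifying), otherwise pipe it in on stdin. `-no-print` keeps the token out of the output, but the token is still persisted to the invoking user's ~/.vault-token (root when run from auto-secrets); a header comment on the script saying so, and that `vaultURL` falls back to `cfg.vaultURL`, would help operators reason about where credentials end up.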
@@ -2,18 +2,13 @@ nixpkgs = inputs.nixpkgs-unstable; lib = nixpkgs.lib; - inherit (lib.attrsets) mergeAttrsList; + inherit (lib.attrsets) mergeAttrsList recursiveUpdate; + inherit (lib.lists) foldl' forEach filter; hosts = import ./hosts inputs; in { nixosConfigurations = hosts.nixosConfigurations; - #darwinConfigurations = hosts.darswinConfigurations; - - deploy.nodes = import ./deployNodes.nix { - nixosConfigurations = self.nixosConfigurations; - deploy-rs = inputs.deploy-rs; - }; } // (inputs.flake-utils.lib.eachDefaultSystem ( system: let @@ -22,10 +17,11 @@ in config.allowUnfree = true; overlays = [ (import ./overlay) + inputs.piped-flake.overlays.default ]; }; in - lib.foldl' lib.recursiveUpdate {} [ + foldl' recursiveUpdate {} [ { # we expose nixpkgs.${system} so that we can nix run/build stuff # from nixpkgs from flake's input versions 
@@ -46,126 +42,123 @@ in ++ (with self.packages."${system}"; [ mk-enc-usb mk-normal-enc-ssd - mk-dual-enc-ssd mk-raspberry-ext-drive ]); }; packages = { inherit (pkgs) comic-code comic-sans; - inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-dual-enc-ssd mk-raspberry-ext-drive; + inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-raspberry-ext-drive; inherit (pkgs) gotosocial; inherit (pkgs) cockroachdb; + inherit (pkgs) piped-backend piped-frontend piped-proxy; }; } # internal wireguard scripts (let - internalWireguardLib = import ./extras/internal-wireguard-lib.nix { + internalWireGuardLib = import ./lib/internalWireGuardLib.nix { inherit (nixpkgs) lib; inherit pkgs; }; - wireguard_data = import ./data/chaos_wireguard_internal.nix {}; - hostsWithWireguard = builtins.attrNames wireguard_data.hosts; + wireguardData = import ./data/chaosInternalWireGuard.nix; + hostsWithWireGuard = builtins.attrNames wireguardData.hosts; in { packages = mergeAttrsList [ (mergeAttrsList ( - lib.forEach hostsWithWireguard (hostName: { - "wg-keys-init-${hostName}" = internalWireguardLib.genInitScript hostName; + forEach hostsWithWireGuard (hostName: { + "wg-keys-init-${hostName}" = internalWireGuardLib.genInitScript hostName; }) )) { - "wg-keys-init-all" = internalWireguardLib.initAllScript; + "wg-keys-init-all" = internalWireGuardLib.initAllScript; } ]; }) # secrets-init, secrets-check and vault-policy for machines and containers (let - secretsLib = import ./modules/nixos/secrets-lib/lib.nix { + secretsLib = import ./modules/nixos/secretsLib/lib.nix { inherit (nixpkgs) lib; inherit pkgs; }; - systemConfigForSystem = system_name: self.nixosConfigurations.${system_name}.config; - secretsConfigForSystem = system_name: let - systemConfig = systemConfigForSystem system_name; + systemConfigForSystem = systemName: self.nixosConfigurations.${systemName}.config; + + secretsConfigForSystem = systemName: let + systemConfig = systemConfigForSystem systemName; in systemConfig.services.secrets; - 
systemConfigForContainer = system_name: container_name: let - systemConfig = systemConfigForSystem system_name; + systemConfigForContainer = systemName: containerName: let + systemConfig = systemConfigForSystem systemName; in - systemConfig.containers.${container_name}.config; + systemConfig.containers.${containerName}.config; - secretsConfigForContainer = system_name: container_name: let - systemConfig = systemConfigForContainer system_name container_name; + secretsConfigForContainer = systemName: containerName: let + systemConfig = systemConfigForContainer systemName containerName; in systemConfig.services.secrets; - secretsInitScriptForSystem = system_name: let - secretsConfig = secretsConfigForSystem system_name; + secretsInitScriptForSystem = systemName: let + secretsConfig = secretsConfigForSystem systemName; in - secretsLib.mkSecretsInitScript secretsConfig "${system_name}"; + secretsLib.mkSecretsInitScriptWithName secretsConfig "${systemName}"; - secretsInitScriptForContainer = system_name: container_name: let - secretsConfig = secretsConfigForContainer system_name container_name; + secretsInitScriptForContainer = systemName: containerName: let + secretsConfig = secretsConfigForContainer systemName containerName; in - secretsLib.mkSecretsInitScript secretsConfig "${system_name}-container-${container_name}"; + secretsLib.mkSecretsInitScriptWithName secretsConfig "${systemName}-container-${containerName}"; - vaultPolicyForSystem = system_name: let - secretsConfig = secretsConfigForSystem system_name; + vaultPolicyForSystem = systemName: let + secretsConfig = secretsConfigForSystem systemName; in - secretsLib.genVaultPolicy secretsConfig "${system_name}"; + secretsLib.genVaultPolicy secretsConfig "${systemName}"; - vaultPolicyForContainer = system_name: container_name: let - secretsConfig = secretsConfigForContainer system_name container_name; + vaultPolicyForContainer = systemName: containerName: let + secretsConfig = secretsConfigForContainer systemName 
containerName; in - secretsLib.genVaultPolicy secretsConfig "${system_name}-container-${container_name}"; + secretsLib.genVaultPolicy secretsConfig "${systemName}-container-${containerName}"; # All machines/containers with secrets.nix - machines = let - defaults = { - hasHostSecrets = true; - containers = []; - }; - in { + machines = { "hetzner-vm" = { - inherit (defaults) hasHostSecrets; containers = ["storage"]; + sshAddress = "hetzner-vm.servers.genderfucked.monster"; }; "vault" = { - inherit (defaults) hasHostSecrets containers; + sshAddress = "vault.servers.genderfucked.monster"; }; "raspberry" = { - inherit (defaults) hasHostSecrets containers; - }; - "lappy-t495" = { - inherit (defaults) hasHostSecrets containers; - }; - "tablet" = { - inherit (defaults) hasHostSecrets containers; + sshAddress = "raspberry.servers.genderfucked.monster"; }; + "lappy-t495" = {}; + "tablet" = {}; }; - machinesWithHostSecrets = lib.filter (machine: machines.${machine}.hasHostSecrets) (builtins.attrNames machines); - machinesWithContainers = lib.filter (machine: (builtins.length machines.${machine}.containers) != 0) (builtins.attrNames machines); + machinesWithHostSecrets = filter ( + machine: (machines.${machine}.hasHostSecrets or true) + ) (builtins.attrNames machines); + + machinesWithContainers = filter ( + machine: machines.${machine} ? 
"containers" + ) (builtins.attrNames machines); in { packages = mergeAttrsList [ (mergeAttrsList ( - lib.forEach machinesWithHostSecrets (machine_name: { - "secrets-init-${machine_name}" = secretsInitScriptForSystem machine_name; - "vault-policy-${machine_name}" = vaultPolicyForSystem machine_name; + forEach machinesWithHostSecrets (machineName: { + "secrets-init-${machineName}" = secretsInitScriptForSystem machineName; + "vault-policy-${machineName}" = vaultPolicyForSystem machineName; }) )) - (mergeAttrsList (lib.forEach machinesWithContainers (machine_name: let - machine = machines.${machine_name}; + (mergeAttrsList (forEach machinesWithContainers (machineName: let + machine = machines.${machineName}; containers = machine.containers; - in (mergeAttrsList (lib.forEach containers (container_name: { - "secrets-init-${machine_name}-container-${container_name}" = secretsInitScriptForContainer machine_name container_name; - "vault-policy-${machine_name}-container-${container_name}" = vaultPolicyForContainer machine_name container_name; + in (mergeAttrsList (forEach containers (containerName: { + "secrets-init-${machineName}-container-${containerName}" = secretsInitScriptForContainer machineName containerName; + "vault-policy-${machineName}-container-${containerName}" = vaultPolicyForContainer machineName containerName; })))))) ]; }) diff --git a/overlay/default.nix b/overlay/default.nix index 7f67c4d..d85de6f 100644 --- a/overlay/default.nix +++ b/overlay/default.nix 
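Review bot: `sshAddress` is added to the `hetzner-vm`, `vault` and `raspberry` entries of `machines`, but nothing in this hunk reads it — the only consumers of `machines` are `machinesWithHostSecrets` and `machinesWithContainers`, and the `deploy.nodes` block that would have used host addresses is removed in the outputs.nix hunk above. Either wire it into whatever is meant to consume it or drop the three attributes; if they are intentional groundwork, a comment such as `# sshAddress: reserved for a future remote-run/deploy target; currently unused` stops the next reader from hunting for a use. The `containers = []` defaults are also gone, which works with the new `machines.${machine} ? "containers"` test but deserves the inline note `# "containers" is optional; absence means no container secrets for this host`.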
@@ -4,12 +4,8 @@ final: prev: rec { gobar = final.callPackage ./gobar {}; - roc-toolkit-patched = final.callPackage ./roc-toolkit-patched {}; - roc-send-pcm = final.callPackage ./roc-send-pcm {}; - mk-enc-usb = final.callPackage ../extras/mk-enc-usb.nix {}; mk-normal-enc-ssd = final.callPackage ../extras/mk-normal-enc-ssd.nix {}; - mk-dual-enc-ssd = final.callPackage ../extras/mk-dual-enc-ssd.nix {}; mk-raspberry-ext-drive = final.callPackage ../extras/mk-raspberry-ext-drive.nix {}; cockroachdb-bin = final.callPackage ./cockroachdb-bin {}; diff --git a/overlay/gobar/default.nix b/overlay/gobar/default.nix index f9d2cea..6c9dc7b 100644 --- a/overlay/gobar/default.nix +++ b/overlay/gobar/default.nix @@ -11,12 +11,10 @@ buildGoModule rec { repo = "gobar"; rev = "34c807423e5ea1420dbe2c08574cdc234f9b0789"; sha256 = "sha256-H+CjnkMde3rx7CoLKOluxHlYrhZGqzTnU8oOgkDEwsc="; - #sha256 = lib.fakeSha256; }; runVend = false; vendorSha256 = "sha256-37QYc+gLzCW1jefAQNy4AbabckJ4jO1sDOiUZTsLgWo="; - #vendorSha256 = lib.fakeSha256; preBuild = '' export HOME=$TMPDIR diff --git a/overlay/roc-send-pcm/default.nix b/overlay/roc-send-pcm/default.nix deleted file mode 100644 index a1b3d33..0000000 --- a/overlay/roc-send-pcm/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{pkgs, ...}: -pkgs.writeShellScriptBin "roc-send-pcm" '' - FORMAT=$1 - RATE=$2 - CHANNELS=$3 - IP_ADDR=$4 - - ${pkgs.ffmpeg}/bin/ffmpeg -f $FORMAT -ar $RATE -ac $CHANNELS -i /dev/stdin -f wav -y /dev/stdout | ${pkgs.roc-toolkit-patched}/bin/roc-send --source "rtp:$IP_ADDR:10001" --driver wav /dev/stdin -'' diff --git a/overlay/roc-toolkit-patched/default.nix b/overlay/roc-toolkit-patched/default.nix deleted file mode 100644 index 3c1aed1..0000000 --- a/overlay/roc-toolkit-patched/default.nix +++ /dev/null 
@@ -1,63 +0,0 @@ -{ - stdenv, - lib, - fetchFromGitHub, - sconsPackages, - ragel, - gengetopt, - pkg-config, - libuv, - openfecSupport ? true, - openfec, - libunwindSupport ? true, - libunwind, - pulseaudioSupport ? true, - libpulseaudio, - soxSupport ? true, - sox, -}: -stdenv.mkDerivation rec { - pname = "roc-toolkit"; - version = "0.1.5"; - - src = fetchFromGitHub { - owner = "roc-streaming"; - repo = "roc-toolkit"; - rev = "v${version}"; - sha256 = "sha256:1pld340zfch4p3qaf5anrspq7vmxrgf9ddsdsq92pk49axaaz19w"; - }; - - nativeBuildInputs = [sconsPackages.scons_3_0_1 ragel gengetopt pkg-config]; - - buildInputs = [libuv libunwind openfec libpulseaudio sox]; - - sconsFlags = - [ - "--build=${stdenv.buildPlatform.config}" - "--host=${stdenv.hostPlatform.config}" - "--prefix=${placeholder "out"}" - "--disable-tests" - ] - ++ lib.optional (!soxSupport) "--disable-sox" - ++ lib.optional (!libunwindSupport) "--disable-libunwind" - ++ lib.optional (!pulseaudioSupport) "--disable-pulseaudio" - ++ ( - if (!openfecSupport) - then ["--disable-openfec"] - else [ - "--with-libraries=${openfec}/lib" - "--with-openfec-includes=${openfec.dev}/include" - ] - ); - - prePatch = - lib.optionalString stdenv.isAarch64 "sed -i 's/c++98/c++11/g' SConstruct"; - - meta = with lib; { - description = "Roc is a toolkit for real-time audio streaming over the network"; - homepage = "https://github.com/roc-streaming/roc-toolkit"; - license = licenses.mpl20; - maintainers = with maintainers; [bgamari]; - platforms = platforms.unix; - }; -} diff --git a/overlay/zar/default.nix b/overlay/zar/default.nix deleted file mode 100644 index 2e7fd72..0000000 --- a/overlay/zar/default.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - stdenv, - fetchFromGitLab, - zig, -}: -stdenv.mkDerivation rec { - pname = "zar"; - version = "latest-1"; - - src = fetchFromGitLab { - owner = "ChaotiCryptidz"; - repo = "zar"; - rev = "5f2d473ef89c0cbf77c2a66a22ba457fe4390dd9"; - sha256 = "sha256-w0qXFJEL+Zbmsl9vUmrnG2P59zVo7RQdi+Fbvb3ucgw="; - #sha256 = lib.fakeSha256; - fetchSubmodules = true; - }; - - nativeBuildInputs = [zig]; - - preBuild = '' - export HOME=$TMPDIR - ''; - - installPhase = '' - zig build -Drelease-safe --prefix $out install - ''; -} diff --git a/presets/nixos/containerBase.nix b/presets/nixos/containerBase.nix new file mode 100644 index 0000000..08f1b5a --- /dev/null +++ b/presets/nixos/containerBase.nix @@ -0,0 +1,42 @@ +{ + tree, + inputs, + ... +}: { + imports = + (with tree; [ + profiles.base + users.root + + modules.nixos.rclone-serve + modules.nixos.rclone-sync + modules.nixos.secrets + modules.nixos.cockroachdb-bin + ]) + ++ [ + # Default modules which are usually included in nixos.nix + inputs.home-manager-unstable.nixosModules.home-manager + inputs.vaultui.nixosModules.default + inputs.gitlab_artifacts_sync.nixosModules.default + inputs.piped-flake.nixosModules.default + ]; + + home-manager.users.root = { + imports = with tree; [home.base home.dev.small]; + }; + + networking.firewall = { + enable = true; + allowPing = true; + checkReversePath = "loose"; + }; + + # TODO: Better DNS setup + services.resolved.enable = false; + environment.etc."resolv.conf".text = '' + nameserver 8.8.8.8 + nameserver 8.8.4.4 + ''; + + time.timeZone = "Europe/London"; +} diff --git a/presets/nixos/desktop-base.nix b/presets/nixos/desktopBase.nix similarity index 87% rename from presets/nixos/desktop-base.nix rename to presets/nixos/desktopBase.nix index a609397..ef673bb 100644 --- a/presets/nixos/desktop-base.nix +++ b/presets/nixos/desktopBase.nix 
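Review bot: The `services.resolved.enable = false` plus static `/etc/resolv.conf` pointing at 8.8.8.8 / 8.8.4.4 block in the new `containerBase.nix` is pasted verbatim into the laptop.nix and serverBase.nix hunks as well, each carrying the same `# TODO: Better DNS setup`; since it replaces the deleted `profiles/force_dns` profile, the natural home is one shared profile imported from the three presets, so the TODO has a single place to be resolved. `networking.firewall.checkReversePath = "loose"` also wants a why-comment, because it relaxes reverse-path filtering for every interface in the container — presumably for WireGuard or veth routing, which should be confirmed: `# loose rp_filter: needed for asymmetric routing (wireguard/veth) — tighten if not required`.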
@@ -3,8 +3,8 @@ profiles.sound.pipewire profiles.gui.base - profiles.firewall-allow.aria2c - profiles.firewall-allow.soulseek + profiles.firewallAllow.aria2c + profiles.firewallAllow.soulseek profiles.mullvad ]; @@ -14,7 +14,7 @@ imports = with tree; [ home.gui.base - home.apps.file-roller + home.apps.fileRoller home.apps.nautilus home.apps.pavucontrol home.apps.mpv diff --git a/presets/nixos/desktop-gnome.nix b/presets/nixos/desktopGnome.nix similarity index 85% rename from presets/nixos/desktop-gnome.nix rename to presets/nixos/desktopGnome.nix index c968420..2cc6e9e 100644 --- a/presets/nixos/desktop-gnome.nix +++ b/presets/nixos/desktopGnome.nix @@ -1,6 +1,6 @@ {tree, ...}: { imports = with tree; [ - presets.nixos.desktop-base + presets.nixos.desktopBase profiles.gui.environments.gnome ]; home-manager.users.chaos = { diff --git a/presets/nixos/desktop-sway.nix b/presets/nixos/desktopSway.nix similarity index 85% rename from presets/nixos/desktop-sway.nix rename to presets/nixos/desktopSway.nix index d0294bc..71fe4ee 100644 --- a/presets/nixos/desktop-sway.nix +++ b/presets/nixos/desktopSway.nix @@ -1,6 +1,6 @@ {tree, ...}: { imports = with tree; [ - presets.nixos.desktop-base + presets.nixos.desktopBase profiles.gui.environments.sway ]; home-manager.users.chaos = { diff --git a/presets/nixos/dual-encrypted-drive.nix b/presets/nixos/dual-encrypted-drive.nix deleted file mode 100644 index 594a2e4..0000000 --- a/presets/nixos/dual-encrypted-drive.nix +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - config, - pkgs, - ... -}: let - usb_data = import ../../data/usb_data.nix {}; - drive_data = import ../../data/dual_drive_data.nix {}; -in { - config.boot = { - initrd.availableKernelModules = [ - # For USB w/ Encryption Key - "usb_storage" - "usbcore" - "uas" - "sd_mod" - # For USB Keyboards - "usbhid" - # For Cryptography - "aesni_intel" - "cryptd" - ]; - initrd.postDeviceCommands = pkgs.lib.mkBefore '' - mkdir -m 0755 -p /keys - mkdir -m 0755 -p ${usb_data.mountpoint} - - while !(test -b ${usb_data.encrypted_path}) - do - ${ - if config.boot.plymouth.enable - then '' - ${pkgs.plymouth}/bin/plymouth display-message --text="Please Plug In USB" - '' - else '' - echo "Please Plug In USB" - '' - } - sleep 1 - done - - ${ - if config.boot.plymouth.enable - then '' - ${pkgs.plymouth}/bin/plymouth hide-message --text="Please Plug In USB" - - ${pkgs.plymouth}/bin/plymouth ask-for-password \ - --prompt="Please Decrypt USB" \ - --command="cryptsetup -T1 open ${usb_data.encrypted_path} ${usb_data.mapper_name}" \ - --number-of-tries=3 - '' - else '' - echo "Please Decrypt USB" - cryptsetup open ${usb_data.encrypted_path} ${usb_data.mapper_name} - '' - } - - mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint} - - cp ${usb_data.encryption_keys_path}/${config.networking.hostName}.key /keys - - umount -f ${usb_data.mountpoint} - - cryptsetup close ${usb_data.mapper_name} - ''; - - initrd.luks.devices = { - "${drive_data.root_mapper_name}" = { - device = "${drive_data.encrypted_root_path}"; - keyFile = "/keys/${config.networking.hostName}.key"; - preLVM = false; - allowDiscards = true; - }; - }; - }; - config.fileSystems = { - "/" = { - device = "${drive_data.decrypted_root_path}"; - fsType = "${drive_data.unencrypted_root_fs_type}"; - }; - "/boot" = { - device = "${drive_data.boot_path}"; - fsType = "${drive_data.boot_fs_type}"; - }; - }; -} 
diff --git a/presets/nixos/encrypted-usb.nix b/presets/nixos/encrypted-usb.nix deleted file mode 100644 index e986975..0000000 --- a/presets/nixos/encrypted-usb.nix +++ /dev/null @@ -1,4 +0,0 @@ -{tree, ...}: { - imports = with tree; [profiles.usb-automount]; - home-manager.users.chaos = {imports = with tree; [home.ssh-usb];}; -} diff --git a/presets/nixos/encryptedUSB.nix b/presets/nixos/encryptedUSB.nix new file mode 100644 index 0000000..a0246f6 --- /dev/null +++ b/presets/nixos/encryptedUSB.nix @@ -0,0 +1,6 @@ +{tree, ...}: { + imports = with tree; [profiles.usbAutoMount]; + home-manager.users.chaos = { + imports = with tree; [home.sshUSB]; + }; +} diff --git a/presets/nixos/laptop.nix b/presets/nixos/laptop.nix index 33b38d9..686988f 100644 --- a/presets/nixos/laptop.nix +++ b/presets/nixos/laptop.nix @@ -2,12 +2,19 @@ imports = with tree; [ profiles.laptop - profiles.connectivity.network_manager - profiles.connectivity.ios + profiles.connectivity.networkManager + profiles.connectivity.iOS - profiles.force_dns profiles.tor ]; + + # TODO: Better DNS setup + services.resolved.enable = false; + environment.etc."resolv.conf".text = '' + nameserver 8.8.8.8 + nameserver 8.8.4.4 + ''; + services.fstrim.enable = true; systemd.services.NetworkManager-wait-online.enable = false; } diff --git a/presets/nixos/normal-encrypted-drive.nix b/presets/nixos/normalEncryptedDrive.nix similarity index 51% rename from presets/nixos/normal-encrypted-drive.nix rename to presets/nixos/normalEncryptedDrive.nix index 43cec38..1d4ffa0 100644 --- a/presets/nixos/normal-encrypted-drive.nix +++ b/presets/nixos/normalEncryptedDrive.nix 
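Review bot: The laptop.nix hunk drops `profiles.force_dns`, which also set `networking.networkmanager.dns = "none"` and `resolvconf.useLocalResolver = false`, but the replacement only disables resolved and writes a static `/etc/resolv.conf`; with `profiles.connectivity.networkManager` still imported, NetworkManager may keep trying to manage resolver configuration on this laptop, so whether per-network DHCP resolvers are ignored or fought over is worth verifying on a real network. If the intent is to always use the hardcoded public resolver regardless of the network, carry `networking.networkmanager.dns = "none";` over with a comment such as `# NetworkManager must not touch resolv.conf; it is a static nix-store symlink here`.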
@@ -1,12 +1,16 @@ { + self, config, pkgs, + lib, ... }: let - usb_data = import ../../data/usb_data.nix {}; - drive_data = import ../../data/normal_drive_data.nix {}; + inherit (lib.modules) mkBefore; + + encryptedUSB = import "${self}/data/encryptedUSB.nix"; + driveData = import "${self}/data/normalEncryptedDrive.nix"; in { - config.boot = { + boot = { initrd.availableKernelModules = [ # For USB w/ Encryption Key "usb_storage" @@ -19,11 +23,11 @@ in { "aesni_intel" "cryptd" ]; - initrd.postDeviceCommands = pkgs.lib.mkBefore '' + initrd.postDeviceCommands = mkBefore '' mkdir -m 0755 -p /keys - mkdir -m 0755 -p ${usb_data.mountpoint} + mkdir -m 0755 -p ${encryptedUSB.mountpoint} - while !(test -b ${usb_data.encrypted_path}) + while !(test -b ${encryptedUSB.encryptedPath}) do ${ if config.boot.plymouth.enable 
@@ -44,41 +48,42 @@ in { ${pkgs.plymouth}/bin/plymouth ask-for-password \ --prompt="Please Decrypt USB" \ - --command="cryptsetup -T1 open ${usb_data.encrypted_path} ${usb_data.mapper_name}" \ + --command="cryptsetup -T1 open ${encryptedUSB.encryptedPath} ${encryptedUSB.mapperName}" \ --number-of-tries=3 '' else '' echo "Please Decrypt USB" - cryptsetup open ${usb_data.encrypted_path} ${usb_data.mapper_name} + cryptsetup open ${encryptedUSB.encryptedPath} ${encryptedUSB.preBootMapperName} '' } - mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint} + mount -n -t ${encryptedUSB.unencryptedFSType} -o ro ${encryptedUSB.preBootMapperPath} ${encryptedUSB.mountpoint} - cp ${usb_data.encryption_keys_path}/${config.networking.hostName}.key /keys + cp ${encryptedUSB.encryptionKeysPath}/${config.networking.hostName}.key /keys - umount -f ${usb_data.mountpoint} + umount -f ${encryptedUSB.mountpoint} - cryptsetup close ${usb_data.mapper_name} + cryptsetup close ${encryptedUSB.preBootMapperName} ''; initrd.luks.devices = { - "${drive_data.root_mapper_name}" = { - device = "${drive_data.encrypted_root_path}"; + "${driveData.mapperName}" = { + device = "${driveData.encryptedPath}"; keyFile = "/keys/${config.networking.hostName}.key"; preLVM = false; allowDiscards = true; }; }; }; - config.fileSystems = { + + fileSystems = { "/" = { - device = "${drive_data.decrypted_root_path}"; - fsType = "${drive_data.unencrypted_root_fs_type}"; + device = "${driveData.decryptedPath}"; + fsType = "${driveData.unencryptedFSType}"; }; "/boot" = { - device = "${drive_data.boot_path}"; - fsType = "${drive_data.boot_fs_type}"; + device = "${driveData.bootPath}"; + fsType = "${driveData.bootFSType}"; }; }; } diff --git a/presets/nixos/serverBase.nix b/presets/nixos/serverBase.nix new file mode 100644 index 0000000..f0b90ec --- /dev/null +++ b/presets/nixos/serverBase.nix 
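Review bot: The plymouth branch opens the USB as `${encryptedUSB.mapperName}` while the non-plymouth branch, the `mount` of `${encryptedUSB.preBootMapperPath}` and the final `cryptsetup close` all use `preBootMapperName`; unless the two attributes in data/encryptedUSB.nix hold the same value, on plymouth systems the mount and close target a mapping that was never created and the initrd never retrieves the key. Change the `--command` to `--command="cryptsetup -T1 open ${encryptedUSB.encryptedPath} ${encryptedUSB.preBootMapperName}"` so both branches agree. The `let` binding and the `boot` attrset this hunk sits in begin in the previous hunk.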
@@ -0,0 +1,34 @@ +{tree, ...}: { + imports = with tree; [ + users.root + + profiles.sshd + profiles.firewallAllow.ssh + + profiles.nixGC + profiles.serverExtras + ]; + + home-manager.users.root = { + imports = with tree; [home.base home.dev.small]; + }; + + networking.firewall = { + enable = true; + allowPing = true; + checkReversePath = "loose"; + }; + + # TODO: Better DNS setup + services.resolved.enable = false; + environment.etc."resolv.conf".text = '' + nameserver 8.8.8.8 + nameserver 8.8.4.4 + ''; + + boot.kernel.sysctl = { + "fs.inotify.max_user_watches" = 1024 * 64 * 16; + }; + + time.timeZone = "Europe/London"; +} diff --git a/presets/nixos/server-encrypted-drive.nix b/presets/nixos/serverEncryptedDrive.nix similarity index 94% rename from presets/nixos/server-encrypted-drive.nix rename to presets/nixos/serverEncryptedDrive.nix index 035e7c0..d0a52b8 100644 --- a/presets/nixos/server-encrypted-drive.nix +++ b/presets/nixos/serverEncryptedDrive.nix @@ -3,9 +3,11 @@ tree, ... }: { - imports = with tree; [profiles.sshd]; + imports = with tree; [ + profiles.sshd + ]; - config.boot = { + boot = { loader.systemd-boot.enable = false; loader.grub = { @@ -57,7 +59,7 @@ }; }; - config.fileSystems = { + fileSystems = { "/" = { device = "/dev/mapper/nixos_unencrypted"; fsType = "ext4"; diff --git a/presets/nixos/serverHetzner.nix b/presets/nixos/serverHetzner.nix new file mode 100644 index 0000000..ea35751 --- /dev/null +++ b/presets/nixos/serverHetzner.nix 
@@ -0,0 +1,61 @@ +{ + self, + config, + modulesPath, + lib, + ... +}: let + inherit (lib.modules) mkForce; + + container-ips = import "${self}/data/serverIPs.nix"; + + hostName = config.networking.hostName; + serverIPs = container-ips.${hostName}; +in { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + systemd.services = { + systemd-networkd-wait-online.enable = mkForce false; + }; + + networking = { + usePredictableInterfaceNames = false; + dhcpcd.enable = false; + }; + + systemd.network = { + enable = true; + networks."eth0" = { + name = "eth0"; + networkConfig.DHCP = "no"; + address = [ + # v4 + "${serverIPs.ipv4}/32" + + # v6 + "${serverIPs.ipv6}/64" + ]; + + routes = [ + # v4 + { + routeConfig = { + Destination = "172.31.1.1"; + }; + } + { + routeConfig = { + Gateway = "172.31.1.1"; + GatewayOnLink = true; + }; + } + # v6 + { + routeConfig.Gateway = "fe80::1"; + } + ]; + }; + }; +} diff --git a/profiles/base-darwin/fonts.nix b/profiles/base-darwin/fonts.nix deleted file mode 100644 index b4e3b20..0000000 --- a/profiles/base-darwin/fonts.nix +++ /dev/null @@ -1,6 +0,0 @@ -{pkgs, ...}: { - fonts = { - enableFontDir = true; - fonts = with pkgs; [comic-sans comic-code]; - }; -} diff --git a/profiles/base-darwin/home.nix b/profiles/base-darwin/home.nix deleted file mode 100644 index 234af1a..0000000 --- a/profiles/base-darwin/home.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ - inputs, - tree, - config, - lib, - ... -}: -with lib; { - options.home-manager.users = mkOption { - type = types.attrsOf (types.submoduleWith { - modules = []; - specialArgs = { - inherit inputs tree; - nixos = config; - }; - }); - }; - config = { - home-manager = { - useGlobalPkgs = true; - #useUserPackages = true; - }; - }; -} diff --git a/profiles/base-darwin/nix.nix b/profiles/base-darwin/nix.nix deleted file mode 100644 index 925f53c..0000000 --- a/profiles/base-darwin/nix.nix +++ /dev/null 
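Review bot: `container-ips` is the name given to the data imported from `data/serverIPs.nix`, which matches neither the file nor the camelCase naming this commit otherwise adopts, so a reader will go looking for container addresses; rename it, e.g. `serverIPsData = import "${self}/data/serverIPs.nix";` and `serverIPs = serverIPsData.${hostName};`. The routes block would also benefit from a one-line comment, since a `/32` address with an on-link `172.31.1.1` gateway is a provider-specific arrangement that looks wrong out of context: `# Hetzner Cloud: the gateway is outside the /32, so it is added as an on-link route before the default route`.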
@@ -1,23 +0,0 @@ -{ - inputs, - pkgs, - config, - ... -}: { - nix = { - package = pkgs.nixFlakes; - useDaemon = true; - nixPath = ["nixpkgs=${inputs.nixpkgs}"]; - extraOptions = '' - experimental-features = nix-command flakes - ''; - }; - nixpkgs = { - config = {allowUnfree = true;}; - overlays = [ - (import ../../overlay) - inputs.musicutil.overlay - inputs.deploy-rs.overlay - ]; - }; -} diff --git a/profiles/base-darwin/terminals.nix b/profiles/base-darwin/terminals.nix deleted file mode 100644 index 3d80ee7..0000000 --- a/profiles/base-darwin/terminals.nix +++ /dev/null @@ -1,3 +0,0 @@ -{pkgs, ...}: { - environment.systemPackages = with pkgs; [buildPackages.buildPackages.kitty.terminfo]; -} diff --git a/profiles/base/console-locale.nix b/profiles/base/consoleLocale.nix similarity index 100% rename from profiles/base/console-locale.nix rename to profiles/base/consoleLocale.nix diff --git a/profiles/base/hardware.nix b/profiles/base/hardware.nix index 8a90618..64fd3a6 100644 --- a/profiles/base/hardware.nix +++ b/profiles/base/hardware.nix @@ -2,12 +2,14 @@ lib, pkgs, ... -}: { +}: let + inherit (lib.modules) mkIf; +in { hardware.enableRedistributableFirmware = true; hardware.enableAllFirmware = true; hardware.cpu.intel.updateMicrocode = - lib.mkIf ("${pkgs.system}" == "x86_64-linux") true; + mkIf ("${pkgs.system}" == "x86_64-linux") true; hardware.cpu.amd.updateMicrocode = - lib.mkIf ("${pkgs.system}" == "x86_64-linux") true; + mkIf ("${pkgs.system}" == "x86_64-linux") true; hardware.wirelessRegulatoryDatabase = true; } diff --git a/profiles/base/home.nix b/profiles/base/home.nix index 298b87c..80c1c15 100644 --- a/profiles/base/home.nix +++ b/profiles/base/home.nix @@ -1,4 +1,5 @@ { + self, inputs, tree, config, @@ -14,7 +15,7 @@ in { type = attrsOf (submoduleWith { modules = []; specialArgs = { - inherit inputs tree; + inherit inputs tree self; }; }); }; diff --git a/profiles/base/nix.nix b/profiles/base/nix.nix index 0b6dd90..c46699c 100644 
--- a/profiles/base/nix.nix +++ b/profiles/base/nix.nix @@ -30,8 +30,6 @@ in { inputs.gitlab_artifacts_sync.overlays.default inputs.gitlab_archiver.overlays.default inputs.piped-flake.overlays.default - - inputs.deploy-rs.overlay ]; }; environment.etc."nixpkgs-commit".text = inputs.nixpkgs-unstable.rev; diff --git a/profiles/chaos-internal-wireguard/secrets.nix b/profiles/chaos-internal-wireguard/secrets.nix deleted file mode 100644 index bd50a8a..0000000 --- a/profiles/chaos-internal-wireguard/secrets.nix +++ /dev/null @@ -1,43 +0,0 @@ -{ - lib, - config, - ... -}: let - inherit (lib.modules) mkMerge; - inherit (lib.lists) forEach filter; - inherit (builtins) hasAttr; - - wireguard_data = import ../../data/chaos_wireguard_internal.nix {}; - wireguard_hosts = wireguard_data.hosts; - - currentHostName = config.networking.hostName; - currentHostConfig = wireguard_hosts.${currentHostName}; -in { - services.secrets = { - enable = true; - - requiredVaultPaths = [ - "private-public-keys/data/wireguard/chaos-internal/${currentHostName}" - ]; - - secrets = mkMerge ([ - { - wg_priv = { - fetchScript = '' - simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .private > "$secretFile" - ''; - }; - } - ] - ++ (forEach (filter (hostName: (hostName != currentHostName && hasAttr "endpoint" wireguard_hosts.${hostName})) (builtins.attrNames wireguard_hosts)) ( - hostName: let - in { - "wg_preshared_${hostName}" = { - fetchScript = '' - simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" ".preshared_keys.\"${hostName}\"" > "$secretFile" - ''; - }; - } - ))); - }; -} diff --git a/profiles/chaosInternalWireGuard/secrets.nix b/profiles/chaosInternalWireGuard/secrets.nix new file mode 100644 index 0000000..caef7b6 --- /dev/null +++ b/profiles/chaosInternalWireGuard/secrets.nix 
@@ -0,0 +1,21 @@ +{config, ...}: let + #wireguardData = import "${self}/data/chaosInternalWireGuard.nix"; + #wireguardHosts = wireguardData.hosts; + currentHostName = config.networking.hostName; +in { + services.secrets = { + enable = true; + + requiredVaultPaths = [ + "private-public-keys/data/wireguard/chaos-internal/${currentHostName}" + ]; + + secrets = { + wg_priv = { + fetchScript = '' + simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .private > "$secretFile" + ''; + }; + }; + }; +} diff --git a/profiles/chaos-internal-wireguard/wireguard.nix b/profiles/chaosInternalWireGuard/wireguard.nix similarity index 69% rename from profiles/chaos-internal-wireguard/wireguard.nix rename to profiles/chaosInternalWireGuard/wireguard.nix index c55b6a1..6058e6f 100644 --- a/profiles/chaos-internal-wireguard/wireguard.nix +++ b/profiles/chaosInternalWireGuard/wireguard.nix @@ -1,7 +1,7 @@ { + self, lib, config, - pkgs, ... }: let inherit (lib.modules) mkIf; @@ -10,12 +10,13 @@ # Assume this to be set secrets = config.services.secrets.secrets; - wireguard_data = import ../../data/chaos_wireguard_internal.nix {}; - wireguard_hosts = wireguard_data.hosts; + wireguardData = import "${self}/data/chaosInternalWireGuard.nix"; + wireguardHosts = wireguardData.hosts; currentHostName = config.networking.hostName; - currentHostConfig = wireguard_hosts.${currentHostName}; + currentHostConfig = wireguardHosts.${currentHostName}; in { + networking.firewall.trustedInterfaces = ["wg0"]; networking.firewall.allowPing = true; networking.firewall.allowedUDPPorts = mkIf (hasAttr "endpoint" currentHostConfig) [51820]; 
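Review bot: The two commented-out bindings at the top of the new `profiles/chaosInternalWireGuard/secrets.nix` (`#wireguardData = import "${self}/…"`, `#wireguardHosts = …`) reference `self`, which is not in this module's `{config, ...}` argument set, so they cannot simply be uncommented; delete them rather than start a fresh file with dead code. A header comment saying what the secret is for would help the next reader, presumably something like `# Fetches this host's WireGuard private key from Vault; consumed via config.services.secrets.secrets in wireguard.nix` (confirm the consumer before committing the wording).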
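Review bot: `networking.firewall.trustedInterfaces = ["wg0"]` in the second wireguard.nix hunk (`@@ -10,12 +10,13 @@`) switches the firewall off for everything arriving over the tunnel, so every peer in the mesh — and anything that compromises one peer — reaches every service listening on this host, not only the ports intended for internal use. Prefer the per-interface allow lists, e.g. `networking.firewall.interfaces.wg0.allowedTCPPorts = [ /* internal ports */ ];`, so each host exposes to the mesh only what it deliberately serves; if unrestricted trust is really wanted, say so next to the line: `# wg0 peers are fully trusted: every port on this host is reachable from the mesh`.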
@@ -36,20 +37,25 @@ in { peers = [ # hetzner-vm (mkIf (currentHostName != "hetzner-vm") (let - host = wireguard_hosts."hetzner-vm"; + host = wireguardHosts."hetzner-vm"; in { allowedIPs = ["${host.ip}/32"]; publicKey = host.public; - #presharedKeyFile = secrets.wg_preshared_hetzner-vm.path; endpoint = host.endpoint or null; })) # vault (mkIf (currentHostName != "vault") (let - host = wireguard_hosts."vault"; + host = wireguardHosts."vault"; + in { + allowedIPs = ["${host.ip}/32"]; + publicKey = host.public; + endpoint = host.endpoint or null; + })) + (mkIf (currentHostName != "raspberry") (let + host = wireguardHosts."raspberry"; in { allowedIPs = ["${host.ip}/32"]; publicKey = host.public; - #presharedKeyFile = secrets.wg_preshared_vault.path; endpoint = host.endpoint or null; })) ]; diff --git a/profiles/cockroachdb-bin-fix.nix b/profiles/cockroachdb-bin-fix.nix deleted file mode 100644 index 873595a..0000000 --- a/profiles/cockroachdb-bin-fix.nix +++ /dev/null 
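Review bot: The peer list is now hand-written per host (hetzner-vm, vault and the newly added raspberry), each `mkIf` block identical apart from the host name, so adding a fourth host means editing every machine's configuration; the deleted `profiles/chaos-internal-wireguard/secrets.nix` already derived the peer set from `attrNames wireguardHosts` filtered by `hostName != currentHostName`, and the same `forEach`/`filter` (inherited from `lib.lists`) replaces all three blocks. The enclosing `networking.wireguard` interface definition starts before this hunk.
```nix
      peers = forEach (filter (name: name != currentHostName) (builtins.attrNames wireguardHosts)) (name: let
        host = wireguardHosts.${name};
      in {
        allowedIPs = ["${host.ip}/32"];
        publicKey = host.public;
        endpoint = host.endpoint or null;
      });
```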
@@ -1,60 +0,0 @@ -{ - config, - lib, - ... -}: let - escapeSystemdExecArg = arg: let - s = - if builtins.isPath arg - then "${arg}" - else if builtins.isString arg - then arg - else if builtins.isInt arg || builtins.isFloat arg - then toString arg - else throw "escapeSystemdExecArg only allows strings, paths and numbers"; - in - lib.replaceStrings ["%" "$"] ["%%" "$$"] (builtins.toJSON s); - - # Quotes a list of arguments into a single string for use in a Exec* - # line. - escapeSystemdExecArgs = lib.concatMapStringsSep " " escapeSystemdExecArg; - - cfg = config.services.cockroachdb; - crdb = cfg.package; - - startupCommand = - escapeSystemdExecArgs - ([ - # Basic startup - "${crdb}/bin/cockroach" - ( - if (cfg.join != null) - then "start" - else "start-single-node" - ) - "--logtostderr" - "--store=/var/lib/cockroachdb" - - # WebUI settings - "--http-addr=${cfg.http.address}:${toString cfg.http.port}" - - # Cluster listen address - "--listen-addr=${cfg.listen.address}:${toString cfg.listen.port}" - - # Cache and memory settings. - "--cache=${cfg.cache}" - "--max-sql-memory=${cfg.maxSqlMemory}" - - # Certificate/security settings. - ( - if cfg.insecure - then "--insecure" - else "--certs-dir=${cfg.certsDir}" - ) - ] - ++ lib.optional (cfg.join != null) "--join=${cfg.join}" - ++ lib.optional (cfg.locality != null) "--locality=${cfg.locality}" - ++ cfg.extraArgs); -in { - systemd.services.cockroachdb.serviceConfig.ExecStart = lib.mkForce startupCommand; -} diff --git a/profiles/connectivity/ios/default.nix b/profiles/connectivity/iOS/default.nix similarity index 100% rename from profiles/connectivity/ios/default.nix rename to profiles/connectivity/iOS/default.nix diff --git a/profiles/connectivity/network_manager/nm.nix b/profiles/connectivity/networkManager/nm.nix similarity index 100% rename from profiles/connectivity/network_manager/nm.nix rename to profiles/connectivity/networkManager/nm.nix 
diff --git a/profiles/firewall-allow/aria2c.nix b/profiles/firewallAllow/aria2c.nix similarity index 100% rename from profiles/firewall-allow/aria2c.nix rename to profiles/firewallAllow/aria2c.nix diff --git a/profiles/nginx-firewall.nix b/profiles/firewallAllow/httpCommon.nix similarity index 100% rename from profiles/nginx-firewall.nix rename to profiles/firewallAllow/httpCommon.nix diff --git a/profiles/firewall-allow/soulseek.nix b/profiles/firewallAllow/soulseek.nix similarity index 100% rename from profiles/firewall-allow/soulseek.nix rename to profiles/firewallAllow/soulseek.nix diff --git a/profiles/firewallAllow/ssh.nix b/profiles/firewallAllow/ssh.nix new file mode 100644 index 0000000..ea8f50d --- /dev/null +++ b/profiles/firewallAllow/ssh.nix @@ -0,0 +1,2 @@ +{...}: { +} diff --git a/profiles/force_dns/force_dns.nix b/profiles/force_dns/force_dns.nix deleted file mode 100644 index a8bed28..0000000 --- a/profiles/force_dns/force_dns.nix +++ /dev/null @@ -1,9 +0,0 @@ -{lib, ...}: let - inherit (lib.modules) mkForce; -in { - networking = { - resolvconf.useLocalResolver = false; - networkmanager.dns = "none"; - }; - networking.nameservers = mkForce ["1.1.1.1"]; -} diff --git a/profiles/kernels/latest.nix b/profiles/kernels/latest.nix deleted file mode 100644 index f24b775..0000000 --- a/profiles/kernels/latest.nix +++ /dev/null @@ -1 +0,0 @@ -{pkgs, ...}: {boot.kernelPackages = pkgs.linuxPackages_latest;} diff --git a/profiles/nginx.nix b/profiles/nginx.nix index 5e38390..e1b113e 100644 --- a/profiles/nginx.nix +++ b/profiles/nginx.nix @@ -17,7 +17,9 @@ in { config = { security.acme = { - defaults = {email = "chaoticryptidz@owo.monster";}; + defaults = { + email = "chaoticryptidz@owo.monster"; + }; acceptTerms = true; }; 
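Review bot: The new `profiles/firewallAllow/ssh.nix` is an empty module (`{...}: { }`), so anything that imports it expecting the SSH port to be opened gets no firewall change, which is exactly what the `firewallAllow/` directory name promises. Either populate it with `networking.firewall.allowedTCPPorts = [22];`, or, if the port is already opened by `services.openssh.openFirewall`, drop the file rather than ship a placeholder. If it is intentionally a stub, a `# TODO: ...` comment inside the set saying what it is meant to hold would stop it from being imported as if it worked.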
@@ -30,7 +32,7 @@ in { recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; - clientMaxBodySize = lib.mkDefault "512m"; + clientMaxBodySize = mkDefault "512m"; serverNamesHashBucketSize = 1024; appendHttpConfig = '' proxy_headers_hash_max_size 1024; diff --git a/profiles/nix-gc.nix b/profiles/nixGC.nix similarity index 100% rename from profiles/nix-gc.nix rename to profiles/nixGC.nix diff --git a/profiles/remote-builders.nix b/profiles/remoteBuilders.nix similarity index 75% rename from profiles/remote-builders.nix rename to profiles/remoteBuilders.nix index 5bfbb2c..1d20299 100644 --- a/profiles/remote-builders.nix +++ b/profiles/remoteBuilders.nix @@ -5,28 +5,28 @@ }: let inherit (lib.modules) mkIf; - current_machine_hostname = config.networking.hostName; + currentHostname = config.networking.hostName; - usb_ssh_key_file = "/usb/ssh-keys/chaos.priv"; + usbSSHKeyFile = "/usb/ssh-keys/chaos.priv"; - ssh_key_file = + sshKeyFile = if - builtins.elem current_machine_hostname [ + builtins.elem currentHostname [ "lappy-t495" "tablet" ] - then usb_ssh_key_file + then usbSSHKeyFile else throw "host isn't configured for remote-builders"; builderDefaults = { sshUser = "root"; - sshKey = ssh_key_file; + sshKey = sshKeyFile; supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"]; mandatoryFeatures = []; }; in { nix.buildMachines = [ - (mkIf (current_machine_hostname != "hetzner-vm") (builderDefaults + (mkIf (currentHostname != "hetzner-vm") (builderDefaults // { hostName = "hetzner-vm.servers.genderfucked.monster"; systems = ["x86_64-linux" "aarch64-linux"]; @@ -34,7 +34,7 @@ in { maxJobs = 3; speedFactor = 2; })) - (mkIf (current_machine_hostname != "vault") (builderDefaults + (mkIf (currentHostname != "vault") (builderDefaults // { hostName = "vault.servers.genderfucked.monster"; systems = ["x86_64-linux"]; diff --git a/profiles/serverExtras.nix b/profiles/serverExtras.nix new file mode 100644 index 0000000..c61ac63 
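Review bot: `clientMaxBodySize = mkDefault "512m";` drops the `lib.` qualifier, which only evaluates if `mkDefault` is brought into scope in the `let` block above this hunk (for example `inherit (lib.modules) mkDefault;`); that block is outside the hunk and the diff shows no such inherit being added, so please confirm it already exists, otherwise `profiles/nginx.nix` fails to evaluate with an undefined variable. The change itself is consistent with how the other profiles in this commit use the unqualified `mkIf`.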
--- /dev/null +++ b/profiles/serverExtras.nix @@ -0,0 +1,47 @@ +{ + pkgs, + lib, + config, + ... +}: let + inherit (lib.strings) concatStringsSep; + inherit (lib.lists) forEach; + + inherit (builtins) attrNames; + + inherit (pkgs) writeShellScriptBin; + + containerNames = attrNames config.containers; + + vaccumSize = "50MB"; +in { + environment.systemPackages = + [ + (writeShellScriptBin "journalctl-vaccum-all" '' + journalctl --vacuum-size=${vaccumSize} + ${concatStringsSep "\n" (forEach containerNames (name: '' + journalctl --vacuum-size=${vaccumSize} --root /var/lib/nixos-containers/${name} + ''))} + '') + (writeShellScriptBin "systemctl-list-failed-all" '' + echo "Host: " + systemctl --failed + ${concatStringsSep "\n" (forEach containerNames (name: '' + echo "Container: ${name}" + systemctl -M ${name} --failed + ''))} + '') + ] + ++ forEach containerNames (name: (writeShellScriptBin "journalctl-vaccum-${name}" '' + journalctl --vacuum-size=${vaccumSize} --root /var/lib/nixos-containers/${name} + '')) + ++ forEach containerNames (name: (writeShellScriptBin "systemctl-container-${name}" '' + systemctl -M ${name} "$@" + '')) + ++ forEach containerNames (name: (writeShellScriptBin "journalctl-container-${name}" '' + journalctl -M ${name} "$@" + '')) + ++ forEach containerNames (name: (writeShellScriptBin "shell-enter-${name}" '' + machinectl shell ${name} + '')); +} diff --git a/profiles/sound/pulseaudio/pulse-48000.nix b/profiles/sound/pulseaudio/pulse-48000.nix deleted file mode 100644 index f9b8302..0000000 --- a/profiles/sound/pulseaudio/pulse-48000.nix +++ /dev/null @@ -1 +0,0 @@ -_: {hardware.pulseaudio.daemon.config = {default-sample-rate = "48000";};} diff --git a/profiles/sound/pulseaudio/pulse-bluetooth.nix b/profiles/sound/pulseaudio/pulse-bluetooth.nix deleted file mode 100644 index 4607592..0000000 --- a/profiles/sound/pulseaudio/pulse-bluetooth.nix +++ /dev/null 
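Review bot: The misspelling `vaccum` is baked into the generated command names (`journalctl-vaccum-all`, `journalctl-vaccum-${name}`) and the `vaccumSize` binding, so it becomes part of the operator interface and tab completion on every server; renaming to `vacuum` now is cheaper than after people start scripting against it. The `${name}` interpolations are unquoted inside the generated shell scripts; the names come from `config.containers` attribute names, which are also used as unit and interface names, so this is not attacker-controlled, but `"${name}"` costs nothing and matches the quoted `"$@"` already used in the `systemctl-container-` and `journalctl-container-` wrappers. A one-line comment above `vaccumSize` noting that the 50MB bound is applied per journal (host plus each container `--root`), not as a total, would clarify what the number means.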
@@ -1,16 +0,0 @@ -{ - pkgs, - tree, - lib, - ... -}: let - inherit (lib.modules) mkForce; -in { - imports = with tree; [profiles.connectivity.bluetooth]; - - hardware.pulseaudio = { - extraModules = with pkgs; [pkgs.pulseaudio-modules-bt]; - package = mkForce pkgs.pulseaudioFull; - extraConfig = "load-module module-switch-on-connect"; - }; -} diff --git a/profiles/sound/pulseaudio/pulse-recv-native-localhost.nix b/profiles/sound/pulseaudio/pulse-recv-native-localhost.nix deleted file mode 100644 index 6051d05..0000000 --- a/profiles/sound/pulseaudio/pulse-recv-native-localhost.nix +++ /dev/null @@ -1,7 +0,0 @@ -_: { - hardware.pulseaudio = { - extraConfig = '' - load-module module-native-protocol-tcp auth-anonymous=1 auth-ip-acl=127.0.0.1;192.168.1.0/24;100.115.10.34 - ''; - }; -} diff --git a/profiles/sound/pulseaudio/pulse-recv-rtp.nix b/profiles/sound/pulseaudio/pulse-recv-rtp.nix deleted file mode 100644 index 0195fbd..0000000 --- a/profiles/sound/pulseaudio/pulse-recv-rtp.nix +++ /dev/null @@ -1,7 +0,0 @@ -_: { - hardware.pulseaudio = { - extraConfig = '' - load-module module-rtp-recv latency_msec=5000 sap_address=0.0.0.0 - ''; - }; -} diff --git a/profiles/sound/pulseaudio/pulse-systemwide.nix b/profiles/sound/pulseaudio/pulse-systemwide.nix deleted file mode 100644 index 551637b..0000000 --- a/profiles/sound/pulseaudio/pulse-systemwide.nix +++ /dev/null @@ -1,7 +0,0 @@ -{tree, ...}: { - imports = with tree; [profiles.sound.pulseaudio.pulse]; - hardware.pulseaudio = { - systemWide = true; - enable = true; - }; -} diff --git a/profiles/sound/pulseaudio/pulse.nix b/profiles/sound/pulseaudio/pulse.nix deleted file mode 100644 index 818e008..0000000 --- a/profiles/sound/pulseaudio/pulse.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ - config, - pkgs, - ... -}: { - sound.enable = true; - nixpkgs.config.pulseaudio = true; - hardware.pulseaudio = { - enable = true; - package = pkgs.pulseaudioFull; - support32Bit = true; - }; -} 
diff --git a/profiles/tlp.nix b/profiles/tlp.nix deleted file mode 100644 index d93d613..0000000 --- a/profiles/tlp.nix +++ /dev/null @@ -1,3 +0,0 @@ -{...}: { - services.tlp.enable = true; -} diff --git a/profiles/usb-automount.nix b/profiles/usbAutoMount.nix similarity index 54% rename from profiles/usb-automount.nix rename to profiles/usbAutoMount.nix index ca8e95a..ede9287 100644 --- a/profiles/usb-automount.nix +++ b/profiles/usbAutoMount.nix @@ -1,21 +1,22 @@ {pkgs, ...}: let - usb_data = import ../data/usb_data.nix {}; + encryptedUSB = import ../data/encryptedUSB.nix; + enc_usb_mount = pkgs.writeShellScriptBin "enc_usb_mount" '' set -x ${enc_usb_unmount}/bin/enc_usb_unmount - cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}_afterboot - - mount ${usb_data.mapper_path}_afterboot -o rw ${usb_data.mountpoint} + cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${encryptedUSB.encryptedPath} ${encryptedUSB.mapperName} - + mount ${encryptedUSB.mapperPath} -o rw ${encryptedUSB.mountpoint} ''; enc_usb_unmount = pkgs.writeShellScriptBin "enc_usb_unmount" '' set -x - umount -flR ${usb_data.mountpoint} || true - cryptsetup close ${usb_data.mapper_name}_afterboot || true + umount -flR ${encryptedUSB.mountpoint} || true + cryptsetup close ${encryptedUSB.mapperName} || true ''; in { environment.systemPackages = [enc_usb_mount enc_usb_unmount]; - systemd.tmpfiles.rules = ["d ${usb_data.mountpoint} - chaos root"]; + systemd.tmpfiles.rules = ["d ${encryptedUSB.mountpoint} - chaos root"]; systemd.services.enc-usb-mount = { path = [pkgs.util-linux pkgs.cryptsetup]; 
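Review bot: The rewritten `enc_usb_mount` script still has no `set -e`/`pipefail`, so when `cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen …` fails (wrong passphrase, missing secret, mapping already present) the script carries on to `mount ${encryptedUSB.mapperPath} -o rw …` against a mapper that does not exist, and the unit logs a misleading mount error instead of the real cause; `set -eo pipefail` next to the existing `set -x` fixes that in both scripts. The rename also drops the `_afterboot` suffix from the mapper name on both the `luksOpen` and `cryptsetup close` lines; if `encryptedUSB.mapperName` is the same name used to unlock this device at boot (the data file is not in this hunk), `luksOpen` will now fail because the mapping already exists, so that is worth confirming before deploying. Note that `set -x` echoes only the command line, not the piped passphrase, so the trace itself does not expose the secret.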
@@ -33,7 +34,7 @@ in { }; services.udev.extraRules = '' - ACTION=="add", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="enc-usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1" - ACTION=="remove", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="enc-usb-unmount.service" + ACTION=="add", ENV{PARTNAME}=="${encryptedUSB.encryptedPartLabel}", ENV{SYSTEMD_WANTS}="enc-usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1" + ACTION=="remove", ENV{PARTNAME}=="${encryptedUSB.encryptedPartLabel}", ENV{SYSTEMD_WANTS}="enc-usb-unmount.service" ''; } diff --git a/scripts/buildPipedBackendAArch64.sh b/scripts/buildPipedBackendAArch64.sh new file mode 100755 index 0000000..8320d0e --- /dev/null +++ b/scripts/buildPipedBackendAArch64.sh @@ -0,0 +1 @@ +nix build --system aarch64-linux .#piped-backend --builders "ssh://root@raspberry.servers.genderfucked.monster?ssh-key=/usb/ssh-keys/chaos.priv aarch64-linux - 2 2 nixos-test,benchmark,big-parallel,kvm - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUJhZlp5bitQcUtBclVYZ1VNdCszaDQvRU5kbWVUNWx3YXBPUm5lZXZ2eVIgcm9vdEByYXNwYmVycnkK#" --max-jobs 0 --builders-use-substitutes \ No newline at end of file diff --git a/scripts/deploy/hetzner-vm.sh b/scripts/deploy/hetzner-vm.sh index c60c5f5..1474509 100755 --- a/scripts/deploy/hetzner-vm.sh +++ b/scripts/deploy/hetzner-vm.sh @@ -1,7 +1,5 @@ #!/usr/bin/env bash -set -e - SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) cd $SCRIPT_DIR cd $(git rev-parse --show-toplevel) diff --git a/scripts/deploy/raspberry.sh b/scripts/deploy/raspberry.sh index 1330182..8fe0d45 100755 --- a/scripts/deploy/raspberry.sh +++ b/scripts/deploy/raspberry.sh 
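Review bot: The new `scripts/buildPipedBackendAArch64.sh` has no shebang and no trailing newline, so it runs under whatever fallback interpreter the calling shell chooses rather than bash, and a failing `nix build` propagates its status only by accident; start it with `#!/usr/bin/env bash` and `set -euo pipefail` like the deploy scripts, and end the file with a newline. Embedding the raspberry host public key in the builder URI pins the host identity for the root-over-ssh session, which is good, but the same builder settings are hand-written here while `profiles/remoteBuilders.nix` in this commit lists only hetzner-vm and vault, so a comment saying which of the two is authoritative would prevent drift.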
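Review bot: Removing `set -e` from `scripts/deploy/hetzner-vm.sh` means a failing `cd $(git rev-parse --show-toplevel)` no longer aborts and the rebuild then runs from the wrong directory; the same removal is made in `scripts/deploy/raspberry.sh` and `scripts/deploy/vault.sh`. If it was dropped because one later command is allowed to fail, guard that command with `|| true` and keep `set -euo pipefail` at the top, rather than disabling error checking for the whole script.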
@@ -1,9 +1,8 @@ #!/usr/bin/env bash -set -e - SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) cd $SCRIPT_DIR cd $(git rev-parse --show-toplevel) -nixos-rebuild switch --flake .#raspberry --target-host raspberry -s "$@" \ No newline at end of file +[ -n "$NO_BUILD_PIPED_BACKEND" ] && ./scripts/buildPipedBackendAArch64.nix +nixos-rebuild switch --flake .#raspberry --target-host raspberry -s "$@" diff --git a/scripts/deploy/vault.sh b/scripts/deploy/vault.sh index 036c644..b4739d5 100755 --- a/scripts/deploy/vault.sh +++ b/scripts/deploy/vault.sh @@ -1,7 +1,5 @@ #!/usr/bin/env bash -set -e - SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) cd $SCRIPT_DIR cd $(git rev-parse --show-toplevel) diff --git a/scripts/deploy-all.sh b/scripts/deployAll.sh similarity index 100% rename from scripts/deploy-all.sh rename to scripts/deployAll.sh diff --git a/scripts/deploy-secrets.sh b/scripts/deploySecrets.sh similarity index 100% rename from scripts/deploy-secrets.sh rename to scripts/deploySecrets.sh diff --git a/treeConfig.nix b/treeConfig.nix index 0619ffa..5afc849 100644 --- a/treeConfig.nix +++ b/treeConfig.nix 
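Review bot: `[ -n "$NO_BUILD_PIPED_BACKEND" ] && ./scripts/buildPipedBackendAArch64.nix` has two defects: the test is inverted, so the backend is built only when the variable meant to skip it is set, and the path names a `.nix` file while the script this commit adds is `scripts/buildPipedBackendAArch64.sh`. With `set -e` also removed in this hunk, the resulting "command not found" is ignored and `nixos-rebuild switch` proceeds without the freshly built backend. Suggested line: `[ -z "$NO_BUILD_PIPED_BACKEND" ] && ./scripts/buildPipedBackendAArch64.sh`, or an `if`/`then` block so that a failed build stops the deploy.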
@@ -1,47 +1,10 @@ {}: { folder = ./.; config = { - # Data Files & Nix Generated Scripts - "data/*".functor.enable = true; - "extras/*".functor.enable = true; - - # Per host home-manager, profiles & containers "hosts/*".functor.enable = true; - "hosts/*/home".functor.enable = true; - "hosts/*/profiles".functor.enable = true; - "hosts/*/containers".functor.enable = true; - - # Extra modules/home/profiles/containers - "hosts/hetzner-vm/modules/mailserver".functor.enable = true; - - "hosts/hetzner-vm".functor.enable = true; - "hosts/hetzner-vm/containers/storage/profiles".functor.enable = true; - "hosts/hetzner-vm/containers/social/profiles".functor.enable = true; - "hosts/hetzner-vm/containers/quassel/profiles".functor.enable = true; - "hosts/hetzner-vm/containers/piped/profiles".functor.enable = true; - - # Profiles "profiles/*".functor.enable = true; - "profiles/sound/*".functor.enable = true; - "profiles/sound/pulseaudio/*".functor.enable = true; - "profiles/connectivity/*".functor.enable = true; - "profiles/gaming/*".functor.enable = true; - "profiles/gui/environments/*".functor.enable = true; - "profiles/firewall-allow/*".functor.enable = true; - - # Users "users/*".functor.enable = true; - - # Home-Manager "home/*".functor.enable = true; - "home/gui/environments/*".functor.enable = true; - "home/apps/*".functor.enable = true; - "home/gaming/emulators/*".functor.enable = true; - "home/gaming/games/*".functor.enable = true; - "home/gaming/platforms/*".functor.enable = true; - "home/programming/languages/*".functor.enable = true; - - # Presets "presets/nixos/*".functor.enable = true; "modules/nixos" = { @@ -50,6 +13,7 @@ external = []; }; }; + "modules/home" = { functor = { enable = true;