authorpolwex <polwex@sortug.com>2024-07-21 01:09:48 +0700
committerpolwex <polwex@sortug.com>2024-07-21 01:09:48 +0700
commit78907aa98c1af8624a62ca123d088c6c16424f41 (patch)
tree477fe923810522acc211b7514e4931af80f33ed7 /hosts
init
Diffstat (limited to 'hosts')
-rw-r--r--hosts/adguard.nix17
-rw-r--r--hosts/android.nix40
-rw-r--r--hosts/base.nix22
-rw-r--r--hosts/cloud/bkk/configuration.nix49
-rw-r--r--hosts/cloud/bkk/hardware-configuration.nix34
-rw-r--r--hosts/cloud/bkk/nginx.nix62
-rw-r--r--hosts/cloud/flake.lock48
-rw-r--r--hosts/cloud/flake.nix67
-rw-r--r--hosts/cloud/install-script.sh170
-rw-r--r--hosts/cloud/jeet/configuration.nix75
-rw-r--r--hosts/cloud/jeet/disk-config.nix52
-rw-r--r--hosts/cloud/jeet/hardware-configuration.nix24
-rw-r--r--hosts/cloud/oldsortug/configuration.nix46
-rw-r--r--hosts/cloud/oldsortug/coturn.nix60
-rw-r--r--hosts/cloud/oldsortug/gitea.nix27
-rw-r--r--hosts/cloud/oldsortug/hardware-configuration.nix31
-rw-r--r--hosts/cloud/oldsortug/nginx.nix21
-rw-r--r--hosts/cloud/oldsortug/packages.nix53
-rw-r--r--hosts/cloud/oldsortug/users.nix56
-rw-r--r--hosts/cloud/packages.nix55
-rw-r--r--hosts/cloud/sing/configuration.nix38
-rw-r--r--hosts/cloud/sing/disk-config.nix52
-rw-r--r--hosts/cloud/sing/hardware-configuration.nix20
-rw-r--r--hosts/cloud/sing/init.nix42
-rw-r--r--hosts/cloud/sing/jellyfin.nix7
-rw-r--r--hosts/cloud/sing/mail.key1
-rw-r--r--hosts/cloud/sing/mail.nix68
-rw-r--r--hosts/cloud/sing/mail2.key1
-rw-r--r--hosts/cloud/sing/nginx.nix129
-rw-r--r--hosts/cloud/sing/omail.nix79
-rw-r--r--hosts/cloud/sing/packages.nix53
-rw-r--r--hosts/cloud/sing/users.nix40
-rw-r--r--hosts/cloud/sortug/configuration.nix90
-rw-r--r--hosts/cloud/sortug/coturn.nix60
-rw-r--r--hosts/cloud/sortug/default.nix3
-rw-r--r--hosts/cloud/sortug/disk-config.nix56
-rw-r--r--hosts/cloud/sortug/fetch/configuration.nix126
-rw-r--r--hosts/cloud/sortug/fetch/hardware-configuration.nix24
-rw-r--r--hosts/cloud/sortug/gitea.nix27
-rw-r--r--hosts/cloud/sortug/hardware-configuration.nix17
-rw-r--r--hosts/cloud/sortug/hardware2.nix29
-rw-r--r--hosts/cloud/sortug/legacy.nix40
-rw-r--r--hosts/cloud/sortug/minio.nix9
-rw-r--r--hosts/cloud/sortug/nginx.nix124
-rw-r--r--hosts/cloud/sortug/packages.nix53
-rw-r--r--hosts/cloud/sortug/users.nix56
-rw-r--r--hosts/cloud/spanm/configuration.nix66
-rw-r--r--hosts/cloud/spanm/flake.lock27
-rw-r--r--hosts/cloud/spanm/flake.nix16
-rw-r--r--hosts/cloud/spanm/hardware-configuration.nix36
-rw-r--r--hosts/cloud/spanm/mail.nix67
-rw-r--r--hosts/cloud/spanm/nginx.nix46
-rw-r--r--hosts/cloud/spanm/packages.nix47
-rw-r--r--hosts/cloud/spanm/users.nix42
-rw-r--r--hosts/cloud/users.nix41
-rw-r--r--hosts/editors.nix12
-rw-r--r--hosts/headless/bcn.nix70
-rw-r--r--hosts/headless/configuration.nix76
-rw-r--r--hosts/headless/flake.lock82
-rw-r--r--hosts/headless/flake.nix41
-rw-r--r--hosts/headless/hardware-configuration.nix20
-rw-r--r--hosts/headless/headless.nix4
-rw-r--r--hosts/linux.nix44
-rw-r--r--hosts/local/fw11/configuration.nix53
-rw-r--r--hosts/local/fw11/default.nix6
-rw-r--r--hosts/local/fw11/framework.kbd101
-rw-r--r--hosts/local/fw11/hardware-configuration.nix39
-rw-r--r--hosts/local/fw11/keyboard.nix46
-rw-r--r--hosts/local/i3.nix134
-rw-r--r--hosts/local/master/configuration.nix61
-rw-r--r--hosts/local/master/default.nix5
-rw-r--r--hosts/local/master/hardware-configuration.nix41
-rw-r--r--hosts/local/nvidia.nix17
-rw-r--r--hosts/local/ohira/configuration.nix287
-rw-r--r--hosts/local/ohira/default.nix4
-rw-r--r--hosts/local/ohira/hardware-configuration.nix39
-rw-r--r--hosts/local/wayland.nix188
-rw-r--r--hosts/network.nix32
-rw-r--r--hosts/nixos.nix21
-rw-r--r--hosts/pkgs.nix70
-rw-r--r--hosts/syncthing.nix9
-rw-r--r--hosts/unfree.nix24
-rw-r--r--hosts/users.nix55
83 files changed, 4222 insertions, 0 deletions
diff --git a/hosts/adguard.nix b/hosts/adguard.nix
new file mode 100644
index 0000000..c956189
--- /dev/null
+++ b/hosts/adguard.nix
@@ -0,0 +1,17 @@
+{...}:
+{
+ services.adguardhome = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ bind_port: 3001;
+ dns = {
+ bind_host = "0.0.0.0";
+ bootstrap_dns = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
+ };
+ };
+ };
+}
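Review bot: `bind_port: 3001;` is not valid Nix — attribute bindings use `=`, so this module fails to evaluate; it should read `bind_port = 3001;`. Separately, `dns.bind_host = "0.0.0.0"` together with `openFirewall = true` publishes the resolver on every interface, so on any host with a public address this becomes an open recursive resolver unless something upstream filters port 53; binding to the LAN/VPN address, or leaving `openFirewall` off and allowing 53 only on the intended interface, is the safer default.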
diff --git a/hosts/android.nix b/hosts/android.nix
new file mode 100644
index 0000000..6abf253
--- /dev/null
+++ b/hosts/android.nix
@@ -0,0 +1,40 @@
+{pkgs, ...}: let
+ androidComposition = pkgs.androidenv.composeAndroidPackages {
+ # cmdLineToolsVersion = "8.0";
+ # toolsVersion = "26.1.1";
+ # platformToolsVersion = "34.0.0";
+ # buildToolsVersions = [ "34.0.0" ];
+ # includeEmulator = false;
+ # emulatorVersion = "30.3.4";
+ # platformVersions = [ "28" "29" "30" ];
+ # includeSources = false;
+ # includeSystemImages = false;
+ # systemImageTypes = [ "google_apis_playstore" ];
+ # abiVersions = [ "armeabi-v7a" "arm64-v8a" ];
+ # cmakeVersions = [ "3.10.2" ];
+ # includeNDK = true;
+ # ndkVersions = ["22.0.7026061"];
+ # useGoogleAPIs = false;
+ # useGoogleTVAddOns = false;
+ # includeExtras = [
+ # "extras;google;gcm"
+ # ];
+ };
+in {
+ # allow unfree
+ environment.systemPackages = [
+ pkgs.android-studio-full
+ androidComposition.androidsdk
+ ];
+ services.udev.packages = [
+ pkgs.android-udev-rules
+ ];
+ programs.adb.enable = true;
+ users.users.y.extraGroups = ["adbusers" "kvm"];
+ environment.variables = {
+ ANDROID_HOME = "${androidComposition.androidsdk}/libexec/android-sdk";
+ LOL = "LMAO";
+ };
+
+ nixpkgs.config.android_sdk.accept_license = true;
+}
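Review bot: `LOL = "LMAO";` under `environment.variables` looks like leftover debugging and is exported into every login session; drop it. The `# allow unfree` comment above `environment.systemPackages` describes nothing that happens there — the actual opt-in is `nixpkgs.config.android_sdk.accept_license = true;` at the bottom, so move the comment there or remove it. Adding `y` to `kvm` grants direct /dev/kvm access; a one-line comment such as `# kvm: hardware acceleration for the Android emulator` would record why that is wanted.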
diff --git a/hosts/base.nix b/hosts/base.nix
new file mode 100644
index 0000000..e1e421b
--- /dev/null
+++ b/hosts/base.nix
@@ -0,0 +1,22 @@
+{
+ config,
+ lib,
+ pkgs,
+ unfreePkgs,
+ ...
+}: {
+ # enable flakes
+ nix = {
+ package = pkgs.nixFlakes;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ settings = {
+ keep-outputs = true;
+ keep-derivations = true;
+ };
+ };
+
+ #direnv
+ # programs.direnv.enable = true;
+}
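Review bot: `config`, `lib` and `unfreePkgs` are taken from the module arguments but never used in this file; `{ pkgs, ... }:` is sufficient, and `unfreePkgs` in particular makes evaluation fail with a missing-argument error for any caller that does not pass it through `_module.args`. The same `nix = { package = pkgs.nixFlakes; … }` block is repeated verbatim in bkk/, jeet/ and sing/configuration.nix; importing this module instead would keep the flake settings in one place. `pkgs.nixFlakes` is a legacy alias — `pkgs.nixVersions.stable` is the current name, if the pinned nixpkgs still accepts the old one at all.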
diff --git a/hosts/cloud/bkk/configuration.nix b/hosts/cloud/bkk/configuration.nix
new file mode 100644
index 0000000..42f6b2c
--- /dev/null
+++ b/hosts/cloud/bkk/configuration.nix
@@ -0,0 +1,49 @@
+{ modulesPath, lib, pkgs, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./nginx.nix
+ ];
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+ };
+ users.users.root.openssh.authorizedKeys.keys =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ];
+
+ # enable flakes
+ nix = {
+ package = pkgs.nixFlakes;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ settings = {
+ keep-outputs = true;
+ keep-derivations = true;
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ # ports = [5522];
+ };
+ networking = {
+ hostName = "yn-bkk"; # use Digital Ocean metadata server
+ };
+ networking.firewall = {
+ enable = false;
+ # allowedTCPPorts = [ 993 465 40308 80 443 53 51820 5522 ];
+ # allowedUDPPorts = [ 993 465 40308 80 443 53 50000 50001 50002 50003 50004 50005 50006 50007 50008 50009 50010 51820 5522 ];
+ };
+ services.ntfy-sh = {
+ enable = true;
+ settings = {
+ base-url = "https://n.urbit.men";
+ listen-http = ":8090";
+ };
+ };
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
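Review bot: With `networking.firewall.enable = false` every listener is reachable directly, and `services.ntfy-sh.settings.listen-http = ":8090"` binds all interfaces, so ntfy is exposed over plain HTTP on 8090 alongside the TLS vhost nginx provides for it; `listen-http = "127.0.0.1:8090";` matches the `proxyPass` target in nginx.nix and leaves the TLS path as the only one. `services.openssh.passwordAuthentication` is a renamed option (now `services.openssh.settings.PasswordAuthentication`) and evaluation warns about it; the same spelling is used in jeet/configuration.nix and sing/configuration.nix. The `# use Digital Ocean metadata server` comment next to `hostName` is copied from a DO template and does not describe what the line does; drop it or state the actual intent.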
diff --git a/hosts/cloud/bkk/hardware-configuration.nix b/hosts/cloud/bkk/hardware-configuration.nix
new file mode 100644
index 0000000..736857a
--- /dev/null
+++ b/hosts/cloud/bkk/hardware-configuration.nix
@@ -0,0 +1,34 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/22436064-dc92-4aea-8e58-0dc2ce872baa";
+ fsType = "ext4";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/9726a4b6-5c40-4863-9a21-07f0100dea8d"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens6.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens7.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/cloud/bkk/nginx.nix b/hosts/cloud/bkk/nginx.nix
new file mode 100644
index 0000000..f948e0e
--- /dev/null
+++ b/hosts/cloud/bkk/nginx.nix
@@ -0,0 +1,62 @@
+{ config, pkgs, ... }: {
+
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "security@urbit.cam";
+ services.nginx = {
+ enable = true;
+ virtualHosts."u.urbit.men" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ # proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ extraConfig = ''
+ chunked_transfer_encoding off;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
+ virtualHosts."n.urbit.men" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8090";
+ # proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ extraConfig = ''
+ chunked_transfer_encoding off;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
+ # virtualHosts."t.urbit.men" = {
+ # enableACME = true;
+ # forceSSL = true;
+ # locations."/" = {
+ # proxyPass = "http://127.0.0.1:8081";
+ # # proxyWebsockets = true; # needed if you need to use WebSocket
+ # extraConfig = ''
+ # proxy_set_header Host $host;
+ # proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ # '';
+ # };
+ # extraConfig = ''
+ # chunked_transfer_encoding off;
+ # proxy_http_version 1.1;
+ # proxy_buffering off;
+ # proxy_cache off;
+ # '';
+ # };
+ };
+}
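Review bot: `proxy_set_header Forwarded $proxy_add_x_forwarded_for;` mixes two conventions — `$proxy_add_x_forwarded_for` is a comma-separated address list in X-Forwarded-For format, while the RFC 7239 `Forwarded` header expects `for=…` pairs — so the upstreams on 8080 and 8090 receive a malformed header; use `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` (plus `X-Forwarded-Proto $scheme`), or set `services.nginx.recommendedProxySettings = true;`, which emits these headers for every `proxyPass` location. The two vhosts are identical apart from name and port; a small helper `mkProxy = port: { … }` would remove the duplication and keep the commented-out `t.urbit.men` block from drifting when one copy is edited.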
diff --git a/hosts/cloud/flake.lock b/hosts/cloud/flake.lock
new file mode 100644
index 0000000..7b53099
--- /dev/null
+++ b/hosts/cloud/flake.lock
@@ -0,0 +1,48 @@
+{
+ "nodes": {
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1719401812,
+ "narHash": "sha256-QONBQ/arBsKZNJuSd3sMIkSYFlBoRJpvf1jGlMfcOuI=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "b6a1262796b2990ec3cc60bb2ec23583f35b2f43",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1719379843,
+ "narHash": "sha256-u+D+IOAMMl70+CJ9NKB+RMrASjInuIWMHzjLWQjPZ6c=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "b3f3c1b13fb08f3828442ee86630362e81136bbc",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "disko": "disko",
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/hosts/cloud/flake.nix b/hosts/cloud/flake.nix
new file mode 100644
index 0000000..84ad8d0
--- /dev/null
+++ b/hosts/cloud/flake.nix
@@ -0,0 +1,67 @@
+{
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+ inputs.disko.url = "github:nix-community/disko";
+ inputs.disko.inputs.nixpkgs.follows = "nixpkgs";
+
+ outputs = { nixpkgs, disko, ... }:
+ {
+ nixosConfigurations.sortug = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ disko.nixosModules.disko
+ ./sortug/configuration.nix
+ ./packages.nix
+ ./users.nix
+ ];
+ };
+ nixosConfigurations.osortug = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ disko.nixosModules.disko
+ ./oldsortug/configuration.nix
+ ./packages.nix
+ ./users.nix
+ ];
+ };
+ nixosConfigurations.jeet = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ disko.nixosModules.disko
+ ./jeet/configuration.nix
+ # ./packages.nix
+ ./users.nix
+ ];
+ };
+ nixosConfigurations.bkk = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ disko.nixosModules.disko
+ ./bkk/configuration.nix
+ ./packages.nix
+ ./users.nix
+ ];
+ };
+ nixosConfigurations.sing = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ disko.nixosModules.disko
+ ./sing/configuration.nix
+ ./packages.nix
+ ./users.nix
+ ./sing/omail.nix
+ ./sing/nginx.nix
+ ./sing/jellyfin.nix
+ ];
+ };
+ nixosConfigurations.spanmail= nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./spanm/configuration.nix
+ ./spanm/users.nix
+ ./spanm/mail.nix
+ ./spanm/packages.nix
+ ./spanm/nginx.nix
+ ];
+ };
+ };
+}
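Review bot: `nixosConfigurations.spanmail= nixpkgs.lib.nixosSystem` is missing the space before `=` that every other entry has, and `spanmail` is the only system built without `disko.nixosModules.disko` and without the shared `./packages.nix`/`./users.nix`; if that is intentional a one-line comment would save the next reader from wiring them in. The `sing` entry imports `./sing/omail.nix` while the diffstat also adds `hosts/cloud/sing/mail.nix`, `mail.key` and `mail2.key`; if the `.key` files hold private key material they should not be in the repository at all (this commit already publishes them in history), and `mail.nix` versus `omail.nix` suggests one of them is dead.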
diff --git a/hosts/cloud/install-script.sh b/hosts/cloud/install-script.sh
new file mode 100644
index 0000000..1f9a54e
--- /dev/null
+++ b/hosts/cloud/install-script.sh
@@ -0,0 +1,170 @@
+# The disk that will be used
+# NOTE: If installing on an nvme drive (ie: /dev/nvme0n1), you'll need to replace all occurrences of ${DISK}# with ${DISK}p# where # is the partition number.
+# Don't forget to also replace all occurences of $(echo $DISK | cut -f1 -d\ )# with $(echo $DISK | cut -f1 -d\ )p#
+export DISK='/dev/vda'
+
+export LUKS_KEY_DISK=cryptkey
+export KEYFILE_LOCATION=/cryptkey
+export KEY_DISK=/dev/mapper/cryptkey
+
+# we use parted here since it does a good job with adding BIOS protective MBR to GPT disk
+# since we are booting in BIOS mode, we get a max of 4 primary partitions
+# BIOS MBR partition (1MB)
+# /boot partition (1GB)
+# LUKS key partition (20MB)
+# LUKS swap partition (2GB)
+# ZFS root partition (Remaining space)
+# NOTE: Make the ZFS root partition your last partition, so that if you resize the disk it will be easy to get ZFS to use the extra space
+parted --script $DISK mklabel gpt
+parted --script --align optimal $DISK -- mklabel gpt mkpart 'BIOS-boot' 1MB 2MB set 1 bios_grub on mkpart 'boot' 2MB 1026MB mkpart 'luks-key' 1026MB 1046MB mkpart 'luks-swap' 1046MB 3094MB mkpart 'zfs-pool' 3094MB '100%'
+
+# tr -d '\n' < /dev/urandom | dd of=/dev/disk/by-partlabel/key
+# Create an encrypted disk to hold our key, the key to this drive
+# is what you'll type in to unlock the rest of your drives... so,
+# remember it:
+export DISK1_KEY=$(echo $DISK | cut -f1 -d\ )3
+cryptsetup luksFormat $DISK1_KEY
+cryptsetup luksOpen $DISK1_KEY cryptkey
+
+# Write the key right to the decrypted LUKS partition, as raw bytes
+echo "" > newline
+dd if=/dev/zero bs=1 count=1 seek=1 of=newline
+dd if=/dev/urandom bs=32 count=1 | od -A none -t x | tr -d '[:space:]' | cat - newline > hdd.key
+dd if=/dev/zero of=$KEY_DISK
+dd if=hdd.key of=$KEY_DISK
+dd if=$KEY_DISK bs=64 count=1
+
+# Format swap as encrypted LUKS and mount the partition
+export DISK1_SWAP=$(echo $DISK | cut -f1 -d\ )4
+cryptsetup luksFormat --key-file=$KEY_DISK --keyfile-size=64 $DISK1_SWAP
+cryptsetup open --key-file=$KEY_DISK --keyfile-size=64 $DISK1_SWAP cryptswap
+mkswap /dev/mapper/cryptswap
+swapon /dev/mapper/cryptswap
+
+# Create root pool
+zpool create -f \
+ -o ashift=12 \
+ -o autotrim=on \
+ -R /mnt \
+ -O acltype=posixacl \
+ -O compression=zstd \
+ -O dnodesize=auto \
+ -O normalization=formD \
+ -O xattr=sa \
+ -O atime=off \
+ -O canmount=off \
+ -O mountpoint=none \
+ -O encryption=aes-256-gcm \
+ -O keylocation=file://$KEY_DISK \
+ -O keyformat=hex \
+ rpool \
+ ${DISK}5
+
+# Create root system containers
+zfs create \
+ -o canmount=off \
+ -o mountpoint=none \
+ rpool/local
+zfs create \
+ -o canmount=off \
+ -o mountpoint=none \
+ rpool/safe
+
+# Create and mount dataset for `/`
+zfs create -p -o mountpoint=legacy rpool/local/root
+# Create a blank snapshot
+zfs snapshot rpool/local/root@blank
+# Mount root ZFS dataset
+mount -t zfs rpool/local/root /mnt
+
+# Create and mount dataset for `/nix`
+zfs create -p -o mountpoint=legacy rpool/local/nix
+mkdir -p /mnt/nix
+mount -t zfs rpool/local/nix /mnt/nix
+
+# Create and mount dataset for `/home`
+zfs create -p -o mountpoint=legacy rpool/safe/home
+mkdir -p /mnt/home
+mount -t zfs rpool/safe/home /mnt/home
+
+# Create and mount dataset for `/persist`
+zfs create -p -o mountpoint=legacy rpool/safe/persist
+mkdir -p /mnt/persist
+mount -t zfs rpool/safe/persist /mnt/persist
+
+# Create and mount dataset for `/services`
+zfs create -p -o mountpoint=legacy rpool/safe/services
+mkdir -p /mnt/services
+mount -t zfs rpool/safe/services /mnt/services
+
+# create and mount boot partition
+mkdir -p /mnt/boot
+mkfs.vfat -F32 $(echo $DISK | cut -f1 -d\ )2
+mount -t vfat $(echo $DISK | cut -f1 -d\ )2 /mnt/boot
+
+# Generate initial system configuration
+nixos-generate-config --root /mnt
+
+export CRYPTKEY="$(blkid -o export "$DISK1_KEY" | grep "^UUID=")"
+export CRYPTKEY="${CRYPTKEY#UUID=*}"
+
+export CRYPTSWAP="$(blkid -o export "$DISK1_SWAP" | grep "^UUID=")"
+export CRYPTSWAP="${CRYPTSWAP#UUID=*}"
+
+export RPOOL_PARTUUID="$(blkid -o export $(echo $DISK | cut -f1 -d\ )5 | grep "^PARTUUID=")"
+export RPOOL_PARTUUID="${RPOOL_PARTUUID#PARTUUID=*}"
+
+# Import ZFS/boot-specific configuration
+sed -i "s|./hardware-configuration.nix|./hardware-configuration.nix ./boot.nix|g" /mnt/etc/nixos/configuration.nix
+
+# Set root password
+export rootPwd=$(mkpasswd -m SHA-512 -s "VerySecurePassword")
+# Write boot.nix configuration
+tee -a /mnt/etc/nixos/boot.nix <<EOF
+{ config, pkgs, lib, ... }:
+
+{ boot.supportedFilesystems = [ "zfs" ];
+ # Kernel modules needed for mounting LUKS devices in initrd stage
+ boot.initrd.availableKernelModules = [ "aesni_intel" "cryptd" ];
+
+ boot.initrd.luks.devices = {
+ cryptkey = {
+ device = "/dev/disk/by-uuid/$CRYPTKEY";
+ };
+
+ cryptswap = {
+ device = "/dev/disk/by-uuid/$CRYPTSWAP";
+ keyFile = "$KEY_DISK";
+ keyFileSize = 64;
+ };
+ };
+
+ boot.zfs.devNodes = "/dev/disk/by-partuuid/$RPOOL_PARTUUID";
+ boot.zfs.forceImportAll = true;
+
+ # ZFS ARC Size 64MB
+ boot.kernelParams = [ "zfs.zfs_arc_max=268435456" ];
+
+ networking.hostId = "$(head -c 8 /etc/machine-id)";
+ boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+
+ boot.loader.grub = {
+ enable = true;
+ copyKernels = true;
+ zfsSupport = true;
+ device = "/dev/vda2";
+ };
+
+ users.users.root.initialHashedPassword = "$rootPwd";
+}
+EOF
+
+# Install system and apply configuration
+nixos-install -v --show-trace --no-root-passwd --root /mnt
+
+# Unmount filesystems
+umount -Rl /mnt
+zpool export -a
+
+# Reboot
+reboot
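Review bot: `export rootPwd=$(mkpasswd -m SHA-512 -s "VerySecurePassword")` bakes a placeholder root password into the generated boot.nix as `users.users.root.initialHashedPassword`, where it lands in the world-readable Nix store of every host installed with this script; prompt for it instead (`read -rs -p 'root password: ' pw; export rootPwd=$(printf '%s' "$pw" | mkpasswd -m SHA-512 -s)`) or leave the option out and set the password after first boot. The plaintext LUKS key also outlives the install: `hdd.key` and `newline` remain in the working directory after `dd if=hdd.key of=$KEY_DISK`, and `dd if=$KEY_DISK bs=64 count=1` echoes the key to the terminal and any session transcript — `shred -u hdd.key newline` after the copy and dropping the readback would close both. There is no `set -euo pipefail`, so a failed `cryptsetup luksFormat` or `zpool create` is followed by `dd` and `mount` against whatever device is there. Two smaller points in the heredoc: `# ZFS ARC Size 64MB` disagrees with `zfs.zfs_arc_max=268435456` (256 MiB), and `boot.loader.grub.device = "/dev/vda2"` targets the vfat /boot partition rather than the disk `/dev/vda` that the bios_grub partition exists for — presumably the latter is intended.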
diff --git a/hosts/cloud/jeet/configuration.nix b/hosts/cloud/jeet/configuration.nix
new file mode 100644
index 0000000..1d470e2
--- /dev/null
+++ b/hosts/cloud/jeet/configuration.nix
@@ -0,0 +1,75 @@
+{ modulesPath, pkgs, ... }:
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ./disk-config.nix
+ ./hardware-configuration.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ # enable flakes
+ nix = {
+ package = pkgs.nixFlakes;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ settings = {
+ keep-outputs = true;
+ keep-derivations = true;
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ # ports = [5522];
+ };
+ services.do-agent.enable = true;
+ networking = {
+ firewall.enable = false;
+ hostName = "yn-ind"; # use Digital Ocean metadata server
+ networkmanager.enable = true;
+ useDHCP = false;
+ interfaces.eth0.ipv4.addresses = [
+ {address = "93.127.194.223"; prefixLength = 32;}
+ ];
+ interfaces.eth0.ipv6.addresses = [
+ {address = "2a02:4780:12:413b::1"; prefixLength = 64;}
+ ];
+ defaultGateway = {
+ address = "169.254.0.1";
+ interface = "eth0";
+ };
+ defaultGateway6 = {
+ address = "fe80:1";
+ interface = "eth0";
+ };
+ interfaces.ens18.ipv4.addresses = [
+ {address = "93.127.194.223"; prefixLength = 32;}
+ ];
+ interfaces.ens18.ipv6.addresses = [
+ {address = "2a02:4780:12:413b::1"; prefixLength = 64;}
+ ];
+ # defaultGateway = {
+ # address = "169.254.0.1";
+ # interface = "ens18";
+ # };
+ # defaultGateway6 = {
+ # address = "fe80:1";
+ # interface = "ens18";
+ # };
+ nameservers = [
+ "217.21.86.10"
+ "8.8.4.4"
+ "1.1.1.1"
+ ];
+ };
+
+ users.users.root.openssh.authorizedKeys.keys =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ];
+ # networking.firewall = {
+ # enable = true;
+ # allowedTCPPorts = [ 993 465 40308 80 443 53 51820 5522 ];
+ # allowedUDPPorts = [ 993 465 40308 80 443 53 50000 50001 50002 50003 50004 50005 50006 50007 50008 50009 50010 51820 5522 ];
+ # };
+}
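Review bot: `defaultGateway6.address = "fe80:1"` is not a valid IPv6 address (single colon); the link-local gateway is presumably `fe80::1`, with `interface = "eth0"` being what makes it reachable. The same address and prefix are assigned to both `eth0` and `ens18`, and only one of those names can exist on the machine; the duplicate block should go once the real interface name is confirmed (the commented `ens18` gateways suggest `eth0` won). `networkmanager.enable = true` next to `useDHCP = false` and static addressing is unusual for a server and may fight the static config; plain scripted networking or `systemd-networkd` is the expected choice. `firewall.enable = false` leaves every service bound to 0.0.0.0 reachable from the internet on this public /32; the commented-out `allowedTCPPorts` list is the better starting point.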
diff --git a/hosts/cloud/jeet/disk-config.nix b/hosts/cloud/jeet/disk-config.nix
new file mode 100644
index 0000000..d1a1d90
--- /dev/null
+++ b/hosts/cloud/jeet/disk-config.nix
@@ -0,0 +1,52 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+# Disk /dev/sda: 200 GiB, 214748364800 bytes, 419430400 sectors
+# Disk model: QEMU HARDDISK
+# Units: sectors of 1 * 512 = 512 bytes
+# Sector size (logical/physical): 512 bytes / 512 bytes
+# I/O size (minimum/optimal): 512 bytes / 512 bytes
+# Disklabel type: gpt
+# Disk identifier: CED6435C-56EF-4699-BEE9-19280C444BCA
+#
+# Device Start End Sectors Size Type
+# /dev/sda1 2048 4095 2048 1M BIOS boot
+# /dev/sda2 4096 4194303 4190208 2G Linux filesystem
+# /dev/sda3 4194304 419428351 415234048 198G Linux filesystem
+#
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%"; # Allocates the remainder of the disk, minus the sizes of the other partitions
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+}
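Review bot: The fdisk dump in the header comment describes a three-partition layout (1M BIOS boot, 2G, 198G) that does not match the config below, which creates `boot` (1M, EF02), `esp` (500M, EF00, vfat on /boot) and `root` (ext4 on /); regenerate the table from a disk this config actually produced or drop it, since a stale table misleads more than none. The first line `# Example to create a bios compatible gpt partition` is also incomplete — the ESP is what makes the layout UEFI-capable — so something like `# GPT with a BIOS boot partition and an ESP so either firmware can boot it` would be accurate.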
diff --git a/hosts/cloud/jeet/hardware-configuration.nix b/hosts/cloud/jeet/hardware-configuration.nix
new file mode 100644
index 0000000..bb83c96
--- /dev/null
+++ b/hosts/cloud/jeet/hardware-configuration.nix
@@ -0,0 +1,24 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/cloud/oldsortug/configuration.nix b/hosts/cloud/oldsortug/configuration.nix
new file mode 100644
index 0000000..1c1866e
--- /dev/null
+++ b/hosts/cloud/oldsortug/configuration.nix
@@ -0,0 +1,46 @@
+{ modulesPath, lib, ... }:
+{
+ imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [
+ ./hardware-configuration.nix
+ ./gitea.nix
+ ./nginx.nix
+ ./coturn.nix
+ ];
+ boot = {
+ growPartition = true;
+ kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
+ initrd.kernelModules = [ "virtio_scsi" ];
+ kernelModules = [ "virtio_pci" "virtio_net" ];
+ loader = {
+ grub.device = "/dev/sda";
+ timeout = 0;
+ grub.configurationLimit = 0;
+ };
+ };
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ ports = [5522];
+ };
+ services.do-agent.enable = true;
+ networking = {
+ hostName = "sortug"; # use Digital Ocean metadata server
+ };
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 40308 80 443 53 51820 5522 ];
+ allowedUDPPorts = [ 40308 80 443 53 51820 5522
+ 50000
+ 50001
+ 50002
+ 50003
+ 50004
+ 50005
+ 50006
+ 50007
+ 50008
+ 50009
+ 50010
+ ];
+ };
+}
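Review bot: `allowedUDPPorts` repeats the TCP list — 80, 443, 5522 (sshd) and 40308 are TCP services, and UDP 53 opens a resolver port on a box where nothing in this commit runs a DNS server — so those entries only widen the firewall; keep UDP to what actually listens on it (51820, presumably WireGuard, and the 50000–50010 run, which reads better as `allowedUDPPortRanges = [ { from = 50000; to = 50010; } ]`, the form coturn.nix already uses). The `# use Digital Ocean metadata server` comment beside `hostName` is template residue. The optional `./do-userdata.nix` import is fine, but a comment saying where that file comes from would explain why it is absent from the repo.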
diff --git a/hosts/cloud/oldsortug/coturn.nix b/hosts/cloud/oldsortug/coturn.nix
new file mode 100644
index 0000000..aaf097c
--- /dev/null
+++ b/hosts/cloud/oldsortug/coturn.nix
@@ -0,0 +1,60 @@
+{ ... }:
+
+{
+ services.coturn = {
+ enable = true;
+ lt-cred-mech = true;
+ # use-auth-secret = true;
+ # static-auth-secret = "GHhc4i7Hwto0KxoDgNioYgWgkc1iLbEE8t45G6voTzD07vKvFsK6R4b8kShVZEhC";
+ realm = "turn.sortug.com";
+ # relay-ips = [
+ # "<public-server-ip>"
+ # ];
+ # no-tcp-relay = true;
+ extraConfig = "
+ cipher-list=\"HIGH\"
+ no-loopback-peers
+ no-multicast-peers
+ ";
+ # secure-stun = true;
+ cert = "/var/lib/acme/turn.sortug.com/fullchain.pem";
+ pkey = "/var/lib/acme/turn.sortug.com/key.pem";
+ min-port = 49152;
+ max-port = 49999;
+ };
+
+ # Open ports in the firewall.
+ networking.firewall = {
+ enable = true;
+ allowPing = false;
+ allowedTCPPorts = [
+ 5349 # STUN tls
+ 5350 # STUN tls alt
+ 80 # http
+ 443 # https
+ ];
+ allowedUDPPortRanges = [
+ { from=49152; to=49999; } # TURN relay
+ ];
+ };
+
+ # setup certs
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "turn.sortug.com" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ };
+ users.groups.turnserver.members = ["nginx" "coturn"];
+
+ # share certs with coturn and restart on renewal
+ security.acme.certs = {
+ "turn.sortug.com" = {
+ postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
+ };
+ };
+}
+
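Review bot: The commented-out `static-auth-secret = "GHhc4i7…"` is a credential committed to the repository; even disabled it is now in history and should be treated as burned — rotate it if it was ever deployed and remove the line. `cert`/`pkey` point at `/var/lib/acme/turn.sortug.com/`, but the ACME module keeps that directory readable only by the certificate's group (`acme` by default); adding `nginx` and `coturn` to a `turnserver` group does not grant access, so coturn will presumably fail to open the key unless the cert's group is set elsewhere — `security.acme.certs."turn.sortug.com".group = "turnserver";` next to the existing `postRun` is the usual fix. `lt-cred-mech = true` is enabled with no users or secret configured, so no client can authenticate against the relay; if that is intentional (setup in progress) a comment would save confusion.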
diff --git a/hosts/cloud/oldsortug/gitea.nix b/hosts/cloud/oldsortug/gitea.nix
new file mode 100644
index 0000000..a25773a
--- /dev/null
+++ b/hosts/cloud/oldsortug/gitea.nix
@@ -0,0 +1,27 @@
+{ config, ...}:
+{
+ services.gitea = {
+ enable = true;
+ user = "git";
+ appName = "Sortug Git";
+ settings.server = {
+ domain = "git.sortug.com";
+ ROOT_URL = "https://git.sortug.com/";
+ SSH_PORT = 5522;
+ };
+ lfs.enable = true;
+ };
+
+ users.users = {
+ git = {
+ description = "Gitea Service";
+ home = "/var/lib/gitea";
+ useDefaultShell = true;
+ group = "gitea";
+ isSystemUser = true;
+ };
+ };
+
+
+
+}
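Review bot: `settings.server.domain` is a lowercase key while Gitea and the NixOS module's own defaults use `DOMAIN`; the module will likely emit both `DOMAIN = localhost` and `domain = git.sortug.com` into app.ini and the lowercase one may be ignored, so use `DOMAIN = "git.sortug.com";` to match the uppercase `ROOT_URL`/`SSH_PORT` beside it. `user = "git"` with `group = "gitea"` relies on `services.gitea.group` staying at its default so the module still creates that group; a comment would make the coupling explicit. The three trailing blank lines before `}` can go.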
diff --git a/hosts/cloud/oldsortug/hardware-configuration.nix b/hosts/cloud/oldsortug/hardware-configuration.nix
new file mode 100644
index 0000000..f46db2a
--- /dev/null
+++ b/hosts/cloud/oldsortug/hardware-configuration.nix
@@ -0,0 +1,31 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/32e438fa-ead6-47d5-8ebe-75f6b1d0c1a6";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/cloud/oldsortug/nginx.nix b/hosts/cloud/oldsortug/nginx.nix
new file mode 100644
index 0000000..ba64539
--- /dev/null
+++ b/hosts/cloud/oldsortug/nginx.nix
@@ -0,0 +1,21 @@
+{ ... }: {
+
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "security@sortug.com";
+ users.users.y.homeMode = "750";
+ services.nginx = {
+ enable = true;
+ virtualHosts."old.sortug.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9000";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $Host;
+ '';
+ # actually important
+ };
+ };
+ };
+}
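Review bot: `proxy_set_header Host $Host;` references `$Host`, which is not an nginx variable (the builtin is lowercase `$host`), so the config test will reject it as an unknown variable and nginx will not start; the line should be `proxy_set_header Host $host;`. `users.users.y.homeMode = "750";` is an unrelated user setting that does not belong in a reverse-proxy module; move it to users.nix. The `# actually important` comment says nothing about what is important or why — either explain (presumably that the proxied service checks the Host header) or drop it.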
diff --git a/hosts/cloud/oldsortug/packages.nix b/hosts/cloud/oldsortug/packages.nix
new file mode 100644
index 0000000..6985acb
--- /dev/null
+++ b/hosts/cloud/oldsortug/packages.nix
@@ -0,0 +1,53 @@
+{ config, pkgs, ... }:
+
+{
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ neovim
+ fish
+ # unix utilities
+ tmux
+ bat # cat replacement written in Rust
+ colordiff
+ direnv # Per-directory environment variables
+ lsd
+ fd # find replacement written in Rust
+ fzf # Fuzzy finder
+ git
+ glibcLocales
+ gnumake
+ htop # Resource monitoring
+ jq # JSON parsing for the CLI
+ lsof
+ ripgrep # grep replacement written in Rust
+ sd # Fancy sed replacement
+ silver-searcher
+ skim # High-powered fuzzy finder written in Rust
+ strace # debug stack trace
+ tealdeer # tldr for various shell tools
+ testdisk
+ tokei # Handy tool to see lines of code by language
+ watchexec # Fileystem watcher/executor useful for speedy development
+ xsv # CSV file parsing utility
+ just # Intriguing new make replacement
+ mdcat # Markdown converter/reader for the CLI
+ tree
+ unzip
+ zip
+
+ # networking
+ curl
+ caddy # simple web server made with go
+ innernet
+
+ # s3
+ minio
+ # databases
+ # postgresql
+ # sqlite
+ ];
+}
+
diff --git a/hosts/cloud/oldsortug/users.nix b/hosts/cloud/oldsortug/users.nix
new file mode 100644
index 0000000..b3515c1
--- /dev/null
+++ b/hosts/cloud/oldsortug/users.nix
@@ -0,0 +1,56 @@
+{ config, pkgs, ... }:
+
+
+let shellAliases = {
+ l = "lsd -lAh";
+ la = "lsd -lAh";
+ ports = "sudo lsof -i -P -n | grep LISTEN";
+ gco = "git checkout";
+ gcob = "git checkout -b";
+};
+
+in {
+ programs.fish = {
+ inherit shellAliases;
+ enable = true;
+# plugins = [{
+# name="foreign-env";
+# src = pkgs.fetchFromGitHub {
+# owner = "oh-my-fish";
+# repo = "plugin-foreign-env";
+# rev = "dddd9213272a0ab848d474d0cbde12ad034e65bc";
+# sha256 = "00xqlyl3lffc5l0viin1nyp819wf81fncqyz87jx8ljjdhilmgbs";
+# };
+# }];
+};
+
+ users = {
+ extraUsers = {
+ y = {
+ group = "users";
+ isNormalUser = true;
+ extraGroups = [
+ "systemd-journal"
+ "wheel"
+ ];
+ createHome = true;
+ home = "/home/y";
+ isSystemUser = false;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ];
+ };
+# urbit = {
+# group = "users";
+# isNormalUser = true;
+# createHome = true;
+# isSystemUser = false;
+# openssh.authorizedKeys.keys =
+# [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/VzXbaX1CLqQfPCkRdMHzAKsbS//2B0qlw3ROnR74tgl7jrBP2qeYhydcNECqC5WWO+KLZrbOWdVLATLW6z6oLlMx6E6WCfRVx/F7coMd/FBYqHwJ2Z1PbG0YSjWH07GyVYU2Nc9HfW459aXpGQ2LlTjYP14i7DqvSesCIkfbPfHzwAkyDxj4oIMXS3LMQlh4u69YKoXS/LPU+1Qv+bT5alRc2Uw+/9/q1IfDDxIiKqt3EVNEM6p5QssXtlFhk0+7zXRApWbpYLbjAVHDHbFoPAXeKLQvpgnz1K84fOGNlXj9nISYfDba8NVWQbetKnVxmQNDUKk3jOcBFmjgHvYv pkova@Pyrys-MacBook-Pro.local" ];
+# };
+ };
+ };
+}
+
+
+
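Review bot: `y` is placed in `wheel` but has no `hashedPassword`/`initialPassword`, and nothing here sets `security.sudo.wheelNeedsPassword = false`, so `sudo` (which the `ports` alias depends on) will prompt for a password that cannot be satisfied; set one or make the policy explicit. The commented `urbit` user block carries a third party's full SSH public key into the repo; if that account is not coming back, remove the block rather than keep it as commented history. Indentation is inconsistent: the `programs.fish` closing `};` at column 0 and the unindented `# plugins` lines make the block read as top-level — reindent to the two-space style used elsewhere in the file.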
diff --git a/hosts/cloud/packages.nix b/hosts/cloud/packages.nix
new file mode 100644
index 0000000..fe7065b
--- /dev/null
+++ b/hosts/cloud/packages.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+
+{
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ helix
+ fish
+ # unix utilities
+ tmux
+ bat # cat replacement written in Rust
+ colordiff
+ direnv # Per-directory environment variables
+ lsd
+ fd # find replacement written in Rust
+ fzf # Fuzzy finder
+ git
+ glibcLocales
+ gnumake
+ htop # Resource monitoring
+ jq # JSON parsing for the CLI
+ lsof
+ ripgrep # grep replacement written in Rust
+ sd # Fancy sed replacement
+ silver-searcher
+ skim # High-powered fuzzy finder written in Rust
+ strace # debug stack trace
+ tealdeer # tldr for various shell tools
+ testdisk
+ tokei # Handy tool to see lines of code by language
+ watchexec # Fileystem watcher/executor useful for speedy development
+ xsv # CSV file parsing utility
+ just # Intriguing new make replacement
+ mdcat # Markdown converter/reader for the CLI
+ tree
+ unzip
+ zip
+
+ # networking
+ curl
+ caddy # simple web server made with go
+ innernet
+
+ # s3
+ minio
+ # streaming
+ ffmpeg_5
+ # databases
+ # postgresql
+ # sqlite
+ ];
+}
+
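Review bot: This package list is duplicated almost verbatim in `hosts/cloud/sing/packages.nix` (L1729–L1780) and in `hosts/cloud/oldsortug/packages.nix`, differing only in the editor (`helix` vs `neovim`) and `ffmpeg_5`; three copies will drift, and a security fix applied to one list is easy to miss in the others. Consider keeping this file as the shared base and having the per-host files import it and append only their extras. The `strace # debug stack trace` comment is also misleading, since strace traces system calls; `# syscall tracer` would describe it.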
diff --git a/hosts/cloud/sing/configuration.nix b/hosts/cloud/sing/configuration.nix
new file mode 100644
index 0000000..8428b10
--- /dev/null
+++ b/hosts/cloud/sing/configuration.nix
@@ -0,0 +1,38 @@
+{ modulesPath, pkgs, ... }:
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./disk-config.nix
+ ];
+ boot.loader.grub = {
+ efiSupport = true;
+ };
+
+ # enable flakes
+ nix = {
+ package = pkgs.nixFlakes;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ settings = {
+ keep-outputs = true;
+ keep-derivations = true;
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ ports = [5522];
+ };
+ services.do-agent.enable = true;
+ networking = {
+ hostName = "yagonet-sing"; # use Digital Ocean metadata server
+ };
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 993 465 40308 80 443 53 51820 5522 ];
+ allowedUDPPorts = [ 993 465 40308 80 443 53 50000 50001 50002 50003 50004 50005 50006 50007 50008 50009 50010 51820 5522 ];
+ };
+}
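Review bot: `services.openssh.passwordAuthentication` (L1257) is the pre-23.05 spelling; the current option is `services.openssh.settings.PasswordAuthentication = false;`, and the deprecated alias may stop being honored on a later nixpkgs. In the firewall block, `allowedUDPPorts` (L1267) repeats 993, 465, 80, 443 and 5522, which are TCP-only services here, so those UDP openings add exposure without serving anything; trimming the UDP list to 53, 51820 and the 50000–50010 range it actually needs is the safer shape. Port 53 is open on both protocols but no resolver is configured in this file, so if one is enabled elsewhere it is worth confirming it is not an open recursive resolver.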
diff --git a/hosts/cloud/sing/disk-config.nix b/hosts/cloud/sing/disk-config.nix
new file mode 100644
index 0000000..d1a1d90
--- /dev/null
+++ b/hosts/cloud/sing/disk-config.nix
@@ -0,0 +1,52 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+# Disk /dev/sda: 200 GiB, 214748364800 bytes, 419430400 sectors
+# Disk model: QEMU HARDDISK
+# Units: sectors of 1 * 512 = 512 bytes
+# Sector size (logical/physical): 512 bytes / 512 bytes
+# I/O size (minimum/optimal): 512 bytes / 512 bytes
+# Disklabel type: gpt
+# Disk identifier: CED6435C-56EF-4699-BEE9-19280C444BCA
+#
+# Device Start End Sectors Size Type
+# /dev/sda1 2048 4095 2048 1M BIOS boot
+# /dev/sda2 4096 4194303 4190208 2G Linux filesystem
+# /dev/sda3 4194304 419428351 415234048 198G Linux filesystem
+#
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%"; # Allocates the remainder of the disk, minus the sizes of the other partitions
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+}
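Review bot: The fdisk dump in the header comment (L1279–L1291) describes a 1M BIOS boot / 2G / 198G layout, but the disko declaration below creates a 1M EF02, a 500M ESP and a remainder root, so the comment documents a different disk than the module produces. Either drop the stale dump or replace it with a one-line note such as `# Layout: 1M BIOS boot (EF02), 500M ESP (EF00, /boot), remainder ext4 root` so the next reader is not misled about the ESP. The `# Example to create a bios compatible gpt partition` title line could likewise be updated to say this is the live layout for the `sing` host.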
diff --git a/hosts/cloud/sing/hardware-configuration.nix b/hosts/cloud/sing/hardware-configuration.nix
new file mode 100644
index 0000000..04d76e5
--- /dev/null
+++ b/hosts/cloud/sing/hardware-configuration.nix
@@ -0,0 +1,20 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/cloud/sing/init.nix b/hosts/cloud/sing/init.nix
new file mode 100644
index 0000000..361fac8
--- /dev/null
+++ b/hosts/cloud/sing/init.nix
@@ -0,0 +1,42 @@
+{ modulesPath, config, lib, pkgs, ... }: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./disk-config.nix
+ ];
+
+ # boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.loader.grub = {
+ # no need to set devices, disko will add all devices that have a EF02 partition to the list already
+ # devices = [ ];
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+ services.openssh = {
+ enable = true;
+ };
+
+ users.users.root.initialHashedPassword = "$y$j9T$pCnKvY2ASrwPgAlZhqK9A/$Ro7mKqBTHjKhn5GN82fEUBNnUrdP.SxN9bBIl7QxY./";
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q"
+ ];
+ users.users.y = {
+ group = "users";
+ isNormalUser = true;
+ extraGroups = [
+ "systemd-journal"
+ "wheel"
+ "networkmanager"
+ "input"
+ "uinput"
+ "docker"
+ ];
+ createHome = true;
+ home = "/home/y";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes"
+ ];
+ };
+
+ system.stateVersion = "23.11";
+}
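Review bot: A password hash for root is committed inline on the `initialHashedPassword` line (L1378), which makes it available for offline cracking to anyone with read access to this repository; move it out of the tree with `users.users.root.hashedPasswordFile = "<PATH-OUTSIDE-REPO>";` and rotate the password. The `y` user's `extraGroups` (L1385–L1392) include `docker`, which is root-equivalent on the host, plus `input` and `uinput`, which have no use on a headless cloud VM; limiting it to `"systemd-journal" "wheel"` matches the other host modules. `services.openssh` is enabled here without `settings.PasswordAuthentication = false`, unlike `sing/configuration.nix`, so this installer profile accepts password logins while the committed hash exists.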
diff --git a/hosts/cloud/sing/jellyfin.nix b/hosts/cloud/sing/jellyfin.nix
new file mode 100644
index 0000000..c9c8b9e
--- /dev/null
+++ b/hosts/cloud/sing/jellyfin.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }: {
+
+ services.jellyfin = {
+ enable = true;
+ openFirewall = true;
+ };
+}
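Review bot: `openFirewall = true` (L1412) opens Jellyfin's own ports to the internet, while `sing/nginx.nix` already fronts it through TLS by proxying `j.urbit.cam` to `127.0.0.1:8096` (L1577, which is Jellyfin's default HTTP port); with the firewall hole the plain-HTTP backend stays reachable directly, bypassing the proxy. Set `openFirewall = false;` so the only path in is the nginx vhost. If the extra ports are needed for discovery on a LAN, that does not apply to a cloud host and should be documented.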
diff --git a/hosts/cloud/sing/mail.key b/hosts/cloud/sing/mail.key
new file mode 100644
index 0000000..ece0485
--- /dev/null
+++ b/hosts/cloud/sing/mail.key
@@ -0,0 +1 @@
+$2b$05$iw93ciS7B.5DfqxQ4XcAVuXF5d9qksmlg0I7FmMMa8vb1JIxN1f1e
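Review bot: This file commits a bcrypt password hash to the repository, and `hosts/cloud/sing/mail2.key` (L1502) does the same; a hash in a git history is crackable offline, and the cost factor `05` here is low, which makes that cheaper. `mail.nix` and `omail.nix` read the hashes from `/home/y/mail.key` at runtime, so the in-repo copies are not even what is deployed and only add exposure; remove both `.key` files from the tree (and history), rotate the passwords, and keep the hash files solely on the host or in a secrets manager.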
diff --git a/hosts/cloud/sing/mail.nix b/hosts/cloud/sing/mail.nix
new file mode 100644
index 0000000..09a070d
--- /dev/null
+++ b/hosts/cloud/sing/mail.nix
@@ -0,0 +1,68 @@
+{
+ mailserver = {
+ enable = true;
+ fqdn = "mail.sortug.com";
+ domains = [ "sortug.com" ];
+
+ # A list of all login accounts. To create the password hashes, use
+ # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+ loginAccounts = {
+ "zh@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "jp@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "th@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "bd@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "info@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "admin@sortug.com" = { # legal and banking
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "internal@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "billing@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "polwex@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail2.key";
+ };
+ "kinode@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "hosting@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "support@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ };
+
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = "acme-nginx";
+ };
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "security@sortug.com";
+ # services.roundcube = {
+ # enable = true;
+ # # this is the url of the vhost, not necessarily the same as the fqdn of
+ # # the mailserver
+ # hostName = "mail.sortug.com";
+ # extraConfig = ''
+ # # starttls needed for authentication, so the fqdn required to match
+ # # the certificate
+ # $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+ # $config['smtp_user'] = "%u";
+ # $config['smtp_pass'] = "%p";
+ # '';
+ # };
+ services.nginx.enable = true;
+}
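Review bot: Eleven of the twelve `loginAccounts` point at the same `hashedPasswordFile = "/home/y/mail.key"` (L1437–L1472), so one password unlocks every mailbox including `admin@` and `billing@`; give each account its own hash file so a leaked credential is scoped to one mailbox. The files live under a regular user's home, where the `y` account can read and rewrite them; a root-owned directory outside `/home` is the safer location. `security.acme.defaults.email` is set to `security@sortug.com` here (L1480) but to `security@urbit.cam` in `sing/nginx.nix` (L1512), which will fail evaluation as a conflicting definition if both modules are imported; the `lib.mkForce` in `omail.nix` (L1707) looks like a workaround for exactly that, and the commented Roundcube block references `config` although this module's header `{` declares no arguments.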
diff --git a/hosts/cloud/sing/mail2.key b/hosts/cloud/sing/mail2.key
new file mode 100644
index 0000000..ba2fd93
--- /dev/null
+++ b/hosts/cloud/sing/mail2.key
@@ -0,0 +1 @@
+$2b$05$RDNpiqLeEGZjCb0z13R0tenPIr/r1ps1LPmIbGRkdSSmvFwgCVm6i
diff --git a/hosts/cloud/sing/nginx.nix b/hosts/cloud/sing/nginx.nix
new file mode 100644
index 0000000..501c4ee
--- /dev/null
+++ b/hosts/cloud/sing/nginx.nix
@@ -0,0 +1,129 @@
+{ config, pkgs, ... }: {
+
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "security@urbit.cam";
+ services.nginx = {
+ enable = true;
+ virtualHosts."s.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8081";
+ # proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ extraConfig = ''
+ chunked_transfer_encoding off;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
+ virtualHosts."h.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ };
+ };
+ virtualHosts."f.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8082";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ };
+ };
+ virtualHosts."b.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8083";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+ virtualHosts."k.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8084";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+ virtualHosts."j.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8096";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+ virtualHosts."hls.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ root = "/var/www/hls";
+ extraConfig = ''
+ add_header Cache-control no-cache;
+ add_header Access-Control-Allow-Origin *;
+ types {
+ application/vnd.apple.mpegurl m3u8;
+ video/mp2t ts;
+ }
+ '';
+ };
+ };
+ virtualHosts."leo.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8090";
+ # proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ extraConfig = ''
+ chunked_transfer_encoding off;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
+ virtualHosts."sayu.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8091";
+ # proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ extraConfig = ''
+ chunked_transfer_encoding off;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
+ };
+}
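Review bot: `proxy_set_header Forwarded $proxy_add_x_forwarded_for;` (L1523, repeated at L1557, L1569, L1581, L1608, L1626 and in `sortug/nginx.nix` at L2423, L2441, L2459) mixes two headers: `Forwarded` is the RFC 7239 header with `for=` syntax, while `$proxy_add_x_forwarded_for` produces an `X-Forwarded-For` value, so backends reading `X-Forwarded-For` see nothing and backends parsing `Forwarded` get a malformed value, which matters for rate limiting and audit logs behind the proxy. Replace the hand-rolled lines with `services.nginx.recommendedProxySettings = true;`, which sets `Host`, `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto` consistently for every `proxyPass`. In the `hls.urbit.cam` location, the `types { ... }` block (L1593–L1596) replaces the inherited MIME table for that location, so anything other than `.m3u8`/`.ts` served from `/var/www/hls` falls back to `default_type`; worth confirming that is intended.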
diff --git a/hosts/cloud/sing/omail.nix b/hosts/cloud/sing/omail.nix
new file mode 100644
index 0000000..ccbc847
--- /dev/null
+++ b/hosts/cloud/sing/omail.nix
@@ -0,0 +1,79 @@
+{ config, lib, ... }: {
+ imports = [
+ (builtins.fetchTarball {
+ # Pick a release version you are interested in and set its hash, e.g.
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-23.11/nixos-mailserver-nixos-23.11.tar.gz";
+ # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
+ # release="nixos-23.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
+ sha256 = "122vm4n3gkvlkqmlskiq749bhwfd0r71v6vcmg1bbyg4998brvx8";
+ })
+ ];
+
+ services.dovecot2.sieve.extensions = [ "fileinto" ];
+ mailserver = {
+ enable = true;
+ fqdn = "mail.sortug.com";
+ domains = [ "sortug.com" ];
+
+ # A list of all login accounts. To create the password hashes, use
+ # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+ loginAccounts = {
+ "zh@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "jp@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "th@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "bd@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "info@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "admin@sortug.com" = { # legal and banking
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "internal@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "billing@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "polwex@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "kinode@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "hosting@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "support@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ };
+
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = "acme-nginx";
+ };
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = lib.mkForce "security@sortug.com";
+ services.roundcube = {
+ enable = true;
+ # this is the url of the vhost, not necessarily the same as the fqdn of
+ # the mailserver
+ hostName = "mail.sortug.com";
+ extraConfig = ''
+ # starttls needed for authentication, so the fqdn required to match
+ # the certificate
+ $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ '';
+ };
+ services.nginx.enable = true;
+}
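Review bot: This module duplicates `mail.nix` (L1428–L1495) and has already drifted from it: `polwex@sortug.com` uses `mail.key` here (L1689) but `mail2.key` there (L1462), and Roundcube is active here but commented out there, so whichever file is imported decides which password works. Keep one mailserver module and delete the other. `lib.mkForce` on `security.acme.defaults.email` (L1707) silently overrides any other module's value rather than surfacing the conflict with `sing/nginx.nix` (L1512); agreeing on one address in one place is cleaner. The prefetch comment at L1650 says `release="nixos-23.05"` while the pinned URL at L1648 is `nixos-23.11`; updating the comment avoids someone re-pinning the wrong release.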
diff --git a/hosts/cloud/sing/packages.nix b/hosts/cloud/sing/packages.nix
new file mode 100644
index 0000000..6985acb
--- /dev/null
+++ b/hosts/cloud/sing/packages.nix
@@ -0,0 +1,53 @@
+{ config, pkgs, ... }:
+
+{
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ neovim
+ fish
+ # unix utilities
+ tmux
+ bat # cat replacement written in Rust
+ colordiff
+ direnv # Per-directory environment variables
+ lsd
+ fd # find replacement written in Rust
+ fzf # Fuzzy finder
+ git
+ glibcLocales
+ gnumake
+ htop # Resource monitoring
+ jq # JSON parsing for the CLI
+ lsof
+ ripgrep # grep replacement written in Rust
+ sd # Fancy sed replacement
+ silver-searcher
+ skim # High-powered fuzzy finder written in Rust
+ strace # debug stack trace
+ tealdeer # tldr for various shell tools
+ testdisk
+ tokei # Handy tool to see lines of code by language
+ watchexec # Fileystem watcher/executor useful for speedy development
+ xsv # CSV file parsing utility
+ just # Intriguing new make replacement
+ mdcat # Markdown converter/reader for the CLI
+ tree
+ unzip
+ zip
+
+ # networking
+ curl
+ caddy # simple web server made with go
+ innernet
+
+ # s3
+ minio
+ # databases
+ # postgresql
+ # sqlite
+ ];
+}
+
diff --git a/hosts/cloud/sing/users.nix b/hosts/cloud/sing/users.nix
new file mode 100644
index 0000000..4d455ee
--- /dev/null
+++ b/hosts/cloud/sing/users.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+
+
+let shellAliases = {
+ l = "lsd -lAh";
+ la = "lsd -lAh";
+ ports = "sudo lsof -i -P -n | grep LISTEN";
+ gco = "git checkout";
+ gcob = "git checkout -b";
+};
+
+in {
+ programs.fish = {
+ inherit shellAliases;
+ enable = true;
+ };
+
+ users = {
+ users = {
+ y = {
+ hashedPassword = "$y$j9T$KLRxiAIFO2yLoalaeSmjg/$ZzEQbGvVmRJ6gESNxNuRchNcx0V01QpCxnJVv5pdk/B";
+ group = "users";
+ isNormalUser = true;
+ extraGroups = [
+ "systemd-journal"
+ "wheel"
+ ];
+ createHome = true;
+ home = "/home/y";
+ isSystemUser = false;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ];
+ };
+ };
+ };
+}
+
+
+
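Review bot: The `hashedPassword` for the wheel user `y` is committed inline (L1808), so the sudo password of this host is exposed to offline cracking for anyone who can read the repository; replace it with `hashedPasswordFile = "<PATH-OUTSIDE-REPO>";` and rotate the password. `sing/configuration.nix` disables SSH password authentication, so the hash only gates sudo and console login, but that is still the boundary between a compromised key and root. `sing/init.nix` (L1378) has the same issue for root.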
diff --git a/hosts/cloud/sortug/configuration.nix b/hosts/cloud/sortug/configuration.nix
new file mode 100644
index 0000000..da267f6
--- /dev/null
+++ b/hosts/cloud/sortug/configuration.nix
@@ -0,0 +1,90 @@
+{ modulesPath, lib, ... }:
+{
+ imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [
+ ./hardware-configuration.nix
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ./gitea.nix
+ ./nginx.nix
+ ./minio.nix
+ # ./coturn.nix
+ ./disk-config.nix
+ # ./mail.nix
+ ];
+
+
+ boot = {
+ loader.grub.enable = true;
+ # loader.grub.device = "/dev/sda";
+ };
+
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ ports = [5522];
+ };
+
+ users.users.root.openssh.authorizedKeys.keys =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ];
+
+ services.do-agent.enable = true;
+ networking = {
+ firewall.enable = false;
+ networkmanager.enable = true;
+ hostName = "sortug"; # use Digital Ocean metadata server
+ useDHCP = false;
+ interfaces.enp3s0.ipv4.addresses = [
+ {address = "209.182.234.186"; prefixLength = 24;}
+ ];
+ interfaces.enp3s0.ipv6.addresses = [
+ {address = "2602:ff16:14:0:1:f7:0:1"; prefixLength = 64;}
+ ];
+ defaultGateway = {
+ address = "209.182.234.1";
+ interface = "enp3s0";
+ };
+ defaultGateway6 = {
+ address = "2602:ff16:14::1";
+ interface = "enp3s0";
+ };
+ nameservers = [
+ "8.8.8.8"
+ "8.8.4.4"
+ "2001:4860:4860::8888"
+ "2001:4860:4860::8844"
+ ];
+ };
+
+ # curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | NIX_CHANNEL=nixos-23.11 bash -x
+
+ services.resolved = {
+ enable = true;
+ domains =
+ [ "2001:4860:4860::8888" "2001:4860:4860::8844" ];
+ };
+
+ # networking.firewall = {
+ # enable = true;
+ # allowedTCPPorts = [ 40308 80 443 53 51820 5522 ];
+ # allowedUDPPorts = [ 40308 80 443 53 51820 5522
+ # 50000
+ # 50001
+ # 50002
+ # 50003
+ # 50004
+ # 50005
+ # 50006
+ # 50007
+ # 50008
+ # 50009
+ # 50010
+ # ];
+ # };
+ services.ntfy-sh = {
+ enable = true;
+ settings = {
+ base-url = "https://ntfy.sortug.com";
+ listen-http = ":8099";
+ };
+ };
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
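Review bot: `networking.firewall.enable = false` (L1864) leaves every listening socket reachable, and at least one service binds to all interfaces: `services.ntfy-sh.settings.listen-http = ":8099"` (L1919) while `sortug/nginx.nix` proxies it at `127.0.0.1:8099` (L2437), so the plain-HTTP ntfy endpoint is reachable directly, bypassing TLS. Bind it locally with `listen-http = "127.0.0.1:8099";` and re-enable the firewall with `allowedTCPPorts = [ 80 443 5522 ];`, which is what the commented block at L1898–L1914 already sketches. `services.resolved.domains` (L1894–L1895) is a list of search domains, not DNS servers, so the IPv6 literals there are meaningless and the servers are already given in `networking.nameservers`; drop those two lines. `services.openssh.passwordAuthentication` (L1855) is the deprecated spelling of `settings.PasswordAuthentication`.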
diff --git a/hosts/cloud/sortug/coturn.nix b/hosts/cloud/sortug/coturn.nix
new file mode 100644
index 0000000..aaf097c
--- /dev/null
+++ b/hosts/cloud/sortug/coturn.nix
@@ -0,0 +1,60 @@
+{ ... }:
+
+{
+ services.coturn = {
+ enable = true;
+ lt-cred-mech = true;
+ # use-auth-secret = true;
+ # static-auth-secret = "GHhc4i7Hwto0KxoDgNioYgWgkc1iLbEE8t45G6voTzD07vKvFsK6R4b8kShVZEhC";
+ realm = "turn.sortug.com";
+ # relay-ips = [
+ # "<public-server-ip>"
+ # ];
+ # no-tcp-relay = true;
+ extraConfig = "
+ cipher-list=\"HIGH\"
+ no-loopback-peers
+ no-multicast-peers
+ ";
+ # secure-stun = true;
+ cert = "/var/lib/acme/turn.sortug.com/fullchain.pem";
+ pkey = "/var/lib/acme/turn.sortug.com/key.pem";
+ min-port = 49152;
+ max-port = 49999;
+ };
+
+ # Open ports in the firewall.
+ networking.firewall = {
+ enable = true;
+ allowPing = false;
+ allowedTCPPorts = [
+ 5349 # STUN tls
+ 5350 # STUN tls alt
+ 80 # http
+ 443 # https
+ ];
+ allowedUDPPortRanges = [
+ { from=49152; to=49999; } # TURN relay
+ ];
+ };
+
+ # setup certs
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "turn.sortug.com" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ };
+ users.groups.turnserver.members = ["nginx" "coturn"];
+
+ # share certs with coturn and restart on renewal
+ security.acme.certs = {
+ "turn.sortug.com" = {
+ postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
+ };
+ };
+}
+
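Review bot: A `static-auth-secret` value is committed at L1937 even though the line is commented out; commenting does not un-leak it, so it should be treated as compromised, rotated if it was ever used, and removed from the file and history. The `users.groups.turnserver.members = ["nginx" "coturn"]` line (L1980) looks inverted: as far as I recall the NixOS coturn module runs as the `turnserver` user, so `"coturn"` may name a user that does not exist, and the ACME certificate for the nginx vhost is owned by nginx's group, so coturn cannot read `key.pem` unless `security.acme.certs."turn.sortug.com".group = "turnserver";` is set and nginx is added to that group. `allowedTCPPorts` only opens 5349/5350, so the non-TLS 3478 listener coturn starts by default stays firewalled but still running; a `# 3478 intentionally not opened` comment would make that explicit.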
diff --git a/hosts/cloud/sortug/default.nix b/hosts/cloud/sortug/default.nix
new file mode 100644
index 0000000..0307c7b
--- /dev/null
+++ b/hosts/cloud/sortug/default.nix
@@ -0,0 +1,3 @@
+inputs: [
+ ./configuration.nix
+]
diff --git a/hosts/cloud/sortug/disk-config.nix b/hosts/cloud/sortug/disk-config.nix
new file mode 100644
index 0000000..75ae234
--- /dev/null
+++ b/hosts/cloud/sortug/disk-config.nix
@@ -0,0 +1,56 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/cloud/sortug/fetch/configuration.nix b/hosts/cloud/sortug/fetch/configuration.nix
new file mode 100644
index 0000000..11b56bc
--- /dev/null
+++ b/hosts/cloud/sortug/fetch/configuration.nix
@@ -0,0 +1,126 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ # boot.loader.grub.efiSupport = true;
+ # boot.loader.grub.efiInstallAsRemovable = true;
+ # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+ # Define on which hard drive you want to install Grub.
+ # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+ # networking.hostName = "nixos"; # Define your hostname.
+ # Pick only one of the below networking options.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+
+ # Set your time zone.
+ # time.timeZone = "Europe/Amsterdam";
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Select internationalisation properties.
+ # i18n.defaultLocale = "en_US.UTF-8";
+ # console = {
+ # font = "Lat2-Terminus16";
+ # keyMap = "us";
+ # useXkbConfig = true; # use xkb.options in tty.
+ # };
+
+ # Enable the X11 windowing system.
+ # services.xserver.enable = true;
+
+
+
+
+ # Configure keymap in X11
+ # services.xserver.xkb.layout = "us";
+ # services.xserver.xkb.options = "eurosign:e,caps:escape";
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+
+ # Enable sound.
+ # hardware.pulseaudio.enable = true;
+ # OR
+ # services.pipewire = {
+ # enable = true;
+ # pulse.enable = true;
+ # };
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ # services.xserver.libinput.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ # users.users.alice = {
+ # isNormalUser = true;
+ # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ # packages = with pkgs; [
+ # firefox
+ # tree
+ # ];
+ # };
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ # environment.systemPackages = with pkgs; [
+ # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ # wget
+ # ];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ # services.openssh.enable = true;
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ # system.copySystemConfiguration = true;
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "24.05"; # Did you read the comment?
+
+}
+
diff --git a/hosts/cloud/sortug/fetch/hardware-configuration.nix b/hosts/cloud/sortug/fetch/hardware-configuration.nix
new file mode 100644
index 0000000..119faaf
--- /dev/null
+++ b/hosts/cloud/sortug/fetch/hardware-configuration.nix
@@ -0,0 +1,24 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/cloud/sortug/gitea.nix b/hosts/cloud/sortug/gitea.nix
new file mode 100644
index 0000000..a25773a
--- /dev/null
+++ b/hosts/cloud/sortug/gitea.nix
@@ -0,0 +1,27 @@
+{ config, ...}:
+{
+ services.gitea = {
+ enable = true;
+ user = "git";
+ appName = "Sortug Git";
+ settings.server = {
+ domain = "git.sortug.com";
+ ROOT_URL = "https://git.sortug.com/";
+ SSH_PORT = 5522;
+ };
+ lfs.enable = true;
+ };
+
+ users.users = {
+ git = {
+ description = "Gitea Service";
+ home = "/var/lib/gitea";
+ useDefaultShell = true;
+ group = "gitea";
+ isSystemUser = true;
+ };
+ };
+
+
+
+}
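Review bot: Nothing in this module disables self-registration, so `git.sortug.com` accepts new public accounts with Gitea's default; add `settings.service.DISABLE_REGISTRATION = true;` unless open sign-up is wanted. `sortug/nginx.nix` proxies to `127.0.0.1:3000` (L2403) and the host's firewall is disabled (L1864), so Gitea's default listen address would also be reachable directly over plain HTTP; `settings.server.HTTP_ADDR = "127.0.0.1";` keeps it behind the proxy. The `domain` key (L2236) is lower-case while `ROOT_URL` and `SSH_PORT` are upper-case; Gitea's app.ini key is `DOMAIN`, so it is worth confirming the lower-case spelling is honored.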
diff --git a/hosts/cloud/sortug/hardware-configuration.nix b/hosts/cloud/sortug/hardware-configuration.nix
new file mode 100644
index 0000000..f219647
--- /dev/null
+++ b/hosts/cloud/sortug/hardware-configuration.nix
@@ -0,0 +1,17 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/cloud/sortug/hardware2.nix b/hosts/cloud/sortug/hardware2.nix
new file mode 100644
index 0000000..beece7b
--- /dev/null
+++ b/hosts/cloud/sortug/hardware2.nix
@@ -0,0 +1,29 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+ swapDevices = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/bb9bdf23-2368-4452-988d-8b82e64b7fc4";
+ fsType = "ext4";
+ };
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/cloud/sortug/legacy.nix b/hosts/cloud/sortug/legacy.nix
new file mode 100644
index 0000000..98348ee
--- /dev/null
+++ b/hosts/cloud/sortug/legacy.nix
@@ -0,0 +1,40 @@
+{
+ disko.devices = {
+ disk = {
+ vdb = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ name = "ESP";
+ start = "1M";
+ end = "500M";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ }
+ {
+ name = "root";
+ start = "500M";
+ end = "100%";
+ part-type = "primary";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ }
+ ];
+ };
+ };
+ };
+ };
+}
+
diff --git a/hosts/cloud/sortug/minio.nix b/hosts/cloud/sortug/minio.nix
new file mode 100644
index 0000000..13a5ff5
--- /dev/null
+++ b/hosts/cloud/sortug/minio.nix
@@ -0,0 +1,9 @@
+{...}: {
+
+ services.minio = {
+ enable = true;
+ listenAddress = "127.0.0.1:9000";
+ consoleAddress = "127.0.0.1:9001";
+ rootCredentialsFile = /etc/nixos/minio-creds;
+ };
+}
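Review bot: `rootCredentialsFile = /etc/nixos/minio-creds;` (L2372) is an unquoted Nix path literal, and when the module interpolates it into the service's environment-file setting Nix copies the file into the world-readable `/nix/store`, turning the MinIO root credentials into a local disclosure for every user on the host; under a flake it would instead fail evaluation for pointing outside the source tree. Quote it so it stays a runtime path: `rootCredentialsFile = "/etc/nixos/minio-creds";`. Binding `listenAddress` and `consoleAddress` to `127.0.0.1` is the right call, especially with the host firewall off.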
diff --git a/hosts/cloud/sortug/nginx.nix b/hosts/cloud/sortug/nginx.nix
new file mode 100644
index 0000000..a3e5a85
--- /dev/null
+++ b/hosts/cloud/sortug/nginx.nix
@@ -0,0 +1,124 @@
+{ ... }: {
+
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "security@sortug.com";
+ services.nginx = {
+ enable = true;
+ virtualHosts."sortug.com" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/var/www/sortug";
+ # root = "/home/y/www";
+ };
+ virtualHosts."cal.sortug.com" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/var/www/sorcal";
+ # root = "/home/y/www";
+ };
+ virtualHosts."git.sortug.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ };
+ };
+ virtualHosts."u.sortug.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8082";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ };
+ };
+ virtualHosts."p.sortug.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8083";
+ # proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ extraConfig = ''
+ proxy_http_version 1.1;
+ chunked_transfer_encoding off;
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
+ virtualHosts."ntfy.sortug.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8099";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ extraConfig = ''
+ proxy_http_version 1.1;
+ chunked_transfer_encoding off;
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
+ virtualHosts."ustj.sortug.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8085";
+ # proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ extraConfig = ''
+ proxy_http_version 1.1;
+ chunked_transfer_encoding off;
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
+ virtualHosts."s3.sortug.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9000";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $Host;
+ '';
+ # actually important
+ };
+ };
+ virtualHosts."s3c.sortug.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9001";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $Host;
+ '';
+ };
+ };
+ # proxy_http_version 1.1;
+ # proxy_set_header Upgrade $http_upgrade;
+ # proxy_set_header Connection "Upgrade";
+ virtualHosts."urbit.s3.sortug.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9000";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ };
+ };
+ };
+}
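Review bot: `proxy_set_header Forwarded $proxy_add_x_forwarded_for;` in the p., ntfy. and ustj. vhosts puts a bare comma-separated address list in a header whose RFC 7239 form is `for=<addr>;proto=<scheme>`, and because `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client sent, a client can make the backend see a spoofed first address — which matters for backends that rate-limit or log by client IP (ntfy does, if I recall its defaults correctly). Send only the trusted value: `proxy_set_header Forwarded "for=$remote_addr;proto=$scheme";`, or set `services.nginx.recommendedProxySettings = true;` for the conventional X-Forwarded-* set and drop the hand-written header lines. Separately, `s3c.sortug.com` publishes the MinIO admin console to the internet; if only the operator uses it, gating it with `allow <ip>; deny all;` or a VPN is a cheaper safeguard than relying on the console login alone.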
diff --git a/hosts/cloud/sortug/packages.nix b/hosts/cloud/sortug/packages.nix
new file mode 100644
index 0000000..6985acb
--- /dev/null
+++ b/hosts/cloud/sortug/packages.nix
@@ -0,0 +1,53 @@
+{ config, pkgs, ... }:
+
+{
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ neovim
+ fish
+ # unix utilities
+ tmux
+ bat # cat replacement written in Rust
+ colordiff
+ direnv # Per-directory environment variables
+ lsd
+ fd # find replacement written in Rust
+ fzf # Fuzzy finder
+ git
+ glibcLocales
+ gnumake
+ htop # Resource monitoring
+ jq # JSON parsing for the CLI
+ lsof
+ ripgrep # grep replacement written in Rust
+ sd # Fancy sed replacement
+ silver-searcher
+ skim # High-powered fuzzy finder written in Rust
+ strace # debug stack trace
+ tealdeer # tldr for various shell tools
+ testdisk
+ tokei # Handy tool to see lines of code by language
+ watchexec # Fileystem watcher/executor useful for speedy development
+ xsv # CSV file parsing utility
+ just # Intriguing new make replacement
+ mdcat # Markdown converter/reader for the CLI
+ tree
+ unzip
+ zip
+
+ # networking
+ curl
+ caddy # simple web server made with go
+ innernet
+
+ # s3
+ minio
+ # databases
+ # postgresql
+ # sqlite
+ ];
+}
+
diff --git a/hosts/cloud/sortug/users.nix b/hosts/cloud/sortug/users.nix
new file mode 100644
index 0000000..b3515c1
--- /dev/null
+++ b/hosts/cloud/sortug/users.nix
@@ -0,0 +1,56 @@
+{ config, pkgs, ... }:
+
+
+let shellAliases = {
+ l = "lsd -lAh";
+ la = "lsd -lAh";
+ ports = "sudo lsof -i -P -n | grep LISTEN";
+ gco = "git checkout";
+ gcob = "git checkout -b";
+};
+
+in {
+ programs.fish = {
+ inherit shellAliases;
+ enable = true;
+# plugins = [{
+# name="foreign-env";
+# src = pkgs.fetchFromGitHub {
+# owner = "oh-my-fish";
+# repo = "plugin-foreign-env";
+# rev = "dddd9213272a0ab848d474d0cbde12ad034e65bc";
+# sha256 = "00xqlyl3lffc5l0viin1nyp819wf81fncqyz87jx8ljjdhilmgbs";
+# };
+# }];
+};
+
+ users = {
+ extraUsers = {
+ y = {
+ group = "users";
+ isNormalUser = true;
+ extraGroups = [
+ "systemd-journal"
+ "wheel"
+ ];
+ createHome = true;
+ home = "/home/y";
+ isSystemUser = false;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ];
+ };
+# urbit = {
+# group = "users";
+# isNormalUser = true;
+# createHome = true;
+# isSystemUser = false;
+# openssh.authorizedKeys.keys =
+# [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/VzXbaX1CLqQfPCkRdMHzAKsbS//2B0qlw3ROnR74tgl7jrBP2qeYhydcNECqC5WWO+KLZrbOWdVLATLW6z6oLlMx6E6WCfRVx/F7coMd/FBYqHwJ2Z1PbG0YSjWH07GyVYU2Nc9HfW459aXpGQ2LlTjYP14i7DqvSesCIkfbPfHzwAkyDxj4oIMXS3LMQlh4u69YKoXS/LPU+1Qv+bT5alRc2Uw+/9/q1IfDDxIiKqt3EVNEM6p5QssXtlFhk0+7zXRApWbpYLbjAVHDHbFoPAXeKLQvpgnz1K84fOGNlXj9nISYfDba8NVWQbetKnVxmQNDUKk3jOcBFmjgHvYv pkova@Pyrys-MacBook-Pro.local" ];
+# };
+ };
+ };
+}
+
+
+
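Review bot: `users.extraUsers` is the long-deprecated alias of `users.users`; the sibling files in this commit (`hosts/cloud/users.nix`, `hosts/cloud/spanm/users.nix`) already use `users.users`, so `extraUsers = {` should become `users = {` before the alias is dropped. This host's `y` is a wheel member with only an SSH key and no password declared here, so sudo will prompt for a password that may not exist unless one was set imperatively; if key-only, passwordless administration is the intent, make it explicit with `security.sudo.wheelNeedsPassword = false;`, otherwise add a `hashedPasswordFile`. The commented-out `urbit` user block carrying a third party's RSA key is dead config and could simply be removed.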
diff --git a/hosts/cloud/spanm/configuration.nix b/hosts/cloud/spanm/configuration.nix
new file mode 100644
index 0000000..0ec8bf2
--- /dev/null
+++ b/hosts/cloud/spanm/configuration.nix
@@ -0,0 +1,66 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "spanmail"; # Define your hostname.
+ #
+ # Enable networking
+ networking.networkmanager.enable = true;
+
+ networking.interfaces.ens160.ipv4.addresses = [ {
+ address = "185.32.214.66";
+ prefixLength = 22;
+ } ];
+ networking.defaultGateway = "185.32.212.1";
+
+ networking.nameservers = [ "185.32.212.3" ];
+
+ # Set your time zone.
+ time.timeZone = "Europe/Zurich";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKD2DxTdE7vekp+BTifuB9gPoIPdaFSGkgVblA5MbTh"
+];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ networking.firewall.enable = false;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+
+}
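Review bot: `networking.firewall.enable = false;` on a host with a static public address leaves every listener reachable, and `services.openssh.enable = true;` keeps NixOS's default of password authentication on, so this mail server's SSH is open to password guessing from the whole internet. Re-enable the firewall, open only what the web side needs (the mailserver module opens its own ports by default, as far as I recall) and turn off password logins: `networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ 80 443 ]; services.openssh.settings.PasswordAuthentication = false;`. The root authorized key a few lines above is the same key given to the `span` wheel user in users.nix, so direct root SSH adds little and could be dropped. `networking.networkmanager.enable = true` next to a static `networking.interfaces` entry is also unusual for a server; unless NetworkManager is needed for something not visible here, the scripted default or systemd-networkd is simpler to reason about.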
diff --git a/hosts/cloud/spanm/flake.lock b/hosts/cloud/spanm/flake.lock
new file mode 100644
index 0000000..6bc7bd0
--- /dev/null
+++ b/hosts/cloud/spanm/flake.lock
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1704008649,
+ "narHash": "sha256-rGPSWjXTXTurQN9beuHdyJhB8O761w1Zc5BqSSmHvoM=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d44d59d2b5bd694cd9d996fd8c51d03e3e9ba7f7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/hosts/cloud/spanm/flake.nix b/hosts/cloud/spanm/flake.nix
new file mode 100644
index 0000000..b801212
--- /dev/null
+++ b/hosts/cloud/spanm/flake.nix
@@ -0,0 +1,16 @@
+{
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+
+ outputs = { nixpkgs, ... }:
+ {
+ nixosConfigurations.spanmail = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./configuration.nix
+ ./users.nix
+ ./packages.nix
+ ./mail.nix
+ ];
+ };
+ };
+}
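Review bot: The `modules` list omits `./nginx.nix`, although `hosts/cloud/spanm/nginx.nix` is added in this same commit with the spandrell.ch vhosts and their rate limiting, so as written those vhosts never reach the built system (mail.nix only enables a bare nginx for ACME and roundcube). If that is unintended, add `./nginx.nix` to `modules`. Also, `nixpkgs-unstable` here is paired in mail.nix with a mailserver module pinned to `nixos-23.11`; as far as I know simple-nixos-mailserver's release branches are meant to track the matching NixOS release, so either pin nixpkgs to `nixos-23.11` or bump the mailserver tarball to the branch that matches.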
diff --git a/hosts/cloud/spanm/hardware-configuration.nix b/hosts/cloud/spanm/hardware-configuration.nix
new file mode 100644
index 0000000..fad27b2
--- /dev/null
+++ b/hosts/cloud/spanm/hardware-configuration.nix
@@ -0,0 +1,36 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "mptspi" "ahci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/7a5731fc-56f0-4ce5-9dbe-dec8d1ba25db";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/066C-4E19";
+ fsType = "vfat";
+ };
+ swapDevices = [ {
+ device = "/var/lib/swapfile";
+ size = 4*1024;
+ } ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens160.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/cloud/spanm/mail.nix b/hosts/cloud/spanm/mail.nix
new file mode 100644
index 0000000..d020fec
--- /dev/null
+++ b/hosts/cloud/spanm/mail.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, ... }: {
+ imports = [
+ (builtins.fetchTarball {
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-23.11/nixos-mailserver-nixos-23.11.tar.gz";
+ # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
+ # release="nixos-23.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
+
+ sha256 = "122vm4n3gkvlkqmlskiq749bhwfd0r71v6vcmg1bbyg4998brvx8";
+ })
+ ];
+
+ services.dovecot2.sieve.extensions = [ "fileinto" ];
+ mailserver = {
+ enable = true;
+ fqdn = "mail.spandrell.ch";
+ domains = [ "spandrell.ch" ];
+
+ # A list of all login accounts. To create the password hashes, use
+ # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+ loginAccounts = {
+ "s@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "book@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "site@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "lol@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "sub@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "security@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "parallax@spandrell.ch" = {
+ hashedPassword = "$2y$12$RVCKyEwpPmQLznKOgtXiBOR3nRy5aT3rFMtypJiDe6xFPfi/r3TXq";
+ };
+ "finnem@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/finnem.key";
+ };
+ };
+
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = "acme-nginx";
+ };
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "security@spandrell.ch";
+ services.roundcube = {
+ enable = true;
+ # this is the url of the vhost, not necessarily the same as the fqdn of
+ # the mailserver
+ hostName = "mail.spandrell.ch";
+ extraConfig = ''
+ # starttls needed for authentication, so the fqdn required to match
+ # the certificate
+ $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ '';
+ };
+ services.nginx.enable = true;
+}
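Review bot: `hashedPassword = "$2y$12$..."` for `parallax@spandrell.ch` puts the bcrypt hash in the repository and in the resulting `/nix/store` derivation, which every local account can read and crack offline, unlike the `hashedPasswordFile` form the other accounts use; move it to a file as well, `hashedPasswordFile = "/home/span/parallax.key";`, and treat the committed hash as burned. Six of the remaining accounts point at the same `/home/span/mail.key`, i.e. one shared password for six mailboxes — fine if they are all one person's aliases, but then `mailserver.extraVirtualAliases` would give the same result without six separate logins. The key files also live in a user's home directory; a root-owned 0600 location outside `/home` keeps them out of reach of anything running as `span`.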
diff --git a/hosts/cloud/spanm/nginx.nix b/hosts/cloud/spanm/nginx.nix
new file mode 100644
index 0000000..cda5ab4
--- /dev/null
+++ b/hosts/cloud/spanm/nginx.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, ... }: {
+
+ services.nginx = {
+ enable = true;
+ appendHttpConfig = ''
+ limit_req_zone $binary_remote_addr zone=blog:10m rate=10r/s;
+ '';
+ virtualHosts."spandrell.ch" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ limit_req zone=blog burst=20 nodelay;
+ proxy_set_header Host $Host;
+ proxy_set_header Forwarded for=$remote_addr;
+ '';
+ };
+ };
+ virtualHosts."u.spandrell.ch" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8081";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ limit_req zone=blog burst=20 nodelay;
+ proxy_set_header Host $Host;
+ proxy_set_header Forwarded for=$remote_addr;
+ '';
+ };
+ };
+ virtualHosts."s3.spandrell.ch" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9000";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $Host;
+ '';
+ };
+ };
+ };
+}
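Review bot: `proxy_set_header Forwarded for=$remote_addr;` is not valid RFC 7239 for IPv6 clients — the address must be bracketed and quoted (`for="[2001:db8::1]"`) — so a backend that parses the header strictly will misread v6 connections once nginx listens on a v6 address. Most backends expect the de-facto `X-Forwarded-For`/`X-Forwarded-Proto` pair instead, which `services.nginx.recommendedProxySettings = true;` sets correctly and which would also replace the hand-written `$Host` lines. The `s3.spandrell.ch` vhost is the only one without `limit_req`; that may be deliberate for S3 clients, but a comment saying so would help.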
diff --git a/hosts/cloud/spanm/packages.nix b/hosts/cloud/spanm/packages.nix
new file mode 100644
index 0000000..6574071
--- /dev/null
+++ b/hosts/cloud/spanm/packages.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, ... }:
+
+{
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ vim
+ helix
+ fish
+ # unix utilities
+ tmux
+ bat # cat replacement written in Rust
+ colordiff
+ direnv # Per-directory environment variables
+ lsd
+ fd # find replacement written in Rust
+ fzf # Fuzzy finder
+ git
+ htop # Resource monitoring
+ jq # JSON parsing for the CLI
+ lsof
+ ripgrep # grep replacement written in Rust
+ sd # Fancy sed replacement
+ silver-searcher
+ strace # debug stack trace
+ tealdeer # tldr for various shell tools
+ testdisk
+ tokei # Handy tool to see lines of code by language
+ watchexec # Fileystem watcher/executor useful for speedy development
+ xsv # CSV file parsing utility
+ just # Intriguing new make replacement
+ mdcat # Markdown converter/reader for the CLI
+ tree
+ unzip
+ zip
+
+ # networking
+ curl
+ wget
+
+ minio
+ ncdu
+ ];
+}
+
diff --git a/hosts/cloud/spanm/users.nix b/hosts/cloud/spanm/users.nix
new file mode 100644
index 0000000..60e3a5a
--- /dev/null
+++ b/hosts/cloud/spanm/users.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, ... }:
+
+
+let shellAliases = {
+ l = "lsd -lAh";
+ la = "lsd -lAh";
+ ports = "sudo lsof -i -P -n | grep LISTEN";
+ gco = "git checkout";
+ gcob = "git checkout -b";
+};
+
+in {
+ programs.fish = {
+ inherit shellAliases;
+ enable = true;
+ };
+
+ users = {
+ users = {
+ span = {
+ group = "users";
+ isNormalUser = true;
+ extraGroups = [
+ "networkmanager"
+ "systemd-journal"
+ "wheel"
+ ];
+ createHome = true;
+ home = "/home/span";
+ isSystemUser = false;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys =
+ [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKD2DxTdE7vekp+BTifuB9gPoIPdaFSGkgVblA5MbTh"
+ ];
+ };
+ };
+ };
+}
+
+
+
diff --git a/hosts/cloud/users.nix b/hosts/cloud/users.nix
new file mode 100644
index 0000000..7fa3b07
--- /dev/null
+++ b/hosts/cloud/users.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+
+
+let shellAliases = {
+ l = "lsd -lAh";
+ la = "lsd -lAh";
+ ports = "sudo lsof -i -P -n | grep LISTEN";
+ gco = "git checkout";
+ gcob = "git checkout -b";
+};
+
+in {
+ programs.fish = {
+ inherit shellAliases;
+ enable = true;
+ };
+
+ users = {
+ users = {
+ y = {
+ hashedPassword = "$y$j9T$KLRxiAIFO2yLoalaeSmjg/$ZzEQbGvVmRJ6gESNxNuRchNcx0V01QpCxnJVv5pdk/B";
+ group = "users";
+ isNormalUser = true;
+ extraGroups = [
+ "systemd-journal"
+ "wheel"
+ "nginx"
+ ];
+ createHome = true;
+ home = "/home/y";
+ isSystemUser = false;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ];
+ };
+ };
+ };
+}
+
+
+
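Review bot: `hashedPassword = "$y$j9T$..."` embeds the yescrypt hash of `y`'s password in the repository and in the world-readable `/nix/store`, where any local account or anyone with read access to the repo can attack it offline; use `hashedPasswordFile = "/path/owned/by/root";` as the mailserver config in this commit does, and rotate the password. Since the SSH key is what actually logs `y` in, the password mainly gates sudo for a wheel member — exactly what a cracked hash would unlock. The `nginx` group membership also gives `y` read access to anything nginx-owned; if it exists only for deploying to `/var/www`, directory ownership would achieve that without the group.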
diff --git a/hosts/editors.nix b/hosts/editors.nix
new file mode 100644
index 0000000..fec5580
--- /dev/null
+++ b/hosts/editors.nix
@@ -0,0 +1,12 @@
+{
+ pkgs,
+ inputs,
+ ...
+}: {
+ environment.variables.EDITOR = "hx";
+ environment.systemPackages = [
+ pkgs.neovim
+ # inputs.helix.packages.${pkgs.system}.helix
+ pkgs.helix
+ ];
+}
diff --git a/hosts/headless/bcn.nix b/hosts/headless/bcn.nix
new file mode 100644
index 0000000..2cbf960
--- /dev/null
+++ b/hosts/headless/bcn.nix
@@ -0,0 +1,70 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ../base.nix
+ ../linux.nix
+ ./headless.nix
+ ];
+
+
+
+ nix = {
+ autoOptimiseStore = true;
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+ # Free up to 1GiB whenever there is less than 100MiB left.
+ extraOptions = ''
+ min-free = ${toString (100 * 1024 * 1024)}
+ max-free = ${toString (1024 * 1024 * 1024)}
+ '';
+ };
+ boot = {
+ loader = {
+ systemd-boot.consoleMode = "max";
+ grub.enable = false;
+ generic-extlinux-compatible.enable = true; # settings don't get saved without this!!
+ #raspberryPi.enable = true;
+ raspberryPi.version = 4;
+ raspberryPi.firmwareConfig = ''
+ dtparam=audio=on
+ dtoverlay=vc4-kms-3d
+ '';
+ };
+ kernelPackages = pkgs.linuxPackages_rpi4; # Mainline doesn't work yet
+ extraModprobeConfig = ''
+ options snd_bcm2835 enable_headphones=1
+ '';
+ };
+
+
+ networking = {
+ hostName = "yn-bcn"; # Define your hostname.
+ };
+
+
+
+ # Set your time zone.
+ time.timeZone = "Europe/Madrid";
+
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+
+}
+
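Review bot: `nix.autoOptimiseStore = true;` is the pre-22.05 option name; on the `nixos-24.05` nixpkgs this flake declares it is at best a renamed alias, so use `nix.settings.auto-optimise-store = true;`. `boot.loader.raspberryPi.*` has likewise been marked deprecated in recent releases in favour of the nixos-hardware Raspberry Pi module, which flake.nix declares as an input but never adds to this host's `modules` — I cannot see whether `hardware-configuration.nix` or `headless.nix` pulls it in, but nothing visible does. Importing `inputs.nixos-hardware.nixosModules.raspberry-pi-4` there would make the firmware settings explicit and survive the deprecation.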
diff --git a/hosts/headless/configuration.nix b/hosts/headless/configuration.nix
new file mode 100644
index 0000000..1d18dc5
--- /dev/null
+++ b/hosts/headless/configuration.nix
@@ -0,0 +1,76 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ../base.nix
+ ../linux.nix
+ ./headless.nix
+ ];
+
+
+
+ nix = {
+ package = pkgs.nixUnstable;
+ autoOptimiseStore = true;
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+ # Free up to 1GiB whenever there is less than 100MiB left.
+ extraOptions = ''
+ min-free = ${toString (100 * 1024 * 1024)}
+ max-free = ${toString (1024 * 1024 * 1024)}
+ '';
+ };
+ boot = {
+ loader = {
+ systemd-boot.consoleMode = "max";
+ grub.enable = false;
+ generic-extlinux-compatible.enable = true; # settings don't get saved without this!!
+ #raspberryPi.enable = true;
+ raspberryPi.version = 4;
+ raspberryPi.firmwareConfig = ''
+ dtparam=audio=on
+ dtoverlay=vc4-kms-3d
+ '';
+ };
+ kernelPackages = pkgs.linuxPackages_rpi4; # Mainline doesn't work yet
+ extraModprobeConfig = ''
+ options snd_bcm2835 enable_headphones=1
+ '';
+ };
+ hardware.raspberry-pi."4" = {
+ fkms-3d.enable = true;
+ audio.enable = true;
+ dwc2.enable = true;
+ };
+
+
+ networking = {
+ hostName = "yfs"; # Define your hostname.
+ };
+
+
+
+ # Set your time zone.
+ time.timeZone = "Asia/Bangkok";
+
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+
+ system.stateVersion = "22.11"; # Did you read the comment?
+
+}
+
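Review bot: The module signature is `{ ... }:` but the body references `pkgs.nixUnstable` and `pkgs.linuxPackages_rpi4`, so `pkgs` is an undefined variable and evaluating the `yfs` host fails; change the first line to `{ pkgs, ... }:` as bcn.nix in the same directory does. `hardware.raspberry-pi."4".*` options come from nixos-hardware's raspberry-pi-4 module, which flake.nix declares as an input but does not add to this host's `modules`, so those lines should also fail as unknown options unless some import I cannot see supplies them. `nix.autoOptimiseStore` is the old name for `nix.settings.auto-optimise-store`.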
diff --git a/hosts/headless/flake.lock b/hosts/headless/flake.lock
new file mode 100644
index 0000000..595d2ff
--- /dev/null
+++ b/hosts/headless/flake.lock
@@ -0,0 +1,82 @@
+{
+ "nodes": {
+ "nixos-hardware": {
+ "locked": {
+ "lastModified": 1702453208,
+ "narHash": "sha256-0wRi9SposfE2wHqjuKt8WO2izKB/ASDOV91URunIqgo=",
+ "owner": "NixOS",
+ "repo": "nixos-hardware",
+ "rev": "7763c6fd1f299cb9361ff2abf755ed9619ef01d6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "master",
+ "repo": "nixos-hardware",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1703068421,
+ "narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixos-hardware": "nixos-hardware",
+ "nixpkgs": "nixpkgs",
+ "unfree": "unfree",
+ "unstable": "unstable"
+ }
+ },
+ "unfree": {
+ "inputs": {
+ "nixpkgs": [
+ "unstable"
+ ]
+ },
+ "locked": {
+ "lastModified": 1701957584,
+ "narHash": "sha256-xEpFaRdrneHl3Xdyzp3emd4QVxML7AR3GC91wuWi0Ok=",
+ "owner": "numtide",
+ "repo": "nixpkgs-unfree",
+ "rev": "127b9b18583de04c6207c2a0e674abf64fc4a3b1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "nixpkgs-unfree",
+ "type": "github"
+ }
+ },
+ "unstable": {
+ "locked": {
+ "lastModified": 1703255338,
+ "narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "6df37dc6a77654682fe9f071c62b4242b5342e04",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/hosts/headless/flake.nix b/hosts/headless/flake.nix
new file mode 100644
index 0000000..d4f58cd
--- /dev/null
+++ b/hosts/headless/flake.nix
@@ -0,0 +1,41 @@
+# my flake!!
+
+{
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+ unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+ unfree = {
+ url = "github:numtide/nixpkgs-unfree";
+ inputs.nixpkgs.follows = "unstable";
+ };
+ nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+ #inputs.cachix.url = "github:cachix/cachix/master";
+ #inputs.devenv.url = "github:cachix/devenv/latest";
+ };
+
+ outputs = inputs:
+ {
+ nixosConfigurations."yn-bcn" = inputs.nixpkgs.lib.nixosSystem rec {
+ system = "aarch64-linux";
+ specialArgs = {
+ stablepkgs = inputs.nixpkgs.legacyPackages.${system};
+ unstablePkgs = inputs.unstable.legacyPackages.${system};
+ unfreePkgs = inputs.unfree.legacyPackages.${system};
+ };
+ modules = [
+ ./bcn.nix
+ ];
+ };
+ nixosConfigurations."yfs" = inputs.nixpkgs.lib.nixosSystem rec {
+ system = "aarch64-linux";
+ specialArgs = {
+ stablepkgs = inputs.nixpkgs.legacyPackages.${system};
+ unstablePkgs = inputs.unstable.legacyPackages.${system};
+ unfreePkgs = inputs.unfree.legacyPackages.${system};
+ };
+ modules = [
+ ./configuration.nix
+ ];
+ };
+ };
+}
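Review bot: `nixos-hardware` is declared as an input but neither `nixosConfigurations` entry adds `inputs.nixos-hardware.nixosModules.raspberry-pi-4` to `modules`, while `./configuration.nix` sets `hardware.raspberry-pi."4".*` options that only exist with that module, so the `yfs` build should fail on an undefined option. The accompanying flake.lock also pins `nixpkgs` to `nixos-23.11` whereas this file asks for `nixos-24.05`, so the lock is stale and, as I understand flake behaviour, the next build will rewrite it and move both Pis to a different release in the same step. Add the module to both `modules` lists and refresh the lock with `nix flake update nixpkgs` in its own, deliberate commit.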
diff --git a/hosts/headless/hardware-configuration.nix b/hosts/headless/hardware-configuration.nix
new file mode 100644
index 0000000..51f1a8f
--- /dev/null
+++ b/hosts/headless/hardware-configuration.nix
@@ -0,0 +1,20 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-label/NIXOS_SD";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
diff --git a/hosts/headless/headless.nix b/hosts/headless/headless.nix
new file mode 100644
index 0000000..8c4a2f7
--- /dev/null
+++ b/hosts/headless/headless.nix
@@ -0,0 +1,4 @@
+{...}:
+{
+ services.mingetty.autologinUser = "y";
+}
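Review bot: `services.mingetty.autologinUser = "y";` uses the option name that was renamed to `services.getty.autologinUser`; the alias may still resolve with a warning, but the current name should be used. More importantly, auto-logging-in a user on the console means anyone with physical or serial access to the Pi gets an interactive shell without credentials, and if `y` is a wheel member here as on the cloud hosts and sudo is passwordless, that shell is root. That is probably the intended trade-off for a headless box, but a comment such as `# console autologin: physical access is trusted by design` would stop it being flagged again.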
diff --git a/hosts/linux.nix b/hosts/linux.nix
new file mode 100644
index 0000000..1e092bb
--- /dev/null
+++ b/hosts/linux.nix
@@ -0,0 +1,44 @@
+{pkgs, ...}: {
+ imports = [
+ # Include the results of the hardware scan.
+ ./users.nix
+ ./editors.nix
+ ./pkgs.nix
+ ./unfree.nix
+ ./network.nix
+ # ./yubikey.nix
+ ];
+
+ console = {
+ earlySetup = true;
+ packages = [pkgs.terminus_font];
+ font = "Lat2-Terminus16";
+ #font = "${pkgs.terminus_font}/share/consolefonts/ter-i32n.psf.gz";
+ keyMap = "us";
+ # useXkbConfig = true; # use xkbOptions in tty.
+ };
+
+ # docker
+ virtualisation.docker.enable = true;
+
+ # Select internationalisation properties.
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ supportedLocales = [
+ "en_US.UTF-8/UTF-8"
+ "es_ES.UTF-8/UTF-8"
+ "zh_CN.UTF-8/UTF-8"
+ "zh_HK.UTF-8/UTF-8"
+ "ja_JP.UTF-8/UTF-8"
+ "th_TH.UTF-8/UTF-8"
+ ];
+ };
+
+ ## Bluetooth
+ hardware.enableAllFirmware = true;
+ hardware.bluetooth.enable = true;
+ hardware.bluetooth.settings = {General = {Experimental = true;};};
+ hardware.bluetooth.disabledPlugins = ["sap"];
+ hardware.bluetooth.package = pkgs.bluez;
+ services.blueman.enable = true;
+}
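Review bot: `virtualisation.docker.enable = true;` in this shared module turns on the root-running Docker daemon for every host that imports it, and any user later placed in the `docker` group becomes root-equivalent; if only the laptop needs it, move the line to that host's configuration, and if it is wanted everywhere consider `virtualisation.docker.rootless` or podman with `dockerCompat`. `hardware.bluetooth.settings.General.Experimental = true` likewise enables bluez's experimental D-Bus interfaces on every host, including headless Pis that likely have no use for them. Keeping shared modules minimal and opting in per host is the safer default.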
diff --git a/hosts/local/fw11/configuration.nix b/hosts/local/fw11/configuration.nix
new file mode 100644
index 0000000..b3b6b0f
--- /dev/null
+++ b/hosts/local/fw11/configuration.nix
@@ -0,0 +1,53 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{...}: {
+ imports = [
+ # Include the results of the hardware scan.
+ ../../base.nix
+ ../../linux.nix
+ ../wayland.nix
+ ../../syncthing.nix
+ ./keyboard.nix
+ # ../android.nix
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ # boot.supportedFilesystems = ["ntfs"];
+ # boot.kernelPackages = lib.mkForce unfreePkgs.linuxKernel.packages.linux_xanmod_latest;
+ services.fprintd.enable = true;
+
+ networking = {
+ hostName = "fw-nixos"; # Define your hostname.
+ firewall.enable = false;
+ };
+ nix.settings.trusted-users = ["root" "y"];
+
+ # Set your time zone.
+ time.timeZone = "Asia/Bangkok";
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+
+ # List services that you want to enable:
+
+ services.openssh.enable = false;
+
+ # firmware update
+ services.fwupd.enable = true;
+
+ # android
+ # programs.adb.enable = true;
+ # users.users.y.extraGroups = ["adbusers"];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+
+ system.stateVersion = "23.05"; # Did you read the comment?
+}
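Review bot: `firewall.enable = false;` on a laptop that also imports `../../syncthing.nix` and the docker-enabling `linux.nix` means every local listener (syncthing's default 22000/tcp and 21027/udp discovery, any docker-published port) is reachable on whatever network it joins. Keep the firewall and open only what syncthing needs: `networking.firewall.enable = true;` here and `services.syncthing.openDefaultPorts = true;` in the syncthing module. `nix.settings.trusted-users = ["root" "y"]` is also worth a comment: a trusted user can add substituters and arbitrary store paths, so it is effectively root for anything built on this machine — acceptable for a single-user laptop, but it should be a conscious choice.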
diff --git a/hosts/local/fw11/default.nix b/hosts/local/fw11/default.nix
new file mode 100644
index 0000000..b73579e
--- /dev/null
+++ b/hosts/local/fw11/default.nix
@@ -0,0 +1,6 @@
+inputs: [
+ inputs.kmonad.nixosModules.default
+ inputs.nixos-hardware.nixosModules.framework-11th-gen-intel
+ ./hardware-configuration.nix
+ ./configuration.nix
+]
diff --git a/hosts/local/fw11/framework.kbd b/hosts/local/fw11/framework.kbd
new file mode 100644
index 0000000..2594bf6
--- /dev/null
+++ b/hosts/local/fw11/framework.kbd
@@ -0,0 +1,101 @@
+;; one liner comments ';;'
+#| Multiline
+ comments |#
+
+(defcfg ;; For linux & by-id lists pluggable devices
+;; If a key is not bound/left_empty(_) then it will fall back to the previous
+;; layer's binding if not then default.
+fallthrough true
+;; To run system commands. You MIGHT face issues with tiling window managers due to command helpers.
+;; allow-cmd true
+;; use 'ls /dev/input/by-id/' for detachable keyboards and
+;; 'ls /dev/input/by-path/' for builtin keyboards location'
+input (device-file "/dev/input/event0")
+;; Not sure what this does. Please check the docs.
+output (uinput-sink "My KMonad output")
+)
+
+;; This is the real representation of your actual keyboard. We haven't started
+;; customizing layouts yet.
+(defsrc
+ esc f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 del
+ ` 1 2 3 4 5 6 7 8 9 0 - = bspc
+ tab q w e r t y u i o p [ ] \
+ caps a s d f g h j k l ; ' ret
+ lsft z x c v b n m , . / rsft up
+ lctl lmet lalt spc ralt rctl left down right
+)
+;; Aliases
+
+(defalias
+;; Layer toggles
+sym (layer-toggle syms)
+sym2 (layer-toggle syms2)
+cords (sticky-key 1000 (layer-toggle mods))
+;;
+hrt (layer-switch homerowmods)
+back (layer-switch qwerty)
+
+;; Homerow keys
+a (tap-hold-next-release 280 a lctl)
+s (tap-hold-next-release 280 s lalt)
+d (tap-hold-next-release 280 d lmet)
+f (tap-hold-next-release 280 f lsft)
+;;
+j (tap-hold-next-release 280 j rsft)
+k (tap-hold-next-release 280 k lmet)
+l (tap-hold-next-release 280 l lalt)
+semi (tap-hold-next-release 280 ; rctl)
+
+;; button to launch brave browser
+;; veeb (cmd-button "brave")
+;; ssf (sticky-key 500 (layer-toggle rshift))
+;; rsf (layer-toggle rshift)
+)
+
+;; The first custom layer is the one that gets activated when kmonad is started
+(deflayer qwerty ;; The default layer that'd be read when you launch kmonad
+ esc f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 del
+ ` 1 2 3 4 5 6 7 8 9 0 - = bspc
+ tab q w e r t y u i o p [ ] \
+ esc a s d f g h j k l ; ' ret
+ @sym z x c v b n m , . / rsft up
+ lctl lmet @sym spc @cords @hrt left down right
+)
+(deflayer homerowmods
+ esc f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 del
+ ` 1 2 3 4 5 6 7 8 9 0 - = bspc
+ tab q w e r t y u i o p [ ] \
+ esc @a @s @d @f g h @j @k @l @semi ' ret
+ @sym z x c v b n m , . / rsft up
+ lctl lmet @sym spc lalt @back left down right
+)
+(deflayer mods
+ esc f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 del
+ ` 1 2 3 4 5 6 7 8 9 0 - = bspc
+ tab q w e r t y u i o p [ ] h
+ esc lctl lalt lmet lsft g h rsft rmet ralt rctl ' ret
+ @sym z x c v b n m , . / rsft up
+ lctl lmet @sym spc lalt @back left down right
+)
+
+;; A layer dedicated to symbols
+(deflayer syms
+ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+ _ _ _ up _ _ ! @ # $ % _ _ _
+ _ _ left down right @sym2 ' ^ & - = _ ret
+ _ _ _ _ _ _ \( [ { < \ _ _
+ _ _ _ _ _ _ _ _ _
+)
+
+
+;; More symbols
+(deflayer syms2
+ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+ _ _ _ _ _ _ ` ~ * \_ + _ ret
+ _ _ _ _ _ _ \) ] } > | _ _
+ _ _ _ _ _ _ _ _ _
+)
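Review bot: `input (device-file "/dev/input/event0")` binds kmonad to an event node number assigned in enumeration order, so after a kernel update or a plugged-in USB device it may grab a different device — the comment a few lines above already says to use `/dev/input/by-path/` for the built-in keyboard. Use the stable path, e.g. `input (device-file "/dev/input/by-path/platform-i8042-serio-0-event-kbd")`, confirming the exact name with `ls /dev/input/by-path/`. Leaving `allow-cmd` commented out is the right call, since `cmd-button` lets a keymap run arbitrary shell commands; the `;; Not sure what this does` comment on `output` could be replaced with what it does — it creates the virtual uinput keyboard that kmonad emits the remapped events to.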
diff --git a/hosts/local/fw11/hardware-configuration.nix b/hosts/local/fw11/hardware-configuration.nix
new file mode 100644
index 0000000..6b4e8bf
--- /dev/null
+++ b/hosts/local/fw11/hardware-configuration.nix
@@ -0,0 +1,39 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ "i915" "8821cu"];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ config.boot.kernelPackages.rtl8821cu ];
+ # to modeswitch usb dongle sudo usb_modeswitch -KW -v 0bda -p 1a2b
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/349f55f5-8726-47be-826c-33ae8da92346";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/0739-1303";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/5d13663a-3177-4338-b07a-4b0e10581084"; }
+ ];
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = lib.mkDefault false;
+ networking.interfaces.wlp170s0.useDHCP = lib.mkDefault true;
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/local/fw11/keyboard.nix b/hosts/local/fw11/keyboard.nix
new file mode 100644
index 0000000..88f8545
--- /dev/null
+++ b/hosts/local/fw11/keyboard.nix
@@ -0,0 +1,46 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ services.logind.extraConfig = ''
+ # don’t shutdown when power button is short-pressed
+ HandlePowerKey=ignore
+ '';
+
+ # config file keeps getting rewritten but I don't know by who
+ # i18n.inputMethod = {
+ # enabled = "fcitx5";
+ # fcitx5.addons = with pkgs; [
+ # fcitx5-mozc
+ # # mozc-ut is better, wat do
+ # fcitx5-gtk
+ # libsForQt5.fcitx5-qt
+ # fcitx5-lua
+ # fcitx5-configtool
+ # fcitx5-rime
+ # ];
+ # };
+ environment.variables = {
+ GTK_IM_MODULE = "fcitx";
+ QT_IM_MODULE = "fcitx";
+ XMODIFIERS = "@im=fcitx";
+ FCITX_SOCKET = "default";
+ };
+
+ #kmonad
+ services.kmonad = lib.mkIf (pkgs.system == "x86_64-linux") {
+ enable = true;
+
+ keyboards.internal = {
+ device = "/dev/input/by-path/platform-i8042-serio-0-event-kbd";
+ config = builtins.readFile ./framework.kbd;
+
+ # defcfg = {
+ # enable = true;
+ # fallthrough = true;
+ # };
+ };
+ };
+}
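Review bot: The `mkIf` guard on `services.kmonad` compares `pkgs.system`, which nixpkgs has deprecated in favour of `pkgs.stdenv.hostPlatform.system`, and when the string does not match it silently drops the whole keyboard setup with nothing in the build output to say why. Consider `services.kmonad = lib.mkIf (pkgs.stdenv.hostPlatform.system == "x86_64-linux") {` with a line above it such as `# kmonad is only wired up on x86_64; elsewhere the internal keyboard keeps its stock layout`. The fcitx variables in `environment.variables` are set again as `environment.sessionVariables` in i3.nix and wayland.nix, so one of the two copies could go, and the commented-out `i18n.inputMethod` block would read better with a note naming the module that now provides it.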
diff --git a/hosts/local/i3.nix b/hosts/local/i3.nix
new file mode 100644
index 0000000..623fcf9
--- /dev/null
+++ b/hosts/local/i3.nix
@@ -0,0 +1,134 @@
+{pkgs, ...}: {
+ environment.pathsToLink = ["/libexec"];
+ services.xserver = {
+ xkb.layout = "us";
+ xkb.variant = "";
+ enable = true;
+ desktopManager = {
+ xterm.enable = true;
+ };
+ windowManager.i3 = {
+ enable = true;
+ extraPackages = with pkgs; [
+ dmenu
+ i3status
+ i3lock
+ i3blocks
+ ];
+ };
+ };
+ services.displayManager.defaultSession = "none+i3";
+
+ environment.sessionVariables = {
+ GTK_IM_MODULE = "fcitx";
+ QT_IM_MODULE = "fcitx";
+ XMODIFIERS = "@im=fcitx";
+ };
+
+ environment.systemPackages = with pkgs; [
+ rofi
+
+ alacritty
+ signal-desktop
+ tdesktop
+ brave
+ gimp
+ vlc
+ thunderbird
+ kmail
+ firefox
+ chromium
+ pavucontrol
+ # icons
+ polkit_gnome
+ gnome-themes-extra
+ gtk-engine-murrine
+ gtk_engines
+ gsettings-desktop-schemas
+ lxappearance
+ adwaita-qt
+ adwaita-icon-theme
+ xfce.thunar
+ libreoffice
+ qbittorrent
+ zathura
+ #
+ libcamera # pipewire seems to want this
+ easyeffects
+ ];
+
+ # cjk input
+ i18n = {
+ inputMethod = {
+ type = "fcitx5";
+ fcitx5.addons = with pkgs; [fcitx5-rime fcitx5-mozc];
+ };
+ };
+
+ fonts = {
+ enableDefaultPackages = true;
+ fontconfig = {
+ defaultFonts.emoji = ["Noto Color Emoji"];
+ defaultFonts.monospace = ["Hack" "Sarasa Mono SC"];
+ defaultFonts.sansSerif = ["DejaVu Sans"];
+ defaultFonts.serif = ["DejaVu Serif" "Source Han Serif SC"];
+ };
+ packages = with pkgs; [
+ fira-code
+ fira
+ cooper-hewitt
+ ibm-plex
+ jetbrains-mono
+ iosevka
+ spleen
+ fira-code-symbols
+ powerline-fonts
+ nerdfonts
+ arphic-ukai
+ arphic-uming
+ dejavu_fonts
+ font-awesome
+ inconsolata # monospaced
+ noto-fonts
+ noto-fonts-cjk
+ noto-fonts-emoji
+ noto-fonts-extra
+ powerline-fonts
+ source-han-sans-japanese
+ source-han-sans-korean
+ source-han-sans-simplified-chinese
+ source-han-sans-traditional-chinese
+ source-sans-pro
+ ubuntu_font_family
+ wqy_microhei
+ wqy_zenhei
+ ];
+ };
+
+ # screen capture
+ #
+
+ xdg.portal.enable = true;
+ xdg.portal.config.common.default = "*";
+ xdg.portal.wlr.enable = true;
+ services.dbus.enable = true;
+ ## Remove sound.enable or set it to false if you had it set previously, as sound.enable is only meant for ALSA-based configurations
+
+ # rtkit is optional but recommended
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ wireplumber.enable = true;
+ # If you want to use JACK applications, uncomment this
+ jack.enable = true;
+ };
+
+ # pipewire requires these off
+ # sound.enable = true;
+ # hardware.pulseaudio.enable = true;
+ # hardware.bluetooth.enable = true;
+}
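Review bot: `powerline-fonts` appears twice in `fonts.packages` (once in the first group and again right after `noto-fonts-extra`); wayland.nix's font list has the same duplicate. Nix de-duplicates the store path, so it is harmless, but it reads as an oversight and the second entry should go. `xdg.portal.wlr.enable = true` sits in a module that configures an X11 i3 session, and the wlr portal backend presumably has no compositor to attach to there; if it is meant for the sway host it belongs in wayland.nix, and an X11 session would presumably want a different backend listed under `xdg.portal.extraPortals` for `config.common.default = "*"` to pick up.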
diff --git a/hosts/local/master/configuration.nix b/hosts/local/master/configuration.nix
new file mode 100644
index 0000000..19708b8
--- /dev/null
+++ b/hosts/local/master/configuration.nix
@@ -0,0 +1,61 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{pkgs, ...}: {
+ imports = [
+ # Include the results of the hardware scan.
+ ../../base.nix
+ ../../linux.nix
+ ../../unfree.nix
+ ../../android.nix
+ ../i3.nix
+ ../nvidia.nix
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.kernelParams = ["intel_pstate=active"];
+ # boot.supportedFilesystems = ["ntfs"];
+ services.fprintd.enable = true;
+ nix.settings.trusted-users = ["root" "y"];
+
+ networking = {
+ hostName = "master"; # Define your hostname.
+ };
+
+ # Set your time zone.
+ time.timeZone = "Asia/Bangkok";
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+ services.openssh.ports = [5555];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+
+ #debugging segfaults
+ powerManagement.cpufreq.max = 4000000;
+ powerManagement.cpufreq.min = 800000;
+
+ # Define the systemd service
+ # systemd.services.my-custom-script = {
+ # description = "Run my custom script on startup";
+ # wantedBy = ["multi-user.target"];
+ # after = ["network.target"]; # or any other service you need to wait for
+ # serviceConfig = {
+ # ExecStart = "${pkgs.bash}/bin/bash /etc/startup.sh";
+ # Type = "oneshot";
+ # RemainAfterExit = true;
+ # };
+ # };
+
+ # Ensure the script is copied to the system
+ # environment.etc."startup.sh".source = ./startup.sh;
+}
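Review bot: `nix.settings.trusted-users = ["root" "y"]` is a privilege decision that the file does not explain. A trusted user can hand the daemon any nix.conf setting, including extra substituters with their trusted keys and `sandbox = false`, which is effectively arbitrary code as the daemon's root; that is acceptable on a single-user workstation (y is presumably already in `wheel` via users.nix), but deserves a comment such as `# y is trusted so flakes/substituters work without sudo; this is root-equivalent for the nix daemon`. Separately, `services.openssh.ports = [5555]` is set with no authentication hardening visible here; if base.nix does not set `services.openssh.settings.PasswordAuthentication = false`, password logins on that port stay at the NixOS default.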
diff --git a/hosts/local/master/default.nix b/hosts/local/master/default.nix
new file mode 100644
index 0000000..91e5016
--- /dev/null
+++ b/hosts/local/master/default.nix
@@ -0,0 +1,5 @@
+inputs: [
+ inputs.kmonad.nixosModules.default
+ ./hardware-configuration.nix
+ ./configuration.nix
+]
diff --git a/hosts/local/master/hardware-configuration.nix b/hosts/local/master/hardware-configuration.nix
new file mode 100644
index 0000000..fc5597c
--- /dev/null
+++ b/hosts/local/master/hardware-configuration.nix
@@ -0,0 +1,41 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/13b360be-0528-4690-b7ab-80c89033c5b7";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/92AC-1484";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/0b5d123f-3832-4aa2-b486-c64ed476fcf9"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.docker0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/local/nvidia.nix b/hosts/local/nvidia.nix
new file mode 100644
index 0000000..74d5f5d
--- /dev/null
+++ b/hosts/local/nvidia.nix
@@ -0,0 +1,17 @@
+{pkgs, ...}: {
+ boot.kernelModules = ["nvidia" "nvidia_modeset" "nvidia_uvm" "nvidia_drm"];
+ # boot.kernelPackages = lib.mkForce unfreePkgs.linuxKernel.packages.linux_xanmod_latest;
+ boot.kernelParams = ["video=HDMI-A-1:1920x1080"];
+ # hardware.opengl = {
+ # package = (pkgs.mesa.override { galliumDrivers = [ "i915" "swrast" ]; }).drivers;
+ # };
+ services.xserver = {
+ videoDrivers = ["nvidia"];
+ };
+
+ hardware.nvidia = {
+ modesetting.enable = true;
+ powerManagement.enable = true;
+ open = true;
+ };
+}
diff --git a/hosts/local/ohira/configuration.nix b/hosts/local/ohira/configuration.nix
new file mode 100644
index 0000000..c4a42b0
--- /dev/null
+++ b/hosts/local/ohira/configuration.nix
@@ -0,0 +1,287 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [
+ # Include the results of the hardware scan.
+ ../../base.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ # freaking wifi dongle thing
+
+ services.udev.extraRules = ''
+ ACTION=="add", ATTRS{idVendor}=="0bda", ATTRS{idProduct}=="1a2b", RUN+="${pkgs.usb-modeswitch}/bin/usb_modeswitch -KW -v 0bda -p 1a2b", RUN+="${pkgs.coreutils}/bin/sleep 1", RUN+="${pkgs.usb-modeswitch}/bin/usb_modeswitch -KW -v 0bda -p 1a2b"
+ '';
+ networking.hostName = "ohira"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Enable networking
+ networking.networkmanager.enable = true;
+
+ # Set your time zone.
+ time.timeZone = "Asia/Tokyo";
+
+ # Select internationalisation properties.
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ supportedLocales = [
+ "en_US.UTF-8/UTF-8"
+ "zh_CN.UTF-8/UTF-8"
+ "zh_HK.UTF-8/UTF-8"
+ "ja_JP.UTF-8/UTF-8"
+ ];
+ extraLocaleSettings = {
+ LC_ADDRESS = "ja_JP.UTF-8";
+ LC_IDENTIFICATION = "ja_JP.UTF-8";
+ LC_MEASUREMENT = "ja_JP.UTF-8";
+ LC_MONETARY = "ja_JP.UTF-8";
+ LC_NAME = "ja_JP.UTF-8";
+ LC_NUMERIC = "ja_JP.UTF-8";
+ LC_PAPER = "ja_JP.UTF-8";
+ LC_TELEPHONE = "ja_JP.UTF-8";
+ LC_TIME = "ja_JP.UTF-8";
+ };
+ };
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+
+ # Enable the GNOME Desktop Environment.
+ services.xserver.displayManager.gdm.enable = true;
+ services.xserver.desktopManager.gnome.enable = true;
+
+ # Configure keymap in X11
+ services.xserver = {
+ xkb.layout = "us";
+ xkb.variant = "";
+ };
+ # japanese input
+
+ i18n = {
+ inputMethod = {
+ type = "fcitx5";
+ fcitx5.addons = with pkgs; [fcitx5-mozc];
+ };
+ };
+
+ environment.sessionVariables = {
+ GTK_IM_MODULE = "fcitx";
+ QT_IM_MODULE = "fcitx";
+ XMODIFIERS = "@im=fcitx";
+ };
+
+ # Enable CUPS to print documents.
+ services.printing.enable = true;
+
+ # Enable sound with pipewire.
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ # If you want to use JACK applications, uncomment this
+ #jack.enable = true;
+
+ # use the example session manager (no others are packaged yet so this is enabled by default,
+ # no need to redefine it in your config for now)
+ #media-session.enable = true;
+ };
+
+ ## Bluetooth
+ hardware.enableAllFirmware = true;
+ hardware.bluetooth.enable = true;
+ hardware.bluetooth.settings = {General = {Experimental = true;};};
+ hardware.bluetooth.disabledPlugins = ["sap"];
+ hardware.bluetooth.package = pkgs.bluez;
+ services.blueman.enable = true;
+ # Enable touchpad support (enabled default in most desktopManager).
+ # services.xserver.libinput.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.y = {
+ isNormalUser = true;
+ description = "y";
+ extraGroups = ["networkmanager" "wheel"];
+ packages = with pkgs; [
+ firefox
+ # thunderbird
+ ];
+ };
+
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ # programs.steam = {
+ # enable = true;
+ # remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
+ # dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
+ # };
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ helix
+ usbutils
+ coreutils
+ wget
+ htop
+ bat
+ gitAndTools.gitFull
+ lazygit
+ lsd
+ lsof
+ tmux
+ tmate
+ minio
+ minio-client
+ zip
+ unzip
+ jq
+ tree
+ # gui stuff
+ alacritty
+ brave
+ deluge
+ vlc
+ gimp
+ libreoffice
+ # weirding
+ usb-modeswitch
+ #network
+ innernet
+ iptables
+ #games
+ prismlauncher
+ grapejuice
+ dosbox
+ #
+ gnomeExtensions.kimpanel
+ ];
+
+ fonts = {
+ enableDefaultPackages = true;
+ fontconfig = {
+ defaultFonts.emoji = ["Noto Color Emoji"];
+ defaultFonts.monospace = ["Hack" "Sarasa Mono SC"];
+ defaultFonts.sansSerif = ["DejaVu Sans"];
+ defaultFonts.serif = ["DejaVu Serif" "Source Han Serif SC"];
+ };
+ packages = with pkgs; [
+ # fira-code
+ # fira
+ # cooper-hewitt
+ # ibm-plex
+ # jetbrains-mono
+ # iosevka
+ # spleen
+ # fira-code-symbols
+ # powerline-fonts
+ # nerdfonts
+ # arphic-ukai
+ # arphic-uming
+ # dejavu_fonts
+ # font-awesome
+ # inconsolata # monospaced
+ noto-fonts
+ noto-fonts-cjk
+ noto-fonts-emoji
+ noto-fonts-extra
+ # powerline-fonts
+ source-han-sans-japanese
+ # source-han-sans-korean
+ # source-han-sans-simplified-chinese
+ # source-han-sans-traditional-chinese
+ # source-sans-pro
+ # ubuntu_font_family
+ # wqy_microhei
+ # wqy_zenhei
+ ];
+ };
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ services.openssh = {
+ enable = true;
+ # passwordAuthentication = false;
+ ports = [4410];
+ };
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+
+ ## screen time limit
+
+ # systemd.user.services = {
+ # # Shutdown at 10pm to get some sleep
+ # poweroff = {
+ # description = "Poweroff Service";
+ # startAt = [ "*-*-* 21:30:00" ];
+ # serviceConfig = {
+ # Type = "oneshot";
+ # ExecStart = "/run/current-system/sw/bin/poweroff";
+ # };
+ # };
+ # };
+
+ systemd.timers.shutdown = {
+ wantedBy = ["timers.target"];
+ timerConfig.OnCalendar = "21:30";
+ unitConfig.ExecStart = "${pkgs.coreutils}/bin/shutdown now";
+ };
+ systemd.services.timeCheckShutdown = {
+ description = "Prevent booting during specific hours";
+ wantedBy = ["multi-user.target"];
+ after = ["network.target"];
+ script = ''
+ CURRENT_HOUR=$(date +"%H")
+ if [ "$CURRENT_HOUR" -ge 21 ] || [ "$CURRENT_HOUR" -lt 6 ]; then
+ /run/current-system/sw/bin/shutdown now
+ fi
+ '';
+ };
+ systemd.services.afterSuspend = {
+ description = "Check time and shutdown if necessary after suspend";
+ wantedBy = ["sleep.target"];
+ bindsTo = ["sleep.target"];
+ script = ''
+ CURRENT_HOUR=$(date +"%H")
+ if [ "$CURRENT_HOUR" -ge 21 ] || [ "$CURRENT_HOUR" -lt 6 ]; then
+ /run/current-system/sw/bin/shutdown now
+ fi
+ '';
+ };
+}
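Review bot: `systemd.timers.shutdown` puts `ExecStart` under `unitConfig`, which lands in the `[Unit]` section where systemd does not know that key and ignores it; a timer never executes anything itself but activates a unit of the same name, and no `shutdown.service` is defined, so the 21:30 shutdown never fires. `${pkgs.coreutils}/bin/shutdown` would also not resolve, since `shutdown` is shipped by systemd rather than coreutils. The smallest fix reuses the service that already exists: replace the `unitConfig.ExecStart` line with `timerConfig.Unit = "timeCheckShutdown.service";`, whose `-ge 21` check is satisfied at 21:30. Separately, the `services.openssh` block on port 4410 leaves `passwordAuthentication` commented out (the option is now `settings.PasswordAuthentication`), so password logins for the `wheel` user `y` remain at the NixOS default; if that is not intended, add `settings.PasswordAuthentication = false;` there.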
diff --git a/hosts/local/ohira/default.nix b/hosts/local/ohira/default.nix
new file mode 100644
index 0000000..67cd4a5
--- /dev/null
+++ b/hosts/local/ohira/default.nix
@@ -0,0 +1,4 @@
+inputs: [
+ ./hardware-configuration.nix
+ ./configuration.nix
+]
diff --git a/hosts/local/ohira/hardware-configuration.nix b/hosts/local/ohira/hardware-configuration.nix
new file mode 100644
index 0000000..4b581fd
--- /dev/null
+++ b/hosts/local/ohira/hardware-configuration.nix
@@ -0,0 +1,39 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ "8821cu" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ config.boot.kernelPackages.rtl8821cu ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/1170c84d-4965-4444-a998-23ceef6f7ca9";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/6F38-0465";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/48b04403-6a5e-41f4-a656-5a95f850ccaa"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/local/wayland.nix b/hosts/local/wayland.nix
new file mode 100644
index 0000000..c94a1dc
--- /dev/null
+++ b/hosts/local/wayland.nix
@@ -0,0 +1,188 @@
+{pkgs, ...}: {
+ hardware.graphics = {
+ enable = true;
+ enable32Bit = true;
+ extraPackages = [
+ pkgs.mesa.drivers
+ pkgs.vaapiIntel
+ pkgs.vaapiVdpau
+ pkgs.libvdpau-va-gl
+ pkgs.intel-media-driver
+ ];
+ };
+ programs.sway = {
+ enable = true;
+ wrapperFeatures.gtk = true;
+ extraOptions = ["--verbose" "--debug"];
+ extraPackages = with pkgs; [
+ xdg-utils
+ xdg-desktop-portal
+ xdg-desktop-portal-wlr
+ xdg-desktop-portal-gtk
+ alacritty
+ calibre
+ # nyxt
+ wofi
+ imv
+ swaylock
+ brightnessctl
+ swayidle
+ foot
+ (waybar.override {
+ wireplumberSupport = false;
+ })
+ mako
+ kanshi
+ grim
+ slurp
+ wl-clipboard
+ wf-recorder
+ viewnior
+ playerctl
+ blueman
+ wdisplays
+ ];
+ extraSessionCommands = ''
+ '';
+ };
+ # environment.loginShellInit = ''
+ # if [ -z $DISPLAY ] && [ "$(tty)" = "/dev/tty1" ]; then
+ # exec swayc
+ # fi
+ #'';
+
+ environment.sessionVariables = {
+ NIXOS_OZONE_WL = "1";
+ SDL_VIDEODRIVER = "wayland";
+ QT_QPA_PLATFORM = "wayland";
+ QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
+ _JAVA_AWT_WM_NONREPARENTING = "1";
+ MOZ_ENABLE_WAYLAND = "1";
+
+ # GTK_IM_MODULE = "fcitx";
+ # QT_IM_MODULE = "fcitx";
+ # SDL_IM_MODULE = "fcitx";
+
+ XDG_CURRENT_DESKTOP = "sway";
+ GDK_BACKEND = "wayland";
+ XDG_SESSION_TYPE = "wayland";
+ XMODIFIERS = "@im=fcitx";
+ };
+
+ environment.systemPackages = with pkgs; [
+ obsidian
+ signal-desktop
+ tdesktop
+ brave
+ gimp
+ vlc
+ mpv
+ celluloid
+ thunderbird
+ kmail
+ firefox
+ chromium
+ pavucontrol
+ # icons
+ polkit_gnome
+ gnome-themes-extra
+ gtk-engine-murrine
+ gtk_engines
+ gsettings-desktop-schemas
+ lxappearance
+ adwaita-qt
+ adwaita-icon-theme
+ xfce.thunar
+ libreoffice
+ qbittorrent
+ zathura
+ #
+ libcamera # pipewire seems to want this
+ easyeffects
+ tigervnc
+ foliate
+ # code
+ kompare
+ meld
+ # tmp
+ grapejuice
+ dosbox
+ ];
+
+ # cjk input
+ i18n = {
+ inputMethod = {
+ type = "fcitx5";
+ fcitx5 = {
+ # enabled = true;
+ addons = with pkgs; [fcitx5-rime fcitx5-mozc];
+ waylandFrontend = true;
+ };
+ };
+ };
+
+ fonts = {
+ enableDefaultPackages = true;
+ fontconfig = {
+ defaultFonts.emoji = ["Noto Color Emoji"];
+ defaultFonts.monospace = ["Hack" "Sarasa Mono SC"];
+ defaultFonts.sansSerif = ["DejaVu Sans"];
+ defaultFonts.serif = ["DejaVu Serif" "Source Han Serif SC"];
+ };
+ packages = with pkgs; [
+ fira-code
+ fira
+ cooper-hewitt
+ ibm-plex
+ jetbrains-mono
+ iosevka
+ spleen
+ fira-code-symbols
+ powerline-fonts
+ nerdfonts
+ arphic-ukai
+ arphic-uming
+ dejavu_fonts
+ font-awesome
+ inconsolata # monospaced
+ noto-fonts
+ noto-fonts-cjk
+ noto-fonts-emoji
+ noto-fonts-extra
+ powerline-fonts
+ source-han-sans-japanese
+ source-han-sans-korean
+ source-han-sans-simplified-chinese
+ source-han-sans-traditional-chinese
+ source-sans-pro
+ ubuntu_font_family
+ wqy_microhei
+ wqy_zenhei
+ ];
+ };
+
+ # screen capture
+ #
+
+ xdg.portal.enable = true;
+ xdg.portal.wlr.enable = true;
+ services.dbus.enable = true;
+ ## Remove sound.enable or set it to false if you had it set previously, as sound.enable is only meant for ALSA-based configurations
+
+ # rtkit is optional but recommended
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ wireplumber.enable = true;
+ # If you want to use JACK applications, uncomment this
+ jack.enable = true;
+ };
+
+ # pipewire requires these off
+ # sound.enable = true;
+ # hardware.pulseaudio.enable = true;
+ # hardware.bluetooth.enable = true;
+}
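Review bot: `programs.sway.extraOptions = ["--verbose" "--debug"]` bakes debug-level logging into the permanent session, so every login writes high-volume sway debug output to the journal; drop it once the issue being chased is fixed, or keep it with a comment saying what it is for. `extraSessionCommands = '' '';` is an empty string and can be removed. `powerline-fonts` is listed twice in `fonts.packages`, as in i3.nix. i3.nix also sets `xdg.portal.config.common.default` while this module does not; if the sway host's portals misbehave, that is presumably the missing piece.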
diff --git a/hosts/network.nix b/hosts/network.nix
new file mode 100644
index 0000000..433a206
--- /dev/null
+++ b/hosts/network.nix
@@ -0,0 +1,32 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: {
+ networking = {
+ # Pick only one of the below networking options.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ networkmanager.enable = true; # Easiest to use and most distros use this by default.
+ nameservers = ["1.1.1.1" "1.0.0.1"];
+ #enableIPv6 = false;
+ # Configure network proxy if necessary
+ # proxy.default = "http://user:password@proxy:port/";
+ # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+ };
+
+ # Enable the OpenSSH daemon.
+ networking.firewall = {
+ enable = false;
+ # Open ports in the firewall.
+ # allowedTCPPorts = [ ... ];
+ # allowedUDPPorts = [ ... ];
+ };
+
+ environment.systemPackages = [
+ pkgs.innernet
+ pkgs.iptables
+ ];
+
+ # services.opensnitch.enable = true;
+}
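Review bot: `networking.firewall.enable = false;` switches the host firewall off entirely, so every service that binds a non-loopback address (syncthing's sync port, minio, the Steam ports unfree.nix opens, any dev server left running) is reachable from whatever network the machine joins; the comment above it, "Enable the OpenSSH daemon", is also misleading since the block configures no SSH. The NixOS openssh module already opens `services.openssh.ports` in the firewall by default, so keeping the firewall on costs nothing for SSH. Prefer `enable = true;` plus explicit `allowedTCPPorts`/`allowedUDPPorts` for the few things that must be reachable, and replace the stray comment with `# Host firewall; disabling it exposes every listening socket`.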
diff --git a/hosts/nixos.nix b/hosts/nixos.nix
new file mode 100644
index 0000000..c5dc34a
--- /dev/null
+++ b/hosts/nixos.nix
@@ -0,0 +1,21 @@
+inputs: let
+ mkNixosSystem = system: path:
+ inputs.nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {inherit inputs;};
+ modules = import (./. + "/${path}") inputs;
+ };
+in {
+ fw11 = mkNixosSystem "x86_64-linux" "local/fw11";
+ master = mkNixosSystem "x64_64-linux" "local/master";
+ # vivo2025 = mkNixosSystem "x64_64-linux" "local/vivo2025";
+ ohira = mkNixosSystem "x64_64-linux" "local/ohira";
+ # # headless
+ # r5s = mkNixosSystem "aarch64-linux" "headless/r5s";
+ # pi4 = mkNixosSystem "aarch64-linux" "headless/pi4";
+ # # cloud boxes
+ sortug = mkNixosSystem "x64_64-linux" "cloud/sortug";
+ # lightnode = mkNixosSystem "x64_64-linux" "cloud/lightnode";
+ # hostinger = mkNixosSystem "x64_64-linux" "cloud/hostinger";
+ # contabo = mkNixosSystem "x64_64-linux" "cloud/contabo";
+}
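Review bot: The system string for `master`, `ohira` and `sortug` is `"x64_64-linux"`, a typo for `"x86_64-linux"` (which `fw11` spells correctly). It is passed straight to `nixosSystem` via `inherit system`, so whether evaluation fails outright or quietly falls back to the `nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"` in the hardware-configuration files, any guard such as keyboard.nix's `pkgs.system == "x86_64-linux"` cannot be trusted on those hosts. Fix all three, e.g. `master = mkNixosSystem "x86_64-linux" "local/master";`, and the commented-out entries carry the same typo and will bite when re-enabled.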
diff --git a/hosts/pkgs.nix b/hosts/pkgs.nix
new file mode 100644
index 0000000..f6c6a6b
--- /dev/null
+++ b/hosts/pkgs.nix
@@ -0,0 +1,70 @@
+{pkgs, ...}: {
+ environment.systemPackages = with pkgs; [
+ alejandra
+ # nixfmt
+ #
+ busybox
+ usbutils
+ xdg-utils
+ rlwrap
+ wget
+ htop
+ btop
+ bat
+ gitAndTools.gitFull
+ lazygit
+ git-lfs
+ lsd
+ lsof
+ tmux
+ zellij
+ tmate
+ curlFull
+ ripgrep
+ ranger
+ minio
+ minio-client
+ zip
+ unzip
+ jq
+ vifm
+ nnn
+ fzf
+ killall
+ tree
+ qrcp
+ deluge
+ ncdu
+ edir
+ bottom
+ pigz
+ rclone
+ gparted
+ #hardware problems
+ lm_sensors
+ linuxKernel.packages.linux_latest_libre.cpupower
+ # images
+ sxiv
+ # audio debug
+ alsa-firmware
+ # wine
+ #wineWowPackages.staging
+ #wineWowPackages.waylandFull
+ appimage-run
+ # code
+ nil
+ direnv
+ nix-direnv
+ devenv
+ # scraping
+ python312Packages.yt-dlp
+ # markdown lsp
+ marksman
+ # disk automount
+ udiskie
+ #crypto
+ # electrum
+ yacreader
+ nethogs
+ ];
+}
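Review bot: `linuxKernel.packages.linux_latest_libre.cpupower` takes cpupower from a kernel these hosts do not boot; cpupower talks to the running kernel's cpufreq interfaces, so it should come from the same package set as the kernel, `config.boot.kernelPackages.cpupower` (the module would then need `config` in its argument set). `busybox` in `environment.systemPackages` installs its applets into the same system profile as coreutils; I cannot tell from here which wins for overlapping names such as `ls` or `grep`, so check the rebuild output for collision warnings or give it a comment stating why the applets are wanted on PATH.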
diff --git a/hosts/syncthing.nix b/hosts/syncthing.nix
new file mode 100644
index 0000000..09b0d9b
--- /dev/null
+++ b/hosts/syncthing.nix
@@ -0,0 +1,9 @@
+{ pkgs, ...}:
+{
+ services.syncthing = {
+ enable = true;
+ user = "y";
+ dataDir = "/home/y/sync/data";
+ configDir = "/home/y/sync/.config";
+ };
+}
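Review bot: `user = "y"` is set but `group` is left at the module default (`syncthing`), so files synced into `/home/y/sync/data` are created group-owned by a group that y is not a member of per users.nix; if that is not intended, add `group = "users";` next to `user`. The `{ pkgs, ...}` argument is unused and could be `{ ... }`.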
diff --git a/hosts/unfree.nix b/hosts/unfree.nix
new file mode 100644
index 0000000..8a74ba9
--- /dev/null
+++ b/hosts/unfree.nix
@@ -0,0 +1,24 @@
+{pkgs, ...}: {
+ # allow unfree
+ nixpkgs.config = {
+ allowUnfree = true;
+ chromium.enableWideVine = true;
+ };
+ environment.systemPackages = with pkgs; [
+ # opera
+ spotify
+ microsoft-edge
+ vscode
+ # fonts
+ corefonts
+ symbola
+ ];
+ # fucking vscode requires this for github copilot
+
+ services.gnome.gnome-keyring.enable = true;
+ programs.steam = {
+ enable = true;
+ remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
+ dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
+ };
+}
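Review bot: `programs.steam.dedicatedServer.openFirewall = true` and `remotePlay.openFirewall = true` open the Source dedicated server and Remote Play ports on every host that imports this module, which is named for unfree packages rather than gaming; master imports it, and ohira carries the same block commented out. Hosting a dedicated server is a deliberate exposure decision that belongs in the host's own configuration, so set `dedicatedServer.openFirewall = false;` here and enable it per host where needed. The comment explaining why gnome-keyring is enabled is separated from `services.gnome.gnome-keyring.enable` by a blank line; move it directly above the option it explains.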
diff --git a/hosts/users.nix b/hosts/users.nix
new file mode 100644
index 0000000..6c5394b
--- /dev/null
+++ b/hosts/users.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+
+
+let shellAliases = {
+ l = "lsd -lAh";
+ la = "lsd -lAh";
+ ports = "sudo lsof -i -P -n | grep LISTEN";
+ gco = "git checkout";
+ gcob = "git checkout -b";
+ v = "nvim";
+ sv = "sudo nvim";
+ dotsin = "sh ~/dotfiles/commit.sh";
+ sourceit = ". (sed 's/^/export /' .env | psub)";
+ sqlite = "rlwrap sqlite3";
+ # rsyn = "rsync -zuvaP --filter=':- .gitignore'"
+};
+
+in {
+ programs.fish = {
+ inherit shellAliases;
+ enable = true;
+ shellInit = ''
+ if not functions -q fisher
+ echo "no fisher"
+ curl -sL https://raw.githubusercontent.com/jorgebucaran/fisher/main/functions/fisher.fish | source
+ end
+ '';
+ # fisher install jorgebucaran/fisher
+ # fisher install IlanCosman/tide@v6
+};
+
+ users = {
+ users = {
+ y = {
+ group = "users";
+ isNormalUser = true;
+ extraGroups = [
+ "systemd-journal"
+ "wheel"
+ "networkmanager"
+ "input"
+ "uinput"
+ "docker"
+ "plugdev"
+ ];
+ createHome = true;
+ home = "/home/y";
+ isSystemUser = false;
+ shell = pkgs.fish;
+ };
+ };
+ };
+}
+
+
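Review bot: `programs.fish.shellInit` pipes `curl -sL https://raw.githubusercontent.com/jorgebucaran/fisher/main/functions/fisher.fish` into `source` whenever `fisher` is missing, so every interactive shell on a fresh system executes whatever is on that repository's `main` branch at the moment, unpinned and unverified; with `-sL` and no `-f`, a 404 page or captive-portal response would be sourced as fish code as well. Prefer fetching a tagged release with `pkgs.fetchurl` and a hash so the code that runs is a reviewed store path, or at minimum `curl -fsSL` against a tag rather than `main`. `isSystemUser = false;` is redundant with `isNormalUser = true;`, and the `};` closing `programs.fish` is indented differently from its opening line.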