From 508b2365b7dc8759454a9800db2c9c297466cf43 Mon Sep 17 00:00:00 2001 
From: cw Date: Sun, 30 Apr 2023 02:28:51 -0500 Subject: [PATCH 1/1] Initial Commit --- .gitignore | 59 +++++ flake.lock | 434 ++++++++++++++++++++++++++++++++ flake.nix | 167 ++++++++++++ modules/charm.nix | 25 ++ modules/pelican.nix | 92 +++++++ modules/webservice.nix | 84 +++++++ overlays/unstable.nix | 18 ++ profiles/gitea.nix | 31 +++ profiles/gitweb.nix | 20 ++ profiles/i2p.nix | 4 + profiles/i3wm.nix | 27 ++ profiles/invidious.nix | 15 ++ profiles/jellyfin.nix | 14 ++ profiles/libreddit.nix | 10 + profiles/mail.nix | 43 ++++ profiles/matrix.nix | 130 ++++++++++ profiles/mumble.nix | 10 + profiles/nitter.nix | 19 ++ profiles/photogrammetry.nix | 13 + profiles/plik.nix | 19 ++ profiles/syncthing.nix | 15 ++ profiles/twtxt.nix | 29 +++ profiles/yggdrasil.nix | 34 +++ specialisations/hardened.nix | 49 ++++ specialisations/lowpower.nix | 18 ++ specialisations/performance.nix | 14 ++ 26 files changed, 1393 insertions(+) create mode 100644 .gitignore create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 modules/charm.nix create mode 100644 modules/pelican.nix create mode 100644 modules/webservice.nix create mode 100644 overlays/unstable.nix create mode 100644 profiles/gitea.nix create mode 100644 profiles/gitweb.nix create mode 100644 profiles/i2p.nix create mode 100644 profiles/i3wm.nix create mode 100644 profiles/invidious.nix create mode 100644 profiles/jellyfin.nix create mode 100644 profiles/libreddit.nix create mode 100644 profiles/mail.nix create mode 100644 profiles/matrix.nix create mode 100644 profiles/mumble.nix create mode 100644 profiles/nitter.nix create mode 100644 profiles/photogrammetry.nix create mode 100644 profiles/plik.nix create mode 100644 profiles/syncthing.nix create mode 100644 profiles/twtxt.nix create mode 100644 profiles/yggdrasil.nix create mode 100644 specialisations/hardened.nix create mode 100644 specialisations/lowpower.nix create mode 100644 specialisations/performance.nix 
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1dcd87f --- /dev/null +++ b/.gitignore @@ -0,0 +1,59 @@ +secrets.nix +secrets/ +result +hosts/*.ygg +WIP/ + +*.save +# ---> Emacs +# -*- mode: gitignore; -*- +*~ +*~undo-tree~ +\#*\# +/.emacs.desktop +/.emacs.desktop.lock +*.elc +auto-save-list +tramp +.\#* + +# Org-mode +.org-id-locations +*_archive + +# flymake-mode +*_flymake.* + +# eshell files +/eshell/history +/eshell/lastdir + +# elpa packages +/elpa/ + +# reftex files +*.rel + +# AUCTeX auto folder +/auto/ + +# cask packages +.cask/ +dist/ + +# Flycheck +flycheck_*.el + +# server auth directory +/server/ + +# projectiles files +.projectile + +# directory configuration +.dir-locals.el + +# network security +/network-security.data + + diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..e0864d8 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,434 @@ +{ + "nodes": { + "base16": { + "inputs": { + "nixpkgs": [ + "stylix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1658847131, + "narHash": "sha256-X6Mml7cT0YR3WCD5fkUhpRVV5ZPcwdcDsND8r8xMqTE=", + "owner": "SenchoPens", + "repo": "base16.nix", + "rev": "6b404cda2e04ca3cf5ca7b877af9c469e1386acb", + "type": "github" + }, + "original": { + "owner": "SenchoPens", + "repo": "base16.nix", + "type": "github" + } + }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1680555990, + "narHash": "sha256-Tu/i5sd0hk4c4VtWO8XpY3c9KmHDcOWF5Y2GSCh3LXA=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "d6f3ba090ed090ae664ab5bac329654093aae725", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-22.11", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "stylix", + "nixpkgs" + ], + "utils": "utils_3" + }, + "locked": { + "lastModified": 1680000368, + "narHash": "sha256-TlgC4IJ7aotynUdkGRtaAVxquaiddO38Ws89nB7VGY8=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "765e4007b6f9f111469a25d1df6540e8e0ca73a6", + "type": "github" + }, + 
"original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "libcamera-apps-src": { + "flake": false, + "locked": { + "lastModified": 1674645888, + "narHash": "sha256-UBTDHN0lMj02enB8im4Q+f/MCm/G2mFPP3pLImrZc5A=", + "owner": "raspberrypi", + "repo": "libcamera-apps", + "rev": "9f08463997b82c4bf60e12c4ea43577959a8ae15", + "type": "github" + }, + "original": { + "owner": "raspberrypi", + "ref": "v1.1.1", + "repo": "libcamera-apps", + "type": "github" + } + }, + "nixlib": { + "locked": { + "lastModified": 1680397293, + "narHash": "sha256-wBpJ73+tJ8fZSWb4tzNbAVahC4HSo2QG3nICDy4ExBQ=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "b18d328214ca3c627d3cc3f51fd9d1397fdbcd7a", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1680764424, + "narHash": "sha256-2tNAE9zWbAK3JvQnhlnB1uzHzhwbA9zF6A17CoTjnbk=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "15ae4065acbf414989a8677097804326fe7c0532", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1680665430, + "narHash": "sha256-MTVhTukwza1Jlq2gECITZPFnhROmylP2uv3O3cSqQCE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "5233fd2ba76a3accb5aaa999c00509a11fd0793c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-22_11": { + "locked": { + "lastModified": 1669558522, + "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-22.11", + "type": "indirect" + } + }, + 
"nixpkgs-unstable": { + "locked": { + "lastModified": 1680669251, + "narHash": "sha256-AVNE+0u4HlI3v96KCXE9risH7NKqj0QDLLfSckYXIbA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "9c8ff8b426a8b07b9e0a131ac3218740dc85ba1e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1669542132, + "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a115bb9bd56831941be3776c8a94005867f316a7", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, + "raspberry-pi-nix": { + "inputs": { + "libcamera-apps-src": "libcamera-apps-src", + "rpi-bluez-firmware-src": "rpi-bluez-firmware-src", + "rpi-firmware-nonfree-src": "rpi-firmware-nonfree-src", + "rpi-firmware-stable-src": "rpi-firmware-stable-src", + "rpi-linux-5_15-src": "rpi-linux-5_15-src", + "u-boot-src": "u-boot-src" + }, + "locked": { + "lastModified": 1678801763, + "narHash": "sha256-yELOVlxvXouMpoosFQlnk8bFzs48pBl5goiUh8d2tnU=", + "owner": "tstat", + "repo": "raspberry-pi-nix", + "rev": "3ca8c6898ae3bc4d5527a75d9f499018afeb65dc", + "type": "github" + }, + "original": { + "owner": "tstat", + "repo": "raspberry-pi-nix", + "type": "github" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixos-generators": "nixos-generators", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "raspberry-pi-nix": "raspberry-pi-nix", + "simple-nixos-mailserver": "simple-nixos-mailserver", + "stylix": "stylix", + "zero": "zero" + } + }, + "rpi-bluez-firmware-src": { + "flake": false, + "locked": { + "lastModified": 1672928175, + "narHash": "sha256-gKGK0XzNrws5REkKg/JP6SZx3KsJduu53SfH3Dichkc=", + "owner": "RPi-Distro", + "repo": "bluez-firmware", + "rev": "9556b08ace2a1735127894642cc8ea6529c04c90", + "type": "github" + }, + "original": { + "owner": 
"RPi-Distro", + "repo": "bluez-firmware", + "type": "github" + } + }, + "rpi-firmware-nonfree-src": { + "flake": false, + "locked": { + "lastModified": 1674638139, + "narHash": "sha256-54JKmwypD7PRQdd7k6IcF7wL8ifMavEM0UwZwmA24O4=", + "owner": "RPi-Distro", + "repo": "firmware-nonfree", + "rev": "7f29411baead874b859eda53efdc2472345ea454", + "type": "github" + }, + "original": { + "owner": "RPi-Distro", + "repo": "firmware-nonfree", + "type": "github" + } + }, + "rpi-firmware-stable-src": { + "flake": false, + "locked": { + "lastModified": 1673003776, + "narHash": "sha256-tdaH+zZwmILNFBge2gMqtzj/1Hydj9cxhPvhw+7jTrU=", + "owner": "raspberrypi", + "repo": "firmware", + "rev": "78852e166b4cf3ebb31d051e996d54792f0994b0", + "type": "github" + }, + "original": { + "owner": "raspberrypi", + "ref": "stable", + "repo": "firmware", + "type": "github" + } + }, + "rpi-linux-5_15-src": { + "flake": false, + "locked": { + "lastModified": 1675874870, + "narHash": "sha256-oy+VgoB4IdFZjGwkx88dDSpwWZj2D5t3PyXPIwDsY1Q=", + "owner": "raspberrypi", + "repo": "linux", + "rev": "14b35093ca68bf2c81bbc90aace5007142b40b40", + "type": "github" + }, + "original": { + "owner": "raspberrypi", + "ref": "rpi-5.15.y", + "repo": "linux", + "type": "github" + } + }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "nixpkgs": "nixpkgs_2", + "nixpkgs-22_11": "nixpkgs-22_11", + "utils": "utils_2" + }, + "locked": { + "lastModified": 1671659164, + "narHash": "sha256-DbpT+v1POwFOInbrDL+vMbYV3mVbTkMxmJ5j50QnOcA=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "bc667fb6afc45f6cc2d118ab77658faf2227cffd", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "nixos-22.11", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, + "stylix": { + "inputs": { + "base16": "base16", + "flake-compat": "flake-compat", + "home-manager": "home-manager_2", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1680432579, + 
"narHash": "sha256-sIcl3DvrDdQZM5kBWY25ocxJsIQFPV4gm54l79ZysB0=", + "owner": "danth", + "repo": "stylix", + "rev": "4205a141bfcc0b9d1c04932ec7fdf0f86f99aaf6", + "type": "github" + }, + "original": { + "owner": "danth", + "repo": "stylix", + "type": "github" + } + }, + "u-boot-src": { + "flake": false, + "locked": { + "narHash": "sha256-30fe8klLHRsEtEQ1VpYh4S+AflG5yCQYWlGmpWyFL8w=", + "type": "tarball", + "url": "https://ftp.denx.de/pub/u-boot/u-boot-2023.01.tar.bz2" + }, + "original": { + "type": "tarball", + "url": "https://ftp.denx.de/pub/u-boot/u-boot-2023.01.tar.bz2" + } + }, + "utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "utils_2": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "utils_3": { + "locked": { + "lastModified": 1676283394, + "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "zero": { + "flake": false, + "locked": { + "lastModified": 1672452192, + "narHash": "sha256-MId839OmZiiXkt9qAOM8WzKZMZ9WLpfd9enI0QoejOg=", + "type": "git", + "url": "file:/home/cw/0x00" + }, + "original": { + "type": "git", + "url": "file:/home/cw/0x00" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..4013ced 
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,167 @@ +# This can be built with nixos-rebuild --flake .#myhost build +{ + description = "the simplest flake for nixos-rebuild"; + + inputs = { + nixpkgs = { + url = "github:NixOS/nixpkgs/nixos-22.11"; + }; + # inputs.emacs-overlay.url = "github:nix-community/emacs-overlay"; + # inputs.coricamu.url = "github:danth/coricamu"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.11"; + home-manager = { + url = "github:nix-community/home-manager/release-22.11"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + # alfis.url = "github:Revertron/Alfis"; + stylix = { + url = "github:danth/stylix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nixos-generators = { + url = "github:nix-community/nixos-generators"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + raspberry-pi-nix.url = "github:tstat/raspberry-pi-nix"; + }; + + # Outputs can be anything, but the wiki + some commands define their own + # specific keys. Wiki page: https://nixos.wiki/wiki/Flakes#Output_schema + outputs = { + self, + nixpkgs, + nixpkgs-unstable, + home-manager, + nixos-generators, + # hm-unstable, + stylix, + # alfis, + # colmena, + # coricamu, + # deploy-rs, + zero, + raspberry-pi-nix, + simple-nixos-mailserver, + ... 
+ } @inputs: + let + system = "x86_64-linux"; + overlay-unstable = final: prev: { + # unstable = nixpkgs-unstable.legacyPackages.${prev.system}; + unstable = import nixpkgs-unstable { + inherit system; + config.allowUnfree = true; + }; + }; + in { + overlays = import ./overlays/unstable.nix { inherit inputs; }; + nixosConfigurations = { + powerbook = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = self.colmena.meta.specialArgs; + # Import our old system configuration.nix + modules = self.colmena.powerbook.imports; + }; + marigold = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = self.colmena.meta.specialArgs; + # Import our old system configuration.nix + modules = self.colmena.marigold.imports; + }; + }; + packages."x86_64-linux" = { + marigold-install-iso = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = [ + ./hosts/iso.nix + stylix.nixosModules.stylix + home-manager.nixosModules.home-manager + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.users.cw = import ./users/home.nix { user = "cw"; pkgs = nixpkgs.legacyPackages.x86_64-linux; }; + } + ]; + format = "install-iso"; + }; + marigold-iso = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + pkgs = nixpkgs.legacyPackages.x86_64-linux; + modules = [ + ./hosts/iso.nix + stylix.nixosModules.stylix + home-manager.nixosModules.home-manager + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.users.cw = import ./users/home.nix { user = "cw"; pkgs = nixpkgs.legacyPackages.x86_64-linux; }; + } + ]; + format = "iso"; + }; + }; + colmena = { + meta = { + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + overlays = []; + }; + nodeNixpkgs.bike = import nixpkgs { + system = "aarch64-linux"; + }; + specialArgs = inputs; + }; + marigold = { + imports = [ + ./WIP/hosts/marigold.nix + ]; + deployment.targetHost = "marigold.cw.ygg"; + }; + moto = { + imports = [ + 
./WIP/hosts/moto.nix + ]; + deployment.targetHost = "moto.cw.ygg"; + }; + powerbook = { + imports = [ + ./WIP/hosts/powerbook.nix + ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; }) + home-manager.nixosModules.home-manager + ]; + deployment = { + allowLocalDeployment = true; + targetHost = null; + }; + }; + kernelpanic = { + imports = [ + ./WIP/hosts/kernelpanic.nix + home-manager.nixosModules.home-manager + stylix.nixosModules.stylix + simple-nixos-mailserver.nixosModule + ]; + deployment = { + targetHost = "kernelpanic.cw.ygg"; + keys = { + "yggdrasil.conf.secret" = { + keyFile = "./secrets/yggdrasil-kernelpanic.conf"; + uploadAt = "pre-activation"; + }; + }; + }; + }; + telescreen = { + imports = [ + ./WIP/hosts/telescreen.nix + home-manager.nixosModules.home-manager + stylix.nixosModules.stylix + ]; + deployment = { + targetHost = "telescreen.cw.ygg"; + }; + }; + }; + }; +} diff --git a/modules/charm.nix b/modules/charm.nix new file mode 100644 index 0000000..4557bbd --- /dev/null +++ b/modules/charm.nix @@ -0,0 +1,25 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.services.charm; +in { + options.services.charm = { + enable = lib.mkEnableOption "Charm cloud server"; + }; + config = lib.mkIf cfg.enable { + systemd.services.charm = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "The Cloud"; + serviceConfig = { + DynamicUser = true; + ExecStart = ''${pkgs.charm}/bin/charm serve''; + Restart = "always"; + Type = "simple"; + RestartSec = 1; + Environment = "CHARM_SERVER_DATA_DIR=/var/lib/charm"; + StateDirectory = "charm"; + WorkingDirectory = "/var/lib/charm"; + }; + }; + }; +} diff --git a/modules/pelican.nix b/modules/pelican.nix new file mode 100644 index 0000000..e15bed3 --- /dev/null +++ b/modules/pelican.nix 
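Review bot: Every host module is imported from `./WIP/hosts/*.nix`, but `.gitignore` in this same commit excludes `WIP/`, and a flake only sees git-tracked files, so `nixosConfigurations` and the colmena hive cannot evaluate from a clean checkout. The outputs function also destructures `zero` without a matching entry in `inputs` (only the lock file records it, pinned to `file:/home/cw/0x00`), which fails with an attribute-missing error and is in any case a non-reproducible local path. Either declare `zero.url = "…"` in `inputs` and track the WIP host files, or drop both references until they are ready to be committed. Separately, `overlays = import ./overlays/unstable.nix { inherit inputs; }` does not match that file's `self: super:` signature; see the note on that file.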
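Review bot: `charm serve` is started with no bind address or port configuration and no firewall handling, so enabling the module publishes the Charm SSH/HTTP endpoints on whatever interfaces the server's defaults pick, which for a multi-user "cloud" backend is a larger exposure than a NixOS module should create implicitly. Consider adding `openFirewall`/bind-address options and passing the bind address through the environment, e.g. `Environment = [ "CHARM_SERVER_DATA_DIR=/var/lib/charm" "CHARM_SERVER_BIND_ADDRESS=127.0.0.1" ];` (verify the variable name against `charm serve --help`; I am recalling it from memory). The `DynamicUser = true` choice is good and already implies `ProtectSystem=strict`, `ProtectHome`, `PrivateTmp` and `NoNewPrivileges`, so no further sandboxing lines are needed for that.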
@@ -0,0 +1,92 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.helpers.pelican; +in +{ + options.helpers.pelican = lib.mkOption { + description = "Pelican SSG helper"; + default = {}; + type = with lib.types; attrsOf (submodule { + options = { + path = lib.mkOption { + type = str; + }; + # auth = lib.mkOption { + # type = bool; + # default = true; + # }; + }; + }); + }; + config = { + networking.hosts."127.0.0.1" = builtins.attrNames cfg; + + + # lifted from https://nixos.wiki/wiki/Nginx#Authentication_via_PAM + # also https://github.com/NixOS/nixpkgs/issues/117578 + # Have not tested to see which of these can be re-enabled. Not a fan of killing all that stuff just for pam. + # Maybe copy /etc/shadow to /run/keys via colmena? + # security.pam.services.nginx.setEnvironment = false; + # systemd.services.nginx.serviceConfig = { + # SupplementaryGroups = [ "shadow" ]; + # NoNewPrivileges = lib.mkForce false; + # PrivateDevices = lib.mkForce false; + # ProtectHostname = lib.mkForce false; + # ProtectKernelTunables = lib.mkForce false; + # ProtectKernelModules = lib.mkForce false; + # RestrictAddressFamilies = lib.mkForce [ ]; + # LockPersonality = lib.mkForce false; + # MemoryDenyWriteExecute = lib.mkForce false; + # RestrictRealtime = lib.mkForce false; + # RestrictSUIDSGID = lib.mkForce false; + # SystemCallArchitectures = lib.mkForce ""; + # ProtectClock = lib.mkForce false; + # ProtectKernelLogs = lib.mkForce false; + # RestrictNamespaces = lib.mkForce false; + # SystemCallFilter = lib.mkForce ""; + # }; + + + # services.nginx.virtualHosts."nfo".locations."/subdomain" + services.nginx = { + enable = lib.mkDefault true; + additionalModules = [ pkgs.nginxModules.pam ]; + virtualHosts = lib.attrsets.mapAttrs (fqdn: name: { + enableACME = config.security.acme.acceptTerms; + forceSSL = config.security.acme.acceptTerms; + locations."/" = { + root = "${name.path}/output"; + # extraConfig = lib.mkIf name.localOnly '' + # allow 127.0.0.1; + # deny all; + # ''; + }; + # 
extraConfig = lib.mkIf name.auth '' + # auth_pam "Password Required"; + # auth_pam_service_name "nginx"; + # ''; + }) cfg; + }; + systemd.services = lib.attrsets.mapAttrs' (fqdn: name: lib.attrsets.nameValuePair "${fqdn}-reloader" { + after = [ "networking.target" ]; + script = '' + exec ${pkgs.python310Packages.pelican}/bin/pelican content + exec systemd-tmpfiles --create + exec systemctl restart nginx.service + ''; + serviceConfig = { + Type = "oneshot"; + WorkingDirectory = "${name.path}"; + }; + }) cfg; + systemd.paths = lib.attrsets.mapAttrs' (fqdn: name: lib.attrsets.nameValuePair "${fqdn}-watcher" { + wantedBy = [ "multi-user.target" ]; + pathConfig = { + PathModified = "${name.path}/content"; + Unit = "${fqdn}-reloader.service"; + # TriggerLimitIntervalSec = "10s"; + # TriggerLimitBurst = 50; + }; + }) cfg; + }; +} diff --git a/modules/webservice.nix b/modules/webservice.nix new file mode 100644 index 0000000..12a4693 --- /dev/null +++ b/modules/webservice.nix 
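Review bot: The reloader `script` runs `exec` on its first line, which replaces the shell with pelican, so `systemd-tmpfiles --create` and `systemctl restart nginx.service` are never executed; drop the `exec` prefixes (`${pkgs.python310Packages.pelican}/bin/pelican content`, `systemd-tmpfiles --create`, `systemctl restart nginx.service`) or use `set -e` and plain commands. More seriously, the unit has no `User`, so it runs as root inside a path the site owner controls, and pelican imports `pelicanconf.py` from that working directory, meaning anyone who can write to `path` gets root code execution on every `PathModified` trigger; run the reloader as the site's owner (`serviceConfig.User`) and only reload nginx via a narrowly scoped mechanism. Also `after = [ "networking.target" ]` is not a systemd target; `network.target` is presumably intended.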
@@ -0,0 +1,84 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.helpers.webservices; +in +{ + options.helpers.webservices = lib.mkOption { + description = "Webservice helper"; + default = {}; + type = with lib.types; attrsOf (submodule { + options = { + port = lib.mkOption { + type = port; + }; + # fqdn = lib.mkOption { + # type = bool; + # default = true; + # }; + # localOnly = lib.mkOption { + # type = bool; + # default = false; + # }; + auth = lib.mkOption { + type = bool; + default = true; + }; + }; + }); + }; + config = { # lib.attrsets.mapAttrs (fqdn: name: { + + # helpers.webservices = (lib.mapAttrs (name: nameAttrs: lib.mkIf nameAttrs.fqdn { + # port = + # }) cfg); + # networking.hosts."127.0.0.1" = (lib.attrsets.mapAttrsToList (name: nameattrs: "${name}") cfg) ++ (lib.attrsets.mapAttrsToList (name: nameattrs: if nameattrs.fqdn then "${name}.${config.networking.fqdn}" else "" ) cfg); + # networking.hosts."127.0.0.1" = builtins.attrNames cfg ++ (lib.mapAttrsToList (name: nameattrs: lib.mkIf nameattrs.fqdn "${name}.${config.networking.fqdn}") cfg); + networking.hosts."127.0.0.1" = builtins.attrNames cfg; + # lifted from https://nixos.wiki/wiki/Nginx#Authentication_via_PAM + # also https://github.com/NixOS/nixpkgs/issues/117578 + # Have not tested to see which of these can be re-enabled. Not a fan of killing all that stuff just for pam. + # Maybe copy /etc/shadow to /run/keys via colmena? 
+ # security.pam.services.nginx.setEnvironment = false; + # systemd.services.nginx.serviceConfig = { + # SupplementaryGroups = [ "shadow" ]; + # NoNewPrivileges = lib.mkForce false; + # PrivateDevices = lib.mkForce false; + # ProtectHostname = lib.mkForce false; + # ProtectKernelTunables = lib.mkForce false; + # ProtectKernelModules = lib.mkForce false; + # RestrictAddressFamilies = lib.mkForce [ ]; + # LockPersonality = lib.mkForce false; + # MemoryDenyWriteExecute = lib.mkForce false; + # RestrictRealtime = lib.mkForce false; + # RestrictSUIDSGID = lib.mkForce false; + # SystemCallArchitectures = lib.mkForce ""; + # ProtectClock = lib.mkForce false; + # ProtectKernelLogs = lib.mkForce false; + # RestrictNamespaces = lib.mkForce false; + # SystemCallFilter = lib.mkForce ""; + # }; + + + # services.nginx.virtualHosts."nfo".locations."/subdomain" + services.nginx = { + enable = lib.mkDefault true; + additionalModules = [ pkgs.nginxModules.pam ]; + virtualHosts = lib.attrsets.mapAttrs (fqdn: name: { + enableACME = config.security.acme.acceptTerms; + forceSSL = config.security.acme.acceptTerms; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString name.port}"; + # extraConfig = lib.mkIf name.localOnly '' + # allow 127.0.0.1; + # deny all; + # ''; + proxyWebsockets = true; + }; + # extraConfig = lib.mkIf name.auth '' + # auth_pam "Password Required"; + # auth_pam_service_name "nginx"; + # ''; + }) cfg; + }; + }; +} diff --git a/overlays/unstable.nix b/overlays/unstable.nix new file mode 100644 index 0000000..9a4faea --- /dev/null +++ b/overlays/unstable.nix 
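Review bot: `auth` defaults to `true` but nothing in `config` reads it (the `auth_pam` block is commented out), so every service registered through this helper is published without any front-end authentication while the option suggests the opposite; callers that rely on the default (jellyfin, invidious, libreddit, nitter, plik) are exposed as-is. Until PAM is wired up, make the gap explicit: `assertions = lib.mapAttrsToList (fqdn: svc: { assertion = !svc.auth; message = "helpers.webservices.${fqdn}: auth is not implemented yet"; }) cfg;`, or change the default to `false` with a comment. Note also that when `security.acme.acceptTerms` is false the vhost is served over plain HTTP with no redirect, which matters for any of these services that carry a login; presumably they are only reachable via yggdrasil, but that is worth stating in the option description.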
@@ -0,0 +1,18 @@ +self: super: +let unstable = self.nixpkgs-unstable.legacyPackages.x86_64-linux; +in +{ + alfis = unstable.alfis; + # yggmail = unstable.yggmail; + charm = unstable.charm; + plik = unstable.plik; + yt-dlp = unstable.yt-dlp; + gallery-dl = unstable.gallery-dl; + zerobin = unstable.zerobin; + freenet = unstable.freenet; + # factorio = unstable.factorio; + openmvs = unstable.openmvs; + wasabibackend = unstable.wasabibackend; + wasabiwallet = unstable.wasabiwallet; +} + diff --git a/profiles/gitea.nix b/profiles/gitea.nix new file mode 100644 index 0000000..267cf5e --- /dev/null +++ b/profiles/gitea.nix @@ -0,0 +1,31 @@ +{ config, lib, pkgs, ... }: +let + fqdn = "gitea.${config.networking.hostName}.${config.networking.domain}"; +in { + environment.systemPackages = [ pkgs.tea ]; + services.gitea = { + enable = true; + domain = "${fqdn}"; + rootUrl = if config.security.acme.acceptTerms then "https://${fqdn}" else "http://${fqdn}"; + httpAddress = "127.0.0.1"; + disableRegistration = true; + settings = { + server = { + SSH_DOMAIN = "${fqdn}"; + LANDING_PAGE = "explore"; + }; + ui = { + DEFAULT_THEME = "arc-green"; + }; + U2F = { + APP_ID = if config.security.acme.acceptTerms then "https://${fqdn}" else "http://${fqdn}"; + TRUSTED_FACETS = if config.security.acme.acceptTerms then "https://${fqdn}" else "http://${fqdn}"; + }; + }; + }; + helpers.webservices."${fqdn}" = { + port = config.services.gitea.httpPort; + auth = false; + }; +} + diff --git a/profiles/gitweb.nix b/profiles/gitweb.nix new file mode 100644 index 0000000..da20c96 --- /dev/null +++ b/profiles/gitweb.nix 
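Review bot: The overlay's signature `self: super:` does not match how flake.nix consumes it (`import ./overlays/unstable.nix { inherit inputs; }`), so `self` is the attrset `{ inputs = …; }`, `self.nixpkgs-unstable` raises an attribute-missing error, and `super` is never applied; `x86_64-linux` is also hard-coded although the hive declares an aarch64 node. Change the header to `{ inputs }: self: super:` and `let unstable = inputs.nixpkgs-unstable.legacyPackages.${super.system};` so the overlay evaluates and follows the host architecture.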
@@ -0,0 +1,20 @@ +{ config, ... }: +let + fqdn = "git.${config.networking.fqdn}"; +in +{ + services.nginx.gitweb = { + enable = true; + location = ""; + virtualHost = "${fqdn}"; + }; + # BOILER + # PLATE + networking.hosts."127.0.0.1" = [ "${fqdn}" ]; + # TODO Check perms see if they are g2g. idk about recursive +x + systemd.tmpfiles.rules = [ + "d '${config.services.gitweb.projectroot}' 0775 ${config.services.nginx.user} git" + "Z '${config.services.gitweb.projectroot}' 0775 ${config.services.nginx.user} git" + ]; + users.groups.git = {}; +} diff --git a/profiles/i2p.nix b/profiles/i2p.nix new file mode 100644 index 0000000..9f29693 --- /dev/null +++ b/profiles/i2p.nix @@ -0,0 +1,4 @@ +{ ... }: +{ + services.i2p.enable = true; +} diff --git a/profiles/i3wm.nix b/profiles/i3wm.nix new file mode 100644 index 0000000..a693d17 --- /dev/null +++ b/profiles/i3wm.nix @@ -0,0 +1,27 @@ +# User interface stuffs... +{ config, pkgs, lib, ... }: +lib.mkIf config.services.xserver.enable { + services.xserver = { + displayManager = { + defaultSession = "xfce+i3"; + }; + windowManager.i3 = { + enable = lib.mkIf config.services.xserver.enable true; + package = pkgs.i3-gaps; + extraPackages = with pkgs; [ + dmenu + i3status + i3lock + raiseorlaunch + # xfce.xfce4-clipman-plugin + ]; + }; + desktopManager = { + xfce = { + enable = true; + noDesktop = true; + enableXfwm = false; + }; + }; + }; +} diff --git a/profiles/invidious.nix b/profiles/invidious.nix new file mode 100644 index 0000000..65522ae --- /dev/null +++ b/profiles/invidious.nix @@ -0,0 +1,15 @@ +{ config, lib, ... }: +let + fqdn = "invidious.${config.networking.fqdn}"; +in { + services.invidious = { + enable = true; + port = 3255; + domain = "${fqdn}"; + settings = { + https_only = config.security.acme.acceptTerms; + external_port = if config.security.acme.acceptTerms then 443 else 80; + }; + }; + helpers.webservices."${fqdn}".port = config.services.invidious.port; +} 
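Review bot: The tmpfiles rules make `${config.services.nginx.user}` the owner of `projectroot` with mode 0775, so the internet-facing nginx/fcgiwrap process can modify or delete every repository it serves; gitweb needs read access only. Prefer a dedicated owner with group-writable, setgid, world-readable layout, e.g. `"d '${config.services.gitweb.projectroot}' 2775 git git"` plus `users.users.git = { isSystemUser = true; group = "git"; };`, and keep nginx out of the `git` group so it stays read-only. The recursive `Z` line should then be dropped or use the same owner; as written it also re-chowns repository contents on every boot, which the `TODO` already questions.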
diff --git a/profiles/jellyfin.nix b/profiles/jellyfin.nix new file mode 100644 index 0000000..5951c31 --- /dev/null +++ b/profiles/jellyfin.nix @@ -0,0 +1,14 @@ +{ config, lib, ... }: +let + fqdn = "jellyfin.${config.networking.fqdn}"; +in { + networking.hosts = { + "127.0.0.1" = [ fqdn ]; + }; + helpers.webservices."${fqdn}".port = 8096; + services.jellyfin = { + enable = true; + group = lib.mkDefault "media"; + }; + users.groups.media = {}; +} diff --git a/profiles/libreddit.nix b/profiles/libreddit.nix new file mode 100644 index 0000000..71f3072 --- /dev/null +++ b/profiles/libreddit.nix @@ -0,0 +1,10 @@ +{ config, lib, ... }: +let + fqdn = "libreddit.${config.networking.fqdn}"; +in { + services.libreddit = { + enable = true; + port = 3357; + }; + helpers.webservices."${fqdn}".port = config.services.libreddit.port; +} diff --git a/profiles/mail.nix b/profiles/mail.nix new file mode 100644 index 0000000..45c7005 --- /dev/null +++ b/profiles/mail.nix 
@@ -0,0 +1,43 @@ +{ config, pkgs, ... }: +let + fqdn = "${config.networking.hostName}.${config.networking.domain}"; +in{ + mailserver = { + enable = true; + fqdn = "mail.${fqdn}"; + domains = [ "${fqdn}" ]; + # A list of all login accounts. To create the password hashes, use + # mkpasswd -m sha-512 "super secret password" + loginAccounts = { + "admin@${fqdn}" = { + # nix-shell -p mkpasswd --run "mkpasswd -m sha-512 easypassword" + hashedPassword = "$6$mwL/Pqv4WZHIP7j.$rU2inAQ8QCICBPCF5MiITptHcbZopBqwHYDudxBHun3zfnaAINqCDaeC/uq7CrzgNtDF2HbFEikz7GYNX6kXZ."; + aliases = [ + "postmaster@${fqdn}" + "webmaster@${fqdn}" + "abuse@${fqdn}" + ]; + }; + }; + # Extra virtual aliases. These are email addresses that are forwarded to + # loginAccounts addresses. + extraVirtualAliases = { + # address = forward address; + #"abuse@${fqdn}" = "postmaster@${fqdn}"; + }; + # Use Let's Encrypt certificates. Note that this needs to set up a stripped + # down nginx and opens port 80. + certificateScheme = 3; + # Enable IMAP and POP3 + enableImap = false; + enableImapSsl = true; + enableSubmission = false; + enableSubmissionSsl = true; + # Enable the ManageSieve protocol + enableManageSieve = true; + # whether to scan inbound emails for viruses (note that this requires at least + # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty) + virusScanning = false; + localDnsResolver = false; + }; +} diff --git a/profiles/matrix.nix b/profiles/matrix.nix new file mode 100644 index 0000000..ded167d --- /dev/null +++ b/profiles/matrix.nix 
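Review bot: The `admin@` account (which also receives postmaster, webmaster and abuse mail) has its `hashedPassword` committed to the repository, and the comment directly above it documents the hash as `mkpasswd -m sha-512 easypassword`; even if a different password was used, a sha512-crypt hash in a public history is cheap to crack offline. Use `hashedPasswordFile = "/run/keys/mail-admin";` and ship the hash with a colmena `deployment.keys` entry, the same mechanism this commit already uses for `yggdrasil.conf.secret` on kernelpanic, and rotate the current password since it must be treated as leaked. The `secrets/` directory is already gitignored, so the key file can live there.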
@@ -0,0 +1,130 @@ +{ pkgs, config, lib, ... }: +let + fqdn = "${config.networking.hostName}.${config.networking.domain}"; +in { + + + services.postgresql.enable = true; + services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + + services.nginx = { + enable = true; + clientMaxBodySize = lib.mkDefault "50M"; + # only recommendedProxySettings and recommendedGzipSettings are strictly required, + # but the rest make sense as well + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + + virtualHosts = { + # This host section can be placed on a different host than the rest, + # i.e. to delegate from the host being accessible as ${config.networking.domain} + # to another host actually running the Matrix homeserver. 
+ "${fqdn}" = { + enableACME = config.security.acme.acceptTerms; + forceSSL = config.security.acme.acceptTerms; + locations."= /.well-known/matrix/server".extraConfig = + let + # use 443 instead of the default 8448 port to unite + # the client-server and server-server port for simplicity + server = { "m.server" = "matrix.${fqdn}:443"; }; + in '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON server}'; + ''; + locations."= /.well-known/matrix/client".extraConfig = + let + client = { + "m.homeserver" = { "base_url" = "https://matrix.${fqdn}"; }; + #"m.identity_server" = { "base_url" = "https://vector.im"; }; + }; + # ACAO required to allow element-web on any URL to request this json file + in '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON client}'; + ''; + }; + # Reverse proxy for Matrix client-server and server-server communication + "matrix.${fqdn}" = { + enableACME = config.security.acme.acceptTerms; + forceSSL = config.security.acme.acceptTerms; + + # Or do a redirect instead of the 404, or whatever is appropriate for you. + # But do not put a Matrix Web client here! See the Element web section below. 
+ locations."/".extraConfig = '' + return 404; + ''; + + # forward all Matrix API calls to the synapse Matrix homeserver + locations."/_matrix" = { + proxyPass = "http://[::1]:8008"; # without a trailing / + }; + }; + }; + }; + services.matrix-synapse = { + enable = true; + server_name = "${fqdn}"; + plugins = with config.services.matrix-synapse.package.plugins; [ + # matrix-synapse-ldap3 + matrix-synapse-pam + ]; + listeners = [ + { + port = 8008; + bind_address = "::1"; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = [ "client" "federation" ]; + compress = false; + } + ]; + } + ]; + extraConfig = '' +public_baseurl: https://matrix.${fqdn} +password_providers: + - module: "pam_auth_provider.PAMAuthProvider" + config: + create_users: true + skip_user_check: false +max_upload_size: 50M + +caches: + global_factor: 1.0 + per_cache_factors: + get_users_who_share_room_with_user: 2.0 + sync_response_cache_duration: 2m + cache_autotuning: + max_cache_memory_usage: 1024M + target_cache_memory_usage: 512M + min_cache_ttl: 5m +''; + }; + + # Element web client + services.nginx.virtualHosts."element.${fqdn}" = { + enableACME = config.security.acme.acceptTerms; + forceSSL = config.security.acme.acceptTerms; + + root = pkgs.element-web.override { + conf = { + default_server_config."m.homeserver" = { + "base_url" = "https://matrix.${fqdn}"; + "server_name" = "${fqdn}"; + }; + }; + }; + }; +} diff --git a/profiles/mumble.nix b/profiles/mumble.nix new file mode 100644 index 0000000..218e8df --- /dev/null +++ b/profiles/mumble.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + services.murmur = { + enable = true; + bonjour = true; + bandwidth = 72000; + logFile = "/var/log/murmur/murmurd.log"; + logDays = 7; + }; +} diff --git a/profiles/nitter.nix b/profiles/nitter.nix new file mode 100644 index 0000000..791008f --- /dev/null +++ b/profiles/nitter.nix 
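Review bot: `password_providers` with `pam_auth_provider` and `create_users: true` turns every PAM-authenticable system account on the host into a Matrix login, which is a broader trust boundary than a homeserver normally has and deserves a comment stating that this is intended; `password_providers` is also the legacy hook (Synapse has favoured `modules:` for some time, if I recall correctly), so verify it still loads on the pinned release. The `initialScript` embeds `PASSWORD 'synapse'` in a `pkgs.writeText` file that ends up world-readable in the Nix store; the NixOS synapse module normally connects over the local socket with peer authentication, so drop the `PASSWORD` clause or, if TCP is needed, load it from a key file outside the store. The nginx and `.well-known` parts look consistent with the upstream example.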
@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+let
+ fqdn = "nitter.${config.networking.fqdn}";
+in {
+ services.nitter = {
+ enable = true;
+ server = {
+ hostname = "${fqdn}";
+ address = "127.0.0.1";
+ https = config.security.acme.acceptTerms;
+ };
+ preferences = {
+ replaceTwitter = "${fqdn}";
+ replaceInstagram = "farside.link/bibliogram";
+ replaceYouTube = if config.services.invidious.enable then "${config.services.invidious.domain}" else "farside.link/invidious";
+ };
+ };
+ helpers.webservices."${fqdn}".port = config.services.nitter.server.port;
+}
diff --git a/profiles/photogrammetry.nix b/profiles/photogrammetry.nix
new file mode 100644
index 0000000..a357422
--- /dev/null
+++ b/profiles/photogrammetry.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ unstable.rPackages.multiview # older version
+ # unstable.rPackages.multiviewtest # newer version
+ # unstable.python311Packages.opensfm
+ colmap
+ # unstable.colmapWithCuda # CUDA support
+ unstable.openmvs
+ unstable.openmvg
+ meshlab
+ ];
+}
diff --git a/profiles/plik.nix b/profiles/plik.nix
new file mode 100644
index 0000000..0eb9678
--- /dev/null
+++ b/profiles/plik.nix
@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+let
+ fqdn = "plik.${config.networking.fqdn}";
+in {
+ services.plikd = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ ListenAddress = "0.0.0.0";
+ ListenPort = 8844;
+ MaxFileSize = lib.mkDefault 1000000000;
+ MaxTTL = lib.mkDefault 7776000;
+ };
+ };
+ helpers.webservices."${fqdn}".port = config.services.plikd.settings.ListenPort;
+ services.nginx = {
+ clientMaxBodySize = lib.mkDefault "1000M";
+ };
+}
diff --git a/profiles/syncthing.nix b/profiles/syncthing.nix
new file mode 100644
index 0000000..a86f3df
--- /dev/null
+++ b/profiles/syncthing.nix
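Review bot: Every use of the let-bound name is wrapped in a redundant interpolation — `hostname = "${fqdn}";`, `replaceTwitter = "${fqdn}";` and `"${config.services.invidious.domain}"` are just `fqdn` and `config.services.invidious.domain`; the same pattern recurs in plik.nix, syncthing.nix, twtxt.nix and the matrix profile's `server_name`. `lib` is taken as an argument but never used in this file. Neither affects behaviour, but the `"${x}"` form hides the one case where the interpolation matters (coercing a non-string), so dropping it makes the intent clearer.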
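Review bot: `ListenAddress = "0.0.0.0"` together with `openFirewall = true` exposes plikd's own plain-HTTP listener on port 8844 on every interface, while `helpers.webservices."${fqdn}".port` (a module defined outside this chunk, so its exact behaviour is inferred) appears to front the same service with nginx, ACME and the `clientMaxBodySize` limit set below. Uploads that go straight to 8844 bypass TLS and whatever limits or access rules the nginx side enforces. If the proxied path is the intended one, bind locally and stop opening the port: `ListenAddress = "127.0.0.1";` and drop `openFirewall = true;` — this is also how nitter.nix in the same commit already does it (`address = "127.0.0.1"`).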
@@ -0,0 +1,15 @@
+{ pkgs, config, lib, ... }:
+let
+ hostname = "syncthing.${config.networking.fqdn}";
+in
+{
+
+ services.syncthing = {
+ enable = true;
+ # openDefaultPorts = true;
+ };
+ systemd.tmpfiles.rules = lib.mkIf config.services.syncthing.enable [
+ "d '/var/lib/syncthing' 0775 ${config.services.syncthing.user} ${config.services.syncthing.group}"
+ "Z '/var/lib/syncthing' 0775 ${config.services.syncthing.user} ${config.services.syncthing.group}"
+ ];
+}
diff --git a/profiles/twtxt.nix b/profiles/twtxt.nix
new file mode 100644
index 0000000..8f5052d
--- /dev/null
+++ b/profiles/twtxt.nix
@@ -0,0 +1,29 @@
+{ pkgs, config, users, lib, ... }:
+let
+ fqdn = "twtxt.${config.networking.fqdn}";
+in
+{
+ users.groups = {
+ twtxt = {};
+ };
+ environment.systemPackages = [
+ pkgs.twtxt
+ ];
+ services.nginx = {
+ enable = lib.mkDefault true;
+ virtualHosts."${fqdn}" = {
+ root = "/var/lib/twtxt";
+ enableACME = config.security.acme.acceptTerms;
+ forceSSL = config.security.acme.acceptTerms;
+ locations = {
+ "/" = {
+ tryFiles = "/twtxt.txt =404"; # Read that path out loud three times fast.
+ };
+ };
+ };
+ };
+ systemd.tmpfiles.rules = lib.mkIf config.services.syncthing.enable [
+ "d '/var/lib/twtxt' 0774 ${config.services.nginx.user} twtxt"
+ "Z '/var/lib/twtxt' 0774 ${config.services.nginx.user} twtxt"
+ ];
+}
diff --git a/profiles/yggdrasil.nix b/profiles/yggdrasil.nix
new file mode 100644
index 0000000..2c7fc8c
--- /dev/null
+++ b/profiles/yggdrasil.nix
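Review bot: The `Z '/var/lib/syncthing' 0775 …` rule re-applies mode 0775 recursively to every file under the data directory on each boot, so whatever permissions synced files arrived with are flattened to group-writable and world-readable; the `d` rule alone already guarantees the directory exists with that mode, which seems to be the intent. If a shared group really needs write access, 0770 on the directory keeps the contents off other local users, and the `Z` line can go. `hostname` is bound but never used and `pkgs` is unused too — if the GUI was meant to be fronted via `helpers.webservices` like nitter and plik, that line is missing rather than the binding being superfluous.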
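Review bot: `lib.mkIf config.services.syncthing.enable` gates twtxt's tmpfiles rules on the Syncthing service (copied from syncthing.nix), so on a host that enables this profile without Syncthing `/var/lib/twtxt` is never created and the `twtxt` group owns nothing — nginx then answers 404 for every request to the vhost. The condition should follow the service this profile actually configures: `systemd.tmpfiles.rules = lib.mkIf config.services.nginx.enable [`. Separately, `users` in the argument set is not a standard module argument and is unused here; unless flake.nix (outside this chunk) passes it through specialArgs, evaluating the module will fail on a missing argument, so it is safest to remove it.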
@@ -0,0 +1,34 @@
+{
+ services.yggdrasil = {
+ enable = true;
+ # persistentKeys = true;
+ # The NixOS module will generate new keys and a new IPv6 address each time
+ # it is started if persistentKeys is not enabled.
+
+ config = {
+ IFName = "ygg0";
+ Listen = [
+ "tls://0.0.0.0:32333"
+ "tls://[::]:32333"
+ ];
+ MulticastInterfaces = [
+ {
+ Regex = ".*";
+ Beacon = true;
+ Listen = true;
+ Port = 32332;
+ Priority = 0;
+ }
+ ];
+ Peers = [
+ # Yggdrasil will automatically connect and "peer" with other nodes it
+ # discovers via link-local multicast annoucements. Unless this is the
+ # case (it probably isn't) a node needs peers within the existing
+ # network that it can tunnel to.
+
+ # Public Peers: https://github.com/yggdrasil-network/public-peers
+ ];
+ };
+ };
+ # configFile = "/run/keys/yggdrasil.conf";
+}
diff --git a/specialisations/hardened.nix b/specialisations/hardened.nix
new file mode 100644
index 0000000..f827487
--- /dev/null
+++ b/specialisations/hardened.nix
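Review bot: `MulticastInterfaces` matches every interface (`Regex = ".*"`) with both `Beacon` and `Listen` on, and the TLS listeners bind `0.0.0.0` and `[::]`, so any link-local neighbour on any interface — including an upstream or public-facing one — can discover this node and peer with it, and the node will carry traffic for that peer. Restrict `Regex` to the interface(s) where peering is wanted (for example the LAN interface name), and keep the wildcard `Listen` entries only if inbound peering from the internet is intended, in which case port 32333 should be opened in the firewall deliberately rather than left to the multicast path. With `Peers = []` and no firewall change in this hunk, the node as written only ever peers with whatever appears on multicast. A style nit: the `# configFile = …` comment sits outside the `services.yggdrasil` block where that option lives.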
@@ -0,0 +1,49 @@
+{ pkgs,
+ lib,
+ config,
+ ... }:
+{
+ specialisation.hardened.configuration = {
+ imports = [
+ # This includes a hardened kernel, and limiting the system information available to processes through the /sys and /proc filesystems. It also disables the User Namespaces feature of the kernel, which stops Nix from being able to build anything (this particular setting can be overriden via security.allowUserNamespaces). See the profile source for further detail on which settings are altered.
+
+ # Manual section: https://nixos.org/manual/nixos/stable/index.html#sec-profile-hardened
+ # profile source: https://github.com/nixos/nixpkgs/tree/master/nixos/modules/profiles/hardened.nix
+ ];
+
+ # system.nixos.label = "marigoldOS-${config.system.nixos.release}-hardened";
+ # system.nixos.tags = [ "hardened" ];
+
+ networking.firewall.allowPing = false;
+
+ # doas instead of sudo
+ security.sudo.enable = false;
+ security.doas = {
+ enable = true;
+ extraRules = [{
+ groups = ["wheel"];
+ persist = false;
+ noPass = false;
+ keepEnv = true;
+ }];
+ };
+ # alias
+ environment.shellAliases = { sudo = "doas "; };
+
+ # Once this is in a spot where it looks good, move this to the main profile
+ # security.auditd.enable = true;
+ # security.audit.enable = true;
+ # TODO actually make the rules, lel.
+ # https://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/
+ # https://security.blogoverflow.com/2013/09/stump-the-chump-with-auditd-01/
+
+ # TODO investigate this
+ # security.allowUserNamespaces
+
+ # TODO Investigate this
+ # boot.kernel.randstructSeed = "Change this. Also does hiding this from version control provide any (meaningful) security advantages? Maybe from a targeted attack, but enough to matter?";
+
+ # TODO Read then rip off archbros
+ # https://wiki.archlinux.org/title/Security
+ };
+}
diff --git a/specialisations/lowpower.nix b/specialisations/lowpower.nix
new file mode 100644
index 0000000..1c316bd
--- /dev/null
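Review bot: The `imports` list in `specialisation.hardened.configuration` is empty — the comment inside it describes the NixOS hardened profile, but nothing actually imports it, so this specialisation only disables ping replies and swaps sudo for doas while the hardened kernel and /proc,/sys restrictions the comment promises never apply. Add `modulesPath` to the module arguments and import the profile the comment links to: `{ pkgs, lib, config, modulesPath, ... }:` and `imports = [ "${modulesPath}/profiles/hardened.nix" ];`. On the doas rule, `keepEnv = true` carries the caller's environment into the privileged session; if that is needed for a specific workflow a comment saying which one would help, since it is the less strict of the two settings in a profile that is otherwise tightening things. `lib` and `pkgs` are bound but unused here.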
+++ b/specialisations/lowpower.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+{
+ specialisation.lowpower.configuration = {
+ # system.nixos.label = "marigoldOS-${config.system.nixos.release}-lowPower";
+ # system.nixos.tags = [ "lowpower" ];
+ services = {
+ tlp.enable = true;
+ upower.enable = true;
+ throttled.enable = true;
+ };
+
+ powerManagement = {
+ enable = true;
+ cpuFreqGovernor = "powersave";
+ powertop.enable = true;
+ };
+ };
+}
diff --git a/specialisations/performance.nix b/specialisations/performance.nix
new file mode 100644
index 0000000..9dd4846
--- /dev/null
+++ b/specialisations/performance.nix
@@ -0,0 +1,14 @@
+{ pkgs,
+ config,
+ ... }:
+{
+ specialisation.performance.configuration = {
+ # system.nixos.label = "marigoldOS-${config.system.nixos.release}-performance";
+ # system.nixos.tags = [ "performance" ];
+ boot.kernelPackages = pkgs.linuxPackages_zen;
+ powerManagement = {
+ enable = true;
+ cpuFreqGovernor = "performance";
+ };
+ };
+}
-- 
2.44.1